CVS commit: src/external/bsd/wpa/dist

2024-02-13 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Tue Feb 13 18:43:45 UTC 2024

Modified Files:
src/external/bsd/wpa/dist/src/eap_peer: eap_config.h eap_peap.c
eap_tls_common.c eap_tls_common.h
src/external/bsd/wpa/dist/wpa_supplicant: wpa_supplicant.conf

Log Message:
https://www.phoronix.com/news/IWD-WPA-WiFi-Auth-Vulns
https://www.top10vpn.com/research/wifi-vulnerabilities/

PEAP client: Update Phase 2 authentication requirements

The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
 * 0 = do not require Phase 2 authentication
 * 1 = require Phase 2 authentication when client certificate
   (private_key/client_cert) is not used and TLS session resumption was
   not used (default)
 * 2 = require Phase 2 authentication in all cases


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.7 -r1.2 \
src/external/bsd/wpa/dist/src/eap_peer/eap_config.h \
src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h
cvs rdiff -u -r1.1.1.8 -r1.2 \
src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c \
src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.c
cvs rdiff -u -r1.1.1.8 -r1.2 \
src/external/bsd/wpa/dist/wpa_supplicant/wpa_supplicant.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/external/bsd/wpa/dist/src/eap_peer/eap_config.h
diff -u src/external/bsd/wpa/dist/src/eap_peer/eap_config.h:1.1.1.7 src/external/bsd/wpa/dist/src/eap_peer/eap_config.h:1.2
--- src/external/bsd/wpa/dist/src/eap_peer/eap_config.h:1.1.1.7	Sun Feb 28 20:37:57 2021
+++ src/external/bsd/wpa/dist/src/eap_peer/eap_config.h	Tue Feb 13 13:43:45 2024
@@ -470,6 +470,14 @@ struct eap_peer_config {
 	 * 1 = use cryptobinding if server supports it
 	 * 2 = require cryptobinding
 	 *
+	 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
+	 * tunnel) behavior for PEAP:
+	 * 0 = do not require Phase 2 authentication
+	 * 1 = require Phase 2 authentication when client certificate
+	 *  (private_key/client_cert) is no used and TLS session resumption was
+	 *  not used (default)
+	 * 2 = require Phase 2 authentication in all cases
+	 *
 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
 	 * uuid=Device_UUID
 	 *
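Review bot: The added comment has a typo in the description of value 1: "is no used" should read "is not used". Since this is the text people will consult when setting the option, it should also carry the point from the log message that requiring Phase 2 authentication disables TLS session resumption automatically, and show the literal form phase2_auth=2 in the same way the EAP-WSC line below shows pin=Device_Password.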
Index: src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h
diff -u src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h:1.1.1.7 src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h:1.2
--- src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h:1.1.1.7	Sun Feb 28 20:37:57 2021
+++ src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h	Tue Feb 13 13:43:45 2024
@@ -79,6 +79,11 @@ struct eap_ssl_data {
 	 * tls_v13 - Whether TLS v1.3 or newer is used
 	 */
 	int tls_v13;
+
+	/**
+	 * client_cert_conf: Whether client certificate has been configured
+	 */
+	bool client_cert_conf;
 };
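Review bot: Style point on the new member: its doc comment is written "client_cert_conf: Whether ..." with a colon, while the member directly above uses the "tls_v13 - Whether ..." form, and the new flag is bool where the neighbouring flag tls_v13 is int. Use the "name - description" form for consistency, and if bool is the intended direction for new flags in this struct, that is worth a word in the commit message.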
 
 

Index: src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c
diff -u src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c:1.1.1.8 src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c:1.2
--- src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c:1.1.1.8	Sun Feb 28 20:37:57 2021
+++ src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c	Tue Feb 13 13:43:45 2024
@@ -67,6 +67,7 @@ struct eap_peap_data {
 	u8 cmk[20];
 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
 		  * is enabled. */
+	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
 };
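Review bot: NO_AUTH is the first enumerator and therefore 0, so a zero-initialized struct eap_peap_data starts out with the least strict setting, while the documented default is 1 (FOR_INITIAL). The init path has to assign phase2_auth = FOR_INITIAL explicitly before phase1 is parsed, and that is worth checking since the assignment is not visible here. The enumerators happen to line up with the 0/1/2 configuration values but nothing says so; a short comment would help, as would a prefix on names as generic as ALWAYS and NO_AUTH.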
 
 
@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct
 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
 	}
 
+	if (os_strstr(phase1, "phase2_auth=0")) {
+		data->phase2_auth = NO_AUTH;
+		wpa_printf(MSG_DEBUG,
+			   
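Review bot: os_strstr(phase1, "phase2_auth=0") is a substring match, so it also fires when that text is merely part of a longer token in the phase1 string. This follows the pattern of the existing phase1 parsing above, but for an option that switches an authentication requirement off it would be safer to match a whole space-delimited token, and to log the NO_AUTH selection above MSG_DEBUG so it shows up in normal logs. The hunk is cut off on this page after the wpa_printf( call, so the branches for 1 and 2 cannot be reviewed here.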

CVS commit: src/external/bsd/wpa/dist/src/ap

2019-09-12 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Thu Sep 12 23:46:11 UTC 2019

Modified Files:
src/external/bsd/wpa/dist/src/ap: drv_callbacks.c ieee802_11.c

Log Message:
[PATCH] AP: Silently ignore management frame from unexpected source address

Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.

In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.

Signed-off-by: Jouni Malinen 


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/wpa/dist/src/ap/drv_callbacks.c
cvs rdiff -u -r1.3 -r1.4 src/external/bsd/wpa/dist/src/ap/ieee802_11.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/external/bsd/wpa/dist/src/ap/drv_callbacks.c
diff -u src/external/bsd/wpa/dist/src/ap/drv_callbacks.c:1.4 src/external/bsd/wpa/dist/src/ap/drv_callbacks.c:1.5
--- src/external/bsd/wpa/dist/src/ap/drv_callbacks.c:1.4	Fri Jan  4 16:22:20 2019
+++ src/external/bsd/wpa/dist/src/ap/drv_callbacks.c	Thu Sep 12 19:46:11 2019
@@ -129,6 +129,19 @@ int hostapd_notif_assoc(struct hostapd_d
 			   "hostapd_notif_assoc: Skip event with no address");
 		return -1;
 	}
+
+	if (is_multicast_ether_addr(addr) ||
+	is_zero_ether_addr(addr) ||
+	os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+		/* Do not process any frames with unexpected/invalid SA so that
+		 * we do not add any state for unexpected STA addresses or end
+		 * up sending out frames to unexpected destination. */
+		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+			   " in received indication - ignore this indication silently",
+			   __func__, MAC2STR(addr));
+		return 0;
+	}
+
 	random_add_randomness(addr, ETH_ALEN);
 
 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
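Review bot: The new invalid-SA branch returns 0, while the "Skip event with no address" case directly above it returns -1, so a caller cannot tell an ignored indication from one that was processed. If 0 is deliberate because the drop is meant to be silent, say so in the comment. The same three-part test (multicast, zero, own_addr) is added again in ieee802_11.c; a small shared helper would keep the two copies from drifting apart.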

Index: src/external/bsd/wpa/dist/src/ap/ieee802_11.c
diff -u src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.3 src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.4
--- src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.3	Fri Jan  4 16:22:20 2019
+++ src/external/bsd/wpa/dist/src/ap/ieee802_11.c	Thu Sep 12 19:46:11 2019
@@ -3978,6 +3978,18 @@ int ieee802_11_mgmt(struct hostapd_data 
 	fc = le_to_host16(mgmt->frame_control);
 	stype = WLAN_FC_GET_STYPE(fc);
 
+	if (is_multicast_ether_addr(mgmt->sa) ||
+	is_zero_ether_addr(mgmt->sa) ||
+	os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+		/* Do not process any frames with unexpected/invalid SA so that
+		 * we do not add any state for unexpected STA addresses or end
+		 * up sending out frames to unexpected destination. */
+		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+			   " in received frame - ignore this frame silently",
+			   MAC2STR(mgmt->sa));
+		return 0;
+	}
+
 	if (stype == WLAN_FC_STYPE_BEACON) {
 		handle_beacon(hapd, mgmt, len, fi);
 		return 1;
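Review bot: The drop is logged only at MSG_DEBUG, so a production AP leaves no trace that frames with a multicast, zero or own-address SA are arriving, even though the log message names this as a denial of service case. A rate-limited message at a higher level, or a counter, would give operators something to alert on. The check also sits ahead of the WLAN_FC_STYPE_BEACON branch and therefore applies to beacons as well; a brief comment that this is intended would help.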



CVS commit: src/external/bsd/wpa/dist/src/eap_common

2019-08-08 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Thu Aug  8 09:56:41 UTC 2019

Modified Files:
src/external/bsd/wpa/dist/src/eap_common: eap_pwd_common.c

Log Message:
EAP-pwd: Run through prf result processing even if it >= prime

This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).

Signed-off-by: Jouni Malinen 
(cherry picked from commit cd803299ca485eb857e37c88f973fccfbb8600e5)


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 \
src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c
diff -u src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4 src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.5
--- src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4	Thu Aug  8 04:58:40 2019
+++ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c	Thu Aug  8 05:56:41 2019
@@ -142,6 +142,8 @@ int compute_password_element(EAP_PWD_gro
 	struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
 	const struct crypto_bignum *prime;
 	u8 mask, found_ctr = 0, is_odd = 0;
+	int cmp_prime;
+	unsigned int in_range;
 
 	if (grp->pwe)
 		return -1;
@@ -234,8 +236,13 @@ int compute_password_element(EAP_PWD_gro
 		if (primebitlen % 8)
 			buf_shift_right(prfbuf, primebytelen,
 	8 - primebitlen % 8);
-		if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
-			continue;
+		cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen);
+		/* Create a const_time mask for selection based on prf result
+		 * being smaller than prime. */
+		in_range = const_time_fill_msb((unsigned int) cmp_prime);
+		/* The algorithm description would skip the next steps if
+		 * cmp_prime >= 0, but go through them regardless to minimize
+		 * externally observable differences in behavior. */
 
 		crypto_bignum_deinit(x_candidate, 1);
 		x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
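Review bot: The mask is only right if const_time_memcmp() returns a negative value when prfbuf is below prime, and the comment should state that in_range is all-ones in that case and zero otherwise, because the later "found |= mask & in_range" depends on it. With the continue removed, crypto_bignum_init_set() and everything after it now also runs on candidates that are >= prime, so it is worth confirming, and noting in the comment, that none of those steps fail or take a different path for an out-of-range value.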
@@ -298,7 +305,7 @@ int compute_password_element(EAP_PWD_gro
 			goto fail;
 		mask = const_time_eq(res, check);
 		found_ctr = const_time_select_u8(found, found_ctr, ctr);
-		found |= mask;
+		found |= mask & in_range;
 	}
 	if (found == 0) {
 		wpa_printf(MSG_INFO,
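Review bot: "found |= mask & in_range" mixes the u8 mask with the unsigned int in_range. It works because in_range is all-ones or zero, but an explicit narrowing would make the intent visible. Only found is gated here: found_ctr on the line above is selected on found alone, so please confirm that every other per-iteration output of the loop is likewise overwritten until found is set, otherwise an out-of-range candidate could still influence the result.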



CVS commit: src/external/bsd/wpa/dist/src/common

2019-08-08 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Thu Aug  8 09:56:10 UTC 2019

Modified Files:
src/external/bsd/wpa/dist/src/common: sae.c

Log Message:
SAE: Run through prf result processing even if it >= prime

This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).

Signed-off-by: Jouni Malinen 
(cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503)


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/external/bsd/wpa/dist/src/common/sae.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
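
The masking pattern that this SAE log message and the EAP-pwd one before it describe, reduced to a toy loop. This is an added example, not hostap or NetBSD code: the helpers `ex_fill_msb` and `ex_memcmp`, the 16-bit prime 40961 and the sample candidates are constructed for illustration, and the toy modular arithmetic is not itself constant-time.

```c
#include <stddef.h>
#include <stdint.h>

#define P    40961u /* constructed toy prime (0xA001), well below 2^16 */
#define PLEN 2      /* candidate length in bytes, big-endian */

struct peck_result {
	int index;           /* first accepted candidate, -1 if none */
	unsigned int tested; /* iterations that ran the square test */
};
static const uint8_t PRIME[PLEN] = { P >> 8, P & 0xff };
static const uint8_t SAMPLE[5 * PLEN] = { /* constructed, stands in for PRF output */
	0xA0, 0x05, /* >= P, yet a square once reduced mod P */
	0x00, 0x03, /* in range, not a square mod P */
	0xFF, 0xFF, /* >= P */
	0x00, 0x19, /* in range, 25 = 5^2: first valid candidate */
	0x00, 0x04, /* in range and square, must not replace index 3 */
};

/* All-ones if the most significant bit of val is set, else zero. */
static unsigned int ex_fill_msb(unsigned int val)
{
	return (val >> (sizeof(val) * 8 - 1)) * ~0U;
}

/* memcmp()-style result for big-endian buffers; reads every byte. */
static int ex_memcmp(const uint8_t *a, const uint8_t *b, size_t len)
{
	unsigned int res = 0;
	while (len--) {
		unsigned int diff = (unsigned int) a[len] - (unsigned int) b[len];
		unsigned int nz = ex_fill_msb(diff | (0u - diff));
		res = (nz & diff) | (~nz & res); /* most significant diff wins */
	}
	return (int) res;
}

/* Euler criterion, toy arithmetic: 1 if x mod P is a non-zero square.
 * The exponent is public, so branching on its bits is harmless. */
static unsigned int is_square(uint32_t x)
{
	uint32_t base = x % P, acc = 1, e = (P - 1) / 2;
	for (; e; e >>= 1) {
		if (e & 1)
			acc = acc * base % P;
		base = base * base % P;
	}
	return acc == 1;
}

/* Earlier shape: an out-of-range candidate skips the costly step. */
static struct peck_result peck_branchy(const uint8_t *cand, size_t n)
{
	struct peck_result r = { -1, 0 };
	for (size_t i = 0; i < n; i++) {
		const uint8_t *c = cand + i * PLEN;
		if (ex_memcmp(c, PRIME, PLEN) >= 0)
			continue;
		r.tested++;
		if (is_square(((uint32_t) c[0] << 8) | c[1]) && r.index < 0)
			r.index = (int) i;
	}
	return r;
}

/* Masked shape: every iteration does the same work; in_range (all-ones
 * when the candidate is below PRIME) only gates the update of "found". */
static struct peck_result peck_masked(const uint8_t *cand, size_t n)
{
	unsigned int found = 0, index = 0;
	for (size_t i = 0; i < n; i++) {
		const uint8_t *c = cand + i * PLEN;
		unsigned int in_range = ex_fill_msb((unsigned int) ex_memcmp(c, PRIME, PLEN));
		unsigned int ok = 0u - is_square(((uint32_t) c[0] << 8) | c[1]);
		index = (found & index) | (~found & (unsigned int) i);
		found |= ok & in_range;
	}
	return (struct peck_result) { found ? (int) index : -1, (unsigned int) n };
}

int main(void)
{
	return peck_branchy(SAMPLE, 5).index != peck_masked(SAMPLE, 5).index;
}
```

Both loops pick the same candidate from the sample, but the branching loop runs the square test on only the in-range candidates, while the masked loop runs it on all of them and relies on `in_range` to reject the first one, which is a square after reduction.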

Modified files:

Index: src/external/bsd/wpa/dist/src/common/sae.c
diff -u src/external/bsd/wpa/dist/src/common/sae.c:1.8 src/external/bsd/wpa/dist/src/common/sae.c:1.9
--- src/external/bsd/wpa/dist/src/common/sae.c:1.8	Thu Aug  8 04:55:48 2019
+++ src/external/bsd/wpa/dist/src/common/sae.c	Thu Aug  8 05:56:10 2019
@@ -281,6 +281,8 @@ static int sae_test_pwd_seed_ecc(struct 
 	struct crypto_bignum *y_sqr, *x_cand;
 	int res;
 	size_t bits;
+	int cmp_prime;
+	unsigned int in_range;
 
 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
 
@@ -294,8 +296,13 @@ static int sae_test_pwd_seed_ecc(struct 
 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
 			pwd_value, sae->tmp->prime_len);
 
-	if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
-		return 0;
+	cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
+	/* Create a const_time mask for selection based on prf result
+	 * being smaller than prime. */
+	in_range = const_time_fill_msb((unsigned int) cmp_prime);
+	/* The algorithm description would skip the next steps if
+	 * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
+	 * minimize externally observable differences in behavior. */
 
 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
 	if (!x_cand)
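Review bot: Typo in the new comment: "reutnr 0 here" should be "return 0 here". As with the EAP-pwd change, the comment should say that in_range is all-ones when pwd_value is below prime, and it is worth checking that crypto_bignum_init_set() and the residue test that follow behave the same for a pwd_value that is not below the prime, now that they run in that case too.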
@@ -307,7 +314,9 @@ static int sae_test_pwd_seed_ecc(struct 
 
 	res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
 	crypto_bignum_deinit(y_sqr, 1);
-	return res;
+	if (res < 0)
+		return res;
+	return const_time_select_int(in_range, res, 0);
 }
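Review bot: The "if (res < 0) return res;" branch runs before the constant-time select, so an internal failure while processing an out-of-range pwd_value is now reported as an error, where the old code had already returned 0 before reaching that step. That looks acceptable because the branch is not driven by the comparison result, but a one-line comment that the error path is deliberately left unmasked would stop someone from "fixing" it later.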
 
 



CVS commit: src/external/bsd/wpa/dist/src/crypto

2019-08-08 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Thu Aug  8 09:55:32 UTC 2019

Modified Files:
src/external/bsd/wpa/dist/src/crypto: crypto_openssl.c

Log Message:
OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available

This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL
functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid
differences in runtime and memory access patterns depending on the
leading bytes of the BIGNUM value.

OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases
are still using the previous implementation where the BN_num_bytes()
call may result in different memory access pattern.

Signed-off-by: Jouni Malinen 
(cherry picked from commit 1e237903f5b5d3117342daf006c5878cdb45e3d3)


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 \
src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c
diff -u src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c:1.3 src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c:1.4
--- src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c:1.3	Wed Apr 10 13:56:43 2019
+++ src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c	Thu Aug  8 05:55:32 2019
@@ -1227,7 +1227,13 @@ void crypto_bignum_deinit(struct crypto_
 int crypto_bignum_to_bin(const struct crypto_bignum *a,
 			 u8 *buf, size_t buflen, size_t padlen)
 {
+#ifdef OPENSSL_IS_BORINGSSL
+#else /* OPENSSL_IS_BORINGSSL */
+#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)
+#else
 	int num_bytes, offset;
+#endif
+#endif /* OPENSSL_IS_BORINGSSL */
 
 	if (TEST_FAIL())
 		return -1;
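Review bot: The nested #ifdef/#else with empty branches, there only to decide whether "int num_bytes, offset;" gets declared, is hard to read and has to be kept in step by hand with the identical condition in the function body. Defining one local macro for "padded conversion available" and testing it in both places would remove the duplication.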
@@ -1235,6 +1241,14 @@ int crypto_bignum_to_bin(const struct cr
 	if (padlen > buflen)
 		return -1;
 
+#ifdef OPENSSL_IS_BORINGSSL
+	if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
+		return -1;
+	return padlen;
+#else /* OPENSSL_IS_BORINGSSL */
+#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)
+	return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
+#else
 	num_bytes = BN_num_bytes((const BIGNUM *) a);
 	if ((size_t) num_bytes > buflen)
 		return -1;
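Review bot: "OPENSSL_VERSION_NUMBER >= 0x1010L" compares against 0x1010, which every OpenSSL release exceeds; OpenSSL 1.1.0 is 0x10100000L. As written, an OpenSSL 1.0.2 build also takes the BN_bn2binpad() branch, which the log message says that version does not provide. The same constant appears in the declaration guard at the top of the function and needs the same fix. Separately, the BoringSSL branch returns padlen, a size_t, from a function returning int; a cast would make that conversion explicit.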
@@ -1247,6 +1261,8 @@ int crypto_bignum_to_bin(const struct cr
 	BN_bn2bin((const BIGNUM *) a, buf + offset);
 
 	return num_bytes + offset;
+#endif
+#endif /* OPENSSL_IS_BORINGSSL */
 }
 
 



CVS commit: src/external/bsd/wpa/dist/src/eap_common

2019-08-08 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Thu Aug  8 08:58:40 UTC 2019

Modified Files:
src/external/bsd/wpa/dist/src/eap_common: eap_pwd_common.c

Log Message:
EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison

This reduces timing and memory access pattern differences for an
operation that could depend on the used password.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 \
src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c
diff -u src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.3 src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4
--- src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.3	Wed Apr 10 13:57:15 2019
+++ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c	Thu Aug  8 04:58:40 2019
@@ -131,6 +131,7 @@ int compute_password_element(EAP_PWD_gro
 	u8 qnr_bin[MAX_ECC_PRIME_LEN];
 	u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
 	u8 x_bin[MAX_ECC_PRIME_LEN];
+	u8 prime_bin[MAX_ECC_PRIME_LEN];
 	struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
 	struct crypto_hash *hash;
 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
@@ -148,6 +149,11 @@ int compute_password_element(EAP_PWD_gro
 	os_memset(x_bin, 0, sizeof(x_bin));
 
 	prime = crypto_ec_get_prime(grp->group);
+	primebitlen = crypto_ec_prime_len_bits(grp->group);
+	primebytelen = crypto_ec_prime_len(grp->group);
+	if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
+ primebytelen) < 0)
+		return -1;
 	cofactor = crypto_bignum_init();
 	grp->pwe = crypto_ec_point_init(grp->group);
 	tmp1 = crypto_bignum_init();
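Review bot: The new "return -1" after crypto_bignum_to_bin() leaves the function directly, while the later failure paths visible in this diff use "goto fail". That is safe only because nothing has been allocated yet at this point; a comment saying so, or using goto fail, would keep it safe if the allocations below are ever moved up. In the lines shown, prime is also passed to crypto_bignum_to_bin() without a check on the result of crypto_ec_get_prime().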
@@ -163,8 +169,6 @@ int compute_password_element(EAP_PWD_gro
 			   "curve");
 		goto fail;
 	}
-	primebitlen = crypto_ec_prime_len_bits(grp->group);
-	primebytelen = crypto_ec_prime_len(grp->group);
 	if ((prfbuf = os_malloc(primebytelen)) == NULL) {
 		wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
 			   "buffer");
@@ -230,6 +234,8 @@ int compute_password_element(EAP_PWD_gro
 		if (primebitlen % 8)
 			buf_shift_right(prfbuf, primebytelen,
 	8 - primebitlen % 8);
+		if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
+			continue;
 
 		crypto_bignum_deinit(x_candidate, 1);
 		x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
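Review bot: const_time_memcmp() removes the dependence on where the two buffers differ, but the "continue" that follows still skips the rest of the iteration, so how many iterations do the full work still depends on the PRF output. The comparison result should feed a mask rather than a branch; revision 1.5 of this file, shown earlier on this page, does that.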
@@ -239,9 +245,6 @@ int compute_password_element(EAP_PWD_gro
 			goto fail;
 		}
 
-		if (crypto_bignum_cmp(x_candidate, prime) >= 0)
-			continue;
-
 		wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
 prfbuf, primebytelen);
 		const_time_select_bin(found, x_bin, prfbuf, primebytelen,



CVS commit: src/external/bsd/wpa/dist/src/common

2019-08-08 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Thu Aug  8 08:55:48 UTC 2019

Modified Files:
src/external/bsd/wpa/dist/src/common: sae.c

Log Message:
SAE: Use const_time_memcmp() for pwd_value >= prime comparison

This reduces timing and memory access pattern differences for an
operation that could depend on the used password.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/external/bsd/wpa/dist/src/common/sae.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/wpa/dist/src/common/sae.c
diff -u src/external/bsd/wpa/dist/src/common/sae.c:1.7 src/external/bsd/wpa/dist/src/common/sae.c:1.8
--- src/external/bsd/wpa/dist/src/common/sae.c:1.7	Wed Apr 10 14:01:08 2019
+++ src/external/bsd/wpa/dist/src/common/sae.c	Thu Aug  8 04:55:48 2019
@@ -294,7 +294,7 @@ static int sae_test_pwd_seed_ecc(struct 
 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
 			pwd_value, sae->tmp->prime_len);
 
-	if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
+	if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
 		return 0;
 
 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
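Review bot: Same remaining issue as in the EAP-pwd change: the compare is now constant-time, but "return 0" still exits before the bignum and quadratic-residue work, so the duration of the call differs for a pwd_value that is >= prime. Revision 1.9 of this file, shown earlier on this page, replaces the early return with an in_range mask; landing the two together would avoid shipping the intermediate state.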



Re: CVS commit: src/external/bsd/wpa/dist/src/drivers

2016-01-19 Thread Christos Zoulas
In article <20160119150829.60108f...@cvs.netbsd.org>,
Roy Marples  wrote:
>-=-=-=-=-=-
>
>Module Name:   src
>Committed By:  roy
>Date:  Tue Jan 19 15:08:29 UTC 2016
>
>Modified Files:
>   src/external/bsd/wpa/dist/src/drivers: driver_bsd.c
>
>Log Message:
>Don't log RTM messages we aren't interested in at all.

But these were debugging printfs...

christos