1870c497c416d9e3441ffdcefc411e2a878855c3
[openwrt/openwrt.git] /
1 From aaf65feac67c3993935634eefe5bc76b9fce03aa Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <jouni@codeaurora.org>
3 Date: Tue, 26 Feb 2019 11:59:45 +0200
4 Subject: [PATCH 04/14] EAP-pwd: Use constant time and memory access for
5 finding the PWE
6
7 This algorithm could leak information to external observers in form of
8 timing differences or memory access patterns (cache use). While the
9 previous implementation had protection against the most visible timing
10 differences (looping 40 rounds and masking the legendre operation), it
11 did not protect against memory access patterns between the two possible
12 code paths in the masking operations. That might be sufficient to allow
13 an unprivileged process running on the same device to be able to
14 determine which path is being executed through a cache attack and based
15 on that, determine information about the used password.
16
17 Convert the PWE finding loop to use constant time functions and
18 identical memory access path without different branches for the QR/QNR
19 cases to minimize possible side-channel information similarly to the
20 changes done for SAE authentication. (CVE-2019-9495)
21
22 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
23 ---
24 src/eap_common/eap_pwd_common.c | 187 +++++++++++++++++++++-------------------
25 1 file changed, 99 insertions(+), 88 deletions(-)
26
27 --- a/src/eap_common/eap_pwd_common.c
28 +++ b/src/eap_common/eap_pwd_common.c
29 @@ -8,11 +8,15 @@
30
31 #include "includes.h"
32 #include "common.h"
33 +#include "utils/const_time.h"
34 #include "crypto/sha256.h"
35 #include "crypto/crypto.h"
36 #include "eap_defs.h"
37 #include "eap_pwd_common.h"
38
39 +#define MAX_ECC_PRIME_LEN 66
40 +
41 +
42 /* The random function H(x) = HMAC-SHA256(0^32, x) */
43 struct crypto_hash * eap_pwd_h_init(void)
44 {
45 @@ -102,6 +106,15 @@ EAP_PWD_group * get_eap_pwd_group(u16 nu
46 }
47
48
49 +static void buf_shift_right(u8 *buf, size_t len, size_t bits)
50 +{
51 + size_t i;
52 + for (i = len - 1; i > 0; i--)
53 + buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
54 + buf[0] >>= bits;
55 +}
56 +
57 +
58 /*
59 * compute a "random" secret point on an elliptic curve based
60 * on the password and identities.
61 @@ -113,17 +126,27 @@ int compute_password_element(EAP_PWD_gro
62 const u8 *token)
63 {
64 struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
65 + struct crypto_bignum *qr_or_qnr = NULL;
66 + u8 qr_bin[MAX_ECC_PRIME_LEN];
67 + u8 qnr_bin[MAX_ECC_PRIME_LEN];
68 + u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
69 + u8 x_bin[MAX_ECC_PRIME_LEN];
70 struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
71 struct crypto_hash *hash;
72 unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
73 - int is_odd, ret = 0, check, found = 0;
74 - size_t primebytelen, primebitlen;
75 - struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
76 + int ret = 0, check, res;
77 + u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
78 + * mask */
79 + size_t primebytelen = 0, primebitlen;
80 + struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
81 const struct crypto_bignum *prime;
82 + u8 mask, found_ctr = 0, is_odd = 0;
83
84 if (grp->pwe)
85 return -1;
86
87 + os_memset(x_bin, 0, sizeof(x_bin));
88 +
89 prime = crypto_ec_get_prime(grp->group);
90 cofactor = crypto_bignum_init();
91 grp->pwe = crypto_ec_point_init(grp->group);
92 @@ -152,8 +175,6 @@ int compute_password_element(EAP_PWD_gro
93
94 /* get a random quadratic residue and nonresidue */
95 while (!qr || !qnr) {
96 - int res;
97 -
98 if (crypto_bignum_rand(tmp1, prime) < 0)
99 goto fail;
100 res = crypto_bignum_legendre(tmp1, prime);
101 @@ -167,6 +188,11 @@ int compute_password_element(EAP_PWD_gro
102 if (!tmp1)
103 goto fail;
104 }
105 + if (crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin),
106 + primebytelen) < 0 ||
107 + crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin),
108 + primebytelen) < 0)
109 + goto fail;
110
111 os_memset(prfbuf, 0, primebytelen);
112 ctr = 0;
113 @@ -194,17 +220,16 @@ int compute_password_element(EAP_PWD_gro
114 eap_pwd_h_update(hash, &ctr, sizeof(ctr));
115 eap_pwd_h_final(hash, pwe_digest);
116
117 - crypto_bignum_deinit(rnd, 1);
118 - rnd = crypto_bignum_init_set(pwe_digest, SHA256_MAC_LEN);
119 - if (!rnd) {
120 - wpa_printf(MSG_INFO, "EAP-pwd: unable to create rnd");
121 - goto fail;
122 - }
123 + is_odd = const_time_select_u8(
124 + found, is_odd, pwe_digest[SHA256_MAC_LEN - 1] & 0x01);
125 if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
126 (u8 *) "EAP-pwd Hunting And Pecking",
127 os_strlen("EAP-pwd Hunting And Pecking"),
128 prfbuf, primebitlen) < 0)
129 goto fail;
130 + if (primebitlen % 8)
131 + buf_shift_right(prfbuf, primebytelen,
132 + 8 - primebitlen % 8);
133
134 crypto_bignum_deinit(x_candidate, 1);
135 x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
136 @@ -214,24 +239,13 @@ int compute_password_element(EAP_PWD_gro
137 goto fail;
138 }
139
140 - /*
141 - * eap_pwd_kdf() returns a string of bits 0..primebitlen but
142 - * BN_bin2bn will treat that string of bits as a big endian
143 - * number. If the primebitlen is not an even multiple of 8
144 - * then excessive bits-- those _after_ primebitlen-- so now
145 - * we have to shift right the amount we masked off.
146 - */
147 - if ((primebitlen % 8) &&
148 - crypto_bignum_rshift(x_candidate,
149 - (8 - (primebitlen % 8)),
150 - x_candidate) < 0)
151 - goto fail;
152 -
153 if (crypto_bignum_cmp(x_candidate, prime) >= 0)
154 continue;
155
156 - wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
157 - prfbuf, primebytelen);
158 + wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
159 + prfbuf, primebytelen);
160 + const_time_select_bin(found, x_bin, prfbuf, primebytelen,
161 + x_bin);
162
163 /*
164 * compute y^2 using the equation of the curve
165 @@ -260,13 +274,15 @@ int compute_password_element(EAP_PWD_gro
166 * Flip a coin, multiply by the random quadratic residue or the
167 * random quadratic nonresidue and record heads or tails.
168 */
169 - if (crypto_bignum_is_odd(tmp1)) {
170 - crypto_bignum_mulmod(tmp2, qr, prime, tmp2);
171 - check = 1;
172 - } else {
173 - crypto_bignum_mulmod(tmp2, qnr, prime, tmp2);
174 - check = -1;
175 - }
176 + mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1);
177 + check = const_time_select_s8(mask, 1, -1);
178 + const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen,
179 + qr_or_qnr_bin);
180 + crypto_bignum_deinit(qr_or_qnr, 1);
181 + qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen);
182 + if (!qr_or_qnr ||
183 + crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0)
184 + goto fail;
185
186 /*
187 * Now it's safe to do legendre, if check is 1 then it's
188 @@ -274,59 +290,12 @@ int compute_password_element(EAP_PWD_gro
189 * change result), if check is -1 then it's the opposite test
190 * (multiplying a qr by qnr would make a qnr).
191 */
192 - if (crypto_bignum_legendre(tmp2, prime) == check) {
193 - if (found == 1)
194 - continue;
195 -
196 - /* need to unambiguously identify the solution */
197 - is_odd = crypto_bignum_is_odd(rnd);
198 -
199 - /*
200 - * We know x_candidate is a quadratic residue so set
201 - * it here.
202 - */
203 - if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe,
204 - x_candidate,
205 - is_odd) != 0) {
206 - wpa_printf(MSG_INFO,
207 - "EAP-pwd: Could not solve for y");
208 - continue;
209 - }
210 -
211 - /*
212 - * If there's a solution to the equation then the point
213 - * must be on the curve so why check again explicitly?
214 - * OpenSSL code says this is required by X9.62. We're
215 - * not X9.62 but it can't hurt just to be sure.
216 - */
217 - if (!crypto_ec_point_is_on_curve(grp->group,
218 - grp->pwe)) {
219 - wpa_printf(MSG_INFO,
220 - "EAP-pwd: point is not on curve");
221 - continue;
222 - }
223 -
224 - if (!crypto_bignum_is_one(cofactor)) {
225 - /* make sure the point is not in a small
226 - * sub-group */
227 - if (crypto_ec_point_mul(grp->group, grp->pwe,
228 - cofactor,
229 - grp->pwe) != 0) {
230 - wpa_printf(MSG_INFO,
231 - "EAP-pwd: cannot multiply generator by order");
232 - continue;
233 - }
234 - if (crypto_ec_point_is_at_infinity(grp->group,
235 - grp->pwe)) {
236 - wpa_printf(MSG_INFO,
237 - "EAP-pwd: point is at infinity");
238 - continue;
239 - }
240 - }
241 - wpa_printf(MSG_DEBUG,
242 - "EAP-pwd: found a PWE in %d tries", ctr);
243 - found = 1;
244 - }
245 + res = crypto_bignum_legendre(tmp2, prime);
246 + if (res == -2)
247 + goto fail;
248 + mask = const_time_eq(res, check);
249 + found_ctr = const_time_select_u8(found, found_ctr, ctr);
250 + found |= mask;
251 }
252 if (found == 0) {
253 wpa_printf(MSG_INFO,
254 @@ -334,6 +303,44 @@ int compute_password_element(EAP_PWD_gro
255 num);
256 goto fail;
257 }
258 +
259 + /*
260 + * We know x_candidate is a quadratic residue so set it here.
261 + */
262 + crypto_bignum_deinit(x_candidate, 1);
263 + x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
264 + if (!x_candidate ||
265 + crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
266 + is_odd) != 0) {
267 + wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
268 + goto fail;
269 + }
270 +
271 + /*
272 + * If there's a solution to the equation then the point must be on the
273 + * curve so why check again explicitly? OpenSSL code says this is
274 + * required by X9.62. We're not X9.62 but it can't hurt just to be sure.
275 + */
276 + if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
277 + wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
278 + goto fail;
279 + }
280 +
281 + if (!crypto_bignum_is_one(cofactor)) {
282 + /* make sure the point is not in a small sub-group */
283 + if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor,
284 + grp->pwe) != 0) {
285 + wpa_printf(MSG_INFO,
286 + "EAP-pwd: cannot multiply generator by order");
287 + goto fail;
288 + }
289 + if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) {
290 + wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity");
291 + goto fail;
292 + }
293 + }
294 + wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
295 +
296 if (0) {
297 fail:
298 crypto_ec_point_deinit(grp->pwe, 1);
299 @@ -343,14 +350,18 @@ int compute_password_element(EAP_PWD_gro
300 /* cleanliness and order.... */
301 crypto_bignum_deinit(cofactor, 1);
302 crypto_bignum_deinit(x_candidate, 1);
303 - crypto_bignum_deinit(rnd, 1);
304 crypto_bignum_deinit(pm1, 0);
305 crypto_bignum_deinit(tmp1, 1);
306 crypto_bignum_deinit(tmp2, 1);
307 crypto_bignum_deinit(qr, 1);
308 crypto_bignum_deinit(qnr, 1);
309 + crypto_bignum_deinit(qr_or_qnr, 1);
310 crypto_bignum_deinit(one, 0);
311 - os_free(prfbuf);
312 + bin_clear_free(prfbuf, primebytelen);
313 + os_memset(qr_bin, 0, sizeof(qr_bin));
314 + os_memset(qnr_bin, 0, sizeof(qnr_bin));
315 + os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
316 + os_memset(pwe_digest, 0, sizeof(pwe_digest));
317
318 return ret;
319 }