mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-14 08:50:14 +00:00
7bed9bf10f
Fixes this security problem: * SAE/EAP-pwd side-channel attack update https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
55 lines
1.9 KiB
Diff
55 lines
1.9 KiB
Diff
From db54db11aec763b6fc74715c36e0f9de0d65e206 Mon Sep 17 00:00:00 2001
|
|
From: Jouni Malinen <jouni@codeaurora.org>
|
|
Date: Mon, 8 Apr 2019 18:01:07 +0300
|
|
Subject: SAE: Reject unsuitable groups based on REVmd changes
|
|
|
|
The rules defining which DH groups are suitable for SAE use were
|
|
accepted into IEEE 802.11 REVmd based on this document:
|
|
https://mentor.ieee.org/802.11/dcn/19/11-19-0387-02-000m-addressing-some-sae-comments.docx
|
|
|
|
Enforce those rules in production builds of wpa_supplicant and hostapd.
|
|
CONFIG_TESTING_OPTIONS=y builds can still be used to select any o the
|
|
implemented groups to maintain testing coverage.
|
|
|
|
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
|
|
---
|
|
src/common/sae.c | 23 +++++++++++++++++++++++
|
|
1 file changed, 23 insertions(+)
|
|
|
|
--- a/src/common/sae.c
|
|
+++ b/src/common/sae.c
|
|
@@ -18,10 +18,33 @@
|
|
#include "sae.h"
|
|
|
|
|
|
+static int sae_suitable_group(int group)
|
|
+{
|
|
+#ifdef CONFIG_TESTING_OPTIONS
|
|
+ /* Allow all groups for testing purposes in non-production builds. */
|
|
+ return 1;
|
|
+#else /* CONFIG_TESTING_OPTIONS */
|
|
+ /* Enforce REVmd rules on which SAE groups are suitable for production
|
|
+ * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
|
|
+ * defined over a prime field whose prime is >= 256 bits. Furthermore,
|
|
+ * ECC groups defined over a characteristic 2 finite field and ECC
|
|
+ * groups with a co-factor greater than 1 are not suitable. */
|
|
+ return group == 19 || group == 20 || group == 21 ||
|
|
+ group == 28 || group == 29 || group == 30 ||
|
|
+ group == 15 || group == 16 || group == 17 || group == 18;
|
|
+#endif /* CONFIG_TESTING_OPTIONS */
|
|
+}
|
|
+
|
|
+
|
|
int sae_set_group(struct sae_data *sae, int group)
|
|
{
|
|
struct sae_temporary_data *tmp;
|
|
|
|
+ if (!sae_suitable_group(group)) {
|
|
+ wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
sae_clear_data(sae);
|
|
tmp = sae->tmp = os_zalloc(sizeof(*tmp));
|
|
if (tmp == NULL)
|