diff options
7 files changed, 1447 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch new file mode 100644 index 0000000000..32fad29cf6 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch @@ -0,0 +1,939 @@ +The WPA2 four-way handshake protocol is vulnerable to replay attacks which can +result in unauthenticated clients gaining access to the network. + +Backport a number of patches from upstream to fix this. + +CVE: CVE-2017-13077 +CVE: CVE-2017-13078 +CVE: CVE-2017-13079 +CVE: CVE-2017-13080 +CVE: CVE-2017-13081 +CVE: CVE-2017-13082 +CVE: CVE-2017-13086 +CVE: CVE-2017-13087 +CVE: CVE-2017-13088 + +Thanks to Wind River for the backport from upstream master to wpa_supplicant +2.5. + +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From 9a4a0f78bb2ad516d4a295fb5d042f8a61bd3f47 Mon Sep 17 00:00:00 2001 +From: Haiqing Bai <Haiqing.Bai@windriver.com> +Date: Thu, 12 Oct 2017 10:13:17 +0800 +Subject: [PATCH 1/7] hostapd: Avoid key reinstallation in FT handshake + +Do not reinstall TK to the driver during Reassociation Response frame +processing if the first attempt of setting the TK succeeded. This avoids +issues related to clearing the TX/RX PN that could result in reusing +same PN values for transmitted frames (e.g., due to CCM nonce reuse and +also hitting replay protection on the receiver) and accepting replayed +frames on RX side. + +This issue was introduced by the commit +0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in +authenticator') which allowed wpa_ft_install_ptk() to be called multiple +times with the same PTK. While the second configuration attempt is +needed with some drivers, it must be done only if the first attempt +failed. + +Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> + +Upstream-Status: Backport + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +--- + src/ap/wpa_auth.c | 9 +++++++++ + src/ap/wpa_auth.h | 3 ++- + src/ap/wpa_auth_ft.c | 10 ++++++++++ + src/ap/wpa_auth_i.h | 1 + + 4 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c +index 2760a3f..b38a64d 100644 +--- a/src/ap/wpa_auth.c ++++ b/src/ap/wpa_auth.c +@@ -1740,6 +1740,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) + #else /* CONFIG_IEEE80211R */ + break; + #endif /* CONFIG_IEEE80211R */ ++ case WPA_DRV_STA_REMOVED: ++ sm->tk_already_set = FALSE; ++ return 0; + } + + #ifdef CONFIG_IEEE80211R +@@ -3208,6 +3211,12 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) + return sm->wpa; + } + ++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) ++{ ++ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) ++ return 0; ++ return sm->tk_already_set; ++} + + int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, + struct rsn_pmksa_cache_entry *entry) +diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h +index fd04f16..3e53461 100644 +--- a/src/ap/wpa_auth.h ++++ b/src/ap/wpa_auth.h +@@ -258,7 +258,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, + u8 *data, size_t data_len); + enum wpa_event { + WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, +- WPA_REAUTH_EAPOL, WPA_ASSOC_FT ++ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED + }; + void wpa_remove_ptk(struct wpa_state_machine *sm); + int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); +@@ -271,6 +271,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); + int wpa_auth_get_pairwise(struct wpa_state_machine *sm); + int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); + int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); ++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); + int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, + struct rsn_pmksa_cache_entry *entry); + struct rsn_pmksa_cache_entry * +diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c +index eeaffbf..f8f5dbe 100644 +--- a/src/ap/wpa_auth_ft.c ++++ b/src/ap/wpa_auth_ft.c +@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) + return; + } + ++ if (sm->tk_already_set) { ++ /* Must avoid TK reconfiguration to prevent clearing of TX/RX ++ * PN in the driver */ ++ wpa_printf(MSG_DEBUG, ++ "FT: Do not re-install same PTK to the driver"); ++ return; ++ } ++ + /* FIX: add STA entry to kernel/driver here? The set_key will fail + * most likely without this.. At the moment, STA entry is added only + * after association has been completed. This function will be called +@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) + + /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ + sm->pairwise_set = TRUE; ++ sm->tk_already_set = TRUE; + } + + +@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, + + sm->pairwise = pairwise; + sm->PTK_valid = TRUE; ++ sm->tk_already_set = FALSE; + wpa_ft_install_ptk(sm); + + buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + +diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h +index 57b098f..234d84c 100644 +--- a/src/ap/wpa_auth_i.h ++++ b/src/ap/wpa_auth_i.h +@@ -64,6 +64,7 @@ struct wpa_state_machine { + struct wpa_ptk PTK; + Boolean PTK_valid; + Boolean pairwise_set; ++ Boolean tk_already_set; + int keycount; + Boolean Pair; + struct wpa_key_replay_counter { +-- +1.9.1 + +From d0d1adad8792ae948743031543db8839f83db829 Mon Sep 17 00:00:00 2001 +From: Haiqing Bai <Haiqing.Bai@windriver.com> +Date: Thu, 12 Oct 2017 13:18:59 +0800 +Subject: [PATCH 2/7] Prevent reinstallation of an already in-use group key + +Track the current GTK and IGTK that is in use and when receiving a +(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do +not install the given key if it is already in use. This prevents an +attacker from trying to trick the client into resetting or lowering the +sequence counter associated to the group key. + +Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> + +Upstream-Status: Backport + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +--- + src/common/wpa_common.h | 11 +++++ + src/rsn_supp/wpa.c | 119 +++++++++++++++++++++++++++++------------------- + src/rsn_supp/wpa_i.h | 4 ++ + 3 files changed, 88 insertions(+), 46 deletions(-) + +diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h +index c08f651..21e13da 100644 +--- a/src/common/wpa_common.h ++++ b/src/common/wpa_common.h +@@ -215,6 +215,17 @@ struct wpa_ptk { + size_t tk_len; + }; + ++struct wpa_gtk { ++ u8 gtk[WPA_GTK_MAX_LEN]; ++ size_t gtk_len; ++}; ++ ++#ifdef CONFIG_IEEE80211W ++struct wpa_igtk { ++ u8 igtk[WPA_IGTK_MAX_LEN]; ++ size_t igtk_len; ++}; ++#endif /* CONFIG_IEEE80211W */ + + /* WPA IE version 1 + * 00-50-f2:1 (OUI:OUI type) +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index a9f255e..eab7151 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -697,6 +697,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, + const u8 *_gtk = gd->gtk; + u8 gtk_buf[32]; + ++ /* Detect possible key reinstallation */ ++ if (sm->gtk.gtk_len == (size_t) gd->gtk_len && ++ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { ++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, ++ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", ++ gd->keyidx, gd->tx, gd->gtk_len); ++ return 0; ++ } ++ + wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", +@@ -731,6 +740,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, + } + os_memset(gtk_buf, 0, sizeof(gtk_buf)); + ++ sm->gtk.gtk_len = gd->gtk_len; ++ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); ++ + return 0; + } + +@@ -801,6 +813,47 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, + return 0; + } + ++#ifdef CONFIG_IEEE80211W ++static int wpa_supplicant_install_igtk(struct wpa_sm *sm, ++ const struct wpa_igtk_kde *igtk) ++{ ++ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); ++ u16 keyidx = WPA_GET_LE16(igtk->keyid); ++ ++ /* Detect possible key reinstallation */ ++ if (sm->igtk.igtk_len == len && ++ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { ++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, ++ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", ++ keyidx); ++ return 0; ++ } ++ ++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, ++ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", ++ keyidx, MAC2STR(igtk->pn)); ++ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); ++ if (keyidx > 4095) { ++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, ++ "WPA: Invalid IGTK KeyID %d", keyidx); ++ return -1; ++ } ++ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), ++ broadcast_ether_addr, ++ keyidx, 0, igtk->pn, sizeof(igtk->pn), ++ igtk->igtk, len) < 0) { ++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, ++ "WPA: Failed to configure IGTK to the driver"); ++ return -1; ++ } ++ ++ sm->igtk.igtk_len = len; ++ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); ++ ++ return 0; ++} ++#endif /* CONFIG_IEEE80211W */ ++ + + static int ieee80211w_set_keys(struct wpa_sm *sm, + struct wpa_eapol_ie_parse *ie) +@@ -812,30 +865,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, + if (ie->igtk) { + size_t len; + const struct wpa_igtk_kde *igtk; +- u16 keyidx; ++ + len = wpa_cipher_key_len(sm->mgmt_group_cipher); + if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) + return -1; ++ + igtk = (const struct wpa_igtk_kde *) ie->igtk; +- keyidx = WPA_GET_LE16(igtk->keyid); +- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " +- "pn %02x%02x%02x%02x%02x%02x", +- keyidx, MAC2STR(igtk->pn)); +- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", +- igtk->igtk, len); +- if (keyidx > 4095) { +- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, +- "WPA: Invalid IGTK KeyID %d", keyidx); +- return -1; +- } +- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), +- broadcast_ether_addr, +- keyidx, 0, igtk->pn, sizeof(igtk->pn), +- igtk->igtk, len) < 0) { +- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, +- "WPA: Failed to configure IGTK to the driver"); +- return -1; +- } ++ if (wpa_supplicant_install_igtk(sm, igtk) < 0) ++ return -1; + } + + return 0; +@@ -2251,7 +2288,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) + */ + void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) + { +- int clear_ptk = 1; ++ int clear_keys = 1; + + if (sm == NULL) + return; +@@ -2277,11 +2314,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) + /* Prepare for the next transition */ + wpa_ft_prepare_auth_request(sm, NULL); + +- clear_ptk = 0; ++ clear_keys = 0; + } + #endif /* CONFIG_IEEE80211R */ + +- if (clear_ptk) { ++ if (clear_keys) { + /* + * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if + * this is not part of a Fast BSS Transition. +@@ -2291,6 +2328,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) + os_memset(&sm->ptk, 0, sizeof(sm->ptk)); + sm->tptk_set = 0; + os_memset(&sm->tptk, 0, sizeof(sm->tptk)); ++ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); ++#ifdef CONFIG_IEEE80211W ++ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); ++#endif /* CONFIG_IEEE80211W */ + } + + #ifdef CONFIG_TDLS +@@ -2807,6 +2848,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) + os_memset(sm->pmk, 0, sizeof(sm->pmk)); + os_memset(&sm->ptk, 0, sizeof(sm->ptk)); + os_memset(&sm->tptk, 0, sizeof(sm->tptk)); ++ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); ++#ifdef CONFIG_IEEE80211W ++ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); ++#endif /* CONFIG_IEEE80211W */ + #ifdef CONFIG_IEEE80211R + os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); + os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); +@@ -2879,29 +2924,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) + os_memset(&gd, 0, sizeof(gd)); + #ifdef CONFIG_IEEE80211W + } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { +- struct wpa_igtk_kde igd; +- u16 keyidx; +- +- os_memset(&igd, 0, sizeof(igd)); +- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); +- os_memcpy(igd.keyid, buf + 2, 2); +- os_memcpy(igd.pn, buf + 4, 6); +- +- keyidx = WPA_GET_LE16(igd.keyid); +- os_memcpy(igd.igtk, buf + 10, keylen); +- +- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", +- igd.igtk, keylen); +- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), +- broadcast_ether_addr, +- keyidx, 0, igd.pn, sizeof(igd.pn), +- igd.igtk, keylen) < 0) { +- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " +- "WNM mode"); +- os_memset(&igd, 0, sizeof(igd)); +- return -1; +- } +- os_memset(&igd, 0, sizeof(igd)); ++ const struct wpa_igtk_kde *igtk; ++ ++ igtk = (const struct wpa_igtk_kde *) (buf + 2); ++ if (wpa_supplicant_install_igtk(sm, igtk) < 0) ++ return -1; + #endif /* CONFIG_IEEE80211W */ + } else { + wpa_printf(MSG_DEBUG, "Unknown element id"); +diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h +index 965a9c1..27b6123 100644 +--- a/src/rsn_supp/wpa_i.h ++++ b/src/rsn_supp/wpa_i.h +@@ -30,6 +30,10 @@ struct wpa_sm { + u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; + int rx_replay_counter_set; + u8 request_counter[WPA_REPLAY_COUNTER_LEN]; ++ struct wpa_gtk gtk; ++#ifdef CONFIG_IEEE80211W ++ struct wpa_igtk igtk; ++#endif /* CONFIG_IEEE80211W */ + + struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ + +-- +1.9.1 + +From 76c0d1a21f0ebf00119e50bc57776d393ee4a30d Mon Sep 17 00:00:00 2001 +From: Haiqing Bai <Haiqing.Bai@windriver.com> +Date: Thu, 12 Oct 2017 17:31:46 +0800 +Subject: [PATCH 3/7] Extend protection of GTK/IGTK reinstallation of WNM-Sleep + Mode cases + +This extends the protection to track last configured GTK/IGTK value +separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a +corner case where these two different mechanisms may get used when the +GTK/IGTK has changed and tracking a single value is not sufficient to +detect a possible key reconfiguration. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +--- + src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++--------------- + src/rsn_supp/wpa_i.h | 2 ++ + 2 files changed, 40 insertions(+), 15 deletions(-) + +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index eab7151..e7b5ca8 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -692,14 +692,17 @@ struct wpa_gtk_data { + + static int wpa_supplicant_install_gtk(struct wpa_sm *sm, + const struct wpa_gtk_data *gd, +- const u8 *key_rsc) ++ const u8 *key_rsc, int wnm_sleep) + { + const u8 *_gtk = gd->gtk; + u8 gtk_buf[32]; + + /* Detect possible key reinstallation */ +- if (sm->gtk.gtk_len == (size_t) gd->gtk_len && +- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { ++ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && ++ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || ++ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && ++ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, ++ sm->gtk_wnm_sleep.gtk_len) == 0)) { + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", + gd->keyidx, gd->tx, gd->gtk_len); +@@ -740,8 +743,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, + } + os_memset(gtk_buf, 0, sizeof(gtk_buf)); + +- sm->gtk.gtk_len = gd->gtk_len; +- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); ++ if (wnm_sleep) { ++ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; ++ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, ++ sm->gtk_wnm_sleep.gtk_len); ++ } else { ++ sm->gtk.gtk_len = gd->gtk_len; ++ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); ++ } + + return 0; + } +@@ -800,7 +809,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, + (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, + gtk_len, gtk_len, + &gd.key_rsc_len, &gd.alg) || +- wpa_supplicant_install_gtk(sm, &gd, key->key_rsc))) { ++ wpa_supplicant_install_gtk(sm, &gd, key->key_rsc, 0))) { + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "RSN: Failed to install GTK"); + os_memset(&gd, 0, sizeof(gd)); +@@ -815,14 +824,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, + + #ifdef CONFIG_IEEE80211W + static int wpa_supplicant_install_igtk(struct wpa_sm *sm, +- const struct wpa_igtk_kde *igtk) ++ const struct wpa_igtk_kde *igtk, ++ int wnm_sleep) + { + size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); + u16 keyidx = WPA_GET_LE16(igtk->keyid); + + /* Detect possible key reinstallation */ +- if (sm->igtk.igtk_len == len && +- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { ++ if ((sm->igtk.igtk_len == len && ++ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || ++ (sm->igtk_wnm_sleep.igtk_len == len && ++ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, ++ sm->igtk_wnm_sleep.igtk_len) == 0)) { + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", + keyidx); +@@ -847,8 +860,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, + return -1; + } + +- sm->igtk.igtk_len = len; +- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); ++ if (wnm_sleep) { ++ sm->igtk_wnm_sleep.igtk_len = len; ++ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, ++ sm->igtk_wnm_sleep.igtk_len); ++ } else { ++ sm->igtk.igtk_len = len; ++ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); ++ } + + return 0; + } +@@ -871,7 +890,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, + return -1; + + igtk = (const struct wpa_igtk_kde *) ie->igtk; +- if (wpa_supplicant_install_igtk(sm, igtk) < 0) ++ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) + return -1; + } + +@@ -1520,7 +1539,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, + if (ret) + goto failed; + +- if (wpa_supplicant_install_gtk(sm, &gd, key->key_rsc) || ++ if (wpa_supplicant_install_gtk(sm, &gd, key->key_rsc, 0) || + wpa_supplicant_send_2_of_2(sm, key, ver, key_info)) + goto failed; + os_memset(&gd, 0, sizeof(gd)); +@@ -2329,8 +2348,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) + sm->tptk_set = 0; + os_memset(&sm->tptk, 0, sizeof(sm->tptk)); + os_memset(&sm->gtk, 0, sizeof(sm->gtk)); ++ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); + #ifdef CONFIG_IEEE80211W + os_memset(&sm->igtk, 0, sizeof(sm->igtk)); ++ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); + #endif /* CONFIG_IEEE80211W */ + } + +@@ -2849,8 +2870,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) + os_memset(&sm->ptk, 0, sizeof(sm->ptk)); + os_memset(&sm->tptk, 0, sizeof(sm->tptk)); + os_memset(&sm->gtk, 0, sizeof(sm->gtk)); ++ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); + #ifdef CONFIG_IEEE80211W + os_memset(&sm->igtk, 0, sizeof(sm->igtk)); ++ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); + #endif /* CONFIG_IEEE80211W */ + #ifdef CONFIG_IEEE80211R + os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); +@@ -2915,7 +2938,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) + + wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", + gd.gtk, gd.gtk_len); +- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { ++ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { + os_memset(&gd, 0, sizeof(gd)); + wpa_printf(MSG_DEBUG, "Failed to install the GTK in " + "WNM mode"); +@@ -2927,7 +2950,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) + const struct wpa_igtk_kde *igtk; + + igtk = (const struct wpa_igtk_kde *) (buf + 2); +- if (wpa_supplicant_install_igtk(sm, igtk) < 0) ++ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) + return -1; + #endif /* CONFIG_IEEE80211W */ + } else { +diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h +index 27b6123..51753ee 100644 +--- a/src/rsn_supp/wpa_i.h ++++ b/src/rsn_supp/wpa_i.h +@@ -31,8 +31,10 @@ struct wpa_sm { + int rx_replay_counter_set; + u8 request_counter[WPA_REPLAY_COUNTER_LEN]; + struct wpa_gtk gtk; ++ struct wpa_gtk gtk_wnm_sleep; + #ifdef CONFIG_IEEE80211W + struct wpa_igtk igtk; ++ struct wpa_igtk igtk_wnm_sleep; + #endif /* CONFIG_IEEE80211W */ + + struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ +-- +1.9.1 + +From dc0d33ee697d016f14d0b6f3330720de2dfa9ad8 Mon Sep 17 00:00:00 2001 +From: Haiqing Bai <Haiqing.Bai@windriver.com> +Date: Thu, 12 Oct 2017 17:55:19 +0800 +Subject: [PATCH 4/7] Prevent installation of an all-zero TK + +Properly track whether a PTK has already been installed to the driver +and the TK part cleared from memory. This prevents an attacker from +trying to trick the client into installing an all-zero TK. + +Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> + +Upstream-Status: Backport + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +--- + src/common/wpa_common.h | 1 + + src/rsn_supp/wpa.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h +index 21e13da..a04e759 100644 +--- a/src/common/wpa_common.h ++++ b/src/common/wpa_common.h +@@ -213,6 +213,7 @@ struct wpa_ptk { + size_t kck_len; + size_t kek_len; + size_t tk_len; ++ int installed; /* 1 if key has already been installed to driver */ + }; + + struct wpa_gtk { +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index e7b5ca8..cb69b67 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -605,6 +605,12 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, + const u8 *key_rsc; + u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; + ++ if (sm->ptk.installed) { ++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, ++ "WPA: Do not re-install same PTK to the driver"); ++ return 0; ++ } ++ + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Installing PTK to the driver"); + +@@ -643,6 +649,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, + + /* TK is not needed anymore in supplicant */ + os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); ++ sm->ptk.installed = 1; + + if (sm->wpa_ptk_rekey) { + eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); +-- +1.9.1 + +From 9831007c38f18cd70a077fccc22c836100867138 Mon Sep 17 00:00:00 2001 +From: Haiqing Bai <Haiqing.Bai@windriver.com> +Date: Thu, 12 Oct 2017 19:45:13 +0800 +Subject: [PATCH 5/7] Fix PTK rekeying to generate a new ANonce + +The Authenticator state machine path for PTK rekeying ended up bypassing +the AUTHENTICATION2 state where a new ANonce is generated when going +directly to the PTKSTART state since there is no need to try to +determine the PMK again in such a case. This is far from ideal since the +new PTK would depend on a new nonce only from the supplicant. + +Fix this by generating a new ANonce when moving to the PTKSTART state +for the purpose of starting new 4-way handshake to rekey PTK. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +--- + src/ap/wpa_auth.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c +index b38a64d..c603b1b 100644 +--- a/src/ap/wpa_auth.c ++++ b/src/ap/wpa_auth.c +@@ -1895,6 +1895,20 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) + sm->TimeoutCtr = 0; + } + ++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) ++{ ++ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { ++ wpa_printf(MSG_ERROR, ++ "WPA: Failed to get random data for ANonce"); ++ sm->Disconnect = TRUE; ++ return -1; ++ } ++ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, ++ WPA_NONCE_LEN); ++ sm->TimeoutCtr = 0; ++ return 0; ++} ++ + + SM_STATE(WPA_PTK, INITPMK) + { +@@ -2417,9 +2431,12 @@ SM_STEP(WPA_PTK) + SM_ENTER(WPA_PTK, AUTHENTICATION); + else if (sm->ReAuthenticationRequest) + SM_ENTER(WPA_PTK, AUTHENTICATION2); +- else if (sm->PTKRequest) +- SM_ENTER(WPA_PTK, PTKSTART); +- else switch (sm->wpa_ptk_state) { ++ else if (sm->PTKRequest) { ++ if (wpa_auth_sm_ptk_update(sm) < 0) ++ SM_ENTER(WPA_PTK, DISCONNECTED); ++ else ++ SM_ENTER(WPA_PTK, PTKSTART); ++ } else switch (sm->wpa_ptk_state) { + case WPA_PTK_INITIALIZE: + break; + case WPA_PTK_DISCONNECT: +-- +1.9.1 + +From 7ec70b3c5a5e32f7687999ef21c608524dcf35b9 Mon Sep 17 00:00:00 2001 +From: Haiqing Bai <Haiqing.Bai@windriver.com> +Date: Thu, 12 Oct 2017 20:09:26 +0800 +Subject: [PATCH 6/7] TDLS: Reject TPK-TK reconfiguration + +Do not try to reconfigure the same TPK-TK to the driver after it has +been successfully configured. This is an explicit check to avoid issues +related to resetting the TX/RX packet number. There was already a check +for this for TPK M2 (retries of that message are ignored completely), so +that behavior does not get modified. + +For TPK M3, the TPK-TK could have been reconfigured, but that was +followed by immediate teardown of the link due to an issue in updating +the STA entry. Furthermore, for TDLS with any real security (i.e., +ignoring open/WEP), the TPK message exchange is protected on the AP path +and simple replay attacks are not feasible. + +As an additional corner case, make sure the local nonce gets updated if +the peer uses a very unlikely "random nonce" of all zeros. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +--- + src/rsn_supp/tdls.c | 36 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c +index 722c20a..0878c62 100644 +--- a/src/rsn_supp/tdls.c ++++ b/src/rsn_supp/tdls.c +@@ -112,6 +112,7 @@ struct wpa_tdls_peer { + u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ + } tpk; + int tpk_set; ++ int tk_set; /* TPK-TK configured to the driver */ + int tpk_success; + int tpk_in_progress; + +@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) + u8 rsc[6]; + enum wpa_alg alg; + ++ if (peer->tk_set) { ++ /* ++ * This same TPK-TK has already been configured to the driver ++ * and this new configuration attempt (likely due to an ++ * unexpected retransmitted frame) would result in clearing ++ * the TX/RX sequence number which can break security, so must ++ * not allow that to happen. ++ */ ++ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR ++ " has already been configured to the driver - do not reconfigure", ++ MAC2STR(peer->addr)); ++ return -1; ++ } ++ + os_memset(rsc, 0, 6); + + switch (peer->cipher) { +@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) + return -1; + } + ++ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, ++ MAC2STR(peer->addr)); + if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, + rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { + wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " + "driver"); + return -1; + } ++ peer->tk_set = 1; + return 0; + } + +@@ -690,7 +708,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) + peer->cipher = 0; + peer->qos_info = 0; + peer->wmm_capable = 0; +- peer->tpk_set = peer->tpk_success = 0; ++ peer->tk_set = peer->tpk_set = peer->tpk_success = 0; + peer->chan_switch_enabled = 0; + os_memset(&peer->tpk, 0, sizeof(peer->tpk)); + os_memset(peer->inonce, 0, WPA_NONCE_LEN); +@@ -1153,6 +1171,7 @@ skip_rsnie: + wpa_tdls_peer_free(sm, peer); + return -1; + } ++ peer->tk_set = 0; /* A new nonce results in a new TK */ + wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", + peer->inonce, WPA_NONCE_LEN); + os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); +@@ -1744,6 +1763,17 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, + peer->supp_oper_classes_len); + } + ++static int tdls_nonce_set(const u8 *nonce) ++{ ++ int i; ++ ++ for (i = 0; i < WPA_NONCE_LEN; i++) { ++ if (nonce[i]) ++ return 1; ++ } ++ ++ return 0; ++} + + static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, + const u8 *buf, size_t len) +@@ -1998,7 +2028,8 @@ skip_rsn: + peer->rsnie_i_len = kde.rsn_ie_len; + peer->cipher = cipher; + +- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { ++ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || ++ !tdls_nonce_set(peer->inonce)) { + /* + * There is no point in updating the RNonce for every obtained + * TPK M1 frame (e.g., retransmission due to timeout) with the +@@ -2014,6 +2045,7 @@ skip_rsn: + "TDLS: Failed to get random data for responder nonce"); + goto error; + } ++ peer->tk_set = 0; /* A new nonce results in a new TK */ + } + + #if 0 +-- +1.9.1 + +From 642f5eadf775b41bf3ddd8ffe77c33e785bda48f Mon Sep 17 00:00:00 2001 +From: Haiqing Bai <Haiqing.Bai@windriver.com> +Date: Thu, 12 Oct 2017 20:36:56 +0800 +Subject: [PATCH 7/7] FT: Do not allow multiple Reassociation Response frames + +The driver is expected to not report a second association event without +the station having explicitly request a new association. As such, this +case should not be reachable. However, since reconfiguring the same +pairwise or group keys to the driver could result in nonce reuse issues, +be extra careful here and do an additional state check to avoid this +even if the local driver ends up somehow accepting an unexpected +Reassociation Response frame. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +--- + src/rsn_supp/wpa.c | 3 +++ + src/rsn_supp/wpa_ft.c | 8 ++++++++ + src/rsn_supp/wpa_i.h | 1 + + 3 files changed, 12 insertions(+) + +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index cb69b67..05e5168 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -2391,6 +2391,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) + #ifdef CONFIG_TDLS + wpa_tdls_disassoc(sm); + #endif /* CONFIG_TDLS */ ++#ifdef CONFIG_IEEE80211R ++ sm->ft_reassoc_completed = 0; ++#endif /* CONFIG_IEEE80211R */ + + /* Keys are not needed in the WPA state machine anymore */ + wpa_sm_drop_sa(sm); +diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c +index 205793e..d45bb45 100644 +--- a/src/rsn_supp/wpa_ft.c ++++ b/src/rsn_supp/wpa_ft.c +@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, + u16 capab; + + sm->ft_completed = 0; ++ sm->ft_reassoc_completed = 0; + + buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + + 2 + sm->r0kh_id_len + ric_ies_len + 100; +@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, + return -1; + } + ++ if (sm->ft_reassoc_completed) { ++ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); ++ return 0; ++ } ++ + if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { + wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); + return -1; +@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, + return -1; + } + ++ sm->ft_reassoc_completed = 1; ++ + if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) + return -1; + +diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h +index 51753ee..85cc862 100644 +--- a/src/rsn_supp/wpa_i.h ++++ b/src/rsn_supp/wpa_i.h +@@ -127,6 +127,7 @@ struct wpa_sm { + size_t r0kh_id_len; + u8 r1kh_id[FT_R1KH_ID_LEN]; + int ft_completed; ++ int ft_reassoc_completed; + int over_the_ds_in_progress; + u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ + int set_ptk_after_assoc; +-- +1.9.1 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb index a4160e1c5c..f4b3b6a887 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb @@ -29,6 +29,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch \ file://0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch \ file://0003-Reject-SET-commands-with-newline-characters-in-the-s.patch \ + file://key-replay-cve-multiple.patch \ " SRC_URI[md5sum] = "96ff75c3a514f1f324560a2376f13110" SRC_URI[sha256sum] = "cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316" diff --git a/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/meta/recipes-core/initrdscripts/files/init-install-efi.sh index d58826a240..d4c5fb3297 100644 --- a/meta/recipes-core/initrdscripts/files/init-install-efi.sh +++ b/meta/recipes-core/initrdscripts/files/init-install-efi.sh @@ -138,6 +138,12 @@ if [ ! "${device#/dev/mmcblk}" = "${device}" ]; then part_prefix="p" rootwait="rootwait" fi + +# USB devices also require rootwait +if [ -n `readlink /dev/disk/by-id/usb* | grep $TARGET_DEVICE_NAME` ]; then + rootwait="rootwait" +fi + bootfs=${device}${part_prefix}1 rootfs=${device}${part_prefix}2 swap=${device}${part_prefix}3 diff --git a/meta/recipes-core/initrdscripts/files/init-install.sh b/meta/recipes-core/initrdscripts/files/init-install.sh index c5623eeb26..fddaf6aa82 100644 --- a/meta/recipes-core/initrdscripts/files/init-install.sh +++ b/meta/recipes-core/initrdscripts/files/init-install.sh @@ -146,6 +146,11 @@ if [ ! "${device#/dev/mmcblk}" = "${device}" ]; then rootwait="rootwait" fi +# USB devices also require rootwait +if [ -n `readlink /dev/disk/by-id/usb* | grep $TARGET_DEVICE_NAME` ]; then + rootwait="rootwait" +fi + if [ $grub_version -eq 0 ] ; then bios_boot='' bootfs=${device}${part_prefix}1 diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch new file mode 100644 index 0000000000..f6c4ca76f3 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch @@ -0,0 +1,39 @@ +CVE: CVE-2017-9526 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From b3cab278eb9c2ceda79f980bc26460d97f260041 Mon Sep 17 00:00:00 2001 +From: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be> +Date: Thu, 19 Jan 2017 17:00:15 +0100 +Subject: [PATCH] ecc: Store EdDSA session key in secure memory. + +* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate +session key. +-- + +An attacker who learns the EdDSA session key from side-channel +observation during the signing process, can easily revover the long- +term secret key. Storing the session key in secure memory ensures that +constant time point operations are used in the MPI library. + +Signed-off-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be> +--- + cipher/ecc-eddsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c +index f91f8489..813e030d 100644 +--- a/cipher/ecc-eddsa.c ++++ b/cipher/ecc-eddsa.c +@@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey, + a = mpi_snew (0); + x = mpi_new (0); + y = mpi_new (0); +- r = mpi_new (0); ++ r = mpi_snew (0); + ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0, + skey->E.p, skey->E.a, skey->E.b); + b = (ctx->nbits+7)/8; +-- +2.11.0 + diff --git a/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch new file mode 100644 index 0000000000..c9541d44f3 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch @@ -0,0 +1,455 @@ +Flush+reload side-channel attack on RSA secret keys dubbed "Sliding right +into disaster". + +CVE: CVE-2017-7526 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From 8ae178108eb3c64b40dcb4d1c1943205a86db724 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Tue, 4 Apr 2017 17:38:05 +0900 +Subject: [PATCH 1/5] mpi: Simplify mpi_powm. + +* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop. + +-- + +This fix is not a solution for the problem reported (yet). The +problem is that the current algorithm of _gcry_mpi_powm depends on +exponent and some information leaks is possible. + +Reported-by: Andreas Zankl <andreas.zankl@aisec.fraunhofer.de> +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> + +(backport from master commit: +719468e53133d3bdf12156c5bfdea2bf15f9f6f1) + +Signed-off-by: Ross Burton <ross.burton@intel.com> +--- + mpi/mpi-pow.c | 105 +++++++++++++++++----------------------------------------- + 1 file changed, 30 insertions(+), 75 deletions(-) + +diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c +index 70bf9e84..c00cfed3 100644 +--- a/mpi/mpi-pow.c ++++ b/mpi/mpi-pow.c +@@ -613,12 +613,8 @@ _gcry_mpi_powm (gcry_mpi_t res, + if (e == 0) + { + j += c; +- i--; +- if ( i < 0 ) +- { +- c = 0; +- break; +- } ++ if ( --i < 0 ) ++ break; + + e = ep[i]; + c = BITS_PER_MPI_LIMB; +@@ -633,38 +629,33 @@ _gcry_mpi_powm (gcry_mpi_t res, + c -= c0; + j += c0; + ++ e0 = (e >> (BITS_PER_MPI_LIMB - W)); + if (c >= W) +- { +- e0 = (e >> (BITS_PER_MPI_LIMB - W)); +- e = (e << W); +- c -= W; +- } ++ c0 = 0; + else + { +- i--; +- if ( i < 0 ) ++ if ( --i < 0 ) + { +- e = (e >> (BITS_PER_MPI_LIMB - c)); +- break; ++ e0 = (e >> (BITS_PER_MPI_LIMB - c)); ++ j += c - W; ++ goto last_step; ++ } ++ else ++ { ++ c0 = c; ++ e = ep[i]; ++ c = BITS_PER_MPI_LIMB; ++ e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0))); + } +- +- c0 = c; +- e0 = (e >> (BITS_PER_MPI_LIMB - W)) +- | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0)); +- e = (ep[i] << (W - c0)); +- c = BITS_PER_MPI_LIMB - W + c0; + } + ++ e = e << (W - c0); ++ c -= (W - c0); ++ ++ last_step: + count_trailing_zeros (c0, e0); + e0 = (e0 >> c0) >> 1; + +- for (j += W - c0; j; j--) +- { +- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; +- } +- + /* + * base_u <= precomp[e0] + * base_u_size <= precomp_size[e0] +@@ -681,25 +672,23 @@ _gcry_mpi_powm (gcry_mpi_t res, + u.d = precomp[k]; + + mpi_set_cond (&w, &u, k == e0); +- base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); ++ base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); + } + +- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, +- mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; ++ for (j += W - c0; j >= 0; j--) ++ { ++ mul_mod (xp, &xsize, rp, rsize, ++ j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize, ++ mp, msize, &karactx); ++ tp = rp; rp = xp; xp = tp; ++ rsize = xsize; ++ } + + j = c0; ++ if ( i < 0 ) ++ break; + } + +- if (c != 0) +- { +- j += c; +- count_trailing_zeros (c, e); +- e = (e >> c); +- j -= c; +- } +- + while (j--) + { + mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); +@@ -707,40 +696,6 @@ _gcry_mpi_powm (gcry_mpi_t res, + rsize = xsize; + } + +- if (e != 0) +- { +- /* +- * base_u <= precomp[(e>>1)] +- * base_u_size <= precomp_size[(e>>1)] +- */ +- base_u_size = 0; +- for (k = 0; k < (1<< (W - 1)); k++) +- { +- struct gcry_mpi w, u; +- w.alloced = w.nlimbs = precomp_size[k]; +- u.alloced = u.nlimbs = precomp_size[k]; +- w.sign = u.sign = 0; +- w.flags = u.flags = 0; +- w.d = base_u; +- u.d = precomp[k]; +- +- mpi_set_cond (&w, &u, k == (e>>1)); +- base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) ); +- } +- +- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, +- mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; +- +- for (; c; c--) +- { +- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; +- } +- } +- + /* We shifted MOD, the modulo reduction argument, left + MOD_SHIFT_CNT steps. Adjust the result by reducing it with the + original MOD. +-- +2.11.0 + + +From ab6d34849f33d16e1da2b09e3d938bcb0f48f682 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Sat, 24 Jun 2017 20:46:20 +0900 +Subject: [PATCH 2/5] Same computation for square and multiply. + +* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move +the assignment to base_u into the loop. Copy content refered by RP to +BASE_U except the last of the loop. + +-- + +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +(backport from master commit: +78130828e9a140a9de4dafadbc844dbb64cb709a) + +Signed-off-by: Ross Burton <ross.burton@intel.com> +--- + mpi/mpi-pow.c | 50 +++++++++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 21 deletions(-) + +diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c +index c00cfed3..0d74f28c 100644 +--- a/mpi/mpi-pow.c ++++ b/mpi/mpi-pow.c +@@ -577,6 +577,8 @@ _gcry_mpi_powm (gcry_mpi_t res, + MPN_COPY (precomp[i], rp, rsize); + } + ++ if (msize > max_u_size) ++ max_u_size = msize; + base_u = mpi_alloc_limb_space (max_u_size, esec); + MPN_ZERO (base_u, max_u_size); + +@@ -623,6 +625,10 @@ _gcry_mpi_powm (gcry_mpi_t res, + { + int c0; + mpi_limb_t e0; ++ struct gcry_mpi w, u; ++ w.sign = u.sign = 0; ++ w.flags = u.flags = 0; ++ w.d = base_u; + + count_leading_zeros (c0, e); + e = (e << c0); +@@ -656,29 +662,31 @@ _gcry_mpi_powm (gcry_mpi_t res, + count_trailing_zeros (c0, e0); + e0 = (e0 >> c0) >> 1; + +- /* +- * base_u <= precomp[e0] +- * base_u_size <= precomp_size[e0] +- */ +- base_u_size = 0; +- for (k = 0; k < (1<< (W - 1)); k++) +- { +- struct gcry_mpi w, u; +- w.alloced = w.nlimbs = precomp_size[k]; +- u.alloced = u.nlimbs = precomp_size[k]; +- w.sign = u.sign = 0; +- w.flags = u.flags = 0; +- w.d = base_u; +- u.d = precomp[k]; +- +- mpi_set_cond (&w, &u, k == e0); +- base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); +- } +- + for (j += W - c0; j >= 0; j--) + { +- mul_mod (xp, &xsize, rp, rsize, +- j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize, ++ ++ /* ++ * base_u <= precomp[e0] ++ * base_u_size <= precomp_size[e0] ++ */ ++ base_u_size = 0; ++ for (k = 0; k < (1<< (W - 1)); k++) ++ { ++ w.alloced = w.nlimbs = precomp_size[k]; ++ u.alloced = u.nlimbs = precomp_size[k]; ++ u.d = precomp[k]; ++ ++ mpi_set_cond (&w, &u, k == e0); ++ base_u_size |= ( precomp_size[k] & (0UL - (k == e0)) ); ++ } ++ ++ w.alloced = w.nlimbs = rsize; ++ u.alloced = u.nlimbs = rsize; ++ u.d = rp; ++ mpi_set_cond (&w, &u, j != 0); ++ base_u_size ^= ((base_u_size ^ rsize) & (0UL - (j != 0))); ++ ++ mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, + mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; +-- +2.11.0 + + +From b5370d527612d2c453a366729f07892974b28ba8 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Thu, 29 Jun 2017 11:48:44 +0900 +Subject: [PATCH 3/5] rsa: Add exponent blinding. + +* cipher/rsa.c (secret): Blind secret D with randomized nonce R for +mpi_powm computation. + +-- + +Co-authored-by: Werner Koch <wk@gnupg.org> +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> + +The paper describing attack: https://eprint.iacr.org/2017/627 + +Sliding right into disaster: Left-to-right sliding windows leak +by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and +Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and +Christine van Vredendaal and Yuval Yarom + + It is well known that constant-time implementations of modular + exponentiation cannot use sliding windows. However, software + libraries such as Libgcrypt, used by GnuPG, continue to use sliding + windows. It is widely believed that, even if the complete pattern of + squarings and multiplications is observed through a side-channel + attack, the number of exponent bits leaked is not sufficient to + carry out a full key-recovery attack against RSA. Specifically, + 4-bit sliding windows leak only 40% of the bits, and 5-bit sliding + windows leak only 33% of the bits. + + In this paper we demonstrate a complete break of RSA-1024 as + implemented in Libgcrypt. Our attack makes essential use of the fact + that Libgcrypt uses the left-to-right method for computing the + sliding-window expansion. We show for the first time that the + direction of the encoding matters: the pattern of squarings and + multiplications in left-to-right sliding windows leaks significantly + more information about exponent bits than for right-to-left. We show + how to incorporate this additional information into the + Heninger-Shacham algorithm for partial key reconstruction, and use + it to obtain very efficient full key recovery for RSA-1024. We also + provide strong evidence that the same attack works for RSA-2048 with + only moderately more computation. + +Exponent blinding is a kind of workaround to add noise. Signal (leak) +is still there for non-constant-time implementation. + +(backported from master commit: +8725c99ffa41778f382ca97233183bcd687bb0ce) + +Signed-off-by: Ross Burton <ross.burton@intel.com> +--- + cipher/rsa.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +diff --git a/cipher/rsa.c b/cipher/rsa.c +index 0b98b6a8..d8658476 100644 +--- a/cipher/rsa.c ++++ b/cipher/rsa.c +@@ -724,15 +724,33 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) + gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); + gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); + gcry_mpi_t h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); +- +- /* m1 = c ^ (d mod (p-1)) mod p */ ++ gcry_mpi_t D_blind = mpi_alloc_secure ( mpi_get_nlimbs(skey->n) + 1 ); ++ gcry_mpi_t r; ++ unsigned int r_nbits; ++ ++ r_nbits = mpi_get_nbits (skey->p) / 4; ++ if (r_nbits < 96) ++ r_nbits = 96; ++ r = mpi_alloc_secure ((r_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB); ++ ++ /* d_blind = (d mod (p-1)) + (p-1) * r */ ++ /* m1 = c ^ d_blind mod p */ ++ _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM); ++ mpi_set_highbit (r, r_nbits - 1); + mpi_sub_ui( h, skey->p, 1 ); +- mpi_fdiv_r( h, skey->d, h ); +- mpi_powm( m1, input, h, skey->p ); +- /* m2 = c ^ (d mod (q-1)) mod q */ ++ mpi_mul ( D_blind, h, r ); ++ mpi_fdiv_r ( h, skey->d, h ); ++ mpi_add ( D_blind, D_blind, h ); ++ mpi_powm( m1, input, D_blind, skey->p ); ++ /* d_blind = (d mod (q-1)) + (q-1) * r */ ++ /* m2 = c ^ d_blind mod q */ ++ _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM); ++ mpi_set_highbit (r, r_nbits - 1); + mpi_sub_ui( h, skey->q, 1 ); +- mpi_fdiv_r( h, skey->d, h ); +- mpi_powm( m2, input, h, skey->q ); ++ mpi_mul ( D_blind, h, r ); ++ mpi_fdiv_r ( h, skey->d, h ); ++ mpi_add ( D_blind, D_blind, h ); ++ mpi_powm( m2, input, D_blind, skey->q ); + /* h = u * ( m2 - m1 ) mod q */ + mpi_sub( h, m2, m1 ); + if ( mpi_has_sign ( h ) ) +-- +2.11.0 + + +From b7c572550b8759f2b0e45ee72df0494700b26da1 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Thu, 29 Jun 2017 12:36:27 +0900 +Subject: [PATCH 4/5] rsa: Fix exponent blinding. + +* cipher/rsa.c (secret): Free D_BLIND. + +-- + +Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +Signed-off-by: Ross Burton <ross.burton@intel.com> +--- + cipher/rsa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cipher/rsa.c b/cipher/rsa.c +index d8658476..9474fe89 100644 +--- a/cipher/rsa.c ++++ b/cipher/rsa.c +@@ -760,6 +760,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) + mpi_mul ( h, h, skey->p ); + mpi_add ( output, m1, h ); + ++ mpi_free ( D_blind ); + mpi_free ( h ); + mpi_free ( m1 ); + mpi_free ( m2 ); +-- +2.11.0 + + +From e5a5f14bdd8d6265f85264575a1f3c3307306849 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Thu, 29 Jun 2017 12:40:19 +0900 +Subject: [PATCH 5/5] rsa: More fix. + +* cipher/rsa.c (secret): Free R. + +-- + +Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +Signed-off-by: Ross Burton <ross.burton@intel.com> +--- + cipher/rsa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cipher/rsa.c b/cipher/rsa.c +index 9474fe89..b151b39f 100644 +--- a/cipher/rsa.c ++++ b/cipher/rsa.c +@@ -760,6 +760,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) + mpi_mul ( h, h, skey->p ); + mpi_add ( output, m1, h ); + ++ mpi_free ( r ); + mpi_free ( D_blind ); + mpi_free ( h ); + mpi_free ( m1 ); +-- +2.11.0 + diff --git a/meta/recipes-support/libgcrypt/libgcrypt.inc b/meta/recipes-support/libgcrypt/libgcrypt.inc index 5478253e06..8e7a38f894 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt.inc +++ b/meta/recipes-support/libgcrypt/libgcrypt.inc @@ -18,6 +18,8 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-${PV}.tar.gz \ file://add-pkgconfig-support.patch \ file://libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \ file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \ + file://0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch \ + file://CVE-2017-7526.patch \ " BINCONFIG = "${bindir}/libgcrypt-config" |