CVS commit: src/external/bsd/wpa/dist/src/common

["Christos Zoulas" <christos%netbsd.org@localhost>]

Module Name:    src
Committed By:   christos
Date:           Wed Apr 10 18:00:21 UTC 2019

Modified Files:
        src/external/bsd/wpa/dist/src/common: sae.c

Log Message:
These groups have significant probability of coming up with pwd-value
that is equal or greater than the prime and as such, need for going
through the PWE derivation loop multiple times. This can result in
sufficient timing different to allow an external observer to determine
how many rounds are needed and that can leak information about the used
password.

Force at least 40 loop rounds for these MODP groups similarly to the ECC
group design to mask timing. This behavior is not described in IEEE Std
802.11-2016 for SAE, but it does not result in different values (i.e.,
only different timing), so such implementation specific countermeasures
can be done without breaking interoperability with other implementation.

Note: These MODP groups 22, 23, and 24 are not considered sufficiently
strong to be used with SAE (or more or less anything else). As such,
they should never be enabled in runtime configuration for any production
use cases. These changes to introduce additional protection to mask
timing is only for completeness of implementation and not an indication
that these groups should be used.

This is related to CVE-2019-9494.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/wpa/dist/src/common/sae.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.