Opened 2 years ago

Closed 2 years ago

#12370 closed enhancement (fixed)


Reported by: Douglas R. Reno Owned by: Bruce Dubbs
Priority: high Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:


New minor version

2019-08-07 - v2.9
	* SAE changes
	  - disable use of groups using Brainpool curves
	  - improved protection against side channel attacks
	* EAP-pwd changes
	  - disable use of groups using Brainpool curves
	  - allow the set of groups to be configured (eap_pwd_groups)
	  - improved protection against side channel attacks
	* fixed FT-EAP initial mobility domain association using PMKSA caching
	  (disabled by default for backwards compatibility; can be enabled
	  with ft_eap_pmksa_caching=1)
	* fixed a regression in OpenSSL 1.1+ engine loading
	* added validation of RSNE in (Re)Association Response frames
	* fixed DPP bootstrapping URI parser of channel list
	* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
	* extended ca_cert_blob to support PEM format
	* improved robustness of P2P Action frame scheduling
	* added support for EAP-SIM/AKA using anonymous@realm identity
	* fixed Hotspot 2.0 credential selection based on roaming consortium
	  to ignore credentials without a specific EAP method
	* added experimental support for EAP-TEAP peer (RFC 7170)
	* added experimental support for EAP-TLS peer with TLS v1.3
	* fixed a regression in WMM parameter configuration for a TDLS peer
	* fixed a regression in operation with drivers that offload 802.1X
	  4-way handshake
	* fixed an ECDH operation corner case with OpenSSL

Here's the security advisory I got this morning that mandated the release of this version:

Published: August 7, 2019
Latest version available from:

This is an update on earlier security advisories 2019-1 and
2019-2. Please see those advisories for more details in the issues.


hostapd and wpa_supplicant security advisories 2019-1 and 2019-2
addressed side-channel attacks related to SAE and EAP-pwd. The
improvements identified in those advisories made it more difficult to
observe external differences in timing or memory access to mitigate
against this type of attacks. However, the identified changes did not
remove all differences. Especially when using ECC groups that use a
prime that is not close to a power of two, those improvements were not
complete. In practice, use of groups that use Brainpool curves (groups
28-30) are in this category.

Additional implementation changes are now available to improve
mitigation against potential attacks. While these are expected to
improve security of SAE and EAP-pwd in general to some extend, the
largest help from these would be to the cases where groups 28-30 are
used. However, for those groups, additional changes would likely be
needed to make the protection against timing differences be at similar
level as it is for other ECC groups. That would result in significantly
higher need for CPU and that may not be practical for all devices. As
such, the current recommended practice is to disable all use of the
Brainpool curves in the context of SAE and EAP-pwd. This does not mean
that these curves themselves have issues, but the way the SAE and
EAP-pwd derivation of PWE is designed is not convenient for the primes
used in these curves. In other words, this has no impact to other uses
of the Brainpool curves.

The timing differences even when using groups 28-30 are non-trivial to
attack in practice, but cannot be ruled impossible. Cache attacks (see
advisories 2019-1 and 2019-2 for more details) can still be feasible
when using these groups in SAE or EAP-pwd with wpa_supplicant/hostapd

Vulnerable versions/configurations

All wpa_supplicant and hostapd versions with SAE support (CONFIG_SAE=y
in the build configuration and SAE with groups 28-30 enabled in the
runtime configuration and supported by the used crypto library). Note
that the applicable groups are not enabled by default in v2.8 (and in
case of wpa_supplicant, in any version) and they would need to be
explicitly enabled by adding the group identifies into the sae_groups
configuration parameter.

All wpa_supplicant and hostapd versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration). Note that EAP-pwd server implementation
in hostapd enables only a single group at the time (pwd_group parameter)
and by default, group 19 is used. As such, this would be applicable only
if the pwd_group parameter is set to use one of the groups 28-30. The
EAP-pwd peer implementation wpa_supplicant, follows the group selected
by the server and as such, it would be vulnerable for the case where an
attacker controls the authentication server (e.g., through a rogue AP)
if the crypto library supports groups 28-30.

As far as crypto library support for Brainpool curves is concerned,
OpenSSL 1.0.2 and newer have support for them while BoringSSL does not.

Possible mitigation steps

- Update to wpa_supplicant/hostapd v2.9 or newer

- Merge the following commits to wpa_supplicant/hostapd v2.8 and
  SAE: Use const_time_memcmp() for pwd_value >= prime comparison
  EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison
  OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available
  SAE: Run through prf result processing even if it >= prime
  EAP-pwd: Run through prf result processing even if it >= prime
  dragonfly: Disable use of groups using Brainpool curves

  These patches are available from

Change History (3)

comment:1 by Douglas R. Reno, 2 years ago

Priority: normalhigh

comment:2 by Bruce Dubbs, 2 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:3 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 21918.

Note: See TracTickets for help on using tickets.