author | Adrian Bunk <bunk@stusta.de> | 2019-06-19 21:04:22 +0300 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-06-30 22:34:23 +0100 |
commit | ee0e9eaafed96587b6f1c6b995cd7d5927170c21 (patch) | |
tree | c3e3b3602923c23aa0614a44b3b4049e6f340dea /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch | |
parent | 76c220e5fe43aef1014e6eec7f0136c2b34be308 (diff) | |
download | poky-ee0e9eaafed96587b6f1c6b995cd7d5927170c21.tar.gz |
wpa-supplicant: Fix CVE-2019-9494 CVE-2019-9495 CVE-2019-9496 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499 CVE-2019-11555
(From OE-Core rev: ae8e0440fc1177bf44e46804e1f5927cb86f8324)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch | 97 |
1 files changed, 97 insertions, 0 deletions
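--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
@@ -0,0 +1,97 @@
+From d42c477cc794163a3757956bbffca5cea000923c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 11:43:03 +0200
+Subject: [PATCH 01/14] OpenSSL: Use constant time operations for private
+bignums
+
+This helps in reducing measurable timing differences in operations
+involving private information. BoringSSL has removed BN_FLG_CONSTTIME
+and expects specific constant time functions to be called instead, so a
+bit different approach is needed depending on which library is used.
+
+The main operation that needs protection against side channel attacks is
+BN_mod_exp() that depends on private keys (the public key validation
+step in crypto_dh_derive_secret() is an exception that can use the
+faster version since it does not depend on private keys).
+
+crypto_bignum_div() is currently used only in SAE FFC case with not
+safe-prime groups and only with values that do not depend on private
+keys, so it is not critical to protect it.
+
+crypto_bignum_inverse() is currently used only in SAE FFC PWE
+derivation. The additional protection here is targeting only OpenSSL.
+BoringSSL may need conversion to using BN_mod_inverse_blinded().
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+CVE: CVE-2019-9495
+---
+src/crypto/crypto_openssl.c | 20 +++++++++++++++-----
+1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 9c2ba58..ac53cc8 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -607,7 +607,8 @@ int crypto_mod_exp(const u8 *base, size_t base_len,
+ bn_result == NULL)
+ goto error;
+
+- if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
++ if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
++ ctx, NULL) != 1)
+ goto error;
+
+ *result_len = BN_bn2bin(bn_result, result);
+@@ -1360,8 +1361,9 @@ int crypto_bignum_exptmod(const struct crypto_bignum *a,
+ bnctx = BN_CTX_new();
+ if (bnctx == NULL)
+ return -1;
+- res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
+- (const BIGNUM *) c, bnctx);
++ res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
++ (const BIGNUM *) b, (const BIGNUM *) c,
++ bnctx, NULL);
+ BN_CTX_free(bnctx);
+
+ return res ? 0 : -1;
+@@ -1380,6 +1382,11 @@ int crypto_bignum_inverse(const struct crypto_bignum *a,
+ bnctx = BN_CTX_new();
+ if (bnctx == NULL)
+ return -1;
++#ifdef OPENSSL_IS_BORINGSSL
++ /* TODO: use BN_mod_inverse_blinded() ? */
++#else /* OPENSSL_IS_BORINGSSL */
++ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
++#endif /* OPENSSL_IS_BORINGSSL */
+ res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
+ (const BIGNUM *) b, bnctx);
+ BN_CTX_free(bnctx);
+@@ -1413,6 +1420,9 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ bnctx = BN_CTX_new();
+ if (bnctx == NULL)
+ return -1;
++#ifndef OPENSSL_IS_BORINGSSL
++ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
++#endif /* OPENSSL_IS_BORINGSSL */
+ res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
+ (const BIGNUM *) b, bnctx);
+ BN_CTX_free(bnctx);
+@@ -1504,8 +1514,8 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+ /* exp = (p-1) / 2 */
+ !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
+ !BN_rshift1(exp, exp) ||
+- !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
+- bnctx))
++ !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
++ (const BIGNUM *) p, bnctx, NULL))
+ goto fail;
+
+ if (BN_is_word(tmp, 1))
+--
+2.7.4
+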