1 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
new file mode 100644
index 0000000000..e64d140c7b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
@@ -0,0 +1,97 @@
+From d42c477cc794163a3757956bbffca5cea000923c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 11:43:03 +0200
+Subject: [PATCH 01/14] OpenSSL: Use constant time operations for private
+ bignums
+This helps in reducing measurable timing differences in operations
+involving private information. BoringSSL has removed BN_FLG_CONSTTIME
+and expects specific constant time functions to be called instead, so a
+bit different approach is needed depending on which library is used.
+The main operation that needs protection against side channel attacks is
+BN_mod_exp() that depends on private keys (the public key validation
+step in crypto_dh_derive_secret() is an exception that can use the
+faster version since it does not depend on private keys).
+crypto_bignum_div() is currently used only in SAE FFC case with not
+safe-prime groups and only with values that do not depend on private
+keys, so it is not critical to protect it.
+crypto_bignum_inverse() is currently used only in SAE FFC PWE
+derivation. The additional protection here is targeting only OpenSSL.
+BoringSSL may need conversion to using BN_mod_inverse_blinded().
+This is related to CVE-2019-9494 and CVE-2019-9495.
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+CVE: CVE-2019-9495
+---
+ src/crypto/crypto_openssl.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 9c2ba58..ac53cc8 100644
+--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
+@@ -607,7 +607,8 @@ int crypto_mod_exp(const u8 *base, size_t base_len,
+            bn_result == NULL)
+                goto error;
+ 
+-       if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
+       if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
+                                     ctx, NULL) != 1)
+                goto error;
+ 
+        *result_len = BN_bn2bin(bn_result, result);
+@@ -1360,8 +1361,9 @@ int crypto_bignum_exptmod(const struct crypto_bignum *a,
+        bnctx = BN_CTX_new();
+        if (bnctx == NULL)
+                return -1;
+-       res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
+-                        (const BIGNUM *) c, bnctx);
+       res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
+                                       (const BIGNUM *) b, (const BIGNUM *) c,
+                                       bnctx, NULL);
+        BN_CTX_free(bnctx);
+ 
+        return res ? 0 : -1;
+@@ -1380,6 +1382,11 @@ int crypto_bignum_inverse(const struct crypto_bignum *a,
+        bnctx = BN_CTX_new();
+        if (bnctx == NULL)
+                return -1;
+#ifdef OPENSSL_IS_BORINGSSL
+       /* TODO: use BN_mod_inverse_blinded() ? */
+#else /* OPENSSL_IS_BORINGSSL */
+       BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
+#endif /* OPENSSL_IS_BORINGSSL */
+        res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
+                             (const BIGNUM *) b, bnctx);
+        BN_CTX_free(bnctx);
+@@ -1413,6 +1420,9 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+        bnctx = BN_CTX_new();
+        if (bnctx == NULL)
+                return -1;
+#ifndef OPENSSL_IS_BORINGSSL
+       BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
+#endif /* OPENSSL_IS_BORINGSSL */
+        res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
+                     (const BIGNUM *) b, bnctx);
+        BN_CTX_free(bnctx);
+@@ -1504,8 +1514,8 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+            /* exp = (p-1) / 2 */
+            !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
+            !BN_rshift1(exp, exp) ||
+-           !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
+-                       bnctx))
+           !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
+                                      (const BIGNUM *) p, bnctx, NULL))
+                goto fail;
+ 
+        if (BN_is_word(tmp, 1))
+-- 
+2.7.4

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch new file mode 100644 index 0000000000..e64d140c7b --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
@@ -0,0 +1,97 @@
	1	From d42c477cc794163a3757956bbffca5cea000923c Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <jouni@codeaurora.org>
	3	Date: Tue, 26 Feb 2019 11:43:03 +0200
	4	Subject: [PATCH 01/14] OpenSSL: Use constant time operations for private
	5	bignums
	6
	7	This helps in reducing measurable timing differences in operations
	8	involving private information. BoringSSL has removed BN_FLG_CONSTTIME
	9	and expects specific constant time functions to be called instead, so a
	10	bit different approach is needed depending on which library is used.
	11
	12	The main operation that needs protection against side channel attacks is
	13	BN_mod_exp() that depends on private keys (the public key validation
	14	step in crypto_dh_derive_secret() is an exception that can use the
	15	faster version since it does not depend on private keys).
	16
	17	crypto_bignum_div() is currently used only in SAE FFC case with not
	18	safe-prime groups and only with values that do not depend on private
	19	keys, so it is not critical to protect it.
	20
	21	crypto_bignum_inverse() is currently used only in SAE FFC PWE
	22	derivation. The additional protection here is targeting only OpenSSL.
	23	BoringSSL may need conversion to using BN_mod_inverse_blinded().
	24
	25	This is related to CVE-2019-9494 and CVE-2019-9495.
	26
	27	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
	28	Signed-off-by: Adrian Bunk <bunk@stusta.de>
	29	Upstream-Status: Backport
	30	CVE: CVE-2019-9494
	31	CVE: CVE-2019-9495
	32	---
	33	src/crypto/crypto_openssl.c \| 20 +++++++++++++++-----
	34	1 file changed, 15 insertions(+), 5 deletions(-)
	35
	36	diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
	37	index 9c2ba58..ac53cc8 100644
	38	--- a/src/crypto/crypto_openssl.c
	39	+++ b/src/crypto/crypto_openssl.c
	40	@@ -607,7 +607,8 @@ int crypto_mod_exp(const u8 *base, size_t base_len,
	41	bn_result == NULL)
	42	goto error;
	43
	44	- if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
	45	+ if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
	46	+ ctx, NULL) != 1)
	47	goto error;
	48
	49	*result_len = BN_bn2bin(bn_result, result);
	50	@@ -1360,8 +1361,9 @@ int crypto_bignum_exptmod(const struct crypto_bignum *a,
	51	bnctx = BN_CTX_new();
	52	if (bnctx == NULL)
	53	return -1;
	54	- res = BN_mod_exp((BIGNUM ) d, (const BIGNUM ) a, (const BIGNUM *) b,
	55	- (const BIGNUM *) c, bnctx);
	56	+ res = BN_mod_exp_mont_consttime((BIGNUM ) d, (const BIGNUM ) a,
	57	+ (const BIGNUM ) b, (const BIGNUM ) c,
	58	+ bnctx, NULL);
	59	BN_CTX_free(bnctx);
	60
	61	return res ? 0 : -1;
	62	@@ -1380,6 +1382,11 @@ int crypto_bignum_inverse(const struct crypto_bignum *a,
	63	bnctx = BN_CTX_new();
	64	if (bnctx == NULL)
	65	return -1;
	66	+#ifdef OPENSSL_IS_BORINGSSL
	67	+ /* TODO: use BN_mod_inverse_blinded() ? */
	68	+#else /* OPENSSL_IS_BORINGSSL */
	69	+ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
	70	+#endif /* OPENSSL_IS_BORINGSSL */
	71	res = BN_mod_inverse((BIGNUM ) c, (const BIGNUM ) a,
	72	(const BIGNUM *) b, bnctx);
	73	BN_CTX_free(bnctx);
	74	@@ -1413,6 +1420,9 @@ int crypto_bignum_div(const struct crypto_bignum *a,
	75	bnctx = BN_CTX_new();
	76	if (bnctx == NULL)
	77	return -1;
	78	+#ifndef OPENSSL_IS_BORINGSSL
	79	+ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
	80	+#endif /* OPENSSL_IS_BORINGSSL */
	81	res = BN_div((BIGNUM ) c, NULL, (const BIGNUM ) a,
	82	(const BIGNUM *) b, bnctx);
	83	BN_CTX_free(bnctx);
	84	@@ -1504,8 +1514,8 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
	85	/* exp = (p-1) / 2 */
	86	!BN_sub(exp, (const BIGNUM *) p, BN_value_one()) \|\|
	87	!BN_rshift1(exp, exp) \|\|
	88	- !BN_mod_exp(tmp, (const BIGNUM ) a, exp, (const BIGNUM ) p,
	89	- bnctx))
	90	+ !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
	91	+ (const BIGNUM *) p, bnctx, NULL))
	92	goto fail;
	93
	94	if (BN_is_word(tmp, 1))
	95	--
	96	2.7.4
	97