1 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
new file mode 100644
index 0000000000..790041f259
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
@@ -0,0 +1,64 @@
+From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Fri, 8 Mar 2019 00:24:12 +0200
+Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
+ crypto_bignum_legendre()
+Get rid of the branches that depend on the result of the Legendre
+operation. This is needed to avoid leaking information about different
+temporary results in blinding mechanisms.
+This is related to CVE-2019-9494 and CVE-2019-9495.
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+CVE: CVE-2019-9495
+---
+ src/crypto/crypto_openssl.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index ac53cc8..0f52101 100644
+--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
+@@ -24,6 +24,7 @@
+ #endif /* CONFIG_ECC */
+ 
+ #include "common.h"
+#include "utils/const_time.h"
+ #include "wpabuf.h"
+ #include "dh_group5.h"
+ #include "sha1.h"
+@@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+        BN_CTX *bnctx;
+        BIGNUM *exp = NULL, *tmp = NULL;
+        int res = -2;
+       unsigned int mask;
+ 
+        if (TEST_FAIL())
+                return -2;
+@@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
+                                       (const BIGNUM *) p, bnctx, NULL))
+                goto fail;
+ 
+-       if (BN_is_word(tmp, 1))
+-               res = 1;
+-       else if (BN_is_zero(tmp))
+-               res = 0;
+-       else
+-               res = -1;
+       /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
+        * constant time selection to avoid branches here. */
+       res = -1;
+       mask = const_time_eq(BN_is_word(tmp, 1), 1);
+       res = const_time_select_int(mask, 1, res);
+       mask = const_time_eq(BN_is_zero(tmp), 1);
+       res = const_time_select_int(mask, 0, res);
+ 
+ fail:
+        BN_clear_free(tmp);
+-- 
+2.7.4

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch new file mode 100644 index 0000000000..790041f259 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
@@ -0,0 +1,64 @@
	1	From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <jouni@codeaurora.org>
	3	Date: Fri, 8 Mar 2019 00:24:12 +0200
	4	Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
	5	crypto_bignum_legendre()
	6
	7	Get rid of the branches that depend on the result of the Legendre
	8	operation. This is needed to avoid leaking information about different
	9	temporary results in blinding mechanisms.
	10
	11	This is related to CVE-2019-9494 and CVE-2019-9495.
	12
	13	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
	14	Signed-off-by: Adrian Bunk <bunk@stusta.de>
	15	Upstream-Status: Backport
	16	CVE: CVE-2019-9494
	17	CVE: CVE-2019-9495
	18	---
	19	src/crypto/crypto_openssl.c \| 15 +++++++++------
	20	1 file changed, 9 insertions(+), 6 deletions(-)
	21
	22	diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
	23	index ac53cc8..0f52101 100644
	24	--- a/src/crypto/crypto_openssl.c
	25	+++ b/src/crypto/crypto_openssl.c
	26	@@ -24,6 +24,7 @@
	27	#endif /* CONFIG_ECC */
	28
	29	#include "common.h"
	30	+#include "utils/const_time.h"
	31	#include "wpabuf.h"
	32	#include "dh_group5.h"
	33	#include "sha1.h"
	34	@@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
	35	BN_CTX *bnctx;
	36	BIGNUM exp = NULL, tmp = NULL;
	37	int res = -2;
	38	+ unsigned int mask;
	39
	40	if (TEST_FAIL())
	41	return -2;
	42	@@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
	43	(const BIGNUM *) p, bnctx, NULL))
	44	goto fail;
	45
	46	- if (BN_is_word(tmp, 1))
	47	- res = 1;
	48	- else if (BN_is_zero(tmp))
	49	- res = 0;
	50	- else
	51	- res = -1;
	52	+ /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
	53	+ * constant time selection to avoid branches here. */
	54	+ res = -1;
	55	+ mask = const_time_eq(BN_is_word(tmp, 1), 1);
	56	+ res = const_time_select_int(mask, 1, res);
	57	+ mask = const_time_eq(BN_is_zero(tmp), 1);
	58	+ res = const_time_select_int(mask, 0, res);
	59
	60	fail:
	61	BN_clear_free(tmp);
	62	--
	63	2.7.4
	64