1 files changed, 147 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
new file mode 100644
index 0000000000..5209559659
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
@@ -0,0 +1,147 @@
+From 362704dda04507e7ebb8035122e83d9f0ae7c320 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 19:34:38 +0200
+Subject: [PATCH 06/14] SAE: Avoid branches in is_quadratic_residue_blind()
+Make the non-failure path in the function proceed without branches based
+on r_odd and in constant time to minimize risk of observable differences
+in timing or cache use. (CVE-2019-9494)
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+---
+ src/common/sae.c | 64 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 37 insertions(+), 27 deletions(-)
+diff --git a/src/common/sae.c b/src/common/sae.c
+index d55323b..5df9b95 100644
+--- a/src/common/sae.c
+++ b/src/common/sae.c
+@@ -232,12 +232,14 @@ get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
+ 
+ static int is_quadratic_residue_blind(struct sae_data *sae,
+                                      const u8 *prime, size_t bits,
+-                                     const struct crypto_bignum *qr,
+-                                     const struct crypto_bignum *qnr,
+                                     const u8 *qr, const u8 *qnr,
+                                      const struct crypto_bignum *y_sqr)
+ {
+-       struct crypto_bignum *r, *num;
+       struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
+        int r_odd, check, res = -1;
+       u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
+       size_t prime_len = sae->tmp->prime_len;
+       unsigned int mask;
+ 
+        /*
+         * Use the blinding technique to mask y_sqr while determining
+@@ -248,7 +250,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
+         * r = a random number between 1 and p-1, inclusive
+         * num = (v * r * r) modulo p
+         */
+-       r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
+       r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
+        if (!r)
+                return -1;
+ 
+@@ -258,41 +260,45 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
+            crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
+                goto fail;
+ 
+-       if (r_odd) {
+-               /*
+-                * num = (num * qr) module p
+-                * LGR(num, p) = 1 ==> quadratic residue
+-                */
+-               if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0)
+-                       goto fail;
+-               check = 1;
+-       } else {
+-               /*
+-                * num = (num * qnr) module p
+-                * LGR(num, p) = -1 ==> quadratic residue
+-                */
+-               if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0)
+-                       goto fail;
+-               check = -1;
+-       }
+       /*
+        * Need to minimize differences in handling different cases, so try to
+        * avoid branches and timing differences.
+        *
+        * If r_odd:
+        * num = (num * qr) module p
+        * LGR(num, p) = 1 ==> quadratic residue
+        * else:
+        * num = (num * qnr) module p
+        * LGR(num, p) = -1 ==> quadratic residue
+        */
+       mask = const_time_is_zero(r_odd);
+       const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
+       qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
+       if (!qr_or_qnr ||
+           crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
+               goto fail;
+       /* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
+       check = const_time_select_int(mask, -1, 1);
+ 
+        res = crypto_bignum_legendre(num, sae->tmp->prime);
+        if (res == -2) {
+                res = -1;
+                goto fail;
+        }
+-       res = res == check;
+       /* branchless version of res = res == check
+        * (res is -1, 0, or 1; check is -1 or 1) */
+       mask = const_time_eq(res, check);
+       res = const_time_select_int(mask, 1, 0);
+ fail:
+        crypto_bignum_deinit(num, 1);
+        crypto_bignum_deinit(r, 1);
+       crypto_bignum_deinit(qr_or_qnr, 1);
+        return res;
+ }
+ 
+ 
+ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+-                                const u8 *prime,
+-                                const struct crypto_bignum *qr,
+-                                const struct crypto_bignum *qnr,
+                                const u8 *prime, const u8 *qr, const u8 *qnr,
+                                 u8 *pwd_value)
+ {
+        struct crypto_bignum *y_sqr, *x_cand;
+@@ -452,6 +458,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+        struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
+        u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+        u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+       u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
+       u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
+        size_t bits;
+        int res = -1;
+        u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+@@ -476,7 +484,9 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+         * (qnr) modulo p for blinding purposes during the loop.
+         */
+        if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
+-                             &qr, &qnr) < 0)
+                             &qr, &qnr) < 0 ||
+           crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 ||
+           crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0)
+                goto fail;
+ 
+        wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+@@ -527,7 +537,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+                        break;
+ 
+                res = sae_test_pwd_seed_ecc(sae, pwd_seed,
+-                                           prime, qr, qnr, x_cand_bin);
+                                           prime, qr_bin, qnr_bin, x_cand_bin);
+                const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
+                                      x_bin);
+                pwd_seed_odd = const_time_select_u8(
+-- 
+2.7.4

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch new file mode 100644 index 0000000000..5209559659 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
@@ -0,0 +1,147 @@
	1	From 362704dda04507e7ebb8035122e83d9f0ae7c320 Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <jouni@codeaurora.org>
	3	Date: Tue, 26 Feb 2019 19:34:38 +0200
	4	Subject: [PATCH 06/14] SAE: Avoid branches in is_quadratic_residue_blind()
	5
	6	Make the non-failure path in the function proceed without branches based
	7	on r_odd and in constant time to minimize risk of observable differences
	8	in timing or cache use. (CVE-2019-9494)
	9
	10	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
	11	Signed-off-by: Adrian Bunk <bunk@stusta.de>
	12	Upstream-Status: Backport
	13	CVE: CVE-2019-9494
	14	---
	15	src/common/sae.c \| 64 ++++++++++++++++++++++++++++++++------------------------
	16	1 file changed, 37 insertions(+), 27 deletions(-)
	17
	18	diff --git a/src/common/sae.c b/src/common/sae.c
	19	index d55323b..5df9b95 100644
	20	--- a/src/common/sae.c
	21	+++ b/src/common/sae.c
	22	@@ -232,12 +232,14 @@ get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
	23
	24	static int is_quadratic_residue_blind(struct sae_data *sae,
	25	const u8 *prime, size_t bits,
	26	- const struct crypto_bignum *qr,
	27	- const struct crypto_bignum *qnr,
	28	+ const u8 qr, const u8 qnr,
	29	const struct crypto_bignum *y_sqr)
	30	{
	31	- struct crypto_bignum r, num;
	32	+ struct crypto_bignum r, num, *qr_or_qnr = NULL;
	33	int r_odd, check, res = -1;
	34	+ u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
	35	+ size_t prime_len = sae->tmp->prime_len;
	36	+ unsigned int mask;
	37
	38	/*
	39	* Use the blinding technique to mask y_sqr while determining
	40	@@ -248,7 +250,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
	41	* r = a random number between 1 and p-1, inclusive
	42	* num = (v * r * r) modulo p
	43	*/
	44	- r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
	45	+ r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
	46	if (!r)
	47	return -1;
	48
	49	@@ -258,41 +260,45 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
	50	crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
	51	goto fail;
	52
	53	- if (r_odd) {
	54	- /*
	55	- * num = (num * qr) module p
	56	- * LGR(num, p) = 1 ==> quadratic residue
	57	- */
	58	- if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0)
	59	- goto fail;
	60	- check = 1;
	61	- } else {
	62	- /*
	63	- * num = (num * qnr) module p
	64	- * LGR(num, p) = -1 ==> quadratic residue
	65	- */
	66	- if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0)
	67	- goto fail;
	68	- check = -1;
	69	- }
	70	+ /*
	71	+ * Need to minimize differences in handling different cases, so try to
	72	+ * avoid branches and timing differences.
	73	+ *
	74	+ * If r_odd:
	75	+ * num = (num * qr) module p
	76	+ * LGR(num, p) = 1 ==> quadratic residue
	77	+ * else:
	78	+ * num = (num * qnr) module p
	79	+ * LGR(num, p) = -1 ==> quadratic residue
	80	+ */
	81	+ mask = const_time_is_zero(r_odd);
	82	+ const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
	83	+ qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
	84	+ if (!qr_or_qnr \|\|
	85	+ crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
	86	+ goto fail;
	87	+ /* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
	88	+ check = const_time_select_int(mask, -1, 1);
	89
	90	res = crypto_bignum_legendre(num, sae->tmp->prime);
	91	if (res == -2) {
	92	res = -1;
	93	goto fail;
	94	}
	95	- res = res == check;
	96	+ /* branchless version of res = res == check
	97	+ * (res is -1, 0, or 1; check is -1 or 1) */
	98	+ mask = const_time_eq(res, check);
	99	+ res = const_time_select_int(mask, 1, 0);
	100	fail:
	101	crypto_bignum_deinit(num, 1);
	102	crypto_bignum_deinit(r, 1);
	103	+ crypto_bignum_deinit(qr_or_qnr, 1);
	104	return res;
	105	}
	106
	107
	108	static int sae_test_pwd_seed_ecc(struct sae_data sae, const u8 pwd_seed,
	109	- const u8 *prime,
	110	- const struct crypto_bignum *qr,
	111	- const struct crypto_bignum *qnr,
	112	+ const u8 prime, const u8 qr, const u8 *qnr,
	113	u8 *pwd_value)
	114	{
	115	struct crypto_bignum y_sqr, x_cand;
	116	@@ -452,6 +458,8 @@ static int sae_derive_pwe_ecc(struct sae_data sae, const u8 addr1,
	117	struct crypto_bignum x = NULL, qr = NULL, *qnr = NULL;
	118	u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
	119	u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
	120	+ u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
	121	+ u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
	122	size_t bits;
	123	int res = -1;
	124	u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
	125	@@ -476,7 +484,9 @@ static int sae_derive_pwe_ecc(struct sae_data sae, const u8 addr1,
	126	* (qnr) modulo p for blinding purposes during the loop.
	127	*/
	128	if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
	129	- &qr, &qnr) < 0)
	130	+ &qr, &qnr) < 0 \|\|
	131	+ crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 \|\|
	132	+ crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0)
	133	goto fail;
	134
	135	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
	136	@@ -527,7 +537,7 @@ static int sae_derive_pwe_ecc(struct sae_data sae, const u8 addr1,
	137	break;
	138
	139	res = sae_test_pwd_seed_ecc(sae, pwd_seed,
	140	- prime, qr, qnr, x_cand_bin);
	141	+ prime, qr_bin, qnr_bin, x_cand_bin);
	142	const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
	143	x_bin);
	144	pwd_seed_odd = const_time_select_u8(
	145	--
	146	2.7.4
	147