1 files changed, 108 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
new file mode 100644
index 0000000000..7b8616a66d
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
@@ -0,0 +1,108 @@
+From f8f20717f87eff1f025f48ed585c7684debacf72 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 12:45:33 +0200
+Subject: [PATCH 08/14] SAE: Use const_time selection for PWE in FFC
+This is an initial step towards making the FFC case use strictly
+constant time operations similarly to the ECC case.
+sae_test_pwd_seed_ffc() does not yet have constant time behavior,
+though.
+This is related to CVE-2019-9494.
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+---
+ src/common/sae.c | 53 +++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 35 insertions(+), 18 deletions(-)
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 75b1b4a..fa9a145 100644
+--- a/src/common/sae.c
+++ b/src/common/sae.c
+@@ -612,17 +612,28 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+                              const u8 *addr2, const u8 *password,
+                              size_t password_len, const char *identifier)
+ {
+-       u8 counter, k;
+       u8 counter, k, sel_counter = 0;
+        u8 addrs[2 * ETH_ALEN];
+        const u8 *addr[3];
+        size_t len[3];
+        size_t num_elem;
+-       int found = 0;
+-       struct crypto_bignum *pwe = NULL;
+       u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+                      * mask */
+       u8 mask;
+       struct crypto_bignum *pwe;
+       size_t prime_len = sae->tmp->prime_len * 8;
+       u8 *pwe_buf;
+ 
+        crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
+        sae->tmp->pwe_ffc = NULL;
+ 
+       /* Allocate a buffer to maintain selected and candidate PWE for constant
+        * time selection. */
+       pwe_buf = os_zalloc(prime_len * 2);
+       pwe = crypto_bignum_init();
+       if (!pwe_buf || !pwe)
+               goto fail;
+
+        wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+                              password, password_len);
+ 
+@@ -661,27 +672,33 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+                if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+                                       addr, len, pwd_seed) < 0)
+                        break;
+-               if (!pwe) {
+-                       pwe = crypto_bignum_init();
+-                       if (!pwe)
+-                               break;
+-               }
+                res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
+               /* res is -1 for fatal failure, 0 if a valid PWE was not found,
+                * or 1 if a valid PWE was found. */
+                if (res < 0)
+                        break;
+-               if (res > 0) {
+-                       found = 1;
+-                       if (!sae->tmp->pwe_ffc) {
+-                               wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+-                               sae->tmp->pwe_ffc = pwe;
+-                               pwe = NULL;
+-                       }
+-               }
+               /* Store the candidate PWE into the second half of pwe_buf and
+                * the selected PWE in the beginning of pwe_buf using constant
+                * time selection. */
+               if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len,
+                                        prime_len) < 0)
+                       break;
+               const_time_select_bin(found, pwe_buf, pwe_buf + prime_len,
+                                     prime_len, pwe_buf);
+               sel_counter = const_time_select_u8(found, sel_counter, counter);
+               mask = const_time_eq_u8(res, 1);
+               found = const_time_select_u8(found, found, mask);
+        }
+ 
+-       crypto_bignum_deinit(pwe, 1);
+       if (!found)
+               goto fail;
+ 
+-       return found ? 0 : -1;
+       wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter);
+       sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len);
+fail:
+       crypto_bignum_deinit(pwe, 1);
+       bin_clear_free(pwe_buf, prime_len * 2);
+       return sae->tmp->pwe_ffc ? 0 : -1;
+ }
+ 
+ 
+-- 
+2.7.4

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch new file mode 100644 index 0000000000..7b8616a66d --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
@@ -0,0 +1,108 @@
	1	From f8f20717f87eff1f025f48ed585c7684debacf72 Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <jouni@codeaurora.org>
	3	Date: Sat, 2 Mar 2019 12:45:33 +0200
	4	Subject: [PATCH 08/14] SAE: Use const_time selection for PWE in FFC
	5
	6	This is an initial step towards making the FFC case use strictly
	7	constant time operations similarly to the ECC case.
	8	sae_test_pwd_seed_ffc() does not yet have constant time behavior,
	9	though.
	10
	11	This is related to CVE-2019-9494.
	12
	13	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
	14	Signed-off-by: Adrian Bunk <bunk@stusta.de>
	15	Upstream-Status: Backport
	16	CVE: CVE-2019-9494
	17	---
	18	src/common/sae.c \| 53 +++++++++++++++++++++++++++++++++++------------------
	19	1 file changed, 35 insertions(+), 18 deletions(-)
	20
	21	diff --git a/src/common/sae.c b/src/common/sae.c
	22	index 75b1b4a..fa9a145 100644
	23	--- a/src/common/sae.c
	24	+++ b/src/common/sae.c
	25	@@ -612,17 +612,28 @@ static int sae_derive_pwe_ffc(struct sae_data sae, const u8 addr1,
	26	const u8 addr2, const u8 password,
	27	size_t password_len, const char *identifier)
	28	{
	29	- u8 counter, k;
	30	+ u8 counter, k, sel_counter = 0;
	31	u8 addrs[2 * ETH_ALEN];
	32	const u8 *addr[3];
	33	size_t len[3];
	34	size_t num_elem;
	35	- int found = 0;
	36	- struct crypto_bignum *pwe = NULL;
	37	+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
	38	+ * mask */
	39	+ u8 mask;
	40	+ struct crypto_bignum *pwe;
	41	+ size_t prime_len = sae->tmp->prime_len * 8;
	42	+ u8 *pwe_buf;
	43
	44	crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
	45	sae->tmp->pwe_ffc = NULL;
	46
	47	+ /* Allocate a buffer to maintain selected and candidate PWE for constant
	48	+ * time selection. */
	49	+ pwe_buf = os_zalloc(prime_len * 2);
	50	+ pwe = crypto_bignum_init();
	51	+ if (!pwe_buf \|\| !pwe)
	52	+ goto fail;
	53	+
	54	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
	55	password, password_len);
	56
	57	@@ -661,27 +672,33 @@ static int sae_derive_pwe_ffc(struct sae_data sae, const u8 addr1,
	58	if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
	59	addr, len, pwd_seed) < 0)
	60	break;
	61	- if (!pwe) {
	62	- pwe = crypto_bignum_init();
	63	- if (!pwe)
	64	- break;
	65	- }
	66	res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
	67	+ /* res is -1 for fatal failure, 0 if a valid PWE was not found,
	68	+ * or 1 if a valid PWE was found. */
	69	if (res < 0)
	70	break;
	71	- if (res > 0) {
	72	- found = 1;
	73	- if (!sae->tmp->pwe_ffc) {
	74	- wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
	75	- sae->tmp->pwe_ffc = pwe;
	76	- pwe = NULL;
	77	- }
	78	- }
	79	+ /* Store the candidate PWE into the second half of pwe_buf and
	80	+ * the selected PWE in the beginning of pwe_buf using constant
	81	+ * time selection. */
	82	+ if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len,
	83	+ prime_len) < 0)
	84	+ break;
	85	+ const_time_select_bin(found, pwe_buf, pwe_buf + prime_len,
	86	+ prime_len, pwe_buf);
	87	+ sel_counter = const_time_select_u8(found, sel_counter, counter);
	88	+ mask = const_time_eq_u8(res, 1);
	89	+ found = const_time_select_u8(found, found, mask);
	90	}
	91
	92	- crypto_bignum_deinit(pwe, 1);
	93	+ if (!found)
	94	+ goto fail;
	95
	96	- return found ? 0 : -1;
	97	+ wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter);
	98	+ sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len);
	99	+fail:
	100	+ crypto_bignum_deinit(pwe, 1);
	101	+ bin_clear_free(pwe_buf, prime_len * 2);
	102	+ return sae->tmp->pwe_ffc ? 0 : -1;
	103	}
	104
	105
	106	--
	107	2.7.4
	108