1 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
new file mode 100644
index 0000000000..c6e61cb803
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
@@ -0,0 +1,61 @@
+From 8ad8585f91823ddcc3728155e288e0f9f872e31a Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Date: Sun, 31 Mar 2019 17:43:44 +0200
+Subject: [PATCH 13/14] EAP-pwd client: Verify received scalar and element
+When processing an EAP-pwd Commit frame, the server's scalar and element
+(elliptic curve point) were not validated. This allowed an adversary to
+bypass authentication, and act as a rogue Access Point (AP) if the
+crypto implementation did not verify the validity of the EC point.
+Fix this vulnerability by assuring the received scalar lies within the
+valid range, and by checking that the received element is not the point
+at infinity and lies on the elliptic curve being used. (CVE-2019-9499)
+The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
+is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
+(and also BoringSSL) implicitly validate the elliptic curve point in
+EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
+Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9499
+---
+ src/eap_peer/eap_pwd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 761c16a..5a05e54 100644
+--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
+@@ -594,6 +594,26 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+                goto fin;
+        }
+ 
+       /* verify received scalar */
+       if (crypto_bignum_is_zero(data->server_scalar) ||
+           crypto_bignum_is_one(data->server_scalar) ||
+           crypto_bignum_cmp(data->server_scalar,
+                             crypto_ec_get_order(data->grp->group)) >= 0) {
+               wpa_printf(MSG_INFO,
+                          "EAP-PWD (peer): received scalar is invalid");
+               goto fin;
+       }
+
+       /* verify received element */
+       if (!crypto_ec_point_is_on_curve(data->grp->group,
+                                        data->server_element) ||
+           crypto_ec_point_is_at_infinity(data->grp->group,
+                                          data->server_element)) {
+               wpa_printf(MSG_INFO,
+                          "EAP-PWD (peer): received element is invalid");
+               goto fin;
+       }
+
+        /* check to ensure server's element is not in a small sub-group */
+        if (!crypto_bignum_is_one(cofactor)) {
+                if (crypto_ec_point_mul(data->grp->group, data->server_element,
+-- 
+2.7.4

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch new file mode 100644 index 0000000000..c6e61cb803 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
@@ -0,0 +1,61 @@
	1	From 8ad8585f91823ddcc3728155e288e0f9f872e31a Mon Sep 17 00:00:00 2001
	2	From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
	3	Date: Sun, 31 Mar 2019 17:43:44 +0200
	4	Subject: [PATCH 13/14] EAP-pwd client: Verify received scalar and element
	5
	6	When processing an EAP-pwd Commit frame, the server's scalar and element
	7	(elliptic curve point) were not validated. This allowed an adversary to
	8	bypass authentication, and act as a rogue Access Point (AP) if the
	9	crypto implementation did not verify the validity of the EC point.
	10
	11	Fix this vulnerability by assuring the received scalar lies within the
	12	valid range, and by checking that the received element is not the point
	13	at infinity and lies on the elliptic curve being used. (CVE-2019-9499)
	14
	15	The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
	16	is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
	17	(and also BoringSSL) implicitly validate the elliptic curve point in
	18	EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
	19
	20	Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
	21	Signed-off-by: Adrian Bunk <bunk@stusta.de>
	22	Upstream-Status: Backport
	23	CVE: CVE-2019-9499
	24	---
	25	src/eap_peer/eap_pwd.c \| 20 ++++++++++++++++++++
	26	1 file changed, 20 insertions(+)
	27
	28	diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
	29	index 761c16a..5a05e54 100644
	30	--- a/src/eap_peer/eap_pwd.c
	31	+++ b/src/eap_peer/eap_pwd.c
	32	@@ -594,6 +594,26 @@ eap_pwd_perform_commit_exchange(struct eap_sm sm, struct eap_pwd_data data,
	33	goto fin;
	34	}
	35
	36	+ /* verify received scalar */
	37	+ if (crypto_bignum_is_zero(data->server_scalar) \|\|
	38	+ crypto_bignum_is_one(data->server_scalar) \|\|
	39	+ crypto_bignum_cmp(data->server_scalar,
	40	+ crypto_ec_get_order(data->grp->group)) >= 0) {
	41	+ wpa_printf(MSG_INFO,
	42	+ "EAP-PWD (peer): received scalar is invalid");
	43	+ goto fin;
	44	+ }
	45	+
	46	+ /* verify received element */
	47	+ if (!crypto_ec_point_is_on_curve(data->grp->group,
	48	+ data->server_element) \|\|
	49	+ crypto_ec_point_is_at_infinity(data->grp->group,
	50	+ data->server_element)) {
	51	+ wpa_printf(MSG_INFO,
	52	+ "EAP-PWD (peer): received element is invalid");
	53	+ goto fin;
	54	+ }
	55	+
	56	/* check to ensure server's element is not in a small sub-group */
	57	if (!crypto_bignum_is_one(cofactor)) {
	58	if (crypto_ec_point_mul(data->grp->group, data->server_element,
	59	--
	60	2.7.4
	61