authorHauke Mehrtens <hauke@hauke-m.de>2019-05-17 23:22:02 +0200
committerHauke Mehrtens <hauke@hauke-m.de>2019-06-21 10:29:23 +0200
commitb463a13881d3699c0f2d67ceeda146c76af58ac6 (patch)
tree117e73afb22cfa753cdc076a063ae22cd33fb194 /package/network/services/hostapd/patches/061-0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
parentfc1dae5be797f54d45f5a61ae17fe548e108dd0d (diff)
hostapd: fix multiple security problems
This fixes the following security problems: * CVE-2019-9494: cache attack against SAE * CVE-2019-9495: cache attack against EAP-pwd * CVE-2019-9496: SAE confirm missing state validation in hostapd/AP * CVE-2019-9497: EAP-pwd server not checking for reflection attack * CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element * CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element * CVE-2019-11555: EAP-pwd message reassembly issue with unexpected fragment Most of these problems are not relevant for normal users; SAE is only used in ieee80211s mesh mode and EAP-pwd is normally not activated. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Diffstat (limited to 'package/network/services/hostapd/patches/061-0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch')
-rw-r--r--package/network/services/hostapd/patches/061-0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/061-0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch b/package/network/services/hostapd/patches/061-0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
new file mode 100644
index 0000000000..003985bdd2
--- /dev/null
+++ b/package/network/services/hostapd/patches/061-0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
@@ -0,0 +1,55 @@
+From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Fri, 8 Mar 2019 00:24:12 +0200
+Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
+ crypto_bignum_legendre()
+
+Get rid of the branches that depend on the result of the Legendre
+operation. This is needed to avoid leaking information about different
+temporary results in blinding mechanisms.
+
+This is related to CVE-2019-9494 and CVE-2019-9495.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/crypto/crypto_openssl.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -24,6 +24,7 @@
+ #endif /* CONFIG_ECC */
+
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "wpabuf.h"
+ #include "dh_group5.h"
+ #include "sha1.h"
+@@ -1434,6 +1435,7 @@ int crypto_bignum_legendre(const struct
+ BN_CTX *bnctx;
+ BIGNUM *exp = NULL, *tmp = NULL;
+ int res = -2;
++ unsigned int mask;
+
+ if (TEST_FAIL())
+ return -2;
+@@ -1452,12 +1454,13 @@ int crypto_bignum_legendre(const struct
+ (const BIGNUM *) p, bnctx, NULL))
+ goto fail;
+
+- if (BN_is_word(tmp, 1))
+- res = 1;
+- else if (BN_is_zero(tmp))
+- res = 0;
+- else
+- res = -1;
++ /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
++ * constant time selection to avoid branches here. */
++ res = -1;
++ mask = const_time_eq(BN_is_word(tmp, 1), 1);
++ res = const_time_select_int(mask, 1, res);
++ mask = const_time_eq(BN_is_zero(tmp), 1);
++ res = const_time_select_int(mask, 0, res);
+
+ fail:
+ BN_clear_free(tmp);
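Review bot: The constant-time selection at `res = const_time_select_int(mask, 1, res);` removes only the branch on the comparison result; the operands still come from `BN_is_word(tmp, 1)` and `BN_is_zero(tmp)`, and whether those OpenSSL helpers run in time independent of `tmp` is not visible here and probably depends on the OpenSSL version the package is built against. The returned -1/0/1 is itself still derived from secret data, so the blinding code that calls this function has to consume it without branching too, which cannot be checked from this patch. I would extend the new comment to record both assumptions, e.g. `/* Callers must not branch on the result for secret inputs; BN_is_word()/BN_is_zero() are assumed not to leak tmp through timing. */`. The body of crypto_bignum_legendre() starts and ends outside the inner hunks shown, so the -2 failure path and the cleanup after `fail:` are not reviewed here.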