Diffstat (limited to 'main/wpa_supplicant')
-rw-r--r--main/wpa_supplicant/0016-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch31
-rw-r--r--main/wpa_supplicant/0017-EAP-pwd-Enforce-1-rand-mask-r-and-rand-mask-mod-r-1.patch121
-rw-r--r--main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch257
-rw-r--r--main/wpa_supplicant/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch70
-rw-r--r--main/wpa_supplicant/0020-OpenSSL-Use-BN_bn2binpad-or-BN_bn2bin_padded-if-avai.patch66
-rw-r--r--main/wpa_supplicant/0021-SAE-Run-through-prf-result-processing-even-if-it-pri.patch59
-rw-r--r--main/wpa_supplicant/0022-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch57
-rw-r--r--main/wpa_supplicant/0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch45
-rw-r--r--main/wpa_supplicant/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch59
-rw-r--r--main/wpa_supplicant/0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch51
-rw-r--r--main/wpa_supplicant/APKBUILD28
-rw-r--r--main/wpa_supplicant/CVE-2019-16275.patch73
12 files changed, 916 insertions, 1 deletions
diff --git a/main/wpa_supplicant/0016-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch b/main/wpa_supplicant/0016-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch
new file mode 100644
index 0000000000..073f1e3ce1
--- /dev/null
+++ b/main/wpa_supplicant/0016-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch
@@ -0,0 +1,31 @@
+From e43f08991f00820c1f711ca254021d5f83b5cd7d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 18:52:34 +0300
+Subject: [PATCH 1/6] SAE: Use const_time_memcmp() for pwd_value >= prime
+ comparison
+
+This reduces timing and memory access pattern differences for an
+operation that could depend on the used password.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+(cherry picked from commit 8e14b030e558d23f65d761895c07089404e61cf1)
+---
+ src/common/sae.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 5a50294a6..0d56e5505 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -317,7 +317,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
+ pwd_value, sae->tmp->prime_len);
+
+- if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
++ if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
+ return 0;
+
+ x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
+--
+2.20.1
+
diff --git a/main/wpa_supplicant/0017-EAP-pwd-Enforce-1-rand-mask-r-and-rand-mask-mod-r-1.patch b/main/wpa_supplicant/0017-EAP-pwd-Enforce-1-rand-mask-r-and-rand-mask-mod-r-1.patch
new file mode 100644
index 0000000000..2cd0aa5a27
--- /dev/null
+++ b/main/wpa_supplicant/0017-EAP-pwd-Enforce-1-rand-mask-r-and-rand-mask-mod-r-1.patch
@@ -0,0 +1,121 @@
+From 4396f74a36e16e32a51238d84bf6225b89c8b25c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Fri, 5 Apr 2019 12:37:21 +0300
+Subject: [PATCH] EAP-pwd: Enforce 1 < rand,mask < r and rand+mask mod r > 1
+
+RFC 5931 has these conditions as MUST requirements, so better follow
+them explicitly even if the rand,mask == 0 or rand+mask == 0 or 1 cases
+are very unlikely to occur in practice while generating random values
+locally.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/eap_common/eap_pwd_common.c | 28 ++++++++++++++++++++++++++++
+ src/eap_common/eap_pwd_common.h | 3 +++
+ src/eap_peer/eap_pwd.c | 14 ++------------
+ src/eap_server/eap_server_pwd.c | 13 ++-----------
+ 4 files changed, 35 insertions(+), 23 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index c28b56d62..4288b5299 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -534,3 +534,31 @@ struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
+
+ return scalar;
+ }
++
++
++int eap_pwd_get_rand_mask(EAP_PWD_group *group, struct crypto_bignum *_rand,
++ struct crypto_bignum *_mask,
++ struct crypto_bignum *scalar)
++{
++ const struct crypto_bignum *order;
++ int count;
++
++ order = crypto_ec_get_order(group->group);
++
++ /* Select two random values rand,mask such that 1 < rand,mask < r and
++ * rand + mask mod r > 1. */
++ for (count = 0; count < 100; count++) {
++ if (crypto_bignum_rand(_rand, order) == 0 &&
++ !crypto_bignum_is_zero(_rand) &&
++ crypto_bignum_rand(_mask, order) == 0 &&
++ !crypto_bignum_is_zero(_mask) &&
++ crypto_bignum_add(_rand, _mask, scalar) == 0 &&
++ crypto_bignum_mod(scalar, order, scalar) == 0 &&
++ !crypto_bignum_is_zero(scalar) &&
++ !crypto_bignum_is_one(scalar))
++ return 0;
++ }
++
++ wpa_printf(MSG_INFO, "EAP-pwd: unable to get randomness");
++ return -1;
++}
+diff --git a/src/eap_common/eap_pwd_common.h b/src/eap_common/eap_pwd_common.h
+index 2387e59a2..c48acee20 100644
+--- a/src/eap_common/eap_pwd_common.h
++++ b/src/eap_common/eap_pwd_common.h
+@@ -70,5 +70,8 @@ void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
+ struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+ const u8 *buf);
+ struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
++int eap_pwd_get_rand_mask(EAP_PWD_group *group, struct crypto_bignum *_rand,
++ struct crypto_bignum *_mask,
++ struct crypto_bignum *scalar);
+
+ #endif /* EAP_PWD_COMMON_H */
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index f37b974eb..5f6c00218 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -542,19 +542,9 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ goto fin;
+ }
+
+- if (crypto_bignum_rand(data->private_value,
+- crypto_ec_get_order(data->grp->group)) < 0 ||
+- crypto_bignum_rand(mask,
+- crypto_ec_get_order(data->grp->group)) < 0 ||
+- crypto_bignum_add(data->private_value, mask,
+- data->my_scalar) < 0 ||
+- crypto_bignum_mod(data->my_scalar,
+- crypto_ec_get_order(data->grp->group),
+- data->my_scalar) < 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd (peer): unable to get randomness");
++ if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,
++ data->my_scalar) < 0)
+ goto fin;
+- }
+
+ if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask,
+ data->my_element) < 0) {
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index f6c75cf80..cf6affdaf 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -261,18 +261,9 @@ static void eap_pwd_build_commit_req(struct eap_sm *sm,
+ goto fin;
+ }
+
+- if (crypto_bignum_rand(data->private_value,
+- crypto_ec_get_order(data->grp->group)) < 0 ||
+- crypto_bignum_rand(mask,
+- crypto_ec_get_order(data->grp->group)) < 0 ||
+- crypto_bignum_add(data->private_value, mask, data->my_scalar) < 0 ||
+- crypto_bignum_mod(data->my_scalar,
+- crypto_ec_get_order(data->grp->group),
+- data->my_scalar) < 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd (server): unable to get randomness");
++ if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,
++ data->my_scalar) < 0)
+ goto fin;
+- }
+
+ if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask,
+ data->my_element) < 0) {
+--
+2.22.0
+
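Review bot: The retry loop in the new `eap_pwd_get_rand_mask()` rejects only zero for `_rand` and `_mask`, so a value of exactly 1 still passes, although the comment above the loop and the patch subject both state the bound as 1 < rand,mask < r. Adding `!crypto_bignum_is_one(_rand) &&` and `!crypto_bignum_is_one(_mask) &&` next to the existing `crypto_bignum_is_zero()` tests would make the code match the stated requirement; `crypto_bignum_is_one()` is already applied to `scalar` in the same condition. The single message `"EAP-pwd: unable to get randomness"` also covers the case where all 100 draws were discarded by the range checks, which is worth distinguishing from an RNG failure when reading logs.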
diff --git a/main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch b/main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch
new file mode 100644
index 0000000000..9ffa00c1d0
--- /dev/null
+++ b/main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch
@@ -0,0 +1,257 @@
+From 8b093db2c3f489a74b67f687becf750d24fcf626 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Apr 2019 17:30:22 +0300
+Subject: [PATCH] EAP-pwd: Remove unused checks for cofactor > 1 cases
+
+None of the ECC groups supported in the implementation had a cofactor
+greater than 1, so these checks are unreachable and for all cases, the
+cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallow use
+of ECC groups with cofactor larger than 1, so this checks cannot be
+needed for any curve that is compliant with the RFC.
+
+Remove the unneeded group cofactor checks to simplify the
+implementation.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 53 ++-------------------------------
+ src/eap_peer/eap_pwd.c | 23 ++------------
+ src/eap_server/eap_server_pwd.c | 23 ++------------
+ 3 files changed, 7 insertions(+), 92 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 00f85a390..884150e6c 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -151,7 +151,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+ * mask */
+ size_t primebytelen = 0, primebitlen;
+- struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
++ struct crypto_bignum *x_candidate = NULL;
+ const struct crypto_bignum *prime;
+ u8 mask, found_ctr = 0, is_odd = 0;
+
+@@ -161,21 +161,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ os_memset(x_bin, 0, sizeof(x_bin));
+
+ prime = crypto_ec_get_prime(grp->group);
+- cofactor = crypto_bignum_init();
+ grp->pwe = crypto_ec_point_init(grp->group);
+ tmp1 = crypto_bignum_init();
+ pm1 = crypto_bignum_init();
+ one = crypto_bignum_init_set((const u8 *) "\x01", 1);
+- if (!cofactor || !grp->pwe || !tmp1 || !pm1 || !one) {
++ if (!grp->pwe || !tmp1 || !pm1 || !one) {
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+ goto fail;
+ }
+
+- if (crypto_ec_cofactor(grp->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
+- "curve");
+- goto fail;
+- }
+ primebitlen = crypto_ec_prime_len_bits(grp->group);
+ primebytelen = crypto_ec_prime_len(grp->group);
+ if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+@@ -340,19 +334,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ }
+
+- if (!crypto_bignum_is_one(cofactor)) {
+- /* make sure the point is not in a small sub-group */
+- if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor,
+- grp->pwe) != 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: cannot multiply generator by order");
+- goto fail;
+- }
+- if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) {
+- wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity");
+- goto fail;
+- }
+- }
+ wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
+
+ if (0) {
+@@ -362,7 +343,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ ret = 1;
+ }
+ /* cleanliness and order.... */
+- crypto_bignum_deinit(cofactor, 1);
+ crypto_bignum_deinit(x_candidate, 1);
+ crypto_bignum_deinit(pm1, 0);
+ crypto_bignum_deinit(tmp1, 1);
+@@ -464,7 +444,6 @@ struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+ struct crypto_ec_point *element;
+ const struct crypto_bignum *prime;
+ size_t prime_len;
+- struct crypto_bignum *cofactor = NULL;
+
+ prime = crypto_ec_get_prime(group->group);
+ prime_len = crypto_ec_prime_len(group->group);
+@@ -489,35 +468,7 @@ struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+ goto fail;
+ }
+
+- cofactor = crypto_bignum_init();
+- if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: Unable to get cofactor for curve");
+- goto fail;
+- }
+-
+- if (!crypto_bignum_is_one(cofactor)) {
+- struct crypto_ec_point *point;
+- int ok = 1;
+-
+- /* check to ensure peer's element is not in a small sub-group */
+- point = crypto_ec_point_init(group->group);
+- if (!point ||
+- crypto_ec_point_mul(group->group, element,
+- cofactor, point) != 0 ||
+- crypto_ec_point_is_at_infinity(group->group, point))
+- ok = 0;
+- crypto_ec_point_deinit(point, 0);
+-
+- if (!ok) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: Small sub-group check on peer element failed");
+- goto fail;
+- }
+- }
+-
+ out:
+- crypto_bignum_deinit(cofactor, 0);
+ return element;
+ fail:
+ crypto_ec_point_deinit(element, 0);
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 4be4fcf35..46894a52f 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -309,7 +309,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ const u8 *payload, size_t payload_len)
+ {
+ struct crypto_ec_point *K = NULL;
+- struct crypto_bignum *mask = NULL, *cofactor = NULL;
++ struct crypto_bignum *mask = NULL;
+ const u8 *ptr = payload;
+ u8 *scalar, *element;
+ size_t prime_len, order_len;
+@@ -527,21 +527,14 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ data->private_value = crypto_bignum_init();
+ data->my_element = crypto_ec_point_init(data->grp->group);
+- cofactor = crypto_bignum_init();
+ data->my_scalar = crypto_bignum_init();
+ mask = crypto_bignum_init();
+- if (!data->private_value || !data->my_element || !cofactor ||
++ if (!data->private_value || !data->my_element ||
+ !data->my_scalar || !mask) {
+ wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
+ goto fin;
+ }
+
+- if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
+- "for curve");
+- goto fin;
+- }
+-
+ if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,
+ data->my_scalar) < 0)
+ goto fin;
+@@ -595,17 +588,8 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ goto fin;
+ }
+
+- /* ensure that the shared key isn't in a small sub-group */
+- if (!crypto_bignum_is_one(cofactor)) {
+- if (crypto_ec_point_mul(data->grp->group, K, cofactor, K) < 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
+- "shared key point by order");
+- goto fin;
+- }
+- }
+-
+ /*
+- * This check is strictly speaking just for the case above where
++ * This check is strictly speaking just for the case where
+ * co-factor > 1 but it was suggested that even though this is probably
+ * never going to happen it is a simple and safe check "just to be
+ * sure" so let's be safe.
+@@ -644,7 +628,6 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ fin:
+ crypto_bignum_deinit(mask, 1);
+- crypto_bignum_deinit(cofactor, 1);
+ crypto_ec_point_deinit(K, 1);
+ if (data->outbuf == NULL)
+ eap_pwd_state(data, FAILURE);
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 9799c8197..81ecd773f 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -648,7 +648,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ const u8 *payload, size_t payload_len)
+ {
+ const u8 *ptr;
+- struct crypto_bignum *cofactor = NULL;
+ struct crypto_ec_point *K = NULL;
+ int res = 0;
+ size_t prime_len, order_len;
+@@ -667,20 +666,13 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ }
+
+ data->k = crypto_bignum_init();
+- cofactor = crypto_bignum_init();
+ K = crypto_ec_point_init(data->grp->group);
+- if (!data->k || !cofactor || !K) {
++ if (!data->k || !K) {
+ wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+ "fail");
+ goto fin;
+ }
+
+- if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (server): unable to get "
+- "cofactor for curve");
+- goto fin;
+- }
+-
+ /* element, x then y, followed by scalar */
+ ptr = payload;
+ data->peer_element = eap_pwd_get_element(data->grp, ptr);
+@@ -718,18 +710,8 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ goto fin;
+ }
+
+- /* ensure that the shared key isn't in a small sub-group */
+- if (!crypto_bignum_is_one(cofactor)) {
+- if (crypto_ec_point_mul(data->grp->group, K, cofactor,
+- K) != 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
+- "multiply shared key point by order!\n");
+- goto fin;
+- }
+- }
+-
+ /*
+- * This check is strictly speaking just for the case above where
++ * This check is strictly speaking just for the case where
+ * co-factor > 1 but it was suggested that even though this is probably
+ * never going to happen it is a simple and safe check "just to be
+ * sure" so let's be safe.
+@@ -748,7 +730,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ fin:
+ crypto_ec_point_deinit(K, 1);
+- crypto_bignum_deinit(cofactor, 1);
+
+ if (res)
+ eap_pwd_state(data, PWD_Confirm_Req);
+--
+2.22.0
+
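Review bot: After this patch `eap_pwd_get_element()` reaches `out:` with no small-subgroup check on the peer's element, so its safety rests on every selectable group having cofactor 1, and nothing in the code records that dependency. A comment at that point such as `/* No small-subgroup check: every group accepted by eap_pwd_suitable_group() has cofactor 1 (RFC 5931 requirement) */` would keep the assumption visible to whoever next extends the group list. The index line for `eap_pwd_common.c` (`00f85a390..884150e6c`) starts from the blob that patch 0023 produces, so this patch appears to have been generated on top of 0023 although it is numbered before it; confirm that the series applies without fuzz in the order the build uses. The functions touched here start and end outside the hunks.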
diff --git a/main/wpa_supplicant/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch b/main/wpa_supplicant/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch
new file mode 100644
index 0000000000..e27cd827e8
--- /dev/null
+++ b/main/wpa_supplicant/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch
@@ -0,0 +1,70 @@
+From 20d7bd83c43fb24c4cf84d3045254d3ee1957166 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 19:07:05 +0300
+Subject: [PATCH 2/6] EAP-pwd: Use const_time_memcmp() for pwd_value >= prime
+ comparison
+
+This reduces timing and memory access pattern differences for an
+operation that could depend on the used password.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+(cherry picked from commit 7958223fdcfe82479e6ed71019a84f6d4cbf799c)
+---
+ src/eap_common/eap_pwd_common.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 884150e6c..6ca2c8bad 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -144,6 +144,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 qnr_bin[MAX_ECC_PRIME_LEN];
+ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+ u8 x_bin[MAX_ECC_PRIME_LEN];
++ u8 prime_bin[MAX_ECC_PRIME_LEN];
+ struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+ struct crypto_hash *hash;
+ unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+@@ -161,6 +162,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ os_memset(x_bin, 0, sizeof(x_bin));
+
+ prime = crypto_ec_get_prime(grp->group);
++ primebitlen = crypto_ec_prime_len_bits(grp->group);
++ primebytelen = crypto_ec_prime_len(grp->group);
++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++ primebytelen) < 0)
++ return -1;
+ grp->pwe = crypto_ec_point_init(grp->group);
+ tmp1 = crypto_bignum_init();
+ pm1 = crypto_bignum_init();
+@@ -170,8 +176,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ }
+
+- primebitlen = crypto_ec_prime_len_bits(grp->group);
+- primebytelen = crypto_ec_prime_len(grp->group);
+ if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
+ "buffer");
+@@ -237,6 +241,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ if (primebitlen % 8)
+ buf_shift_right(prfbuf, primebytelen,
+ 8 - primebitlen % 8);
++ if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
++ continue;
+
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -246,9 +252,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ }
+
+- if (crypto_bignum_cmp(x_candidate, prime) >= 0)
+- continue;
+-
+ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
+ prfbuf, primebytelen);
+ const_time_select_bin(found, x_bin, prfbuf, primebytelen,
+--
+2.20.1
+
diff --git a/main/wpa_supplicant/0020-OpenSSL-Use-BN_bn2binpad-or-BN_bn2bin_padded-if-avai.patch b/main/wpa_supplicant/0020-OpenSSL-Use-BN_bn2binpad-or-BN_bn2bin_padded-if-avai.patch
new file mode 100644
index 0000000000..16feeaabb4
--- /dev/null
+++ b/main/wpa_supplicant/0020-OpenSSL-Use-BN_bn2binpad-or-BN_bn2bin_padded-if-avai.patch
@@ -0,0 +1,66 @@
+From ee34d8cfbd0fbf7ba7429531d4bee1c43b074d8b Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 19:23:05 +0300
+Subject: [PATCH 3/6] OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if
+ available
+
+This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL
+functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid
+differences in runtime and memory access patterns depending on the
+leading bytes of the BIGNUM value.
+
+OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases
+are still using the previous implementation where the BN_num_bytes()
+call may result in different memory access pattern.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+(cherry picked from commit 1e237903f5b5d3117342daf006c5878cdb45e3d3)
+---
+ src/crypto/crypto_openssl.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 1b0c1ec96..23ae5462d 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -1295,7 +1295,13 @@ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ int crypto_bignum_to_bin(const struct crypto_bignum *a,
+ u8 *buf, size_t buflen, size_t padlen)
+ {
++#ifdef OPENSSL_IS_BORINGSSL
++#else /* OPENSSL_IS_BORINGSSL */
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++#else
+ int num_bytes, offset;
++#endif
++#endif /* OPENSSL_IS_BORINGSSL */
+
+ if (TEST_FAIL())
+ return -1;
+@@ -1303,6 +1309,14 @@ int crypto_bignum_to_bin(const struct crypto_bignum *a,
+ if (padlen > buflen)
+ return -1;
+
++#ifdef OPENSSL_IS_BORINGSSL
++ if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
++ return -1;
++ return padlen;
++#else /* OPENSSL_IS_BORINGSSL */
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
++#else
+ num_bytes = BN_num_bytes((const BIGNUM *) a);
+ if ((size_t) num_bytes > buflen)
+ return -1;
+@@ -1315,6 +1329,8 @@ int crypto_bignum_to_bin(const struct crypto_bignum *a,
+ BN_bn2bin((const BIGNUM *) a, buf + offset);
+
+ return num_bytes + offset;
++#endif
++#endif /* OPENSSL_IS_BORINGSSL */
+ }
+
+
+--
+2.20.1
+
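Review bot: On BoringSSL and on OpenSSL 1.1.0 or newer, the added branches in `crypto_bignum_to_bin()` pass `padlen` straight to `BN_bn2bin_padded()` / `BN_bn2binpad()`, so a call with `padlen == 0` (or a `padlen` shorter than the value) now returns -1, whereas the retained fallback writes the unpadded value and returns its length. No caller is visible in this hunk, so whether any of them passes 0 is unconfirmed, but the function's result now depends on which crypto library it is built against. Guarding the padded calls with `if (padlen)` and falling through to the existing `BN_num_bytes()` path keeps the fixed-length conversion wherever a pad length is given and the previous result otherwise; `num_bytes` and `offset` then have to be declared unconditionally.

```c
int crypto_bignum_to_bin(const struct crypto_bignum *a,
			 u8 *buf, size_t buflen, size_t padlen)
{
	int num_bytes, offset;

	/* … unchanged: TEST_FAIL() and padlen > buflen checks … */

	if (padlen) {
#ifdef OPENSSL_IS_BORINGSSL
		if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
			return -1;
		return padlen;
#else /* OPENSSL_IS_BORINGSSL */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
		return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
#endif
#endif /* OPENSSL_IS_BORINGSSL */
	}

	/* … unchanged: BN_num_bytes()/BN_bn2bin() fallback, now also reached when padlen == 0 … */
```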
diff --git a/main/wpa_supplicant/0021-SAE-Run-through-prf-result-processing-even-if-it-pri.patch b/main/wpa_supplicant/0021-SAE-Run-through-prf-result-processing-even-if-it-pri.patch
new file mode 100644
index 0000000000..0a2f398527
--- /dev/null
+++ b/main/wpa_supplicant/0021-SAE-Run-through-prf-result-processing-even-if-it-pri.patch
@@ -0,0 +1,59 @@
+From a25b48118d75f3c2d7cb1b2c3b4cffb13091a34c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 24 Jun 2019 23:01:06 +0300
+Subject: [PATCH 4/6] SAE: Run through prf result processing even if it >=
+ prime
+
+This reduces differences in timing and memory access within the
+hunting-and-pecking loop for ECC groups that have a prime that is not
+close to a power of two (e.g., Brainpool curves).
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503)
+---
+ src/common/sae.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 0d56e5505..759e48e22 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -304,6 +304,8 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ struct crypto_bignum *y_sqr, *x_cand;
+ int res;
+ size_t bits;
++ int cmp_prime;
++ unsigned int in_range;
+
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
+
+@@ -317,8 +319,13 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
+ pwd_value, sae->tmp->prime_len);
+
+- if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
+- return 0;
++ cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
++ /* Create a const_time mask for selection based on prf result
++ * being smaller than prime. */
++ in_range = const_time_fill_msb((unsigned int) cmp_prime);
++ /* The algorithm description would skip the next steps if
++ * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
++ * minimize externally observable differences in behavior. */
+
+ x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
+ if (!x_cand)
+@@ -330,7 +337,9 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+
+ res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
+ crypto_bignum_deinit(y_sqr, 1);
+- return res;
++ if (res < 0)
++ return res;
++ return const_time_select_int(in_range, res, 0);
+ }
+
+
+--
+2.20.1
+
diff --git a/main/wpa_supplicant/0022-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch b/main/wpa_supplicant/0022-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch
new file mode 100644
index 0000000000..d5ebe59aec
--- /dev/null
+++ b/main/wpa_supplicant/0022-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch
@@ -0,0 +1,57 @@
+From 00a6cc73da61b03c146b6c341d0d1e572bcef432 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 24 Jun 2019 23:02:51 +0300
+Subject: [PATCH 5/6] EAP-pwd: Run through prf result processing even if it >=
+ prime
+
+This reduces differences in timing and memory access within the
+hunting-and-pecking loop for ECC groups that have a prime that is not
+close to a power of two (e.g., Brainpool curves).
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit cd803299ca485eb857e37c88f973fccfbb8600e5)
+---
+ src/eap_common/eap_pwd_common.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 6ca2c8bad..fec251472 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -155,6 +155,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ struct crypto_bignum *x_candidate = NULL;
+ const struct crypto_bignum *prime;
+ u8 mask, found_ctr = 0, is_odd = 0;
++ int cmp_prime;
++ unsigned int in_range;
+
+ if (grp->pwe)
+ return -1;
+@@ -241,8 +243,13 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ if (primebitlen % 8)
+ buf_shift_right(prfbuf, primebytelen,
+ 8 - primebitlen % 8);
+- if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
+- continue;
++ cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen);
++ /* Create a const_time mask for selection based on prf result
++ * being smaller than prime. */
++ in_range = const_time_fill_msb((unsigned int) cmp_prime);
++ /* The algorithm description would skip the next steps if
++ * cmp_prime >= 0, but go through them regardless to minimize
++ * externally observable differences in behavior. */
+
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -306,7 +313,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ mask = const_time_eq(res, check);
+ found_ctr = const_time_select_u8(found, found_ctr, ctr);
+- found |= mask;
++ found |= mask & in_range;
+ }
+ if (found == 0) {
+ wpa_printf(MSG_INFO,
+--
+2.20.1
+
diff --git a/main/wpa_supplicant/0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch b/main/wpa_supplicant/0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch
new file mode 100644
index 0000000000..0ffff7ea9d
--- /dev/null
+++ b/main/wpa_supplicant/0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch
@@ -0,0 +1,45 @@
+From 92e1b96c26a84e503847bdd22ebadf697c4031ad Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Apr 2019 17:20:57 +0300
+Subject: [PATCH] EAP-pwd: Disallow ECC groups with a prime under 256 bits
+
+Based on the SAE implementation guidance update to not allow ECC groups
+with a prime that is under 256 bits, reject groups 25, 26, and 27 in
+EAP-pwd.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 4288b5299..00f85a390 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -85,10 +85,23 @@ static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label,
+ }
+
+
++static int eap_pwd_suitable_group(u16 num)
++{
++ /* Do not allow ECC groups with prime under 256 bits based on guidance
++ * for the similar design in SAE. */
++ return num == 19 || num == 20 || num == 21 ||
++ num == 28 || num == 29 || num == 30;
++}
++
++
+ EAP_PWD_group * get_eap_pwd_group(u16 num)
+ {
+ EAP_PWD_group *grp;
+
++ if (!eap_pwd_suitable_group(num)) {
++ wpa_printf(MSG_INFO, "EAP-pwd: unsuitable group %u", num);
++ return NULL;
++ }
+ grp = os_zalloc(sizeof(EAP_PWD_group));
+ if (!grp)
+ return NULL;
+--
+2.22.0
+
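Review bot: The comment in `eap_pwd_suitable_group()` describes a deny rule ("Do not allow ECC groups with prime under 256 bits"), but the function is an allow-list: every group number other than 19, 20, 21, 28, 29 or 30 is refused, not only 25, 26 and 27 as the patch description says. Rewording it to `/* Allow-list of ECC groups with a prime of at least 256 bits; every other group number is rejected. */` would stop a reader from assuming other groups stay available. Patch 0025 later in this series removes 28, 29 and 30 from the list and, as far as the visible part of that hunk shows, leaves this comment untouched, so the comment should then also mention the Brainpool exclusion.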
diff --git a/main/wpa_supplicant/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch b/main/wpa_supplicant/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
new file mode 100644
index 0000000000..a7e6d37fb1
--- /dev/null
+++ b/main/wpa_supplicant/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
@@ -0,0 +1,59 @@
+From db54db11aec763b6fc74715c36e0f9de0d65e206 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 8 Apr 2019 18:01:07 +0300
+Subject: [PATCH] SAE: Reject unsuitable groups based on REVmd changes
+
+The rules defining which DH groups are suitable for SAE use were
+accepted into IEEE 802.11 REVmd based on this document:
+https://mentor.ieee.org/802.11/dcn/19/11-19-0387-02-000m-addressing-some-sae-comments.docx
+
+Enforce those rules in production builds of wpa_supplicant and hostapd.
+CONFIG_TESTING_OPTIONS=y builds can still be used to select any o the
+implemented groups to maintain testing coverage.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 981e788dc..8129a7c15 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -17,10 +17,33 @@
+ #include "sae.h"
+
+
++static int sae_suitable_group(int group)
++{
++#ifdef CONFIG_TESTING_OPTIONS
++ /* Allow all groups for testing purposes in non-production builds. */
++ return 1;
++#else /* CONFIG_TESTING_OPTIONS */
++ /* Enforce REVmd rules on which SAE groups are suitable for production
++ * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
++ * defined over a prime field whose prime is >= 256 bits. Furthermore,
++ * ECC groups defined over a characteristic 2 finite field and ECC
++ * groups with a co-factor greater than 1 are not suitable. */
++ return group == 19 || group == 20 || group == 21 ||
++ group == 28 || group == 29 || group == 30 ||
++ group == 15 || group == 16 || group == 17 || group == 18;
++#endif /* CONFIG_TESTING_OPTIONS */
++}
++
++
+ int sae_set_group(struct sae_data *sae, int group)
+ {
+ struct sae_temporary_data *tmp;
+
++ if (!sae_suitable_group(group)) {
++ wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group);
++ return -1;
++ }
++
+ sae_clear_data(sae);
+ tmp = sae->tmp = os_zalloc(sizeof(*tmp));
+ if (tmp == NULL)
+--
+2.22.0
+
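Review bot: `sae_set_group()` reports a refused group at `MSG_DEBUG`, while the equivalent EAP-pwd rejection added in patch 0023 uses `MSG_INFO`, so at default verbosity a peer or configuration asking for a disallowed SAE group leaves no trace in the log. If log volume allows, `wpa_printf(MSG_INFO, "SAE: Reject unsuitable group %d", group);` would make the two paths consistent and give operators something to alert on. Separately, the `CONFIG_TESTING_OPTIONS` branch of `sae_suitable_group()` returns 1 for every group, so the restriction exists only in builds without that option; the package's build configuration is not visible in this part of the page and should be checked.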
diff --git a/main/wpa_supplicant/0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch b/main/wpa_supplicant/0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
new file mode 100644
index 0000000000..8dce92fffc
--- /dev/null
+++ b/main/wpa_supplicant/0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
@@ -0,0 +1,51 @@
+From 558518ed63202e5358116ab7e0afd5e85490f2ef Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 27 Jul 2019 23:19:17 +0300
+Subject: [PATCH 6/6] dragonfly: Disable use of groups using Brainpool curves
+
+Disable groups that use Brainpool curves for now since they leak more
+timing information due to the prime not being close to a power of two.
+This removes use of groups 28, 29, and 30 from SAE and EAP-pwd.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit 876c5eaa6dae1a87a17603fc489a44c29eedc2e3)
+---
+ src/common/sae.c | 6 ++++--
+ src/eap_common/eap_pwd_common.c | 3 +--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 759e48e22..2dbc251a4 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -28,9 +28,11 @@ static int sae_suitable_group(int group)
+ * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
+ * defined over a prime field whose prime is >= 256 bits. Furthermore,
+ * ECC groups defined over a characteristic 2 finite field and ECC
+- * groups with a co-factor greater than 1 are not suitable. */
++ * groups with a co-factor greater than 1 are not suitable. Disable
++ * groups that use Brainpool curves as well for now since they leak more
++ * timing information due to the prime not being close to a power of
++ * two. */
+ return group == 19 || group == 20 || group == 21 ||
+- group == 28 || group == 29 || group == 30 ||
+ group == 15 || group == 16 || group == 17 || group == 18;
+ #endif /* CONFIG_TESTING_OPTIONS */
+ }
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index fec251472..4a5eb2599 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -89,8 +89,7 @@ static int eap_pwd_suitable_group(u16 num)
+ {
+ /* Do not allow ECC groups with prime under 256 bits based on guidance
+ * for the similar design in SAE. */
+- return num == 19 || num == 20 || num == 21 ||
+- num == 28 || num == 29 || num == 30;
++ return num == 19 || num == 20 || num == 21;
+ }
+
+
+--
+2.20.1
+
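Review bot: The comment in `eap_pwd_suitable_group()` (src/eap_common/eap_pwd_common.c section) still gives only the "prime under 256 bits" rationale, so after this change nothing at that site explains why groups 28, 29 and 30 are missing, although their primes meet that bound. The `sae.c` section of the same patch does record the reason, and the two allow-lists are meant to stay aligned. I would extend the EAP-pwd comment to match, for example `/* Do not allow ECC groups with prime under 256 bits based on guidance for the similar design in SAE. Brainpool groups 28-30 are disabled as well for now since they leak more timing information. */`. Without it, a later maintainer who reads only this function could re-add the Brainpool groups as an apparent omission and reintroduce the timing side channel.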
diff --git a/main/wpa_supplicant/APKBUILD b/main/wpa_supplicant/APKBUILD
index 0d232d9c87..c177a73001 100644
--- a/main/wpa_supplicant/APKBUILD
+++ b/main/wpa_supplicant/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=wpa_supplicant
pkgver=2.7
-pkgrel=3
+pkgrel=5
pkgdesc="A utility providing key negotiation for WPA wireless networks"
url="https://w1.fi/wpa_supplicant/"
arch="all"
@@ -32,11 +32,26 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
0013-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch
0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+ 0016-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch
+ 0017-EAP-pwd-Enforce-1-rand-mask-r-and-rand-mask-mod-r-1.patch
+ 0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch
+ 0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch
+ 0020-OpenSSL-Use-BN_bn2binpad-or-BN_bn2bin_padded-if-avai.patch
+ 0021-SAE-Run-through-prf-result-processing-even-if-it-pri.patch
+ 0022-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch
+ 0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch
+ 0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
+ 0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
+ CVE-2019-16275.patch
config
wpa_cli.sh"
# secfixes:
+# 2.7-r5:
+# - CVE-2019-16275
+# 2.7-r4:
+# - CVE-2019-13377
# 2.7-r3:
# - CVE-2019-11555
# 2.7-r2:
@@ -144,5 +159,16 @@ c2ebe127e0d14c56b9e274a6f8f97c5fb763edc9dc7a3cab4cb1748d29a4d514c240e398ab140542
39cb011348a4723b52405bd6cd85f78da1a80e077b61ef0c489e5a0a03e21e30de38378554f1a81092b65cd923d1c3c430821812037a7607f582038d3ba26687 0013-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch
7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+0dfc8728cfc3a86f7a182a7f71213b94f64880ee4470e2a939c83059df5af7a60d56ec0a8a5f2f717838995f4ef2c6a8fb909324875b0f12a52040239092d115 0016-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch
+abc2a40f9437280b1b0d3355f6485fd3d3b6412011e23b4699eb53eebbb761b7d6af553df5655bf5171dabf010f18bd9923a5589c295766d8b6643645b466146 0017-EAP-pwd-Enforce-1-rand-mask-r-and-rand-mask-mod-r-1.patch
+d9113a9f59cd35de88a2ef57e2f83c10986dddd3fa18652c3ddfe9f9d5db828d5fdd6385f2de9d6e8e11207c4b35fad2fb72d6698e554fc017cd369231115f44 0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch
+88b28f73267b5031417e527b4e2eea117e62649862bafbe99b83b77bade56612283279906c8d1a4c997fb8f32fc7a6cf8c88931a64e9520d1bf45fbdb0e6c381 0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch
+01389b9d3951bf1148894c0f4b45d22ef8352a8fe1090721d17216506581305726f6a6c0ebff88479e5342330e75fc04db9201d7d65d4cc6b01a5f7258dc26f9 0020-OpenSSL-Use-BN_bn2binpad-or-BN_bn2bin_padded-if-avai.patch
+1fabc83a5e05ce3d09c89e37365d038bd0eec3a76683966ad172eac3c2c884dbc24fc6ca11c27a8f4582e886d0f1cde73bbede4484352b42a3f686d89d088fff 0021-SAE-Run-through-prf-result-processing-even-if-it-pri.patch
+bcae73930c35d441c5615970c305abb3dff293fdec16df50823e57419b22d1aac0e780970619e0c78b4482b7d07962bcf6162706a20e20f7b21a3a10f500eff1 0022-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch
+89ac9ee8b0a3521b135ea5075fcc01ee37b111ba129e75f58e4bb863aad0e782c0e1928c91cab2ab1859a7a52d66987e14018b0552c167c05dbaeed76f1b12dd 0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch
+da5f4248a0173cd7d07972b760631a8dc26f258e7b5be059c0d7de26e17f668945a62d2afce01ed1a1e9df6c55f9fd6ee344d4f006f5564b90a25e90e1e7c704 0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
+4734a8ab8ba1e91fc9e3d729f34527c14c291df238b02adea5acc04b0361b41d4bffca2fb13a4f464e9f007fa624117af4f50d755cb41a3129b4868da91bdf9a 0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
+63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
6707991f9a071f2fcb09d164d31d12b1f52b91fbb5574b70b8d6f9727f72bbe42b03dd66d10fcc2126f5b7e49ac785657dec90e88b4bf54a9aa5638582f6e505 config
212c4265afce2e72b95a32cd785612d6c3e821b47101ead154136d184ac4add01434ada6c87edbb9a98496552e76e1a4d79c6b5840e3a5cfe5e6d602fceae576 wpa_cli.sh"
diff --git a/main/wpa_supplicant/CVE-2019-16275.patch b/main/wpa_supplicant/CVE-2019-16275.patch
new file mode 100644
index 0000000000..d764a9db01
--- /dev/null
+++ b/main/wpa_supplicant/CVE-2019-16275.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
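Review bot: The source-address filter is written out twice with identical conditions, once on `addr` in `hostapd_notif_assoc()` and once on `mgmt->sa` in `ieee802_11_mgmt()`. Because this is a security check, the two copies need to stay identical, and a shared predicate would guarantee that if another address class is ever rejected. The helper below is a sketch; it would live in a header both files already include, which cannot be confirmed from the hunk. Both functions begin and end outside the hunk, so the length validation that makes `mgmt->sa` safe to read is presumably above the visible lines and should be confirmed to run before this check.

```c
/* True when sa cannot be a legitimate peer STA address for this BSS:
 * group-addressed, all-zero, or the AP's own address. */
static inline int hostapd_sa_is_invalid(const struct hostapd_data *hapd,
					const u8 *sa)
{
	return is_multicast_ether_addr(sa) || is_zero_ether_addr(sa) ||
		os_memcmp(sa, hapd->own_addr, ETH_ALEN) == 0;
}

/* in hostapd_notif_assoc() */
	if (hostapd_sa_is_invalid(hapd, addr)) {
		/* … unchanged: rationale comment, wpa_printf, return 0 … */

/* in ieee802_11_mgmt() */
	if (hostapd_sa_is_invalid(hapd, mgmt->sa)) {
		/* … unchanged: rationale comment, wpa_printf, return 0 … */
```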