!52 [sync] PR-50: fix CVE-2023-52160

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

CVE-2019-13377-1.patch

@@ -0,0 +1,28 @@
+From e43f08991f00820c1f711ca254021d5f83b5cd7d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 18:52:34 +0300
+Subject: [PATCH 1/6] SAE: Use const_time_memcmp() for pwd_value >= prime
+ comparison
+
+This reduces timing and memory access pattern differences for an
+operation that could depend on the used password.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+(cherry picked from commit 8e14b030e558d23f65d761895c07089404e61cf1)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 72b7954..4741753 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -287,7 +287,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
+ 			pwd_value, sae->tmp->prime_len);
+ 
+-	if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
++	if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)	
+ 		return 0;
+ 
+ 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
+-- 
+2.23.0
+

CVE-2019-13377-2-pre.patch

@@ -0,0 +1,246 @@
+From 8b093db2c3f489a74b67f687becf750d24fcf626 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Apr 2019 17:30:22 +0300
+Subject: EAP-pwd: Remove unused checks for cofactor > 1 cases
+
+None of the ECC groups supported in the implementation had a cofactor
+greater than 1, so these checks are unreachable and for all cases, the
+cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallow use
+of ECC groups with cofactor larger than 1, so this checks cannot be
+needed for any curve that is compliant with the RFC.
+
+Remove the unneeded group cofactor checks to simplify the
+implementation.
+---
+ src/eap_common/eap_pwd_common.c | 53 ++---------------------------------------
+ src/eap_peer/eap_pwd.c          | 23 +++---------------
+ src/eap_server/eap_server_pwd.c | 23 ++----------------
+ 3 files changed, 7 insertions(+), 92 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index ccd3627..cd7cd0f 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -149,7 +149,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+                        * mask */
+         size_t primebytelen = 0, primebitlen;
+-        struct crypto_bignum *x_candidate = NULL, *cofactor = NULL; 
++        struct crypto_bignum *x_candidate = NULL; 
+         const struct crypto_bignum *prime;
+         u8 mask, found_ctr = 0, is_odd = 0;
+ 
+@@ -159,21 +159,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         os_memset(x_bin, 0, sizeof(x_bin));
+ 
+         prime = crypto_ec_get_prime(grp->group);
+-        cofactor = crypto_bignum_init();
+         grp->pwe = crypto_ec_point_init(grp->group);
+         tmp1 = crypto_bignum_init();
+         pm1 = crypto_bignum_init();
+         one = crypto_bignum_init_set((const u8 *) "\x01", 1);
+-        if (!cofactor || !grp->pwe || !tmp1 || !pm1 || !one) {
++        if ( !grp->pwe || !tmp1 || !pm1 || !one) {
+ 		wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+ 		goto fail;
+ 	}
+ 
+-        if (crypto_ec_cofactor(grp->group, cofactor) < 0) {
+-		wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
+-			   "curve");
+-		goto fail;
+-	}
+         primebitlen = crypto_ec_prime_len_bits(grp->group);
+         primebytelen = crypto_ec_prime_len(grp->group);
+ 	if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+@@ -342,19 +336,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+                 goto fail;
+         }
+ 
+-        if (!crypto_bignum_is_one(cofactor)) {
+-                /* make sure the point is not in a small sub-group */
+-                if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor,
+-                                        grp->pwe) != 0) {
+-                        wpa_printf(MSG_INFO,
+-                                   "EAP-pwd: cannot multiply generator by order");
+-                        goto fail;
+-                }
+-                if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) {
+-                        wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity");
+-                        goto fail;
+-                }
+-        }
+         wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
+ 
+ 	if (0) {
+@@ -364,7 +345,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ 		ret = 1;
+ 	}
+ 	/* cleanliness and order.... */
+-        crypto_bignum_deinit(cofactor, 1);
+         crypto_bignum_deinit(x_candidate, 1);
+         crypto_bignum_deinit(pm1, 0);
+         crypto_bignum_deinit(tmp1, 1);
+@@ -491,35 +471,7 @@ struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+ 		goto fail;
+ 	}
+ 
+-	cofactor = crypto_bignum_init();
+-	if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
+-		wpa_printf(MSG_INFO,
+-			   "EAP-pwd: Unable to get cofactor for curve");
+-		goto fail;
+-	}
+-
+-	if (!crypto_bignum_is_one(cofactor)) {
+-		struct crypto_ec_point *point;
+-		int ok = 1;
+-
+-		/* check to ensure peer's element is not in a small sub-group */
+-		point = crypto_ec_point_init(group->group);
+-		if (!point ||
+-		    crypto_ec_point_mul(group->group, element,
+-					cofactor, point) != 0 ||
+-		    crypto_ec_point_is_at_infinity(group->group, point))
+-			ok = 0;
+-		crypto_ec_point_deinit(point, 0);
+-
+-		if (!ok) {
+-			wpa_printf(MSG_INFO,
+-				   "EAP-pwd: Small sub-group check on peer element failed");
+-			goto fail;
+-		}
+-	}
+-
+ out:
+-	crypto_bignum_deinit(cofactor, 0);
+ 	return element;
+ fail:
+ 	crypto_ec_point_deinit(element, 0);
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 8064f3f..1ed00e2 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -347,7 +347,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ 				const u8 *payload, size_t payload_len)
+ {
+         struct crypto_ec_point *K = NULL, *point = NULL;
+-        struct crypto_bignum *mask = NULL, *cofactor = NULL;
++        struct crypto_bignum *mask = NULL;
+         const u8 *ptr;
+         u8 *scalar = NULL, *element = NULL;
+ 	size_t prime_len, order_len;
+@@ -370,20 +370,14 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ 
+         data->private_value = crypto_bignum_init();
+         data->my_element = crypto_ec_point_init(data->grp->group);
+-        cofactor = crypto_bignum_init();
+         data->my_scalar = crypto_bignum_init();
+         mask = crypto_bignum_init();
+-        if (!data->private_value || !data->my_element || !cofactor ||
++        if (!data->private_value || !data->my_element ||
+             !data->my_scalar || !mask) {
+ 		wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
+ 		goto fin;
+ 	}
+ 
+-        if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
+-		wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
+-			   "for curve");
+-		goto fin;
+-	}
+ 
+         if (crypto_bignum_rand(data->private_value,
+                                crypto_ec_get_order(data->grp->group)) < 0 ||
+@@ -470,17 +464,9 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ 		goto fin;
+ 	}
+ 
+-	/* ensure that the shared key isn't in a small sub-group */
+-        if (!crypto_bignum_is_one(cofactor)) {
+-                if (crypto_ec_point_mul(data->grp->group, K, cofactor, K) < 0) {
+-			wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
+-				   "shared key point by order");
+-			goto fin;
+-		}
+-	}
+ 
+ 	/*
+-	 * This check is strictly speaking just for the case above where
++	 * This check is strictly speaking just for the case where
+ 	 * co-factor > 1 but it was suggested that even though this is probably
+ 	 * never going to happen it is a simple and safe check "just to be
+ 	 * sure" so let's be safe.
+@@ -529,7 +515,6 @@ fin:
+ 	os_free(scalar);
+ 	os_free(element);
+         crypto_bignum_deinit(mask, 1);
+-        crypto_bignum_deinit(cofactor, 1);
+         crypto_ec_point_deinit(K, 1);
+         crypto_ec_point_deinit(point, 1);
+ 	if (data->outbuf == NULL)
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index b952b67..aa0f0d8 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -602,7 +602,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ 			    const u8 *payload, size_t payload_len)
+ {
+         const u8 *ptr;
+-        struct crypto_bignum *cofactor = NULL;
+         struct crypto_ec_point *K = NULL, *point = NULL;
+ 	int res = 0;
+ 	size_t prime_len, order_len;
+@@ -621,20 +620,14 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ 	}
+ 
+         data->k = crypto_bignum_init();
+-        cofactor = crypto_bignum_init();
+         point = crypto_ec_point_init(data->grp->group);
+         K = crypto_ec_point_init(data->grp->group);
+-        if (!data->k || !cofactor || !point || !K) {
++        if (!data->k || !point || !K) {
+ 		wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+ 			   "fail");
+ 		goto fin;
+ 	}
+ 
+-        if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
+-		wpa_printf(MSG_INFO, "EAP-PWD (server): unable to get "
+-			   "cofactor for curve");
+-		goto fin;
+-	}
+ 
+ 	/* element, x then y, followed by scalar */
+         ptr = payload;
+@@ -666,18 +659,9 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ 		goto fin;
+ 	}
+ 
+-	/* ensure that the shared key isn't in a small sub-group */
+-        if (!crypto_bignum_is_one(cofactor)) {
+-                if (crypto_ec_point_mul(data->grp->group, K, cofactor,
+-                                        K) != 0) {
+-			wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
+-				   "multiply shared key point by order!\n");
+-			goto fin;
+-		}
+-	}
+ 
+ 	/*
+-	 * This check is strictly speaking just for the case above where
++	 * This check is strictly speaking just for the case where
+ 	 * co-factor > 1 but it was suggested that even though this is probably
+ 	 * never going to happen it is a simple and safe check "just to be
+ 	 * sure" so let's be safe.
+@@ -697,7 +681,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ fin:
+         crypto_ec_point_deinit(K, 1);
+         crypto_ec_point_deinit(point, 1);
+-        crypto_bignum_deinit(cofactor, 1);
+ 
+ 	if (res)
+ 		eap_pwd_state(data, PWD_Confirm_Req);
+-- 
+2.23.0
+

CVE-2019-13377-2-pre1.patch

@@ -0,0 +1,43 @@
+From 92e1b96c26a84e503847bdd22ebadf697c4031ad Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Apr 2019 17:20:57 +0300
+Subject: EAP-pwd: Disallow ECC groups with a prime under 256 bits
+
+Based on the SAE implementation guidance update to not allow ECC groups
+with a prime that is under 256 bits, reject groups 25, 26, and 27 in
+EAP-pwd.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index a2dd386..ccd3627 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -84,11 +84,23 @@ static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label,
+ 	return 0;
+ }
+ 
++static int eap_pwd_suitable_group(u16 num)
++{
++	/* Do not allow ECC groups with prime under 256 bits based on guidance
++	* for the similar design in SAE. */
++	return num == 19 || num == 20 || num == 21 ||
++		num == 28 || num == 29 || num == 30;
++}
+ EAP_PWD_group * get_eap_pwd_group(u16 num)
+ {
+         EAP_PWD_group *grp;
+ 
+         grp = os_zalloc(sizeof(EAP_PWD_group));
++        if (!eap_pwd_suitable_group(num)) {
++                wpa_printf(MSG_INFO, "EAP-pwd: unsuitable group %u", num);
++                return NULL;
++       }
++
+         if (!grp)
+                 return NULL;
+         grp->group = crypto_ec_init(num);
+-- 
+2.23.0
+

CVE-2019-13377-2.patch

@@ -0,0 +1,70 @@
+From 20d7bd83c43fb24c4cf84d3045254d3ee1957166 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 19:07:05 +0300
+Subject: [PATCH 2/6] EAP-pwd: Use const_time_memcmp() for pwd_value >= prime
+ comparison
+
+This reduces timing and memory access pattern differences for an
+operation that could depend on the used password.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+(cherry picked from commit 7958223fdcfe82479e6ed71019a84f6d4cbf799c)
+---
+ src/eap_common/eap_pwd_common.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index cd7cd0f..a2aaafe 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -142,6 +142,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         u8 qnr_bin[MAX_ECC_PRIME_LEN];
+         u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+         u8 x_bin[MAX_ECC_PRIME_LEN];
++        u8 prime_bin[MAX_ECC_PRIME_LEN];
+         struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+ 	struct crypto_hash *hash;
+ 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+@@ -159,6 +160,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         os_memset(x_bin, 0, sizeof(x_bin));
+ 
+         prime = crypto_ec_get_prime(grp->group);
++        primebitlen = crypto_ec_prime_len_bits(grp->group);
++        primebytelen = crypto_ec_prime_len(grp->group);
++        if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++                                 primebytelen) < 0)
++                return -1;
+         grp->pwe = crypto_ec_point_init(grp->group);
+         tmp1 = crypto_bignum_init();
+         pm1 = crypto_bignum_init();
+@@ -168,8 +174,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ 		goto fail;
+ 	}
+ 
+-        primebitlen = crypto_ec_prime_len_bits(grp->group);
+-        primebytelen = crypto_ec_prime_len(grp->group);
+ 	if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+ 		wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
+ 			   "buffer");
+@@ -235,6 +239,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+                 if (primebitlen % 8)
+                         buf_shift_right(prfbuf, primebytelen,
+                                         8 - primebitlen % 8);
++                if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
++                        continue;
+ 
+                 crypto_bignum_deinit(x_candidate, 1);
+                 x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -244,9 +250,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+                         goto fail;
+                 }
+ 
+-                if (crypto_bignum_cmp(x_candidate, prime) >= 0)
+-			continue;
+-
+                 wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
+                                 prfbuf, primebytelen);
+                 const_time_select_bin(found, x_bin, prfbuf, primebytelen,
+-- 
+2.23.0
+

CVE-2019-13377-3.patch

@@ -0,0 +1,66 @@
+From ee34d8cfbd0fbf7ba7429531d4bee1c43b074d8b Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 19:23:05 +0300
+Subject: [PATCH 3/6] OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if
+ available
+
+This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL
+functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid
+differences in runtime and memory access patterns depending on the
+leading bytes of the BIGNUM value.
+
+OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases
+are still using the previous implementation where the BN_num_bytes()
+call may result in different memory access pattern.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+(cherry picked from commit 1e237903f5b5d3117342daf006c5878cdb45e3d3)
+---
+ src/crypto/crypto_openssl.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 748a7ad..00b61b9 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -1129,14 +1129,27 @@ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ int crypto_bignum_to_bin(const struct crypto_bignum *a,
+ 			 u8 *buf, size_t buflen, size_t padlen)
+ {
++#ifdef OPENSSL_IS_BORINGSSL
++#else /* OPENSSL_IS_BORINGSSL */
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++#else
+ 	int num_bytes, offset;
++#endif
++#endif /* OPENSSL_IS_BORINGSSL */
+ 
+ 	if (TEST_FAIL())
+ 		return -1;
+ 
+ 	if (padlen > buflen)
+ 		return -1;
+-
++#ifdef OPENSSL_IS_BORINGSSL
++       if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
++               return -1;
++       return padlen;
++#else /* OPENSSL_IS_BORINGSSL */
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++       return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
++#else
+ 	num_bytes = BN_num_bytes((const BIGNUM *) a);
+ 	if ((size_t) num_bytes > buflen)
+ 		return -1;
+@@ -1149,6 +1162,8 @@ int crypto_bignum_to_bin(const struct crypto_bignum *a,
+ 	BN_bn2bin((const BIGNUM *) a, buf + offset);
+ 
+ 	return num_bytes + offset;
++#endif
++#endif /* OPENSSL_IS_BORINGSSL */
+ }
+ 
+ 
+-- 
+2.23.0
+

CVE-2019-13377-4.patch

@@ -0,0 +1,59 @@
+From a25b48118d75f3c2d7cb1b2c3b4cffb13091a34c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 24 Jun 2019 23:01:06 +0300
+Subject: [PATCH 4/6] SAE: Run through prf result processing even if it >=
+ prime
+
+This reduces differences in timing and memory access within the
+hunting-and-pecking loop for ECC groups that have a prime that is not
+close to a power of two (e.g., Brainpool curves).
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503)
+---
+ src/common/sae.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 4741753..e155a71 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -274,6 +274,8 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ 	struct crypto_bignum *y_sqr, *x_cand;
+ 	int res;
+ 	size_t bits;
++	int cmp_prime;
++	unsigned int in_range;
+ 
+ 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
+ 
+@@ -287,8 +289,13 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
+ 			pwd_value, sae->tmp->prime_len);
+ 
+-	if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)	
+-		return 0;
++	cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
++	/* Create a const_time mask for selection based on prf result
++	 * being smaller than prime. */
++	in_range = const_time_fill_msb((unsigned int) cmp_prime);
++	/* The algorithm description would skip the next steps if
++	 * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
++	 * minimize externally observable differences in behavior. */
+ 
+ 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
+ 	if (!x_cand)
+@@ -300,7 +307,9 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
+ 
+ 	res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
+ 	crypto_bignum_deinit(y_sqr, 1);
+-	return res;
++	if (res < 0)
++		return res;
++	return const_time_select_int(in_range, res, 0);
+ }
+ 
+ 
+-- 
+2.23.0
+

CVE-2019-13377-5.patch

@@ -0,0 +1,58 @@
+From 00a6cc73da61b03c146b6c341d0d1e572bcef432 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 24 Jun 2019 23:02:51 +0300
+Subject: [PATCH 5/6] EAP-pwd: Run through prf result processing even if it >=
+ prime
+
+This reduces differences in timing and memory access within the
+hunting-and-pecking loop for ECC groups that have a prime that is not
+close to a power of two (e.g., Brainpool curves).
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit cd803299ca485eb857e37c88f973fccfbb8600e5)
+
+---
+ src/eap_common/eap_pwd_common.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index a2aaafe..8e7966e 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -153,6 +153,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         struct crypto_bignum *x_candidate = NULL; 
+         const struct crypto_bignum *prime;
+         u8 mask, found_ctr = 0, is_odd = 0;
++	int cmp_prime;
++	unsigned int in_range;
+ 
+         if (grp->pwe)
+                 return -1;
+@@ -239,8 +241,13 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+                 if (primebitlen % 8)
+                         buf_shift_right(prfbuf, primebytelen,
+                                         8 - primebitlen % 8);
+-                if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
+-                        continue;
++                cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen);
++                /* Create a const_time mask for selection based on prf result
++                 * being smaller than prime. */
++                in_range = const_time_fill_msb((unsigned int) cmp_prime);
++                /* The algorithm description would skip the next steps if
++                 * cmp_prime >= 0, but go through them regardless to minimize
++                 * externally observable differences in behavior. */
+ 
+                 crypto_bignum_deinit(x_candidate, 1);
+                 x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -308,7 +315,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+                         goto fail;
+                 mask = const_time_eq(res, check);
+                 found_ctr = const_time_select_u8(found, found_ctr, ctr);
+-                found |= mask;
++                found |= mask & in_range;
+ 	}
+         if (found == 0) {
+                 wpa_printf(MSG_INFO,
+-- 
+2.23.0
+

CVE-2019-13377-6-pre.patch

@@ -0,0 +1,59 @@
+From db54db11aec763b6fc74715c36e0f9de0d65e206 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 8 Apr 2019 18:01:07 +0300
+Subject: SAE: Reject unsuitable groups based on REVmd changes
+
+The rules defining which DH groups are suitable for SAE use were
+accepted into IEEE 802.11 REVmd based on this document:
+https://mentor.ieee.org/802.11/dcn/19/11-19-0387-02-000m-addressing-some-sae-comments.docx
+
+Enforce those rules in production builds of wpa_supplicant and hostapd.
+CONFIG_TESTING_OPTIONS=y builds can still be used to select any o the
+implemented groups to maintain testing coverage.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+
+---
+ src/common/sae.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index e155a71..91b6b41 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -17,11 +17,32 @@
+ #include "ieee802_11_defs.h"
+ #include "sae.h"
+ 
++static int sae_suitable_group(int group)
++{
++#ifdef CONFIG_TESTING_OPTIONS
++	/* Allow all groups for testing purposes in non-production builds. */
++	return 1;
++#else /* CONFIG_TESTING_OPTIONS */
++	/* Enforce REVmd rules on which SAE groups are suitable for production
++	 * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
++	 * defined over a prime field whose prime is >= 256 bits. Furthermore,
++	 * ECC groups defined over a characteristic 2 finite field and ECC
++	 * groups with a co-factor greater than 1 are not suitable. */
++	return group == 19 || group == 20 || group == 21 ||
++		group == 28 || group == 29 || group == 30 ||
++		group == 15 || group == 16 || group == 17 || group == 18;
++#endif /* CONFIG_TESTING_OPTIONS */
++}
+ 
+ int sae_set_group(struct sae_data *sae, int group)
+ {
+ 	struct sae_temporary_data *tmp;
+ 
++	if (!sae_suitable_group(group)) {
++		wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group);
++		return -1;
++	}
++
+ 	sae_clear_data(sae);
+ 	tmp = sae->tmp = os_zalloc(sizeof(*tmp));
+ 	if (tmp == NULL)
+-- 
+2.23.0
+

CVE-2019-13377-6.patch

@@ -0,0 +1,53 @@
+From 558518ed63202e5358116ab7e0afd5e85490f2ef Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 27 Jul 2019 23:19:17 +0300
+Subject: [PATCH 6/6] dragonfly: Disable use of groups using Brainpool curves
+
+Disable groups that use Brainpool curves for now since they leak more
+timing information due to the prime not being close to a power of two.
+This removes use of groups 28, 29, and 30 from SAE and EAP-pwd.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit 876c5eaa6dae1a87a17603fc489a44c29eedc2e3)
+
+---
+ src/common/sae.c                | 7 +++++--
+ src/eap_common/eap_pwd_common.c | 3 +--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 91b6b41..5ef6c4c 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -27,9 +27,12 @@ static int sae_suitable_group(int group)
+ 	 * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
+ 	 * defined over a prime field whose prime is >= 256 bits. Furthermore,
+ 	 * ECC groups defined over a characteristic 2 finite field and ECC
+-	 * groups with a co-factor greater than 1 are not suitable. */
++	 * groups with a co-factor greater than 1 are not suitable. Disable
++	 * groups that use Brainpool curves as well for now since they leak more
++	 * timing information due to the prime not being close to a power of
++	 * two. */
++
+ 	return group == 19 || group == 20 || group == 21 ||
+-		group == 28 || group == 29 || group == 30 ||
+ 		group == 15 || group == 16 || group == 17 || group == 18;
+ #endif /* CONFIG_TESTING_OPTIONS */
+ }
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 8e7966e..bac2796 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -88,8 +88,7 @@ static int eap_pwd_suitable_group(u16 num)
+ {
+ 	/* Do not allow ECC groups with prime under 256 bits based on guidance
+ 	* for the similar design in SAE. */
+-	return num == 19 || num == 20 || num == 21 ||
+-		num == 28 || num == 29 || num == 30;
++	return num == 19 || num == 20 || num == 21;
+ }
+ EAP_PWD_group * get_eap_pwd_group(u16 num)
+ {
+-- 
+2.23.0
+

CVE-2021-0326.patch

@@ -0,0 +1,38 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index 74b7b52..5cbfc21 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+ 	dev->info.config_methods = cli->config_methods;
+ 	os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+ 	dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++	if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++		dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+ 	os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ 		  dev->info.wps_sec_dev_type_list_len);
+ }
+-- 
+1.8.3.1
+

CVE-2021-27803.patch

@@ -0,0 +1,50 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ 			goto out;
+ 		}
+ 
++		dev = p2p_get_device(p2p, sa);
+ 		if (!dev) {
+-			dev = p2p_get_device(p2p, sa);
+-			if (!dev) {
+-				p2p_dbg(p2p,
+-					"Provision Discovery device not found "
+-					MACSTR, MAC2STR(sa));
+-				goto out;
+-			}
++			p2p_dbg(p2p,
++				"Provision Discovery device not found "
++				MACSTR, MAC2STR(sa));
++			goto out;
+ 		}
+ 	} else if (msg.wfd_subelems) {
+ 		wpabuf_free(dev->info.wfd_subelems);
+-- 
+cgit v0.12
+

CVE-2023-52160.patch

@@ -0,0 +1,219 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_config.h          |  8 ++++++++
+ src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c      |  6 ++++++
+ src/eap_peer/eap_tls_common.h      |  5 +++++
+ src/utils/includes.h               |  1 +
+ wpa_supplicant/wpa_supplicant.conf |  7 +++++++
+ 6 files changed, 64 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
+index d416afd..f803488 100644
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -419,6 +419,14 @@ struct eap_peer_config {
+ 	 * 1 = use cryptobinding if server supports it
+ 	 * 2 = require cryptobinding
+ 	 *
++	 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++	 * tunnel) behavior for PEAP:
++	 * 0 = do not require Phase 2 authentication
++	 * 1 = require Phase 2 authentication when client certificate
++	 *  (private_key/client_cert) is no used and TLS session resumption was
++	 *  not used (default)
++	 * 2 = require Phase 2 authentication in all cases
++	 *
+ 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ 	 * uuid=Device_UUID
+ 	 *
+diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
+index 34075b1..79a36b0 100644
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ 	u8 cmk[20];
+ 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ 		  * is enabled. */
++	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+ 
+ 
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
+ 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ 	}
+ 
++	if (os_strstr(phase1, "phase2_auth=0")) {
++		data->phase2_auth = NO_AUTH;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Do not require Phase 2 authentication");
++	} else if (os_strstr(phase1, "phase2_auth=1")) {
++		data->phase2_auth = FOR_INITIAL;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for initial connection");
++	} else if (os_strstr(phase1, "phase2_auth=2")) {
++		data->phase2_auth = ALWAYS;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for all cases");
++	}
+ #ifdef EAP_TNC
+ 	if (os_strstr(phase1, "tnc=soh2")) {
+ 		data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
+ 	data->force_peap_version = -1;
+ 	data->peap_outer_success = 2;
+ 	data->crypto_binding = OPTIONAL_BINDING;
++	data->phase2_auth = FOR_INITIAL;
+ 
+ 	if (config && config->phase1)
+ 		eap_peap_parse_phase1(data, config->phase1);
+@@ -451,6 +466,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
+ }
+ 
+ 
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++				   struct eap_peap_data *data)
++{
++	if ((data->phase2_auth == ALWAYS ||
++	     (data->phase2_auth == FOR_INITIAL &&
++	      !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++	      !data->ssl.client_cert_conf) ||
++	     data->phase2_eap_started) &&
++	    !data->phase2_eap_success)
++		return false;
++	return true;
++}
++
++
+ /**
+  * eap_tlv_process - Process a received EAP-TLV message and generate a response
+  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -565,6 +594,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
+ 					   " - force failed Phase 2");
+ 				resp_status = EAP_TLV_RESULT_FAILURE;
+ 				ret->decision = DECISION_FAIL;
++			} else if (!peap_phase2_sufficient(sm, data)) {
++				wpa_printf(MSG_INFO,
++					   "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++				resp_status = EAP_TLV_RESULT_FAILURE;
++				ret->decision = DECISION_FAIL;
+ 			} else {
+ 				resp_status = EAP_TLV_RESULT_SUCCESS;
+ 				ret->decision = DECISION_UNCOND_SUCC;
+@@ -864,8 +898,7 @@ continue_req:
+ 			/* EAP-Success within TLS tunnel is used to indicate
+ 			 * shutdown of the TLS channel. The authentication has
+ 			 * been completed. */
+-			if (data->phase2_eap_started &&
+-			    !data->phase2_eap_success) {
++			if (!peap_phase2_sufficient(sm, data)) {
+ 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ 					   "Success used to indicate success, "
+ 					   "but Phase 2 EAP was not yet "
+@@ -1156,8 +1189,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
+ static Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ 	struct eap_peap_data *data = priv;
++
+ 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+-		data->phase2_success;
++		data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+ 
+ 
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index 7dbd364..6c586ba 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -220,6 +220,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
+ 
+ 	sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+ 
++	if (!phase2)
++		data->client_cert_conf = params->client_cert ||
++			params->client_cert_blob ||
++			params->private_key ||
++			params->private_key_blob;
++
+ 	return 0;
+ }
+ 
+diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
+index 306e6a9..e2cf829 100644
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -73,6 +73,11 @@
+ 	 * eap_type - EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
+ 	 */
+ 	u8 eap_type;
++
++	/**
++	 * client_cert_conf: Whether client certificate has been configured
++	 */
++	bool client_cert_conf;
+ };
+ 
+ 
+diff --git a/src/utils/includes.h b/src/utils/includes.h
+index 75513fc..4166d0e 100644
+--- a/src/utils/includes.h
++++ b/src/utils/includes.h
+@@ -20,6 +20,7 @@
+ #include <stddef.h>
+ #include <stdio.h>
+ #include <stdarg.h>
++#include <stdbool.h>
+ #include <string.h>
+ #ifndef _WIN32_WCE
+ #include <signal.h>
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 1bd43b2..4e4e2e0 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1205,6 +1205,13 @@ fast_reauth=1
+ #	 * 0 = do not use cryptobinding (default)
+ #	 * 1 = use cryptobinding if server supports it
+ #	 * 2 = require cryptobinding
++#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++#	tunnel) behavior for PEAP:
++#	 * 0 = do not require Phase 2 authentication
++#	 * 1 = require Phase 2 authentication when client certificate
++#	   (private_key/client_cert) is no used and TLS session resumption was
++#	   not used (default)
++#	 * 2 = require Phase 2 authentication in all cases
+ #	EAP-WSC (WPS) uses following options: pin=<Device Password> or
+ #	pbc=1.
+ #

backport-0001-CVE-2022-23303-CVE-2022-23304.patch

@@ -0,0 +1,318 @@
+From 208e5687ff2e48622e28d8888ce5444a54353bbd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 27 Aug 2019 16:33:15 +0300
+Subject: [PATCH 1/4] crypto: Add more bignum/EC helper functions
+
+These are needed for implementing SAE hash-to-element.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/crypto/crypto.h         | 45 ++++++++++++++++++++++
+ src/crypto/crypto_openssl.c | 94 +++++++++++++++++++++++++++++++++++++++++++++
+ src/crypto/crypto_wolfssl.c | 66 +++++++++++++++++++++++++++++++
+ 3 files changed, 205 insertions(+)
+
+diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
+index bdc3ba6..0bc9df4 100644
+--- a/src/crypto/crypto.h
++++ b/src/crypto/crypto.h
+@@ -508,6 +508,13 @@ struct crypto_bignum * crypto_bignum_init(void);
+ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len);
+ 
+ /**
++ * crypto_bignum_init_set - Allocate memory for bignum and set the value (uint)
++ * @val: Value to set
++ * Returns: Pointer to allocated bignum or %NULL on failure
++ */
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val);
++
++/**
+  * crypto_bignum_deinit - Free bignum
+  * @n: Bignum from crypto_bignum_init() or crypto_bignum_init_set()
+  * @clear: Whether to clear the value from memory
+@@ -594,6 +601,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ 		      struct crypto_bignum *c);
+ 
+ /**
++ * crypto_bignum_addmod - d = a + b (mod c)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum
++ * @d: Bignum; used to store the result of (a + b) % c
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++			 const struct crypto_bignum *b,
++			 const struct crypto_bignum *c,
++			 struct crypto_bignum *d);
++
++/**
+  * crypto_bignum_mulmod - d = a * b (mod c)
+  * @a: Bignum
+  * @b: Bignum
+@@ -607,6 +627,28 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ 			 struct crypto_bignum *d);
+ 
+ /**
++ * crypto_bignum_sqrmod - c = a^2 (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result of a^2 % b
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++			 const struct crypto_bignum *b,
++			 struct crypto_bignum *c);
++
++/**
++ * crypto_bignum_sqrtmod - returns sqrt(a) (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++			  const struct crypto_bignum *b,
++			  struct crypto_bignum *c);
++
++/**
+  * crypto_bignum_cmp - Compare two bignums
+  * @a: Bignum
+  * @b: Bignum
+@@ -695,6 +737,9 @@ const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e);
+  */
+ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
+ 
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e);
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e);
++
+ /**
+  * struct crypto_ec_point - Elliptic curve point
+  *
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 00b61b9..80867b6 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -1117,6 +1117,24 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+ 
+ 
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++	BIGNUM *bn;
++
++	if (TEST_FAIL())
++		return NULL;
++
++	bn = BN_new();
++	if (!bn)
++		return NULL;
++	if (BN_set_word(bn, val) != 1) {
++		BN_free(bn);
++		return NULL;
++	}
++	return (struct crypto_bignum *) bn;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ 	if (clear)
+@@ -1278,6 +1296,28 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+ 
+ 
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++			 const struct crypto_bignum *b,
++			 const struct crypto_bignum *c,
++			 struct crypto_bignum *d)
++{
++	int res;
++	BN_CTX *bnctx;
++
++	if (TEST_FAIL())
++		return -1;
++
++	bnctx = BN_CTX_new();
++	if (!bnctx)
++		return -1;
++	res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
++			 (const BIGNUM *) c, bnctx);
++	BN_CTX_free(bnctx);
++
++	return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ 			 const struct crypto_bignum *b,
+ 			 const struct crypto_bignum *c,
+@@ -1301,6 +1341,48 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+ 
+ 
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++                        const struct crypto_bignum *b,
++                        struct crypto_bignum *c)
++{
++       int res;
++       BN_CTX *bnctx;
++
++       if (TEST_FAIL())
++               return -1;
++
++       bnctx = BN_CTX_new();
++       if (!bnctx)
++               return -1;
++       res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++                        bnctx);
++       BN_CTX_free(bnctx);
++
++       return res ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++                         const struct crypto_bignum *b,
++                         struct crypto_bignum *c)
++{
++       BN_CTX *bnctx;
++       BIGNUM *res;
++
++       if (TEST_FAIL())
++               return -1;
++
++       bnctx = BN_CTX_new();
++       if (!bnctx)
++               return -1;
++       res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++                         bnctx);
++       BN_CTX_free(bnctx);
++
++       return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_cmp(const struct crypto_bignum *a,
+ 		      const struct crypto_bignum *b)
+ {
+@@ -1494,6 +1576,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+ 
+ 
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++	return (const struct crypto_bignum *) e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++	return (const struct crypto_bignum *) e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ 	if (clear)
+diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
+index 90163c4..683c553 100644
+--- a/src/crypto/crypto_wolfssl.c
++++ b/src/crypto/crypto_wolfssl.c
+@@ -1043,6 +1043,26 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+ 
+ 
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++	mp_int *a;
++
++	if (TEST_FAIL())
++		return NULL;
++
++	a = (mp_int *) crypto_bignum_init();
++	if (!a)
++		return NULL;
++
++	if (mp_set_int(a, val) != MP_OKAY) {
++		os_free(a);
++		a = NULL;
++	}
++
++	return (struct crypto_bignum *) a;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ 	if (!n)
+@@ -1167,6 +1187,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+ 
+ 
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++			 const struct crypto_bignum *b,
++			 const struct crypto_bignum *c,
++			 struct crypto_bignum *d)
++{
++	if (TEST_FAIL())
++		return -1;
++
++	return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c,
++			 (mp_int *) d) == MP_OKAY ?  0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ 			 const struct crypto_bignum *b,
+ 			 const struct crypto_bignum *m,
+@@ -1180,6 +1213,27 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+ 
+ 
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++			 const struct crypto_bignum *b,
++			 struct crypto_bignum *c)
++{
++	if (TEST_FAIL())
++		return -1;
++
++	return mp_sqrmod((mp_int *) a, (mp_int *) b,
++			 (mp_int *) c) == MP_OKAY ?  0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++			  const struct crypto_bignum *b,
++			  struct crypto_bignum *c)
++{
++	/* TODO */
++	return -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+ 			 struct crypto_bignum *r)
+ {
+@@ -1401,6 +1455,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+ 
+ 
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++	return (const struct crypto_bignum *) &e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++	return (const struct crypto_bignum *) &e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ 	ecc_point *point = (ecc_point *) p;
+-- 
+1.8.3.1
+

backport-0002-CVE-2022-23303-CVE-2022-23304.patch

@@ -0,0 +1,72 @@
+From 2232d3d5f188b65dbb6c823ac62175412739eb16 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 2/4] dragonfly: Add sqrt() helper function
+
+This is a backport of "SAE: Move sqrt() implementation into a helper
+function" to introduce the helper function needed for the following
+patches.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/dragonfly.c | 34 ++++++++++++++++++++++++++++++++++
+ src/common/dragonfly.h |  3 +++
+ 2 files changed, 37 insertions(+)
+
+diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
+index 1e80404..7dcc6de 100644
+--- a/src/common/dragonfly.c
++++ b/src/common/dragonfly.c
+@@ -25,3 +25,37 @@ int dragonfly_suitable_group(int group, int ecc_only)
+ 		(!ecc_only &&
+ 		 (group == 15 || group == 16 || group == 17 || group == 18));
+ }
++
++
++/* res = sqrt(val) */
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++		   struct crypto_bignum *res)
++{
++	const struct crypto_bignum *prime;
++	struct crypto_bignum *tmp, *one;
++	int ret = 0;
++	u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
++	size_t prime_len;
++
++	/* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */
++
++	prime = crypto_ec_get_prime(ec);
++	prime_len = crypto_ec_prime_len(ec);
++	tmp = crypto_bignum_init();
++	one = crypto_bignum_init_uint(1);
++
++	if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++				 prime_len) < 0 ||
++	    (prime_bin[prime_len - 1] & 0x03) != 3 ||
++	    !tmp || !one ||
++	    /* tmp = (p+1)/4 */
++	    crypto_bignum_add(prime, one, tmp) < 0 ||
++	    crypto_bignum_rshift(tmp, 2, tmp) < 0 ||
++	    /* res = sqrt(val) */
++	    crypto_bignum_exptmod(val, tmp, prime, res) < 0)
++		ret = -1;
++
++	crypto_bignum_deinit(tmp, 0);
++	crypto_bignum_deinit(one, 0);
++	return ret;
++}
+diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h
+index 9f3c428..f0f49d0 100644
+--- a/src/common/dragonfly.h
++++ b/src/common/dragonfly.h
+@@ -12,4 +12,7 @@
+ 
+ int dragonfly_suitable_group(int group, int ecc_only);
+ 
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++                   struct crypto_bignum *res);
++
+ #endif /* DRAGONFLY_H */
+-- 
+1.8.3.1
+

backport-0003-CVE-2022-23303-CVE-2022-23304.patch

@@ -0,0 +1,100 @@
+From fe534b0baaa8c0e6ddeb24cf529d6e50e33dc501 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 3/4] SAE: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/sae.c | 47 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index b35821d..c168bf1 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -459,15 +459,17 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ 	int pwd_seed_odd = 0;
+ 	u8 prime[SAE_MAX_ECC_PRIME_LEN];
+ 	size_t prime_len;
+-       struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
++        struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL;
+        u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+        u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+        u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
+        u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
++       u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN];
+ 	size_t bits;
+        int res = -1;
+        u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+                       * mask */
++       unsigned int is_eq;
+ 
+        os_memset(x_bin, 0, sizeof(x_bin));
+ 
+@@ -567,25 +569,42 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ 		goto fail;
+ 	}
+ 
+-	if (!sae->tmp->pwe_ecc)
+-		sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
+-	if (!sae->tmp->pwe_ecc)
+-		res = -1;
+-	else
+-		res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
+-						    sae->tmp->pwe_ecc, x,
+-						    pwd_seed_odd);
+-	if (res < 0) {
+-		/*
+-		 * This should not happen since we already checked that there
+-		 * is a result.
+-		 */
++	/* y = sqrt(x^3 + ax + b) mod p
++	 * if LSB(save) == LSB(y): PWE = (x, y)
++	 * else: PWE = (x, p - y)
++	 *
++	 * Calculate y and the two possible values for PWE and after that,
++	 * use constant time selection to copy the correct alternative.
++	 */
++	y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x);
++	if (!y ||
++	    dragonfly_sqrt(sae->tmp->ec, y, y) < 0 ||
++	    crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN,
++				 prime_len) < 0 ||
++	    crypto_bignum_sub(sae->tmp->prime, y, y) < 0 ||
++	    crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN,
++				 SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) {
+ 		wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++		goto fail;
++	}
++
++	is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01);
++	const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN,
++			      prime_len, x_y + prime_len);
++	os_memcpy(x_y, x_bin, prime_len);
++	wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len);
++	crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1);
++	sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y);
++	if (!sae->tmp->pwe_ecc) {
++		wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
++		res = -1;
+ 	}
+ 
+ fail:
++	forced_memzero(x_y, sizeof(x_y));
+ 	crypto_bignum_deinit(qr, 0);
+ 	crypto_bignum_deinit(qnr, 0);
++	crypto_bignum_deinit(y, 1);
+ 	os_free(dummy_password);
+ 	bin_clear_free(tmp_password, password_len);
+ 	crypto_bignum_deinit(x, 1);
+-- 
+1.8.3.1
+

backport-0004-CVE-2022-23303-CVE-2022-23304.patch

@@ -0,0 +1,109 @@
+From 603cd880e7f90595482658a7136fa6a7be5cb485 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 18:52:27 +0200
+Subject: [PATCH 4/4] EAP-pwd: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 42 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 755aafb..ab8eb92 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -137,7 +137,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+         u8 x_bin[MAX_ECC_PRIME_LEN];
+         u8 prime_bin[MAX_ECC_PRIME_LEN];
+-        struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
++        u8 x_y[2 * MAX_ECC_PRIME_LEN];
++        struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL, *y = NULL;
+ 	struct crypto_hash *hash;
+ 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+         int ret = 0, check, res;
+@@ -149,6 +150,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         u8 mask, found_ctr = 0, is_odd = 0;
+ 	int cmp_prime;
+ 	unsigned int in_range;
++	unsigned int is_eq;
+ 
+         if (grp->pwe)
+                 return -1;
+@@ -161,7 +163,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
+                                  primebytelen) < 0)
+                 return -1;
+-        grp->pwe = crypto_ec_point_init(grp->group);
+         tmp1 = crypto_bignum_init();
+         pm1 = crypto_bignum_init();
+         one = crypto_bignum_init_set((const u8 *) "\x01", 1);
+@@ -323,10 +324,37 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+          */
+         crypto_bignum_deinit(x_candidate, 1);
+         x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
+-        if (!x_candidate ||
+-            crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
+-                                          is_odd) != 0) {
+-                wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++       if (!x_candidate)
++               goto fail;
++
++       /* y = sqrt(x^3 + ax + b) mod p
++        * if LSB(y) == LSB(pwd-seed): PWE = (x, y)
++        * else: PWE = (x, p - y)
++        *
++        * Calculate y and the two possible values for PWE and after that,
++        * use constant time selection to copy the correct alternative.
++        */
++       y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
++       if (!y ||
++           dragonfly_sqrt(grp->group, y, y) < 0 ||
++           crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 ||
++           crypto_bignum_sub(prime, y, y) < 0 ||
++           crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN,
++                                MAX_ECC_PRIME_LEN, primebytelen) < 0) {
++               wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++               goto fail;
++       }
++
++       /* Constant time selection of the y coordinate from the two
++        * options */
++       is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01);
++       const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN,
++                             primebytelen, x_y + primebytelen);
++       os_memcpy(x_y, x_bin, primebytelen);
++       wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen);
++       grp->pwe = crypto_ec_point_from_bin(grp->group, x_y);
++       if (!grp->pwe) {
++                wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE");
+                 goto fail;
+         }
+ 
+@@ -353,6 +381,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         crypto_bignum_deinit(pm1, 0);
+         crypto_bignum_deinit(tmp1, 1);
+         crypto_bignum_deinit(tmp2, 1);
++        crypto_bignum_deinit(y, 1);
+         crypto_bignum_deinit(qr, 1);
+         crypto_bignum_deinit(qnr, 1);
+         crypto_bignum_deinit(qr_or_qnr, 1);
+@@ -362,6 +391,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         os_memset(qnr_bin, 0, sizeof(qnr_bin));
+         os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
+         os_memset(pwe_digest, 0, sizeof(pwe_digest));
++        forced_memzero(x_y, sizeof(x_y));
+ 
+ 	return ret;
+ }
+-- 
+1.8.3.1
+

backport-Share-common-SAE-and-EAP-pwd-functionality-suitable-.patch

@@ -0,0 +1,219 @@
+From 2b84ca4dd96459b661b0ebaf40ec43074fc9f42c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 19:45:27 +0300
+Subject: Share common SAE and EAP-pwd functionality: suitable groups
+
+Start sharing common SAE and EAP-pwd functionality by adding a new
+source code file that can be included into both. This first step is
+bringing in a shared function to check whether a group is suitable.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/dragonfly.c          | 27 +++++++++++++++++++++++++++
+ src/common/dragonfly.h          | 15 +++++++++++++++
+ src/common/sae.c                | 27 ++++++---------------------
+ src/eap_common/eap_pwd_common.c |  9 ++-------
+ wpa_supplicant/Android.mk       |  6 ++++++
+ wpa_supplicant/Makefile         |  6 ++++++
+ 6 files changed, 62 insertions(+), 28 deletions(-)
+ create mode 100644 src/common/dragonfly.c
+ create mode 100644 src/common/dragonfly.h
+
+diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
+new file mode 100644
+index 0000000..1e80404
+--- /dev/null
++++ b/src/common/dragonfly.c
+@@ -0,0 +1,27 @@
++/*
++ * Shared Dragonfly functionality
++ * Copyright (c) 2012-2016, Jouni Malinen <j@w1.fi>
++ * Copyright (c) 2019, The Linux Foundation
++ *
++ * This software may be distributed under the terms of the BSD license.
++ * See README for more details.
++ */
++
++#include "utils/includes.h"
++
++#include "utils/common.h"
++#include "dragonfly.h"
++
++
++int dragonfly_suitable_group(int group, int ecc_only)
++{
++	/* Enforce REVmd rules on which SAE groups are suitable for production
++	 * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
++	 * defined over a prime field whose prime is >= 256 bits. Furthermore,
++	 * ECC groups defined over a characteristic 2 finite field and ECC
++	 * groups with a co-factor greater than 1 are not suitable. */
++	return group == 19 || group == 20 || group == 21 ||
++		group == 28 || group == 29 || group == 30 ||
++		(!ecc_only &&
++		 (group == 15 || group == 16 || group == 17 || group == 18));
++}
+diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h
+new file mode 100644
+index 0000000..9f3c428
+--- /dev/null
++++ b/src/common/dragonfly.h
+@@ -0,0 +1,15 @@
++/*
++ * Shared Dragonfly functionality
++ * Copyright (c) 2012-2016, Jouni Malinen <j@w1.fi>
++ * Copyright (c) 2019, The Linux Foundation
++ *
++ * This software may be distributed under the terms of the BSD license.
++ * See README for more details.
++ */
++
++#ifndef DRAGONFLY_H
++#define DRAGONFLY_H
++
++int dragonfly_suitable_group(int group, int ecc_only);
++
++#endif /* DRAGONFLY_H */
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 5ef6c4c..b35821d 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -15,36 +15,21 @@
+ #include "crypto/random.h"
+ #include "crypto/dh_groups.h"
+ #include "ieee802_11_defs.h"
++#include "dragonfly.h"
+ #include "sae.h"
+ 
+-static int sae_suitable_group(int group)
+-{
+-#ifdef CONFIG_TESTING_OPTIONS
+-	/* Allow all groups for testing purposes in non-production builds. */
+-	return 1;
+-#else /* CONFIG_TESTING_OPTIONS */
+-	/* Enforce REVmd rules on which SAE groups are suitable for production
+-	 * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
+-	 * defined over a prime field whose prime is >= 256 bits. Furthermore,
+-	 * ECC groups defined over a characteristic 2 finite field and ECC
+-	 * groups with a co-factor greater than 1 are not suitable. Disable
+-	 * groups that use Brainpool curves as well for now since they leak more
+-	 * timing information due to the prime not being close to a power of
+-	 * two. */
+-
+-	return group == 19 || group == 20 || group == 21 ||
+-		group == 15 || group == 16 || group == 17 || group == 18;
+-#endif /* CONFIG_TESTING_OPTIONS */
+-}
+-
+ int sae_set_group(struct sae_data *sae, int group)
+ {
+ 	struct sae_temporary_data *tmp;
+ 
+-	if (!sae_suitable_group(group)) {
++#ifdef CONFIG_TESTING_OPTIONS
++       /* Allow all groups for testing purposes in non-production builds. */
++#else /* CONFIG_TESTING_OPTIONS */
++       if (!dragonfly_suitable_group(group, 0)) {
+ 		wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group);
+ 		return -1;
+ 	}
++#endif /* CONFIG_TESTING_OPTIONS */
+ 
+ 	sae_clear_data(sae);
+ 	tmp = sae->tmp = os_zalloc(sizeof(*tmp));
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index bac2796..755aafb 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -9,6 +9,7 @@
+ #include "includes.h"
+ #include "common.h"
+ #include "utils/const_time.h"
++#include "common/dragonfly.h"
+ #include "crypto/sha256.h"
+ #include "crypto/crypto.h"
+ #include "eap_defs.h"
+@@ -84,18 +85,12 @@ static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label,
+ 	return 0;
+ }
+ 
+-static int eap_pwd_suitable_group(u16 num)
+-{
+-	/* Do not allow ECC groups with prime under 256 bits based on guidance
+-	* for the similar design in SAE. */
+-	return num == 19 || num == 20 || num == 21;
+-}
+ EAP_PWD_group * get_eap_pwd_group(u16 num)
+ {
+         EAP_PWD_group *grp;
+ 
+         grp = os_zalloc(sizeof(EAP_PWD_group));
+-        if (!eap_pwd_suitable_group(num)) {
++        if (!dragonfly_suitable_group(num, 1)) {
+                 wpa_printf(MSG_INFO, "EAP-pwd: unsuitable group %u", num);
+                 return NULL;
+        }
+diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
+index 924ac07..aa5ac8c 100644
+--- a/wpa_supplicant/Android.mk
++++ b/wpa_supplicant/Android.mk
+@@ -236,6 +236,7 @@ L_CFLAGS += -DCONFIG_SAE
+ OBJS += src/common/sae.c
+ NEED_ECC=y
+ NEED_DH_GROUPS=y
++NEED_DRAGONFLY=y
+ endif
+ 
+ ifdef CONFIG_WNM
+@@ -641,6 +642,7 @@ OBJS += src/eap_peer/eap_pwd.c src/eap_common/eap_pwd_common.c
+ CONFIG_IEEE8021X_EAPOL=y
+ NEED_SHA256=y
+ NEED_ECC=y
++NEED_DRAGONFLY=y
+ endif
+ 
+ ifdef CONFIG_EAP_EKE
+@@ -918,6 +920,10 @@ ifdef CONFIG_SMARTCARD
+ L_CFLAGS += -DCONFIG_SMARTCARD
+ endif
+ 
++ifdef NEED_DRAGONFLY
++OBJS += src/common/dragonfly.c
++endif
++
+ ifdef MS_FUNCS
+ OBJS += src/crypto/ms_funcs.c
+ NEED_DES=y
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index d70189b..8fce344 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -270,6 +270,7 @@ CFLAGS += -DCONFIG_SAE
+ OBJS += ../src/common/sae.o
+ NEED_ECC=y
+ NEED_DH_GROUPS=y
++NEED_DRAGONFLY=y
+ endif
+ 
+ ifdef CONFIG_WNM
+@@ -673,6 +674,7 @@ OBJS += ../src/eap_peer/eap_pwd.o ../src/eap_common/eap_pwd_common.o
+ CONFIG_IEEE8021X_EAPOL=y
+ NEED_SHA256=y
+ NEED_ECC=y
++NEED_DRAGONFLY=y
+ endif
+ 
+ ifdef CONFIG_EAP_EKE
+@@ -967,6 +969,10 @@ ifdef CONFIG_SMARTCARD
+ CFLAGS += -DCONFIG_SMARTCARD
+ endif
+ 
++ifdef NEED_DRAGONFLY
++OBJS += ../src/common/dragonfly.o
++endif
++
+ ifdef MS_FUNCS
+ OBJS += ../src/crypto/ms_funcs.o
+ NEED_DES=y
+-- 
+1.8.3.1
+

wpa_supplicant.spec

@@ -1,9 +1,9 @@
 Name:          wpa_supplicant
 Epoch:         1
 Version:       2.6
-Release:       26
+Release:       31
 Summary:       A WPA Supplicant with support for WPA and WPA2 (IEEE 802.11i / RSN)
-License:       BSD
+License:       BSD or GPLv2
 Url:           https://w1.fi/wpa_supplicant/
 Source0:       http://w1.fi/releases/%{name}-%{version}.tar.gz
 Source1:       build-config
@@ -13,83 +13,100 @@ Source5:       %{name}.logrotate
 
 #patches number ranging between [0,6000) are from fedora/redhat upstream
 #patches number ranging between [6000,9000) are backport from higher versions, including some CVE fixes
-Patch6000:     macsec-0001-mka-Move-structs-transmit-receive-_-sa-sc-to-a-commo.patch
-Patch6001:     macsec-0002-mka-Pass-full-structures-down-to-macsec-drivers-pack.patch
-Patch6002:     macsec-0003-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
-Patch6003:     macsec-0004-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
-Patch6004:     macsec-0005-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
-Patch6005:     macsec-0006-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
-Patch6006:     macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch
-Patch6007:     macsec-0008-mka-Remove-channel-hacks-from-the-stack-and-the-macs.patch
-Patch6008:     macsec-0009-mka-Sync-structs-definitions-with-IEEE-Std-802.1X-20.patch
-Patch6009:     macsec-0010-mka-Add-support-for-removing-SAs.patch
-Patch6010:     macsec-0011-mka-Implement-reference-counting-on-data_key.patch
-Patch6011:     macsec-0012-mka-Fix-getting-capabilities-from-the-driver.patch
-Patch6012:     macsec-0013-wpa_supplicant-Allow-pre-shared-CAK-CKN-pair-for-MKA.patch
-Patch6013:     macsec-0014-mka-Disable-peer-detection-timeout-for-PSK-mode.patch
-Patch6014:     macsec-0015-wpa_supplicant-Add-macsec_integ_only-setting-for-MKA.patch
-Patch6015:     macsec-0016-mka-Add-enable_encrypt-op-and-call-it-from-CP-state-.patch
-Patch6016:     macsec-0017-wpa_supplicant-Allow-configuring-the-MACsec-port-for.patch
-Patch6017:     macsec-0018-drivers-Move-common-definitions-for-wired-drivers-ou.patch
-Patch6018:     macsec-0019-drivers-Move-wired_multicast_membership-to-a-common-.patch
-Patch6019:     macsec-0020-drivers-Move-driver_wired_multi-to-a-common-file.patch
-Patch6020:     macsec-0021-drivers-Move-driver_wired_get_ifflags-to-a-common-fi.patch
-Patch6021:     macsec-0022-drivers-Move-driver_wired_set_ifflags-to-a-common-fi.patch
-Patch6022:     macsec-0023-drivers-Move-driver_wired_get_ifstatus-to-a-common-f.patch
-Patch6023:     macsec-0024-drivers-Move-driver_wired_init_common-to-a-common-fi.patch
-Patch6024:     macsec-0025-drivers-Move-driver_wired_deinit_common-to-a-common-.patch
-Patch6025:     macsec-0026-drivers-Move-driver_wired_get_capa-to-a-common-file.patch
-Patch6026:     macsec-0027-drivers-Move-driver_wired_get_bssid-to-a-common-file.patch
-Patch6027:     macsec-0028-drivers-Move-driver_wired_get_ssid-to-a-common-file.patch
-Patch6028:     macsec-0029-macsec_linux-Add-a-driver-for-macsec-on-Linux-kernel.patch
-Patch6029:     macsec-0030-mka-Remove-references-to-macsec_qca-from-wpa_supplic.patch
-Patch6030:     macsec-0031-PAE-Make-KaY-specific-details-available-via-control-.patch
-Patch6031:     macsec-0032-mka-Make-MKA-actor-priority-configurable.patch
-Patch6032:     macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
-Patch6033:     macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
-Patch6034:     macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
-Patch6035:     macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
-Patch6036:     macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
-Patch6037:     macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
-Patch6038:     macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
-Patch6039:     https://w1.fi/security/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
-Patch6040:     https://w1.fi/security/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
-Patch6041:     https://w1.fi/security/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
-Patch6042:     https://w1.fi/security/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
-Patch6043:     https://w1.fi/security/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
-Patch6044:     https://w1.fi/security/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
-Patch6045:     https://w1.fi/security/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
-Patch6046:     https://w1.fi/security/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
-Patch6047:     rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch
-Patch6048:     rh1462262-use-system-openssl-ciphers.patch
-Patch6049:     rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
-Patch6050:     rh1497640-mka-add-error-handling-for-secy_init_macsec.patch
-Patch6051:     rh1497640-pae-validate-input-before-pointer.patch
-Patch6052:     rh1567474-0002-D-Bus-Add-pmf-to-global-capabilities.patch
-Patch6053:     rh1570903-nl80211-Fix-NL80211_ATTR_SMPS_MODE-encoding.patch
-Patch6054:     CVE-2019-9496-SAE-Fix-confirm-message-validation-in-error-cases.patch
-Patch6055:     CVE-2019-9494-1.patch
-Patch6056:     CVE-2019-9494-2.patch
-Patch6057:     CVE-2019-9494-3.patch
-Patch6058:     CVE-2019-9494-4.patch
-Patch6059:     CVE-2019-9494-5.patch
-Patch6060:     CVE-2019-9494-6.patch
-Patch6061:     CVE-2019-9494-7.patch
-Patch6062:     CVE-2019-9494-8.patch
-Patch6063:     CVE-2019-16275.patch
-Patch6064:     CVE-2019-9497.patch
-Patch6065:     CVE-2019-9498-and-CVE-2019-9499.patch
-Patch6066:     CVE-2019-11555-1.patch
-Patch6067:     CVE-2019-11555-2.patch
-Patch6068:     https://w1.fi/security/2018-1/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
-Patch6069:     CVE-2019-9499.patch
-Patch6070:     CVE-2019-9495-pre1.patch
-Patch6071:     CVE-2019-9495-pre2.patch
-Patch6072:     CVE-2019-9495-pre3.patch
-Patch6073:     CVE-2019-9495.patch
-
-Patch9000:     add-options-of-wpa_supplicant-service.patch
-Patch9001:     allow-to-override-names-of-qt4-tools.patch
+Patch0:        macsec-0001-mka-Move-structs-transmit-receive-_-sa-sc-to-a-commo.patch
+Patch1:        macsec-0002-mka-Pass-full-structures-down-to-macsec-drivers-pack.patch
+Patch2:        macsec-0003-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
+Patch3:        macsec-0004-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
+Patch4:        macsec-0005-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
+Patch5:        macsec-0006-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
+Patch6:        macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch
+Patch7:        macsec-0008-mka-Remove-channel-hacks-from-the-stack-and-the-macs.patch
+Patch8:        macsec-0009-mka-Sync-structs-definitions-with-IEEE-Std-802.1X-20.patch
+Patch9:        macsec-0010-mka-Add-support-for-removing-SAs.patch
+Patch10:       macsec-0011-mka-Implement-reference-counting-on-data_key.patch
+Patch11:       macsec-0012-mka-Fix-getting-capabilities-from-the-driver.patch
+Patch12:       macsec-0013-wpa_supplicant-Allow-pre-shared-CAK-CKN-pair-for-MKA.patch
+Patch13:       macsec-0014-mka-Disable-peer-detection-timeout-for-PSK-mode.patch
+Patch14:       macsec-0015-wpa_supplicant-Add-macsec_integ_only-setting-for-MKA.patch
+Patch15:       macsec-0016-mka-Add-enable_encrypt-op-and-call-it-from-CP-state-.patch
+Patch16:       macsec-0017-wpa_supplicant-Allow-configuring-the-MACsec-port-for.patch
+Patch17:       macsec-0018-drivers-Move-common-definitions-for-wired-drivers-ou.patch
+Patch18:       macsec-0019-drivers-Move-wired_multicast_membership-to-a-common-.patch
+Patch19:       macsec-0020-drivers-Move-driver_wired_multi-to-a-common-file.patch
+Patch20:       macsec-0021-drivers-Move-driver_wired_get_ifflags-to-a-common-fi.patch
+Patch21:       macsec-0022-drivers-Move-driver_wired_set_ifflags-to-a-common-fi.patch
+Patch22:       macsec-0023-drivers-Move-driver_wired_get_ifstatus-to-a-common-f.patch
+Patch23:       macsec-0024-drivers-Move-driver_wired_init_common-to-a-common-fi.patch
+Patch24:       macsec-0025-drivers-Move-driver_wired_deinit_common-to-a-common-.patch
+Patch25:       macsec-0026-drivers-Move-driver_wired_get_capa-to-a-common-file.patch
+Patch26:       macsec-0027-drivers-Move-driver_wired_get_bssid-to-a-common-file.patch
+Patch27:       macsec-0028-drivers-Move-driver_wired_get_ssid-to-a-common-file.patch
+Patch28:       macsec-0029-macsec_linux-Add-a-driver-for-macsec-on-Linux-kernel.patch
+Patch29:       macsec-0030-mka-Remove-references-to-macsec_qca-from-wpa_supplic.patch
+Patch30:       macsec-0031-PAE-Make-KaY-specific-details-available-via-control-.patch
+Patch31:       macsec-0032-mka-Make-MKA-actor-priority-configurable.patch
+Patch32:       macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
+Patch33:       macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
+Patch34:       macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
+Patch35:       macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
+Patch36:       macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
+Patch37:       macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
+Patch38:       macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
+Patch39:       rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
+Patch40:       rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
+Patch41:       rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
+Patch42:       rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
+Patch43:       rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
+Patch44:       rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
+Patch45:       rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
+Patch46:       rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+Patch47:       rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch
+Patch48:       rh1462262-use-system-openssl-ciphers.patch
+Patch49:       rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
+Patch50:       rh1497640-mka-add-error-handling-for-secy_init_macsec.patch
+Patch51:       rh1497640-pae-validate-input-before-pointer.patch
+Patch52:       rh1567474-0002-D-Bus-Add-pmf-to-global-capabilities.patch
+Patch53:       rh1570903-nl80211-Fix-NL80211_ATTR_SMPS_MODE-encoding.patch
+Patch54:       CVE-2019-9496-SAE-Fix-confirm-message-validation-in-error-cases.patch
+Patch55:       CVE-2019-9494-1.patch
+Patch56:       CVE-2019-9494-2.patch
+Patch57:       CVE-2019-9494-3.patch
+Patch58:       CVE-2019-9494-4.patch
+Patch59:       CVE-2019-9494-5.patch
+Patch60:       CVE-2019-9494-6.patch
+Patch61:       CVE-2019-9494-7.patch
+Patch62:       CVE-2019-9494-8.patch
+Patch63:       CVE-2019-16275.patch
+Patch64:       CVE-2019-9497.patch
+Patch65:       CVE-2019-9498-and-CVE-2019-9499.patch
+Patch66:       CVE-2019-11555-1.patch
+Patch67:       CVE-2019-11555-2.patch
+Patch68:       rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+Patch69:       CVE-2019-9499.patch
+Patch70:       CVE-2019-9495-pre1.patch
+Patch71:       CVE-2019-9495-pre2.patch
+Patch72:       CVE-2019-9495-pre3.patch
+Patch73:       CVE-2019-9495.patch
+Patch74:       CVE-2019-13377-1.patch
+Patch75:       CVE-2019-13377-2-pre1.patch
+Patch76:       CVE-2019-13377-2-pre.patch
+Patch77:       CVE-2019-13377-2.patch
+Patch78:       CVE-2019-13377-3.patch
+Patch79:       CVE-2019-13377-4.patch
+Patch80:       CVE-2019-13377-5.patch
+Patch81:       CVE-2019-13377-6-pre.patch
+Patch82:       CVE-2019-13377-6.patch
+Patch83:       add-options-of-wpa_supplicant-service.patch
+Patch84:       allow-to-override-names-of-qt4-tools.patch
+Patch85:       CVE-2021-27803.patch
+Patch86:       CVE-2021-0326.patch
+Patch87:       backport-Add-support-for-wolfSSL-cryptographic-library.patch
+Patch88:       backport-Share-common-SAE-and-EAP-pwd-functionality-suitable-.patch
+Patch89:       backport-0001-CVE-2022-23303-CVE-2022-23304.patch
+Patch90:       backport-0002-CVE-2022-23303-CVE-2022-23304.patch
+Patch91:       backport-0003-CVE-2022-23303-CVE-2022-23304.patch
+Patch92:       backport-0004-CVE-2022-23303-CVE-2022-23304.patch
+Patch93:       CVE-2023-52160.patch
 
 BuildRequires: qt-devel >= 4.0 openssl-devel readline-devel dbus-devel libnl3-devel systemd-units docbook-utils
 Requires(post): systemd-sysv
@@ -183,6 +200,33 @@ install -m644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
 %{_mandir}/man5/*
 
 %changelog
+* Thu Apr 25 2024 dillon chen <dillon.chen@gmail.com> - 1:2.6-31
+- Type:cves
+- ID:CVE-2023-52160
+- SUG:NA
+- DESC:fix CVE-2023-52160
+
+* Wed Jan 26 2022 shixuantong <shixuantong@huawei.com> - 1:2.6-30
+- Type:cves
+- ID:CVE-2022-23303 CVE-2022-23304
+- SUG:NA
+- DESC:fix CVE-2022-23303 CVE-2022-23304
+
+* Thu Sep 23 2021 gaoyusong <gaoyusong1@huawei.com> - 1:2.6-29
+- Type:cves
+- ID: CVE-2021-0326
+- SUG:NA
+- DESC: fix CVE-2021-0326
+
+* Thu Mar 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:2.6-28
+- fix CVE-2021-27803
+
+* Thu Dec 24 2020 wuchaochao <wuchaochao4@huawei.com> - 1:2.6-27
+- Type:cves
+- ID: CVE-2019-13377
+- SUG:NA
+- DESC: fix CVE-2019-13377
+
 * Tue Feb 04 2020 zhouyihang <zhouyihang1@huawei.com> - 1:2.6-26
 - Type:cves
 - ID: CVE-2019-9495