0d89b46cb3f0851dd1503edc111866bee22a0cf4
[openwrt/staging/mans0n.git] /
1 From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <jouni@codeaurora.org>
3 Date: Fri, 8 Mar 2019 00:24:12 +0200
4 Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
5 crypto_bignum_legendre()
6
7 Get rid of the branches that depend on the result of the Legendre
8 operation. This is needed to avoid leaking information about different
9 temporary results in blinding mechanisms.
10
11 This is related to CVE-2019-9494 and CVE-2019-9495.
12
13 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
14 ---
15 src/crypto/crypto_openssl.c | 15 +++++++++------
16 1 file changed, 9 insertions(+), 6 deletions(-)
17
18 --- a/src/crypto/crypto_openssl.c
19 +++ b/src/crypto/crypto_openssl.c
20 @@ -24,6 +24,7 @@
21 #endif /* CONFIG_ECC */
22
23 #include "common.h"
24 +#include "utils/const_time.h"
25 #include "wpabuf.h"
26 #include "dh_group5.h"
27 #include "sha1.h"
28 @@ -1435,6 +1436,7 @@ int crypto_bignum_legendre(const struct
29 BN_CTX *bnctx;
30 BIGNUM *exp = NULL, *tmp = NULL;
31 int res = -2;
32 + unsigned int mask;
33
34 if (TEST_FAIL())
35 return -2;
36 @@ -1453,12 +1455,13 @@ int crypto_bignum_legendre(const struct
37 (const BIGNUM *) p, bnctx, NULL))
38 goto fail;
39
40 - if (BN_is_word(tmp, 1))
41 - res = 1;
42 - else if (BN_is_zero(tmp))
43 - res = 0;
44 - else
45 - res = -1;
46 + /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
47 + * constant time selection to avoid branches here. */
48 + res = -1;
49 + mask = const_time_eq(BN_is_word(tmp, 1), 1);
50 + res = const_time_select_int(mask, 1, res);
51 + mask = const_time_eq(BN_is_zero(tmp), 1);
52 + res = const_time_select_int(mask, 0, res);
53
54 fail:
55 BN_clear_free(tmp);