From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 8 Mar 2019 00:24:12 +0200 Subject: [PATCH 03/14] OpenSSL: Use constant time selection for crypto_bignum_legendre() Get rid of the branches that depend on the result of the Legendre operation. This is needed to avoid leaking information about different temporary results in blinding mechanisms. This is related to CVE-2019-9494 and CVE-2019-9495. Signed-off-by: Jouni Malinen Signed-off-by: Adrian Bunk Upstream-Status: Backport CVE: CVE-2019-9494 CVE: CVE-2019-9495 --- src/crypto/crypto_openssl.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c index ac53cc8..0f52101 100644 --- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c @@ -24,6 +24,7 @@ #endif /* CONFIG_ECC */ #include "common.h" +#include "utils/const_time.h" #include "wpabuf.h" #include "dh_group5.h" #include "sha1.h" @@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a, BN_CTX *bnctx; BIGNUM *exp = NULL, *tmp = NULL; int res = -2; + unsigned int mask; if (TEST_FAIL()) return -2; @@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a, (const BIGNUM *) p, bnctx, NULL)) goto fail; - if (BN_is_word(tmp, 1)) - res = 1; - else if (BN_is_zero(tmp)) - res = 0; - else - res = -1; + /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use + * constant time selection to avoid branches here. */ + res = -1; + mask = const_time_eq(BN_is_word(tmp, 1), 1); + res = const_time_select_int(mask, 1, res); + mask = const_time_eq(BN_is_zero(tmp), 1); + res = const_time_select_int(mask, 0, res); fail: BN_clear_free(tmp); -- 2.7.4