From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 8 Mar 2019 00:24:12 +0200 Subject: [PATCH] OpenSSL: Use constant time selection for crypto_bignum_legendre() Get rid of the branches that depend on the result of the Legendre operation. This is needed to avoid leaking information about different temporary results in blinding mechanisms. This is related to CVE-2019-9494 and CVE-2019-9495. Signed-off-by: Jouni Malinen --- src/crypto/crypto_openssl.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c index ac53cc81a..0f52101ea 100644 --- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c @@ -24,6 +24,7 @@ #endif /* CONFIG_ECC */ #include "common.h" +#include "utils/const_time.h" #include "wpabuf.h" #include "dh_group5.h" #include "sha1.h" @@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a, BN_CTX *bnctx; BIGNUM *exp = NULL, *tmp = NULL; int res = -2; + unsigned int mask; if (TEST_FAIL()) return -2; @@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a, (const BIGNUM *) p, bnctx, NULL)) goto fail; - if (BN_is_word(tmp, 1)) - res = 1; - else if (BN_is_zero(tmp)) - res = 0; - else - res = -1; + /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use + * constant time selection to avoid branches here. */ + res = -1; + mask = const_time_eq(BN_is_word(tmp, 1), 1); + res = const_time_select_int(mask, 1, res); + mask = const_time_eq(BN_is_zero(tmp), 1); + res = const_time_select_int(mask, 0, res); fail: BN_clear_free(tmp); -- 2.21.0