OpenSSL: Use constant time selection for crypto_bignum_legendre()
authorJouni Malinen <jouni@codeaurora.org>
Thu, 7 Mar 2019 22:24:12 +0000 (00:24 +0200)
committerJouni Malinen <j@w1.fi>
Tue, 9 Apr 2019 14:11:15 +0000 (17:11 +0300)
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.

This is related to CVE-2019-9494 and CVE-2019-9495.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/crypto/crypto_openssl.c

index ac53cc81a71043ddababd6952daca307db42854b..0f52101ea727c7c262635b35d68dba3f3e5eb67e 100644 (file)
@@ -24,6 +24,7 @@
 #endif /* CONFIG_ECC */
 
 #include "common.h"
+#include "utils/const_time.h"
 #include "wpabuf.h"
 #include "dh_group5.h"
 #include "sha1.h"
@@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
        BN_CTX *bnctx;
        BIGNUM *exp = NULL, *tmp = NULL;
        int res = -2;
+       unsigned int mask;
 
        if (TEST_FAIL())
                return -2;
@@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
                                       (const BIGNUM *) p, bnctx, NULL))
                goto fail;
 
-       if (BN_is_word(tmp, 1))
-               res = 1;
-       else if (BN_is_zero(tmp))
-               res = 0;
-       else
-               res = -1;
+       /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
+        * constant time selection to avoid branches here. */
+       res = -1;
+       mask = const_time_eq(BN_is_word(tmp, 1), 1);
+       res = const_time_select_int(mask, 1, res);
+       mask = const_time_eq(BN_is_zero(tmp), 1);
+       res = const_time_select_int(mask, 0, res);
 
 fail:
        BN_clear_free(tmp);
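Review bot: The constant-time property introduced at `mask = const_time_eq(BN_is_word(tmp, 1), 1);` and the matching `BN_is_zero(tmp)` line covers only the mapping of the two predicate results onto `res`. `BN_is_word()` and `BN_is_zero()` are ordinary OpenSSL predicates that are not documented as constant time, so their evaluation may still vary with the value of `tmp`. The new comment should state that limit, for example `/* Only the selection of res is constant time; BN_is_word()/BN_is_zero() are not guaranteed to be, and callers must not branch on the returned value either. */`. The last part matters because any caller that tests the result with `if` would reintroduce the branch removed here; the callers are not visible in this diff, so that needs checking against them. The function starts before this hunk and its cleanup after `fail:` continues past it.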