OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available

This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL
functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid
differences in runtime and memory access patterns depending on the
leading bytes of the BIGNUM value.

OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases
are still using the previous implementation where the BN_num_bytes()
call may result in different memory access pattern.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index 1b0c1ec96b36cadda4158dda6ad447419a7e9466..23ae5462dadf52281423476685d53810e185b1cc 100644 (file)
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -1295,7 +1295,13 @@ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
 int crypto_bignum_to_bin(const struct crypto_bignum *a,
                         u8 *buf, size_t buflen, size_t padlen)
 {
+#ifdef OPENSSL_IS_BORINGSSL
+#else /* OPENSSL_IS_BORINGSSL */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#else
        int num_bytes, offset;
+#endif
+#endif /* OPENSSL_IS_BORINGSSL */
 
        if (TEST_FAIL())
                return -1;
@@ -1303,6 +1309,14 @@ int crypto_bignum_to_bin(const struct crypto_bignum *a,
        if (padlen > buflen)
                return -1;
 
+#ifdef OPENSSL_IS_BORINGSSL
+       if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
+               return -1;
+       return padlen;
+#else /* OPENSSL_IS_BORINGSSL */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+       return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
+#else
        num_bytes = BN_num_bytes((const BIGNUM *) a);
        if ((size_t) num_bytes > buflen)
                return -1;
@@ -1315,6 +1329,8 @@ int crypto_bignum_to_bin(const struct crypto_bignum *a,
        BN_bn2bin((const BIGNUM *) a, buf + offset);
 
        return num_bytes + offset;
+#endif
+#endif /* OPENSSL_IS_BORINGSSL */
 }