From: Jouni Malinen Date: Thu, 7 Mar 2019 22:24:12 +0000 (+0200) Subject: OpenSSL: Use constant time selection for crypto_bignum_legendre() X-Git-Tag: hostap_2_8~118 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c93461c1d98f52681717a088776ab32fd97872b0;p=thirdparty%2Fhostap.git OpenSSL: Use constant time selection for crypto_bignum_legendre() Get rid of the branches that depend on the result of the Legendre operation. This is needed to avoid leaking information about different temporary results in blinding mechanisms. This is related to CVE-2019-9494 and CVE-2019-9495. Signed-off-by: Jouni Malinen --- diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c index ac53cc81a..0f52101ea 100644 --- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c @@ -24,6 +24,7 @@ #endif /* CONFIG_ECC */ #include "common.h" +#include "utils/const_time.h" #include "wpabuf.h" #include "dh_group5.h" #include "sha1.h" @@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a, BN_CTX *bnctx; BIGNUM *exp = NULL, *tmp = NULL; int res = -2; + unsigned int mask; if (TEST_FAIL()) return -2; @@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a, (const BIGNUM *) p, bnctx, NULL)) goto fail; - if (BN_is_word(tmp, 1)) - res = 1; - else if (BN_is_zero(tmp)) - res = 0; - else - res = -1; + /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use + * constant time selection to avoid branches here. */ + res = -1; + mask = const_time_eq(BN_is_word(tmp, 1), 1); + res = const_time_select_int(mask, 1, res); + mask = const_time_eq(BN_is_zero(tmp), 1); + res = const_time_select_int(mask, 0, res); fail: BN_clear_free(tmp);