From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Fri, 8 Mar 2019 00:24:12 +0200
Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
 crypto_bignum_legendre()
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
 src/crypto/crypto_openssl.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
John W. Linville aeb7fa6
index ac53cc8..0f52101 100644
John W. Linville aeb7fa6
--- a/src/crypto/crypto_openssl.c
John W. Linville aeb7fa6
+++ b/src/crypto/crypto_openssl.c
John W. Linville aeb7fa6
@@ -24,6 +24,7 @@
John W. Linville aeb7fa6
 #endif /* CONFIG_ECC */
John W. Linville aeb7fa6
 
John W. Linville aeb7fa6
 #include "common.h"
John W. Linville aeb7fa6
+#include "utils/const_time.h"
John W. Linville aeb7fa6
 #include "wpabuf.h"
John W. Linville aeb7fa6
 #include "dh_group5.h"
John W. Linville aeb7fa6
 #include "sha1.h"
John W. Linville aeb7fa6
@@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
John W. Linville aeb7fa6
 	BN_CTX *bnctx;
John W. Linville aeb7fa6
 	BIGNUM *exp = NULL, *tmp = NULL;
John W. Linville aeb7fa6
 	int res = -2;
John W. Linville aeb7fa6
+	unsigned int mask;
John W. Linville aeb7fa6
 
John W. Linville aeb7fa6
 	if (TEST_FAIL())
John W. Linville aeb7fa6
 		return -2;
John W. Linville aeb7fa6
@@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
John W. Linville aeb7fa6
 				       (const BIGNUM *) p, bnctx, NULL))
John W. Linville aeb7fa6
 		goto fail;
John W. Linville aeb7fa6
 
John W. Linville aeb7fa6
-	if (BN_is_word(tmp, 1))
John W. Linville aeb7fa6
-		res = 1;
John W. Linville aeb7fa6
-	else if (BN_is_zero(tmp))
John W. Linville aeb7fa6
-		res = 0;
John W. Linville aeb7fa6
-	else
John W. Linville aeb7fa6
-		res = -1;
John W. Linville aeb7fa6
+	/* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
John W. Linville aeb7fa6
+	 * constant time selection to avoid branches here. */
John W. Linville aeb7fa6
+	res = -1;
John W. Linville aeb7fa6
+	mask = const_time_eq(BN_is_word(tmp, 1), 1);
John W. Linville aeb7fa6
+	res = const_time_select_int(mask, 1, res);
John W. Linville aeb7fa6
+	mask = const_time_eq(BN_is_zero(tmp), 1);
John W. Linville aeb7fa6
+	res = const_time_select_int(mask, 0, res);
John W. Linville aeb7fa6
 
John W. Linville aeb7fa6
 fail:
John W. Linville aeb7fa6
 	BN_clear_free(tmp);
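Review bot: The two `const_time_select_int()` calls remove the branch on the result, but the values fed into `const_time_eq()` still come from `BN_is_word(tmp, 1)` and `BN_is_zero(tmp)`. As far as I know, OpenSSL does not document either as constant time, and both inspect the BIGNUM's internal word count, so some data-dependent timing may remain inside them. I would make that limit explicit in the new comment, e.g. `/* Only the selection is branch-free; BN_is_word()/BN_is_zero() are not guaranteed constant time by OpenSSL. */`. The error paths via `goto fail` still return -2 through an ordinary branch, which looks fine because they do not depend on `tmp`. Callers also have to consume the 1/0/-1 result without branching, and they lie outside this hunk, as do the start and end of `crypto_bignum_legendre()`.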
-- 
2.7.4