From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Fri, 8 Mar 2019 00:24:12 +0200
Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
crypto_bignum_legendre()
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/crypto/crypto_openssl.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index ac53cc8..0f52101 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -24,6 +24,7 @@
#endif /* CONFIG_ECC */
#include "common.h"
+#include "utils/const_time.h"
#include "wpabuf.h"
#include "dh_group5.h"
#include "sha1.h"
@@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
BN_CTX *bnctx;
BIGNUM *exp = NULL, *tmp = NULL;
int res = -2;
+ unsigned int mask;
if (TEST_FAIL())
return -2;
@@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
(const BIGNUM *) p, bnctx, NULL))
goto fail;
- if (BN_is_word(tmp, 1))
- res = 1;
- else if (BN_is_zero(tmp))
- res = 0;
- else
- res = -1;
+ /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
+ * constant time selection to avoid branches here. */
+ res = -1;
+ mask = const_time_eq(BN_is_word(tmp, 1), 1);
+ res = const_time_select_int(mask, 1, res);
+ mask = const_time_eq(BN_is_zero(tmp), 1);
+ res = const_time_select_int(mask, 0, res);
fail:
BN_clear_free(tmp);
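Review bot: The two predicates feeding the masks, `BN_is_word(tmp, 1)` and `BN_is_zero(tmp)`, are still evaluated directly on `tmp`, which the commit message treats as sensitive. OpenSSL does not document either call as constant time, so the data-dependent branch removed here may only have moved into the library. The new comment should say that the guarantee covers the selection only, for example `/* Selection is branch-free; BN_is_word()/BN_is_zero() are not guaranteed constant time by OpenSSL. */`. A caller that branches on the returned -1/0/1 would likewise reintroduce the dependency, so the function's header comment is a good place to state that expectation. The start of crypto_bignum_legendre() and its callers are outside this hunk, so this is a point to confirm rather than a defect shown here.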
--
2.7.4