Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-01-31 09:14:03 -05:00
Code Issues Projects Releases Wiki Activity

OpenSSL: Use constant time selection for crypto_bignum_legendre()

Browse Source 
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.

This is related to CVE-2019-9494 and CVE-2019-9495.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-03-08 00:24:12 +02:00 committed by Jouni Malinen
parent 6e34f618d3
commit c93461c1d9
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/crypto/crypto_openssl.c
View File

@ -24,6 +24,7 @@
#endif /* CONFIG_ECC */
#include "common.h"
#include "utils/const_time.h"
#include "wpabuf.h"
#include "dh_group5.h"
#include "sha1.h"
@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
BN_CTX *bnctx;
BIGNUM *exp = NULL, *tmp = NULL;
int res = -2;
unsigned int mask;
if (TEST_FAIL())
return -2;
@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
(const BIGNUM *) p, bnctx, NULL))
goto fail;
if (BN_is_word(tmp, 1))
res = 1;
else if (BN_is_zero(tmp))
res = 0;
else
res = -1;
/* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
* constant time selection to avoid branches here. */
res = -1;
mask = const_time_eq(BN_is_word(tmp, 1), 1);
res = const_time_select_int(mask, 1, res);
mask = const_time_eq(BN_is_zero(tmp), 1);
res = const_time_select_int(mask, 0, res);
fail:
BN_clear_free(tmp);