[src/trunk]: src/external/bsd/wpa/dist/src/crypto Get rid of the branches tha...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/e4d4cc8f67f1
branches:  trunk
changeset: 450336:e4d4cc8f67f1
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Apr 10 17:56:43 2019 +0000

description:
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.

This is related to CVE-2019-9494 and CVE-2019-9495.

diffstat:

 external/bsd/wpa/dist/src/crypto/crypto_openssl.c |  15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

diffs (39 lines):

diff -r 91cbefdf0bf8 -r e4d4cc8f67f1 external/bsd/wpa/dist/src/crypto/crypto_openssl.c
--- a/external/bsd/wpa/dist/src/crypto/crypto_openssl.c Wed Apr 10 17:56:13 2019 +0000
+++ b/external/bsd/wpa/dist/src/crypto/crypto_openssl.c Wed Apr 10 17:56:43 2019 +0000
@@ -24,6 +24,7 @@
 #endif /* CONFIG_ECC */
 
 #include "common.h"
+#include "utils/const_time.h"
 #include "wpabuf.h"
 #include "dh_group5.h"
 #include "sha1.h"
@@ -1435,6 +1436,7 @@
        BN_CTX *bnctx;
        BIGNUM *exp = NULL, *tmp = NULL;
        int res = -2;
+       unsigned int mask;
 
        if (TEST_FAIL())
                return -2;
@@ -1453,12 +1455,13 @@
                                       (const BIGNUM *) p, bnctx, NULL))
                goto fail;
 
-       if (BN_is_word(tmp, 1))
-               res = 1;
-       else if (BN_is_zero(tmp))
-               res = 0;
-       else
-               res = -1;
+       /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
+        * constant time selection to avoid branches here. */
+       res = -1;
+       mask = const_time_eq(BN_is_word(tmp, 1), 1);
+       res = const_time_select_int(mask, 1, res);
+       mask = const_time_eq(BN_is_zero(tmp), 1);
+       res = const_time_select_int(mask, 0, res);
 
 fail:
        BN_clear_free(tmp);