[src/trunk]: src/external/bsd/wpa/dist/src/crypto This helps in reducing meas...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/ce881a4d0c1f
branches:  trunk
changeset: 455704:ce881a4d0c1f
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Apr 10 17:55:31 2019 +0000

description:
This helps in reducing measurable timing differences in operations
involving private information. BoringSSL has removed BN_FLG_CONSTTIME
and expects specific constant time functions to be called instead, so a
bit different approach is needed depending on which library is used.

The main operation that needs protection against side channel attacks is
BN_mod_exp() that depends on private keys (the public key validation
step in crypto_dh_derive_secret() is an exception that can use the
faster version since it does not depend on private keys).

crypto_bignum_div() is currently used only in SAE FFC case with not
safe-prime groups and only with values that do not depend on private
keys, so it is not critical to protect it.

crypto_bignum_inverse() is currently used only in SAE FFC PWE
derivation. The additional protection here is targeting only OpenSSL.
BoringSSL may need conversion to using BN_mod_inverse_blinded().

This is related to CVE-2019-9494 and CVE-2019-9495.

diffstat:

 external/bsd/wpa/dist/src/crypto/crypto_openssl.c |  20 +++++++++++++++-----
 1 files changed, 15 insertions(+), 5 deletions(-)

diffs (58 lines):

diff -r 248654ce5169 -r ce881a4d0c1f external/bsd/wpa/dist/src/crypto/crypto_openssl.c
--- a/external/bsd/wpa/dist/src/crypto/crypto_openssl.c Wed Apr 10 17:52:46 2019 +0000
+++ b/external/bsd/wpa/dist/src/crypto/crypto_openssl.c Wed Apr 10 17:55:31 2019 +0000
@@ -549,7 +549,8 @@
            bn_result == NULL)
                goto error;
 
-       if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
+       if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
+                                     ctx, NULL) != 1)
                goto error;
 
        *result_len = BN_bn2bin(bn_result, result);
@@ -1295,8 +1296,9 @@
        bnctx = BN_CTX_new();
        if (bnctx == NULL)
                return -1;
-       res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
-                        (const BIGNUM *) c, bnctx);
+       res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
+                                       (const BIGNUM *) b, (const BIGNUM *) c,
+                                       bnctx, NULL);
        BN_CTX_free(bnctx);
 
        return res ? 0 : -1;
@@ -1315,6 +1317,11 @@
        bnctx = BN_CTX_new();
        if (bnctx == NULL)
                return -1;
+#ifdef OPENSSL_IS_BORINGSSL
+       /* TODO: use BN_mod_inverse_blinded() ? */
+#else /* OPENSSL_IS_BORINGSSL */
+       BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
+#endif /* OPENSSL_IS_BORINGSSL */
        res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
                             (const BIGNUM *) b, bnctx);
        BN_CTX_free(bnctx);
@@ -1348,6 +1355,9 @@
        bnctx = BN_CTX_new();
        if (bnctx == NULL)
                return -1;
+#ifndef OPENSSL_IS_BORINGSSL
+       BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
+#endif /* OPENSSL_IS_BORINGSSL */
        res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
                     (const BIGNUM *) b, bnctx);
        BN_CTX_free(bnctx);
@@ -1439,8 +1449,8 @@
            /* exp = (p-1) / 2 */
            !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
            !BN_rshift1(exp, exp) ||
-           !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
-                       bnctx))
+           !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
+                                      (const BIGNUM *) p, bnctx, NULL))
                goto fail;
 
        if (BN_is_word(tmp, 1))