rpms/hostapd
7
0
Fork 0
Code Issues Pull Requests Releases Activity
82095b53ff
hostapd/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
John W. Linville aeb7fa69dd Update to version 2.6 from upstream 
Remove obsolete patches for NL80211_ATTR_SMPS_MODE encoding and KRACK
Fix CVE-2019-9494 (cache attack against SAE)
Fix CVE-2019-9495 (cache attack against EAP-pwd)
Fix CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
Fix CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
Fix CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element)
Fix CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element)
2019-04-12 13:18:49 -04:00

61 lines
1.7 KiB
Diff
Raw Blame History

From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Fri, 8 Mar 2019 00:24:12 +0200
Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
crypto_bignum_legendre()
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/crypto/crypto_openssl.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index ac53cc8..0f52101 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -24,6 +24,7 @@
#endif /* CONFIG_ECC */
#include "common.h"
+#include "utils/const_time.h"
#include "wpabuf.h"
#include "dh_group5.h"
#include "sha1.h"
@@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
BN_CTX *bnctx;
BIGNUM *exp = NULL, *tmp = NULL;
int res = -2;
+ unsigned int mask;
if (TEST_FAIL())
return -2;
@@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
(const BIGNUM *) p, bnctx, NULL))
goto fail;
- if (BN_is_word(tmp, 1))
- res = 1;
- else if (BN_is_zero(tmp))
- res = 0;
- else
- res = -1;
+ /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
+ * constant time selection to avoid branches here. */
+ res = -1;
+ mask = const_time_eq(BN_is_word(tmp, 1), 1);
+ res = const_time_select_int(mask, 1, res);
+ mask = const_time_eq(BN_is_zero(tmp), 1);
+ res = const_time_select_int(mask, 0, res);
fail:
BN_clear_free(tmp);
--
2.7.4
Reference in New Issue View Git Blame Copy Permalink