7a73b09ff9d97cf829d12d24442948d1fea8c60e
[openwrt/openwrt.git] /
1 From d42c477cc794163a3757956bbffca5cea000923c Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <jouni@codeaurora.org>
3 Date: Tue, 26 Feb 2019 11:43:03 +0200
4 Subject: [PATCH 01/14] OpenSSL: Use constant time operations for private
5 bignums
6
7 This helps in reducing measurable timing differences in operations
8 involving private information. BoringSSL has removed BN_FLG_CONSTTIME
9 and expects specific constant time functions to be called instead, so a
10 bit different approach is needed depending on which library is used.
11
12 The main operation that needs protection against side channel attacks is
13 BN_mod_exp() that depends on private keys (the public key validation
14 step in crypto_dh_derive_secret() is an exception that can use the
15 faster version since it does not depend on private keys).
16
17 crypto_bignum_div() is currently used only in SAE FFC case with not
18 safe-prime groups and only with values that do not depend on private
19 keys, so it is not critical to protect it.
20
21 crypto_bignum_inverse() is currently used only in SAE FFC PWE
22 derivation. The additional protection here is targeting only OpenSSL.
23 BoringSSL may need conversion to using BN_mod_inverse_blinded().
24
25 This is related to CVE-2019-9494 and CVE-2019-9495.
26
27 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
28 ---
29 src/crypto/crypto_openssl.c | 20 +++++++++++++++-----
30 1 file changed, 15 insertions(+), 5 deletions(-)
31
32 --- a/src/crypto/crypto_openssl.c
33 +++ b/src/crypto/crypto_openssl.c
34 @@ -549,7 +549,8 @@ int crypto_mod_exp(const u8 *base, size_
35 bn_result == NULL)
36 goto error;
37
38 - if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
39 + if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
40 + ctx, NULL) != 1)
41 goto error;
42
43 *result_len = BN_bn2bin(bn_result, result);
44 @@ -1295,8 +1296,9 @@ int crypto_bignum_exptmod(const struct c
45 bnctx = BN_CTX_new();
46 if (bnctx == NULL)
47 return -1;
48 - res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
49 - (const BIGNUM *) c, bnctx);
50 + res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
51 + (const BIGNUM *) b, (const BIGNUM *) c,
52 + bnctx, NULL);
53 BN_CTX_free(bnctx);
54
55 return res ? 0 : -1;
56 @@ -1315,6 +1317,11 @@ int crypto_bignum_inverse(const struct c
57 bnctx = BN_CTX_new();
58 if (bnctx == NULL)
59 return -1;
60 +#ifdef OPENSSL_IS_BORINGSSL
61 + /* TODO: use BN_mod_inverse_blinded() ? */
62 +#else /* OPENSSL_IS_BORINGSSL */
63 + BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
64 +#endif /* OPENSSL_IS_BORINGSSL */
65 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
66 (const BIGNUM *) b, bnctx);
67 BN_CTX_free(bnctx);
68 @@ -1348,6 +1355,9 @@ int crypto_bignum_div(const struct crypt
69 bnctx = BN_CTX_new();
70 if (bnctx == NULL)
71 return -1;
72 +#ifndef OPENSSL_IS_BORINGSSL
73 + BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
74 +#endif /* OPENSSL_IS_BORINGSSL */
75 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
76 (const BIGNUM *) b, bnctx);
77 BN_CTX_free(bnctx);
78 @@ -1439,8 +1449,8 @@ int crypto_bignum_legendre(const struct
79 /* exp = (p-1) / 2 */
80 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
81 !BN_rshift1(exp, exp) ||
82 - !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
83 - bnctx))
84 + !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
85 + (const BIGNUM *) p, bnctx, NULL))
86 goto fail;
87
88 if (BN_is_word(tmp, 1))