authorbeck <>2016-06-06 10:01:18 +0000
committerbeck <>2016-06-06 10:01:18 +0000
commit16de52d94e9739526cc0bd41c0b48d5dce18dcaa (patch)
tree5f3cbe5e732863027d5b39245d421b4aa502a0ec
parent0bae3b9428e85e2bcb702f45c99165eb92dae926 (diff)
Correct a problem that prevents the DSA signing algorithm from running
in constant time even if the flag BN_FLG_CONSTTIME is set. This issue was reported by Cesar Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by Cesar Pereida
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_ossl.c10
1 files changed, 6 insertions, 4 deletions
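diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
index 7c0a7802b0..d35e7d5491 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.23 2015/09/10 07:58:28 bcook Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.23.2.1 2016/06/06 10:01:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -247,9 +247,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 if (!BN_rand_range(&k, dsa->q))
 goto err;
 } while (BN_is_zero(&k));
-if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-BN_set_flags(&k, BN_FLG_CONSTTIME);
-}
 
 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
 if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
@@ -283,6 +280,11 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 } else {
 K = &k;
 }
+
+if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+BN_set_flags(&k, BN_FLG_CONSTTIME);
+}
+
 DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
 dsa->method_mont_p);
 if (!BN_mod(r,r,dsa->q,ctx))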
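Review bot: The relocated block sets BN_FLG_CONSTTIME on `&k`, but the exponent handed to `DSA_BN_MOD_EXP` two lines later is `K`, and `K = &k` only in the `else` branch visible here; the `if` branch above the hunk presumably points `K` at a different BIGNUM, and that object never receives the flag, so an exponentiation that chooses its constant-time path by inspecting the exponent's flag would still run variable-time in exactly the case the flag is meant to cover. Flagging the value actually exponentiated closes that gap without disturbing the later uses of k: keep `BN_set_flags(&k, BN_FLG_CONSTTIME);` and add `BN_set_flags(K, BN_FLG_CONSTTIME);` inside the same `if`. Since the block was deliberately moved below the K selection, a why-comment would stop the next refactor from hoisting it back: `/* Flag k and the exponent actually used (K) before g^K; an earlier flag on k alone does not reach K. */`. The K-selection branch and the start of dsa_sign_setup lie outside the hunk, so whether K is already flagged there cannot be confirmed from this view.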