| field | value | timestamp |
|---|---|---|
| author | tb <> | 2018-04-28 14:22:21 +0000 |
| committer | tb <> | 2018-04-28 14:22:21 +0000 |
| commit | c4453cc5caf0e9a62ff5dbd2c00349f8dc13c878 (patch) | |
| tree | 2b9bf7013db68f28acde937c2f3ea0071b53af1a /src/lib/libssl/ssl_algs.c | |
| parent | 14f45f5c33b8fb98a6fccb34d3a680c55fbf306b (diff) | |
| download | openbsd-c4453cc5caf0e9a62ff5dbd2c00349f8dc13c878.tar.gz, openbsd-c4453cc5caf0e9a62ff5dbd2c00349f8dc13c878.tar.bz2, openbsd-c4453cc5caf0e9a62ff5dbd2c00349f8dc13c878.zip | |
Fix a small timing side channel in dsa_sign_setup(). Simple adaptation
of OpenSSL commit c0caa945f6ef30363e0d01d75155f20248403df4 to our
version of this function.
ok beck, jsing
Original commit message:
commit c0caa945f6ef30363e0d01d75155f20248403df4
Author: Pauli <paul.dale@oracle.com>
Date:   Wed Nov 1 06:58:13 2017 +1000
    Address a timing side channel whereby it is possible to determine some
    information about the length of the scalar used in DSA operations from
    a large number (2^32) of signatures.
    This doesn't rate as a CVE because:
    * For the non-constant time code, there are easier ways to extract
      more information.
    * For the constant time code, it requires a significant number of signatures
      to leak a small amount of information.
    Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
    reporting this issue.
    Reviewed-by: Andy Polyakov <appro@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/4576)
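The diff itself is not shown on this page (the diffstat is filtered to ssl_algs.c, which this commit does not touch), so the following is an added illustration of the side channel the message describes, not the libssl change. dsa_sign_setup() pads the per-signature nonce k with the group order q so that the exponent handed to the modular exponentiation always has bits(q)+1 bits; the length of k is then hidden from a leaky modexp. The pattern addressed by the referenced OpenSSL commit, as understood here, is that the second addition of q was conditional on the bit length of k+q, so whether that branch ran depended on k. The fixed pattern computes both candidate sums unconditionally and then selects one. The toy group below (p = 23, q = 11, g = 4, where 4 has order 11 mod 23) is constructed for the example; Python cannot show the timing difference, only the data dependence of the branch and the two properties the padding must keep (same g^k, fixed bit length).

```python
"""Fixed-length padding of a DSA nonce: the branching pattern versus the
unconditional pattern. Added example; not libssl or OpenSSL code."""
import random


def pad_scalar_branching(k, q):
    """Pad k with q so the exponent has bits(q)+1 bits, with the second
    addition guarded by a data-dependent branch. Returns (padded, taken)."""
    kq = k + q
    taken = False
    if kq.bit_length() <= q.bit_length():   # branch outcome depends on k
        kq += q
        taken = True
    return kq, taken


def pad_scalar_constant(k, q):
    """Same result, but both sums are always computed and the choice is a
    branch-free select on the top bit of k+q (bit position bits(q))."""
    qbits = q.bit_length()
    l = k + q                    # always computed
    m = l + q                    # always computed
    sel = (l >> qbits) & 1       # 1 iff l already has qbits+1 bits
    return l + (1 - sel) * q     # l if sel else m, without a branch


def branch_threshold(q):
    """Nonces k below this value take the conditional branch, because
    k + q < 2**bits(q); the branch therefore partitions k by size."""
    return (1 << q.bit_length()) - q


def check_group(p, q, g):
    """For every nonce in a toy group where g has order q: both paddings
    agree, the padded exponent always has exactly bits(q)+1 bits (so its
    length reveals nothing about k), and g**padded == g**k mod p."""
    target = q.bit_length() + 1
    for k in range(1, q):
        kq_b, taken = pad_scalar_branching(k, q)
        kq_c = pad_scalar_constant(k, q)
        if kq_b != kq_c or kq_c.bit_length() != target:
            return False
        if pow(g, kq_c, p) != pow(g, k, p):
            return False
        if taken != (k < branch_threshold(q)):
            return False
    return True


def sample_fixed_length(q, samples=1000, seed=1):
    """Property check for a large odd q (not claimed prime; no group is
    needed because only congruence mod q and the bit length are checked)."""
    rng = random.Random(seed)
    target = q.bit_length() + 1
    for _ in range(samples):
        k = rng.randrange(1, q)
        kq = pad_scalar_constant(k, q)
        if kq % q != k or kq.bit_length() != target:
            return False
    return True


if __name__ == "__main__":
    P, Q, G = 23, 11, 4          # constructed toy parameters, see lead-in
    print("toy group ok:", check_group(P, Q, G))
    print("branch taken for k <", branch_threshold(Q))
    print("160-bit odd q ok:", sample_fixed_length((1 << 159) + 31))
```

The select step matters as much as the additions: in real bignum code the final copy or swap between the two candidates must itself be free of data-dependent branches and memory accesses, otherwise the leak simply moves from the addition to the selection.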
Diffstat (limited to 'src/lib/libssl/ssl_algs.c')
0 files changed, 0 insertions, 0 deletions
