path: root/src/lib/libcrypto/dsa/dsa_ossl.c
Diffstat (limited to 'src/lib/libcrypto/dsa/dsa_ossl.c')
-rw-r--r--src/lib/libcrypto/dsa/dsa_ossl.c55
1 files changed, 12 insertions, 43 deletions
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 12509a7083..f1a85afcde 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -172,7 +172,7 @@ err:
172static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 172static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
173 { 173 {
174 BN_CTX *ctx; 174 BN_CTX *ctx;
175 BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; 175 BIGNUM k,*kinv=NULL,*r=NULL;
176 int ret=0; 176 int ret=0;
177 177
178 if (!dsa->p || !dsa->q || !dsa->g) 178 if (!dsa->p || !dsa->q || !dsa->g)
@@ -182,7 +182,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
182 } 182 }
183 183
184 BN_init(&k); 184 BN_init(&k);
185 BN_init(&kq);
186 185
187 if (ctx_in == NULL) 186 if (ctx_in == NULL)
188 { 187 {
@@ -192,49 +191,22 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
192 ctx=ctx_in; 191 ctx=ctx_in;
193 192
194 if ((r=BN_new()) == NULL) goto err; 193 if ((r=BN_new()) == NULL) goto err;
194 kinv=NULL;
195 195
196 /* Get random k */ 196 /* Get random k */
197 do 197 do
198 if (!BN_rand_range(&k, dsa->q)) goto err; 198 if (!BN_rand_range(&k, dsa->q)) goto err;
199 while (BN_is_zero(&k)); 199 while (BN_is_zero(&k));
200 if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
201 {
202 BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
203 }
204 200
205 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) 201 if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
206 { 202 {
207 if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p, 203 if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
208 CRYPTO_LOCK_DSA, 204 if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
209 dsa->p, ctx)) 205 dsa->p,ctx)) goto err;
210 goto err;
211 } 206 }
212 207
213 /* Compute r = (g^k mod p) mod q */ 208 /* Compute r = (g^k mod p) mod q */
214 209 if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
215 if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
216 {
217 if (!BN_copy(&kq, &k)) goto err;
218
219 /* We do not want timing information to leak the length of k,
220 * so we compute g^k using an equivalent exponent of fixed length.
221 *
222 * (This is a kludge that we need because the BN_mod_exp_mont()
223 * does not let us specify the desired timing behaviour.) */
224
225 if (!BN_add(&kq, &kq, dsa->q)) goto err;
226 if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
227 {
228 if (!BN_add(&kq, &kq, dsa->q)) goto err;
229 }
230
231 K = &kq;
232 }
233 else
234 {
235 K = &k;
236 }
237 if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx,
238 (BN_MONT_CTX *)dsa->method_mont_p)) goto err; 210 (BN_MONT_CTX *)dsa->method_mont_p)) goto err;
239 if (!BN_mod(r,r,dsa->q,ctx)) goto err; 211 if (!BN_mod(r,r,dsa->q,ctx)) goto err;
240 212
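Review bot: The new side at lines 209-210 exponentiates with the raw nonce `&k` and no longer sets `BN_FLG_EXP_CONSTTIME` or pads the exponent to a fixed length (the old side's `kq = k + q` / `k + 2q` step at old 215-236 exists precisely so the running time of `bn_mod_exp` does not depend on the bit length of k); a DSA nonce whose length leaks through timing is a known route to private-key recovery, so the fixed-length exponent path should be retained here, or `bn_mod_exp` must be documented as constant-time for this call. Separately, the lazy Montgomery setup at new 201-205 stores `dsa->method_mont_p` before `BN_MONT_CTX_set` has run and leaves it non-NULL when that call fails, so the `goto err` is never retried on the next call and the half-initialised context is used; the old `BN_MONT_CTX_set_locked` also serialised this under `CRYPTO_LOCK_DSA`, and without it concurrent signers sharing one `DSA` race on the pointer. On the failure path at least reset the cache: `if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p, dsa->p, ctx)) { BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p); dsa->method_mont_p = NULL; goto err; }`. The same construct appears in dsa_do_verify at new 278-282 and needs the same treatment. dsa_sign_setup's `err:` cleanup lies outside this hunk.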
@@ -257,7 +229,6 @@ err:
257 if (ctx_in == NULL) BN_CTX_free(ctx); 229 if (ctx_in == NULL) BN_CTX_free(ctx);
258 if (kinv != NULL) BN_clear_free(kinv); 230 if (kinv != NULL) BN_clear_free(kinv);
259 BN_clear_free(&k); 231 BN_clear_free(&k);
260 BN_clear_free(&kq);
261 return(ret); 232 return(ret);
262 } 233 }
263 234
@@ -304,15 +275,13 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
304 /* u2 = r * w mod q */ 275 /* u2 = r * w mod q */
305 if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err; 276 if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
306 277
307 278 if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
308 if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
309 { 279 {
310 mont = BN_MONT_CTX_set_locked( 280 if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
311 (BN_MONT_CTX **)&dsa->method_mont_p, 281 if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
312 CRYPTO_LOCK_DSA, dsa->p, ctx); 282 dsa->p,ctx)) goto err;
313 if (!mont)
314 goto err;
315 } 283 }
284 mont=(BN_MONT_CTX *)dsa->method_mont_p;
316 285
317#if 0 286#if 0
318 { 287 {