Diffstat (limited to 'src/lib/libcrypto/dsa/dsa_ossl.c')
-rw-r--r--src/lib/libcrypto/dsa/dsa_ossl.c55
1 files changed, 43 insertions, 12 deletions
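--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -172,7 +172,7 @@ err:
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	{
 	BN_CTX *ctx;
-	BIGNUM k,*kinv=NULL,*r=NULL;
+	BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
 	int ret=0;
 
 	if (!dsa->p || !dsa->q || !dsa->g)
@@ -182,6 +182,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 		}
 
 	BN_init(&k);
+	BN_init(&kq);
 
 	if (ctx_in == NULL)
 		{
@@ -191,22 +192,49 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 		ctx=ctx_in;
 
 	if ((r=BN_new()) == NULL) goto err;
-	kinv=NULL;
 
 	/* Get random k */
 	do
 		if (!BN_rand_range(&k, dsa->q)) goto err;
 	while (BN_is_zero(&k));
+	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+		{
+		BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
+		}
 
-	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
 		{
-		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-				dsa->p,ctx)) goto err;
+		if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
+					CRYPTO_LOCK_DSA,
+					dsa->p, ctx))
+			goto err;
 		}
 
 	/* Compute r = (g^k mod p) mod q */
-	if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+
+	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+		{
+		if (!BN_copy(&kq, &k)) goto err;
+
+		/* We do not want timing information to leak the length of k,
+		 * so we compute g^k using an equivalent exponent of fixed length.
+		 *
+		 * (This is a kludge that we need because the BN_mod_exp_mont()
+		 * does not let us specify the desired timing behaviour.) */
+
+		if (!BN_add(&kq, &kq, dsa->q)) goto err;
+		if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
+			{
+			if (!BN_add(&kq, &kq, dsa->q)) goto err;
+			}
+
+		K = &kq;
+		}
+	else
+		{
+		K = &k;
+		}
+	if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx,
 		(BN_MONT_CTX *)dsa->method_mont_p)) goto err;
 	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
 
@@ -229,6 +257,7 @@ err:
 	if (ctx_in == NULL) BN_CTX_free(ctx);
 	if (kinv != NULL) BN_clear_free(kinv);
 	BN_clear_free(&k);
+	BN_clear_free(&kq);
 	return(ret);
 	}
 
@@ -275,13 +304,15 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 	/* u2 = r * w mod q */
 	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
 
-	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+
+	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
 		{
-		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-				dsa->p,ctx)) goto err;
+		mont = BN_MONT_CTX_set_locked(
+			(BN_MONT_CTX **)&dsa->method_mont_p,
+			CRYPTO_LOCK_DSA, dsa->p, ctx);
+		if (!mont)
+			goto err;
 		}
-	mont=(BN_MONT_CTX *)dsa->method_mont_p;
 
 #if 0
 	{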
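Review bot: The constant-time flag set on `k` at new line 202 never reaches the exponent that is actually used: new line 217 builds `kq` with `BN_copy(&kq, &k)` and line 237 passes `K = &kq` to `bn_mod_exp`, and BN_copy copies a BIGNUM's value and sign but not its flags word (worth confirming against this tree's bn_lib.c). If so, the fixed-length exponent still goes down the variable-time exponentiation path and the kludge buys nothing; the one-line fix is `BN_set_flags(&kq, BN_FLG_EXP_CONSTTIME);` directly after the copy, inside the same block. Separately, in dsa_do_verify `mont` is now assigned only under DSA_FLAG_CACHE_MONT_P, so its declaration (outside the hunk) must initialise it to NULL for the uncached case or the later use reads an indeterminate pointer. Both dsa_sign_setup and dsa_do_verify extend beyond the hunks shown.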