7 files changed, 110 insertions, 35 deletions
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index 225ff391f9..851e3f0445 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -80,6 +80,20 @@
 #endif
 #define DSA_FLAG_CACHE_MONT_P   0x01
+#define DSA_FLAG_NO_EXP_CONSTTIME       0x02 /* new with 0.9.7h; the built-in DSA
+                                              * implementation now uses constant time
+                                              * modular exponentiation for secret exponents
+                                              * by default. This flag causes the
+                                              * faster variable sliding window method to
+                                              * be used for all exponents.
+                                              */
+/* If this flag is set external DSA_METHOD callbacks are allowed in FIPS mode
+ * it is then the applications responsibility to ensure the external method
+ * is compliant.
+ */
+#define DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW     0x04
 #if defined(OPENSSL_FIPS)
 #define FIPS_DSA_SIZE_T int
diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c
index 79aa4ff526..fd42053572 100644
--- a/src/lib/libcrypto/dsa/dsa_err.c
+++ b/src/lib/libcrypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/dsa/dsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,29 +64,33 @@
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSA,0,reason)
 static ERR_STRING_DATA DSA_str_functs[]=
        {
-{ERR_PACK(0,DSA_F_D2I_DSA_SIG,0),       "d2i_DSA_SIG"},
+{ERR_FUNC(DSA_F_D2I_DSA_SIG),   "d2i_DSA_SIG"},
-{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT,0),   "DSAparams_print"},
+{ERR_FUNC(DSA_F_DSAPARAMS_PRINT),       "DSAparams_print"},
-{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0),        "DSAparams_print_fp"},
+{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP),    "DSAparams_print_fp"},
-{ERR_PACK(0,DSA_F_DSA_DO_SIGN,0),       "DSA_do_sign"},
+{ERR_FUNC(DSA_F_DSA_DO_SIGN),   "DSA_do_sign"},
-{ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0),     "DSA_do_verify"},
+{ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
-{ERR_PACK(0,DSA_F_DSA_NEW_METHOD,0),    "DSA_new_method"},
+{ERR_FUNC(DSA_F_DSA_NEW_METHOD),        "DSA_new_method"},
-{ERR_PACK(0,DSA_F_DSA_PRINT,0), "DSA_print"},
+{ERR_FUNC(DSA_F_DSA_PRINT),     "DSA_print"},
-{ERR_PACK(0,DSA_F_DSA_PRINT_FP,0),      "DSA_print_fp"},
+{ERR_FUNC(DSA_F_DSA_PRINT_FP),  "DSA_print_fp"},
-{ERR_PACK(0,DSA_F_DSA_SIGN,0),  "DSA_sign"},
+{ERR_FUNC(DSA_F_DSA_SIGN),      "DSA_sign"},
-{ERR_PACK(0,DSA_F_DSA_SIGN_SETUP,0),    "DSA_sign_setup"},
+{ERR_FUNC(DSA_F_DSA_SIGN_SETUP),        "DSA_sign_setup"},
-{ERR_PACK(0,DSA_F_DSA_SIG_NEW,0),       "DSA_SIG_new"},
+{ERR_FUNC(DSA_F_DSA_SIG_NEW),   "DSA_SIG_new"},
-{ERR_PACK(0,DSA_F_DSA_VERIFY,0),        "DSA_verify"},
+{ERR_FUNC(DSA_F_DSA_VERIFY),    "DSA_verify"},
-{ERR_PACK(0,DSA_F_I2D_DSA_SIG,0),       "i2d_DSA_SIG"},
+{ERR_FUNC(DSA_F_I2D_DSA_SIG),   "i2d_DSA_SIG"},
-{ERR_PACK(0,DSA_F_SIG_CB,0),    "SIG_CB"},
+{ERR_FUNC(DSA_F_SIG_CB),        "SIG_CB"},
 {0,NULL}
        };
 static ERR_STRING_DATA DSA_str_reasons[]=
        {
-{DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
+{ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
-{DSA_R_MISSING_PARAMETERS                ,"missing parameters"},
+{ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
 {0,NULL}
        };
@@ -100,8 +104,8 @@ void ERR_load_DSA_strings(void)
                {
                init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_DSA,DSA_str_functs);
+                ERR_load_strings(0,DSA_str_functs);
-                ERR_load_strings(ERR_LIB_DSA,DSA_str_reasons);
+                ERR_load_strings(0,DSA_str_reasons);
 #endif
                }
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index 30607ca579..980b6dc2d3 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -90,8 +90,22 @@ int DSA_generate_key(DSA *dsa)
                }
        else
                pub_key=dsa->pub_key;
+        
+        {
+                BIGNUM local_prk;
+                BIGNUM *prk;
+                if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+                        {
+                        BN_init(&local_prk);
+                        prk = &local_prk;
+                        BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+                        }
+                else
+                        prk = priv_key;
-        if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;
+                if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
+        }
        dsa->priv_key=priv_key;
        dsa->pub_key=pub_key;
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index f1a85afcde..12509a7083 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -172,7 +172,7 @@ err:
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        {
        BN_CTX *ctx;
-        BIGNUM k,*kinv=NULL,*r=NULL;
+        BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
        int ret=0;
        if (!dsa->p || !dsa->q || !dsa->g)
@@ -182,6 +182,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                }
        BN_init(&k);
+        BN_init(&kq);
        if (ctx_in == NULL)
                {
@@ -191,22 +192,49 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                ctx=ctx_in;
        if ((r=BN_new()) == NULL) goto err;
-        kinv=NULL;
        /* Get random k */
        do
                if (!BN_rand_range(&k, dsa->q)) goto err;
        while (BN_is_zero(&k));
+        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+                {
+                BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
+                }
-        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+        if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
                {
-                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
-                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+                                                CRYPTO_LOCK_DSA,
-                                dsa->p,ctx)) goto err;
+                                                dsa->p, ctx))
+                        goto err;
                }
        /* Compute r = (g^k mod p) mod q */
-        if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+                {
+                if (!BN_copy(&kq, &k)) goto err;
+                /* We do not want timing information to leak the length of k,
+                 * so we compute g^k using an equivalent exponent of fixed length.
+                 *
+                 * (This is a kludge that we need because the BN_mod_exp_mont()
+                 * does not let us specify the desired timing behaviour.) */
+                if (!BN_add(&kq, &kq, dsa->q)) goto err;
+                if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
+                        {
+                        if (!BN_add(&kq, &kq, dsa->q)) goto err;
+                        }
+                K = &kq;
+                }
+        else
+                {
+                K = &k;
+                }
+        if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx,
                (BN_MONT_CTX *)dsa->method_mont_p)) goto err;
        if (!BN_mod(r,r,dsa->q,ctx)) goto err;
@@ -229,6 +257,7 @@ err:
        if (ctx_in == NULL) BN_CTX_free(ctx);
        if (kinv != NULL) BN_clear_free(kinv);
        BN_clear_free(&k);
+        BN_clear_free(&kq);
        return(ret);
        }
@@ -275,13 +304,15 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
        /* u2 = r * w mod q */
        if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
-        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+        if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
                {
-                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                mont = BN_MONT_CTX_set_locked(
-                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+                                        (BN_MONT_CTX **)&dsa->method_mont_p,
-                                dsa->p,ctx)) goto err;
+                                        CRYPTO_LOCK_DSA, dsa->p, ctx);
+                if (!mont)
+                        goto err;
                }
-        mont=(BN_MONT_CTX *)dsa->method_mont_p;
 #if 0
        {
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index 3c9753bac3..37c65efb20 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -72,7 +72,8 @@
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
        {
 #ifdef OPENSSL_FIPS
-        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
+                && !FIPS_dsa_check(dsa))
                return NULL;
 #endif
        return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
@@ -96,7 +97,8 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        {
 #ifdef OPENSSL_FIPS
-        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
+                && !FIPS_dsa_check(dsa))
                return 0;
 #endif
        return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index 8ef0c45025..c9784bed48 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -74,7 +74,8 @@ int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                  DSA *dsa)
        {
 #ifdef OPENSSL_FIPS
-        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
+                && !FIPS_dsa_check(dsa))
                return -1;
 #endif
        return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
diff --git a/src/lib/libcrypto/dsa/dsatest.c b/src/lib/libcrypto/dsa/dsatest.c
index 4734ce4af8..55a3756aff 100644
--- a/src/lib/libcrypto/dsa/dsatest.c
+++ b/src/lib/libcrypto/dsa/dsatest.c
@@ -194,10 +194,19 @@ int main(int argc, char **argv)
                BIO_printf(bio_err,"g value is wrong\n");
                goto end;
                }
+        dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
        DSA_generate_key(dsa);
        DSA_sign(0, str1, 20, sig, &siglen, dsa);
        if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
                ret=1;
+        dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
+        DSA_generate_key(dsa);
+        DSA_sign(0, str1, 20, sig, &siglen, dsa);
+        if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
+                ret=1;
 end:
        if (!ret)
                ERR_print_errors(bio_err);

diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h index 225ff391f9..851e3f0445 100644 --- a/src/lib/libcrypto/dsa/dsa.h +++ b/src/lib/libcrypto/dsa/dsa.h
@@ -80,6 +80,20 @@
80	#endif	80	#endif
81		81
82	#define DSA_FLAG_CACHE_MONT_P 0x01	82	#define DSA_FLAG_CACHE_MONT_P 0x01
		83	#define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
		84	* implementation now uses constant time
		85	* modular exponentiation for secret exponents
		86	* by default. This flag causes the
		87	* faster variable sliding window method to
		88	* be used for all exponents.
		89	*/
		90
		91	/* If this flag is set external DSA_METHOD callbacks are allowed in FIPS mode
		92	* it is then the applications responsibility to ensure the external method
		93	* is compliant.
		94	*/
		95
		96	#define DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW 0x04
83		97
84	#if defined(OPENSSL_FIPS)	98	#if defined(OPENSSL_FIPS)
85	#define FIPS_DSA_SIZE_T int	99	#define FIPS_DSA_SIZE_T int


diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c index 79aa4ff526..fd42053572 100644 --- a/src/lib/libcrypto/dsa/dsa_err.c +++ b/src/lib/libcrypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
1	/* crypto/dsa/dsa_err.c */	1	/* crypto/dsa/dsa_err.c */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
4	*	4	*
5	* Redistribution and use in source and binary forms, with or without	5	* Redistribution and use in source and binary forms, with or without
6	* modification, are permitted provided that the following conditions	6	* modification, are permitted provided that the following conditions
@@ -64,29 +64,33 @@
64		64
65	/* BEGIN ERROR CODES */	65	/* BEGIN ERROR CODES */
66	#ifndef OPENSSL_NO_ERR	66	#ifndef OPENSSL_NO_ERR
		67
		68	#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0)
		69	#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSA,0,reason)
		70
67	static ERR_STRING_DATA DSA_str_functs[]=	71	static ERR_STRING_DATA DSA_str_functs[]=
68	{	72	{
69	{ERR_PACK(0,DSA_F_D2I_DSA_SIG,0), "d2i_DSA_SIG"},	73	{ERR_FUNC(DSA_F_D2I_DSA_SIG), "d2i_DSA_SIG"},
70	{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT,0), "DSAparams_print"},	74	{ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
71	{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0), "DSAparams_print_fp"},	75	{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
72	{ERR_PACK(0,DSA_F_DSA_DO_SIGN,0), "DSA_do_sign"},	76	{ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
73	{ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0), "DSA_do_verify"},	77	{ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
74	{ERR_PACK(0,DSA_F_DSA_NEW_METHOD,0), "DSA_new_method"},	78	{ERR_FUNC(DSA_F_DSA_NEW_METHOD), "DSA_new_method"},
75	{ERR_PACK(0,DSA_F_DSA_PRINT,0), "DSA_print"},	79	{ERR_FUNC(DSA_F_DSA_PRINT), "DSA_print"},
76	{ERR_PACK(0,DSA_F_DSA_PRINT_FP,0), "DSA_print_fp"},	80	{ERR_FUNC(DSA_F_DSA_PRINT_FP), "DSA_print_fp"},
77	{ERR_PACK(0,DSA_F_DSA_SIGN,0), "DSA_sign"},	81	{ERR_FUNC(DSA_F_DSA_SIGN), "DSA_sign"},
78	{ERR_PACK(0,DSA_F_DSA_SIGN_SETUP,0), "DSA_sign_setup"},	82	{ERR_FUNC(DSA_F_DSA_SIGN_SETUP), "DSA_sign_setup"},
79	{ERR_PACK(0,DSA_F_DSA_SIG_NEW,0), "DSA_SIG_new"},	83	{ERR_FUNC(DSA_F_DSA_SIG_NEW), "DSA_SIG_new"},
80	{ERR_PACK(0,DSA_F_DSA_VERIFY,0), "DSA_verify"},	84	{ERR_FUNC(DSA_F_DSA_VERIFY), "DSA_verify"},
81	{ERR_PACK(0,DSA_F_I2D_DSA_SIG,0), "i2d_DSA_SIG"},	85	{ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"},
82	{ERR_PACK(0,DSA_F_SIG_CB,0), "SIG_CB"},	86	{ERR_FUNC(DSA_F_SIG_CB), "SIG_CB"},
83	{0,NULL}	87	{0,NULL}
84	};	88	};
85		89
86	static ERR_STRING_DATA DSA_str_reasons[]=	90	static ERR_STRING_DATA DSA_str_reasons[]=
87	{	91	{
88	{DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"},	92	{ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
89	{DSA_R_MISSING_PARAMETERS ,"missing parameters"},	93	{ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
90	{0,NULL}	94	{0,NULL}
91	};	95	};
92		96
@@ -100,8 +104,8 @@ void ERR_load_DSA_strings(void)
100	{	104	{
101	init=0;	105	init=0;
102	#ifndef OPENSSL_NO_ERR	106	#ifndef OPENSSL_NO_ERR
103	ERR_load_strings(ERR_LIB_DSA,DSA_str_functs);	107	ERR_load_strings(0,DSA_str_functs);
104	ERR_load_strings(ERR_LIB_DSA,DSA_str_reasons);	108	ERR_load_strings(0,DSA_str_reasons);
105	#endif	109	#endif
106		110
107	}	111	}


diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c index 30607ca579..980b6dc2d3 100644 --- a/src/lib/libcrypto/dsa/dsa_key.c +++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -90,8 +90,22 @@ int DSA_generate_key(DSA *dsa)
90	}	90	}
91	else	91	else
92	pub_key=dsa->pub_key;	92	pub_key=dsa->pub_key;
		93
		94	{
		95	BIGNUM local_prk;
		96	BIGNUM *prk;
		97
		98	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		99	{
		100	BN_init(&local_prk);
		101	prk = &local_prk;
		102	BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
		103	}
		104	else
		105	prk = priv_key;
93		106
94	if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;	107	if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
		108	}
95		109
96	dsa->priv_key=priv_key;	110	dsa->priv_key=priv_key;
97	dsa->pub_key=pub_key;	111	dsa->pub_key=pub_key;


diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c index f1a85afcde..12509a7083 100644 --- a/src/lib/libcrypto/dsa/dsa_ossl.c +++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -172,7 +172,7 @@ err:
172	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)	172	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
173	{	173	{
174	BN_CTX *ctx;	174	BN_CTX *ctx;
175	BIGNUM k,kinv=NULL,r=NULL;	175	BIGNUM k,kq,K,kinv=NULL,*r=NULL;
176	int ret=0;	176	int ret=0;
177		177
178	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)	178	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
@@ -182,6 +182,7 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
182	}	182	}
183		183
184	BN_init(&k);	184	BN_init(&k);
		185	BN_init(&kq);
185		186
186	if (ctx_in == NULL)	187	if (ctx_in == NULL)
187	{	188	{
@@ -191,22 +192,49 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
191	ctx=ctx_in;	192	ctx=ctx_in;
192		193
193	if ((r=BN_new()) == NULL) goto err;	194	if ((r=BN_new()) == NULL) goto err;
194	kinv=NULL;
195		195
196	/* Get random k */	196	/* Get random k */
197	do	197	do
198	if (!BN_rand_range(&k, dsa->q)) goto err;	198	if (!BN_rand_range(&k, dsa->q)) goto err;
199	while (BN_is_zero(&k));	199	while (BN_is_zero(&k));
		200	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		201	{
		202	BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
		203	}
200		204
201	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))	205	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
202	{	206	{
203	if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)	207	if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
204	if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,	208	CRYPTO_LOCK_DSA,
205	dsa->p,ctx)) goto err;	209	dsa->p, ctx))
		210	goto err;
206	}	211	}
207		212
208	/* Compute r = (g^k mod p) mod q */	213	/* Compute r = (g^k mod p) mod q */
209	if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,	214
		215	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		216	{
		217	if (!BN_copy(&kq, &k)) goto err;
		218
		219	/* We do not want timing information to leak the length of k,
		220	* so we compute g^k using an equivalent exponent of fixed length.
		221	*
		222	* (This is a kludge that we need because the BN_mod_exp_mont()
		223	* does not let us specify the desired timing behaviour.) */
		224
		225	if (!BN_add(&kq, &kq, dsa->q)) goto err;
		226	if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
		227	{
		228	if (!BN_add(&kq, &kq, dsa->q)) goto err;
		229	}
		230
		231	K = &kq;
		232	}
		233	else
		234	{
		235	K = &k;
		236	}
		237	if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx,
210	(BN_MONT_CTX *)dsa->method_mont_p)) goto err;	238	(BN_MONT_CTX *)dsa->method_mont_p)) goto err;
211	if (!BN_mod(r,r,dsa->q,ctx)) goto err;	239	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
212		240
@@ -229,6 +257,7 @@ err:
229	if (ctx_in == NULL) BN_CTX_free(ctx);	257	if (ctx_in == NULL) BN_CTX_free(ctx);
230	if (kinv != NULL) BN_clear_free(kinv);	258	if (kinv != NULL) BN_clear_free(kinv);
231	BN_clear_free(&k);	259	BN_clear_free(&k);
		260	BN_clear_free(&kq);
232	return(ret);	261	return(ret);
233	}	262	}
234		263
@@ -275,13 +304,15 @@ static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
275	/* u2 = r * w mod q */	304	/* u2 = r * w mod q */
276	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;	305	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
277		306
278	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))	307
		308	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
279	{	309	{
280	if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)	310	mont = BN_MONT_CTX_set_locked(
281	if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,	311	(BN_MONT_CTX **)&dsa->method_mont_p,
282	dsa->p,ctx)) goto err;	312	CRYPTO_LOCK_DSA, dsa->p, ctx);
		313	if (!mont)
		314	goto err;
283	}	315	}
284	mont=(BN_MONT_CTX *)dsa->method_mont_p;
285		316
286	#if 0	317	#if 0
287	{	318	{


diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c index 3c9753bac3..37c65efb20 100644 --- a/src/lib/libcrypto/dsa/dsa_sign.c +++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -72,7 +72,8 @@
72	DSA_SIG * DSA_do_sign(const unsigned char dgst, int dlen, DSA dsa)	72	DSA_SIG * DSA_do_sign(const unsigned char dgst, int dlen, DSA dsa)
73	{	73	{
74	#ifdef OPENSSL_FIPS	74	#ifdef OPENSSL_FIPS
75	if(FIPS_mode() && !FIPS_dsa_check(dsa))	75	if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
		76	&& !FIPS_dsa_check(dsa))
76	return NULL;	77	return NULL;
77	#endif	78	#endif
78	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);	79	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
@@ -96,7 +97,8 @@ int DSA_sign(int type, const unsigned char dgst, int dlen, unsigned char sig,
96	int DSA_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)	97	int DSA_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
97	{	98	{
98	#ifdef OPENSSL_FIPS	99	#ifdef OPENSSL_FIPS
99	if(FIPS_mode() && !FIPS_dsa_check(dsa))	100	if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
		101	&& !FIPS_dsa_check(dsa))
100	return 0;	102	return 0;
101	#endif	103	#endif
102	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);	104	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);


diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c index 8ef0c45025..c9784bed48 100644 --- a/src/lib/libcrypto/dsa/dsa_vrf.c +++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -74,7 +74,8 @@ int DSA_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
74	DSA *dsa)	74	DSA *dsa)
75	{	75	{
76	#ifdef OPENSSL_FIPS	76	#ifdef OPENSSL_FIPS
77	if(FIPS_mode() && !FIPS_dsa_check(dsa))	77	if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
		78	&& !FIPS_dsa_check(dsa))
78	return -1;	79	return -1;
79	#endif	80	#endif
80	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);	81	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);


diff --git a/src/lib/libcrypto/dsa/dsatest.c b/src/lib/libcrypto/dsa/dsatest.c index 4734ce4af8..55a3756aff 100644 --- a/src/lib/libcrypto/dsa/dsatest.c +++ b/src/lib/libcrypto/dsa/dsatest.c
@@ -194,10 +194,19 @@ int main(int argc, char **argv)
194	BIO_printf(bio_err,"g value is wrong\n");	194	BIO_printf(bio_err,"g value is wrong\n");
195	goto end;	195	goto end;
196	}	196	}
		197
		198	dsa->flags \|= DSA_FLAG_NO_EXP_CONSTTIME;
197	DSA_generate_key(dsa);	199	DSA_generate_key(dsa);
198	DSA_sign(0, str1, 20, sig, &siglen, dsa);	200	DSA_sign(0, str1, 20, sig, &siglen, dsa);
199	if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)	201	if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
200	ret=1;	202	ret=1;
		203
		204	dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
		205	DSA_generate_key(dsa);
		206	DSA_sign(0, str1, 20, sig, &siglen, dsa);
		207	if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
		208	ret=1;
		209
201	end:	210	end:
202	if (!ret)	211	if (!ret)
203	ERR_print_errors(bio_err);	212	ERR_print_errors(bio_err);