From b57d9bfda0a4cfebac3b70e39ad9581d29db6c4f Mon Sep 17 00:00:00 2001 From: beck <> Date: Mon, 6 Jun 2016 10:00:04 +0000 Subject: Correct a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set. This issue was reported by Cesar Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by Cesar Pereida. --- src/lib/libcrypto/dsa/dsa_ossl.c | 10 ++++++---- src/lib/libssl/src/crypto/dsa/dsa_ossl.c | 10 ++++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c index 7c0a7802b0..13101cea1d 100644 --- a/src/lib/libcrypto/dsa/dsa_ossl.c +++ b/src/lib/libcrypto/dsa/dsa_ossl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_ossl.c,v 1.23 2015/09/10 07:58:28 bcook Exp $ */ +/* $OpenBSD: dsa_ossl.c,v 1.24 2016/06/06 10:00:04 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -247,9 +247,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) if (!BN_rand_range(&k, dsa->q)) goto err; } while (BN_is_zero(&k)); - if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - BN_set_flags(&k, BN_FLG_CONSTTIME); - } if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, @@ -283,6 +280,11 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) } else { K = &k; } + + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { + BN_set_flags(&k, BN_FLG_CONSTTIME); + } + DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p); if (!BN_mod(r,r,dsa->q,ctx)) diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c index 7c0a7802b0..13101cea1d 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c +++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c 
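Review bot: In the `@@ -283,6 +280,11 @@` hunk the re-added block sets BN_FLG_CONSTTIME on `&k`, but the exponent handed to `DSA_BN_MOD_EXP` two lines later is `K`, and the visible `else` branch is the only place that ties `K` to `&k`; if the other branch of that conditional (outside the hunk) points `K` at a separately built BIGNUM, the flag never reaches the value actually exponentiated and the non-constant-time path is still taken in the default configuration. Setting the flag on the exponent itself, `BN_set_flags(K, BN_FLG_CONSTTIME);`, covers both branches; keeping `&k` flagged as well is harmless and matters if a later step (such as computing the inverse of k) also selects its constant-time path from the flag. A short comment above the block recording why it now sits below the K selection (the flag has to be on whichever BIGNUM is exponentiated, which a copy of k would presumably not inherit) would make the placement survive the next refactor. dsa_sign_setup begins and ends outside this hunk, so the other branch could not be checked here.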
@@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_ossl.c,v 1.23 2015/09/10 07:58:28 bcook Exp $ */ +/* $OpenBSD: dsa_ossl.c,v 1.24 2016/06/06 10:00:04 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -247,9 +247,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) if (!BN_rand_range(&k, dsa->q)) goto err; } while (BN_is_zero(&k)); - if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - BN_set_flags(&k, BN_FLG_CONSTTIME); - } if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, @@ -283,6 +280,11 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) } else { K = &k; } + + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { + BN_set_flags(&k, BN_FLG_CONSTTIME); + } + DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p); if (!BN_mod(r,r,dsa->q,ctx)) -- cgit v1.2.3-55-g6feb
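Review bot: This is the mirrored copy of the libcrypto change (both files move from blob 7c0a7802b0 to 13101cea1d), so the same concern carries over to the `@@ -283,6 +280,11 @@` hunk here: the block re-added after `K = &k;` flags `&k` while `DSA_BN_MOD_EXP` receives `K`, and the branch that may select a different `K` lies outside the hunk. If that branch builds `K` from a copy of k, `BN_set_flags(K, BN_FLG_CONSTTIME);` is the line that actually makes the exponentiation constant-time, and `&k` can keep its flag alongside it. Whichever target is chosen must be applied to both copies of dsa_ossl.c in the same commit, or the two trees will silently diverge on a security-relevant line. dsa_sign_setup starts and ends outside this hunk.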