diff options
author | delphij <delphij@FreeBSD.org> | 2016-09-23 07:48:34 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2016-09-23 07:48:34 +0000 |
commit | eaf14f8188deb08bcb1fa48ab854b3a3ab8bf939 (patch) | |
tree | 665f71e1ff012a51099b77b57c6d573b8f3c3d68 /crypto/openssl/crypto/dsa | |
parent | 31dd439280dad5066313b92d89838db63d850228 (diff) | |
download | FreeBSD-src-eaf14f8188deb08bcb1fa48ab854b3a3ab8bf939.zip FreeBSD-src-eaf14f8188deb08bcb1fa48ab854b3a3ab8bf939.tar.gz |
Fix multiple OpenSSL vulnerabilitites.
Approved by: so
Security: FreeBSD-SA-16:26.openssl
Diffstat (limited to 'crypto/openssl/crypto/dsa')
-rw-r--r-- | crypto/openssl/crypto/dsa/dsa_ossl.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/crypto/openssl/crypto/dsa/dsa_ossl.c b/crypto/openssl/crypto/dsa/dsa_ossl.c index 9a3772e..06cd2a2 100644 --- a/crypto/openssl/crypto/dsa/dsa_ossl.c +++ b/crypto/openssl/crypto/dsa/dsa_ossl.c @@ -247,11 +247,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, do if (!BN_rand_range(&k, dsa->q)) goto err; - while (BN_is_zero(&k)) ; + while (BN_is_zero(&k)); + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { BN_set_flags(&k, BN_FLG_CONSTTIME); } + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, CRYPTO_LOCK_DSA, dsa->p, ctx)) @@ -264,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if (!BN_copy(&kq, &k)) goto err; + BN_set_flags(&kq, BN_FLG_CONSTTIME); + /* * We do not want timing information to leak the length of k, so we * compute g^k using an equivalent exponent of fixed length. (This @@ -282,6 +286,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, } else { K = &k; } + DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p); if (!BN_mod(r, r, dsa->q, ctx)) |