
Repository: github.com/mono/boringssl.git
author    David Benjamin <davidben@google.com>  2016-06-07 21:38:01 +0300
committer David Benjamin <davidben@google.com>  2016-06-07 22:29:18 +0300
commit    26b7c35d8c78065a57c93a01d95b31eb85de51b9 (patch)
tree      1e3943121472446b582a8bc6da57c1224311f79e /crypto/dsa
parent    0d275bdb32e22e5e75e30981976dbbc28c8805bc (diff)
Fix DSA, preserve BN_FLG_CONSTTIME
Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

CVE-2016-2178

(Imported from upstream's 621eaf49a289bfac26d4cbcdb7396e796784c534 and b7d0f2834e139a20560d64c73e2565e93715ce2b.)

We should eventually not depend on BN_FLG_CONSTTIME since it's a mess (seeing as the original fix was wrong until we reported b7d0f2834e to them), but, for now, go with the simplest fix.

Change-Id: I9ea15c1d1cc3a7e21ef5b591e1879ec97a179718
Reviewed-on: https://boringssl-review.googlesource.com/8172
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Diffstat (limited to 'crypto/dsa')

-rw-r--r--  crypto/dsa/dsa.c  | 1 +

1 files changed, 1 insertions, 0 deletions
diff --git a/crypto/dsa/dsa.c b/crypto/dsa/dsa.c
index fe29aa0e..1de0071e 100644
--- a/crypto/dsa/dsa.c
+++ b/crypto/dsa/dsa.c
@@ -845,6 +845,7 @@ int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,
goto err;
}
+ BN_set_flags(&kq, BN_FLG_CONSTTIME);
K = &kq;
if (!BN_mod_exp_mont(r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p)) {
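Review bot: The added `BN_set_flags(&kq, BN_FLG_CONSTTIME);` is placed immediately before `K = &kq;`, which is correct, since the exponent `K` handed to `BN_mod_exp_mont` on the following line is what must carry the flag for the constant-time exponentiation path to be selected; the earlier code (outside this hunk) that builds `kq` from the nonce evidently produced a value without the flag, which is the non-constant-time codepath the commit message describes. Because the fix relies on a per-BIGNUM flag rather than on an API that is constant-time by construction, a one-line comment at this point stating that `kq` must be flagged before it is used as an exponent would help reviewers notice if a future refactor copies or reallocates `kq` (dropping the flag) between here and the `BN_mod_exp_mont` call. The commit message itself notes that the upstream fix was initially wrong, which argues for a regression test in `crypto/dsa` that exercises `DSA_sign_setup` and checks the flag is present on the exponent, so that the constant-time property does not silently regress.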