diff options
Diffstat (limited to 'thirdparty/openssl/crypto/dsa/dsa_ossl.c')
-rw-r--r-- | thirdparty/openssl/crypto/dsa/dsa_ossl.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/thirdparty/openssl/crypto/dsa/dsa_ossl.c b/thirdparty/openssl/crypto/dsa/dsa_ossl.c index efc4f1b6ae..58013a4a13 100644 --- a/thirdparty/openssl/crypto/dsa/dsa_ossl.c +++ b/thirdparty/openssl/crypto/dsa/dsa_ossl.c @@ -247,11 +247,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, do if (!BN_rand_range(&k, dsa->q)) goto err; - while (BN_is_zero(&k)) ; + while (BN_is_zero(&k)); + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { BN_set_flags(&k, BN_FLG_CONSTTIME); } + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, CRYPTO_LOCK_DSA, dsa->p, ctx)) @@ -264,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if (!BN_copy(&kq, &k)) goto err; + BN_set_flags(&kq, BN_FLG_CONSTTIME); + /* * We do not want timing information to leak the length of k, so we * compute g^k using an equivalent exponent of fixed length. (This @@ -282,6 +286,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, } else { K = &k; } + DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p); if (!BN_mod(r, r, dsa->q, ctx)) |