Address a timing side channel whereby it is possible to determine some
author Pauli <paul.dale@oracle.com>
Tue, 31 Oct 2017 20:58:13 +0000 (06:58 +1000)
committer Matt Caswell <matt@openssl.org>
Wed, 1 Nov 2017 16:41:59 +0000 (16:41 +0000)
commit b96bebacfe814deb99fb64a3ed2296d95c573600
tree 9c2ebb4103a20736f02fbe0ee7f895b9d39c7aae
parent a92ca561bc91f4ebd2f53578e82058efcde61aed
Address a timing side channel whereby it is possible to determine some

information about the length of a value used in DSA operations from
a large number of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4642)
crypto/dsa/dsa_ossl.c