Fix DSA, preserve BN_FLG_CONSTTIME
authorCesar Pereida <cesar.pereida@aalto.fi>
Mon, 23 May 2016 09:45:25 +0000 (12:45 +0300)
committerMatt Caswell <matt@openssl.org>
Mon, 6 Jun 2016 10:31:36 +0000 (11:31 +0100)
commitd168705e11526a4b487640c7cac5b53ee3646cbc
treedc06d447fb50af1cf4e6b21b737d57768f8d9ee9
parentac29a0fed67ea1aeba71bad91f48593b644db4fd
Fix DSA, preserve BN_FLG_CONSTTIME

Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.

CVE-2016-2178

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 621eaf49a289bfac26d4cbcdb7396e796784c534)
crypto/dsa/dsa_ossl.c