Use BN_mod_exp_mont_consttime in dsa_priv_decode.

The exponent is secret, so we should be using the consttime variant. See also upstream's f9cbf470180841966338db1f4c28d99ec4debec4. Change-Id: I233d4223ded5b80711d7c8f906e3579c36b24cd0 Reviewed-on: https://boringssl-review.googlesource.com/20924 Reviewed-by: Adam Langley <agl@google.com>
2017-09-29 15:10:50 -04:00 · 2017-09-29 15:10:50 -04:00 · 575334657f
commit 575334657f
parent 81f030b106
1 changed files with 2 additions and 2 deletions
--- a/crypto/evp/p_dsa_asn1.c
+++ b/crypto/evp/p_dsa_asn1.c
@ -151,8 +151,8 @@ static int dsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
  // Calculate the public key.
  ctx = BN_CTX_new();
  if (ctx == NULL ||
-      !BN_mod_exp_mont(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx,
-                       NULL)) {
+      !BN_mod_exp_mont_consttime(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p,
+                                 ctx, NULL)) {
    goto err;
  }