boringssl/crypto/dsa
David Benjamin 26b7c35d8c Fix DSA, preserve BN_FLG_CONSTTIME
Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.

CVE-2016-2178

(Imported from upstream's 621eaf49a289bfac26d4cbcdb7396e796784c534 and
b7d0f2834e139a20560d64c73e2565e93715ce2b.)

We should eventually not depend on BN_FLG_CONSTTIME since it's a mess (seeing
as the original fix was wrong until we reported b7d0f2834e to them), but, for
now, go with the simplest fix.

Change-Id: I9ea15c1d1cc3a7e21ef5b591e1879ec97a179718
Reviewed-on: https://boringssl-review.googlesource.com/8172
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-06-07 19:29:18 +00:00
..
CMakeLists.txt
dsa_asn1.c Fix a few more missing CBB_cleanups. 2016-03-08 21:08:48 +00:00
dsa_test.c Remove dead header file. 2016-02-17 01:34:15 +00:00
dsa.c Fix DSA, preserve BN_FLG_CONSTTIME 2016-06-07 19:29:18 +00:00