deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on)

The fix for CVE-2018-0734, floated in 213c7d2, failed to include a constant-time calculation for one of the variables. This introduces a fix for that. Ref: openssl/openssl#7549 Ref: nodejs#24353 Upstream: openssl/openssl@26d7fce1 Original commit message: Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson <[email protected]> (Merged from openssl/openssl#7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
rvagg · Nov 14, 2018 · 8d77cc1 · 8d77cc1
1 parent 114ab64
commit 8d77cc1
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c
@@ -295,9 +295,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
 
     if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
         BN_set_flags(&k, BN_FLG_CONSTTIME);
+        BN_set_flags(&l, BN_FLG_CONSTTIME);
     }
 
-
     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
                                     CRYPTO_LOCK_DSA, dsa->p, ctx))