From 323a365766e30895860ce0e0ac95f7f33a060021 Mon Sep 17 00:00:00 2001 From: Rod Vagg Date: Wed, 14 Nov 2018 14:13:57 +1100 Subject: [PATCH] deps: float 26d7fce1 from openssl The fix for CVE-2018-0734, floated in 213c7d2d, failed to include a constant-time calculation for one of the variables. This introduces a fix for that. Upstream: https://github.com/openssl/openssl/commit/26d7fce1 Original commit message: Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) PR-URL: https://github.com/nodejs/node/pull/24353 Refs: https://github.com/openssl/openssl/pull/7549 Reviewed-By: Sam Roberts Reviewed-By: Daniel Bevenius --- deps/openssl/openssl/crypto/dsa/dsa_ossl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c index be58625db3b162..868283ac63a1f4 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c @@ -225,6 +225,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, } while (BN_is_zero(k)); BN_set_flags(k, BN_FLG_CONSTTIME); + BN_set_flags(l, BN_FLG_CONSTTIME); if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,