authorSergio Giro <sgiro@google.com>2017-01-19 21:40:17 +0000
committerandroid-build-merger <android-build-merger@google.com>2017-01-19 21:40:17 +0000
commitfbf7512c8942075f80cba53e708c13682f04ea29 (patch)
tree8ebc72ead6f9a80938fdba92e217da96ee451037 /bcprov/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java
parente54ca62fe13a7f6a52a89e409edcf4b6547072be (diff)
parent07a37e800ceaa1470036078af8d69981604e0945 (diff)
downloadbouncycastle-fbf7512c8942075f80cba53e708c13682f04ea29.tar.gz
Merge "bouncycastle: upgrade to version 1.56" am: ae9dc88d85 am: ed012da722
am: 07a37e800c Change-Id: Ie6a51b57d83037f0f7f1acecedc16da1c1bd6820
Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java')
-rw-r--r--bcprov/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java11
1 files changed, 10 insertions, 1 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java b/bcprov/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java
index 44f838b2..920611bc 100644
--- a/bcprov/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java
+++ b/bcprov/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java
@@ -95,7 +95,8 @@ public class DSASigner
BigInteger k = kCalculator.nextK();
- BigInteger r = params.getG().modPow(k, params.getP()).mod(q);
+ // the randomizer is to conceal timing information related to k and x.
+ BigInteger r = params.getG().modPow(k.add(getRandomizer(q, random)), params.getP()).mod(q);
k = k.modInverse(q).multiply(m.add(x.multiply(r)));
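Review bot: The new comment on the `r` line claims more than the change covers. Only the `modPow` exponent is blinded, while `k.modInverse(q)` and `x.multiply(r)` on the next line still work on the raw k and x. `java.math.BigInteger` makes no constant-time guarantee, so the inversion can still have k-dependent timing, and x never enters the `modPow` call at all. I would narrow the comment to `// blind the modPow exponent with a random multiple of q; the modInverse/multiply below are NOT covered` and track blinding of the inversion separately. The enclosing method starts and ends outside this hunk.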
@@ -163,4 +164,12 @@ public class DSASigner
{
return !needed ? null : (provided != null) ? provided : new SecureRandom();
}
+
+ private BigInteger getRandomizer(BigInteger q, SecureRandom provided)
+ {
+ // Calculate a random multiple of q to add to k. Note that g^q = 1 (mod p), so adding multiple of q to k does not change r.
+ int randomBits = 7;
+
+ return new BigInteger(randomBits, provided != null ? provided : new SecureRandom()).add(BigInteger.valueOf(128)).multiply(q);
+ }
}
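Review bot: In `getRandomizer` the literal `128` is silently coupled to `randomBits = 7`: the multiplier is a 7-bit value plus 2^7, so it always falls in 128..255. Changing `randomBits` without also changing the constant breaks that fixed-length property, so derive it instead: `.add(BigInteger.ONE.shiftLeft(randomBits))`. Since `initSecureRandom` above returns null when no randomness is needed, the `provided != null ? provided : new SecureRandom()` fallback builds a fresh `SecureRandom` on every signature in that mode; a lazily created instance held by the signer would avoid the repeated seeding cost. The comment should also state that `g^q = 1 (mod p)` relies on g having order q (validated domain parameters), and why 128 possible multipliers are judged sufficient.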