Clear BN_FLG_CONSTTIME on BN_CTX_get()

(cherry picked from commit c8147d37ccaaf28c430d3fb45a14af36597e48b8)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8295)

diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c
index 526c6a046d16a394a44891c47fb50ad39781c944..3391134d7b25c8f4e7c97ccbeecc1cba0c6fe500 100644 (file)
--- a/crypto/bn/bn_ctx.c
+++ b/crypto/bn/bn_ctx.c
@@ -299,6 +299,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
     }
     /* OK, make sure the returned bignum is "zero" */
     BN_zero(ret);
+    /* clear BN_FLG_CONSTTIME if leaked from previous frames */
+    ret->flags &= (~BN_FLG_CONSTTIME);
     ctx->used++;
     CTXDBG_RET(ctx, ret);
     return ret;