svn commit: r431174 - in head/security/libressl: . files

Bernard Spil brnrd at FreeBSD.org
Wed Jan 11 11:42:38 UTC 2017 

Author: brnrd
Date: Wed Jan 11 11:42:37 2017
New Revision: 431174
URL: https://svnweb.freebsd.org/changeset/ports/431174

Log:
  security/libressl: Fix ECDSA P-256 timing attack vuln
  
    - Add patch from OpenBSD
  
  MFH:		2017Q1
  Security:	7caebe30-d7f1-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-7056

Added:
  head/security/libressl/files/patch-CVE-2016-7056   (contents, props changed)
Modified:
  head/security/libressl/Makefile

Modified: head/security/libressl/Makefile
==============================================================================
--- head/security/libressl/Makefile	Wed Jan 11 11:41:08 2017	(r431173)
+++ head/security/libressl/Makefile	Wed Jan 11 11:42:37 2017	(r431174)
@@ -3,6 +3,7 @@
 
 PORTNAME=	libressl
 PORTVERSION=	2.4.4
+PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	OPENBSD/LibreSSL
 

Added: head/security/libressl/files/patch-CVE-2016-7056
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/libressl/files/patch-CVE-2016-7056	Wed Jan 11 11:42:37 2017	(r431174)
@@ -0,0 +1,35 @@
+untrusted comment: signature from openbsd 6.0 base secret key
+RWSho3oKSqgLQ55BCxFoKK3pckJBYNZ3l6vujvan4SYLtXvRIsH6PNnmu7Xu18ILyYPxIQnYmCf1ux+IeoD8vzKfEeoCb+UVdQg=
+
+OpenBSD 6.0 errata 16, Jan 5, 2017:
+
+Avoid possible side-channel leak of ECDSA private keys when signing.
+
+Apply by doing:
+    signify -Vep /etc/signify/openbsd-60-base.pub -x 016_libcrypto.patch.sig \
+        -m - | (cd /usr/src && patch -p0)
+
+And then rebuild and install libcrypto:
+        cd /usr/src/lib/libcrypto
+        make obj
+        make depend
+        make
+        make install
+
+Index: lib/libssl/src/crypto/ecdsa/ecs_ossl.c
+===================================================================
+RCS file: /cvs/src/lib/libssl/src/crypto/ecdsa/Attic/ecs_ossl.c,v
+retrieving revision 1.6
+retrieving revision 1.6.8.1
+diff -u -p -r1.6 -r1.6.8.1
+--- crypto/ecdsa/ecs_ossl.c	8 Feb 2015 13:35:07 -0000	1.6
++++ crypto/ecdsa/ecs_ossl.c	5 Jan 2017 13:28:48 -0000	1.6.8.1
+@@ -141,6 +141,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *
+ 		if (BN_num_bits(k) <= BN_num_bits(order))
+ 			if (!BN_add(k, k, order))
+ 				goto err;
++
++		BN_set_flags(k, BN_FLG_CONSTTIME);
+ 
+ 		/* compute r the x-coordinate of generator * k */
+ 		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {

More information about the svn-ports-all mailing list