svn commit: r431174 - in head/security/libressl: . files
Bernard Spil
brnrd at FreeBSD.org
Wed Jan 11 11:42:38 UTC 2017
Author: brnrd
Date: Wed Jan 11 11:42:37 2017
New Revision: 431174
URL: https://svnweb.freebsd.org/changeset/ports/431174
Log:
security/libressl: Fix ECDSA P-256 timing attack vuln
- Add patch from OpenBSD
MFH: 2017Q1
Security: 7caebe30-d7f1-11e6-a9a5-b499baebfeaf
Security: CVE-2016-7056
Added:
head/security/libressl/files/patch-CVE-2016-7056 (contents, props changed)
Modified:
head/security/libressl/Makefile
Modified: head/security/libressl/Makefile
==============================================================================
--- head/security/libressl/Makefile Wed Jan 11 11:41:08 2017 (r431173)
+++ head/security/libressl/Makefile Wed Jan 11 11:42:37 2017 (r431174)
@@ -3,6 +3,7 @@
PORTNAME= libressl
PORTVERSION= 2.4.4
+PORTREVISION= 1
CATEGORIES= security devel
MASTER_SITES= OPENBSD/LibreSSL
Added: head/security/libressl/files/patch-CVE-2016-7056
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/libressl/files/patch-CVE-2016-7056 Wed Jan 11 11:42:37 2017 (r431174)
@@ -0,0 +1,35 @@
+untrusted comment: signature from openbsd 6.0 base secret key
+RWSho3oKSqgLQ55BCxFoKK3pckJBYNZ3l6vujvan4SYLtXvRIsH6PNnmu7Xu18ILyYPxIQnYmCf1ux+IeoD8vzKfEeoCb+UVdQg=
+
+OpenBSD 6.0 errata 16, Jan 5, 2017:
+
+Avoid possible side-channel leak of ECDSA private keys when signing.
+
+Apply by doing:
+ signify -Vep /etc/signify/openbsd-60-base.pub -x 016_libcrypto.patch.sig \
+ -m - | (cd /usr/src && patch -p0)
+
+And then rebuild and install libcrypto:
+ cd /usr/src/lib/libcrypto
+ make obj
+ make depend
+ make
+ make install
+
+Index: lib/libssl/src/crypto/ecdsa/ecs_ossl.c
+===================================================================
+RCS file: /cvs/src/lib/libssl/src/crypto/ecdsa/Attic/ecs_ossl.c,v
+retrieving revision 1.6
+retrieving revision 1.6.8.1
+diff -u -p -r1.6 -r1.6.8.1
+--- crypto/ecdsa/ecs_ossl.c 8 Feb 2015 13:35:07 -0000 1.6
++++ crypto/ecdsa/ecs_ossl.c 5 Jan 2017 13:28:48 -0000 1.6.8.1
+@@ -141,6 +141,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *
+ if (BN_num_bits(k) <= BN_num_bits(order))
+ if (!BN_add(k, k, order))
+ goto err;
++
++ BN_set_flags(k, BN_FLG_CONSTTIME);
+
+ /* compute r the x-coordinate of generator * k */
+ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
More information about the svn-ports-all
mailing list