svn commit: r431206 - in branches/2017Q1/security/libressl: . files
Bernard Spil
brnrd at FreeBSD.org
Wed Jan 11 20:07:01 UTC 2017
Author: brnrd
Date: Wed Jan 11 20:07:00 2017
New Revision: 431206
URL: https://svnweb.freebsd.org/changeset/ports/431206
Log:
MFH: r431174
security/libressl: Fix ECDSA P-256 timing attack vuln
- Add patch from OpenBSD
Security: 7caebe30-d7f1-11e6-a9a5-b499baebfeaf
Security: CVE-2016-7056
Approved by: ports-secteam (feld)
Added:
branches/2017Q1/security/libressl/files/patch-CVE-2016-7056
- copied unchanged from r431174, head/security/libressl/files/patch-CVE-2016-7056
Modified:
branches/2017Q1/security/libressl/Makefile
Directory Properties:
branches/2017Q1/ (props changed)
Modified: branches/2017Q1/security/libressl/Makefile
==============================================================================
--- branches/2017Q1/security/libressl/Makefile Wed Jan 11 19:53:54 2017 (r431205)
+++ branches/2017Q1/security/libressl/Makefile Wed Jan 11 20:07:00 2017 (r431206)
@@ -3,6 +3,7 @@
PORTNAME= libressl
PORTVERSION= 2.4.4
+PORTREVISION= 1
CATEGORIES= security devel
MASTER_SITES= OPENBSD/LibreSSL
Copied: branches/2017Q1/security/libressl/files/patch-CVE-2016-7056 (from r431174, head/security/libressl/files/patch-CVE-2016-7056)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2017Q1/security/libressl/files/patch-CVE-2016-7056 Wed Jan 11 20:07:00 2017 (r431206, copy of r431174, head/security/libressl/files/patch-CVE-2016-7056)
@@ -0,0 +1,35 @@
+untrusted comment: signature from openbsd 6.0 base secret key
+RWSho3oKSqgLQ55BCxFoKK3pckJBYNZ3l6vujvan4SYLtXvRIsH6PNnmu7Xu18ILyYPxIQnYmCf1ux+IeoD8vzKfEeoCb+UVdQg=
+
+OpenBSD 6.0 errata 16, Jan 5, 2017:
+
+Avoid possible side-channel leak of ECDSA private keys when signing.
+
+Apply by doing:
+ signify -Vep /etc/signify/openbsd-60-base.pub -x 016_libcrypto.patch.sig \
+ -m - | (cd /usr/src && patch -p0)
+
+And then rebuild and install libcrypto:
+ cd /usr/src/lib/libcrypto
+ make obj
+ make depend
+ make
+ make install
+
+Index: lib/libssl/src/crypto/ecdsa/ecs_ossl.c
+===================================================================
+RCS file: /cvs/src/lib/libssl/src/crypto/ecdsa/Attic/ecs_ossl.c,v
+retrieving revision 1.6
+retrieving revision 1.6.8.1
+diff -u -p -r1.6 -r1.6.8.1
+--- crypto/ecdsa/ecs_ossl.c 8 Feb 2015 13:35:07 -0000 1.6
++++ crypto/ecdsa/ecs_ossl.c 5 Jan 2017 13:28:48 -0000 1.6.8.1
+@@ -141,6 +141,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *
+ if (BN_num_bits(k) <= BN_num_bits(order))
+ if (!BN_add(k, k, order))
+ goto err;
++
++ BN_set_flags(k, BN_FLG_CONSTTIME);
+
+ /* compute r the x-coordinate of generator * k */
+ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
More information about the svn-ports-all
mailing list