svn commit: r431206 - in branches/2017Q1/security/libressl: . files

Bernard Spil brnrd at FreeBSD.org
Wed Jan 11 20:07:01 UTC 2017 

Author: brnrd
Date: Wed Jan 11 20:07:00 2017
New Revision: 431206
URL: https://svnweb.freebsd.org/changeset/ports/431206

Log:
  MFH: r431174
  
  security/libressl: Fix ECDSA P-256 timing attack vuln
  
    - Add patch from OpenBSD
  
  Security:	7caebe30-d7f1-11e6-a9a5-b499baebfeaf
  Security:	CVE-2016-7056
  
  Approved by:	ports-secteam (feld)

Added:
  branches/2017Q1/security/libressl/files/patch-CVE-2016-7056
     - copied unchanged from r431174, head/security/libressl/files/patch-CVE-2016-7056
Modified:
  branches/2017Q1/security/libressl/Makefile
Directory Properties:
  branches/2017Q1/   (props changed)

Modified: branches/2017Q1/security/libressl/Makefile
==============================================================================
--- branches/2017Q1/security/libressl/Makefile	Wed Jan 11 19:53:54 2017	(r431205)
+++ branches/2017Q1/security/libressl/Makefile	Wed Jan 11 20:07:00 2017	(r431206)
@@ -3,6 +3,7 @@
 
 PORTNAME=	libressl
 PORTVERSION=	2.4.4
+PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	OPENBSD/LibreSSL
 

Copied: branches/2017Q1/security/libressl/files/patch-CVE-2016-7056 (from r431174, head/security/libressl/files/patch-CVE-2016-7056)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q1/security/libressl/files/patch-CVE-2016-7056	Wed Jan 11 20:07:00 2017	(r431206, copy of r431174, head/security/libressl/files/patch-CVE-2016-7056)
@@ -0,0 +1,35 @@
+untrusted comment: signature from openbsd 6.0 base secret key
+RWSho3oKSqgLQ55BCxFoKK3pckJBYNZ3l6vujvan4SYLtXvRIsH6PNnmu7Xu18ILyYPxIQnYmCf1ux+IeoD8vzKfEeoCb+UVdQg=
+
+OpenBSD 6.0 errata 16, Jan 5, 2017:
+
+Avoid possible side-channel leak of ECDSA private keys when signing.
+
+Apply by doing:
+    signify -Vep /etc/signify/openbsd-60-base.pub -x 016_libcrypto.patch.sig \
+        -m - | (cd /usr/src && patch -p0)
+
+And then rebuild and install libcrypto:
+        cd /usr/src/lib/libcrypto
+        make obj
+        make depend
+        make
+        make install
+
+Index: lib/libssl/src/crypto/ecdsa/ecs_ossl.c
+===================================================================
+RCS file: /cvs/src/lib/libssl/src/crypto/ecdsa/Attic/ecs_ossl.c,v
+retrieving revision 1.6
+retrieving revision 1.6.8.1
+diff -u -p -r1.6 -r1.6.8.1
+--- crypto/ecdsa/ecs_ossl.c	8 Feb 2015 13:35:07 -0000	1.6
++++ crypto/ecdsa/ecs_ossl.c	5 Jan 2017 13:28:48 -0000	1.6.8.1
+@@ -141,6 +141,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *
+ 		if (BN_num_bits(k) <= BN_num_bits(order))
+ 			if (!BN_add(k, k, order))
+ 				goto err;
++
++		BN_set_flags(k, BN_FLG_CONSTTIME);
+ 
+ 		/* compute r the x-coordinate of generator * k */
+ 		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {

More information about the svn-ports-all mailing list