Date: Wed, 11 Jan 2017 11:53:40 +0000 (UTC) From: Bernard Spil <brnrd@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r431176 - in head/security/libressl-devel: . files Message-ID: <201701111153.v0BBremT046671@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: brnrd Date: Wed Jan 11 11:53:40 2017 New Revision: 431176 URL: https://svnweb.freebsd.org/changeset/ports/431176 Log: security/libressl-devel: Fix ECDSA P-256 timing attack vuln - Add patch from LibreSSL github MFH: 2017Q1 Security: 7caebe30-d7f1-11e6-a9a5-b499baebfeaf Security: CVE-2016-7056 Added: head/security/libressl-devel/files/ head/security/libressl-devel/files/patch-CVE-2016-7056 (contents, props changed) Modified: head/security/libressl-devel/Makefile Modified: head/security/libressl-devel/Makefile ============================================================================== --- head/security/libressl-devel/Makefile Wed Jan 11 11:50:02 2017 (r431175) +++ head/security/libressl-devel/Makefile Wed Jan 11 11:53:40 2017 (r431176) @@ -3,6 +3,7 @@ PORTNAME= libressl PORTVERSION= 2.5.0 +PORTREVISION= 1 CATEGORIES= security devel MASTER_SITES= OPENBSD/LibreSSL PKGNAMESUFFIX= -devel Added: head/security/libressl-devel/files/patch-CVE-2016-7056 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/libressl-devel/files/patch-CVE-2016-7056 Wed Jan 11 11:53:40 2017 (r431176) @@ -0,0 +1,33 @@ +From 3585681bd8ac343b7c357a932c9577988bca86b0 Mon Sep 17 00:00:00 2001 +From: jsing <> +Date: Thu, 5 Jan 2017 13:25:52 +0000 +Subject: [PATCH] Avoid a side-channel cache-timing attack that can leak the + ECDSA private keys when signing. This is due to BN_mod_inverse() being used + without the constant time flag being set. + +This issue was reported by Cesar Pereida Garcia and Billy Brumley +(Tampere University of Technology). The fix was developed by Cesar Pereida +Garcia. +--- + src/lib/libcrypto/ecdsa/ecs_ossl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c +index b03b1fb..9e23b88 100644 +--- crypto/ecdsa/ecs_ossl.c ++++ crypto/ecdsa/ecs_ossl.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ecs_ossl.c,v 1.5 2014/07/12 16:03:37 miod Exp $ */ ++/* $OpenBSD: ecs_ossl.c,v 1.6 2015/02/08 13:35:07 jsing Exp $ */ + /* + * Written by Nils Larsch for the OpenSSL project + */ +@@ -142,6 +142,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) + if (!BN_add(k, k, order)) + goto err; + ++ BN_set_flags(k, BN_FLG_CONSTTIME); ++ + /* compute r the x-coordinate of generator * k */ + if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201701111153.v0BBremT046671>