From owner-svn-ports-head@freebsd.org  Mon Jun 13 00:28:04 2016
Return-Path: <owner-svn-ports-head@freebsd.org>
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 762AEAF1785;
 Mon, 13 Jun 2016 00:28:04 +0000 (UTC)
 (envelope-from pierre@guinoiseau.eu)
Received: from tritus.sig11.fr (tritus.sig11.fr [IPv6:2a01:4f8:160:72a3::6:1])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 238782195;
 Mon, 13 Jun 2016 00:28:03 +0000 (UTC)
 (envelope-from pierre@guinoiseau.eu)
Received: from kyleck.sig11.fr (kyleck.sig11.fr [IPv6:2a01:4f8:160:72a3::7:1])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (No client certificate requested)
 by tritus.sig11.fr (Postfix) with ESMTPSA id 5F94722C92;
 Mon, 13 Jun 2016 12:27:52 +1200 (NZST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=guinoiseau.eu;
 s=mail; t=1465777672;
 bh=ZqVfso8seTJBq9FlZ1rS+xrNKwGFi3GyKhE+Y6yxTqI=;
 h=Date:From:To:Cc:Subject:References:In-Reply-To;
 b=lukl71o6hYWKJp9dX2QhPQdvldd3sI++u9u7Ih9dyrFl6VEGiQ2xfzv2QR+0UhHj6
 6tseNNzvmokMigQBiEc/n6MASDFbp9cTeKKrptXSDJcYBIpbMOegkOR6Q5c6ZS+T4C
 Qg6rMdjrc/P4wbNOo0rmkx8fIOo0AJKQrg14oOsQ=
Date: Mon, 13 Jun 2016 12:27:51 +1200
From: Pierre Guinoiseau <pierre@guinoiseau.eu>
To: Dirk Meyer <dinoex@FreeBSD.org>
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: Re: svn commit: r416823 - in head/security/openssl: . files
Message-ID: <20160613002750.GA50877@kyleck.sig11.fr>
References: <201606122129.u5CLTwvq063421@repo.freebsd.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="NzB8fVQJ5HfG6fxh"
Content-Disposition: inline
In-Reply-To: <201606122129.u5CLTwvq063421@repo.freebsd.org>
X-Operating-System: FreeBSD
User-Agent: Mutt/1.6.1 (2016-04-27)
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SVN commit messages for the ports tree for head
 <svn-ports-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-head>, 
 <mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head/>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2016 00:28:04 -0000


--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

can you please update the vuxml entry?

Cheers,
Pierre

On 12/06/2016 21:29:58, Dirk Meyer <dinoex@FreeBSD.org> wrote:

> Author: dinoex
> Date: Sun Jun 12 21:29:57 2016
> New Revision: 416823
> URL: https://svnweb.freebsd.org/changeset/ports/416823
>=20
> Log:
>   - Fix DSA, preserve BN_FLG_CONSTTIME
>   Security: CVE-2016-2178
>=20
> Added:
>   head/security/openssl/files/patch-dsa_ossl.c   (contents, props changed)
> Modified:
>   head/security/openssl/Makefile
>=20
> Modified: head/security/openssl/Makefile
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> --- head/security/openssl/Makefile	Sun Jun 12 20:49:19 2016	(r416822)
> +++ head/security/openssl/Makefile	Sun Jun 12 21:29:57 2016	(r416823)
> @@ -4,7 +4,7 @@
>  PORTNAME=3D	openssl
>  PORTVERSION=3D	1.0.2
>  DISTVERSIONSUFFIX=3D	h
> -PORTREVISION=3D	12
> +PORTREVISION=3D	13
>  CATEGORIES=3D	security devel
>  MASTER_SITES=3D	http://www.openssl.org/source/ \
>  		ftp://ftp.openssl.org/source/ \
>=20
> Added: head/security/openssl/files/patch-dsa_ossl.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> --- /dev/null	00:00:00 1970	(empty, because file is newly added)
> +++ head/security/openssl/files/patch-dsa_ossl.c	Sun Jun 12 21:29:57 2016=
	(r416823)
> @@ -0,0 +1,35 @@
> +
> +Fix DSA, preserve BN_FLG_CONSTTIME
> +
> +Operations in the DSA signing algorithm should run in constant time in
> +order to avoid side channel attacks. A flaw in the OpenSSL DSA
> +implementation means that a non-constant time codepath is followed for
> +certain operations. This has been demonstrated through a cache-timing
> +attack to be sufficient for an attacker to recover the private DSA key.
> +
> +CVE-2016-2178
> +
> +--- crypto/dsa/dsa_ossl.c.orig	2016-05-03 15:44:42.000000000 +0200
> ++++ crypto/dsa/dsa_ossl.c	2016-06-12 22:57:49.000000000 +0200
> +@@ -248,9 +248,6 @@
> +         if (!BN_rand_range(&k, dsa->q))
> +             goto err;
> +     while (BN_is_zero(&k)) ;
> +-    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) =3D=3D 0) {
> +-        BN_set_flags(&k, BN_FLG_CONSTTIME);
> +-    }
> +=20
> +     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
> +         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
> +@@ -282,6 +279,11 @@
> +     } else {
> +         K =3D &k;
> +     }
> ++
> ++    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) =3D=3D 0) {
> ++        BN_set_flags(&k, BN_FLG_CONSTTIME);
> ++    }
> ++
> +     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
> +                    dsa->method_mont_p);
> +     if (!BN_mod(r, r, dsa->q, ctx))
> _______________________________________________
> svn-ports-all@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-ports-all
> To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"

--=20
Pierre Guinoiseau <pierre@guinoiseau.eu>
https://segmentationfau.lt/ | +PierreGuinoiseau | @peikk00

--NzB8fVQJ5HfG6fxh
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCgAGBQJXXf39AAoJEFBNg+ogrffPflMP/i6FpaeqGFf7qRKvAsrcYqo0
vxjgVyDpgHofG5b+yyChOFtTU2WKrm+fm9I2jHhbMPEV1KbZ/O0gA2js5GILv7Kt
wkzJb6i533Jo4MJenUfiHOw/USP1eF9OrmPr7QhBoCmuGu11xW3lVJxm7lEFumNs
uD7XU4uxFdrtGuw5zhSc/Y7IcnrzsS0/NmS1FO2xDRHqUkX7a6udcK5zuIx8C0l7
SQngYnDAGiFG4y6PSXW8Ew5h/tHH61QMbMVLsEEEdfgLC7gYHBRjfzb4bdtU/bUX
D/I7u2FwG6R1QUqyhYAxgDrqNCZbqZSNdZZ5EeI74XiMlq1DmQSKKuBOnb5rKzxR
sPUih0slMP10s7DDkc+AepXkBhs4CvTrhLbY8fdOvOQowUQDphzEAsfEXpPE5crw
Fzyw7ebZ8nWHpsPhA2oeIUwFkU6pejlaeLq/1ToVlqQPx4dEdDAfz6Ooz+dXn/Vm
/PUHXupWizYvgkHOTKtHgsJgCwu1eBwWIePmmhE8h/+9t0EsI/T99H6F4XpaFRZP
A65ShlpbCUiEZqwcd4/atfbgDjitnSWDPC+cKg4U9vJAd8+boG7u0iJf4UR7i2Gx
3xyRrJcor6ljZiwNO7WoOrWmfq2ZolJtIPyeT5wSbxzZDxnJY6jvrVYm6scxa7ki
4OxT4GqZ2DpvEhajgefN
=6HDH
-----END PGP SIGNATURE-----

--NzB8fVQJ5HfG6fxh--