Date: Fri, 10 Apr 2009 01:42:13 +0400 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: Mike Tancsa <mike@sentex.net> Cc: freebsd-security@freebsd.org, secteam@freebsd.org Subject: Re: Openssl advisory ? Message-ID: <9JcZBMdMQ7dwCWEdjJLVlfrtgTg@7qgLKkvX/1U6eu9avhKQpU/1pEI> In-Reply-To: <200904061843.n36IhGxl052471@lava.sentex.ca> References: <200904061843.n36IhGxl052471@lava.sentex.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
Mike, *, good day. Mon, Apr 06, 2009 at 02:44:01PM -0400, Mike Tancsa wrote: > Just wondering if this impacts FreeBSD's version in any significant way ? > > http://www.openssl.org/news/secadv_20090325.txt DoS is probably the likiest item that will be visible: CMS is disabled by-default in upstream version and isn't yet present in FreeBSD's OpenSSL (checked 7-STABLE and 8-CURRENT) and the third issue is only present on platforms where sizeof (void *) > sizeof (long). I guess that there could be such platforms (and compilers) on FreeBSD that will produce such result, but I can't name anything. I only know that M$'s Visual Studio will produce sizeof(long) == 4 and sizeof(void *) == 8 on the 64-bit branch. By the way, there is other. older OpenSSL issue that looks unpatched, http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/126446 Side-channel attacks are often hard to conduct and some special curcumstances should hold, but when it is done properly, this could yield very sound results, for example, http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf http://www.openssl.org/news/secadv_20030317.txt Perhaps the second issue could be patched as well? The patch touches only Montgomery multiplication routine and should not interfere with anything else, so it should be rather safe to fix this vulnerability in terms of possible regressions. -- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ #
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9JcZBMdMQ7dwCWEdjJLVlfrtgTg>