diff options
author | Bernard Spil <brnrd@FreeBSD.org> | 2017-01-11 11:53:40 +0000 |
---|---|---|
committer | Bernard Spil <brnrd@FreeBSD.org> | 2017-01-11 11:53:40 +0000 |
commit | a83b9f03f34fd70bcf7c01c85d722640cd4c00d9 (patch) | |
tree | 9a02fb2e5d18968f476a3328e03eb0cfd84b8e5d /security/libressl-devel | |
parent | dfab4689804a70d56cfcef39cd954aef68ff7e51 (diff) | |
download | ports-a83b9f03f34fd70bcf7c01c85d722640cd4c00d9.tar.gz ports-a83b9f03f34fd70bcf7c01c85d722640cd4c00d9.zip |
security/libressl-devel: Fix ECDSA P-256 timing attack vuln
- Add patch from LibreSSL github
MFH: 2017Q1
Security: 7caebe30-d7f1-11e6-a9a5-b499baebfeaf
Security: CVE-2016-7056
Notes
Notes:
svn path=/head/; revision=431176
Diffstat (limited to 'security/libressl-devel')
-rw-r--r-- | security/libressl-devel/Makefile | 1 | ||||
-rw-r--r-- | security/libressl-devel/files/patch-CVE-2016-7056 | 33 |
2 files changed, 34 insertions, 0 deletions
diff --git a/security/libressl-devel/Makefile b/security/libressl-devel/Makefile index c766a109f1a5..fdcb342ef5ce 100644 --- a/security/libressl-devel/Makefile +++ b/security/libressl-devel/Makefile @@ -3,6 +3,7 @@ PORTNAME= libressl PORTVERSION= 2.5.0 +PORTREVISION= 1 CATEGORIES= security devel MASTER_SITES= OPENBSD/LibreSSL PKGNAMESUFFIX= -devel diff --git a/security/libressl-devel/files/patch-CVE-2016-7056 b/security/libressl-devel/files/patch-CVE-2016-7056 new file mode 100644 index 000000000000..8d04bdf06333 --- /dev/null +++ b/security/libressl-devel/files/patch-CVE-2016-7056 @@ -0,0 +1,33 @@ +From 3585681bd8ac343b7c357a932c9577988bca86b0 Mon Sep 17 00:00:00 2001 +From: jsing <> +Date: Thu, 5 Jan 2017 13:25:52 +0000 +Subject: [PATCH] Avoid a side-channel cache-timing attack that can leak the + ECDSA private keys when signing. This is due to BN_mod_inverse() being used + without the constant time flag being set. + +This issue was reported by Cesar Pereida Garcia and Billy Brumley +(Tampere University of Technology). The fix was developed by Cesar Pereida +Garcia. +--- + src/lib/libcrypto/ecdsa/ecs_ossl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c +index b03b1fb..9e23b88 100644 +--- crypto/ecdsa/ecs_ossl.c ++++ crypto/ecdsa/ecs_ossl.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ecs_ossl.c,v 1.5 2014/07/12 16:03:37 miod Exp $ */ ++/* $OpenBSD: ecs_ossl.c,v 1.6 2015/02/08 13:35:07 jsing Exp $ */ + /* + * Written by Nils Larsch for the OpenSSL project + */ +@@ -142,6 +142,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) + if (!BN_add(k, k, order)) + goto err; + ++ BN_set_flags(k, BN_FLG_CONSTTIME); ++ + /* compute r the x-coordinate of generator * k */ + if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); |