diff options
author | Bernard Spil <brnrd@FreeBSD.org> | 2018-11-20 17:53:09 +0000 |
---|---|---|
committer | Bernard Spil <brnrd@FreeBSD.org> | 2018-11-20 17:53:09 +0000 |
commit | d3e894d9264c058a4fdb8b366773fd934a8427d0 (patch) | |
tree | 115c797c8a18f0277fa92b1472907917754ded41 /security/openssl | |
parent | ea1eba8edc73b486923f1d3cec4d5ee885679ad9 (diff) | |
download | ports-d3e894d9264c058a4fdb8b366773fd934a8427d0.tar.gz ports-d3e894d9264c058a4fdb8b366773fd934a8427d0.zip |
security/openssl: Update to 1.0.2q
Notes
Notes:
svn path=/head/; revision=485452
Diffstat (limited to 'security/openssl')
-rw-r--r-- | security/openssl/Makefile | 3 | ||||
-rw-r--r-- | security/openssl/distinfo | 6 | ||||
-rw-r--r-- | security/openssl/files/patch-CVE-2018-5407 | 341 | ||||
-rw-r--r-- | security/openssl/pkg-plist | 1 |
4 files changed, 5 insertions, 346 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile index be8c66de10a6..f15f9a67fcce 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= openssl -PORTVERSION= 1.0.2p -PORTREVISION= 2 +PORTVERSION= 1.0.2q PORTEPOCH= 1 CATEGORIES= security devel MASTER_SITES= http://www.openssl.org/source/ \ diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 1d4b19c9bf10..ffefc573e44c 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,6 +1,6 @@ -TIMESTAMP = 1534253606 -SHA256 (openssl-1.0.2/openssl-1.0.2p.tar.gz) = 50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00 -SIZE (openssl-1.0.2/openssl-1.0.2p.tar.gz) = 5338192 +TIMESTAMP = 1542734523 +SHA256 (openssl-1.0.2/openssl-1.0.2q.tar.gz) = 5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684 +SIZE (openssl-1.0.2/openssl-1.0.2q.tar.gz) = 5345604 SHA256 (openssl-1.0.2/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 SIZE (openssl-1.0.2/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3717 SHA256 (openssl-1.0.2/1002-backport-changes-from-upstream-padlock-module.patch) = aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 diff --git a/security/openssl/files/patch-CVE-2018-5407 b/security/openssl/files/patch-CVE-2018-5407 deleted file mode 100644 index 0e65ecb396a1..000000000000 --- a/security/openssl/files/patch-CVE-2018-5407 +++ /dev/null @@ -1,341 +0,0 @@ -From b18162a7c9bbfb57112459a4d6631fa258fd8c0c Mon Sep 17 00:00:00 2001 -From: Billy Brumley <bbrumley@gmail.com> -Date: Thu, 8 Nov 2018 13:57:54 +0200 -Subject: [PATCH] CVE-2018-5407 fix: ECC ladder - -Reviewed-by: Matt Caswell <matt@openssl.org> -Reviewed-by: Paul Dale <paul.dale@oracle.com> -Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> -(Merged from https://github.com/openssl/openssl/pull/7593) ---- CHANGES.orig 2018-08-14 13:01:02 UTC -+++ CHANGES -@@ -7,6 +7,21 @@ - https://github.com/openssl/openssl/commits/ and pick the appropriate - release branch. - -+ Changes between 1.0.2p and 1.0.2q [xx XXX xxxx] -+ -+ *) Microarchitecture timing vulnerability in ECC scalar multiplication -+ -+ OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been -+ shown to be vulnerable to a microarchitecture timing side channel attack. -+ An attacker with sufficient access to mount local timing attacks during -+ ECDSA signature generation could recover the private key. -+ -+ This issue was reported to OpenSSL on 26th October 2018 by Alejandro -+ Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and -+ Nicola Tuveri. -+ (CVE-2018-5407) -+ [Billy Brumley] -+ - Changes between 1.0.2o and 1.0.2p [14 Aug 2018] - - *) Client DoS due to large DH parameter - CHANGES | 13 +++ - crypto/bn/bn_lib.c | 32 ++++++ - crypto/ec/ec_mult.c | 246 ++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 291 insertions(+) - ---- crypto/bn/bn_lib.c.orig 2018-08-14 12:49:04 UTC -+++ crypto/bn/bn_lib.c -@@ -889,6 +889,38 @@ void BN_consttime_swap(BN_ULONG conditio - a->top ^= t; - b->top ^= t; - -+ t = (a->neg ^ b->neg) & condition; -+ a->neg ^= t; -+ b->neg ^= t; -+ -+ /*- -+ * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention -+ * is actually to treat it as it's read-only data, and some (if not most) -+ * of it does reside in read-only segment. In other words observation of -+ * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal -+ * condition. It would either cause SEGV or effectively cause data -+ * corruption. -+ * -+ * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be -+ * preserved. -+ * -+ * BN_FLG_SECURE: must be preserved, because it determines how x->d was -+ * allocated and hence how to free it. -+ * -+ * BN_FLG_CONSTTIME: sufficient to mask and swap -+ * -+ * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on -+ * the data, so the d array may be padded with additional 0 values (i.e. -+ * top could be greater than the minimal value that it could be). We should -+ * be swapping it -+ */ -+ -+#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) -+ -+ t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; -+ a->flags ^= t; -+ b->flags ^= t; -+ - #define BN_CONSTTIME_SWAP(ind) \ - do { \ - t = (a->d[ind] ^ b->d[ind]) & condition; \ ---- crypto/ec/ec_mult.c.orig 2018-08-14 12:48:57 UTC -+++ crypto/ec/ec_mult.c -@@ -310,6 +310,224 @@ static signed char *compute_wNAF(const B - return r; - } - -+#define EC_POINT_BN_set_flags(P, flags) do { \ -+ BN_set_flags(&(P)->X, (flags)); \ -+ BN_set_flags(&(P)->Y, (flags)); \ -+ BN_set_flags(&(P)->Z, (flags)); \ -+} while(0) -+ -+/*- -+ * This functions computes (in constant time) a point multiplication over the -+ * EC group. -+ * -+ * At a high level, it is Montgomery ladder with conditional swaps. -+ * -+ * It performs either a fixed scalar point multiplication -+ * (scalar * generator) -+ * when point is NULL, or a generic scalar point multiplication -+ * (scalar * point) -+ * when point is not NULL. -+ * -+ * scalar should be in the range [0,n) otherwise all constant time bets are off. -+ * -+ * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, -+ * which of course are not constant time themselves. -+ * -+ * The product is stored in r. -+ * -+ * Returns 1 on success, 0 otherwise. -+ */ -+static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, -+ const BIGNUM *scalar, const EC_POINT *point, -+ BN_CTX *ctx) -+{ -+ int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; -+ EC_POINT *s = NULL; -+ BIGNUM *k = NULL; -+ BIGNUM *lambda = NULL; -+ BIGNUM *cardinality = NULL; -+ BN_CTX *new_ctx = NULL; -+ int ret = 0; -+ -+ if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL) -+ return 0; -+ -+ BN_CTX_start(ctx); -+ -+ s = EC_POINT_new(group); -+ if (s == NULL) -+ goto err; -+ -+ if (point == NULL) { -+ if (!EC_POINT_copy(s, group->generator)) -+ goto err; -+ } else { -+ if (!EC_POINT_copy(s, point)) -+ goto err; -+ } -+ -+ EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); -+ -+ cardinality = BN_CTX_get(ctx); -+ lambda = BN_CTX_get(ctx); -+ k = BN_CTX_get(ctx); -+ if (k == NULL || !BN_mul(cardinality, &group->order, &group->cofactor, ctx)) -+ goto err; -+ -+ /* -+ * Group cardinalities are often on a word boundary. -+ * So when we pad the scalar, some timing diff might -+ * pop if it needs to be expanded due to carries. -+ * So expand ahead of time. -+ */ -+ cardinality_bits = BN_num_bits(cardinality); -+ group_top = cardinality->top; -+ if ((bn_wexpand(k, group_top + 2) == NULL) -+ || (bn_wexpand(lambda, group_top + 2) == NULL)) -+ goto err; -+ -+ if (!BN_copy(k, scalar)) -+ goto err; -+ -+ BN_set_flags(k, BN_FLG_CONSTTIME); -+ -+ if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { -+ /*- -+ * this is an unusual input, and we don't guarantee -+ * constant-timeness -+ */ -+ if (!BN_nnmod(k, k, cardinality, ctx)) -+ goto err; -+ } -+ -+ if (!BN_add(lambda, k, cardinality)) -+ goto err; -+ BN_set_flags(lambda, BN_FLG_CONSTTIME); -+ if (!BN_add(k, lambda, cardinality)) -+ goto err; -+ /* -+ * lambda := scalar + cardinality -+ * k := scalar + 2*cardinality -+ */ -+ kbit = BN_is_bit_set(lambda, cardinality_bits); -+ BN_consttime_swap(kbit, k, lambda, group_top + 2); -+ -+ group_top = group->field.top; -+ if ((bn_wexpand(&s->X, group_top) == NULL) -+ || (bn_wexpand(&s->Y, group_top) == NULL) -+ || (bn_wexpand(&s->Z, group_top) == NULL) -+ || (bn_wexpand(&r->X, group_top) == NULL) -+ || (bn_wexpand(&r->Y, group_top) == NULL) -+ || (bn_wexpand(&r->Z, group_top) == NULL)) -+ goto err; -+ -+ /* top bit is a 1, in a fixed pos */ -+ if (!EC_POINT_copy(r, s)) -+ goto err; -+ -+ EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); -+ -+ if (!EC_POINT_dbl(group, s, s, ctx)) -+ goto err; -+ -+ pbit = 0; -+ -+#define EC_POINT_CSWAP(c, a, b, w, t) do { \ -+ BN_consttime_swap(c, &(a)->X, &(b)->X, w); \ -+ BN_consttime_swap(c, &(a)->Y, &(b)->Y, w); \ -+ BN_consttime_swap(c, &(a)->Z, &(b)->Z, w); \ -+ t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ -+ (a)->Z_is_one ^= (t); \ -+ (b)->Z_is_one ^= (t); \ -+} while(0) -+ -+ /*- -+ * The ladder step, with branches, is -+ * -+ * k[i] == 0: S = add(R, S), R = dbl(R) -+ * k[i] == 1: R = add(S, R), S = dbl(S) -+ * -+ * Swapping R, S conditionally on k[i] leaves you with state -+ * -+ * k[i] == 0: T, U = R, S -+ * k[i] == 1: T, U = S, R -+ * -+ * Then perform the ECC ops. -+ * -+ * U = add(T, U) -+ * T = dbl(T) -+ * -+ * Which leaves you with state -+ * -+ * k[i] == 0: U = add(R, S), T = dbl(R) -+ * k[i] == 1: U = add(S, R), T = dbl(S) -+ * -+ * Swapping T, U conditionally on k[i] leaves you with state -+ * -+ * k[i] == 0: R, S = T, U -+ * k[i] == 1: R, S = U, T -+ * -+ * Which leaves you with state -+ * -+ * k[i] == 0: S = add(R, S), R = dbl(R) -+ * k[i] == 1: R = add(S, R), S = dbl(S) -+ * -+ * So we get the same logic, but instead of a branch it's a -+ * conditional swap, followed by ECC ops, then another conditional swap. -+ * -+ * Optimization: The end of iteration i and start of i-1 looks like -+ * -+ * ... -+ * CSWAP(k[i], R, S) -+ * ECC -+ * CSWAP(k[i], R, S) -+ * (next iteration) -+ * CSWAP(k[i-1], R, S) -+ * ECC -+ * CSWAP(k[i-1], R, S) -+ * ... -+ * -+ * So instead of two contiguous swaps, you can merge the condition -+ * bits and do a single swap. -+ * -+ * k[i] k[i-1] Outcome -+ * 0 0 No Swap -+ * 0 1 Swap -+ * 1 0 Swap -+ * 1 1 No Swap -+ * -+ * This is XOR. pbit tracks the previous bit of k. -+ */ -+ -+ for (i = cardinality_bits - 1; i >= 0; i--) { -+ kbit = BN_is_bit_set(k, i) ^ pbit; -+ EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); -+ if (!EC_POINT_add(group, s, r, s, ctx)) -+ goto err; -+ if (!EC_POINT_dbl(group, r, r, ctx)) -+ goto err; -+ /* -+ * pbit logic merges this cswap with that of the -+ * next iteration -+ */ -+ pbit ^= kbit; -+ } -+ /* one final cswap to move the right value into r */ -+ EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); -+#undef EC_POINT_CSWAP -+ -+ ret = 1; -+ -+ err: -+ EC_POINT_free(s); -+ BN_CTX_end(ctx); -+ BN_CTX_free(new_ctx); -+ -+ return ret; -+} -+ -+#undef EC_POINT_BN_set_flags -+ - /* - * TODO: table should be optimised for the wNAF-based implementation, - * sometimes smaller windows will give better performance (thus the -@@ -369,6 +587,34 @@ int ec_wNAF_mul(const EC_GROUP *group, E - return EC_POINT_set_to_infinity(group, r); - } - -+ if (!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)) { -+ /*- -+ * Handle the common cases where the scalar is secret, enforcing a constant -+ * time scalar multiplication algorithm. -+ */ -+ if ((scalar != NULL) && (num == 0)) { -+ /*- -+ * In this case we want to compute scalar * GeneratorPoint: this -+ * codepath is reached most prominently by (ephemeral) key generation -+ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH -+ * keygen/first half), where the scalar is always secret. This is why -+ * we ignore if BN_FLG_CONSTTIME is actually set and we always call the -+ * constant time version. -+ */ -+ return ec_mul_consttime(group, r, scalar, NULL, ctx); -+ } -+ if ((scalar == NULL) && (num == 1)) { -+ /*- -+ * In this case we want to compute scalar * GenericPoint: this codepath -+ * is reached most prominently by the second half of ECDH, where the -+ * secret scalar is multiplied by the peer's public point. To protect -+ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and -+ * we always call the constant time version. -+ */ -+ return ec_mul_consttime(group, r, scalars[0], points[0], ctx); -+ } -+ } -+ - for (i = 0; i < num; i++) { - if (group->meth != points[i]->meth) { - ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); diff --git a/security/openssl/pkg-plist b/security/openssl/pkg-plist index fe5afe80ed3b..7833b989e2c9 100644 --- a/security/openssl/pkg-plist +++ b/security/openssl/pkg-plist @@ -1052,6 +1052,7 @@ man/man1/x509.1.gz %%MAN3%%man/man3/OBJ_txt2obj.3.gz %%MAN3%%man/man3/OPENSSL_Applink.3.gz %%MAN3%%man/man3/OPENSSL_VERSION_NUMBER.3.gz +%%MAN3%%man/man3/OPENSSL_VERSION_TEXT.3.gz %%MAN3%%man/man3/OPENSSL_config.3.gz %%MAN3%%man/man3/OPENSSL_ia32cap.3.gz %%MAN3%%man/man3/OPENSSL_ia32cap_loc.3.gz |