Date: Mon, 13 Jun 2016 12:27:51 +1200 From: Pierre Guinoiseau <pierre@guinoiseau.eu> To: Dirk Meyer <dinoex@FreeBSD.org> Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: Re: svn commit: r416823 - in head/security/openssl: . files Message-ID: <20160613002750.GA50877@kyleck.sig11.fr> In-Reply-To: <201606122129.u5CLTwvq063421@repo.freebsd.org> References: <201606122129.u5CLTwvq063421@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--NzB8fVQJ5HfG6fxh Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, can you please update the vuxml entry? Cheers, Pierre On 12/06/2016 21:29:58, Dirk Meyer <dinoex@FreeBSD.org> wrote: > Author: dinoex > Date: Sun Jun 12 21:29:57 2016 > New Revision: 416823 > URL: https://svnweb.freebsd.org/changeset/ports/416823 >=20 > Log: > - Fix DSA, preserve BN_FLG_CONSTTIME > Security: CVE-2016-2178 >=20 > Added: > head/security/openssl/files/patch-dsa_ossl.c (contents, props changed) > Modified: > head/security/openssl/Makefile >=20 > Modified: head/security/openssl/Makefile > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/security/openssl/Makefile Sun Jun 12 20:49:19 2016 (r416822) > +++ head/security/openssl/Makefile Sun Jun 12 21:29:57 2016 (r416823) > @@ -4,7 +4,7 @@ > PORTNAME=3D openssl > PORTVERSION=3D 1.0.2 > DISTVERSIONSUFFIX=3D h > -PORTREVISION=3D 12 > +PORTREVISION=3D 13 > CATEGORIES=3D security devel > MASTER_SITES=3D http://www.openssl.org/source/ \ > ftp://ftp.openssl.org/source/ \ >=20 > Added: head/security/openssl/files/patch-dsa_ossl.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/security/openssl/files/patch-dsa_ossl.c Sun Jun 12 21:29:57 2016= (r416823) > @@ -0,0 +1,35 @@ > + > +Fix DSA, preserve BN_FLG_CONSTTIME > + > +Operations in the DSA signing algorithm should run in constant time in > +order to avoid side channel attacks. A flaw in the OpenSSL DSA > +implementation means that a non-constant time codepath is followed for > +certain operations. This has been demonstrated through a cache-timing > +attack to be sufficient for an attacker to recover the private DSA key. > + > +CVE-2016-2178 > + > +--- crypto/dsa/dsa_ossl.c.orig 2016-05-03 15:44:42.000000000 +0200 > ++++ crypto/dsa/dsa_ossl.c 2016-06-12 22:57:49.000000000 +0200 > +@@ -248,9 +248,6 @@ > + if (!BN_rand_range(&k, dsa->q)) > + goto err; > + while (BN_is_zero(&k)) ; > +- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) =3D=3D 0) { > +- BN_set_flags(&k, BN_FLG_CONSTTIME); > +- } > +=20 > + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { > + if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, > +@@ -282,6 +279,11 @@ > + } else { > + K =3D &k; > + } > ++ > ++ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) =3D=3D 0) { > ++ BN_set_flags(&k, BN_FLG_CONSTTIME); > ++ } > ++ > + DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, > + dsa->method_mont_p); > + if (!BN_mod(r, r, dsa->q, ctx)) > _______________________________________________ > svn-ports-all@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/svn-ports-all > To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org" --=20 Pierre Guinoiseau <pierre@guinoiseau.eu> https://segmentationfau.lt/ | +PierreGuinoiseau | @peikk00 --NzB8fVQJ5HfG6fxh Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAABCgAGBQJXXf39AAoJEFBNg+ogrffPflMP/i6FpaeqGFf7qRKvAsrcYqo0 vxjgVyDpgHofG5b+yyChOFtTU2WKrm+fm9I2jHhbMPEV1KbZ/O0gA2js5GILv7Kt wkzJb6i533Jo4MJenUfiHOw/USP1eF9OrmPr7QhBoCmuGu11xW3lVJxm7lEFumNs uD7XU4uxFdrtGuw5zhSc/Y7IcnrzsS0/NmS1FO2xDRHqUkX7a6udcK5zuIx8C0l7 SQngYnDAGiFG4y6PSXW8Ew5h/tHH61QMbMVLsEEEdfgLC7gYHBRjfzb4bdtU/bUX D/I7u2FwG6R1QUqyhYAxgDrqNCZbqZSNdZZ5EeI74XiMlq1DmQSKKuBOnb5rKzxR sPUih0slMP10s7DDkc+AepXkBhs4CvTrhLbY8fdOvOQowUQDphzEAsfEXpPE5crw Fzyw7ebZ8nWHpsPhA2oeIUwFkU6pejlaeLq/1ToVlqQPx4dEdDAfz6Ooz+dXn/Vm /PUHXupWizYvgkHOTKtHgsJgCwu1eBwWIePmmhE8h/+9t0EsI/T99H6F4XpaFRZP A65ShlpbCUiEZqwcd4/atfbgDjitnSWDPC+cKg4U9vJAd8+boG7u0iJf4UR7i2Gx 3xyRrJcor6ljZiwNO7WoOrWmfq2ZolJtIPyeT5wSbxzZDxnJY6jvrVYm6scxa7ki 4OxT4GqZ2DpvEhajgefN =6HDH -----END PGP SIGNATURE----- --NzB8fVQJ5HfG6fxh--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160613002750.GA50877>