author | obache <obache> | 2014-04-08 06:20:44 +0000 |
committer | obache <obache> | 2014-04-08 06:20:44 +0000 |
commit | 6919dba79d6afbaab4ed05f6ba8e92fe0343f318 (patch) | |
tree | da017f1f6324e77e03941e2ce8d61d0a58ae4059 | |
parent | 26980567e6435c2e613801bc8bd24ea47d16fff2 (diff) | |
Update openssl to 1.0.1g.
(CVE-2014-0076 is already fixed in pkgsrc).
OpenSSL CHANGES
_______________
Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
[Adam Langley, Bodo Moeller]
*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]
*) TLS pad extension: draft-agl-tls-padding-03
Workaround for the "TLS hang bug" (see FAQ and opensslPR#2771): if the
TLS client Hello record length value would otherwise be > 255 and
less than 512, pad with a dummy extension containing zeroes so it
is at least 512 bytes long.
[Adam Langley, Steve Henson]
-rw-r--r-- | security/openssl/Makefile | 5 | ||||
-rw-r--r-- | security/openssl/distinfo | 8 | ||||
-rw-r--r-- | security/openssl/patches/patch-crypto_bn_bn.h | 36 | ||||
-rw-r--r-- | security/openssl/patches/patch-crypto_bn_bn__lib.c | 62 | ||||
-rw-r--r-- | security/openssl/patches/patch-crypto_ec_ec2__mult.c | 58 |
5 files changed, 6 insertions, 163 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 131b8b8ebf8..099b64b0179 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.187 2014/04/08 02:48:38 obache Exp $
+# $NetBSD: Makefile,v 1.188 2014/04/08 06:20:44 obache Exp $
 
-DISTNAME= openssl-1.0.1f
-PKGREVISION= 1
+DISTNAME= openssl-1.0.1g
 MASTER_SITES= http://ftp.openssl.org/source/
 SVR4_PKGNAME= ossl
 CATEGORIES= security
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 34bf0862443..38c0cbfced2 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.103 2014/04/02 12:11:35 he Exp $
+$NetBSD: distinfo,v 1.104 2014/04/08 06:20:44 obache Exp $
 
-SHA1 (openssl-1.0.1f.tar.gz) = 9ef09e97dfc9f14ac2c042f3b7e301098794fc0f
-RMD160 (openssl-1.0.1f.tar.gz) = db8c07f8753fab2b76118d4c18175290356ed144
-Size (openssl-1.0.1f.tar.gz) = 4509212 bytes
+SHA1 (openssl-1.0.1g.tar.gz) = b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c
+RMD160 (openssl-1.0.1g.tar.gz) = cd2eb879646a2b91b2f67dfaf99eb9668ba5d7ea
+Size (openssl-1.0.1g.tar.gz) = 4509047 bytes
 SHA1 (patch-Configure) = ecdafa378e73bd2d6789c985ea28ef4ab2126aa6
 SHA1 (patch-Makefile.org) = 8780f8829b8a010d4283f00740c264a4dc15c7c6
 SHA1 (patch-Makefile.shared) = 1b47a1d3d95391217b15663d3558545780263fbb
diff --git a/security/openssl/patches/patch-crypto_bn_bn.h b/security/openssl/patches/patch-crypto_bn_bn.h
deleted file mode 100644
index 5b4016f0272..00000000000
--- a/security/openssl/patches/patch-crypto_bn_bn.h
+++ /dev/null
@@ -1,36 +0,0 @@
-$NetBSD: patch-crypto_bn_bn.h,v 1.1 2014/04/02 12:11:35 he Exp $
-
-Part of fix for CVE-2014-0076.
-
---- crypto/bn/bn.h.orig 2014-01-06 13:47:42.000000000 +0000
-+++ crypto/bn/bn.h
-@@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
- BIGNUM *BN_mod_sqrt(BIGNUM *ret,
- const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
- 
-+void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
-+
- /* Deprecated versions */
- #ifndef OPENSSL_NO_DEPRECATED
- BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
-@@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf
- 
- #define bn_fix_top(a) bn_check_top(a)
- 
-+#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
-+#define bn_wcheck_size(bn, words) \
-+ do { \
-+ const BIGNUM *_bnum2 = (bn); \
-+ assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
-+ } while (0)
-+
- #else /* !BN_DEBUG */
- 
- #define bn_pollute(a)
- #define bn_check_top(a)
- #define bn_fix_top(a) bn_correct_top(a)
-+#define bn_check_size(bn, bits)
-+#define bn_wcheck_size(bn, words)
- 
- #endif
- 
@@ -1,62 +0,0 @@
-$NetBSD: patch-crypto_bn_bn__lib.c,v 1.1 2014/04/02 12:11:35 he Exp $
-
-Part of fix for CVE-2014-0076.
-
---- crypto/bn/bn_lib.c.orig 2014-01-06 13:47:42.000000000 +0000
-+++ crypto/bn/bn_lib.c
-@@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a,
- }
- return bn_cmp_words(a,b,cl);
- }
-+
-+/*
-+ * Constant-time conditional swap of a and b.
-+ * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
-+ * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
-+ * and that no more than nwords are used by either a or b.
-+ * a and b cannot be the same number
-+ */
-+void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
-+ {
-+ BN_ULONG t;
-+ int i;
-+
-+ bn_wcheck_size(a, nwords);
-+ bn_wcheck_size(b, nwords);
-+
-+ assert(a != b);
-+ assert((condition & (condition - 1)) == 0);
-+ assert(sizeof(BN_ULONG) >= sizeof(int));
-+
-+ condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
-+
-+ t = (a->top^b->top) & condition;
-+ a->top ^= t;
-+ b->top ^= t;
-+
-+#define BN_CONSTTIME_SWAP(ind) \
-+ do { \
-+ t = (a->d[ind] ^ b->d[ind]) & condition; \
-+ a->d[ind] ^= t; \
-+ b->d[ind] ^= t; \
-+ } while (0)
-+
-+
-+ switch (nwords) {
-+ default:
-+ for (i = 10; i < nwords; i++)
-+ BN_CONSTTIME_SWAP(i);
-+ /* Fallthrough */
-+ case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
-+ case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
-+ case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
-+ case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
-+ case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
-+ case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
-+ case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
-+ case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
-+ case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
-+ case 1: BN_CONSTTIME_SWAP(0);
-+ }
-+#undef BN_CONSTTIME_SWAP
-+}
diff --git a/security/openssl/patches/patch-crypto_ec_ec2__mult.c b/security/openssl/patches/patch-crypto_ec_ec2__mult.c
deleted file mode 100644
index e8986853102..00000000000
--- a/security/openssl/patches/patch-crypto_ec_ec2__mult.c
+++ /dev/null
@@ -1,58 +0,0 @@ -$NetBSD: patch-crypto_ec_ec2__mult.c,v 1.1 2014/04/02 12:11:35 he Exp $ - -Part of fix for CVE-2014-0076. - ---- crypto/ec/ec2_mult.c.orig 2014-01-06 13:47:42.000000000 +0000 -+++ crypto/ec/ec2_mult.c -@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *grou - return ret; - } - -+ - /* Computes scalar*point and stores the result in r. - * point can not equal r. -- * Uses algorithm 2P of -+ * Uses a modified algorithm 2P of - * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over - * GF(2^m) without precomputation" (CHES '99, LNCS 1717). -+ * -+ * To protect against side-channel attack the function uses constant time swap, -+ * avoiding conditional branches. - */ - static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - const EC_POINT *point, BN_CTX *ctx) -@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_mult - x2 = &r->X; - z2 = &r->Y; - -+ bn_wexpand(x1, group->field.top); -+ bn_wexpand(z1, group->field.top); -+ bn_wexpand(x2, group->field.top); -+ bn_wexpand(z2, group->field.top); -+ - if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ - if (!BN_one(z1)) goto err; /* z1 = 1 */ - if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ -@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_mult - word = scalar->d[i]; - while (mask) - { -- if (word & mask) -- { -- if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; -- if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; -- } -- else -- { -- if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; -- if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; -- } -+ BN_consttime_swap(word & mask, x1, x2, group->field.top); -+ BN_consttime_swap(word & mask, z1, z2, group->field.top); -+ if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; -+ if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; -+ BN_consttime_swap(word & mask, x1, x2, group->field.top); -+ 
BN_consttime_swap(word & mask, z1, z2, group->field.top); - mask >>= 1; - } - mask = BN_TBIT; |