summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authortez <tez@pkgsrc.org>2011-07-04 14:42:56 +0000
committertez <tez@pkgsrc.org>2011-07-04 14:42:56 +0000
commit7d9d8dc49bf26de51bb070ed2ea3b0d390f4b959 (patch)
treeb67e17cc089cf9d6003d4b8d6c1c0d8e5763eeac /security
parent0cb661e6455b3b34dfe7e62f3315db990d82faba (diff)
downloadpkgsrc-7d9d8dc49bf26de51bb070ed2ea3b0d390f4b959.tar.gz
Correct the fix for http://secunia.com/advisories/44572/
See the thread here: http://www.mail-archive.com/openssl-dev@openssl.org/msg29283.html
Diffstat (limited to 'security')
-rw-r--r--security/openssl/Makefile4
-rw-r--r--security/openssl/distinfo4
-rw-r--r--security/openssl/patches/patch-crypto_ecdsa_ecs__ossl.c11
3 files changed, 10 insertions, 9 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index f04b1278560..c8f64ef9bbf 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.156 2011/05/31 17:18:42 tez Exp $
+# $NetBSD: Makefile,v 1.157 2011/07/04 14:42:56 tez Exp $
OPENSSL_SNAPSHOT?= # empty
OPENSSL_STABLE?= # empty
@@ -22,7 +22,7 @@ MASTER_SITES= ftp://ftp.openssl.org/snapshot/
.endif
SVR4_PKGNAME= ossl
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= security
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.openssl.org/
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 05c660f38aa..62e364e76dd 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.81 2011/05/31 17:18:42 tez Exp $
+$NetBSD: distinfo,v 1.82 2011/07/04 14:42:56 tez Exp $
SHA1 (openssl-0.9.8q.tar.gz) = 12b6859698ca299fa0cba594686c25d5c01e410d
RMD160 (openssl-0.9.8q.tar.gz) = 2a6583fc059f83232b16d0dad8855fc8086f2450
@@ -11,5 +11,5 @@ SHA1 (patch-af) = 2610930b6b06397fa2e3955b3244c02193f5b7a6
SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8
SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0
SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302
-SHA1 (patch-crypto_ecdsa_ecs__ossl.c) = 07e038d0fa4df429336e9f879f3323fae5c6b9d9
+SHA1 (patch-crypto_ecdsa_ecs__ossl.c) = d5eeefca9df411d7478f731809133dea8f1978f5
SHA1 (patch-ssl_t1__lib.c) = 0ec0cfd2c70c7d35c2bb1c6261d5817ea56941aa
diff --git a/security/openssl/patches/patch-crypto_ecdsa_ecs__ossl.c b/security/openssl/patches/patch-crypto_ecdsa_ecs__ossl.c
index 2dfa4683f4a..7dce2114e32 100644
--- a/security/openssl/patches/patch-crypto_ecdsa_ecs__ossl.c
+++ b/security/openssl/patches/patch-crypto_ecdsa_ecs__ossl.c
@@ -1,17 +1,19 @@
-$NetBSD: patch-crypto_ecdsa_ecs__ossl.c,v 1.1 2011/05/31 17:18:42 tez Exp $
+$NetBSD: patch-crypto_ecdsa_ecs__ossl.c,v 1.2 2011/07/04 14:42:57 tez Exp $
Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
+#ifdef conditional removed per
+ http://www.mail-archive.com/openssl-dev@openssl.org/msg29283.html
+
--- crypto/ecdsa/ecs_ossl.c.orig 2009-12-01 11:32:16.000000000 -0600
-+++ crypto/ecdsa/ecs_ossl.c 2011-05-31 11:17:14.168169900 -0500
-@@ -144,6 +144,16 @@
++++ crypto/ecdsa/ecs_ossl.c 2011-06-03 10:10:10.161291300 -0500
+@@ -144,6 +144,14 @@
}
while (BN_is_zero(k));
-+#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
+ /* We do not want timing information to leak the length of k,
+ * so we compute G*k using an equivalent scalar of fixed
+ * bit-length. */
@@ -19,7 +21,6 @@ by Billy Bob Brumley and Nicola Tuveri, see:
+ if (!BN_add(k, k, order)) goto err;
+ if (BN_num_bits(k) <= BN_num_bits(order))
+ if (!BN_add(k, k, order)) goto err;
-+#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
+
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))