From 5d4f7fca620e50781f015316e5e0968bc058ea2e Mon Sep 17 00:00:00 2001
From: Christian Neukirchen
Date: Mon, 6 Jun 2016 13:15:16 +0200
Subject: [PATCH] libressl: security fix for OpenBSD 5.9 errata 11.
---
 srcpkgs/libressl/patches/011_crypto.patch | 32 +++++++++++++++++++++++
 srcpkgs/libressl/template | 2 +-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/libressl/patches/011_crypto.patch
diff --git a/srcpkgs/libressl/patches/011_crypto.patch b/srcpkgs/libressl/patches/011_crypto.patch
new file mode 100644
index 00000000000..51dbe5b834d
--- /dev/null
+++ b/srcpkgs/libressl/patches/011_crypto.patch
@@ -0,0 +1,32 @@
+OpenBSD 5.9 errata 11, June 6, 2016:
+
+Correct a problem that prevents the DSA signing algorithm from running
+in constant time even if the flag BN_FLG_CONSTTIME is set. This issue
+was reported by Cesar Pereida (Aalto University), Billy Brumley
+(Tampere University of Technology), and Yuval Yarom (The University of
+Adelaide and NICTA). The fix was developed by Cesar Pereida.
+
+--- crypto/dsa/dsa_ossl.c 10 Sep 2015 07:58:28 -0000 1.23
++++ crypto/dsa/dsa_ossl.c 5 Jun 2016 20:17:11 -0000
+@@ -247,9 +247,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ if (!BN_rand_range(&k, dsa->q))
+ goto err;
+ } while (BN_is_zero(&k));
+- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+- BN_set_flags(&k, BN_FLG_CONSTTIME);
+- }
+
+ if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
+ if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+@@ -283,6 +280,11 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ } else {
+ K = &k;
+ }
++
++ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
++ BN_set_flags(&k, BN_FLG_CONSTTIME);
++ }
++
+ DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
+ dsa->method_mont_p);
+ if (!BN_mod(r,r,dsa->q,ctx))
diff --git a/srcpkgs/libressl/template b/srcpkgs/libressl/template
index 96969945a72..06d9994da47 100644
--- a/srcpkgs/libressl/template
+++ b/srcpkgs/libressl/template
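Review bot: The re-added `BN_set_flags(&k, BN_FLG_CONSTTIME);` in the second inner hunk of 011_crypto.patch marks `k`, but the `DSA_BN_MOD_EXP` call right after it takes `K`, and only the `else` arm (`K = &k;`) is visible here. If the arm above the hunk points `K` at a separate BIGNUM, the constant-time flag would not be on the operand that is actually exponentiated, so that arm should be checked in the 2.3.5 tree before relying on this erratum. Should that be the case, flagging the operand in use as well, e.g. `BN_set_flags(K, BN_FLG_CONSTTIME);` next to the existing call, would close the gap. Because this file is a verbatim upstream erratum, such a change belongs upstream rather than in this copy. dsa_sign_setup starts and ends outside both inner hunks.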
@@ -1,7 +1,7 @@
 # Template file for 'libressl'
 pkgname=libressl
 version=2.3.5
-revision=1
+revision=2
 bootstrap=yes
 build_style=gnu-configure
 short_desc="Version of the TLS/crypto stack forked from OpenSSL"