- Fix DSA, preserve BN_FLG_CONSTTIME

Security: CVE-2016-2178
freebsd · Jun 12, 2016 · 5ae24c9 · 5ae24c9
1 parent 964f618
commit 5ae24c9
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
@@ -4,7 +4,7 @@
 PORTNAME=	openssl
 PORTVERSION=	1.0.2
 DISTVERSIONSUFFIX=	h
-PORTREVISION=	12
+PORTREVISION=	13
 CATEGORIES=	security devel
 MASTER_SITES=	http://www.openssl.org/source/ \
 		ftp://ftp.openssl.org/source/ \

diff --git a/security/openssl/files/patch-dsa_ossl.c b/security/openssl/files/patch-dsa_ossl.c
@@ -0,0 +1,35 @@
+
+Fix DSA, preserve BN_FLG_CONSTTIME
+
+Operations in the DSA signing algorithm should run in constant time in
+order to avoid side channel attacks. A flaw in the OpenSSL DSA
+implementation means that a non-constant time codepath is followed for
+certain operations. This has been demonstrated through a cache-timing
+attack to be sufficient for an attacker to recover the private DSA key.
+
+CVE-2016-2178
+
+--- crypto/dsa/dsa_ossl.c.orig	2016-05-03 15:44:42.000000000 +0200
++++ crypto/dsa/dsa_ossl.c	2016-06-12 22:57:49.000000000 +0200
+@@ -248,9 +248,6 @@
+         if (!BN_rand_range(&k, dsa->q))
+             goto err;
+     while (BN_is_zero(&k)) ;
+-    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+-        BN_set_flags(&k, BN_FLG_CONSTTIME);
+-    }
+
+     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
+         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+@@ -282,6 +279,11 @@
+     } else {
+         K = &k;
+     }
++
++    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
++        BN_set_flags(&k, BN_FLG_CONSTTIME);
++    }
++
+     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
+                    dsa->method_mont_p);
+     if (!BN_mod(r, r, dsa->q, ctx))