[Pkg-openssl-changes] r670 - openssl/branches/squeeze/debian/patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Thu Jun 5 19:03:40 UTC 2014


Author: kroeckx
Date: 2014-06-05 19:03:40 +0000 (Thu, 05 Jun 2014)
New Revision: 670

Modified:
   openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch
Log:
Make patch apply.


Modified: openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch	2014-06-05 18:36:38 UTC (rev 669)
+++ openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch	2014-06-05 19:03:40 UTC (rev 670)
@@ -1,28 +1,8 @@
-diff --git a/CHANGES b/CHANGES
-index 58ac884..99aeefb 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -4,6 +4,15 @@
- 
-  Changes between 1.0.1f and 1.0.1g [xx XXX xxxx]
- 
-+  *) Fix for the attack described in the paper "Recovering OpenSSL
-+     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
-+     by Yuval Yarom and Naomi Benger. Details can be obtained from:
-+     http://eprint.iacr.org/2014/140
-+
-+     Thanks to Yuval Yarom and Naomi Benger for discovering this
-+     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
-+     [Yuval Yarom and Naomi Benger]
-+
-   *) TLS pad extension: draft-agl-tls-padding-02
- 
-      Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
-diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
-index f34248e..21a1a3f 100644
---- a/crypto/bn/bn.h
-+++ b/crypto/bn/bn.h
-@@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
+Index: openssl-0.9.8o/crypto/bn/bn.h
+===================================================================
+--- openssl-0.9.8o.orig/crypto/bn/bn.h	2008-10-18 14:27:35.000000000 +0000
++++ openssl-0.9.8o/crypto/bn/bn.h	2014-06-05 18:33:14.074792662 +0000
+@@ -511,6 +511,8 @@
  BIGNUM *BN_mod_sqrt(BIGNUM *ret,
  	const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
  
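Review bot: With the CHANGES section dropped from the rebased patch, the patch text itself no longer records the CVE identifier, the Yarom/Benger paper reference or the fact that the code came from upstream; only the file name still says `CVE-2014-0076`. A DEP-3 style header at the top of the patch would keep that provenance with the code, e.g. `Description: constant-time Montgomery ladder in ec2_mult.c (CVE-2014-0076, FLUSH+RELOAD ECDSA nonce recovery)` and `Origin: backport of the upstream 1.0.1g fix by Yuval Yarom`, plus a `Last-Update:` line. The new `Index:`/`---`/`+++` headers themselves are consistent with a quilt patch against openssl-0.9.8o, so this is a documentation point only.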
@@ -31,7 +11,7 @@
  /* Deprecated versions */
  #ifndef OPENSSL_NO_DEPRECATED
  BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
-@@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
+@@ -740,11 +742,20 @@
  
  #define bn_fix_top(a)		bn_check_top(a)
  
@@ -52,11 +32,11 @@
  
  #endif
  
-diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
-index 7a5676d..5461e6e 100644
---- a/crypto/bn/bn_lib.c
-+++ b/crypto/bn/bn_lib.c
-@@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
+Index: openssl-0.9.8o/crypto/bn/bn_lib.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/bn/bn_lib.c	2008-09-16 11:08:24.000000000 +0000
++++ openssl-0.9.8o/crypto/bn/bn_lib.c	2014-06-05 18:33:14.322787414 +0000
+@@ -824,3 +824,55 @@
  		}
  	return bn_cmp_words(a,b,cl);
  	}
@@ -112,11 +92,11 @@
 +	}
 +#undef BN_CONSTTIME_SWAP
 +}
-diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
-index 26f4a78..1c575dc 100644
---- a/crypto/ec/ec2_mult.c
-+++ b/crypto/ec/ec2_mult.c
-@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
+Index: openssl-0.9.8o/crypto/ec/ec2_mult.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/ec/ec2_mult.c	2005-04-26 18:53:17.000000000 +0000
++++ openssl-0.9.8o/crypto/ec/ec2_mult.c	2014-06-05 18:34:16.549470521 +0000
+@@ -206,11 +206,15 @@
  	return ret;
  	}
  
@@ -125,15 +105,15 @@
   * point can not equal r.
 - * Uses algorithm 2P of
 + * Uses a modified algorithm 2P of
-  *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
-  *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
+  *     Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
+  *     GF(2^m) without precomputation".
 + *
 + * To protect against side-channel attack the function uses constant time swap,
 + * avoiding conditional branches.
   */
  static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
  	const EC_POINT *point, BN_CTX *ctx)
-@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
+@@ -244,6 +248,11 @@
  	x2 = &r->X;
  	z2 = &r->Y;
  
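Review bot: The rewritten comment block above `ec_GF2m_montgomery_point_multiply` now carries the 0.9.8 context line `Lopex, J. and Dahab, R.` and has lost the `(CHES '99, LNCS 1717)` citation that the 1.0.1 version of the patch showed; since the patch already replaces the `Uses algorithm 2P of` line, correcting the name to `Lopez` and restoring the venue in the same hunk costs nothing and avoids propagating the typo with the security fix. The added sentence about constant-time swap is accurate for the loop body; it might be worth adding that the scan for the scalar's top bit just before the loop (not in this hunk) is unchanged, so readers do not assume the whole function became branch-free. The function's body continues past the end of this hunk.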
@@ -145,11 +125,11 @@
  	if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
  	if (!BN_one(z1)) goto err; /* z1 = 1 */
  	if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
-@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
- 		word = scalar->d[i];
- 		while (mask)
+@@ -266,16 +275,12 @@
+ 		{
+ 		for (; j >= 0; j--)
  			{
--			if (word & mask)
+-			if (scalar->d[i] & mask)
 -				{
 -				if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
 -				if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
@@ -159,12 +139,12 @@
 -				if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
 -				if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
 -				}
-+			BN_consttime_swap(word & mask, x1, x2, group->field.top);
-+			BN_consttime_swap(word & mask, z1, z2, group->field.top);
++			BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top);
++			BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top);
 +			if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
 +			if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
-+			BN_consttime_swap(word & mask, x1, x2, group->field.top);
-+			BN_consttime_swap(word & mask, z1, z2, group->field.top);
++			BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top);
++			BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top);
  			mask >>= 1;
  			}
- 		mask = BN_TBIT;
+ 		j = BN_BITS2 - 1;
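Review bot: In the new inner loop the swap selector `scalar->d[i] & mask` is re-evaluated for each of the four BN_consttime_swap calls, whereas the 1.0.1 version of this patch read the word once into `word`; hoisting it as `BN_ULONG bit = scalar->d[i] & mask;` at the top of the loop body and passing `bit` to all four calls keeps the backport readable and makes it obvious at the call site that the selector is either zero or a single set bit. The body of the backported BN_consttime_swap is not visible on this page; if it keeps upstream's assertion that the condition is zero or a power of two, a comment such as `/* mask is a single bit, so the selector is 0 or 2^k as BN_consttime_swap requires */` would record why a raw masked word rather than a boolean is passed. Passing `group->field.top` as the word count also presumes x1, z1, x2 and z2 have already been widened to that many limbs; presumably that is what the five lines added in the earlier `@@ -244,6 +248,11 @@` hunk do, but they are outside this view and should be checked. ec_GF2m_montgomery_point_multiply begins and ends outside the hunk.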



