[Pkg-openssl-changes] r670 - openssl/branches/squeeze/debian/patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Thu Jun 5 19:03:40 UTC 2014
Author: kroeckx
Date: 2014-06-05 19:03:40 +0000 (Thu, 05 Jun 2014)
New Revision: 670
Modified:
openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch
Log:
Make patch apply.
Modified: openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch 2014-06-05 18:36:38 UTC (rev 669)
+++ openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch 2014-06-05 19:03:40 UTC (rev 670)
@@ -1,28 +1,8 @@
-diff --git a/CHANGES b/CHANGES
-index 58ac884..99aeefb 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -4,6 +4,15 @@
-
- Changes between 1.0.1f and 1.0.1g [xx XXX xxxx]
-
-+ *) Fix for the attack described in the paper "Recovering OpenSSL
-+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
-+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
-+ http://eprint.iacr.org/2014/140
-+
-+ Thanks to Yuval Yarom and Naomi Benger for discovering this
-+ flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
-+ [Yuval Yarom and Naomi Benger]
-+
- *) TLS pad extension: draft-agl-tls-padding-02
-
- Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
-diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
-index f34248e..21a1a3f 100644
---- a/crypto/bn/bn.h
-+++ b/crypto/bn/bn.h
-@@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
+Index: openssl-0.9.8o/crypto/bn/bn.h
+===================================================================
+--- openssl-0.9.8o.orig/crypto/bn/bn.h 2008-10-18 14:27:35.000000000 +0000
++++ openssl-0.9.8o/crypto/bn/bn.h 2014-06-05 18:33:14.074792662 +0000
+@@ -511,6 +511,8 @@
BIGNUM *BN_mod_sqrt(BIGNUM *ret,
const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
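Review bot: Dropping the CHANGES hunk (the only part of the old patch that named CVE-2014-0076, the FLUSH+RELOAD paper and the eprint URL) leaves the retargeted patch with no in-file statement of what it fixes or where it came from; the CVE number now survives only in the patch's filename. Since 0.9.8o has no "Changes between 1.0.1f and 1.0.1g" section, removing that hunk is right, but a DEP-3 header at the top of the patch file would restore the provenance: `Description: Fix ECDSA nonce recovery via FLUSH+RELOAD cache side channel, see http://eprint.iacr.org/2014/140 (CVE-2014-0076)` and `Origin: backport, upstream 1.0.1g fix retargeted to 0.9.8o`. The retargeted bn.h hunk header `@@ -511,6 +513,8 @@` still adds two lines after the BN_mod_sqrt prototype, but their content is outside this diff's context; presumably the BN_consttime_swap declaration, which should be confirmed since ec2_mult.c calls it in a later hunk.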
@@ -31,7 +11,7 @@
/* Deprecated versions */
#ifndef OPENSSL_NO_DEPRECATED
BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
-@@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
+@@ -740,11 +742,20 @@
#define bn_fix_top(a) bn_check_top(a)
@@ -52,11 +32,11 @@
#endif
-diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
-index 7a5676d..5461e6e 100644
---- a/crypto/bn/bn_lib.c
-+++ b/crypto/bn/bn_lib.c
-@@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
+Index: openssl-0.9.8o/crypto/bn/bn_lib.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/bn/bn_lib.c 2008-09-16 11:08:24.000000000 +0000
++++ openssl-0.9.8o/crypto/bn/bn_lib.c 2014-06-05 18:33:14.322787414 +0000
+@@ -824,3 +824,55 @@
}
return bn_cmp_words(a,b,cl);
}
@@ -112,11 +92,11 @@
+ }
+#undef BN_CONSTTIME_SWAP
+}
-diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
-index 26f4a78..1c575dc 100644
---- a/crypto/ec/ec2_mult.c
-+++ b/crypto/ec/ec2_mult.c
-@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
+Index: openssl-0.9.8o/crypto/ec/ec2_mult.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/ec/ec2_mult.c 2005-04-26 18:53:17.000000000 +0000
++++ openssl-0.9.8o/crypto/ec/ec2_mult.c 2014-06-05 18:34:16.549470521 +0000
+@@ -206,11 +206,15 @@
return ret;
}
@@ -125,15 +105,15 @@
* point can not equal r.
- * Uses algorithm 2P of
+ * Uses a modified algorithm 2P of
- * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
- * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
+ * Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over
+ * GF(2^m) without precomputation".
+ *
+ * To protect against side-channel attack the function uses constant time swap,
+ * avoiding conditional branches.
*/
static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
const EC_POINT *point, BN_CTX *ctx)
-@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
+@@ -244,6 +248,11 @@
x2 = &r->X;
z2 = &r->Y;
@@ -145,11 +125,11 @@
if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
if (!BN_one(z1)) goto err; /* z1 = 1 */
if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
-@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
- word = scalar->d[i];
- while (mask)
+@@ -266,16 +275,12 @@
+ {
+ for (; j >= 0; j--)
{
-- if (word & mask)
+- if (scalar->d[i] & mask)
- {
- if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
- if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
@@ -159,12 +139,12 @@
- if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
- if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
- }
-+ BN_consttime_swap(word & mask, x1, x2, group->field.top);
-+ BN_consttime_swap(word & mask, z1, z2, group->field.top);
++ BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top);
++ BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top);
+ if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
+ if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
-+ BN_consttime_swap(word & mask, x1, x2, group->field.top);
-+ BN_consttime_swap(word & mask, z1, z2, group->field.top);
++ BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top);
++ BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top);
mask >>= 1;
}
- mask = BN_TBIT;
+ j = BN_BITS2 - 1;
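Review bot: The four `BN_consttime_swap(..., group->field.top)` calls swap a fixed `group->field.top` words of x1/x2 and z1/z2 on every iteration, so all four operands (x2 and z2 alias `r->X`/`r->Y` per the earlier hunk; x1 and z1 are allocated outside this view) must already be sized to at least that many words before the loop, otherwise a swap over a smaller operand's allocation reads and writes out of bounds; the five lines the inner `@@ -244,6 +248,11 @@` hunk inserts ahead of `BN_GF2m_mod_arr(x1, ...)` are not visible in this diff, so confirm they are the `bn_wexpand(x1/z1/x2/z2, group->field.top)` expansions and not only a comment. The condition `scalar->d[i] & mask` is always zero or a single bit because `mask >>= 1` is the only way mask changes inside the loop; that is worth stating above the first swap, e.g. `/* mask is a single bit, so the condition is 0 or one set bit */`, since BN_consttime_swap's contract on its condition argument is not visible here. As a style point, the 0.9.8o retarget re-reads `scalar->d[i]` four times per iteration where the 1.0.1 version used a `word` local; `BN_ULONG word = scalar->d[i];` at the top of the i-loop body keeps the four conditions textually identical and avoids the repeated loads. The enclosing ec_GF2m_montgomery_point_multiply loop starts and ends outside this hunk.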