2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
new file mode 100644
index 0000000000..27ade4e7d2
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
@@ -0,0 +1,51 @@
+From 399944622df7bd81af62e67ea967c470534090e2 Mon Sep 17 00:00:00 2001
+From: Cesar Pereida <cesar.pereida@aalto.fi>
+Date: Mon, 23 May 2016 12:45:25 +0300
+Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
+Operations in the DSA signing algorithm should run in constant time in
+order to avoid side channel attacks. A flaw in the OpenSSL DSA
+implementation means that a non-constant time codepath is followed for
+certain operations. This has been demonstrated through a cache-timing
+attack to be sufficient for an attacker to recover the private DSA key.
+CVE-2016-2178
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Upstream-Status: Backport
+CVE: CVE-2016-2178
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ crypto/dsa/dsa_ossl.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+Index: openssl-1.0.2h/crypto/dsa/dsa_ossl.c
+===================================================================
+--- openssl-1.0.2h.orig/crypto/dsa/dsa_ossl.c
+++ openssl-1.0.2h/crypto/dsa/dsa_ossl.c
+@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
+         if (!BN_rand_range(&k, dsa->q))
+             goto err;
+     while (BN_is_zero(&k)) ;
+-    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+-        BN_set_flags(&k, BN_FLG_CONSTTIME);
+-    }
+ 
+     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
+         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+@@ -282,6 +279,11 @@ static int dsa_sign_setup(DSA *dsa, BN_C
+     } else {
+         K = &k;
+     }
+
+    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+        BN_set_flags(K, BN_FLG_CONSTTIME);
+    }
+
+     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
+                    dsa->method_mont_p);
+     if (!BN_mod(r, r, dsa->q, ctx))
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
index 4135a312c5..07cb0f9e85 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -39,6 +39,7 @@ SRC_URI += "file://configure-targets.patch \
            file://ptest_makefile_deps.patch  \
            file://parallel.patch \
            file://CVE-2016-2177.patch \
+            file://CVE-2016-2178.patch \
           "
 SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch new file mode 100644 index 0000000000..27ade4e7d2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
@@ -0,0 +1,51 @@
		1	From 399944622df7bd81af62e67ea967c470534090e2 Mon Sep 17 00:00:00 2001
		2	From: Cesar Pereida <cesar.pereida@aalto.fi>
		3	Date: Mon, 23 May 2016 12:45:25 +0300
		4	Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
		5
		6	Operations in the DSA signing algorithm should run in constant time in
		7	order to avoid side channel attacks. A flaw in the OpenSSL DSA
		8	implementation means that a non-constant time codepath is followed for
		9	certain operations. This has been demonstrated through a cache-timing
		10	attack to be sufficient for an attacker to recover the private DSA key.
		11
		12	CVE-2016-2178
		13
		14	Reviewed-by: Richard Levitte <levitte@openssl.org>
		15	Reviewed-by: Matt Caswell <matt@openssl.org>
		16
		17	Upstream-Status: Backport
		18	CVE: CVE-2016-2178
		19
		20	Signed-off-by: Armin Kuster <akuster@mvista.com>
		21
		22	---
		23	crypto/dsa/dsa_ossl.c \| 9 +++++----
		24	1 file changed, 5 insertions(+), 4 deletions(-)
		25
		26	Index: openssl-1.0.2h/crypto/dsa/dsa_ossl.c
		27	===================================================================
		28	--- openssl-1.0.2h.orig/crypto/dsa/dsa_ossl.c
		29	+++ openssl-1.0.2h/crypto/dsa/dsa_ossl.c
		30	@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
		31	if (!BN_rand_range(&k, dsa->q))
		32	goto err;
		33	while (BN_is_zero(&k)) ;
		34	- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
		35	- BN_set_flags(&k, BN_FLG_CONSTTIME);
		36	- }
		37
		38	if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
		39	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
		40	@@ -282,6 +279,11 @@ static int dsa_sign_setup(DSA *dsa, BN_C
		41	} else {
		42	K = &k;
		43	}
		44	+
		45	+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
		46	+ BN_set_flags(K, BN_FLG_CONSTTIME);
		47	+ }
		48	+
		49	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
		50	dsa->method_mont_p);
		51	if (!BN_mod(r, r, dsa->q, ctx))


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb index 4135a312c5..07cb0f9e85 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -39,6 +39,7 @@ SRC_URI += "file://configure-targets.patch \
39	file://ptest_makefile_deps.patch \	39	file://ptest_makefile_deps.patch \
40	file://parallel.patch \	40	file://parallel.patch \
41	file://CVE-2016-2177.patch \	41	file://CVE-2016-2177.patch \
		42	file://CVE-2016-2178.patch \
42	"	43	"
43		44
44	SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"	45	SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"