openssl: Security fix CVE-2016-2178

affects openssl < 1.0.2i Reference: https://www.openssl.org/news/secadv/20160922.txt Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-09-26 12:18:14 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2016-09-26 12:49:28 +0200
commit: ac47871dfb962355c3c8971cd2fde2e4d03c9790 (patch)
tree: 8e772e66de7e35c40f53265084666167fc07ed50
parent: c6d3104f100630967604fa5d875e031d2b974155 (diff)
download: meta-el-common-ac47871dfb962355c3c8971cd2fde2e4d03c9790.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
new file mode 100644
index 0000000..07b1310
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
@@ -0,0 +1,54 @@
+From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001
+From: Cesar Pereida <cesar.pereida@aalto.fi>
+Date: Mon, 23 May 2016 12:45:25 +0300
+Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
+Operations in the DSA signing algorithm should run in constant time in
+order to avoid side channel attacks. A flaw in the OpenSSL DSA
+implementation means that a non-constant time codepath is followed for
+certain operations. This has been demonstrated through a cache-timing
+attack to be sufficient for an attacker to recover the private DSA key.
+CVE-2016-2178
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Upstream-Status: Backport
+CVE: CVE-2016-2178
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ crypto/dsa/dsa_ossl.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
+index efc4f1b..b29eb4b 100644
+--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
+@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+         if (!BN_rand_range(&k, dsa->q))
+             goto err;
+     while (BN_is_zero(&k)) ;
+-    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+-        BN_set_flags(&k, BN_FLG_CONSTTIME);
+-    }
+ 
+     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
+         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+         }
+ 
+         K = &kq;
+
+        BN_set_flags(K, BN_FLG_CONSTTIME);
+     } else {
+         K = &k;
+     }
+
+     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
+                    dsa->method_mont_p);
+     if (!BN_mod(r, r, dsa->q, ctx))
+-- 
+2.7.4
diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
new file mode 100644
index 0000000..9f70a33
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
@@ -0,0 +1,3 @@
+SRC_URI += "file://CVE-2016-2178.patch \
+           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-09-26 12:18:14 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2016-09-26 12:49:28 +0200
commit	ac47871dfb962355c3c8971cd2fde2e4d03c9790 (patch)
tree	8e772e66de7e35c40f53265084666167fc07ed50
parent	c6d3104f100630967604fa5d875e031d2b974155 (diff)
download	meta-el-common-ac47871dfb962355c3c8971cd2fde2e4d03c9790.tar.gz

diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch new file mode 100644 index 0000000..07b1310 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
@@ -0,0 +1,54 @@
	1	From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001
	2	From: Cesar Pereida <cesar.pereida@aalto.fi>
	3	Date: Mon, 23 May 2016 12:45:25 +0300
	4	Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
	5
	6	Operations in the DSA signing algorithm should run in constant time in
	7	order to avoid side channel attacks. A flaw in the OpenSSL DSA
	8	implementation means that a non-constant time codepath is followed for
	9	certain operations. This has been demonstrated through a cache-timing
	10	attack to be sufficient for an attacker to recover the private DSA key.
	11
	12	CVE-2016-2178
	13
	14	Reviewed-by: Richard Levitte <levitte@openssl.org>
	15	Reviewed-by: Matt Caswell <matt@openssl.org>
	16
	17	Upstream-Status: Backport
	18	CVE: CVE-2016-2178
	19	Signed-off-by: Armin Kuster <akuster@mvista.com>
	20
	21	---
	22	crypto/dsa/dsa_ossl.c \| 6 +++---
	23	1 file changed, 3 insertions(+), 3 deletions(-)
	24
	25	diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
	26	index efc4f1b..b29eb4b 100644
	27	--- a/crypto/dsa/dsa_ossl.c
	28	+++ b/crypto/dsa/dsa_ossl.c
	29	@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM **kinvp,
	30	if (!BN_rand_range(&k, dsa->q))
	31	goto err;
	32	while (BN_is_zero(&k)) ;
	33	- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
	34	- BN_set_flags(&k, BN_FLG_CONSTTIME);
	35	- }
	36
	37	if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
	38	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
	39	@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM **kinvp,
	40	}
	41
	42	K = &kq;
	43	+
	44	+ BN_set_flags(K, BN_FLG_CONSTTIME);
	45	} else {
	46	K = &k;
	47	}
	48	+
	49	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
	50	dsa->method_mont_p);
	51	if (!BN_mod(r, r, dsa->q, ctx))
	52	--
	53	2.7.4
	54


diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend new file mode 100644 index 0000000..9f70a33 --- /dev/null +++ b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
@@ -0,0 +1,3 @@
	1
	2	SRC_URI += "file://CVE-2016-2178.patch \
	3	"