security/libressl: Fix ECDSA P-256 timing attack vulnerability
author John Marino <draco@marino.st>
Fri, 13 Jan 2017 22:11:37 +0000 (16:11 -0600)
committer John Marino <draco@marino.st>
Fri, 13 Jan 2017 23:16:06 +0000 (17:16 -0600)
OpenBSD 6.0 errata 16, Jan 5, 2017:
Avoid possible side-channel leak of ECDSA private keys when signing.

security: CVE-2016-7056

crypto/libressl/README.DRAGONFLY
crypto/libressl/crypto/ecdsa/ecs_ossl.c

index be9696c..a74db54 100644 (file)
@@ -10,3 +10,6 @@ size = 3014463
 sha1 = 5daaf33f5cc382e1c9dd7375a67e26aad1d0b2ed
 
 The file README.DELETED contains a list of deleted files and directories.
+
+Local modifications applied to following files:
+       crypto/ecdsa/ecs_ossl.c
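Review bot: The new "Local modifications" entry in README.DRAGONFLY records the path but not why the file diverges from upstream, so the next LibreSSL import has no way to tell whether the local change can be dropped. Suggest putting the reason beside the path, e.g. `crypto/ecdsa/ecs_ossl.c (OpenBSD 6.0 errata 16, CVE-2016-7056)`, and fixing the wording to "applied to the following files".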
index b03b1fb..37245d9 100644 (file)
@@ -142,6 +142,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                        if (!BN_add(k, k, order))
                                goto err;
 
+               BN_set_flags(k, BN_FLG_CONSTTIME);
+
                /* compute r the x-coordinate of generator * k */
                if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
                        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
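Review bot: `BN_set_flags(k, BN_FLG_CONSTTIME)` is placed only after the `BN_add(k, k, order)` step, so the flag protects the `EC_POINT_mul` that follows but not the arithmetic on `k` above it in this function; since the flag is per-BIGNUM and read by the callee, either set it as soon as `k` is created or add a comment stating why the earlier steps need no constant-time treatment. The added line also deserves a short comment naming the purpose (avoid timing leak of the nonce during signing, per CVE-2016-7056), so a later cleanup does not drop a line that looks like a no-op.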