18538605 problem in UTILITY/OPENSSL s11u1-sru 0.175.1.20.0.3.0 S11.1SRU20.3
authorRonald Jordan <ron.jordan@oracle.com>
Fri, 09 May 2014 15:18:09 -0700
branchs11u1-sru
changeset 3134 8c9dcb670552
parent 3133 96f724c369da
child 3144 4ff596d1b27b
18538605 problem in UTILITY/OPENSSL
components/openssl/openssl-1.0.0/patches/37-cve-2014-0076.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0/patches/37-cve-2014-0076.patch	Fri May 09 15:18:09 2014 -0700
@@ -0,0 +1,148 @@
+Patch comes from upstream:
+  http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29
+It will be obsoleted when openssl-1.0.0m is available.
+
+--- openssl-1.0.0l/crypto/bn/bn.h.orig	Mon Jan  6 07:00:59 2014
++++ openssl-1.0.0l/crypto/bn/bn.h		Fri Apr 18 13:03:57 2014
+@@ -538,6 +538,8 @@
+ BIGNUM *BN_mod_sqrt(BIGNUM *ret,
+ 	const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+ 
++void	BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
++
+ /* Deprecated versions */
+ #ifndef OPENSSL_NO_DEPRECATED
+ BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
+@@ -759,11 +761,20 @@
+ 
+ #define bn_fix_top(a)		bn_check_top(a)
+ 
++#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
++#define bn_wcheck_size(bn, words) \
++	do { \
++		const BIGNUM *_bnum2 = (bn); \
++		assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
++	} while(0)
++
+ #else /* !BN_DEBUG */
+ 
+ #define bn_pollute(a)
+ #define bn_check_top(a)
+ #define bn_fix_top(a)		bn_correct_top(a)
++#define bn_check_size(bn, bits)
++#define bn_wcheck_size(bn, words)
+ 
+ #endif
+ 
+--- openssl-1.0.0l/crypto/bn/bn_lib.c.orig	Mon Jan  6 07:00:59 2014
++++ openssl-1.0.0l/crypto/bn/bn_lib.c		Fri Apr 18 13:03:08 2014
+@@ -843,3 +843,55 @@
+ 		}
+ 	return bn_cmp_words(a,b,cl);
+ 	}
++
++/* 
++ * Constant-time conditional swap of a and b.  
++ * a and b are swapped if condition is not 0.  The code assumes that at most one bit of condition is set.
++ * nwords is the number of words to swap.  The code assumes that at least nwords are allocated in both a and b,
++ * and that no more than nwords are used by either a or b.
++ * a and b cannot be the same number
++ */
++void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
++	{
++	BN_ULONG t;
++	int i;
++
++	bn_wcheck_size(a, nwords);
++	bn_wcheck_size(b, nwords);
++
++	assert(a != b);
++	assert((condition & (condition - 1)) == 0);
++	assert(sizeof(BN_ULONG) >= sizeof(int));
++
++	condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
++
++	t = (a->top^b->top) & condition;
++	a->top ^= t;
++	b->top ^= t;
++
++#define BN_CONSTTIME_SWAP(ind) \
++	do { \
++		t = (a->d[ind] ^ b->d[ind]) & condition; \
++		a->d[ind] ^= t; \
++		b->d[ind] ^= t; \
++	} while (0)
++
++
++	switch (nwords) {
++	default:
++		for (i = 10; i < nwords; i++) 
++			BN_CONSTTIME_SWAP(i);
++		/* Fallthrough */
++	case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
++	case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
++	case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
++	case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
++	case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
++	case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
++	case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
++	case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
++	case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
++	case 1: BN_CONSTTIME_SWAP(0);
++	}
++#undef BN_CONSTTIME_SWAP
++}
+--- openssl-1.0.0l/crypto/ec/ec2_mult.c.orig	Mon Jan  6 07:00:59 2014
++++ openssl-1.0.0l/crypto/ec/ec2_mult.c	Fri Apr 18 13:00:28 2014
+@@ -206,11 +206,15 @@
+ 	return ret;
+ 	}
+ 
++
+ /* Computes scalar*point and stores the result in r.
+  * point can not equal r.
+- * Uses algorithm 2P of
++ * Uses a modified algorithm 2P of
+  *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
+  *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
++ *
++ * To protect against side-channel attack the function uses constant time swap,
++ * avoiding conditional branches.
+  */
+ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+ 	const EC_POINT *point, BN_CTX *ctx)
+@@ -244,6 +248,11 @@
+ 	x2 = &r->X;
+ 	z2 = &r->Y;
+ 
++	bn_wexpand(x1, group->field.top);
++	bn_wexpand(z1, group->field.top);
++	bn_wexpand(x2, group->field.top);
++	bn_wexpand(z2, group->field.top);
++
+ 	if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
+ 	if (!BN_one(z1)) goto err; /* z1 = 1 */
+ 	if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
+@@ -268,16 +277,12 @@
+ 		word = scalar->d[i];
+ 		while (mask)
+ 			{
+-			if (word & mask)
+-				{
+-				if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
+-				if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
+-				}
+-			else
+-				{
+-				if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
+-				if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
+-				}
++			BN_consttime_swap(word & mask, x1, x2, group->field.top);
++			BN_consttime_swap(word & mask, z1, z2, group->field.top);
++			if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
++			if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
++			BN_consttime_swap(word & mask, x1, x2, group->field.top);
++			BN_consttime_swap(word & mask, z1, z2, group->field.top);
+ 			mask >>= 1;
+ 			}
+ 		mask = BN_TBIT;
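Review bot: The four `bn_wexpand()` calls added to ec_GF2m_montgomery_point_multiply in the ec2_mult.c part of the embedded patch (just after `z2 = &r->Y;`) discard their return value, and bn_wexpand() returns NULL when it cannot grow the BIGNUM; in a non-BN_DEBUG build `bn_wcheck_size()` expands to nothing, so the later `BN_consttime_swap(..., group->field.top)` would then write `a->d[ind]` past the allocation of a number that was never expanded. Each call should take the function's existing error path, `if (bn_wexpand(x1, group->field.top) == NULL) goto err;`, and likewise for z1, x2 and z2. A smaller point in the bn.h part: `bn_check_size(bn, bits)` expands `bits` unparenthesized, so `(((bits)+BN_BITS2-1)/BN_BITS2)` is the safer form if a caller ever passes an expression. The ec2_mult.c hunk ends inside the scalar loop, so the remainder of ec_GF2m_montgomery_point_multiply is outside this view.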