Accepting request 74715 from Base:System

update to latest stable version 1.0.0d. OBS-URL: https://build.opensuse.org/request/show/74715 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=59
2011-06-28 08:06:25 +00:00 · 2011-06-28 08:06:25 +00:00 · afb2b76da7
commit afb2b76da7
parent ca270b4d26
6 changed files with 69 additions and 34 deletions
--- a/CVE-2011-0014.patch
+++ b/CVE-2011-0014.patch
@ -1,28 +0,0 @@
-Index: openssl-1.0.0c/ssl/t1_lib.c
-===================================================================
--- openssl-1.0.0c.orig/ssl/t1_lib.c
-+++ openssl-1.0.0c/ssl/t1_lib.c
-@@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
- 						}
- 					n2s(data, idsize);
- 					dsize -= 2 + idsize;
-+					size -= 2 + idsize;
- 					if (dsize < 0)
- 						{
- 						*al = SSL_AD_DECODE_ERROR;
-@@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
- 					}
- 
- 				/* Read in request_extensions */
-+				if (size < 2)
-+				{
-+					*al = SSL_AD_DECODE_ERROR;
-+					return 0;
-+				}
- 				n2s(data,dsize);
- 				size -= 2;
-				if (dsize > size) 
-+				if (dsize != size) 
- 					{
- 					*al = SSL_AD_DECODE_ERROR;
- 					return 0;
--- a/ECDSA_signatures_timing_attack.patch
+++ b/ECDSA_signatures_timing_attack.patch
@ -0,0 +1,43 @@
+Index: openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c
+===================================================================
+--- openssl-1.0.0c.orig/crypto/ecdsa/ecs_ossl.c
+++ openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c
+@@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *ecke
+ 			}
+ 		while (BN_is_zero(k));
+ 
+#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
+		/* We do not want timing information to leak the length of k,
+		 * so we compute G*k using an equivalent scalar of fixed
+		 * bit-length. */
+
+		if (!BN_add(k, k, order)) goto err;
+		if (BN_num_bits(k) <= BN_num_bits(order))
+			if (!BN_add(k, k, order)) goto err;
+#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
+
+ 		/* compute r the x-coordinate of generator * k */
+ 		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
+ 		{
+Index: openssl-1.0.0c/crypto/ocsp/ocsp_lib.c
+===================================================================
+--- openssl-1.0.0c.orig/crypto/ocsp/ocsp_lib.c
+++ openssl-1.0.0c/crypto/ocsp/ocsp_lib.c
+@@ -170,13 +170,14 @@ int OCSP_parse_url(char *url, char **pho
+ 
+ 	char *host, *port;
+ 
+	*phost = NULL;
+	*pport = NULL;
+	*ppath = NULL;
+
+ 	/* dup the buffer since we are going to mess with it */
+ 	buf = BUF_strdup(url);
+ 	if (!buf) goto mem_err;
+ 
+-	*phost = NULL;
+-	*pport = NULL;
+-	*ppath = NULL;
+ 
+ 	/* Check for initial colon */
+ 	p = strchr(buf, ':');
--- a/openssl-1.0.0c.tar.bz2
+++ b/openssl-1.0.0c.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fabc7750eb05c2b15916b1abdff7287064dd4bc120b0b77e233bc390352bae5d
-size 3207024
--- a/openssl-1.0.0d.tar.bz2
+++ b/openssl-1.0.0d.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1544c7464c7b6cd40bed63cf9e7e27a913d1af881f14d9afd15e61f401056eda
+size 3223694
--- a/openssl.changes
+++ b/openssl.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Fri Jun 24 04:51:50 UTC 2011 - gjhe@novell.com
+
+- update to latest stable version 1.0.0d.
+  patch removed(already in the new package):
+  CVE-2011-0014
+  patch added:
+  ECDSA_signatures_timing_attack.patch
+
+-------------------------------------------------------------------
+Tue May 31 07:07:49 UTC 2011 - gjhe@novell.com
+
+- fix bug[bnc#693027].
+  Add protection against ECDSA timing attacks as mentioned in the paper
+  by Billy Bob Brumley and Nicola Tuveri, see:
+  http://eprint.iacr.org/2011/232.pdf
+  [Billy Bob Brumley and Nicola Tuveri]
+
 -------------------------------------------------------------------
 Mon May 16 14:38:26 UTC 2011 - andrea@opensuse.org

--- a/openssl.spec
+++ b/openssl.spec
@ -32,7 +32,7 @@ Obsoletes:      openssl-64bit
 %endif
 #
 #Version:        1.0.0
-Version:        1.0.0c
+Version:        1.0.0d
 Release:        25
 Summary:        Secure Sockets and Transport Layer Security
 Url:            http://www.openssl.org/
@ -49,7 +49,8 @@ Patch2:         bug610223.patch
 #Patch5:         CVE-2010-2939.patch
 #Patch6:         CVE-2010-3864.patch
 Patch7:         openssl-1.0.0b-aesni.patch
-Patch8:         CVE-2011-0014.patch
+#Patch8:         CVE-2011-0014.patch
+Patch9:         ECDSA_signatures_timing_attack.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -185,7 +186,8 @@ Authors:
 #%patch5 -p1
 #%patch6 -p1
 %patch7 -p1
-%patch8 -p1
+#%patch8 -p1
+%patch9 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags