Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at Tue Jun 28 10:06:37 CEST 2011.
-------- --- openssl/openssl.changes 2011-05-16 16:38:57.000000000 +0200 +++ /mounts/work_src_done/STABLE/openssl/openssl.changes 2011-06-24 07:11:45.000000000 +0200 @@ -1,0 +2,18 @@ +Fri Jun 24 04:51:50 UTC 2011 - [email protected] + +- update to latest stable version 1.0.0d. + patch removed(already in the new package): + CVE-2011-0014 + patch added: + ECDSA_signatures_timing_attack.patch + +------------------------------------------------------------------- +Tue May 31 07:07:49 UTC 2011 - [email protected] + +- fix bug[bnc#693027]. + Add protection against ECDSA timing attacks as mentioned in the paper + by Billy Bob Brumley and Nicola Tuveri, see: + http://eprint.iacr.org/2011/232.pdf + [Billy Bob Brumley and Nicola Tuveri] + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- CVE-2011-0014.patch openssl-1.0.0c.tar.bz2 New: ---- ECDSA_signatures_timing_attack.patch openssl-1.0.0d.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl.spec ++++++ --- /var/tmp/diff_new_pack.PF5Mos/_old 2011-06-28 10:04:13.000000000 +0200 +++ /var/tmp/diff_new_pack.PF5Mos/_new 2011-06-28 10:04:13.000000000 +0200 @@ -32,8 +32,8 @@ %endif # #Version: 1.0.0 -Version: 1.0.0c -Release: 25 +Version: 1.0.0d +Release: 22 Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -49,7 +49,8 @@ #Patch5: CVE-2010-2939.patch #Patch6: CVE-2010-3864.patch Patch7: openssl-1.0.0b-aesni.patch -Patch8: CVE-2011-0014.patch +#Patch8: CVE-2011-0014.patch +Patch9: ECDSA_signatures_timing_attack.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -185,7 +186,8 @@ #%patch5 -p1 #%patch6 -p1 %patch7 -p1 -%patch8 -p1 +#%patch8 -p1 +%patch9 -p1 cp -p %{S:10} . echo "adding/overwriting some entries in the 'table' hash in Configure" # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags ++++++ ECDSA_signatures_timing_attack.patch ++++++ Index: openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c =================================================================== --- openssl-1.0.0c.orig/crypto/ecdsa/ecs_ossl.c +++ openssl-1.0.0c/crypto/ecdsa/ecs_ossl.c @@ -144,6 +144,16 @@ static int ecdsa_sign_setup(EC_KEY *ecke } while (BN_is_zero(k)); +#ifdef ECDSA_POINT_MUL_NO_CONSTTIME + /* We do not want timing information to leak the length of k, + * so we compute G*k using an equivalent scalar of fixed + * bit-length. */ + + if (!BN_add(k, k, order)) goto err; + if (BN_num_bits(k) <= BN_num_bits(order)) + if (!BN_add(k, k, order)) goto err; +#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */ + /* compute r the x-coordinate of generator * k */ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { Index: openssl-1.0.0c/crypto/ocsp/ocsp_lib.c =================================================================== --- openssl-1.0.0c.orig/crypto/ocsp/ocsp_lib.c +++ openssl-1.0.0c/crypto/ocsp/ocsp_lib.c @@ -170,13 +170,14 @@ int OCSP_parse_url(char *url, char **pho char *host, *port; + *phost = NULL; + *pport = NULL; + *ppath = NULL; + /* dup the buffer since we are going to mess with it */ buf = BUF_strdup(url); if (!buf) goto mem_err; - *phost = NULL; - *pport = NULL; - *ppath = NULL; /* Check for initial colon */ p = strchr(buf, ':'); ++++++ openssl-1.0.0c.tar.bz2 -> openssl-1.0.0d.tar.bz2 ++++++ ++++ 1724 lines of diff (skipped) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
