diff -Nru openssl-1.0.1f/debian/changelog openssl-1.0.1f/debian/changelog --- openssl-1.0.1f/debian/changelog 2018-06-20 11:57:40.000000000 +0000 +++ openssl-1.0.1f/debian/changelog 2018-12-04 15:36:19.000000000 +0000 @@ -1,3 +1,22 @@ +openssl (1.0.1f-1ubuntu2.27) trusty-security; urgency=medium + + * SECURITY UPDATE: PortSmash side channel attack + - debian/patches/CVE-2018-5407.patch: fix timing vulnerability in + crypto/bn/bn_lib.c, crypto/ec/ec_mult.c. + - CVE-2018-5407 + * SECURITY UPDATE: timing side channel attack in DSA + - debian/patches/CVE-2018-0734-pre1.patch: address a timing side + channel in crypto/dsa/dsa_ossl.c. + - debian/patches/CVE-2018-0734-1.patch: fix timing vulnerability in + crypto/dsa/dsa_ossl.c. + - debian/patches/CVE-2018-0734-2.patch: fix mod inverse in + crypto/dsa/dsa_ossl.c. + - debian/patches/CVE-2018-0734-3.patch: add a constant time flag in + crypto/dsa/dsa_ossl.c. + - CVE-2018-0734 + + -- Marc Deslauriers Tue, 04 Dec 2018 10:36:19 -0500 + openssl (1.0.1f-1ubuntu2.26) trusty-security; urgency=medium * SECURITY UPDATE: ECDSA key extraction side channel diff -Nru openssl-1.0.1f/debian/patches/CVE-2018-0734-1.patch openssl-1.0.1f/debian/patches/CVE-2018-0734-1.patch --- openssl-1.0.1f/debian/patches/CVE-2018-0734-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2018-0734-1.patch 2018-12-04 15:28:32.000000000 +0000 @@ -0,0 +1,26 @@ +Backport of: + +From 43e6a58d4991a451daf4891ff05a48735df871ac Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Mon, 29 Oct 2018 08:24:22 +1000 +Subject: [PATCH] Merge DSA reallocation timing fix CVE-2018-0734. + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7513) +--- + crypto/dsa/dsa_ossl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openssl-1.0.1f/crypto/dsa/dsa_ossl.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/dsa/dsa_ossl.c 2018-12-04 10:28:30.175965323 -0500 ++++ openssl-1.0.1f/crypto/dsa/dsa_ossl.c 2018-12-04 10:28:30.171965316 -0500 +@@ -242,7 +242,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C + if ((r=BN_new()) == NULL) goto err; + + /* Preallocate space */ +- q_bits = BN_num_bits(dsa->q); ++ q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16; + if (!BN_set_bit(&k, q_bits) + || !BN_set_bit(&l, q_bits) + || !BN_set_bit(&m, q_bits)) diff -Nru openssl-1.0.1f/debian/patches/CVE-2018-0734-2.patch openssl-1.0.1f/debian/patches/CVE-2018-0734-2.patch --- openssl-1.0.1f/debian/patches/CVE-2018-0734-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2018-0734-2.patch 2018-12-04 15:27:00.000000000 +0000 @@ -0,0 +1,76 @@ +Backport of: + +From ebf65dbe1a67682d7e1f58db9c53ef737fb37f32 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Mon, 29 Oct 2018 07:18:09 +1000 +Subject: [PATCH] Merge to 1.0.2: DSA mod inverse fix. + +There is a side channel attack against the division used to calculate one of +the modulo inverses in the DSA algorithm. This change takes advantage of the +primality of the modulo and Fermat's little theorem to calculate the inverse +without leaking information. + +Thanks to Samuel Weiser for finding and reporting this. + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7512) +--- + crypto/dsa/dsa_ossl.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +Index: openssl-1.0.1f/crypto/dsa/dsa_ossl.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/dsa/dsa_ossl.c 2018-12-04 10:24:18.003533898 -0500 ++++ openssl-1.0.1f/crypto/dsa/dsa_ossl.c 2018-12-04 10:26:34.659755577 -0500 +@@ -72,6 +72,8 @@ static int dsa_do_verify(const unsigned + DSA *dsa); + static int dsa_init(DSA *dsa); + static int dsa_finish(DSA *dsa); ++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, ++ BN_CTX *ctx); + + static DSA_METHOD openssl_dsa_meth = { + "OpenSSL DSA method", +@@ -298,8 +300,8 @@ static int dsa_sign_setup(DSA *dsa, BN_C + dsa->method_mont_p); + if (!BN_mod(r,r,dsa->q,ctx)) goto err; + +- /* Compute part of 's = inv(k) (m + xr) mod q' */ +- if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err; ++ /* Compute part of 's = inv(k) (m + xr) mod q' */ ++ if ((kinv=dsa_mod_inverse_fermat(&k, dsa->q, ctx)) == NULL) goto err; + + if (*kinvp != NULL) BN_clear_free(*kinvp); + *kinvp=kinv; +@@ -428,3 +430,31 @@ static int dsa_finish(DSA *dsa) + return(1); + } + ++ ++/* ++ * Compute the inverse of k modulo q. ++ * Since q is prime, Fermat's Little Theorem applies, which reduces this to ++ * mod-exp operation. Both the exponent and modulus are public information ++ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated ++ * BIGNUM is returned which the caller must free. ++ */ ++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, ++ BN_CTX *ctx) ++{ ++ BIGNUM *res = NULL; ++ BIGNUM *r, e; ++ ++ if ((r = BN_new()) == NULL) ++ return NULL; ++ ++ BN_init(&e); ++ ++ if (BN_set_word(r, 2) ++ && BN_sub(&e, q, r) ++ && BN_mod_exp_mont(r, k, &e, q, ctx, NULL)) ++ res = r; ++ else ++ BN_free(r); ++ BN_free(&e); ++ return res; ++} diff -Nru openssl-1.0.1f/debian/patches/CVE-2018-0734-3.patch openssl-1.0.1f/debian/patches/CVE-2018-0734-3.patch --- openssl-1.0.1f/debian/patches/CVE-2018-0734-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2018-0734-3.patch 2018-12-04 15:29:47.000000000 +0000 @@ -0,0 +1,28 @@ +Backport of: + +From 880d1c76ed9916cddb97fe05fb4c144f0f6f1012 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Thu, 1 Nov 2018 08:44:11 +1000 +Subject: [PATCH] Add a constant time flag to one of the bignums to avoid a + timing leak. + +Reviewed-by: Tim Hudson +(Merged from https://github.com/openssl/openssl/pull/7549) + +(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) +--- + crypto/dsa/dsa_ossl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openssl-1.0.1f/crypto/dsa/dsa_ossl.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/dsa/dsa_ossl.c 2018-12-04 10:28:45.627994680 -0500 ++++ openssl-1.0.1f/crypto/dsa/dsa_ossl.c 2018-12-04 10:29:20.096061156 -0500 +@@ -258,6 +258,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) + { + BN_set_flags(&k, BN_FLG_CONSTTIME); ++ BN_set_flags(&l, BN_FLG_CONSTTIME); + } + + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) diff -Nru openssl-1.0.1f/debian/patches/CVE-2018-0734-pre1.patch openssl-1.0.1f/debian/patches/CVE-2018-0734-pre1.patch --- openssl-1.0.1f/debian/patches/CVE-2018-0734-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2018-0734-pre1.patch 2018-12-04 15:28:02.000000000 +0000 @@ -0,0 +1,115 @@ +Backport of: + +From b96bebacfe814deb99fb64a3ed2296d95c573600 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 1 Nov 2017 06:58:13 +1000 +Subject: [PATCH] Address a timing side channel whereby it is possible to + determine some + +information about the length of a value used in DSA operations from +a large number of signatures. + +This doesn't rate as a CVE because: + +* For the non-constant time code, there are easier ways to extract + more information. + +* For the constant time code, it requires a significant number of signatures + to leak a small amount of information. + +Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for +reporting this issue. + +Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell + +Reviewed-by: Andy Polyakov +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/4642) +--- + crypto/dsa/dsa_ossl.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +Index: openssl-1.0.1f/crypto/dsa/dsa_ossl.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/dsa/dsa_ossl.c 2018-12-04 10:14:21.307177249 -0500 ++++ openssl-1.0.1f/crypto/dsa/dsa_ossl.c 2018-12-04 10:22:24.079376912 -0500 +@@ -217,7 +217,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C + { + BN_CTX *ctx; + BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; ++ BIGNUM l, m; + int ret=0; ++ int q_bits; + + if (!dsa->p || !dsa->q || !dsa->g) + { +@@ -227,6 +229,8 @@ static int dsa_sign_setup(DSA *dsa, BN_C + + BN_init(&k); + BN_init(&kq); ++ BN_init(&l); ++ BN_init(&m); + + if (ctx_in == NULL) + { +@@ -237,6 +241,13 @@ static int dsa_sign_setup(DSA *dsa, BN_C + + if ((r=BN_new()) == NULL) goto err; + ++ /* Preallocate space */ ++ q_bits = BN_num_bits(dsa->q); ++ if (!BN_set_bit(&k, q_bits) ++ || !BN_set_bit(&l, q_bits) ++ || !BN_set_bit(&m, q_bits)) ++ goto err; ++ + /* Get random k */ + do + if (!BN_rand_range(&k, dsa->q)) goto err; +@@ -259,21 +270,22 @@ static int dsa_sign_setup(DSA *dsa, BN_C + + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) + { +- if (!BN_copy(&kq, &k)) goto err; +- +- BN_set_flags(&kq, BN_FLG_CONSTTIME); +- +- /* We do not want timing information to leak the length of k, +- * so we compute g^k using an equivalent exponent of fixed length. ++ /* We do not want timing information to leak the length of k, so we ++ * compute G^k using an equivalent scalar of fixed bit-length. + * +- * (This is a kludge that we need because the BN_mod_exp_mont() +- * does not let us specify the desired timing behaviour.) */ ++ * We unconditionally perform both of these additions to prevent a ++ * small timing information leakage. We then choose the sum that is ++ * one bit longer than the modulus. ++ * ++ * TODO: revisit the BN_copy aiming for a memory access agnostic ++ * conditional copy. */ ++ ++ if (!BN_add(&l, &k, dsa->q) ++ || !BN_add(&m, &l, dsa->q) ++ || !BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m)) ++ goto err; + +- if (!BN_add(&kq, &kq, dsa->q)) goto err; +- if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) +- { +- if (!BN_add(&kq, &kq, dsa->q)) goto err; +- } ++ BN_set_flags(&kq, BN_FLG_CONSTTIME); + + K = &kq; + } +@@ -305,7 +317,9 @@ err: + if (ctx_in == NULL) BN_CTX_free(ctx); + BN_clear_free(&k); + BN_clear_free(&kq); +- return(ret); ++ BN_clear_free(&l); ++ BN_clear_free(&m); ++ return ret; + } + + static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, diff -Nru openssl-1.0.1f/debian/patches/CVE-2018-5407.patch openssl-1.0.1f/debian/patches/CVE-2018-5407.patch --- openssl-1.0.1f/debian/patches/CVE-2018-5407.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2018-5407.patch 2018-12-04 15:35:12.000000000 +0000 @@ -0,0 +1,345 @@ +Backport of: + +From b18162a7c9bbfb57112459a4d6631fa258fd8c0c Mon Sep 17 00:00:00 2001 +From: Billy Brumley +Date: Thu, 8 Nov 2018 13:57:54 +0200 +Subject: [PATCH] CVE-2018-5407 fix: ECC ladder + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +Reviewed-by: Nicola Tuveri +(Merged from https://github.com/openssl/openssl/pull/7593) +--- + CHANGES | 13 +++ + crypto/bn/bn_lib.c | 32 +++++++ + crypto/ec/ec_mult.c | 246 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 291 insertions(+) + +#diff --git a/CHANGES b/CHANGES +#index b574074..fde66b5 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -9,6 +9,19 @@ +# +# Changes between 1.0.2p and 1.0.2q [xx XXX xxxx] +# +#+ *) Microarchitecture timing vulnerability in ECC scalar multiplication +#+ +#+ OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been +#+ shown to be vulnerable to a microarchitecture timing side channel attack. +#+ An attacker with sufficient access to mount local timing attacks during +#+ ECDSA signature generation could recover the private key. +#+ +#+ This issue was reported to OpenSSL on 26th October 2018 by Alejandro +#+ Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and +#+ Nicola Tuveri. +#+ (CVE-2018-5407) +#+ [Billy Brumley] +#+ +# *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object +# Module, accidentally introduced while backporting security fixes from the +# development branch and hindering the use of ECC in FIPS mode. +Index: openssl-1.0.1f/crypto/bn/bn_lib.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/bn/bn_lib.c 2018-12-04 10:30:09.188158053 -0500 ++++ openssl-1.0.1f/crypto/bn/bn_lib.c 2018-12-04 10:35:08.856793986 -0500 +@@ -850,6 +850,32 @@ void BN_consttime_swap(BN_ULONG conditio + a->top ^= t; + b->top ^= t; + ++ t = (a->neg ^ b->neg) & condition; ++ a->neg ^= t; ++ b->neg ^= t; ++ ++ /*- ++ * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention ++ * is actually to treat it as it's read-only data, and some (if not most) ++ * of it does reside in read-only segment. In other words observation of ++ * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal ++ * condition. It would either cause SEGV or effectively cause data ++ * corruption. ++ * ++ * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be ++ * preserved. ++ * ++ * BN_FLG_SECURE: must be preserved, because it determines how x->d was ++ * allocated and hence how to free it. ++ * ++ * BN_FLG_CONSTTIME: sufficient to mask and swap ++ * ++ */ ++ ++ t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; ++ a->flags ^= t; ++ b->flags ^= t; ++ + #define BN_CONSTTIME_SWAP(ind) \ + do { \ + t = (a->d[ind] ^ b->d[ind]) & condition; \ +Index: openssl-1.0.1f/crypto/ec/ec_mult.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/ec/ec_mult.c 2018-12-04 10:30:09.188158053 -0500 ++++ openssl-1.0.1f/crypto/ec/ec_mult.c 2018-12-04 10:33:24.916566063 -0500 +@@ -68,6 +68,224 @@ + #include "ec_lcl.h" + + ++#define EC_POINT_BN_set_flags(P, flags) do { \ ++ BN_set_flags(&(P)->X, (flags)); \ ++ BN_set_flags(&(P)->Y, (flags)); \ ++ BN_set_flags(&(P)->Z, (flags)); \ ++} while(0) ++ ++/*- ++ * This functions computes (in constant time) a point multiplication over the ++ * EC group. ++ * ++ * At a high level, it is Montgomery ladder with conditional swaps. ++ * ++ * It performs either a fixed scalar point multiplication ++ * (scalar * generator) ++ * when point is NULL, or a generic scalar point multiplication ++ * (scalar * point) ++ * when point is not NULL. ++ * ++ * scalar should be in the range [0,n) otherwise all constant time bets are off. ++ * ++ * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, ++ * which of course are not constant time themselves. ++ * ++ * The product is stored in r. ++ * ++ * Returns 1 on success, 0 otherwise. ++ */ ++static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, const EC_POINT *point, ++ BN_CTX *ctx) ++{ ++ int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; ++ EC_POINT *s = NULL; ++ BIGNUM *k = NULL; ++ BIGNUM *lambda = NULL; ++ BIGNUM *cardinality = NULL; ++ BN_CTX *new_ctx = NULL; ++ int ret = 0; ++ ++ if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ ++ s = EC_POINT_new(group); ++ if (s == NULL) ++ goto err; ++ ++ if (point == NULL) { ++ if (!EC_POINT_copy(s, group->generator)) ++ goto err; ++ } else { ++ if (!EC_POINT_copy(s, point)) ++ goto err; ++ } ++ ++ EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); ++ ++ cardinality = BN_CTX_get(ctx); ++ lambda = BN_CTX_get(ctx); ++ k = BN_CTX_get(ctx); ++ if (k == NULL || !BN_mul(cardinality, &group->order, &group->cofactor, ctx)) ++ goto err; ++ ++ /* ++ * Group cardinalities are often on a word boundary. ++ * So when we pad the scalar, some timing diff might ++ * pop if it needs to be expanded due to carries. ++ * So expand ahead of time. ++ */ ++ cardinality_bits = BN_num_bits(cardinality); ++ group_top = cardinality->top; ++ if ((bn_wexpand(k, group_top + 2) == NULL) ++ || (bn_wexpand(lambda, group_top + 2) == NULL)) ++ goto err; ++ ++ if (!BN_copy(k, scalar)) ++ goto err; ++ ++ BN_set_flags(k, BN_FLG_CONSTTIME); ++ ++ if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { ++ /*- ++ * this is an unusual input, and we don't guarantee ++ * constant-timeness ++ */ ++ if (!BN_nnmod(k, k, cardinality, ctx)) ++ goto err; ++ } ++ ++ if (!BN_add(lambda, k, cardinality)) ++ goto err; ++ BN_set_flags(lambda, BN_FLG_CONSTTIME); ++ if (!BN_add(k, lambda, cardinality)) ++ goto err; ++ /* ++ * lambda := scalar + cardinality ++ * k := scalar + 2*cardinality ++ */ ++ kbit = BN_is_bit_set(lambda, cardinality_bits); ++ BN_consttime_swap(kbit, k, lambda, group_top + 2); ++ ++ group_top = group->field.top; ++ if ((bn_wexpand(&s->X, group_top) == NULL) ++ || (bn_wexpand(&s->Y, group_top) == NULL) ++ || (bn_wexpand(&s->Z, group_top) == NULL) ++ || (bn_wexpand(&r->X, group_top) == NULL) ++ || (bn_wexpand(&r->Y, group_top) == NULL) ++ || (bn_wexpand(&r->Z, group_top) == NULL)) ++ goto err; ++ ++ /* top bit is a 1, in a fixed pos */ ++ if (!EC_POINT_copy(r, s)) ++ goto err; ++ ++ EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); ++ ++ if (!EC_POINT_dbl(group, s, s, ctx)) ++ goto err; ++ ++ pbit = 0; ++ ++#define EC_POINT_CSWAP(c, a, b, w, t) do { \ ++ BN_consttime_swap(c, &(a)->X, &(b)->X, w); \ ++ BN_consttime_swap(c, &(a)->Y, &(b)->Y, w); \ ++ BN_consttime_swap(c, &(a)->Z, &(b)->Z, w); \ ++ t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ ++ (a)->Z_is_one ^= (t); \ ++ (b)->Z_is_one ^= (t); \ ++} while(0) ++ ++ /*- ++ * The ladder step, with branches, is ++ * ++ * k[i] == 0: S = add(R, S), R = dbl(R) ++ * k[i] == 1: R = add(S, R), S = dbl(S) ++ * ++ * Swapping R, S conditionally on k[i] leaves you with state ++ * ++ * k[i] == 0: T, U = R, S ++ * k[i] == 1: T, U = S, R ++ * ++ * Then perform the ECC ops. ++ * ++ * U = add(T, U) ++ * T = dbl(T) ++ * ++ * Which leaves you with state ++ * ++ * k[i] == 0: U = add(R, S), T = dbl(R) ++ * k[i] == 1: U = add(S, R), T = dbl(S) ++ * ++ * Swapping T, U conditionally on k[i] leaves you with state ++ * ++ * k[i] == 0: R, S = T, U ++ * k[i] == 1: R, S = U, T ++ * ++ * Which leaves you with state ++ * ++ * k[i] == 0: S = add(R, S), R = dbl(R) ++ * k[i] == 1: R = add(S, R), S = dbl(S) ++ * ++ * So we get the same logic, but instead of a branch it's a ++ * conditional swap, followed by ECC ops, then another conditional swap. ++ * ++ * Optimization: The end of iteration i and start of i-1 looks like ++ * ++ * ... ++ * CSWAP(k[i], R, S) ++ * ECC ++ * CSWAP(k[i], R, S) ++ * (next iteration) ++ * CSWAP(k[i-1], R, S) ++ * ECC ++ * CSWAP(k[i-1], R, S) ++ * ... ++ * ++ * So instead of two contiguous swaps, you can merge the condition ++ * bits and do a single swap. ++ * ++ * k[i] k[i-1] Outcome ++ * 0 0 No Swap ++ * 0 1 Swap ++ * 1 0 Swap ++ * 1 1 No Swap ++ * ++ * This is XOR. pbit tracks the previous bit of k. ++ */ ++ ++ for (i = cardinality_bits - 1; i >= 0; i--) { ++ kbit = BN_is_bit_set(k, i) ^ pbit; ++ EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); ++ if (!EC_POINT_add(group, s, r, s, ctx)) ++ goto err; ++ if (!EC_POINT_dbl(group, r, r, ctx)) ++ goto err; ++ /* ++ * pbit logic merges this cswap with that of the ++ * next iteration ++ */ ++ pbit ^= kbit; ++ } ++ /* one final cswap to move the right value into r */ ++ EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); ++#undef EC_POINT_CSWAP ++ ++ ret = 1; ++ ++ err: ++ EC_POINT_free(s); ++ BN_CTX_end(ctx); ++ BN_CTX_free(new_ctx); ++ ++ return ret; ++} ++ ++#undef EC_POINT_BN_set_flags ++ + /* + * This file implements the wNAF-based interleaving multi-exponentation method + * (); +@@ -380,6 +598,37 @@ int ec_wNAF_mul(const EC_GROUP *group, E + return EC_POINT_set_to_infinity(group, r); + } + ++ if (!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)) ++ { ++ /*- ++ * Handle the common cases where the scalar is secret, enforcing a constant ++ * time scalar multiplication algorithm. ++ */ ++ if ((scalar != NULL) && (num == 0)) ++ { ++ /*- ++ * In this case we want to compute scalar * GeneratorPoint: this ++ * codepath is reached most prominently by (ephemeral) key generation ++ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH ++ * keygen/first half), where the scalar is always secret. This is why ++ * we ignore if BN_FLG_CONSTTIME is actually set and we always call the ++ * constant time version. ++ */ ++ return ec_mul_consttime(group, r, scalar, NULL, ctx); ++ } ++ if ((scalar == NULL) && (num == 1)) ++ { ++ /*- ++ * In this case we want to compute scalar * GenericPoint: this codepath ++ * is reached most prominently by the second half of ECDH, where the ++ * secret scalar is multiplied by the peer's public point. To protect ++ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and ++ * we always call the constant time version. ++ */ ++ return ec_mul_consttime(group, r, scalars[0], points[0], ctx); ++ } ++ } ++ + for (i = 0; i < num; i++) + { + if (group->meth != points[i]->meth) diff -Nru openssl-1.0.1f/debian/patches/series openssl-1.0.1f/debian/patches/series --- openssl-1.0.1f/debian/patches/series 2018-06-20 11:56:42.000000000 +0000 +++ openssl-1.0.1f/debian/patches/series 2018-12-04 15:30:03.000000000 +0000 @@ -145,3 +145,8 @@ CVE-2018-0737-2.patch CVE-2018-0737-3.patch CVE-2018-0737-4.patch +CVE-2018-0734-pre1.patch +CVE-2018-0734-1.patch +CVE-2018-0734-2.patch +CVE-2018-0734-3.patch +CVE-2018-5407.patch