*) Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
shown to be vulnerable to a microarchitecture timing side channel attack.
An attacker with sufficient access to mount local timing attacks during
ECDSA signature generation could recover the private key.
This issue was reported to OpenSSL on 26th October 2018 by Alejandro
Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
Nicola Tuveri.
(CVE-2018-5407)
[Billy Brumley]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
Module, accidentally introduced while backporting security fixes from the
development branch and hindering the use of ECC in FIPS mode.
[Nicola Tuveri]
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org>                       #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

###############################################################################
# Definitions
###############################################################################

include Config

# Upstream release packaged by this file. 1.0.2q is the release that addresses
# CVE-2018-5407 (timing side channel in ECC scalar multiplication) and
# CVE-2018-0734 (timing side channel in DSA signature generation).
VER        = 1.0.2q

THISAPP    = openssl-$(VER)
DL_FILE    = $(THISAPP).tar.gz
# The tarball is fetched from whatever location Config puts in URL_IPFIRE.
# NOTE(review): the transport (http/https) is not visible here, so the pinned
# checksum further down is the only integrity control this file itself shows.
DL_FROM    = $(URL_IPFIRE)
DIR_APP    = $(DIR_SRC)/$(THISAPP)

TARGET     = $(DIR_INFO)/$(THISAPP)$(KCFG)

# Exported into the environment of every recipe command.
# NOTE(review): presumably consumed by the rpmbuild patch applied during the
# build -- confirm against the patch.
export RPM_OPT_FLAGS = $(CFLAGS)

# Arguments handed to OpenSSL's ./Configure. The variable stays recursively
# expanded on purpose: $(OPENSSL_ARCH) is only assigned further down the file.

# Installation layout.
CONFIGURE_OPTIONS  = --prefix=/usr
CONFIGURE_OPTIONS += --openssldir=/etc/ssl
CONFIGURE_OPTIONS += --enginesdir=/usr/lib/openssl/engines

# Shared libraries; zlib is loaded at run time rather than linked in.
# NOTE(review): zlib support is what makes TLS-level compression available;
# consumers should keep SSL_OP_NO_COMPRESSION set -- confirm it is needed.
CONFIGURE_OPTIONS += shared
CONFIGURE_OPTIONS += zlib-dynamic

# Algorithms and protocol features switched on or off explicitly.
CONFIGURE_OPTIONS += enable-camellia
# NOTE(review): MD2 is a broken legacy digest; presumably kept only for
# compatibility with existing consumers of this library -- confirm.
CONFIGURE_OPTIONS += enable-md2
# SSLv2 is compiled out.
CONFIGURE_OPTIONS += disable-ssl2
CONFIGURE_OPTIONS += enable-seed
CONFIGURE_OPTIONS += enable-tlsext
CONFIGURE_OPTIONS += enable-rfc3779

# Algorithms left out of the build: IDEA, MDC2, RC5 and SRP.
CONFIGURE_OPTIONS += no-idea
CONFIGURE_OPTIONS += no-mdc2
CONFIGURE_OPTIONS += no-rc5
CONFIGURE_OPTIONS += no-srp

# Preprocessor define passed through to the compiler.
# NOTE(review): presumably removes the NULL-encryption (eNULL) cipher suites
# at compile time -- confirm against ssl/ssl_ciph.c of this release.
CONFIGURE_OPTIONS += -DSSL_FORBID_ENULL

# Configure target (plus optional no-sse2), chosen per architecture below.
CONFIGURE_OPTIONS += $(OPENSSL_ARCH)

# Pick the OpenSSL Configure target for this build.
# A recognised BUILD_ARCH always wins; only when none of the three named
# architectures matches does the choice fall back to a generic target
# selected by IS_64BIT.
ifeq "$(BUILD_ARCH)" "aarch64"
  OPENSSL_ARCH = linux-aarch64
else ifeq "$(BUILD_ARCH)" "x86_64"
  OPENSSL_ARCH = linux-x86_64
else ifeq "$(BUILD_ARCH)" "i586"
  OPENSSL_ARCH = linux-elf
  # Every i586 flavour except the "-sse2" kernel configuration is built
  # with SSE2 code paths disabled.
  ifneq "$(KCFG)" "-sse2"
    OPENSSL_ARCH += no-sse2
  endif
else ifeq "$(IS_64BIT)" "1"
  # NOTE(review): the generic targets are presumably the portable builds
  # without architecture-specific assembly -- confirm.
  OPENSSL_ARCH = linux-generic64
else
  OPENSSL_ARCH = linux-generic32
endif

###############################################################################
# Top-level Rules
###############################################################################

# Files this package has to download.
objects = $(DL_FILE)

# Per-file variables whose names are derived from the tarball name: the
# download URL, and the digest the download is expected to have.
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

# MD5 is not collision resistant, so this pin detects a corrupted or truncated
# download but is weak evidence against a deliberately substituted tarball.
# NOTE(review): if the framework in Config can check a stronger digest, pin
# that as well -- confirm what $(CHECK) and $(MD5) actually verify.
$(DL_FILE)_MD5 = 7563e1ce046cb21948eeb6ba1a0eb71c

install  : $(TARGET)

check    : $(addprefix $(DIR_CHK)/,$(objects))

download : $(addprefix $(DIR_DL)/,$(objects))

# $(subst) replaces the literal character '%', which the file name does not
# contain, so this prerequisite list expands to $(objects) unchanged.
md5      : $(subst %,%_MD5,$(objects))

###############################################################################
# Downloading, checking, md5sum
###############################################################################

# The recipes below are macros supplied by the included Config file; what
# they do (fetching, digest comparison) is not visible in this file.

# One check target per downloaded file, placed under DIR_CHK.
$(addprefix $(DIR_CHK)/,$(objects)) :
	@$(CHECK)

# One download target per file, placed under DIR_DL.
$(addprefix $(DIR_DL)/,$(objects)) :
	@$(LOAD)

# '%' is taken literally by $(subst), so the target names here are the plain
# entries of $(objects).
$(subst %,%_MD5,$(objects)) :
	@$(MD5)

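###############################################################################
# Installation Details
###############################################################################

# Unpack the pinned tarball, apply the distribution patches, build, and copy
# only the two shared libraries into /usr/lib. Each recipe line runs in its
# own shell, hence the repeated "cd $(DIR_APP) &&".
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
	@$(PREBUILD)
	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)

# Distribution patches. Judging by their file names only (their content is
# not visible here), the last two restrict weak cipher suites and disable
# SSLv2/SSLv3; a version bump should re-check that they still apply cleanly.
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2h-weak-ciphers.patch
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch

# i586 specific patches
ifeq "$(BUILD_ARCH)" "i586"
	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a_disable_ssse3_for_amd.patch
endif

# With openssl 1.0.2e, pod2mantest is missing.
# Write a two-line bash script that prints the path of pod2man when it is run.
# printf is used instead of "echo -e" so the result does not depend on which
# echo builtin the recipe shell provides; "$$" reaches the shell as a single
# "$", and the single quotes keep the command substitution literal in the file.
	printf '#!/bin/bash\necho $$(which pod2man)\n' > $(DIR_APP)/util/pod2mantest
	chmod a+x $(DIR_APP)/util/pod2mantest

# Apply our CFLAGS
# NOTE(review): $(CFLAGS) is pasted into the sed expression unescaped, so a
# value containing "/" or "&" would break or alter the substitution.
	cd $(DIR_APP) && sed -i Configure \
		-e "s/-O3 -fomit-frame-pointer/$(CFLAGS)/g"

# Prefix ASFLAGS in every crypto Makefile with -Wa,--noexecstack so the
# assembled objects are marked as not requiring an executable stack.
	cd $(DIR_APP) && find crypto/ -name Makefile -exec \
		sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;

	cd $(DIR_APP) && ./Configure $(CONFIGURE_OPTIONS)

# Plain "make" rather than $(MAKE) is kept as found.
# NOTE(review): presumably deliberate, so that the OpenSSL build does not join
# the parent's job server and run in parallel -- confirm before changing.
	cd $(DIR_APP) && make depend
	cd $(DIR_APP) && make

# Install libraries only: nothing else from the build tree (headers, the
# openssl binary, configuration) is copied. The copy goes straight to
# /usr/lib of the environment the recipe runs in.
	cd $(DIR_APP) && install -m 755 \
		libcrypto.so.10 libssl.so.10 /usr/lib

	@rm -rf $(DIR_APP)
	@$(POSTBUILD)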