diff -Nru openssl-1.0.2g/debian/changelog openssl-1.0.2g/debian/changelog
--- openssl-1.0.2g/debian/changelog 2018-04-18 18:35:56.000000000 +0000
+++ openssl-1.0.2g/debian/changelog 2018-06-20 11:38:22.000000000 +0000
@@ -1,3 +1,28 @@
+openssl (1.0.2g-1ubuntu4.13) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: ECDSA key extraction side channel
+ - debian/patches/CVE-2018-0495.patch: add blinding to an ECDSA
+ signature in crypto/ecdsa/ecdsatest.c, crypto/ecdsa/ecs_ossl.c.
+ - CVE-2018-0495
+ * SECURITY UPDATE: denial of service via long prime values
+ - debian/patches/CVE-2018-0732.patch: reject excessively large primes
+ in DH key generation in crypto/dh/dh_key.c.
+ - CVE-2018-0732
+ * SECURITY UPDATE: RSA cache timing side channel attack
+ (previous update was incomplete)
+ - debian/patches/CVE-2018-0737-1.patch: replaced variable-time GCD in
+ crypto/rsa/rsa_gen.c.
+ - debian/patches/CVE-2018-0737-2.patch: used ERR set/pop mark in
+ crypto/rsa/rsa_gen.c.
+ - debian/patches/CVE-2018-0737-3.patch: consttime flag changed in
+ crypto/rsa/rsa_gen.c.
+ - debian/patches/CVE-2018-0737-4.patch: ensure BN_mod_inverse and
+ BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set in
+ crypto/rsa/rsa_gen.c.
+ - CVE-2018-0737
+
+ -- Marc Deslauriers Wed, 20 Jun 2018 07:38:22 -0400
+
 openssl (1.0.2g-1ubuntu4.12) xenial-security; urgency=medium
 
 * SECURITY UPDATE: Cache timing side channel
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0495.patch openssl-1.0.2g/debian/patches/CVE-2018-0495.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0495.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0495.patch 2018-06-20 11:37:55.000000000 +0000
@@ -0,0 +1,218 @@
+From 949ff36623eafc3523a9f91784992965018ffb05 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 25 May 2018 12:10:13 +0100
+Subject: [PATCH] Add blinding to an ECDSA signature
+
+Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
+ECDSA signature operation. During signing the signer calculates:
+
+s:= k^-1 * (m + r * priv_key) mod order
+
+The addition operation above provides a sufficient signal for a
+flush+reload attack to derive the private key given sufficient signature
+operations.
+
+As a mitigation (based on a suggestion from Keegan) we add blinding to
+the operation so that:
+
+s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
+
+Since this attack is a localhost side channel only no CVE is assigned.
+
+Reviewed-by: Rich Salz
+---
+ CHANGES | 4 +++
+ crypto/ecdsa/ecdsatest.c | 9 +++++-
+ crypto/ecdsa/ecs_ossl.c | 82 +++++++++++++++++++++++++++++++++++++++---------
+ 3 files changed, 79 insertions(+), 16 deletions(-)
+
+#diff --git a/CHANGES b/CHANGES
+#index f17fbbf..a3861ab 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -9,6 +9,10 @@
+#
+# Changes between 1.0.2o and 1.0.2p [xx XXX xxxx]
+#
+#+ *) Add blinding to an ECDSA signature to protect against side channel attacks
+#+ discovered by Keegan Ryan (NCC Group).
+#+ [Matt Caswell]
+#+
+# *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+# now allow empty (zero character) pass phrases.
+# [Richard Levitte]
+Index: openssl-1.0.2g/crypto/ecdsa/ecdsatest.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/ecdsa/ecdsatest.c 2018-06-20 07:30:04.909513406 -0400
++++ openssl-1.0.2g/crypto/ecdsa/ecdsatest.c 2018-06-20 07:30:04.905513403 -0400
+@@ -137,7 +137,7 @@ int restore_rand(void)
+ return 1;
+ }
+
+-static int fbytes_counter = 0;
++static int fbytes_counter = 0, use_fake = 0;
+ static const char *numbers[8] = {
+ "651056770906015076056810763456358567190100156695615665659",
+ "6140507067065001063065065565667405560006161556565665656654",
+@@ -158,6 +158,11 @@ int fbytes(unsigned char *buf, int num)
+ int ret;
+ BIGNUM *tmp = NULL;
+
++ if (use_fake == 0)
++ return old_rand->bytes(buf, num);
++
++ use_fake = 0;
++
+ if (fbytes_counter >= 8)
+ return 0;
+ tmp = BN_new();
+@@ -199,11 +204,13 @@ int x9_62_test_internal(BIO *out, int ni
+ /* create the key */
+ if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
+ goto x962_int_err;
++ use_fake = 1;
+ if (!EC_KEY_generate_key(key))
+ goto x962_int_err;
+ BIO_printf(out, ".");
+ (void)BIO_flush(out);
+ /* create the signature */
++ use_fake = 1;
+ signature = ECDSA_do_sign(digest, 20, key);
+ if (signature == NULL)
+ goto x962_int_err;
+Index: openssl-1.0.2g/crypto/ecdsa/ecs_ossl.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/ecdsa/ecs_ossl.c 2018-06-20 07:30:04.909513406 -0400
++++ openssl-1.0.2g/crypto/ecdsa/ecs_ossl.c 2018-06-20 07:30:04.905513403 -0400
+@@ -238,6 +238,7 @@ static ECDSA_SIG *ecdsa_do_sign(const un
+ {
+ int ok = 0, i;
+ BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
++ BIGNUM *blind = NULL, *blindm = NULL;
+ const BIGNUM *ckinv;
+ BN_CTX *ctx = NULL;
+ const EC_GROUP *group;
+@@ -255,14 +256,25 @@ static ECDSA_SIG *ecdsa_do_sign(const un
+ }
+
+ ret = ECDSA_SIG_new();
+- if (!ret) {
++ if (ret == NULL) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ s = ret->s;
+
+- if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
+- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
++ ctx = BN_CTX_new();
++ if (ctx == NULL) {
++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ BN_CTX_start(ctx);
++ order = BN_CTX_get(ctx);
++ tmp = BN_CTX_get(ctx);
++ m = BN_CTX_get(ctx);
++ blind = BN_CTX_get(ctx);
++ blindm = BN_CTX_get(ctx);
++ if (blindm == NULL) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+@@ -301,26 +313,70 @@ static ECDSA_SIG *ecdsa_do_sign(const un
+ }
+ }
+
+- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
++ /*
++ * The normal signature calculation is:
++ *
++ * s := k^-1 * (m + r * priv_key) mod order
++ *
++ * We will blind this to protect against side channel attacks
++ *
++ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
++ */
++
++ /* Generate a blinding value */
++ do {
++ if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0))
++ goto err;
++ } while (BN_is_zero(blind));
++ BN_set_flags(blind, BN_FLG_CONSTTIME);
++ BN_set_flags(blindm, BN_FLG_CONSTTIME);
++ BN_set_flags(tmp, BN_FLG_CONSTTIME);
++
++ /* tmp := blind * priv_key * r mod order */
++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
++ goto err;
++ }
++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
++ goto err;
++ }
++
++ /* blindm := blind * m mod order */
++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
++ goto err;
++ }
++
++ /* s : = (blind * priv_key * r) + (blind * m) mod order */
++ if (!BN_mod_add_quick(s, tmp, blindm, order)) {
++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
++ goto err;
++ }
++
++ /* s:= s * blind^-1 mod order */
++ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+ goto err;
+ }
+- if (!BN_mod_add_quick(s, tmp, m, order)) {
++ if (!BN_mod_mul(s, s, blind, order, ctx)) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+ goto err;
+ }
++
++ /* s := s * k^-1 mod order */
+ if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+ goto err;
+ }
++
+ if (BN_is_zero(s)) {
+ /*
+ * if kinv and r have been supplied by the caller don't to
+ * generate new kinv and r values
+ */
+ if (in_kinv != NULL && in_r != NULL) {
+- ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
+- ECDSA_R_NEED_NEW_SETUP_VALUES);
++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES);
+ goto err;
+ }
+ } else
+@@ -335,15 +391,11 @@ static ECDSA_SIG *ecdsa_do_sign(const un
+ ECDSA_SIG_free(ret);
+ ret = NULL;
+ }
+- if (ctx)
++ if (ctx != NULL) {
++ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+- if (m)
+- BN_clear_free(m);
+- if (tmp)
+- BN_clear_free(tmp);
+- if (order)
+- BN_free(order);
+- if (kinv)
++ }
++ if (kinv != NULL)
+ BN_clear_free(kinv);
+ return ret;
+ }
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0732.patch openssl-1.0.2g/debian/patches/CVE-2018-0732.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0732.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0732.patch 2018-06-20 11:38:01.000000000 +0000
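Review bot: In the ecs_ossl.c hunk of CVE-2018-0495.patch the blinding loop is the only failure path in these hunks that reaches err without queueing an error: `if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0))` should be followed by `ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);` like every neighbouring check, so a caller that gets a NULL signature because the RNG failed has a reason on the error queue to log. The three BN_set_flags calls deserve a why-comment, e.g. `/* CONSTTIME on blind selects the non-branching BN_mod_inverse() path below */` — in 1.0.2 BN_mod_inverse picks that path from the flag on either operand, which I would confirm against bn_gcd.c before wording it as fact. In the ecdsatest.c hunk, fbytes() clears use_fake on its first call, so after this patch the nonce still comes from the fixed vectors while the blinding value comes from old_rand; a one-line comment on the `use_fake = 1;` before ECDSA_do_sign saying so would save the next reader the trip through fbytes. The explicit BN_clear_free of m and tmp is replaced by BN_CTX_end/BN_CTX_free, which keeps the intermediates scrubbed only if the ctx pool clears its values on free — I believe it does in 1.0.2 but did not verify here. The middle of ecdsa_do_sign (the kinv/r setup) lies between the hunks.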
@@ -0,0 +1,42 @@
+From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
+From: Guido Vranken
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 387558f..f235e0d 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
+ int ok = 0;
+ int generate_new_key = 0;
+ unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+--
+2.7.4
+
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch 2018-06-20 11:38:07.000000000 +0000
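Review bot: The new bound in generate_key() of CVE-2018-0732.patch carries no comment on why it exists or why a plain `return 0` is safe there, and the `BN_CTX *ctx = NULL` initialisation in the same hunk only makes sense together with it; I would add `/* CVE-2018-0732: refuse an oversized p before any work is done; nothing is allocated yet so return directly (ctx stays NULL in case this ever becomes goto err) */` above the check. The limit mirrors the OPENSSL_DH_MAX_MODULUS_BITS check that compute_key() in the same file already applies in 1.0.2, as far as I recall, and the comment could say so. The check dereferences dh->p unconditionally, which matches the assumptions the rest of the function (outside this hunk) already makes rather than introducing a new one. generate_key continues outside the hunk.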
@@ -0,0 +1,81 @@
+Backport of:
+
+From 0b199a883e9170cdfe8e61c150bbaf8d8951f3e7 Mon Sep 17 00:00:00 2001
+From: Samuel Weiser
+Date: Tue, 5 Dec 2017 15:55:17 +0100
+Subject: [PATCH] Replaced variable-time GCD with consttime inversion to avoid
+ side-channel attacks on RSA key generation
+
+Reviewed-by: Rich Salz
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/5170)
+
+(cherry picked from commit 9db724cfede4ba7a3668bff533973ee70145ec07)
+---
+ crypto/rsa/rsa_gen.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:30:18.121523563 -0400
++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:30:18.117523561 -0400
+@@ -109,6 +109,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ BIGNUM *pr0, *d, *p;
+ int bitsp, bitsq, ok = -1, n = 0;
+ BN_CTX *ctx = NULL;
++ unsigned long error = 0;
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+@@ -144,16 +145,25 @@ static int rsa_builtin_keygen(RSA *rsa,
+
+ BN_copy(rsa->e, e_value);
+
++ BN_set_flags(rsa->e, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
+ if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
+ goto err;
+ if (!BN_sub(r2, rsa->p, BN_value_one()))
+ goto err;
+- if (!BN_gcd(r1, r2, rsa->e, ctx))
+- goto err;
+- if (BN_is_one(r1))
++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
++ /* GCD == 1 since inverse exists */
+ break;
++ }
++ error = ERR_peek_last_error();
++ if (ERR_GET_LIB(error) == ERR_LIB_BN
++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
++ /* GCD != 1 */
++ ERR_clear_error();
++ } else {
++ goto err;
++ }
+ if (!BN_GENCB_call(cb, 2, n++))
+ goto err;
+ }
+@@ -177,10 +187,18 @@ static int rsa_builtin_keygen(RSA *rsa,
+ }
+ if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err;
+- if (!BN_gcd(r1, r2, rsa->e, ctx))
+- goto err;
+- if (BN_is_one(r1))
++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
++ /* GCD == 1 since inverse exists */
+ break;
++ }
++ error = ERR_peek_last_error();
++ if (ERR_GET_LIB(error) == ERR_LIB_BN
++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
++ /* GCD != 1 */
++ ERR_clear_error();
++ } else {
++ goto err;
++ }
+ if (!BN_GENCB_call(cb, 2, n++))
+ goto err;
+ }
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch 2018-06-20 11:38:11.000000000 +0000
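Review bot: The p loop and the q loop in CVE-2018-0737-1.patch now carry the same twelve-line inverse-or-BN_R_NO_INVERSE block, and the two follow-up patches in this upload (-2 and -3) each had to edit both copies; a file-local helper along the lines of `static int rsa_e_coprime(BIGNUM *r1, const BIGNUM *pm1, const BIGNUM *e, BN_CTX *ctx)` (constructed name) returning 1, 0 or -1 for coprime, not coprime, or error would keep the two paths from drifting. The `ERR_clear_error();` here discards unrelated queued errors, but CVE-2018-0737-2.patch in the same upload replaces it with ERR_set_mark/ERR_pop_to_mark, so nothing further is needed on that point. The `/* GCD == 1 since inverse exists */` comment could add that r1 itself (the inverse of p-1 mod e) is discarded and only the success of the inversion is used. rsa_builtin_keygen starts and ends outside the hunks.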
@@ -0,0 +1,55 @@
+Backport of:
+
+From 64eb614ccc7ccf30cc412b736f509f1d82bbf897 Mon Sep 17 00:00:00 2001
+From: Samuel Weiser
+Date: Wed, 31 Jan 2018 13:10:55 +0100
+Subject: [PATCH] used ERR set/pop mark
+
+Reviewed-by: Rich Salz
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/5170)
+
+(cherry picked from commit 011f82e66f4bf131c733fd41a8390039859aafb2)
+---
+ crypto/rsa/rsa_gen.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:31:12.537565425 -0400
++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:31:12.529565420 -0400
+@@ -152,6 +152,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ goto err;
+ if (!BN_sub(r2, rsa->p, BN_value_one()))
+ goto err;
++ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
+ break;
+@@ -160,7 +161,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+- ERR_clear_error();
++ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
+@@ -187,6 +188,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ }
+ if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err;
++ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
+ break;
+@@ -195,7 +197,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+- ERR_clear_error();
++ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch 2018-06-20 11:38:15.000000000 +0000
@@ -0,0 +1,30 @@
+Backport of:
+
+From 0d6710289307d277ebc3354105c965b6e8ba8eb0 Mon Sep 17 00:00:00 2001
+From: Samuel Weiser
+Date: Fri, 9 Feb 2018 14:11:47 +0100
+Subject: [PATCH] consttime flag changed
+
+Reviewed-by: Rich Salz
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/5170)
+
+(cherry picked from commit 7150a4720af7913cae16f2e4eaf768b578c0b298)
+---
+ crypto/rsa/rsa_gen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:31:18.793570241 -0400
++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:31:18.785570235 -0400
+@@ -145,7 +145,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+
+ BN_copy(rsa->e, e_value);
+
+- BN_set_flags(rsa->e, BN_FLG_CONSTTIME);
++ BN_set_flags(r2, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
+ if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch 2018-06-20 11:38:18.000000000 +0000
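Review bot: In CVE-2018-0737-2.patch the mark set by the new `ERR_set_mark();` is only consumed on the BN_R_NO_INVERSE path; when BN_mod_inverse succeeds and the loop breaks, the mark stays on whatever entry was on top of the error queue, and 1.0.2 has no ERR_clear_last_mark() to remove it, so a later ERR_pop_to_mark() elsewhere could stop at that stale entry (I have not traced a concrete caller that would). Adding `ERR_pop_to_mark();` before each `break;` would clear the mark on the success path as well, since a successful inversion pushes nothing that the call could pop. The same pattern appears in the q loop in the third and fourth hunks of the same patch. rsa_builtin_keygen continues outside the hunks.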
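Review bot: In CVE-2018-0737-3.patch the move of BN_FLG_CONSTTIME from rsa->e to r2 is not explained, and the lone `BN_set_flags(r2, BN_FLG_CONSTTIME);` above `/* generate p and q */` reads like a stray line without a comment; I would add `/* r2 holds p-1 (later q-1); flagging this scratch value makes BN_mod_inverse(r1, r2, e) below take its constant-time path (presumably preferred over flagging the key's public exponent) */`. In 1.0.2 BN_mod_inverse checks the flag on either operand, so flagging the scratch value suffices, and r2 keeps the flag across the BN_sub calls that refill it — both worth confirming against bn_gcd.c and bn_lib.c rather than taken from this note. rsa_builtin_keygen continues outside the hunk.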
@@ -0,0 +1,30 @@
+Backport of:
+
+From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001
+From: Billy Brumley
+Date: Wed, 11 Apr 2018 10:10:58 +0300
+Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
+ both get called with BN_FLG_CONSTTIME flag set.
+
+CVE-2018-0737
+
+Reviewed-by: Rich Salz
+Reviewed-by: Matt Caswell
+(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
+---
+ crypto/rsa/rsa_gen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:31:24.941574975 -0400
++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:31:24.933574969 -0400
+@@ -145,6 +145,8 @@ static int rsa_builtin_keygen(RSA *rsa,
+
+ BN_copy(rsa->e, e_value);
+
++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737.patch openssl-1.0.2g/debian/patches/CVE-2018-0737.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0737.patch 2018-04-18 18:33:57.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0737.patch 1970-01-01 00:00:00.000000000 +0000
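Review bot: The two added BN_set_flags lines in CVE-2018-0737-4.patch set BN_FLG_CONSTTIME on rsa->p and rsa->q permanently, since those are the key's own BIGNUMs rather than scratch values, and nothing in the hunk says this persistence is intended; a comment such as `/* CVE-2018-0737: flag p and q before BN_generate_prime_ex() so its BN_mod_exp_mont() calls run constant-time; the flag remains on the generated key */` would make it explicit. The BN_mod_exp_mont claim comes from the commit message; I have not traced the call through the prime generator here. This supersedes the earlier CVE-2018-0737.patch removed in the same upload, which applied the same two lines a few lines higher without the r2 flag from -3. rsa_builtin_keygen continues outside the hunk.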
@@ -1,26 +0,0 @@
-Backported of:
-
-From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001
-From: Billy Brumley
-Date: Wed, 11 Apr 2018 10:10:58 +0300
-Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
- both get called with BN_FLG_CONSTTIME flag set.
-
-CVE-2018-0737
-
-Reviewed-by: Rich Salz
-Reviewed-by: Matt Caswell
-(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
-diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
-index 7f7dca3..afaff51 100644
---- a/crypto/rsa/rsa_gen.c
-+++ b/crypto/rsa/rsa_gen.c
-@@ -143,6 +143,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
- goto err;
-
- BN_copy(rsa->e, e_value);
-+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
-+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
-
- /* generate p and q */
- for (;;) {
diff -Nru openssl-1.0.2g/debian/patches/series openssl-1.0.2g/debian/patches/series
--- openssl-1.0.2g/debian/patches/series 2018-04-18 18:33:57.000000000 +0000
+++ openssl-1.0.2g/debian/patches/series 2018-06-20 11:38:18.000000000 +0000
@@ -55,4 +55,9 @@
 CVE-2017-3737-2.patch
 CVE-2017-3738.patch
 CVE-2018-0739.patch
-CVE-2018-0737.patch
+CVE-2018-0495.patch
+CVE-2018-0732.patch
+CVE-2018-0737-1.patch
+CVE-2018-0737-2.patch
+CVE-2018-0737-3.patch
+CVE-2018-0737-4.patch