security/libressl: Fix ECDSA P-256 timing attack vuln

  - Add patch from OpenBSD

MFH:		2017Q1
Security:	7caebe30-d7f1-11e6-a9a5-b499baebfeaf
Security:	CVE-2016-7056

2 files changed, 36 insertions, 0 deletions

diff --git a/security/libressl/Makefile b/security/libressl/Makefile
index 02ce5fe..f2f6980 100644
--- a/security/libressl/Makefile
+++ b/security/libressl/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=	libressl
 PORTVERSION=	2.4.4
+PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	OPENBSD/LibreSSL
 
diff --git a/security/libressl/files/patch-CVE-2016-7056 b/security/libressl/files/patch-CVE-2016-7056
new file mode 100644
index 0000000..e190eee
--- /dev/null
+++ b/security/libressl/files/patch-CVE-2016-7056
@@ -0,0 +1,35 @@
+untrusted comment: signature from openbsd 6.0 base secret key
+RWSho3oKSqgLQ55BCxFoKK3pckJBYNZ3l6vujvan4SYLtXvRIsH6PNnmu7Xu18ILyYPxIQnYmCf1ux+IeoD8vzKfEeoCb+UVdQg=
+
+OpenBSD 6.0 errata 16, Jan 5, 2017:
+
+Avoid possible side-channel leak of ECDSA private keys when signing.
+
+Apply by doing:
+    signify -Vep /etc/signify/openbsd-60-base.pub -x 016_libcrypto.patch.sig \
+        -m - | (cd /usr/src && patch -p0)
+
+And then rebuild and install libcrypto:
+        cd /usr/src/lib/libcrypto
+        make obj
+        make depend
+        make
+        make install
+
+Index: lib/libssl/src/crypto/ecdsa/ecs_ossl.c
+===================================================================
+RCS file: /cvs/src/lib/libssl/src/crypto/ecdsa/Attic/ecs_ossl.c,v
+retrieving revision 1.6
+retrieving revision 1.6.8.1
+diff -u -p -r1.6 -r1.6.8.1
+--- crypto/ecdsa/ecs_ossl.c	8 Feb 2015 13:35:07 -0000	1.6
++++ crypto/ecdsa/ecs_ossl.c	5 Jan 2017 13:28:48 -0000	1.6.8.1
+@@ -141,6 +141,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *
+ 		if (BN_num_bits(k) <= BN_num_bits(order))
+ 			if (!BN_add(k, k, order))
+ 				goto err;
++
++		BN_set_flags(k, BN_FLG_CONSTTIME);
+ 
+ 		/* compute r the x-coordinate of generator * k */
+ 		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {