diff --git a/SOURCES/openssl-1.0.2k-cve-2018-5407.patch b/SOURCES/openssl-1.0.2k-cve-2018-5407.patch
new file mode 100644
index 0000000..4152f20
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-cve-2018-5407.patch
@@ -0,0 +1,305 @@
+diff -up openssl-1.0.2k/crypto/bn/bn_lib.c.ecc-ladder openssl-1.0.2k/crypto/bn/bn_lib.c
+--- openssl-1.0.2k/crypto/bn/bn_lib.c.ecc-ladder 2019-02-06 12:58:50.575844123 +0100
++++ openssl-1.0.2k/crypto/bn/bn_lib.c 2019-02-08 10:48:53.529291777 +0100
+@@ -877,6 +877,38 @@ void BN_consttime_swap(BN_ULONG conditio
+ a->top ^= t;
+ b->top ^= t;
+
++ t = (a->neg ^ b->neg) & condition;
++ a->neg ^= t;
++ b->neg ^= t;
++
++ /*-
++ * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
++ * is actually to treat it as it's read-only data, and some (if not most)
++ * of it does reside in read-only segment. In other words observation of
++ * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
++ * condition. It would either cause SEGV or effectively cause data
++ * corruption.
++ *
++ * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
++ * preserved.
++ *
++ * BN_FLG_SECURE: must be preserved, because it determines how x->d was
++ * allocated and hence how to free it.
++ *
++ * BN_FLG_CONSTTIME: sufficient to mask and swap
++ *
++ * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
++ * the data, so the d array may be padded with additional 0 values (i.e.
++ * top could be greater than the minimal value that it could be). We should
++ * be swapping it
++ */
++
++#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
++
++ t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
++ a->flags ^= t;
++ b->flags ^= t;
++
+ #define BN_CONSTTIME_SWAP(ind) \
+ do { \
+ t = (a->d[ind] ^ b->d[ind]) & condition; \
+diff -up openssl-1.0.2k/crypto/ec/ec_mult.c.ecc-ladder openssl-1.0.2k/crypto/ec/ec_mult.c
+--- openssl-1.0.2k/crypto/ec/ec_mult.c.ecc-ladder 2017-01-26 14:22:03.000000000 +0100
++++ openssl-1.0.2k/crypto/ec/ec_mult.c 2019-02-08 10:48:53.531291744 +0100
+@@ -306,6 +306,224 @@ static signed char *compute_wNAF(const B
+ return r;
+ }
+
++#define EC_POINT_BN_set_flags(P, flags) do { \
++ BN_set_flags(&(P)->X, (flags)); \
++ BN_set_flags(&(P)->Y, (flags)); \
++ BN_set_flags(&(P)->Z, (flags)); \
++} while(0)
++
++/*-
++ * This functions computes (in constant time) a point multiplication over the
++ * EC group.
++ *
++ * At a high level, it is Montgomery ladder with conditional swaps.
++ *
++ * It performs either a fixed scalar point multiplication
++ * (scalar * generator)
++ * when point is NULL, or a generic scalar point multiplication
++ * (scalar * point)
++ * when point is not NULL.
++ *
++ * scalar should be in the range [0,n) otherwise all constant time bets are off.
++ *
++ * NB: This says nothing about EC_POINT_add and EC_POINT_dbl,
++ * which of course are not constant time themselves.
++ *
++ * The product is stored in r.
++ *
++ * Returns 1 on success, 0 otherwise.
++ */
++static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
++ const BIGNUM *scalar, const EC_POINT *point,
++ BN_CTX *ctx)
++{
++ int i, cardinality_bits, group_top, kbit, pbit, Z_is_one;
++ EC_POINT *s = NULL;
++ BIGNUM *k = NULL;
++ BIGNUM *lambda = NULL;
++ BIGNUM *cardinality = NULL;
++ BN_CTX *new_ctx = NULL;
++ int ret = 0;
++
++ if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL)
++ return 0;
++
++ BN_CTX_start(ctx);
++
++ s = EC_POINT_new(group);
++ if (s == NULL)
++ goto err;
++
++ if (point == NULL) {
++ if (!EC_POINT_copy(s, group->generator))
++ goto err;
++ } else {
++ if (!EC_POINT_copy(s, point))
++ goto err;
++ }
++
++ EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
++
++ cardinality = BN_CTX_get(ctx);
++ lambda = BN_CTX_get(ctx);
++ k = BN_CTX_get(ctx);
++ if (k == NULL || !BN_mul(cardinality, &group->order, &group->cofactor, ctx))
++ goto err;
++
++ /*
++ * Group cardinalities are often on a word boundary.
++ * So when we pad the scalar, some timing diff might
++ * pop if it needs to be expanded due to carries.
++ * So expand ahead of time.
++ */
++ cardinality_bits = BN_num_bits(cardinality);
++ group_top = cardinality->top;
++ if ((bn_wexpand(k, group_top + 2) == NULL)
++ || (bn_wexpand(lambda, group_top + 2) == NULL))
++ goto err;
++
++ if (!BN_copy(k, scalar))
++ goto err;
++
++ BN_set_flags(k, BN_FLG_CONSTTIME);
++
++ if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) {
++ /*-
++ * this is an unusual input, and we don't guarantee
++ * constant-timeness
++ */
++ if (!BN_nnmod(k, k, cardinality, ctx))
++ goto err;
++ }
++
++ if (!BN_add(lambda, k, cardinality))
++ goto err;
++ BN_set_flags(lambda, BN_FLG_CONSTTIME);
++ if (!BN_add(k, lambda, cardinality))
++ goto err;
++ /*
++ * lambda := scalar + cardinality
++ * k := scalar + 2*cardinality
++ */
++ kbit = BN_is_bit_set(lambda, cardinality_bits);
++ BN_consttime_swap(kbit, k, lambda, group_top + 2);
++
++ group_top = group->field.top;
++ if ((bn_wexpand(&s->X, group_top) == NULL)
++ || (bn_wexpand(&s->Y, group_top) == NULL)
++ || (bn_wexpand(&s->Z, group_top) == NULL)
++ || (bn_wexpand(&r->X, group_top) == NULL)
++ || (bn_wexpand(&r->Y, group_top) == NULL)
++ || (bn_wexpand(&r->Z, group_top) == NULL))
++ goto err;
++
++ /* top bit is a 1, in a fixed pos */
++ if (!EC_POINT_copy(r, s))
++ goto err;
++
++ EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
++
++ if (!EC_POINT_dbl(group, s, s, ctx))
++ goto err;
++
++ pbit = 0;
++
++#define EC_POINT_CSWAP(c, a, b, w, t) do { \
++ BN_consttime_swap(c, &(a)->X, &(b)->X, w); \
++ BN_consttime_swap(c, &(a)->Y, &(b)->Y, w); \
++ BN_consttime_swap(c, &(a)->Z, &(b)->Z, w); \
++ t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \
++ (a)->Z_is_one ^= (t); \
++ (b)->Z_is_one ^= (t); \
++} while(0)
++
++ /*-
++ * The ladder step, with branches, is
++ *
++ * k[i] == 0: S = add(R, S), R = dbl(R)
++ * k[i] == 1: R = add(S, R), S = dbl(S)
++ *
++ * Swapping R, S conditionally on k[i] leaves you with state
++ *
++ * k[i] == 0: T, U = R, S
++ * k[i] == 1: T, U = S, R
++ *
++ * Then perform the ECC ops.
++ *
++ * U = add(T, U)
++ * T = dbl(T)
++ *
++ * Which leaves you with state
++ *
++ * k[i] == 0: U = add(R, S), T = dbl(R)
++ * k[i] == 1: U = add(S, R), T = dbl(S)
++ *
++ * Swapping T, U conditionally on k[i] leaves you with state
++ *
++ * k[i] == 0: R, S = T, U
++ * k[i] == 1: R, S = U, T
++ *
++ * Which leaves you with state
++ *
++ * k[i] == 0: S = add(R, S), R = dbl(R)
++ * k[i] == 1: R = add(S, R), S = dbl(S)
++ *
++ * So we get the same logic, but instead of a branch it's a
++ * conditional swap, followed by ECC ops, then another conditional swap.
++ *
++ * Optimization: The end of iteration i and start of i-1 looks like
++ *
++ * ...
++ * CSWAP(k[i], R, S)
++ * ECC
++ * CSWAP(k[i], R, S)
++ * (next iteration)
++ * CSWAP(k[i-1], R, S)
++ * ECC
++ * CSWAP(k[i-1], R, S)
++ * ...
++ *
++ * So instead of two contiguous swaps, you can merge the condition
++ * bits and do a single swap.
++ *
++ * k[i] k[i-1] Outcome
++ * 0 0 No Swap
++ * 0 1 Swap
++ * 1 0 Swap
++ * 1 1 No Swap
++ *
++ * This is XOR. pbit tracks the previous bit of k.
++ */
++
++ for (i = cardinality_bits - 1; i >= 0; i--) {
++ kbit = BN_is_bit_set(k, i) ^ pbit;
++ EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
++ if (!EC_POINT_add(group, s, r, s, ctx))
++ goto err;
++ if (!EC_POINT_dbl(group, r, r, ctx))
++ goto err;
++ /*
++ * pbit logic merges this cswap with that of the
++ * next iteration
++ */
++ pbit ^= kbit;
++ }
++ /* one final cswap to move the right value into r */
++ EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
++#undef EC_POINT_CSWAP
++
++ ret = 1;
++
++ err:
++ EC_POINT_free(s);
++ BN_CTX_end(ctx);
++ BN_CTX_free(new_ctx);
++
++ return ret;
++}
++
++#undef EC_POINT_BN_set_flags
++
+ /*
+ * TODO: table should be optimised for the wNAF-based implementation,
+ * sometimes smaller windows will give better performance (thus the
+@@ -365,6 +583,34 @@ int ec_wNAF_mul(const EC_GROUP *group, E
+ return EC_POINT_set_to_infinity(group, r);
+ }
+
++ if (!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)) {
++ /*-
++ * Handle the common cases where the scalar is secret, enforcing a constant
++ * time scalar multiplication algorithm.
++ */
++ if ((scalar != NULL) && (num == 0)) {
++ /*-
++ * In this case we want to compute scalar * GeneratorPoint: this
++ * codepath is reached most prominently by (ephemeral) key generation
++ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
++ * keygen/first half), where the scalar is always secret. This is why
++ * we ignore if BN_FLG_CONSTTIME is actually set and we always call the
++ * constant time version.
++ */
++ return ec_mul_consttime(group, r, scalar, NULL, ctx);
++ }
++ if ((scalar == NULL) && (num == 1)) {
++ /*-
++ * In this case we want to compute scalar * GenericPoint: this codepath
++ * is reached most prominently by the second half of ECDH, where the
++ * secret scalar is multiplied by the peer's public point. To protect
++ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
++ * we always call the constant time version.
++ */
++ return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
++ }
++ }
++
+ for (i = 0; i < num; i++) {
+ if (group->meth != points[i]->meth) {
+ ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
diff --git a/SOURCES/openssl-1.0.2k-rsa-check.patch b/SOURCES/openssl-1.0.2k-rsa-check.patch
new file mode 100644
index 0000000..a7ccd9c
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-rsa-check.patch
@@ -0,0 +1,18 @@
+diff -up openssl-1.0.2k/crypto/rsa/rsa_gen.c.rsa-check openssl-1.0.2k/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2k/crypto/rsa/rsa_gen.c.rsa-check 2019-02-06 12:58:50.570844207 +0100
++++ openssl-1.0.2k/crypto/rsa/rsa_gen.c 2019-02-06 13:10:57.058468214 +0100
+@@ -94,11 +94,11 @@ int fips_check_rsa(RSA *rsa)
+
+ /* Perform pairwise consistency signature test */
+ if (!fips_pkey_signature_test(pk, tbs, -1,
+- NULL, 0, EVP_sha1(),
++ NULL, 0, EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
+- || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_X931, NULL)
+- || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_PSS, NULL))
+ goto err;
+ /* Now perform pairwise consistency encrypt/decrypt test */
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 62e886e..fa17165 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -23,7 +23,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.2k
-Release: 16%{?dist}
+Release: 16%{?dist}.1
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -87,6 +87,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
Patch97: openssl-1.0.2k-no-ssl2.patch
Patch98: openssl-1.0.2k-long-hello.patch
Patch99: openssl-1.0.2k-fips-randlock.patch
+Patch106: openssl-1.0.2k-rsa-check.patch
# Backported fixes including security fixes
Patch80: openssl-1.0.2e-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch
@@ -104,6 +105,7 @@ Patch102: openssl-1.0.2k-cve-2018-0732.patch
Patch103: openssl-1.0.2k-cve-2018-0737.patch
Patch104: openssl-1.0.2k-cve-2018-0739.patch
Patch105: openssl-1.0.2k-cve-2018-0495.patch
+Patch107: openssl-1.0.2k-cve-2018-5407.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -223,6 +225,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch97 -p1 -b .no-ssl2
%patch98 -p1 -b .long-hello
%patch99 -p1 -b .randlock
+%patch106 -p1 -b .rsa-check
%patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64
@@ -240,6 +243,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch103 -p1 -b .gen-timing
%patch104 -p1 -b .asn1-recursive
%patch105 -p1 -b .rohnp-fix
+%patch107 -p1 -b .ecc-ladder
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@@ -539,6 +543,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Wed Feb 6 2019 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16.1
+- use SHA-256 in FIPS RSA pairwise key check
+- fix CVE-2018-5407 - EC signature local timing side-channel key extraction
+
* Tue Aug 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16
- fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA
- fix incorrect error message on FIPS DSA parameter generation (#1603597)