Apply upstream patch to fix data corruption.

Bump PKGREVISION.

3 files changed, 71 insertions, 3 deletions

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 39077893543..0e4228fd62c 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.174 2013/02/06 23:20:57 jperkin Exp $
+# $NetBSD: Makefile,v 1.175 2013/02/08 14:11:08 jperkin Exp $
 
 DISTNAME=	openssl-1.0.1d
 MASTER_SITES=	http://ftp.openssl.org/source/
-PKGREVISION=	1
+PKGREVISION=	2
 SVR4_PKGNAME=	ossl
 CATEGORIES=	security
 
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 2de35a1cc46..adb60418767 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.92 2013/02/06 21:40:33 jperkin Exp $
+$NetBSD: distinfo,v 1.93 2013/02/08 14:11:08 jperkin Exp $
 
 SHA1 (openssl-1.0.1d.tar.gz) = 5e586810ea516a5eec1c7d7c730a17fb528de32d
 RMD160 (openssl-1.0.1d.tar.gz) = 37710d9841a9d89e55d01a09083801ee0cc63f76
@@ -11,3 +11,4 @@ SHA1 (patch-af) = 376f474f3809365a20a53cfe1c91eca4bc02a5cd
 SHA1 (patch-ag) = b407200455878a8a151fc9b4f771fe17552d04fc
 SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0
 SHA1 (patch-engines_ccgost_Makefile) = 08999f0f40969883482ad9ffc1aa9959ed7d402c
+SHA1 (patch-ssl_s3__cbc.c) = e6b3e1f79b6cab8f8097a277302b078e12fcaf24
diff --git a/security/openssl/patches/patch-ssl_s3__cbc.c b/security/openssl/patches/patch-ssl_s3__cbc.c
new file mode 100644
index 00000000000..41acb9a6b97
--- /dev/null
+++ b/security/openssl/patches/patch-ssl_s3__cbc.c
@@ -0,0 +1,67 @@
+$NetBSD: patch-ssl_s3__cbc.c,v 1.1 2013/02/08 14:11:08 jperkin Exp $
+
+Apply data-corruption patch from:
+
+  http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=32cc247
+
+Fix IV check and padding removal.
+
+Fix the calculation that checks there is enough room in a record
+after removing padding and optional explicit IV. (by Steve)
+
+For AEAD remove the correct number of padding bytes (by Andy)
+
+--- ssl/s3_cbc.c
++++ ssl/s3_cbc.c
+@@ -139,31 +139,22 @@ int tls1_cbc_remove_padding(const SSL* s,
+ 			    unsigned mac_size)
+ 	{
+ 	unsigned padding_length, good, to_check, i;
+-	const char has_explicit_iv =
+-		s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION;
+-	const unsigned overhead = 1 /* padding length byte */ +
+-				  mac_size +
+-				  (has_explicit_iv ? block_size : 0);
+-
+-	/* These lengths are all public so we can test them in non-constant
+-	 * time. */
+-	if (overhead > rec->length)
+-		return 0;
+-
+-	/* We can always safely skip the explicit IV. We check at the beginning
+-	 * of this function that the record has at least enough space for the
+-	 * IV, MAC and padding length byte. (These can be checked in
+-	 * non-constant time because it's all public information.) So, if the
+-	 * padding was invalid, then we didn't change |rec->length| and this is
+-	 * safe. If the padding was valid then we know that we have at least
+-	 * overhead+padding_length bytes of space and so this is still safe
+-	 * because overhead accounts for the explicit IV. */
+-	if (has_explicit_iv)
++	const unsigned overhead = 1 /* padding length byte */ + mac_size;
++	/* Check if version requires explicit IV */
++	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
+ 		{
++		/* These lengths are all public so we can test them in
++		 * non-constant time.
++		 */
++		if (overhead + block_size > rec->length)
++			return 0;
++		/* We can now safely skip explicit IV */
+ 		rec->data += block_size;
+ 		rec->input += block_size;
+ 		rec->length -= block_size;
+ 		}
++	else if (overhead > rec->length)
++		return 0;
+ 
+ 	padding_length = rec->data[rec->length-1];
+ 
+@@ -190,7 +181,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ 	if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
+ 		{
+ 		/* padding is already verified */
+-		rec->length -= padding_length;
++		rec->length -= padding_length + 1;
+ 		return 1;
+ 		}
+