diff options
-rw-r--r-- | security/openssl/Makefile | 4 | ||||
-rw-r--r-- | security/openssl/distinfo | 3 | ||||
-rw-r--r-- | security/openssl/patches/patch-ssl_s3__cbc.c | 67 |
3 files changed, 71 insertions, 3 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 39077893543..0e4228fd62c 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.174 2013/02/06 23:20:57 jperkin Exp $ +# $NetBSD: Makefile,v 1.175 2013/02/08 14:11:08 jperkin Exp $ DISTNAME= openssl-1.0.1d MASTER_SITES= http://ftp.openssl.org/source/ -PKGREVISION= 1 +PKGREVISION= 2 SVR4_PKGNAME= ossl CATEGORIES= security diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 2de35a1cc46..adb60418767 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.92 2013/02/06 21:40:33 jperkin Exp $ +$NetBSD: distinfo,v 1.93 2013/02/08 14:11:08 jperkin Exp $ SHA1 (openssl-1.0.1d.tar.gz) = 5e586810ea516a5eec1c7d7c730a17fb528de32d RMD160 (openssl-1.0.1d.tar.gz) = 37710d9841a9d89e55d01a09083801ee0cc63f76 @@ -11,3 +11,4 @@ SHA1 (patch-af) = 376f474f3809365a20a53cfe1c91eca4bc02a5cd SHA1 (patch-ag) = b407200455878a8a151fc9b4f771fe17552d04fc SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0 SHA1 (patch-engines_ccgost_Makefile) = 08999f0f40969883482ad9ffc1aa9959ed7d402c +SHA1 (patch-ssl_s3__cbc.c) = e6b3e1f79b6cab8f8097a277302b078e12fcaf24 diff --git a/security/openssl/patches/patch-ssl_s3__cbc.c b/security/openssl/patches/patch-ssl_s3__cbc.c new file mode 100644 index 00000000000..41acb9a6b97 --- /dev/null +++ b/security/openssl/patches/patch-ssl_s3__cbc.c @@ -0,0 +1,67 @@ +$NetBSD: patch-ssl_s3__cbc.c,v 1.1 2013/02/08 14:11:08 jperkin Exp $ + +Apply data-corruption patch from: + + http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=32cc247 + +Fix IV check and padding removal. + +Fix the calculation that checks there is enough room in a record +after removing padding and optional explicit IV. (by Steve) + +For AEAD remove the correct number of padding bytes (by Andy) + +--- ssl/s3_cbc.c ++++ ssl/s3_cbc.c +@@ -139,31 +139,22 @@ int tls1_cbc_remove_padding(const SSL* s, + unsigned mac_size) + { + unsigned padding_length, good, to_check, i; +- const char has_explicit_iv = +- s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION; +- const unsigned overhead = 1 /* padding length byte */ + +- mac_size + +- (has_explicit_iv ? block_size : 0); +- +- /* These lengths are all public so we can test them in non-constant +- * time. */ +- if (overhead > rec->length) +- return 0; +- +- /* We can always safely skip the explicit IV. We check at the beginning +- * of this function that the record has at least enough space for the +- * IV, MAC and padding length byte. (These can be checked in +- * non-constant time because it's all public information.) So, if the +- * padding was invalid, then we didn't change |rec->length| and this is +- * safe. If the padding was valid then we know that we have at least +- * overhead+padding_length bytes of space and so this is still safe +- * because overhead accounts for the explicit IV. */ +- if (has_explicit_iv) ++ const unsigned overhead = 1 /* padding length byte */ + mac_size; ++ /* Check if version requires explicit IV */ ++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) + { ++ /* These lengths are all public so we can test them in ++ * non-constant time. ++ */ ++ if (overhead + block_size > rec->length) ++ return 0; ++ /* We can now safely skip explicit IV */ + rec->data += block_size; + rec->input += block_size; + rec->length -= block_size; + } ++ else if (overhead > rec->length) ++ return 0; + + padding_length = rec->data[rec->length-1]; + +@@ -190,7 +181,7 @@ int tls1_cbc_remove_padding(const SSL* s, + if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) + { + /* padding is already verified */ +- rec->length -= padding_length; ++ rec->length -= padding_length + 1; + return 1; + } + |