1 files changed, 101 insertions, 0 deletions

diff --git a/security/openssl/patches/patch-ag b/security/openssl/patches/patch-ag
new file mode 100644
index 00000000000..3b5fda10917
--- /dev/null
+++ b/security/openssl/patches/patch-ag
@@ -0,0 +1,101 @@
+$NetBSD: patch-ag,v 1.8 2003/02/20 07:59:26 wiz Exp $
+
+--- ssl/s3_pkt.c.orig	Fri May 10 01:07:45 2002
++++ ssl/s3_pkt.c
+@@ -238,6 +238,8 @@ static int ssl3_get_record(SSL *s)
+ 	unsigned int mac_size;
+ 	int clear=0;
+ 	size_t extra;
++	int decryption_failed_or_bad_record_mac = 0;
++	unsigned char *mac = NULL;
+ 
+ 	rr= &(s->s3->rrec);
+ 	sess=s->session;
+@@ -353,8 +355,11 @@ again:
+ 			/* SSLerr() and ssl3_send_alert() have been called */
+ 			goto err;
+ 
+-		/* otherwise enc_err == -1 */
+-		goto decryption_failed_or_bad_record_mac;
++		/* Otherwise enc_err == -1, which indicates bad padding
++		 * (rec->length has not been changed in this case).
++		 * To minimize information leaked via timing, we will perform
++		 * the MAC computation anyway. */
++		decryption_failed_or_bad_record_mac = 1;
+ 		}
+ 
+ #ifdef TLS_DEBUG
+@@ -380,28 +385,46 @@ printf("\n");
+ 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+ 			goto f_err;
+ #else
+-			goto decryption_failed_or_bad_record_mac;
++			decryption_failed_or_bad_record_mac = 1;
+ #endif			
+ 			}
+ 		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
+-		if (rr->length < mac_size)
++		if (rr->length >= mac_size)
+ 			{
++			rr->length -= mac_size;
++			mac = &rr->data[rr->length];
++			}
++		else
++			{
++			/* record (minus padding) is too short to contain a MAC */
+ #if 0 /* OK only for stream ciphers */
+ 			al=SSL_AD_DECODE_ERROR;
+ 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+ 			goto f_err;
+ #else
+-			goto decryption_failed_or_bad_record_mac;
++			decryption_failed_or_bad_record_mac = 1;
++			rr->length = 0;
+ #endif
+ 			}
+-		rr->length-=mac_size;
+ 		i=s->method->ssl3_enc->mac(s,md,0);
+-		if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
++		if (mac == NULL || memcmp(md, mac, mac_size) != 0)
+ 			{
+-			goto decryption_failed_or_bad_record_mac;
++			decryption_failed_or_bad_record_mac = 1;
+ 			}
+ 		}
+ 
++	if (decryption_failed_or_bad_record_mac)
++		{
++		/* A separate 'decryption_failed' alert was introduced with TLS 1.0,
++		 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
++		 * failure is directly visible from the ciphertext anyway,
++		 * we should not reveal which kind of error occured -- this
++		 * might become visible to an attacker (e.g. via a logfile) */
++		al=SSL_AD_BAD_RECORD_MAC;
++		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
++		goto f_err;
++		}
++
+ 	/* r->length is now just compressed */
+ 	if (s->expand != NULL)
+ 		{
+@@ -443,19 +466,12 @@ printf("\n");
+ 
+ 	return(1);
+ 
+-decryption_failed_or_bad_record_mac:
+-	/* Separate 'decryption_failed' alert was introduced with TLS 1.0,
+-	 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
+-	 * failure is directly visible from the ciphertext anyway,
+-	 * we should not reveal which kind of error occured -- this
+-	 * might become visible to an attacker (e.g. via logfile) */
+-	al=SSL_AD_BAD_RECORD_MAC;
+-	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+ f_err:
+ 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ err:
+ 	return(ret);
+ 	}
++const char *CAN_2003_0078_patch_ID="CAN-2003-0078 patch 2003-02-19";
+ 
+ static int do_uncompress(SSL *ssl)
+ 	{