From f628ba9e29293c2b9fc8be20c7ccb9e373a08083 Mon Sep 17 00:00:00 2001
From: wiz
Date: Thu, 20 Feb 2003 07:59:24 +0000
Subject: Add patch from http://www.openssl.org/news/secadv_20030219.txt: In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked via timing by performing a MAC computation even if incorrrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CAN-2003-0078) Bump PKGREVISION.
---
 security/openssl/Makefile | 3 +-
 security/openssl/distinfo | 3 +-
 security/openssl/patches/patch-ag | 101 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 2 deletions(-)
 create mode 100644 security/openssl/patches/patch-ag
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 9e53d5c7b3c..9a3eb706ccd 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.65 2003/01/28 22:04:07 jlam Exp $
+# $NetBSD: Makefile,v 1.66 2003/02/20 07:59:24 wiz Exp $
 DISTNAME= openssl-0.9.6g
+PKGREVISION= 1
 SVR4_PKGNAME= ossl
 CATEGORIES= security
 MASTER_SITES= ftp://ftp.openssl.org/source/
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 363dd38cd53..a4e2a93950c 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.15 2002/12/03 14:02:24 grant Exp $
+$NetBSD: distinfo,v 1.16 2003/02/20 07:59:25 wiz Exp $
 SHA1 (openssl-0.9.6g.tar.gz) = 5b3cdad1d33134c97f659a8ad5dbf4ca4cf3d9c8
 Size (openssl-0.9.6g.tar.gz) = 2170570 bytes
@@ -10,3 +10,4 @@ SHA1 (patch-ac) = 9d53250cf7267461d57edc26573bcd822cd945db
 SHA1 (patch-ad) = ee8283d5537edce1bb60470c616ebabfda0aa084
 SHA1 (patch-ae) = f4bf6ae5aa41b55d9978376e4e50ee10c10dd288
 SHA1 (patch-af) = fd470396c5f54ea2d333df44504c03e7c6c8dc96
+SHA1 (patch-ag) = d470c7da2cff7ba37ac38d6ceb79751a7d21d432
diff --git a/security/openssl/patches/patch-ag b/security/openssl/patches/patch-ag
new file mode 100644
index 00000000000..3b5fda10917
--- /dev/null
+++ b/security/openssl/patches/patch-ag
@@ -0,0 +1,101 @@
+$NetBSD: patch-ag,v 1.8 2003/02/20 07:59:26 wiz Exp $
+
+--- ssl/s3_pkt.c.orig Fri May 10 01:07:45 2002
++++ ssl/s3_pkt.c
+@@ -238,6 +238,8 @@ static int ssl3_get_record(SSL *s)
+ unsigned int mac_size;
+ int clear=0;
+ size_t extra;
++ int decryption_failed_or_bad_record_mac = 0;
++ unsigned char *mac = NULL;
+ 
+ rr= &(s->s3->rrec);
+ sess=s->session;
+@@ -353,8 +355,11 @@ again:
+ /* SSLerr() and ssl3_send_alert() have been called */
+ goto err;
+ 
+- /* otherwise enc_err == -1 */
+- goto decryption_failed_or_bad_record_mac;
++ /* Otherwise enc_err == -1, which indicates bad padding
++ * (rec->length has not been changed in this case).
++ * To minimize information leaked via timing, we will perform
++ * the MAC computation anyway. */
++ decryption_failed_or_bad_record_mac = 1;
+ }
+ 
+ #ifdef TLS_DEBUG
+@@ -380,28 +385,46 @@ printf("\n");
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+ goto f_err;
+ #else
+- goto decryption_failed_or_bad_record_mac;
++ decryption_failed_or_bad_record_mac = 1;
+ #endif
+ }
+ /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
+- if (rr->length < mac_size)
++ if (rr->length >= mac_size)
+ {
++ rr->length -= mac_size;
++ mac = &rr->data[rr->length];
++ }
++ else
++ {
++ /* record (minus padding) is too short to contain a MAC */
+ #if 0 /* OK only for stream ciphers */
+ al=SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+ #else
+- goto decryption_failed_or_bad_record_mac;
++ decryption_failed_or_bad_record_mac = 1;
++ rr->length = 0;
+ #endif
+ }
+- rr->length-=mac_size;
+ i=s->method->ssl3_enc->mac(s,md,0);
+- if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
++ if (mac == NULL || memcmp(md, mac, mac_size) != 0)
+ {
+- goto decryption_failed_or_bad_record_mac;
++ decryption_failed_or_bad_record_mac = 1;
+ }
+ }
+ 
++ if (decryption_failed_or_bad_record_mac)
++ {
++ /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
++ * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
++ * failure is directly visible from the ciphertext anyway,
++ * we should not reveal which kind of error occured -- this
++ * might become visible to an attacker (e.g. via a logfile) */
++ al=SSL_AD_BAD_RECORD_MAC;
++ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
++ goto f_err;
++ }
++
+ /* r->length is now just compressed */
+ if (s->expand != NULL)
+ {
+@@ -443,19 +466,12 @@ printf("\n");
+ 
+ return(1);
+ 
+-decryption_failed_or_bad_record_mac:
+- /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
+- * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
+- * failure is directly visible from the ciphertext anyway,
+- * we should not reveal which kind of error occured -- this
+- * might become visible to an attacker (e.g. via logfile) */
+- al=SSL_AD_BAD_RECORD_MAC;
+- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+ f_err:
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ err:
+ return(ret);
+ }
++const char *CAN_2003_0078_patch_ID="CAN-2003-0078 patch 2003-02-19";
+ 
+ static int do_uncompress(SSL *ssl)
+ {
--
cgit v1.2.3
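Review bot: The MAC is now always computed, but over a padding-dependent length: the new comment itself notes that on the enc_err == -1 path `rec->length has not been changed`, so `s->method->ssl3_enc->mac(s,md,0)` runs over the padding bytes too, while on the accepted-padding path they have already been stripped, and the remaining difference in MAC work is still a function of whether the padding was accepted; the channel is narrowed, not closed, and that residual deserves a comment next to the mac() call so nobody reads this as a complete fix. The rewritten check `if (mac == NULL || memcmp(md, mac, mac_size) != 0)` adds a second data-dependent timing source, since memcmp returns at the first differing byte and the NULL case skips the compare entirely; a fixed-time compare that always touches mac_size bytes (comparing md against itself when mac is NULL) costs a few lines and removes it, as sketched below. `i` still receives the mac() return value without being checked, but that line is unchanged context, so it is pre-existing rather than introduced here. ssl3_get_record begins before the first inner hunk and its `f_err`/`err` tail is cut by the last one, so the surrounding control flow is only partly visible here.
```c
/* … unchanged: rr->length / mac bookkeeping above … */
i=s->method->ssl3_enc->mac(s,md,0);
/* NOTE(review): mac() above still runs over a padding-dependent length when
 * the padding check failed; compare in fixed time so the result does not
 * also leak the position of the first differing byte. */
{
unsigned int j, diff = (mac == NULL) ? 1 : 0;
const unsigned char *cmp = (mac != NULL) ? mac : md;
for (j = 0; j < mac_size; j++)
	diff |= md[j] ^ cmp[j];
if (diff)
	decryption_failed_or_bad_record_mac = 1;
}
/* … unchanged: decryption_failed_or_bad_record_mac alert path … */
```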