 @@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.174 2013/02/06 23:20:57 jperkin Exp $
+# $NetBSD: Makefile,v 1.175 2013/02/08 14:11:08 jperkin Exp $
 DISTNAME=	openssl-1.0.1d
 MASTER_SITES=	http://ftp.openssl.org/source/
-PKGREVISION=	1
+PKGREVISION=	2
 SVR4_PKGNAME=	ossl
 CATEGORIES=	security
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.openssl.org/
 COMMENT=	Secure Socket Layer and cryptographic library
 CONFLICTS=	SSLeay-[0-9]* ssleay-[0-9]*
 CRYPTO=		yes
 PKG_INSTALLATION_TYPES=	overwrite pkgviews

 @@ -1,13 +1,14 @@
-$NetBSD: distinfo,v 1.92 2013/02/06 21:40:33 jperkin Exp $
+$NetBSD: distinfo,v 1.93 2013/02/08 14:11:08 jperkin Exp $
 SHA1 (openssl-1.0.1d.tar.gz) = 5e586810ea516a5eec1c7d7c730a17fb528de32d
 RMD160 (openssl-1.0.1d.tar.gz) = 37710d9841a9d89e55d01a09083801ee0cc63f76
 Size (openssl-1.0.1d.tar.gz) = 4459791 bytes
 SHA1 (patch-aa) = c4b27857698c108fe495fe65ea8857b77e89a655
 SHA1 (patch-ac) = 89043b9e3369a9781de3a82cefa9b1cacab07510
 SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3
 SHA1 (patch-ae) = 7a58f1765a3761321dcc8dafc5fe2e33207be480
 SHA1 (patch-af) = 376f474f3809365a20a53cfe1c91eca4bc02a5cd
 SHA1 (patch-ag) = b407200455878a8a151fc9b4f771fe17552d04fc
 SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0
 SHA1 (patch-engines_ccgost_Makefile) = 08999f0f40969883482ad9ffc1aa9959ed7d402c
 SHA1 (patch-ssl_s3__cbc.c) = e6b3e1f79b6cab8f8097a277302b078e12fcaf24

$NetBSD: patch-ssl_s3__cbc.c,v 1.1 2013/02/08 14:11:08 jperkin Exp $ Apply data-corruption patch from: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=32cc247 Fix IV check and padding removal. Fix the calculation that checks there is enough room in a record after removing padding and optional explicit IV. (by Steve) For AEAD remove the correct number of padding bytes (by Andy) --- ssl/s3_cbc.c +++ ssl/s3_cbc.c @@ -139,31 +139,22 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned mac_size) { unsigned padding_length, good, to_check, i; - const char has_explicit_iv = - s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION; - const unsigned overhead = 1 /* padding length byte */ + - mac_size + - (has_explicit_iv ? block_size : 0); - - /* These lengths are all public so we can test them in non-constant - * time. */ - if (overhead > rec->length) - return 0; - - /* We can always safely skip the explicit IV. We check at the beginning - * of this function that the record has at least enough space for the - * IV, MAC and padding length byte. (These can be checked in - * non-constant time because it's all public information.) So, if the - * padding was invalid, then we didn't change |rec->length| and this is - * safe. If the padding was valid then we know that we have at least - * overhead+padding_length bytes of space and so this is still safe - * because overhead accounts for the explicit IV. */ - if (has_explicit_iv) + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ + if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) { + /* These lengths are all public so we can test them in + * non-constant time. + */ + if (overhead + block_size > rec->length) + return 0; + /* We can now safely skip explicit IV */ rec->data += block_size; rec->input += block_size; rec->length -= block_size; } + else if (overhead > rec->length) + return 0; padding_length = rec->data[rec->length-1]; @@ -190,7 +181,7 @@ int tls1_cbc_remove_padding(const SSL* s, if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) { /* padding is already verified */ - rec->length -= padding_length; + rec->length -= padding_length + 1; return 1; }