Commit 2d9183b2 authored by Natanael Copa's avatar Natanael Copa
Browse files

main/openssl: upgrade to 1.0.1e

parent 619c4e6f
From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 7 Feb 2013 21:06:37 +0000
Subject: [PATCH] Fix IV check and padding removal.
Fix the calculation that checks there is enough room in a record
after removing padding and optional explicit IV. (by Steve)
For AEAD remove the correct number of padding bytes (by Andy)
---
ssl/s3_cbc.c | 33 ++++++++++++---------------------
1 file changed, 12 insertions(+), 21 deletions(-)
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index ce77acd..0f60507 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -139,31 +139,22 @@ int tls1_cbc_remove_padding(const SSL* s,
unsigned mac_size)
{
unsigned padding_length, good, to_check, i;
- const char has_explicit_iv =
- s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION;
- const unsigned overhead = 1 /* padding length byte */ +
- mac_size +
- (has_explicit_iv ? block_size : 0);
-
- /* These lengths are all public so we can test them in non-constant
- * time. */
- if (overhead > rec->length)
- return 0;
-
- /* We can always safely skip the explicit IV. We check at the beginning
- * of this function that the record has at least enough space for the
- * IV, MAC and padding length byte. (These can be checked in
- * non-constant time because it's all public information.) So, if the
- * padding was invalid, then we didn't change |rec->length| and this is
- * safe. If the padding was valid then we know that we have at least
- * overhead+padding_length bytes of space and so this is still safe
- * because overhead accounts for the explicit IV. */
- if (has_explicit_iv)
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
{
+ /* These lengths are all public so we can test them in
+ * non-constant time.
+ */
+ if (overhead + block_size > rec->length)
+ return 0;
+ /* We can now safely skip explicit IV */
rec->data += block_size;
rec->input += block_size;
rec->length -= block_size;
}
+ else if (overhead > rec->length)
+ return 0;
padding_length = rec->data[rec->length-1];
@@ -190,7 +181,7 @@ int tls1_cbc_remove_padding(const SSL* s,
if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
{
/* padding is already verified */
- rec->length -= padding_length;
+ rec->length -= padding_length + 1;
return 1;
}
--
1.8.1.2
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
pkgver=1.0.1d
pkgrel=1
pkgver=1.0.1e
pkgrel=0
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
url="http://openssl.org"
depends=
......@@ -20,7 +20,6 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
0004-crypto-engine-autoload-padlock-dynamic-engine.patch
0005-s_client-ircv3-starttls.patch
0001-Fix-IV-check-and-padding-removal.patch
openssl-1.0.1-version-eglibc.patch"
_builddir="$srcdir"/$pkgname-$pkgver
......@@ -90,7 +89,7 @@ libssl() {
done
}
md5sums="b92fc634f0f1f31a67ed4175adc5ba33 openssl-1.0.1d.tar.gz
md5sums="66bf6f10f060d561929de96f9dfe5b8c openssl-1.0.1e.tar.gz
115c481cd59b3dba631364e8fb1778f5 fix-manpages.patch
c6a9857a5dbd30cead0404aa7dd73977 openssl-bb-basename.patch
ddb5fc155145d5b852425adaec32234d 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
......@@ -98,9 +97,8 @@ ddb5fc155145d5b852425adaec32234d 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESH
d95bbaa38889836afd3c52f3962f3b54 0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
c32f42451a07267ee5dfb3781fa40c00 0004-crypto-engine-autoload-padlock-dynamic-engine.patch
c5b1042a3acaf3591f3f5620b7086e12 0005-s_client-ircv3-starttls.patch
b92ec62a1f3e7fdc65481afff709cd8b 0001-Fix-IV-check-and-padding-removal.patch
d1f3aaad7c36590f21355682983cd14e openssl-1.0.1-version-eglibc.patch"
sha256sums="88a423f9b08a994054583691b968815875580e12df754e881d7cfe9f1bd1f49d openssl-1.0.1d.tar.gz
sha256sums="f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 openssl-1.0.1e.tar.gz
fe844e21b2c42da2d8e9c89350211d70c0829f45532b89b7e492bfde589ee7ed fix-manpages.patch
82863c2fed659a7186c7f3905a1853b8bd8060350ad101ce159fa7e7d2ba27e8 openssl-bb-basename.patch
18dd81fefb39b3328a444774ed10871ed50348ca171d2da9f826f916127b2dae 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
......@@ -108,9 +106,8 @@ fe844e21b2c42da2d8e9c89350211d70c0829f45532b89b7e492bfde589ee7ed fix-manpages.p
e59f86fb779d327479fa97506c6d0d2df44b97f8182b45ca2eefebe9bef44b8d 0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
157ec6d17add25b96956abc7c44259c91eebe8a6c1026cdb976b895bf42ec56f 0004-crypto-engine-autoload-padlock-dynamic-engine.patch
44b553d92e33c48f854a8e15b23830375bc400e987505c74956ac196266f0d46 0005-s_client-ircv3-starttls.patch
a6a6ff34f2a363e2a6d7d4e44da36df6e3f040539e6822752a68efb7fa956c3c 0001-Fix-IV-check-and-padding-removal.patch
51146851d8454dcb73138f794ced8bd629658b4a0524c466f61b653fff536c93 openssl-1.0.1-version-eglibc.patch"
sha512sums="333c915501cc4998ab1d16251790eeb471ee6cbf30afcba9b7eefd3cec6a50e061b4347e60b751fa4afea15700ef629503931f22cec3ed64723ac3372ca7735e openssl-1.0.1d.tar.gz
sha512sums="c76857e439431b2ef6f2aa123997e53f82b9c3c964d4d765d7cc6c0c20b37a21adf578f9b759b2b65ae3925454c432a01b7de0cd320ece7181dc292e00d3244e openssl-1.0.1e.tar.gz
880411d56da49946d24328445728367e0bf13b0fd47954971514bee8cd5613a038ad8aeaf68da2c92f4634deb022febd7b3e37f9bbfc5d2c9c8b3b5ffd971407 fix-manpages.patch
6c4f4b0c1b606b3e5a8175618c4398923392f9c25ad8d3f5b65b0424fe51e104c4f456d2da590d9f572382225ab320278e88db1585790092450cad60a02819a5 openssl-bb-basename.patch
ea282b09d4692a29e5a554e19b0798fa921717d4892decc68cba92cad11e85e4064d8ac78d98f6fa8bb45c65fdd1a5d1a6f6755e53102d520e9d8b807c3a7822 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
......@@ -118,5 +115,4 @@ ea282b09d4692a29e5a554e19b0798fa921717d4892decc68cba92cad11e85e4064d8ac78d98f6fa
b403a402debf1890df10d5cac12c5f6cc54be6f9bfd3b9cbc014694c02621d4c488f1215a94ac13f01e4cfc6ab93658cfa4c4ba8b707956dc745bf5648a927cf 0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
3bedc326ca3e5945bc4ec4dccfe596042ee87aaeaf90b5063110a99cc8e38584838d68289907e4a3fcdb8e04635052ad0759c94e1d7070bb317c2066e2506bbe 0004-crypto-engine-autoload-padlock-dynamic-engine.patch
70cd257bbd5a86685dc2508399e67746b60ed5d581eb84fe4d4fc6af214f31b71e2a58ad758d572976a61f67bf64c37a935a9788db160f75bced75397b9bcce3 0005-s_client-ircv3-starttls.patch
bc9113ce820deb984094c9f9b5b5a5405eb591f4db0b976ed66d5819ef8eb1556c29d75cd8d23a7cbf3caff52a6b88e653ed280b0b379d48527fcea507cd4583 0001-Fix-IV-check-and-padding-removal.patch
6db9d9ee62048d27f80e392eda99a46712ee85f1c8fd49f4931be73c880da8b84844a72657f7bceddb7db0026daddd31870d9c5065494f8d359ee8560284fd4a openssl-1.0.1-version-eglibc.patch"
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment