rpm/openssl
SHA256
1
0
Fork 0
forked from pool/openssl
Code Pull Requests Activity

Accepting request 155059 from Base:System

Browse Source 
Fix nasty 1.0.1d regression (forwarded request 155056 from sumski)

OBS-URL: https://build.opensuse.org/request/show/155059
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=85
This commit is contained in:
Stephan Kulow 2013-02-11 10:07:26 +00:00 committed by Git OBS Bridge
parent e77612338e
commit f3f9661f10
3 changed files with 85 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
openssl-1.0.1d-s3-packet.patch Normal file
View File

@ -0,0 +1,76 @@
https://bugs.gentoo.org/456108
taken from upstream
From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 7 Feb 2013 21:06:37 +0000
Subject: [PATCH] Fix IV check and padding removal.
Fix the calculation that checks there is enough room in a record
after removing padding and optional explicit IV. (by Steve)
For AEAD remove the correct number of padding bytes (by Andy)
---
ssl/s3_cbc.c | 33 ++++++++++++---------------------
1 file changed, 12 insertions(+), 21 deletions(-)
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index ce77acd..0f60507 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -139,31 +139,22 @@ int tls1_cbc_remove_padding(const SSL* s,
unsigned mac_size)
{
unsigned padding_length, good, to_check, i;
- const char has_explicit_iv =
- s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION;
- const unsigned overhead = 1 /* padding length byte */ +
- mac_size +
- (has_explicit_iv ? block_size : 0);
-
- /* These lengths are all public so we can test them in non-constant
- * time. */
- if (overhead > rec->length)
- return 0;
-
- /* We can always safely skip the explicit IV. We check at the beginning
- * of this function that the record has at least enough space for the
- * IV, MAC and padding length byte. (These can be checked in
- * non-constant time because it's all public information.) So, if the
- * padding was invalid, then we didn't change |rec->length| and this is
- * safe. If the padding was valid then we know that we have at least
- * overhead+padding_length bytes of space and so this is still safe
- * because overhead accounts for the explicit IV. */
- if (has_explicit_iv)
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
{
+ /* These lengths are all public so we can test them in
+ * non-constant time.
+ */
+ if (overhead + block_size > rec->length)
+ return 0;
+ /* We can now safely skip explicit IV */
rec->data += block_size;
rec->input += block_size;
rec->length -= block_size;
}
+ else if (overhead > rec->length)
+ return 0;
padding_length = rec->data[rec->length-1];
@@ -190,7 +181,7 @@ int tls1_cbc_remove_padding(const SSL* s,
if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
{
/* padding is already verified */
- rec->length -= padding_length;
+ rec->length -= padding_length + 1;
return 1;
}
--
1.8.0.2

6
openssl.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Sun Feb 10 20:33:51 UTC 2013 - hrvoje.senjan@gmail.com
- Added openssl-1.0.1d-s3-packet.patch from upstream, fixes
bnc#803004, openssl ticket#2975
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 5 16:00:17 UTC 2013 - meissner@suse.com Tue Feb 5 16:00:17 UTC 2013 - meissner@suse.com

3
openssl.spec
View File

@ -46,6 +46,8 @@ Patch1: openssl-1.0.0-c_rehash-compat.diff
Patch2: bug610223.patch Patch2: bug610223.patch
Patch3: openssl-ocloexec.patch Patch3: openssl-ocloexec.patch
Patch4: VIA_padlock_support_on_64systems.patch Patch4: VIA_padlock_support_on_64systems.patch
# PATCH-FIX-UPSTREAM openssl-1.0.1d-s3-packet.patch Fix the calculation that checks there is enough room in a record after removing padding and optional explicit IV bnc#803004, openssl ticket#2975
Patch5: openssl-1.0.1d-s3-packet.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
@ -176,6 +178,7 @@ Authors:
%patch2 -p1 %patch2 -p1
%patch3 %patch3
%patch4 -p1 %patch4 -p1
%patch5 -p1
cp -p %{S:10} . cp -p %{S:10} .
echo "adding/overwriting some entries in the 'table' hash in Configure" echo "adding/overwriting some entries in the 'table' hash in Configure"
# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags