Hello community, here is the log from the commit of package srtp.1874 for openSUSE:12.3:Update checked in at 2013-07-26 11:07:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/srtp.1874 (Old) and /work/SRC/openSUSE:12.3:Update/.srtp.1874.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "srtp.1874" Changes: -------- New Changes file: --- /dev/null 2013-07-23 23:44:04.804033756 +0200 +++ /work/SRC/openSUSE:12.3:Update/.srtp.1874.new/srtp.changes 2013-07-26 11:07:14.000000000 +0200 
@@ -0,0 +1,52 @@
+-------------------------------------------------------------------
+Thu Jul 18 18:07:35 CEST 2013 - [email protected]
+
+- Fix buffer overflow flaw
+ (CVE-2013-2139.diff, CVE-2013-2139, bnc828009).
+
+-------------------------------------------------------------------
+Wed Oct 31 20:11:34 UTC 2012 - [email protected]
+
+- Fold the pkgconfig file into srtp-automake.diff
+- Have libsrtp-devel depend on library package
+
+-------------------------------------------------------------------
+Thu Oct 31 13:18:09 UTC 2012 - [email protected]
+
+- Have the package provide a pkg-config file, and run ldconfig
+ for the library package
+
+-------------------------------------------------------------------
+Tue Oct 25 15:45:56 UTC 2011 - [email protected]
+
+- Remove redundant %clean section
+- Add automake patch so as to properly create shared libraries
+
+-------------------------------------------------------------------
+Tue Mar 8 16:01:11 UTC 2011 - [email protected]
+
+- spec-cleaner
+- remove author from description
+- rpmlint: wrong-file-end-of-line-encoding
+
+-------------------------------------------------------------------
+Sat Aug 8 12:45:35 UTC 2009 - [email protected]
+
+- Version update to 1.4.4 and bzipped source.
+ o sorry but CHANGES file is outdated
+
+-------------------------------------------------------------------
+Mon Jan 28 16:05:24 CET 2008 - [email protected]
+
+- Generate package named srtp-devel.
+
+-------------------------------------------------------------------
+Wed Jun 6 01:27:06 CEST 2007 - [email protected]
+
+- suppress devel file warnings, we only have a static lib here
+
+-------------------------------------------------------------------
+Wed Jun 28 17:30:46 CEST 2006 - [email protected]
+
+- New SuSE package, version 1.4.2.
+ New: ---- CVE-2013-2139.diff srtp-1.4.4.tar.bz2 srtp-automake.diff srtp.changes srtp.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ srtp.spec ++++++ # # spec file for package srtp # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: srtp %define lname libsrtp1 Summary: Secure Real-Time Transport Protocol (SRTP) library License: BSD-3-Clause Group: Development/Libraries/C and C++ Version: 1.4.4 Release: 0 Url: http://srtp.sourceforge.net/srtp.html Source: %{name}-%{version}.tar.bz2 Patch1: srtp-automake.diff # PATCH-FIX-SECURITY CVE-2013-2139.diff bnc828009 CVE-2013-2139 [email protected] -- Fix buffer overflow flaw. Patch2: CVE-2013-2139.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf BuildRequires: automake >= 1.11 BuildRequires: dos2unix BuildRequires: libtool BuildRequires: pkg-config %description The libSRTP library is an open source implementation of the Secure Real-time Transport Protocol (SRTP) originally authored by Cisco Systems, Inc. %package -n %lname Summary: Secure Real-Time Transport Protocol (SRTP) library Group: System/Libraries %description -n %lname The libSRTP library is an open source implementation of the Secure Real-time Transport Protocol (SRTP) originally authored by Cisco Systems, Inc. 
SRTP is a security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. It is specified in RFC 3711. More information about the SRTP protocol itself can be found on the Secure RTP page. %package devel Summary: Secure Real-Time Transport Protocol (SRTP) library Group: Development/Libraries/C and C++ Requires: %lname = %version %description devel The libSRTP library is an open source implementation of the Secure Real-time Transport Protocol (SRTP) originally authored by Cisco Systems, Inc. SRTP is a security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. It is specified in RFC 3711. More information about the SRTP protocol itself can be found on the Secure RTP page. %prep %setup -q -n %{name} %patch -P 1 -p1 %patch2 -p1 dos2unix doc/draft-irtf-cfrg-icm-00.txt %build autoreconf -fi %configure \ --enable-generic-aesicm \ --enable-syslog # --enable-gdoi # FIXME: Does not work: # --enable-kernel-linux make %{?_smp_mflags} %install make install DESTDIR="%buildroot"; rm -f "%buildroot/%_libdir"/*.la %post -n %lname -p /sbin/ldconfig %postun -n %lname -p /sbin/ldconfig %files -n %lname %defattr(-,root,root,-) %_libdir/libsrtp.so.1* %files devel %defattr(-,root,root,-) %doc CHANGES LICENSE README TODO VERSION doc/*.pdf doc/*.txt %{_includedir}/%{name} %_libdir/libsrtp.so %{_libdir}/pkgconfig/libsrtp.pc %changelog ++++++ CVE-2013-2139.diff ++++++ Merge pull request #22 from cisco/security-fixes Security fix to not ignore RTCP encryption, if required.diff --git a/crypto/ae_xfm/xfm.c b/crypto/ae_xfm/xfm.c index 7aa3388..997ccbc 100644 Index: srtp/crypto/ae_xfm/xfm.c =================================================================== --- srtp.orig/crypto/ae_xfm/xfm.c +++ srtp/crypto/ae_xfm/xfm.c @@ -177,7 +177,7 @@ aes_128_cbc_hmac_sha1_96_inv(void *key, #define ENC 1 -#define DEBUG 0 +#define DEBUG_PRINT 0 err_status_t aes_128_cbc_hmac_sha1_96_enc(void *key, 
@@ -208,7 +208,7 @@ aes_128_cbc_hmac_sha1_96_enc(void *key,
 } else {
-#if DEBUG
+#if DEBUG_PRINT
 printf("ENC using key %s\n", octet_string_hex_string(key, KEY_LEN));
 #endif
@@ -236,7 +236,7 @@ aes_128_cbc_hmac_sha1_96_enc(void *key,
 status = aes_cbc_set_iv(&aes_ctx, iv); if (status) return status;
-#if DEBUG
+#if DEBUG_PRINT
 printf("plaintext len: %d\n", *opaque_len); printf("iv: %s\n", octet_string_hex_string(iv, IV_LEN)); printf("plaintext: %s\n", octet_string_hex_string(opaque, *opaque_len));
@@ -248,7 +248,7 @@ aes_128_cbc_hmac_sha1_96_enc(void *key,
 if (status) return status;
 #endif
-#if DEBUG
+#if DEBUG_PRINT
 printf("ciphertext len: %d\n", *opaque_len); printf("ciphertext: %s\n", octet_string_hex_string(opaque, *opaque_len));
 #endif
@@ -266,7 +266,7 @@ aes_128_cbc_hmac_sha1_96_enc(void *key,
 status = hmac_update(&hmac_ctx, clear, clear_len); if (status) return status;
-#if DEBUG
+#if DEBUG_PRINT
 printf("hmac input: %s\n", octet_string_hex_string(clear, clear_len));
 #endif
@@ -274,14 +274,14 @@ aes_128_cbc_hmac_sha1_96_enc(void *key,
 auth_tag += *opaque_len; status = hmac_compute(&hmac_ctx, opaque, *opaque_len, TAG_LEN, auth_tag); if (status) return status;
-#if DEBUG
+#if DEBUG_PRINT
 printf("hmac input: %s\n", octet_string_hex_string(opaque, *opaque_len));
 #endif
 /* bump up the opaque_len to reflect the authentication tag */ *opaque_len += TAG_LEN;
-#if DEBUG
+#if DEBUG_PRINT
 printf("prot data len: %d\n", *opaque_len); printf("prot data: %s\n", octet_string_hex_string(opaque, *opaque_len));
 #endif
@@ -321,7 +321,7 @@ aes_128_cbc_hmac_sha1_96_dec(void *key,
 return err_status_fail; } else {
-#if DEBUG
+#if DEBUG_PRINT
 printf("DEC using key %s\n", octet_string_hex_string(key, KEY_LEN));
 #endif
@@ -336,7 +336,7 @@ aes_128_cbc_hmac_sha1_96_dec(void *key,
 status = hmac_compute(&hmac_ctx, "MAC", 3, MAC_KEY_LEN, mac_key); if (status) return status;
-#if DEBUG
+#if DEBUG_PRINT
 printf("prot data len: %d\n", *opaque_len); printf("prot data: %s\n", octet_string_hex_string(opaque, *opaque_len));
 #endif
@@ -347,7 +347,7 @@ aes_128_cbc_hmac_sha1_96_dec(void *key,
 */ ciphertext_len = *opaque_len - TAG_LEN;
-#if DEBUG
+#if DEBUG_PRINT
 printf("ciphertext len: %d\n", ciphertext_len);
 #endif
 /* verify the authentication tag */
@@ -365,7 +365,7 @@ aes_128_cbc_hmac_sha1_96_dec(void *key,
 status = hmac_update(&hmac_ctx, clear, clear_len); if (status) return status;
-#if DEBUG
+#if DEBUG_PRINT
 printf("hmac input: %s\n", octet_string_hex_string(clear, clear_len));
 #endif
@@ -373,7 +373,7 @@ aes_128_cbc_hmac_sha1_96_dec(void *key,
 status = hmac_compute(&hmac_ctx, opaque, ciphertext_len, TAG_LEN, tmp_tag); if (status) return status;
-#if DEBUG
+#if DEBUG_PRINT
 printf("hmac input: %s\n", octet_string_hex_string(opaque, ciphertext_len));
 #endif
@@ -384,7 +384,7 @@ aes_128_cbc_hmac_sha1_96_dec(void *key,
 */ auth_tag = (unsigned char *)opaque; auth_tag += ciphertext_len;
-#if DEBUG
+#if DEBUG_PRINT
 printf("auth_tag: %s\n", octet_string_hex_string(auth_tag, TAG_LEN)); printf("tmp_tag: %s\n", octet_string_hex_string(tmp_tag, TAG_LEN));
 #endif
@@ -402,7 +402,7 @@ aes_128_cbc_hmac_sha1_96_dec(void *key,
 status = aes_cbc_set_iv(&aes_ctx, iv); if (status) return status;
-#if DEBUG
+#if DEBUG_PRINT
 printf("ciphertext: %s\n", octet_string_hex_string(opaque, *opaque_len)); printf("iv: %s\n", octet_string_hex_string(iv, IV_LEN));
 #endif
@@ -412,7 +412,7 @@ aes_128_cbc_hmac_sha1_96_dec(void *key,
 if (status) return status;
 #endif
-#if DEBUG
+#if DEBUG_PRINT
 printf("plaintext len: %d\n", ciphertext_len); printf("plaintext: %s\n", octet_string_hex_string(opaque, ciphertext_len));
@@ -464,14 +464,14 @@ null_enc(void *key,
 } else {
-#if DEBUG
+#if DEBUG_PRINT
 printf("NULL ENC using key %s\n", octet_string_hex_string(key, KEY_LEN)); printf("NULL_TAG_LEN: %d\n", NULL_TAG_LEN); printf("plaintext len: %d\n", *opaque_len);
 #endif
 for (i=0; i < IV_LEN; i++) init_vec[i] = i + (i * 16);
-#if DEBUG
+#if DEBUG_PRINT
 printf("iv: %s\n", octet_string_hex_string(iv, IV_LEN)); printf("plaintext: %s\n",
@@ -482,7 +482,7 @@ null_enc(void *key,
 for (i=0; i < NULL_TAG_LEN; i++) auth_tag[i] = i + (i * 16); *opaque_len += NULL_TAG_LEN;
-#if DEBUG
+#if DEBUG_PRINT
 printf("protected data len: %d\n", *opaque_len); printf("protected data: %s\n", octet_string_hex_string(opaque, *opaque_len));
@@ -517,7 +517,7 @@ null_dec(void *key,
 } else {
-#if DEBUG
+#if DEBUG_PRINT
 printf("NULL DEC using key %s\n", octet_string_hex_string(key, KEY_LEN)); printf("protected data len: %d\n", *opaque_len);
@@ -526,11 +526,11 @@ null_dec(void *key,
 #endif
 auth_tag = opaque; auth_tag += (*opaque_len - NULL_TAG_LEN);
-#if DEBUG
+#if DEBUG_PRINT
 printf("iv: %s\n", octet_string_hex_string(iv, IV_LEN));
 #endif
 *opaque_len -= NULL_TAG_LEN;
-#if DEBUG
+#if DEBUG_PRINT
 printf("plaintext len: %d\n", *opaque_len); printf("plaintext: %s\n", octet_string_hex_string(opaque, *opaque_len));
Index: srtp/srtp/srtp.c
===================================================================
--- srtp.orig/srtp/srtp.c
+++ srtp/srtp/srtp.c
@@ -1609,6 +1609,8 @@ srtp_unprotect_rtcp(srtp_t ctx, void *sr
 srtp_stream_ctx_t *stream; int prefix_len; uint32_t seq_num;
+ int e_bit_in_packet; /* whether the E-bit was found in the packet */
+ int sec_serv_confidentiality; /* whether confidentiality was requested */
 /* we assume the hdr is 32-bit aligned to start */ /*
@@ -1630,6 +1632,9 @@ srtp_unprotect_rtcp(srtp_t ctx, void *sr
 } }
+ sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf ||
+ stream->rtcp_services == sec_serv_conf_and_auth;
+
 /* get tag length from stream context */ tag_len = auth_get_tag_length(stream->rtcp_auth);
@@ -1648,8 +1653,13 @@ srtp_unprotect_rtcp(srtp_t ctx, void *sr
 * multiples of 32-bits (RFC 3550 6.1) */ trailer = (uint32_t *) ((char *) hdr +
- *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
- if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) {
+ *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
+ e_bit_in_packet =
+ (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT;
+ if (e_bit_in_packet != sec_serv_confidentiality) {
+ return err_status_cant_check;
+ }
+ if (sec_serv_confidentiality) {
 enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; } else { enc_octet_len = 0;
++++++ srtp-automake.diff ++++++
From: Jan Engelhardt <[email protected]>
Date: 2011-10-25 17:51:31.000000000 +0200
Switch to stress-free automake with libtool library generation. Also add a pkgconfig file for easy detection of presence and paths by secondary projects.
---
 Makefile.am | 99 +++++++++++++++++++++++++++++++++++++++++++++
 configure.in | 13 ++++-
 crypto/include/Makefile.am | 7 +++
 include/Makefile.am | 4 +
 libsrtp.pc.in | 11 +++++
 5 files changed, 131 insertions(+), 3 deletions(-)
Index: srtp/Makefile.am
===================================================================
--- /dev/null
+++ srtp/Makefile.am
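Review bot: The trailer pointer in the third hunk is still formed as `hdr + *pkt_octet_len - (tag_len + sizeof(srtcp_trailer_t))` with no visible check that the packet is at least that long, so the new E-bit read `*((unsigned char *) trailer)` dereferences before the buffer on an undersized packet; the start of srtp_unprotect_rtcp is outside the hunk, so this only matters if no earlier minimum-length test exists there. If none does, add `if (*pkt_octet_len < (int)(tag_len + sizeof(srtcp_trailer_t))) return err_status_bad_param;` immediately before the trailer assignment. The rejection of a packet whose E-bit disagrees with the stream's rtcp_services is correct as written, but a comment stating the intent would help the next reader, e.g. `/* E-bit and negotiated confidentiality must agree; a mismatch means the packet was not protected under this policy, so refuse rather than guess */`. Separately, the srtp.changes entry and the PATCH-FIX-SECURITY tag in srtp.spec describe CVE-2013-2139 as a buffer overflow fix, while the embedded patch header reads "Security fix to not ignore RTCP encryption, if required" and none of its hunks change a length or bound; confirm that the packaged diff is the intended upstream fix, or reword the spec comment to describe what the patch actually does.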
@@ -0,0 +1,99 @@
+# -*- Makefile -*-
+
+SUBDIRS = crypto/include include
+
+AM_CPPFLAGS = -I${top_srcdir}/crypto/include -I${top_srcdir}/include
+
+pkgconfdir = ${libdir}/pkgconfig
+pkgconf_DATA = libsrtp.pc
+
+lib_LTLIBRARIES = libsrtp.la
+
+noinst_LTLIBRARIES = libcryptomath.la
+
+ciphers = crypto/cipher/cipher.c crypto/cipher/null_cipher.c \
+ crypto/cipher/aes.c crypto/cipher/aes_icm.c \
+ crypto/cipher/aes_cbc.c
+
+hashes = crypto/hash/null_auth.c crypto/hash/sha1.c \
+ crypto/hash/hmac.c crypto/hash/auth.c # crypto/hash/tmmhv2.c
+
+replay = crypto/replay/rdb.c crypto/replay/rdbx.c \
+ crypto/replay/ut_sim.c
+
+math = crypto/math/datatypes.c crypto/math/stat.c
+
+ust = crypto/ust/ust.c
+
+rng = crypto/rng/prng.c crypto/rng/ctr_prng.c
+if RAND_LINUX_KERNEL
+rng += crypto/rng/rand_linux_kernel.c
+else
+rng += crypto/rng/rand_source.c
+endif
+
+err = crypto/kernel/err.c
+
+kernel = crypto/kernel/crypto_kernel.c crypto/kernel/alloc.c \
+ crypto/kernel/key.c ${rng} ${err} # ${ust}
+
+cryptsrc = ${ciphers} ${hashes} ${math} ${stat} ${kernel} ${replay}
+srtpsrc = srtp/srtp.c
+
+# gdoi is the group domain of interpretation for isakmp, a group key
+# management system which can provide keys for srtp
+if GDOI
+gdoi = gdoi/srtp+gdoi.c
+endif
+
+# so.1 was used in srtp-sharedlib.diff..
+libsrtp_la_SOURCES = ${srtpsrc} ${cryptsrc} ${gdoi}
+libsrtp_la_LDFLAGS = -version-info 1:0:0
+
+libcryptomath_la_SOURCES = crypto/math/math.c crypto/math/gf2_8.c
+
+# test applications
+
+check_PROGRAMS = crypto/test/aes_calc crypto/test/cipher_driver \
+ crypto/test/datatypes_driver crypto/test/kernel_driver \
+ crypto/test/rand_gen crypto/test/sha1_driver \
+ crypto/test/stat_driver \
+ test/srtp_driver test/replay_driver test/roc_driver test/rdbx_driver \
+ test/rtpw test/dtls_srtp_driver
+
+test_rtpw_SOURCES = test/rtpw.c test/rtp.c test/getopt_s.c
+test_rtpw_LDADD = libsrtp.la
+
+test_srtp_driver_SOURCES = test/srtp_driver.c test/getopt_s.c
+test_srtp_driver_LDADD = libsrtp.la
+
+test_rdbx_driver_SOURCES = test/rdbx_driver.c test/getopt_s.c
+test_rdbx_driver_LDADD = libsrtp.la
+
+test_dtls_srtp_driver_SOURCES = test/dtls_srtp_driver.c test/getopt_s.c
+test_dtls_srtp_driver_LDADD = libsrtp.la
+
+memtest: test/srtp_driver
+ @test/srtp_driver -v -d "alloc" > tmp
+ @grep freed tmp | wc -l > freed
+ @grep allocated tmp | wc -l > allocated
+ @echo "checking for memory leaks (only works with --enable-stdout)"
+ cmp -s allocated freed
+ @echo "passed (same number of alloc() and dealloc() calls found)"
+ @rm freed allocated tmp
+
+# tables_apps are used to generate the tables used in the crypto
+# implementations; these need only be generated during porting, not
+# for building libsrtp or the test applications
+
+check_PROGRAMS += tables/aes_tables
+
+tables_aes_tables_SOURCES = tables/aes_tables.c
+tables_aes_tables_LDADD = libcryptomath.la
+
+# the target 'plot' runs the timing test (test/srtp_driver -t) then
+# uses gnuplot to produce plots of the results - see the script file
+# 'timing'
+
+plot: test/srtp_driver
+ test/srtp_driver -t > timing.dat
Index: srtp/configure.in
===================================================================
--- srtp.orig/configure.in
+++ srtp/configure.in
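Review bot: `cryptsrc = ${ciphers} ${hashes} ${math} ${stat} ${kernel} ${replay}` expands `${stat}`, which no line of this new Makefile.am assigns (crypto/math/stat.c is already carried by `${math}`), so it silently expands to nothing and reads as a leftover from an earlier layout; drop `${stat}` from the list or give it a definition. The `ust` variable has the opposite problem: it is defined but only referenced inside the `# ${ust}` comment on the `kernel` line, so either remove the definition or note why it is kept, e.g. `# ust.c is not built; kept for reference when porting`. The memtest recipe also writes its scratch files (`tmp`, `freed`, `allocated`) into the current directory, which breaks out-of-tree builds with a read-only srcdir; `$(builddir)`-relative or `mktemp`-based names would avoid that.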
@@ -1,5 +1,5 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT(srtp)
+AC_INIT([srtp], [1.4.4])
 dnl Must come before AC_PROG_CC if test -z "$CFLAGS"; then
@@ -8,9 +8,13 @@ if test -z "$CFLAGS"; then
 fi dnl Checks for programs.
-AC_PROG_RANLIB
+AM_INIT_AUTOMAKE([-Wall foreign subdir-objects no-dist-gzip dist-xz tar-pax])
 AC_PROG_CC
+AM_PROG_CC_C_O
 AC_PROG_INSTALL
+m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
+AC_DISABLE_STATIC
+AC_PROG_LIBTOOL
 AC_ARG_ENABLE(kernel-linux,
@@ -46,6 +50,7 @@ else
 fi fi AC_SUBST(RNG_OBJS)
+AM_CONDITIONAL([RAND_LINUX_KERNEL], [test "$enable_linux_kernel" = yes])
 dnl Checks for header files.
@@ -186,10 +191,12 @@ if test "$enable_gdoi" = "yes"; then
 AC_SUBST(GDOI_OBJS) fi AC_MSG_RESULT($enable_gdoi)
+AM_CONDITIONAL([GDOI], [test "$enable_gdoi" = "yes"])
 AC_CONFIG_HEADER(crypto/include/config.h:config_in.h)
-AC_OUTPUT(Makefile crypto/Makefile doc/Makefile)
+AC_CONFIG_FILES([Makefile crypto/Makefile crypto/include/Makefile doc/Makefile include/Makefile libsrtp.pc])
+AC_OUTPUT
 # This is needed when building outside the source dir. AS_MKDIR_P(crypto/ae_xfm)
Index: srtp/crypto/include/Makefile.am
===================================================================
--- /dev/null
+++ srtp/crypto/include/Makefile.am
@@ -0,0 +1,7 @@
+# -*- Makefile -*-
+
+pkginclude_HEADERS = \
+ aes.h aes_cbc.h aes_icm.h alloc.h auth.h cipher.h crypto.h \
+ crypto_kernel.h crypto_math.h crypto_types.h cryptoalg.h datatypes.h \
+ err.h gf2_8.h hmac.h integers.h kernel_compat.h key.h null_auth.h \
+ null_cipher.h prng.h rand_source.h rdb.h rdbx.h sha1.h stat.h xfm.h
Index: srtp/include/Makefile.am
===================================================================
--- /dev/null
+++ srtp/include/Makefile.am
@@ -0,0 +1,4 @@
+# -*- Makefile -*-
+
+pkginclude_HEADERS = \
+ getopt_s.h rtp.h rtp_priv.h srtp.h srtp_priv.h ut_sim.h
Index: srtp/libsrtp.pc.in
===================================================================
--- /dev/null
+++ srtp/libsrtp.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: libsrtp
+Description: Secure Real-time Transport Protocol library
+Version: 1.4.4
+URL: http://srtp.sf.net/
+Libs: -L${libdir} -lsrtp
+Cflags: -I${includedir}/srtp
-- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
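Review bot: `Version: 1.4.4` in libsrtp.pc.in hard-codes the release even though the configure.in hunk of this same patch now passes the version to `AC_INIT([srtp], [1.4.4])` and generates libsrtp.pc through AC_CONFIG_FILES, so the two will drift apart on the next version bump and consumers using `pkg-config --atleast-version` will be misled. Take it from the substitution instead: `Version: @PACKAGE_VERSION@`. The `URL: http://srtp.sf.net/` also differs from the `Url:` given in srtp.spec; harmless, but worth aligning while the file is new.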
