OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src openpkg-web          Date:   19-Feb-2003 16:21:01
  Branch: OPENPKG_1_1_SOLID HEAD           Handle: 2003021915205901

  Modified files:
    openpkg-web             news.txt
  Modified files:           (Branch: OPENPKG_1_1_SOLID)
    openpkg-src/openssl     openssl.patch openssl.spec

  Log:
    SA-2003.013-openssl; CAN-2003-0078

  Summary:
    Revision    Changes     Path
    1.6.2.1     +93 -0      openpkg-src/openssl/openssl.patch
    1.29.2.2    +4  -4      openpkg-src/openssl/openssl.spec
    1.3364      +1  -0      openpkg-web/news.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/openssl/openssl.patch
  ============================================================================
  $ cvs diff -u -r1.6 -r1.6.2.1 openssl.patch
  --- openpkg-src/openssl/openssl.patch 9 Aug 2002 13:32:25 -0000       1.6
  +++ openpkg-src/openssl/openssl.patch 19 Feb 2003 15:21:00 -0000      1.6.2.1
  @@ -29,3 +29,96 @@
    "nextstep", "cc:-O -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:::",
    "nextstep3.3",      "cc:-O3 -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:::",
    # NCR MP-RAS UNIX ver 02.03.01
  +--- ssl/s3_pkt.c     6 May 2002 10:42:56 -0000       1.37.2.10
  ++++ ssl/s3_pkt.c     18 Feb 2003 16:38:22 -0000
  +@@ -238,6 +238,8 @@
  +     unsigned int mac_size;
  +     int clear=0;
  +     size_t extra;
  ++    int decryption_failed_or_bad_record_mac = 0;
  ++    unsigned char *mac = NULL;
  + 
  +     rr= &(s->s3->rrec);
  +     sess=s->session;
  +@@ -353,8 +355,11 @@
  +                     /* SSLerr() and ssl3_send_alert() have been called */
  +                     goto err;
  + 
  +-            /* otherwise enc_err == -1 */
  +-            goto decryption_failed_or_bad_record_mac;
  ++            /* Otherwise enc_err == -1, which indicates bad padding
  ++             * (rec->length has not been changed in this case).
  ++             * To minimize information leaked via timing, we will perform
  ++             * the MAC computation anyway. */
  ++            decryption_failed_or_bad_record_mac = 1;
  +             }
  + 
  + #ifdef TLS_DEBUG
  +@@ -380,28 +385,46 @@
  +                     SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
  +                     goto f_err;
  + #else
  +-                    goto decryption_failed_or_bad_record_mac;
  ++                    decryption_failed_or_bad_record_mac = 1;
  + #endif                      
  +                     }
  +             /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
  +-            if (rr->length < mac_size)
  ++            if (rr->length >= mac_size)
  +                     {
  ++                    rr->length -= mac_size;
  ++                    mac = &rr->data[rr->length];
  ++                    }
  ++            else
  ++                    {
  ++                    /* record (minus padding) is too short to contain a MAC */
  + #if 0 /* OK only for stream ciphers */
  +                     al=SSL_AD_DECODE_ERROR;
  +                     SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
  +                     goto f_err;
  + #else
  +-                    goto decryption_failed_or_bad_record_mac;
  ++                    decryption_failed_or_bad_record_mac = 1;
  ++                    rr->length = 0;
  + #endif
  +                     }
  +-            rr->length-=mac_size;
  +             i=s->method->ssl3_enc->mac(s,md,0);
  +-            if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
  ++            if (mac == NULL || memcmp(md, mac, mac_size) != 0)
  +                     {
  +-                    goto decryption_failed_or_bad_record_mac;
  ++                    decryption_failed_or_bad_record_mac = 1;
  +                     }
  +             }
  + 
  ++    if (decryption_failed_or_bad_record_mac)
  ++            {
  ++            /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
  ++             * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
  ++             * failure is directly visible from the ciphertext anyway,
  ++             * we should not reveal which kind of error occured -- this
  ++             * might become visible to an attacker (e.g. via a logfile) */
  ++            al=SSL_AD_BAD_RECORD_MAC;
  ++            
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  ++            goto f_err;
  ++            }
  ++
  +     /* r->length is now just compressed */
  +     if (s->expand != NULL)
  +             {
  +@@ -443,14 +466,6 @@
  + 
  +     return(1);
  + 
  +-decryption_failed_or_bad_record_mac:
  +-    /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
  +-     * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
  +-     * failure is directly visible from the ciphertext anyway,
  +-     * we should not reveal which kind of error occured -- this
  +-     * might become visible to an attacker (e.g. via logfile) */
  +-    al=SSL_AD_BAD_RECORD_MAC;
  +-    SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
  + f_err:
  +     ssl3_send_alert(s,SSL3_AL_FATAL,al);
  + err:
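Review bot: In the embedded ssl/s3_pkt.c change, the MAC check `if (mac == NULL || memcmp(md, mac, mac_size) != 0)` still relies on memcmp, whose running time can depend on where the first differing byte sits, so the comparison is not timing-neutral even though the MAC is now always computed. Comparing all mac_size bytes with an XOR accumulator, as sketched below, removes that dependence without changing which records are rejected. Separately, the new comment says rr->length is left unchanged when padding is bad, so the MAC is presumably computed over a different number of bytes than for a well-padded record; some timing difference may remain, and the comment could state that limit explicitly. The enclosing function (apparently ssl3_get_record, judging by the SSLerr codes) starts and ends outside these hunks, so the declaration of md and the MAC routine's use of rr->length are not visible here.

```c
		i=s->method->ssl3_enc->mac(s,md,0);
		/* compare every MAC byte so the time taken does not depend on
		 * the position of the first mismatch */
		if (mac == NULL)
			{
			decryption_failed_or_bad_record_mac = 1;
			}
		else
			{
			unsigned char diff = 0;
			unsigned int k;

			for (k = 0; k < mac_size; k++)
				diff |= md[k] ^ mac[k];
			if (diff != 0)
				decryption_failed_or_bad_record_mac = 1;
			}
		/* ... unchanged: common decryption_failed_or_bad_record_mac alert block ... */
```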
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/openssl/openssl.spec
  ============================================================================
  $ cvs diff -u -r1.29.2.1 -r1.29.2.2 openssl.spec
  --- openpkg-src/openssl/openssl.spec  26 Aug 2002 19:54:27 -0000      1.29.2.1
  +++ openpkg-src/openssl/openssl.spec  19 Feb 2003 15:21:00 -0000      1.29.2.2
  @@ -1,8 +1,8 @@
   ##
   ##  openssl.spec -- OpenPKG RPM Specification
  -##  Copyright (c) 2000-2002 Cable & Wireless Deutschland GmbH
  -##  Copyright (c) 2000-2002 The OpenPKG Project <http://www.openpkg.org/>
  -##  Copyright (c) 2000-2002 Ralf S. Engelschall <[EMAIL PROTECTED]>
  +##  Copyright (c) 2000-2003 Cable & Wireless Deutschland GmbH
  +##  Copyright (c) 2000-2003 The OpenPKG Project <http://www.openpkg.org/>
  +##  Copyright (c) 2000-2003 Ralf S. Engelschall <[EMAIL PROTECTED]>
   ##
   ##  Permission to use, copy, modify, and distribute this software for
   ##  any purpose with or without fee is hereby granted, provided that
  @@ -33,7 +33,7 @@
   Group:        Cryptography
   License:      BSD-style
   Version:      0.9.6g
  -Release:      1.1.0
  +Release:      1.1.1
   
   #   list of sources
   Source0:      ftp://ftp.openssl.org/source/openssl-%{version}.tar.gz
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/news.txt
  ============================================================================
  $ cvs diff -u -r1.3363 -r1.3364 news.txt
  --- openpkg-web/news.txt      19 Feb 2003 14:03:45 -0000      1.3363
  +++ openpkg-web/news.txt      19 Feb 2003 15:20:59 -0000      1.3364
  @@ -1,3 +1,4 @@
  +19-Feb-2003: Upgraded package: P<openssl-0.9.6g-1.1.1>
   19-Feb-2003: Upgraded package: P<openssl-0.9.7a-20030219>
   19-Feb-2003: Upgraded package: P<dhcpd-3.0.1rc9-1.1.2>
   19-Feb-2003: Upgraded package: P<dhcpd-3.0.1rc11-1.2.1>
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
