Hello community,

here is the log from the commit of package libsrtp for openSUSE:Factory checked 
in at 2017-08-12 19:36:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libsrtp (Old)
 and      /work/SRC/openSUSE:Factory/.libsrtp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libsrtp"

Sat Aug 12 19:36:25 2017 rev:10 rq:514661 version:1.6.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/libsrtp/libsrtp.changes  2016-11-25 
12:27:56.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libsrtp.new/libsrtp.changes     2017-08-12 
19:36:31.802137559 +0200
@@ -1,0 +2,13 @@
+Tue Aug  1 12:28:27 UTC 2017 - jeng...@inai.de
+
+- Update to new upstream release 1.6.0
+  * Fix incorrect result of rdb_increment on overflow
+  * Cipher type cleanup for AES.
+    When libSRTP is compiled with OpenSSL and the AES 256 ICM
+    cipher is used with RTCP, an incorrect initialization vector
+    is formed. This change will break backwards compatibility
+    with older versions (1.5, 2.0) of libSRTP when using the AES
+    256 ICM cipher with OpenSSL for RTCP.
+  * Sequence number incorrectly masked for AES GCM IV.
+
+-------------------------------------------------------------------

Old:
----
  libsrtp-1.5.4.tar.gz

New:
----
  libsrtp-1.6.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libsrtp.spec ++++++
--- /var/tmp/diff_new_pack.gyqTHR/_old  2017-08-12 19:36:32.969973782 +0200
+++ /var/tmp/diff_new_pack.gyqTHR/_new  2017-08-12 19:36:32.973973222 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libsrtp
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %define soname 1
 Name:           libsrtp
-Version:        1.5.4
+Version:        1.6.0
 Release:        0
 Summary:        Secure Real-Time Transport Protocol (SRTP) library
 License:        BSD-3-Clause

++++++ libsrtp-1.5.4.tar.gz -> libsrtp-1.6.0.tar.gz ++++++
++++ 2340 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libsrtp-1.5.4/CHANGES new/libsrtp-1.6.0/CHANGES
--- old/libsrtp-1.5.4/CHANGES   2016-02-02 20:56:49.000000000 +0100
+++ new/libsrtp-1.6.0/CHANGES   2017-08-01 13:57:38.000000000 +0200
@@ -1,5 +1,21 @@
 Changelog
 
+1.6.0
+
+  PR #293  Fix incorrect result of rdb_increment on overflow
+
+  PR #290 - Cipher type cleanup for AES
+    When libSRTP is compiled with OpenSSL and the AES 256 ICM cipher is used
+    with RTCP an incorrect initialization vector is formed.
+    This change will break backwards compatibility with older versions (1.5,
+    2.0) of libSRTP when using the AES 256 ICM cipher with OpenSSL for RTCP.
+
+  PR #281 - Sequence number incorrectly masked for AES GCM IV
+    The initialization vector for AES GCM encryption was incorrectly formed on
+    little endian machines.
+    This change will break backwards compatibility with older versions (1.5,
+    2.0) of libSRTP when using the AES GCM cipher for RTCP.
+
 1.5.4
 
   Use BE byte ordering of RTCP trailer.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libsrtp-1.5.4/VERSION new/libsrtp-1.6.0/VERSION
--- old/libsrtp-1.5.4/VERSION   2016-02-02 20:56:49.000000000 +0100
+++ new/libsrtp-1.6.0/VERSION   2017-08-01 13:57:38.000000000 +0200
@@ -1 +1 @@
-1.5.4
+1.6.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libsrtp-1.5.4/configure.in new/libsrtp-1.6.0/configure.in
--- old/libsrtp-1.5.4/configure.in      2016-02-02 20:56:49.000000000 +0100
+++ new/libsrtp-1.6.0/configure.in      2017-08-01 13:57:38.000000000 +0200
@@ -1,5 +1,5 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT([libsrtp], [1.5.4], [https://github.com/cisco/libsrtp/issues])
+AC_INIT([libsrtp], [1.6.0], [https://github.com/cisco/libsrtp/issues])
 
 dnl Must come before AC_PROG_CC
 if test -z "$CFLAGS"; then
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libsrtp-1.5.4/crypto/replay/rdb.c new/libsrtp-1.6.0/crypto/replay/rdb.c
--- old/libsrtp-1.5.4/crypto/replay/rdb.c       2016-02-02 20:56:49.000000000 
+0100
+++ new/libsrtp-1.6.0/crypto/replay/rdb.c       2017-08-01 13:57:38.000000000 
+0200
@@ -130,8 +130,9 @@
 err_status_t
 rdb_increment(rdb_t *rdb) {
 
-  if (rdb->window_start++ > 0x7fffffff)
+  if (rdb->window_start >= 0x7fffffff)
     return err_status_key_expired;
+  ++rdb->window_start;
   return err_status_ok;
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libsrtp-1.5.4/srtp/srtp.c new/libsrtp-1.6.0/srtp/srtp.c
--- old/libsrtp-1.5.4/srtp/srtp.c       2016-02-02 20:56:49.000000000 +0100
+++ new/libsrtp-1.6.0/srtp/srtp.c       2017-08-01 13:57:38.000000000 +0200
@@ -331,7 +331,7 @@
   err_status_t status;
   srtp_stream_ctx_t *str;
 
-  debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ssrc);
+  debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ntohl(ssrc));
 
   /* allocate srtp stream and set str_ptr */
   str = (srtp_stream_ctx_t *) crypto_alloc(sizeof(srtp_stream_ctx_t));
@@ -1491,7 +1491,7 @@
     if (ctx->stream_template != NULL) {
       stream = ctx->stream_template;
       debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
-                 hdr->ssrc);
+                 ntohl(hdr->ssrc));
       
       /* 
        * set estimated packet index to sequence number from header,
@@ -2251,9 +2251,13 @@
  *         seq_num - The SEQ value to use for the IV calculation.
  *         *hdr    - The RTP header, used to get the SSRC value
  *
+ * Returns: err_status_ok if no error or srtp_err_status_bad_param
+ *          if seq_num is invalid
+ *
  */
-static void srtp_calc_aead_iv_srtcp(srtp_stream_ctx_t *stream, v128_t *iv, 
-                                    uint32_t seq_num, srtcp_hdr_t *hdr)
+static err_status_t
+srtp_calc_aead_iv_srtcp(srtp_stream_ctx_t *stream, v128_t *iv,
+                        uint32_t seq_num, srtcp_hdr_t *hdr)
 {
     v128_t     in;
     v128_t     salt;
@@ -2264,7 +2268,13 @@
     in.v16[0] = 0;
     memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */
     in.v16[3] = 0;
-    in.v32[2] = 0x7FFFFFFF & htonl(seq_num); /* bit 32 is suppose to be zero */
+    /*  The SRTCP index (seq_num) spans bits 0 through 30 inclusive.
+     *  The most significant bit should be zero.
+     */
+    if (seq_num & 0x80000000UL) {
+        return err_status_bad_param;
+    }
+    in.v32[2] = htonl(seq_num);
 
     debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in));
 
@@ -2278,6 +2288,8 @@
      * Finally, apply the SALT to the input
      */
     v128_xor(iv, &in, &salt);
+
+    return err_status_ok;
 }
 
 /*
@@ -2347,7 +2359,10 @@
     /*
      * Calculating the IV and pass it down to the cipher 
      */
-    srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
+    status = srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
+    if (status) {
+        return err_status_cipher_fail;
+    }
     status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_encrypt);
     if (status) {
         return err_status_cipher_fail;
@@ -2497,7 +2512,10 @@
     /*
      * Calculate and set the IV
      */
-    srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
+    status = srtp_calc_aead_iv_srtcp(stream, &iv, seq_num, hdr);
+    if (status) {
+        return err_status_cipher_fail;
+    }
     status = cipher_set_iv(stream->rtcp_cipher, &iv, direction_decrypt);
     if (status) {
         return err_status_cipher_fail;
@@ -2738,7 +2756,8 @@
   /* 
    * if we're using rindael counter mode, set nonce and seq 
    */
-  if (stream->rtcp_cipher->type->id == AES_ICM) {
+  if (stream->rtcp_cipher->type->id == AES_ICM ||
+      stream->rtcp_cipher->type->id == AES_256_ICM) {
     v128_t iv;
     
     iv.v32[0] = 0;
@@ -2866,7 +2885,7 @@
       }
 
       debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)", 
-                 hdr->ssrc);
+                 ntohl(hdr->ssrc));
     } else {
       /* no template stream, so we return an error */
       return err_status_no_ctx;
@@ -2959,7 +2978,8 @@
   /* 
    * if we're using aes counter mode, set nonce and seq 
    */
-  if (stream->rtcp_cipher->type->id == AES_ICM) {
+  if (stream->rtcp_cipher->type->id == AES_ICM ||
+      stream->rtcp_cipher->type->id == AES_256_ICM) {
     v128_t iv;
 
     iv.v32[0] = 0;


Reply via email to