[Pkg-openssl-changes] r597 - in openssl/trunk/debian: . patches

Kurt Roeckx kroeckx at alioth.debian.org
Mon Mar 18 19:30:23 UTC 2013


Author: kroeckx
Date: 2013-03-18 19:30:23 +0000 (Mon, 18 Mar 2013)
New Revision: 597

Added:
   openssl/trunk/debian/patches/dtls_version.patch
Modified:
   openssl/trunk/debian/changelog
   openssl/trunk/debian/patches/series
Log:
Fix problem with DTLS version check (Closes: #701826)


Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog	2013-03-18 19:29:46 UTC (rev 596)
+++ openssl/trunk/debian/changelog	2013-03-18 19:30:23 UTC (rev 597)
@@ -3,6 +3,7 @@
   * Bump shlibs.  It's needed for the udeb.
   * Make cpuid work on cpu's that don't set ecx (Closes: #699692)
   * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
+  * Fix problem with DTLS version check (Closes: #701826)
 
  -- Kurt Roeckx <kurt at roeckx.be>  Mon, 18 Mar 2013 20:19:58 +0100
 
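Review bot: The new entry "Fix problem with DTLS version check" does not say which check or which patch carries the fix. Naming the file added in this revision (dtls_version.patch) and the case it handles (DTLS1_BAD_VER in the CBC padding removal) would let someone reading the changelog alone match the entry to the change behind #701826.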

Added: openssl/trunk/debian/patches/dtls_version.patch
===================================================================
--- openssl/trunk/debian/patches/dtls_version.patch	                        (rev 0)
+++ openssl/trunk/debian/patches/dtls_version.patch	2013-03-18 19:30:23 UTC (rev 597)
@@ -0,0 +1,25 @@
+From: David Woodhouse <dwmw2 at infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253
+Bug-Debian: http://bugs.debian.org/701826
+Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ 	unsigned padding_length, good, to_check, i;
+ 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ 	/* Check if version requires explicit IV */
+-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ 		{
+ 		/* These lengths are all public so we can test them in
+ 		 * non-constant time.
+
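Review bot: The rewritten condition in tls1_cbc_remove_padding() depends on an ordering fact that only the patch description states: DTLS1_VERSION is already covered by `s->version >= TLS1_1_VERSION`, while DTLS1_BAD_VER is not and must be named explicitly. The in-code comment still reads only "Check if version requires explicit IV", so a later reader could take the absent DTLS1_VERSION term for an omission and put it back, or drop the DTLS1_BAD_VER term as an oddity. Suggest extending that comment to record that DTLS1_VERSION compares greater than TLS1_1_VERSION and that DTLS1_BAD_VER is listed for compatibility. The patch also carries no test for a DTLS1_BAD_VER peer, so nothing here guards the branch against regressing again.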

Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series	2013-03-18 19:29:46 UTC (rev 596)
+++ openssl/trunk/debian/patches/series	2013-03-18 19:30:23 UTC (rev 597)
@@ -34,3 +34,4 @@
 ssltest_no_sslv2.patch
 cpuid.patch
 aesni-mac.patch
+dtls_version.patch



