[Pkg-openssl-changes] r597 - in openssl/trunk/debian: . patches
Kurt Roeckx
kroeckx at alioth.debian.org
Mon Mar 18 19:30:23 UTC 2013
Author: kroeckx
Date: 2013-03-18 19:30:23 +0000 (Mon, 18 Mar 2013)
New Revision: 597
Added:
openssl/trunk/debian/patches/dtls_version.patch
Modified:
openssl/trunk/debian/changelog
openssl/trunk/debian/patches/series
Log:
Fix problem with DTLS version check (Closes: #701826)
Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog 2013-03-18 19:29:46 UTC (rev 596)
+++ openssl/trunk/debian/changelog 2013-03-18 19:30:23 UTC (rev 597)
@@ -3,6 +3,7 @@
* Bump shlibs. It's needed for the udeb.
* Make cpuid work on cpu's that don't set ecx (Closes: #699692)
* Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
+ * Fix problem with DTLS version check (Closes: #701826)
-- Kurt Roeckx <kurt at roeckx.be> Mon, 18 Mar 2013 20:19:58 +0100
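Review bot: The added changelog line says only "DTLS version check" and does not name the affected protocol version or the patch file. Since dtls_version.patch changes the handling of DTLS1_BAD_VER, an entry such as "Fix DTLS1_BAD_VER handling in CBC padding removal (dtls_version.patch)" would let someone searching the changelog for that compatibility problem find it.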
Added: openssl/trunk/debian/patches/dtls_version.patch
===================================================================
--- openssl/trunk/debian/patches/dtls_version.patch (rev 0)
+++ openssl/trunk/debian/patches/dtls_version.patch 2013-03-18 19:30:23 UTC (rev 597)
@@ -0,0 +1,25 @@
+From: David Woodhouse <dwmw2 at infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253
+Bug-Debian: http://bugs.debian.org/701826
+Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ unsigned padding_length, good, to_check, i;
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ /* These lengths are all public so we can test them in
+ * non-constant time.
+
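Review bot: In tls1_cbc_remove_padding() the new condition handles DTLS1_VERSION only implicitly, through the numeric ordering DTLS1_VERSION > TLS1_1_VERSION that the patch description mentions, but the in-code comment still reads just "Check if version requires explicit IV". Someone reading s3_cbc.c without the commit message sees only DTLS1_BAD_VER named and may assume DTLS1_VERSION was dropped by mistake. Consider extending that comment to say that DTLS1_VERSION is covered by the >= TLS1_1_VERSION comparison and that DTLS1_BAD_VER needs the explicit equality test. Separately, the Subject line says DTLS_BAD_VER while the code uses DTLS1_BAD_VER, which makes the patch harder to find by searching for the constant.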
Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series 2013-03-18 19:29:46 UTC (rev 596)
+++ openssl/trunk/debian/patches/series 2013-03-18 19:30:23 UTC (rev 597)
@@ -34,3 +34,4 @@
ssltest_no_sslv2.patch
cpuid.patch
aesni-mac.patch
+dtls_version.patch