[Pkg-erlang-commits] r1703 - in erlang/trunk: . debian debian/patches debian/patterns
sgolovan at alioth.debian.org
sgolovan at alioth.debian.org
Wed May 27 05:19:19 UTC 2015
Author: sgolovan
Date: 2015-05-27 05:19:18 +0000 (Wed, 27 May 2015)
New Revision: 1703
Removed:
erlang/trunk/debian/patches/rpath.patch
erlang/trunk/debian/patches/ssl.patch
erlang/trunk/debian/patches/ssltlspoodle.patch
Modified:
erlang/trunk/
erlang/trunk/debian/changelog
erlang/trunk/debian/control
erlang/trunk/debian/patches/emacs.patch
erlang/trunk/debian/patches/gnu.patch
erlang/trunk/debian/patches/hppa.patch
erlang/trunk/debian/patches/java.patch
erlang/trunk/debian/patches/man.patch
erlang/trunk/debian/patches/series
erlang/trunk/debian/patches/sslv3disable.patch
erlang/trunk/debian/patterns/erlang-dev.patterns
erlang/trunk/debian/rules
Log:
[erlang]
* Upload into unstable.
* Removed the patch which fixes TLS POODLE vulnerability in the Erlang
SSL application (CVE-2015-2774) because it has been applied upstream.
Property changes on: erlang/trunk
___________________________________________________________________
Modified: svn:mergeinfo
- /erlang/branches/experimental:1283-1305,1468-1497,1591-1615
/erlang/trunk:1274-1282
+ /erlang/branches/experimental:1283-1305,1468-1497,1591-1615,1693-1702
/erlang/trunk:1274-1282
Modified: erlang/trunk/debian/changelog
===================================================================
--- erlang/trunk/debian/changelog 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/changelog 2015-05-27 05:19:18 UTC (rev 1703)
@@ -1,9 +1,30 @@
-erlang (1:17.3-dfsg-5) UNRELEASED; urgency=medium
+erlang (1:17.5-dfsg-2) unstable; urgency=medium
- * NOT RELEASED YET
+ * Upload into unstable.
+ * Removed the patch which fixes TLS POODLE vulnerability in the Erlang
+ SSL application (CVE-2015-2774) because it has been applied upstream.
- -- Sergei Golovan <sgolovan at debian.org> Mon, 06 Apr 2015 10:36:39 +0300
+ -- Sergei Golovan <sgolovan at debian.org> Wed, 27 May 2015 08:18:40 +0300
+erlang (1:17.5-dfsg-1) experimental; urgency=medium
+
+ * New upstream release.
+ * Put erl_interface.app and erl_interface.appup into the erlang-dev package.
+
+ -- Sergei Golovan <sgolovan at debian.org> Wed, 01 Apr 2015 12:04:55 +0300
+
+erlang (1:17.4-dfsg-1) experimental; urgency=medium
+
+ * New upstream release.
+ * Removed a patch which fixed empty SNI extension processing in the
+ ssl application because it has been applied upstream.
+ * Removed a patch which removes rpath from the crypto application binary
+ and use the new --with-ssl-rpath=no configure option instead.
+ * Search for an Erlang module manual page in section 3erl only in
+ Emacs Erlang mode (closes: #772876).
+
+ -- Sergei Golovan <sgolovan at debian.org> Sun, 14 Dec 2014 09:07:42 +0300
+
erlang (1:17.3-dfsg-4) unstable; urgency=medium
* Added a patch from upstream which fixes TLS POODLE vulnerability in
Modified: erlang/trunk/debian/control
===================================================================
--- erlang/trunk/debian/control 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/control 2015-05-27 05:19:18 UTC (rev 1703)
@@ -200,7 +200,7 @@
Replaces: erlang (<< ${source:Version}), erlang-base (<< ${binary:Version}), erlang-base-hipe (<< ${binary:Version}), erlang-nox (<< ${source:Version}), erlang-x11 (<< ${binary:Version}), erlang-src (<< ${source:Version}), erlang-dev (<< ${binary:Version}), erlang-examples (<< ${source:Version}), erlang-mode (<< 1:12.b.1-dfsg-2), erlang-doc (<< ${source:Upstream-Version}), erlang-doc (>> ${source:Upstream-Version}-999), erlang-manpages (<= 1:11.b.1-2)
Description: Erlang/OTP documentation stylesheets
The erl_docgen package includes XSLT stylesheets and document type
- definitions used for Erlang/OTP documentation. They allow to
+ definitions used for Erlang/OTP documentation. They allow one to
transform documentation to manpage, HTML, and PDF formats.
Modified: erlang/trunk/debian/patches/emacs.patch
===================================================================
--- erlang/trunk/debian/patches/emacs.patch 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/emacs.patch 2015-05-27 05:19:18 UTC (rev 1703)
@@ -67,7 +67,7 @@
(error "No Erlang module name given"))
(let ((dir-list erlang-man-dirs)
- (pat (concat "/" (regexp-quote module) "\\.\\([124-9]\\|3\\(erl\\)?\\)\\(\\.gz\\)?$"))
-+ (pat (concat "/" (regexp-quote module) "\\.\\([124-9]\\|3\\(erl\\)\\)\\(\\.gz\\)?$"))
++ (pat (concat "/" (regexp-quote module) "\\.\\(3\\(erl\\)\\)\\(\\.gz\\)?$"))
(file nil)
file-list)
(while (and dir-list (null file))
Modified: erlang/trunk/debian/patches/gnu.patch
===================================================================
--- erlang/trunk/debian/patches/gnu.patch 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/gnu.patch 2015-05-27 05:19:18 UTC (rev 1703)
@@ -61,7 +61,7 @@
--- a/erts/etc/common/erlexec.c
+++ b/erts/etc/common/erlexec.c
-@@ -1561,7 +1561,7 @@
+@@ -1562,7 +1562,7 @@
if (!bindir) {
/* Determine bindir from absolute path to executable */
char *p;
@@ -70,7 +70,7 @@
strncpy(buffer, argv[0], sizeof(buffer));
buffer[sizeof(buffer)-1] = '\0';
-@@ -1575,7 +1575,7 @@
+@@ -1576,7 +1576,7 @@
if (!rootdir) {
/* Determine rootdir from absolute path to bindir */
char *p;
Modified: erlang/trunk/debian/patches/hppa.patch
===================================================================
--- erlang/trunk/debian/patches/hppa.patch 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/hppa.patch 2015-05-27 05:19:18 UTC (rev 1703)
@@ -8,7 +8,7 @@
--- a/erts/configure.in
+++ b/erts/configure.in
-@@ -2160,6 +2160,14 @@
+@@ -2174,6 +2174,14 @@
AC_CHECK_DECLS([posix2time, time2posix],,,[#include <time.h>])
disable_vfork=false
Modified: erlang/trunk/debian/patches/java.patch
===================================================================
--- erlang/trunk/debian/patches/java.patch 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/java.patch 2015-05-27 05:19:18 UTC (rev 1703)
@@ -8,7 +8,7 @@
--- a/erts/configure.in
+++ b/erts/configure.in
-@@ -4682,7 +4682,8 @@
+@@ -4746,7 +4746,8 @@
dnl Make sure it's at least JDK 1.5
AC_CACHE_CHECK(for JDK version 1.5,
ac_cv_prog_javac_ver_1_5,
@@ -20,7 +20,7 @@
unset -v JAVAC
--- a/lib/test_server/src/configure.in
+++ b/lib/test_server/src/configure.in
-@@ -468,7 +468,8 @@
+@@ -484,7 +484,8 @@
dnl Make sure it's at least JDK 1.5
AC_CACHE_CHECK(for JDK version 1.5,
ac_cv_prog_javac_ver_1_5,
Modified: erlang/trunk/debian/patches/man.patch
===================================================================
--- erlang/trunk/debian/patches/man.patch 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/man.patch 2015-05-27 05:19:18 UTC (rev 1703)
@@ -6,7 +6,7 @@
--- a/erts/etc/common/erlexec.c
+++ b/erts/etc/common/erlexec.c
-@@ -722,8 +722,10 @@
+@@ -723,8 +723,10 @@
error("-man not supported on Windows");
#else
argv[i] = "man";
Deleted: erlang/trunk/debian/patches/rpath.patch
===================================================================
--- erlang/trunk/debian/patches/rpath.patch 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/rpath.patch 2015-05-27 05:19:18 UTC (rev 1703)
@@ -1,21 +0,0 @@
-Author: Sergei Golovan <sgolovan at debian.org>
-Description: A quick hack which removes rpath from crypto and ssl applications binaries to
- satisfy Debian policy.
-Forwarded: no
-Last-modified:Sat, 27 Feb 2010 09:34:43 +0300
-
---- a/erts/configure.in
-+++ b/erts/configure.in
-@@ -4540,9 +4540,9 @@
- SSL_CC_RUNTIME_LIBRARY_PATH=
- SSL_LD_RUNTIME_LIBRARY_PATH=
- SSL_DED_LD_RUNTIME_LIBRARY_PATH=
--cc_rflg="$CFLAG_RUNTIME_LIBRARY_PATH"
--ld_rflg="$LDFLAG_RUNTIME_LIBRARY_PATH"
--ded_ld_rflg="$DED_LD_FLAG_RUNTIME_LIBRARY_PATH"
-+cc_rflg=
-+ld_rflg=
-+ded_ld_rflg=
-
- if test "$SSL_APP" != "" && test "$SSL_DYNAMIC_ONLY" = "yes" && \
- { test "$cc_rflg" != "" || test "$ld_rflg" != "" || test "$ded_ld_rflg" != ""; } ; then
Modified: erlang/trunk/debian/patches/series
===================================================================
--- erlang/trunk/debian/patches/series 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/series 2015-05-27 05:19:18 UTC (rev 1703)
@@ -1,5 +1,4 @@
clean.patch
-rpath.patch
gnu.patch
sparc.patch
man.patch
@@ -8,8 +7,6 @@
java.patch
hppa.patch
javascript.patch
-ssl.patch
wx3.0-constants.patch
sslv3disable.patch
-ssltlspoodle.patch
beamload.patch
Deleted: erlang/trunk/debian/patches/ssl.patch
===================================================================
--- erlang/trunk/debian/patches/ssl.patch 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/ssl.patch 2015-05-27 05:19:18 UTC (rev 1703)
@@ -1,13 +0,0 @@
---- a/lib/ssl/src/ssl_handshake.erl
-+++ b/lib/ssl/src/ssl_handshake.erl
-@@ -1732,6 +1732,10 @@
- #ec_point_formats{ec_point_format_list =
- ECPointFormats}});
-
-+dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len), Rest/binary>>, Acc) when Len == 0 ->
-+ dec_hello_extensions(Rest, Acc#hello_extensions{sni = ""}); %% Server may send an empy SNI
-+
-+
- dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len),
- ExtData:Len/binary, Rest/binary>>, Acc) ->
- <<?UINT16(_), NameList/binary>> = ExtData,
Deleted: erlang/trunk/debian/patches/ssltlspoodle.patch
===================================================================
--- erlang/trunk/debian/patches/ssltlspoodle.patch 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/ssltlspoodle.patch 2015-05-27 05:19:18 UTC (rev 1703)
@@ -1,571 +0,0 @@
-Author: Ingela Anderton Andin <ingela at erlang.org>
-Description: [PATCH] ssl: Reenable padding check for TLS-1.0 and provide
- backwards compatible disable option
-Last-Modified: Tue, 13 Jan 2015 15:16:20 +0100
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781839
-
---- a/lib/ssl/doc/src/ssl.xml
-+++ b/lib/ssl/doc/src/ssl.xml
-@@ -4,7 +4,7 @@
- <erlref>
- <header>
- <copyright>
-- <year>1999</year><year>2014</year>
-+ <year>1999</year><year>2015</year>
- <holder>Ericsson AB. All Rights Reserved.</holder>
- </copyright>
- <legalnotice>
-@@ -348,11 +348,23 @@ fun(srp, Username :: string(), UserState :: term()) ->
- </p>
- </item>
-
-+ <tag>{padding_check, boolean()}</tag>
-+ <item>
-+ <p> This option only affects TLS-1.0 connections.
-+ If set to false it disables the block cipher padding check
-+ to be able to interoperate with legacy software.
-+ </p>
-+
-+ <warning><p> Using this option makes TLS vulnerable to
-+ the Poodle attack</p></warning>
-+
-+ </item>
-+
- </taglist>
--
-+
- </section>
--
-- <section>
-+
-+ <section>
- <title>SSL OPTION DESCRIPTIONS - CLIENT SIDE</title>
-
- <p>Options described here are client specific or has a slightly different
---- a/lib/ssl/src/dtls_record.erl
-+++ b/lib/ssl/src/dtls_record.erl
-@@ -1,7 +1,7 @@
- %%
- %% %CopyrightBegin%
- %%
--%% Copyright Ericsson AB 2013-2014. All Rights Reserved.
-+%% Copyright Ericsson AB 2013-2015. All Rights Reserved.
- %%
- %% The contents of this file are subject to the Erlang Public License,
- %% Version 1.1, (the "License"); you may not use this file except in
-@@ -146,7 +146,7 @@ decode_cipher_text(#ssl_tls{type = Type, version = Version,
- = ConnnectionStates0) ->
- CompressAlg = SecParams#security_parameters.compression_algorithm,
- {PlainFragment, Mac, ReadState1} = ssl_record:decipher(dtls_v1:corresponding_tls_version(Version),
-- CipherFragment, ReadState0),
-+ CipherFragment, ReadState0, true),
- MacHash = calc_mac_hash(ReadState1, Type, Version, Epoch, Seq, PlainFragment),
- case ssl_record:is_correct_mac(Mac, MacHash) of
- true ->
---- a/lib/ssl/src/ssl.erl
-+++ b/lib/ssl/src/ssl.erl
-@@ -1,7 +1,7 @@
- %%
- %% %CopyrightBegin%
- %%
--%% Copyright Ericsson AB 1999-2014. All Rights Reserved.
-+%% Copyright Ericsson AB 1999-2015. All Rights Reserved.
- %%
- %% The contents of this file are subject to the Erlang Public License,
- %% Version 1.1, (the "License"); you may not use this file except in
-@@ -656,7 +656,8 @@ handle_options(Opts0) ->
- log_alert = handle_option(log_alert, Opts, true),
- server_name_indication = handle_option(server_name_indication, Opts, undefined),
- honor_cipher_order = handle_option(honor_cipher_order, Opts, false),
-- protocol = proplists:get_value(protocol, Opts, tls)
-+ protocol = proplists:get_value(protocol, Opts, tls),
-+ padding_check = proplists:get_value(padding_check, Opts, true)
- },
-
- CbInfo = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed, tcp_error}),
-@@ -669,7 +670,7 @@ handle_options(Opts0) ->
- cb_info, renegotiate_at, secure_renegotiate, hibernate_after,
- erl_dist, next_protocols_advertised,
- client_preferred_next_protocols, log_alert,
-- server_name_indication, honor_cipher_order],
-+ server_name_indication, honor_cipher_order, padding_check],
-
- SockOpts = lists:foldl(fun(Key, PropList) ->
- proplists:delete(Key, PropList)
-@@ -847,6 +848,8 @@ validate_option(server_name_indication, undefined) ->
- undefined;
- validate_option(honor_cipher_order, Value) when is_boolean(Value) ->
- Value;
-+validate_option(padding_check, Value) when is_boolean(Value) ->
-+ Value;
- validate_option(Opt, Value) ->
- throw({error, {options, {Opt, Value}}}).
-
---- a/lib/ssl/src/ssl_cipher.erl
-+++ b/lib/ssl/src/ssl_cipher.erl
-@@ -1,7 +1,7 @@
- %%
- %% %CopyrightBegin%
- %%
--%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
-+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
- %%
- %% The contents of this file are subject to the Erlang Public License,
- %% Version 1.1, (the "License"); you may not use this file except in
-@@ -33,8 +33,7 @@
- -include_lib("public_key/include/public_key.hrl").
-
- -export([security_parameters/2, security_parameters/3, suite_definition/1,
-- decipher/5, cipher/5,
-- suite/1, suites/1, all_suites/1,
-+ decipher/6, cipher/5, suite/1, suites/1, all_suites/1,
- ec_keyed_suites/0, anonymous_suites/0, psk_suites/1, srp_suites/0,
- openssl_suite/1, openssl_suite_name/1, filter/2, filter_suites/1,
- hash_algorithm/1, sign_algorithm/1, is_acceptable_hash/2]).
-@@ -143,17 +142,18 @@ block_cipher(Fun, BlockSz, #cipher_state{key=Key, iv=IV} = CS0,
- {T, CS0#cipher_state{iv=NextIV}}.
-
- %%--------------------------------------------------------------------
---spec decipher(cipher_enum(), integer(), #cipher_state{}, binary(), ssl_record:ssl_version()) ->
-+-spec decipher(cipher_enum(), integer(), #cipher_state{}, binary(),
-+ ssl_record:ssl_version(), boolean()) ->
- {binary(), binary(), #cipher_state{}} | #alert{}.
- %%
- %% Description: Decrypts the data and the MAC using cipher described
- %% by cipher_enum() and updating the cipher state.
- %%-------------------------------------------------------------------
--decipher(?NULL, _HashSz, CipherState, Fragment, _) ->
-+decipher(?NULL, _HashSz, CipherState, Fragment, _, _) ->
- {Fragment, <<>>, CipherState};
--decipher(?RC4, HashSz, CipherState, Fragment, _) ->
-+decipher(?RC4, HashSz, CipherState, Fragment, _, _) ->
- State0 = case CipherState#cipher_state.state of
-- undefined -> crypto:stream_init(rc4, CipherState#cipher_state.key);
-+ undefined -> crypto:stream_init(rc4, CipherState#cipher_state.key);
- S -> S
- end,
- try crypto:stream_decrypt(State0, Fragment) of
-@@ -171,23 +171,23 @@ decipher(?RC4, HashSz, CipherState, Fragment, _) ->
- ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
- end;
-
--decipher(?DES, HashSz, CipherState, Fragment, Version) ->
-+decipher(?DES, HashSz, CipherState, Fragment, Version, PaddingCheck) ->
- block_decipher(fun(Key, IV, T) ->
- crypto:block_decrypt(des_cbc, Key, IV, T)
-- end, CipherState, HashSz, Fragment, Version);
--decipher(?'3DES', HashSz, CipherState, Fragment, Version) ->
-+ end, CipherState, HashSz, Fragment, Version, PaddingCheck);
-+decipher(?'3DES', HashSz, CipherState, Fragment, Version, PaddingCheck) ->
- block_decipher(fun(<<K1:8/binary, K2:8/binary, K3:8/binary>>, IV, T) ->
- crypto:block_decrypt(des3_cbc, [K1, K2, K3], IV, T)
-- end, CipherState, HashSz, Fragment, Version);
--decipher(?AES, HashSz, CipherState, Fragment, Version) ->
-+ end, CipherState, HashSz, Fragment, Version, PaddingCheck);
-+decipher(?AES, HashSz, CipherState, Fragment, Version, PaddingCheck) ->
- block_decipher(fun(Key, IV, T) when byte_size(Key) =:= 16 ->
- crypto:block_decrypt(aes_cbc128, Key, IV, T);
- (Key, IV, T) when byte_size(Key) =:= 32 ->
- crypto:block_decrypt(aes_cbc256, Key, IV, T)
-- end, CipherState, HashSz, Fragment, Version).
-+ end, CipherState, HashSz, Fragment, Version, PaddingCheck).
-
- block_decipher(Fun, #cipher_state{key=Key, iv=IV} = CipherState0,
-- HashSz, Fragment, Version) ->
-+ HashSz, Fragment, Version, PaddingCheck) ->
- try
- Text = Fun(Key, IV, Fragment),
- NextIV = next_iv(Fragment, IV),
-@@ -195,7 +195,7 @@ block_decipher(Fun, #cipher_state{key=Key, iv=IV} = CipherState0,
- Content = GBC#generic_block_cipher.content,
- Mac = GBC#generic_block_cipher.mac,
- CipherState1 = CipherState0#cipher_state{iv=GBC#generic_block_cipher.next_iv},
-- case is_correct_padding(GBC, Version) of
-+ case is_correct_padding(GBC, Version, PaddingCheck) of
- true ->
- {Content, Mac, CipherState1};
- false ->
-@@ -1288,16 +1288,18 @@ generic_stream_cipher_from_bin(T, HashSz) ->
- #generic_stream_cipher{content=Content,
- mac=Mac}.
-
--%% For interoperability reasons we do not check the padding content in
--%% SSL 3.0 and TLS 1.0 as it is not strictly required and breaks
--%% interopability with for instance Google.
- is_correct_padding(#generic_block_cipher{padding_length = Len,
-- padding = Padding}, {3, N})
-- when N == 0; N == 1 ->
-- Len == byte_size(Padding);
--%% Padding must be check in TLS 1.1 and after
-+ padding = Padding}, {3, 0}, _) ->
-+ Len == byte_size(Padding); %% Only length check is done in SSL 3.0 spec
-+%% For interoperability reasons it is possible to disable
-+%% the padding check when using TLS 1.0, as it is not strictly required
-+%% in the spec (only recommended), howerver this makes TLS 1.0 vunrable to the Poodle attack
-+%% so by default this clause will not match
-+is_correct_padding(GenBlockCipher, {3, 1}, false) ->
-+ is_correct_padding(GenBlockCipher, {3, 0}, false);
-+%% Padding must be checked in TLS 1.1 and after
- is_correct_padding(#generic_block_cipher{padding_length = Len,
-- padding = Padding}, _) ->
-+ padding = Padding}, _, _) ->
- Len == byte_size(Padding) andalso
- list_to_binary(lists:duplicate(Len, Len)) == Padding.
-
---- a/lib/ssl/src/ssl_internal.hrl
-+++ b/lib/ssl/src/ssl_internal.hrl
-@@ -1,7 +1,7 @@
- %%
- %% %CopyrightBegin%
- %%
--%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
-+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
- %%
- %% The contents of this file are subject to the Erlang Public License,
- %% Version 1.1, (the "License"); you may not use this file except in
-@@ -117,7 +117,8 @@
- server_name_indication = undefined,
- %% Should the server prefer its own cipher order over the one provided by
- %% the client?
-- honor_cipher_order = false
-+ honor_cipher_order = false,
-+ padding_check = true
- }).
-
- -record(socket_options,
---- a/lib/ssl/src/ssl_record.erl
-+++ b/lib/ssl/src/ssl_record.erl
-@@ -1,7 +1,7 @@
- %%
- %% %CopyrightBegin%
- %%
--%% Copyright Ericsson AB 2013-2014. All Rights Reserved.
-+%% Copyright Ericsson AB 2013-2015. All Rights Reserved.
- %%
- %% The contents of this file are subject to the Erlang Public License,
- %% Version 1.1, (the "License"); you may not use this file except in
-@@ -48,7 +48,7 @@
- -export([compress/3, uncompress/3, compressions/0]).
-
- %% Payload encryption/decryption
---export([cipher/4, decipher/3, is_correct_mac/2]).
-+-export([cipher/4, decipher/4, is_correct_mac/2]).
-
- -export_type([ssl_version/0, ssl_atom_version/0]).
-
-@@ -376,8 +376,9 @@ cipher(Version, Fragment,
- {CipherFragment, CipherS1} =
- ssl_cipher:cipher(BulkCipherAlgo, CipherS0, MacHash, Fragment, Version),
- {CipherFragment, WriteState0#connection_state{cipher_state = CipherS1}}.
-+
- %%--------------------------------------------------------------------
---spec decipher(ssl_version(), binary(), #connection_state{}) -> {binary(), binary(), #connection_state{}} | #alert{}.
-+-spec decipher(ssl_version(), binary(), #connection_state{}, boolean()) -> {binary(), binary(), #connection_state{}} | #alert{}.
- %%
- %% Description: Payload decryption
- %%--------------------------------------------------------------------
-@@ -387,8 +388,8 @@ decipher(Version, CipherFragment,
- BulkCipherAlgo,
- hash_size = HashSz},
- cipher_state = CipherS0
-- } = ReadState) ->
-- case ssl_cipher:decipher(BulkCipherAlgo, HashSz, CipherS0, CipherFragment, Version) of
-+ } = ReadState, PaddingCheck) ->
-+ case ssl_cipher:decipher(BulkCipherAlgo, HashSz, CipherS0, CipherFragment, Version, PaddingCheck) of
- {PlainFragment, Mac, CipherS1} ->
- CS1 = ReadState#connection_state{cipher_state = CipherS1},
- {PlainFragment, Mac, CS1};
---- a/lib/ssl/src/tls_connection.erl
-+++ b/lib/ssl/src/tls_connection.erl
-@@ -1,7 +1,7 @@
- %%
- %% %CopyrightBegin%
- %%
--%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
-+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
- %%
- %% The contents of this file are subject to the Erlang Public License,
- %% Version 1.1, (the "License"); you may not use this file except in
-@@ -482,8 +482,9 @@ next_record(#state{protocol_buffers = #protocol_buffers{tls_packets = [], tls_ci
- next_record(#state{protocol_buffers =
- #protocol_buffers{tls_packets = [], tls_cipher_texts = [CT | Rest]}
- = Buffers,
-- connection_states = ConnStates0} = State) ->
-- case tls_record:decode_cipher_text(CT, ConnStates0) of
-+ connection_states = ConnStates0,
-+ ssl_options = #ssl_options{padding_check = Check}} = State) ->
-+ case tls_record:decode_cipher_text(CT, ConnStates0, Check) of
- {Plain, ConnStates} ->
- {Plain, State#state{protocol_buffers =
- Buffers#protocol_buffers{tls_cipher_texts = Rest},
---- a/lib/ssl/src/tls_record.erl
-+++ b/lib/ssl/src/tls_record.erl
-@@ -1,7 +1,7 @@
- %%
- %% %CopyrightBegin%
- %%
--%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
-+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
- %%
- %% The contents of this file are subject to the Erlang Public License,
- %% Version 1.1, (the "License"); you may not use this file except in
-@@ -34,7 +34,7 @@
- -export([get_tls_records/2]).
-
- %% Decoding
---export([decode_cipher_text/2]).
-+-export([decode_cipher_text/3]).
-
- %% Encoding
- -export([encode_plain_text/4]).
-@@ -142,19 +142,21 @@ encode_plain_text(Type, Version, Data,
- {CipherText, ConnectionStates#connection_states{current_write = WriteState#connection_state{sequence_number = Seq +1}}}.
-
- %%--------------------------------------------------------------------
---spec decode_cipher_text(#ssl_tls{}, #connection_states{}) ->
-+-spec decode_cipher_text(#ssl_tls{}, #connection_states{}, boolean()) ->
- {#ssl_tls{}, #connection_states{}}| #alert{}.
- %%
- %% Description: Decode cipher text
- %%--------------------------------------------------------------------
- decode_cipher_text(#ssl_tls{type = Type, version = Version,
-- fragment = CipherFragment} = CipherText, ConnnectionStates0) ->
-- ReadState0 = ConnnectionStates0#connection_states.current_read,
-- #connection_state{compression_state = CompressionS0,
-- sequence_number = Seq,
-- security_parameters = SecParams} = ReadState0,
-- CompressAlg = SecParams#security_parameters.compression_algorithm,
-- case ssl_record:decipher(Version, CipherFragment, ReadState0) of
-+ fragment = CipherFragment} = CipherText,
-+ #connection_states{current_read =
-+ #connection_state{
-+ compression_state = CompressionS0,
-+ sequence_number = Seq,
-+ security_parameters=
-+ #security_parameters{compression_algorithm = CompressAlg}
-+ } = ReadState0} = ConnnectionStates0, PaddingCheck) ->
-+ case ssl_record:decipher(Version, CipherFragment, ReadState0, PaddingCheck) of
- {PlainFragment, Mac, ReadState1} ->
- MacHash = calc_mac_hash(Type, Version, PlainFragment, ReadState1),
- case ssl_record:is_correct_mac(Mac, MacHash) of
---- a/lib/ssl/test/ssl_cipher_SUITE.erl
-+++ b/lib/ssl/test/ssl_cipher_SUITE.erl
-@@ -1,7 +1,7 @@
- %%
- %% %CopyrightBegin%
- %%
--%% Copyright Ericsson AB 2008-2013. All Rights Reserved.
-+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
- %%
- %% The contents of this file are subject to the Erlang Public License,
- %% Version 1.1, (the "License"); you may not use this file except in
-@@ -38,7 +38,7 @@
- suite() -> [{ct_hooks,[ts_install_cth]}].
-
- all() ->
-- [aes_decipher_good, aes_decipher_good_tls11, aes_decipher_fail, aes_decipher_fail_tls11].
-+ [aes_decipher_good, aes_decipher_fail, padding_test].
-
- groups() ->
- [].
-@@ -73,93 +73,123 @@ end_per_testcase(_TestCase, Config) ->
- %% Test Cases --------------------------------------------------------
- %%--------------------------------------------------------------------
- aes_decipher_good() ->
-- [{doc,"Decipher a known cryptotext."}].
-+ [{doc,"Decipher a known cryptotext using a correct key"}].
-
- aes_decipher_good(Config) when is_list(Config) ->
- HashSz = 32,
-- CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-- key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>},
-- Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-- 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-- 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-- 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-- Content = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56, "HELLO\n">>,
-- Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>,
-- Version = {3,0},
-- {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
-- Version1 = {3,1},
-- {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
-- ok.
--
--%%--------------------------------------------------------------------
--
--aes_decipher_good_tls11() ->
-- [{doc,"Decipher a known TLS 1.1 cryptotext."}].
--
--%% the fragment is actuall a TLS 1.1 record, with
--%% Version = TLS 1.1, we get the correct NextIV in #cipher_state
--aes_decipher_good_tls11(Config) when is_list(Config) ->
-- HashSz = 32,
-- CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-- key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>},
-- Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-- 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-- 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-- 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-- Content = <<"HELLO\n">>,
-- NextIV = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>,
-- Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>,
-- Version = {3,2},
-- {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
-- Version1 = {3,2},
-- {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
-- ok.
-+ CipherState = correct_cipher_state(),
-+ decipher_check_good(HashSz, CipherState, {3,0}),
-+ decipher_check_good(HashSz, CipherState, {3,1}),
-+ decipher_check_good(HashSz, CipherState, {3,2}),
-+ decipher_check_good(HashSz, CipherState, {3,3}).
-
- %%--------------------------------------------------------------------
-
- aes_decipher_fail() ->
-- [{doc,"Decipher a known cryptotext."}].
-+ [{doc,"Decipher a known cryptotext using a incorrect key"}].
-
--%% same as above, last byte of key replaced
- aes_decipher_fail(Config) when is_list(Config) ->
- HashSz = 32,
-- CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-- key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>},
-- Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-- 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-- 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-- 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-- Version = {3,0},
-- {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
-- 32 = byte_size(Content),
-- 32 = byte_size(Mac),
-- Version1 = {3,1},
-- {Content1, Mac1, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
-- 32 = byte_size(Content1),
-- 32 = byte_size(Mac1),
-- ok.
-
--%%--------------------------------------------------------------------
--
--aes_decipher_fail_tls11() ->
-- [{doc,"Decipher a known TLS 1.1 cryptotext."}].
--
--%% same as above, last byte of key replaced
--%% stricter padding checks in TLS 1.1 mean we get an alert instead
--aes_decipher_fail_tls11(Config) when is_list(Config) ->
-- HashSz = 32,
-- CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-- key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>},
-- Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-- 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-- 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-- 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-- Version = {3,2},
-- #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} =
-- ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
-- Version1 = {3,3},
-- #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} =
-- ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
-- ok.
-+ CipherState = incorrect_cipher_state(),
-+ decipher_check_fail(HashSz, CipherState, {3,0}),
-+ decipher_check_fail(HashSz, CipherState, {3,1}),
-+ decipher_check_fail(HashSz, CipherState, {3,2}),
-+ decipher_check_fail(HashSz, CipherState, {3,3}).
-
- %%--------------------------------------------------------------------
-+padding_test(Config) when is_list(Config) ->
-+ HashSz = 16,
-+ CipherState = correct_cipher_state(),
-+ pad_test(HashSz, CipherState, {3,0}),
-+ pad_test(HashSz, CipherState, {3,1}),
-+ pad_test(HashSz, CipherState, {3,2}),
-+ pad_test(HashSz, CipherState, {3,3}).
-+
-+%%--------------------------------------------------------------------
-+% Internal functions --------------------------------------------------------
-+%%--------------------------------------------------------------------
-+decipher_check_good(HashSz, CipherState, Version) ->
-+ {Content, NextIV, Mac} = content_nextiv_mac(Version),
-+ {Content, Mac, #cipher_state{iv = NextIV}} =
-+ ssl_cipher:decipher(?AES, HashSz, CipherState, aes_fragment(Version), Version, true).
-+
-+decipher_check_fail(HashSz, CipherState, Version) ->
-+ {Content, NextIV, Mac} = content_nextiv_mac(Version),
-+ true = {Content, Mac, #cipher_state{iv = NextIV}} =/=
-+ ssl_cipher:decipher(?AES, HashSz, CipherState, aes_fragment(Version), Version, true).
-+
-+pad_test(HashSz, CipherState, {3,0} = Version) ->
-+ %% 3.0 does not have padding test
-+ {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
-+ {Content, Mac, #cipher_state{iv = NextIV}} =
-+ ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, true),
-+ {Content, Mac, #cipher_state{iv = NextIV}} =
-+ ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, false);
-+pad_test(HashSz, CipherState, {3,1} = Version) ->
-+ %% 3.1 should have padding test, but may be disabled
-+ {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
-+ BadCont = badpad_content(Content),
-+ {Content, Mac, #cipher_state{iv = NextIV}} =
-+ ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,1}) , {3,1}, false),
-+ {BadCont, Mac, #cipher_state{iv = NextIV}} =
-+ ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,1}), {3,1}, true);
-+pad_test(HashSz, CipherState, Version) ->
-+ %% 3.2 and 3.3 must have padding test
-+ {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
-+ BadCont = badpad_content(Content),
-+ {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState,
-+ badpad_aes_fragment(Version), Version, false),
-+ {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState,
-+ badpad_aes_fragment(Version), Version, true).
-+
-+aes_fragment({3,N}) when N == 0; N == 1->
-+ <<197,9,6,109,242,87,80,154,85,250,110,81,119,95,65,185,53,206,216,153,246,169,
-+ 119,177,178,238,248,174,253,220,242,81,33,0,177,251,91,44,247,53,183,198,165,
-+ 63,20,194,159,107>>;
-+
-+aes_fragment(_) ->
-+ <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-+ 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-+ 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-+ 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>.
-+
-+badpad_aes_fragment({3,N}) when N == 0; N == 1 ->
-+ <<186,139,125,10,118,21,26,248,120,108,193,104,87,118,145,79,225,55,228,10,105,
-+ 30,190,37,1,88,139,243,210,99,65,41>>;
-+badpad_aes_fragment(_) ->
-+ <<137,31,14,77,228,80,76,103,183,125,55,250,68,190,123,131,117,23,229,180,207,
-+ 94,121,137,117,157,109,99,113,61,190,138,131,229,201,120,142,179,172,48,77,
-+ 234,19,240,33,38,91,93>>.
-+
-+content_nextiv_mac({3,N}) when N == 0; N == 1 ->
-+ {<<"HELLO\n">>,
-+ <<33,0, 177,251, 91,44, 247,53, 183,198, 165,63, 20,194, 159,107>>,
-+ <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>};
-+content_nextiv_mac(_) ->
-+ {<<"HELLO\n">>,
-+ <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>,
-+ <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>}.
-+
-+badpad_content_nextiv_mac({3,N}) when N == 0; N == 1 ->
-+ {<<"HELLO\n">>,
-+ <<225,55,228,10,105,30,190,37,1,88,139,243,210,99,65,41>>,
-+ <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>
-+ };
-+badpad_content_nextiv_mac(_) ->
-+ {<<"HELLO\n">>,
-+ <<133,211,45,189,179,229,56,86,11,178,239,159,14,160,253,140>>,
-+ <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>
-+ }.
-+
-+badpad_content(Content) ->
-+ %% BadContent will fail mac test
-+ <<16#F0, Content/binary>>.
-+
-+correct_cipher_state() ->
-+ #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-+ key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>}.
-+
-+incorrect_cipher_state() ->
-+ #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-+ key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>}.
Modified: erlang/trunk/debian/patches/sslv3disable.patch
===================================================================
--- erlang/trunk/debian/patches/sslv3disable.patch 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patches/sslv3disable.patch 2015-05-27 05:19:18 UTC (rev 1703)
@@ -42,7 +42,7 @@
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
-@@ -64,8 +64,8 @@
+@@ -67,8 +67,8 @@
-define(TRUE, 0).
-define(FALSE, 1).
Modified: erlang/trunk/debian/patterns/erlang-dev.patterns
===================================================================
--- erlang/trunk/debian/patterns/erlang-dev.patterns 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/patterns/erlang-dev.patterns 2015-05-27 05:19:18 UTC (rev 1703)
@@ -12,6 +12,7 @@
./usr/lib/erlang/lib/diameter-.*/include/
./usr/lib/erlang/lib/edoc-.*/include/
./usr/lib/erlang/lib/eldap-.*/include/
+./usr/lib/erlang/lib/erl_interface-.*/ebin/
./usr/lib/erlang/lib/erl_interface-.*/include/
./usr/lib/erlang/lib/erl_interface-.*/lib/
./usr/lib/erlang/lib/et-.*/include/
Modified: erlang/trunk/debian/rules
===================================================================
--- erlang/trunk/debian/rules 2015-04-06 07:36:42 UTC (rev 1702)
+++ erlang/trunk/debian/rules 2015-05-27 05:19:18 UTC (rev 1703)
@@ -194,6 +194,7 @@
--enable-sctp \
$(CLOCK_GETTIME_OPT) \
--enable-dynamic-ssl-lib \
+ --with-ssl-rpath=no \
--enable-ethread-pre-pentium4-compatibility \
--enable-shared-zlib \
--without-ssl-zlib
@@ -224,6 +225,7 @@
--enable-sctp \
$(CLOCK_GETTIME_OPT) \
--enable-dynamic-ssl-lib \
+ --with-ssl-rpath=no \
--enable-ethread-pre-pentium4-compatibility \
--enable-shared-zlib \
--without-ssl-zlib
@@ -313,9 +315,6 @@
#
touch manpages-stamp
-# CC_R_FLAG and LD_R_FLAG are empty because Debian doesn't recommend
-# RPATH definition in binaries
-# CC_R_OPT is used in percept
build-hipe: build-hipe-stamp
build-hipe-stamp: configure-hipe-stamp
dh_testdir
@@ -504,7 +503,7 @@
binary: binary-indep binary-arch
-REL=17.3
+REL=17.5
RELDIR=$(REL)
DEB_REL=$(REL)-dfsg
More information about the Pkg-erlang-commits
mailing list