--- polarssl-0.12.1.orig/debian/compat +++ polarssl-0.12.1/debian/compat @@ -0,0 +1 @@ +7 --- polarssl-0.12.1.orig/debian/README.source +++ polarssl-0.12.1/debian/README.source @@ -0,0 +1,2 @@ +This package uses quilt. +See /usr/share/doc/quilt/README.source --- polarssl-0.12.1.orig/debian/watch +++ polarssl-0.12.1/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://polarssl.org/?page=download_overview .*polarssl-([0-9\.]*)-gpl.* --- polarssl-0.12.1.orig/debian/control +++ polarssl-0.12.1/debian/control @@ -0,0 +1,24 @@ +Source: polarssl +Section: libs +Priority: optional +Maintainer: Roland Stigge +Standards-Version: 3.8.3 +Build-Depends: debhelper (>= 7.0.50~), quilt +Homepage: http://polarssl.org + +Package: libpolarssl-dev +Architecture: any +Section: libdevel +Depends: libc6-dev, ${misc:Depends} +Description: lightweight crypto and SSL/TLS library + PolarSSL is a fork of the abandonned project XySSL. It is a lean crypto + library providing SSL and TLS support in your programs. It features: + - AES, Triple-DES, DES, ARC4, Camellia, XTEA + - MD2, MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512 + - HAVEGE random number generator + - RSA with PKCS#1 v1.5 padding + - SSLv3 and TLSv1 client support + - X.509 certificate and CRL reading + . + This package contains the static library and the header files. + --- polarssl-0.12.1.orig/debian/changelog +++ polarssl-0.12.1/debian/changelog @@ -0,0 +1,100 @@ +polarssl (0.12.1-1squeeze1build0.10.04.1) lucid-security; urgency=low + + * fake sync from Debian + + -- Jamie Strandboge Fri, 15 Feb 2013 11:38:58 -0600 + +polarssl (0.12.1-1squeeze1) stable-security; urgency=low + + * Security fix for CVE-2013-0169: Lucky 13 TLS protocol timing flaw + including CVE-2013-1621 and CVE-2013-1622, backported from upstream + diff from 1.2.4 to 1.2.5. (Closes: #699887) + + -- Roland Stigge Thu, 07 Feb 2013 22:17:00 +0100 + +polarssl (0.12.1-1) unstable; urgency=low + + * New upstream release. + * Use dh --with quilt for sexyness. + * Bump standards-version, no change needed. + * Tighten up dh build depend version. + * Add debian/README.source. + * Update watch file. + * Refresh patches. + + -- Arnaud Cornet Sat, 07 Nov 2009 22:38:20 +0000 + +polarssl (0.11.1-1) unstable; urgency=low + + * Fork xyssl package to polarssl to reflect upstream fork/takeover (Closes: + #536697). + * Refresh patches. + * Switch to DH 7. + * Bump Standards-Version, no change needed. + + -- Arnaud Cornet Thu, 16 Jul 2009 14:34:32 +0200 + +xyssl (0.9-2) unstable; urgency=low + + * Include md2 and md4 hashes algorithms (Closes: #496328). + + -- Arnaud Cornet Mon, 25 Aug 2008 18:28:22 +0200 + +xyssl (0.9-1) unstable; urgency=low + + * Add Homepage header. + * Fix watch file to match tarball name change (Closes: #453609). + * New Upstream Version + * Move libxyssl-dev to libdevel section. + * Move standards-version to 3.7.3 (no change). + * Licence change from LGPL to GPL, fix debian/copyright. + + -- Arnaud Cornet Mon, 22 Oct 2007 23:35:33 +0200 + +xyssl (0.8-1) unstable; urgency=low + + * New Upstream Version + * Drop makefile-install.patch. + * Update my mail address. + + -- Arnaud Cornet Mon, 22 Oct 2007 23:22:53 +0200 + +xyssl (0.7-1) unstable; urgency=low + + * New Upstream Version. + * Switch to quilt patch system. + * Dropped old makefile fix. Made new makefile fix in makefile-install.patch. + * Updated examples list. + + -- Arnaud Cornet Sun, 08 Jul 2007 17:59:16 +0200 + +xyssl (0.6-1) unstable; urgency=low + + * New upstream release + * Make watchfile stricter. + * makefile.patch: Fix completly wrong Makefile. + + -- Arnaud Cornet Sun, 08 Apr 2007 11:39:33 +0200 + +xyssl (0.3-1) unstable; urgency=low + + * New upstream release. + * No need for a dfsg anymore (files removed upstream). + * Now build/works on all archs (Closes:#402467). + + -- Arnaud Cornet Mon, 1 Jan 2007 15:22:48 +0100 + +xyssl (0.2.dfsg.1-1) unstable; urgency=low + + * New upstream release + * New architectures supported: arm and mips. + * Removed files that had an unclear copyright and licence from source + tarball (hence the dfsg in version). + + -- Arnaud Cornet Fri, 8 Dec 2006 00:08:22 +0100 + +xyssl (0.1-1) unstable; urgency=low + + * Initial release. (Closes:#396927) + + -- Arnaud Cornet Thu, 02 Nov 2006 19:36:08 +0100 --- polarssl-0.12.1.orig/debian/libpolarssl-dev.examples +++ polarssl-0.12.1/debian/libpolarssl-dev.examples @@ -0,0 +1,5 @@ +programs/aes +programs/hash +programs/pkey +programs/ssl +programs/test --- polarssl-0.12.1.orig/debian/rules +++ polarssl-0.12.1/debian/rules @@ -0,0 +1,18 @@ +#!/usr/bin/make -f + +%: + dh --with quilt $@ + +override_dh_auto_build: + $(MAKE) -C library + +override_dh_auto_configure: + : + +override_dh_installexamples: + dh_installexamples -XCMakeLists.txt + +override_dh_auto_clean: + dh_auto_clean + rm -f tests/data_files/mpi_write + --- polarssl-0.12.1.orig/debian/copyright +++ polarssl-0.12.1/debian/copyright @@ -0,0 +1,41 @@ +This package was debianized by Arnaud Cornet +on Thu, 02 Nov 2006 19:36:08 +0100. + +The current Debian maintainer is Arnaud Cornet . + +It was downloaded from http://xyssl.org/code/ +Upstream Author: Christophe Devine + +Copyright: 2006 Christophe Devine. + +Files library/havege.c include/xyssl/havege.h are Copright 2006 Andre Seznec, +Olivier Rochecouste. + +File library/timing.c is Copyright 2006 Christophe Devine, Brian Gladman. + +All other files in library/ and programs/ are Copyright 2003-2007 Christophe +Devine. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +On Debian GNU/Linux systems, the complete text of the GNU Lesser General +Public License can be found in `/usr/share/common-licenses/LGPL'. + +The Debian packaging is (C) 2006, Arnaud Cornet and +is licensed under the GPL. + +On Debian GNU/Linux systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL'. + --- polarssl-0.12.1.orig/debian/patches/series +++ polarssl-0.12.1/debian/patches/series @@ -0,0 +1,3 @@ +config.diff +makefile-destdir-fix.diff +CVE-2013-0169.diff --- polarssl-0.12.1.orig/debian/patches/CVE-2013-0169.diff +++ polarssl-0.12.1/debian/patches/CVE-2013-0169.diff @@ -0,0 +1,125 @@ +Description: Fix for CVE-2013-0169 + This patch fixes CVE-2013-0169: Lucky 13 TLS protocol timing flaw + This also refers to CVE-2013-1621 and CVE-2013-1622. It is a backport from + upstreams diff between versions 1.2.4 to 1.2.5, doing only minimal changes + addressing the CVE. +Author: Roland Stigge +Bug-Debian: http://bugs.debian.org/699887 + +--- polarssl-0.12.1.orig/library/ssl_tls.c ++++ polarssl-0.12.1/library/ssl_tls.c +@@ -601,7 +601,7 @@ + + static int ssl_decrypt_buf( ssl_context *ssl ) + { +- int i, padlen; ++ int i, padlen = 0, correct = 1; + unsigned char tmp[20]; + + SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); +@@ -616,7 +616,6 @@ + if( ssl->ivlen == 0 ) + { + #if defined(POLARSSL_ARC4_C) +- padlen = 0; + arc4_crypt( (arc4_context *) ssl->ctx_dec, + ssl->in_msg, ssl->in_msglen ); + #else +@@ -625,6 +624,7 @@ + } + else + { ++ size_t minlen = 0, fake_padlen; + /* + * Decrypt and check the padding + */ +@@ -635,6 +635,17 @@ + return( POLARSSL_ERR_SSL_INVALID_MAC ); + } + ++ if( ssl->minor_ver >= SSL_MINOR_VERSION_2 ) ++ minlen += ssl->ivlen; ++ ++ if( ssl->in_msglen < minlen + ssl->ivlen || ++ ssl->in_msglen < minlen + ssl->maclen + 1 ) ++ { ++ SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )", ++ ssl->in_msglen, ssl->ivlen, ssl->maclen ) ); ++ return( POLARSSL_ERR_SSL_INVALID_MAC ); ++ } ++ + switch( ssl->ivlen ) + { + #if defined(POLARSSL_DES_C) +@@ -676,13 +687,20 @@ + + padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; + ++ fake_padlen = 256 - padlen; ++ ++ if( ssl->in_msglen < ssl->maclen + padlen ) ++ { ++ padlen = 0; ++ fake_padlen = 256; ++ correct = 0; ++ } ++ + if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) + { + if( padlen > ssl->ivlen ) + { +- SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " +- "should be no more than %d", +- padlen, ssl->ivlen ) ); ++ correct = 0; + padlen = 0; + } + } +@@ -695,12 +713,18 @@ + { + if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 ) + { +- SSL_DEBUG_MSG( 1, ( "bad padding byte: should be " +- "%02x, but is %02x", padlen - 1, +- ssl->in_msg[ssl->in_msglen - i] ) ); ++ correct = 0; ++ fake_padlen = 256 - i; + padlen = 0; + } + } ++ for( i = 1; i <= fake_padlen; i++ ) ++ { ++ if( ssl->in_msg[i + 1] != fake_padlen - 1 ) ++ minlen = 0; ++ else ++ minlen = 1; ++ } + } + } + +@@ -715,7 +739,7 @@ + ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 ); + ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen ); + +- memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 ); ++ memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->maclen ); + + if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) + { +@@ -748,14 +772,14 @@ + ssl->maclen ) != 0 ) + { + SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); +- return( POLARSSL_ERR_SSL_INVALID_MAC ); ++ correct = 0; + } + + /* + * Finally check the padding length; bad padding + * will produce the same error as an invalid MAC. + */ +- if( ssl->ivlen != 0 && padlen == 0 ) ++ if( correct == 0 ) + return( POLARSSL_ERR_SSL_INVALID_MAC ); + + if( ssl->in_msglen == 0 ) --- polarssl-0.12.1.orig/debian/patches/config.diff +++ polarssl-0.12.1/debian/patches/config.diff @@ -0,0 +1,34 @@ +Index: polarssl-0.12.1/include/polarssl/config.h +=================================================================== +--- polarssl-0.12.1.orig/include/polarssl/config.h 2009-10-04 16:39:55.000000000 +0100 ++++ polarssl-0.12.1/include/polarssl/config.h 2009-11-07 22:58:13.164765209 +0000 +@@ -46,8 +46,8 @@ + /* + * Uncomment if the compiler supports long long. + * +-#define POLARSSL_HAVE_LONGLONG + */ ++#define POLARSSL_HAVE_LONGLONG + + /* + * Uncomment to enable the use of assembly code. +@@ -194,8 +194,8 @@ + * + * Uncomment to enable support for (rare) MD2-signed X.509 certs. + * +-#define POLARSSL_MD2_C + */ ++#define POLARSSL_MD2_C + + /* + * Module: library/md4.c +@@ -203,8 +203,8 @@ + * + * Uncomment to enable support for (rare) MD4-signed X.509 certs. + * +-#define POLARSSL_MD4_C + */ ++#define POLARSSL_MD4_C + + /* + * Module: library/md5.c --- polarssl-0.12.1.orig/debian/patches/makefile-destdir-fix.diff +++ polarssl-0.12.1/debian/patches/makefile-destdir-fix.diff @@ -0,0 +1,29 @@ +Index: polarssl-0.12.1/Makefile +=================================================================== +--- polarssl-0.12.1.orig/Makefile 2009-07-28 21:29:34.000000000 +0100 ++++ polarssl-0.12.1/Makefile 2009-11-07 22:58:16.056765271 +0000 +@@ -10,18 +10,18 @@ + cd tests && make all && cd .. + + install: +- mkdir -p $(DESTDIR)/include/polarssl +- cp -r include/polarssl $(DESTDIR)/include ++ mkdir -p $(DESTDIR)/usr/include/polarssl ++ cp -r include/polarssl $(DESTDIR)/usr/include + +- mkdir -p $(DESTDIR)/lib +- cp library/libpolarssl.* $(DESTDIR)/lib ++ mkdir -p $(DESTDIR)/usr/lib ++ cp library/libpolarssl.* $(DESTDIR)/usr/lib + +- mkdir -p $(DESTDIR)/bin ++ mkdir -p $(DESTDIR)/usr/bin + for p in programs/*/* ; do \ + if [ -x $$p ] && [ ! -d $$p ] ; \ + then \ + f=$(PREFIX)`basename $$p` ; \ +- cp $$p $(DESTDIR)/bin/$$f ; \ ++ cp $$p $(DESTDIR)/usr/bin/$$f ; \ + fi \ + done +