Sat Feb 8 03:17:55 UTC 2014

2 files changed, 126 insertions, 4 deletions

diff --git a/extra/libsrtp/7713d5706524f9f1ee94fd6b55125357e63656d5.patch b/extra/libsrtp/7713d5706524f9f1ee94fd6b55125357e63656d5.patch
new file mode 100644
index 000000000..bbfb4388a
--- /dev/null
+++ b/extra/libsrtp/7713d5706524f9f1ee94fd6b55125357e63656d5.patch
@@ -0,0 +1,116 @@
+From 8884f4d8eb4ca7122dfcbd640b933b98ef4bab80 Mon Sep 17 00:00:00 2001
+From: jfigus <jfig_us@yahoo.com>
+Date: Thu, 30 May 2013 12:36:07 -0400
+Subject: [PATCH 1/3] Remove double-invocations to prevent buffer-overflow
+ vulnerability.
+
+---
+ srtp/srtp.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/srtp/srtp.c b/srtp/srtp.c
+index 839c1ee..41e263c 100644
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -2063,23 +2063,18 @@ static inline int base_key_length(const cipher_type_t *cipher, int key_length)
+   switch(profile) {
+   case srtp_profile_aes128_cm_sha1_80:
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+-    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes128_cm_sha1_32:
+     crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+-    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_null_sha1_80:
+     crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+-    crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes256_cm_sha1_80:
+     crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+-    crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes256_cm_sha1_32:
+     crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
+-    crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+     break;
+     /* the following profiles are not (yet) supported */
+   case srtp_profile_null_sha1_32:
+-- 
+1.8.5.1
+
+
+From 8e47faf0f5b90672c7ebf2f0cf0562ee81a8b621 Mon Sep 17 00:00:00 2001
+From: jfigus <jfig_us@yahoo.com>
+Date: Thu, 30 May 2013 13:36:33 -0400
+Subject: [PATCH 2/3] Fix 32-bit tag policies to use correct profile.
+
+---
+ srtp/srtp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/srtp/srtp.c b/srtp/srtp.c
+index 41e263c..95c1ab4 100644
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -2095,7 +2095,7 @@ static inline int base_key_length(const cipher_type_t *cipher, int key_length)
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes128_cm_sha1_32:
+-    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
++    crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+     break;
+   case srtp_profile_null_sha1_80:
+     crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+@@ -2104,7 +2104,7 @@ static inline int base_key_length(const cipher_type_t *cipher, int key_length)
+     crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes256_cm_sha1_32:
+-    crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
++    crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
+     break;
+     /* the following profiles are not (yet) supported */
+   case srtp_profile_null_sha1_32:
+-- 
+1.8.5.1
+
+
+From 0acbb039c12b790621839facf56bfedbd071b74d Mon Sep 17 00:00:00 2001
+From: jfigus <jfig_us@yahoo.com>
+Date: Thu, 30 May 2013 16:47:02 -0400
+Subject: [PATCH 3/3] Undo the changes to the RTCP profile helper function. 
+ The prior commit was not compliant with RFC 3711.
+
+---
+ srtp/srtp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/srtp/srtp.c b/srtp/srtp.c
+index 95c1ab4..7fd19e6 100644
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -2095,7 +2095,9 @@ static inline int base_key_length(const cipher_type_t *cipher, int key_length)
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes128_cm_sha1_32:
+-    crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
++    /* We do not honor the 32-bit auth tag request since
++     * this is not compliant with RFC 3711 */
++    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_null_sha1_80:
+     crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+@@ -2104,7 +2106,9 @@ static inline int base_key_length(const cipher_type_t *cipher, int key_length)
+     crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes256_cm_sha1_32:
+-    crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
++    /* We do not honor the 32-bit auth tag request since
++     * this is not compliant with RFC 3711 */
++    crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+     break;
+     /* the following profiles are not (yet) supported */
+   case srtp_profile_null_sha1_32:
+-- 
+1.8.5.1
+
diff --git a/extra/libsrtp/PKGBUILD b/extra/libsrtp/PKGBUILD
index 7107d8c49..b43a3783a 100644
--- a/extra/libsrtp/PKGBUILD
+++ b/extra/libsrtp/PKGBUILD
@@ -1,4 +1,4 @@
-# $Id: PKGBUILD 197763 2013-10-29 19:24:02Z eric $
+# $Id: PKGBUILD 205552 2014-02-06 23:19:34Z eric $
 # Maintainer:
 # Contributor: Sergej Pupykin <pupykin.s+arch@gmail.com>
 # Contributor: Yejun Yang <yejunx AT gmail DOT com>
@@ -6,21 +6,27 @@
 
 pkgname=libsrtp
 pkgver=15.1c9bd90
-pkgrel=2
+pkgrel=3
 pkgdesc="Open-source implementation of the Secure Real-time Transport Protocol (SRTP)"
 url="http://srtp.sourceforge.net/srtp.html"
 arch=('i686' 'x86_64')
 license=('BSD')
 depends=('glibc')
 makedepends=('git')
-source=("git://git.linphone.org/srtp.git#commit=1c9bd90")
-md5sums=('SKIP')
+source=("git://git.linphone.org/srtp.git#commit=1c9bd90" 7713d5706524f9f1ee94fd6b55125357e63656d5.patch)
+md5sums=('SKIP'
+         '33b3ba860560a4d9dee244caf73eceef')
 
 pkgver() {
   cd srtp
   echo $(git rev-list --count HEAD).$(git rev-parse --short HEAD)
 }
 
+prepare() {
+  cd srtp
+  patch -p1 -i ../7713d5706524f9f1ee94fd6b55125357e63656d5.patch
+}
+
 build() {
   cd srtp
   autoconf