author | Yves-Alexis Perez <corsac@debian.org> | 2013-04-26 11:47:16 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-04-26 11:47:16 +0200 |
commit | f869be90352c43cc0db49fb712d729454eb5c6b0 (patch) | |
tree | 1b19d93a17b477def3c9b1b4aeab957767a6a94d /debian/patches | |
parent | 4e331141b8693e5214b82fdd6c3c6f4fa65eafca (diff) | |
Fix for CVE-2013-2944
* debian/patches:
- 0001-Check-return-value-of-ECDSA_Verify-correctly added. Fix ECDSA
signature verification when using openssl plugin (CVE-2013-2944).
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch | 26 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 27 insertions, 0 deletions
diff --git a/debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch b/debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch
new file mode 100644
index 000000000..abd1f1921
--- /dev/null
+++ b/debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch
@@ -0,0 +1,26 @@
+From 0faaab20cd9c4a519fb6269ab6c8be15d0b61864 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Tue, 9 Apr 2013 10:56:09 +0200
+Subject: Check return value of ECDSA_Verify() correctly
+
+---
+ src/libstrongswan/plugins/openssl/openssl_ec_public_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+index c8a45f7..38cc8be 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
++++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+@@ -124,7 +124,7 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
+ if (openssl_hash_chunk(nid_hash, data, &hash))
+ {
+ valid = ECDSA_verify(0, hash.ptr, hash.len,
+- signature.ptr, signature.len, this->ec);
++ signature.ptr, signature.len, this->ec) == 1;
+ free(hash.ptr);
+ }
+ return valid;
+-- 
+1.7.10.4
+
+
diff --git a/debian/patches/series b/debian/patches/series
index ff06f2f04..29c60134c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 02_add-LICENSE.patch
 03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
 04-Fixed-IPv6-source-address-lookup.patch
+0001-Check-return-value-of-ECDSA_Verify-correctly.patch |
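Review bot: The new `== 1` comparison on the ECDSA_verify() call in verify_der_signature has no comment explaining why the result must not be used as a plain boolean, which is the mistake this patch corrects. ECDSA_verify() returns 1 for a valid signature, 0 for an invalid one and -1 on error, so assigning it straight to the bool `valid` treats the error case as success; I would add `/* ECDSA_verify(): 1 = valid, 0 = invalid, -1 = error; only 1 may pass */` above the call so a later cleanup does not drop the comparison. The hunk shows only part of verify_der_signature, and any other OpenSSL verify calls in the plugin are not visible here, so it is worth confirming that they also compare against 1. A regression test that passes a malformed signature and expects rejection would pin the fix.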