openssl/sme8/openssl-fips-0.9.8e-cve-2015-0204.patch

diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod
--- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral   2014-08-08 11:54:24.000000000 +0200
+++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod 2015-02-03 10:26:12.735168700 +0100
@@ -151,15 +151,7 @@ temporary/ephemeral DH parameters are us
 
 =item SSL_OP_EPHEMERAL_RSA
 
-Always use ephemeral (temporary) RSA key when doing RSA operations
-(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
-According to the specifications this is only done, when a RSA key
-can only be used for signature operations (namely under export ciphers
-with restricted RSA keylength). By setting this option, ephemeral
-RSA keys are always used. This option breaks compatibility with the
-SSL/TLS specifications and may lead to interoperability problems with
-clients and should therefore never be used. Ciphers with EDH (ephemeral
-Diffie-Hellman) key exchange should be used instead.
+This option is no longer implemented and is treated as no op.
 
 =item SSL_OP_CIPHER_SERVER_PREFERENCE
 
diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
--- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral  2006-12-06 10:12:28.000000000 +0100
+++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod        2015-02-03 10:26:12.735168700 +0100
@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-H
 in order to achieve forward secrecy (see
 L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
 
-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
-and must be explicitly enabled  using the SSL_OP_EPHEMERAL_RSA option of
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
-standard. When ephemeral RSA key exchange is required for export ciphers,
-it will automatically be used without this option!
-
-An application may either directly specify the key or can supply the key via
-a callback function. The callback approach has the advantage, that the
-callback may generate the key only in case it is actually needed. As the
-generation of a RSA key is however costly, it will lead to a significant
-delay in the handshake procedure.  Another advantage of the callback function
-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
-usage) while the explicit setting of the key is only useful for key size of
-512 bits to satisfy the export restricted ciphers and does give away key length
-if a longer key would be allowed.
+An application may either directly specify the key or can supply the key via a
+callback function. The callback approach has the advantage, that the callback
+may generate the key only in case it is actually needed. As the generation of a
+RSA key is however costly, it will lead to a significant delay in the handshake
+procedure.  Another advantage of the callback function is that it can supply
+keys of different size while the explicit setting of the key is only useful for
+key size of 512 bits to satisfy the export restricted ciphers and does give
+away key length if a longer key would be allowed.
 
 The B<tmp_rsa_callback> is called with the B<keylength> needed and
 the B<is_export> information. The B<is_export> flag is set, when the
diff -up openssl-fips-0.9.8e/ssl/d1_srvr.c.rsa-ephemeral openssl-fips-0.9.8e/ssl/d1_srvr.c
--- openssl-fips-0.9.8e/ssl/d1_srvr.c.rsa-ephemeral     2014-08-08 11:54:24.000000000 +0200
+++ openssl-fips-0.9.8e/ssl/d1_srvr.c   2015-02-03 10:26:12.738168768 +0100
@@ -323,23 +323,11 @@ int dtls1_accept(SSL *s)
 
                        /* clear this, it may get reset by
                         * send_server_key_exchange */
-                       if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-                               && !(l & SSL_KRB5)
-#endif /* OPENSSL_NO_KRB5 */
-                               )
-                               /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-                                * even when forbidden by protocol specs
-                                * (handshake may fail as clients are not required to
-                                * be able to handle this) */
-                               s->s3->tmp.use_rsa_tmp=1;
-                       else
-                               s->s3->tmp.use_rsa_tmp=0;
+                       s->s3->tmp.use_rsa_tmp=0;
 
                        /* only send if a DH key exchange, fortezza or
                         * RSA but we have a sign only certificate */
-                       if (s->s3->tmp.use_rsa_tmp
-                           || (l & (SSL_DH|SSL_kFZA))
+                       if ((l & (SSL_DH|SSL_kFZA))
                            || ((l & SSL_kRSA)
                                && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
                                    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
diff -up openssl-fips-0.9.8e/ssl/ssl.h.rsa-ephemeral openssl-fips-0.9.8e/ssl/ssl.h
--- openssl-fips-0.9.8e/ssl/ssl.h.rsa-ephemeral 2014-10-15 16:33:56.329898526 +0200
+++ openssl-fips-0.9.8e/ssl/ssl.h       2015-02-03 10:26:12.741168836 +0100
@@ -514,9 +514,8 @@ typedef struct ssl_session_st
 #define SSL_OP_SINGLE_ECDH_USE                         0x00080000L
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE                           0x00100000L
-/* Set to always use the tmp_rsa key when doing RSA operations,
- * even when this violates protocol specs */
-#define SSL_OP_EPHEMERAL_RSA                           0x00200000L
+/* Does nothing: retained for compatibiity */
+#define SSL_OP_EPHEMERAL_RSA                           0x0
 /* Set on servers to choose the cipher according to the server's
  * preferences */
 #define SSL_OP_CIPHER_SERVER_PREFERENCE                        0x00400000L
diff -up openssl-fips-0.9.8e/ssl/s3_clnt.c.rsa-ephemeral openssl-fips-0.9.8e/ssl/s3_clnt.c
--- openssl-fips-0.9.8e/ssl/s3_clnt.c.rsa-ephemeral     2014-08-08 11:54:24.000000000 +0200
+++ openssl-fips-0.9.8e/ssl/s3_clnt.c   2015-02-03 10:27:12.018509441 +0100
@@ -1086,6 +1086,13 @@ int ssl3_get_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_RSA
        if (alg & SSL_kRSA)
                {
+               /* Temporary RSA keys only allowed in export ciphersuites */
+               if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
+                       {
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+                       goto f_err;
+                       }
                if ((rsa=RSA_new()) == NULL)
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
diff -up openssl-fips-0.9.8e/ssl/s3_srvr.c.rsa-ephemeral openssl-fips-0.9.8e/ssl/s3_srvr.c
--- openssl-fips-0.9.8e/ssl/s3_srvr.c.rsa-ephemeral     2014-08-08 11:54:24.000000000 +0200
+++ openssl-fips-0.9.8e/ssl/s3_srvr.c   2015-02-03 10:26:12.740168813 +0100
@@ -332,18 +332,7 @@ int ssl3_accept(SSL *s)
 
                        /* clear this, it may get reset by
                         * send_server_key_exchange */
-                       if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-                               && !(l & SSL_KRB5)
-#endif /* OPENSSL_NO_KRB5 */
-                               )
-                               /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-                                * even when forbidden by protocol specs
-                                * (handshake may fail as clients are not required to
-                                * be able to handle this) */
-                               s->s3->tmp.use_rsa_tmp=1;
-                       else
-                               s->s3->tmp.use_rsa_tmp=0;
+                       s->s3->tmp.use_rsa_tmp=0;
 
 
                        /* only send if a DH key exchange, fortezza or
@@ -355,8 +344,7 @@ int ssl3_accept(SSL *s)
                         * server certificate contains the server's 
                         * public key for key exchange.
                         */
-                       if (s->s3->tmp.use_rsa_tmp
-                           || (l & SSL_kECDHE)
+                       if ((l & SSL_kECDHE)
                            || (l & (SSL_DH|SSL_kFZA))
                            || ((l & SSL_kRSA)
                                && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
1	vip-ire	1.1	diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod
2			--- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral 2014-08-08 11:54:24.000000000 +0200
3			+++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod 2015-02-03 10:26:12.735168700 +0100
4			@@ -151,15 +151,7 @@ temporary/ephemeral DH parameters are us
5
6			=item SSL_OP_EPHEMERAL_RSA
7
8			-Always use ephemeral (temporary) RSA key when doing RSA operations
9			-(see L<SSL_CTX_set_tmp_rsa_callback(3)\|SSL_CTX_set_tmp_rsa_callback(3)>).
10			-According to the specifications this is only done, when a RSA key
11			-can only be used for signature operations (namely under export ciphers
12			-with restricted RSA keylength). By setting this option, ephemeral
13			-RSA keys are always used. This option breaks compatibility with the
14			-SSL/TLS specifications and may lead to interoperability problems with
15			-clients and should therefore never be used. Ciphers with EDH (ephemeral
16			-Diffie-Hellman) key exchange should be used instead.
17			+This option is no longer implemented and is treated as no op.
18
19			=item SSL_OP_CIPHER_SERVER_PREFERENCE
20
21			diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
22			--- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral 2006-12-06 10:12:28.000000000 +0100
23			+++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 2015-02-03 10:26:12.735168700 +0100
24			@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-H
25			in order to achieve forward secrecy (see
26			L<SSL_CTX_set_tmp_dh_callback(3)\|SSL_CTX_set_tmp_dh_callback(3)>).
27
28			-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
29			-and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
30			-L<SSL_CTX_set_options(3)\|SSL_CTX_set_options(3)>, violating the TLS/SSL
31			-standard. When ephemeral RSA key exchange is required for export ciphers,
32			-it will automatically be used without this option!
33			-
34			-An application may either directly specify the key or can supply the key via
35			-a callback function. The callback approach has the advantage, that the
36			-callback may generate the key only in case it is actually needed. As the
37			-generation of a RSA key is however costly, it will lead to a significant
38			-delay in the handshake procedure. Another advantage of the callback function
39			-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
40			-usage) while the explicit setting of the key is only useful for key size of
41			-512 bits to satisfy the export restricted ciphers and does give away key length
42			-if a longer key would be allowed.
43			+An application may either directly specify the key or can supply the key via a
44			+callback function. The callback approach has the advantage, that the callback
45			+may generate the key only in case it is actually needed. As the generation of a
46			+RSA key is however costly, it will lead to a significant delay in the handshake
47			+procedure. Another advantage of the callback function is that it can supply
48			+keys of different size while the explicit setting of the key is only useful for
49			+key size of 512 bits to satisfy the export restricted ciphers and does give
50			+away key length if a longer key would be allowed.
51
52			The B<tmp_rsa_callback> is called with the B<keylength> needed and
53			the B<is_export> information. The B<is_export> flag is set, when the
54			diff -up openssl-fips-0.9.8e/ssl/d1_srvr.c.rsa-ephemeral openssl-fips-0.9.8e/ssl/d1_srvr.c
55			--- openssl-fips-0.9.8e/ssl/d1_srvr.c.rsa-ephemeral 2014-08-08 11:54:24.000000000 +0200
56			+++ openssl-fips-0.9.8e/ssl/d1_srvr.c 2015-02-03 10:26:12.738168768 +0100
57			@@ -323,23 +323,11 @@ int dtls1_accept(SSL *s)
58
59			/* clear this, it may get reset by
60			* send_server_key_exchange */
61			- if ((s->options & SSL_OP_EPHEMERAL_RSA)
62			-#ifndef OPENSSL_NO_KRB5
63			- && !(l & SSL_KRB5)
64			-#endif /* OPENSSL_NO_KRB5 */
65			- )
66			- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
67			- * even when forbidden by protocol specs
68			- * (handshake may fail as clients are not required to
69			- * be able to handle this) */
70			- s->s3->tmp.use_rsa_tmp=1;
71			- else
72			- s->s3->tmp.use_rsa_tmp=0;
73			+ s->s3->tmp.use_rsa_tmp=0;
74
75			/* only send if a DH key exchange, fortezza or
76			* RSA but we have a sign only certificate */
77			- if (s->s3->tmp.use_rsa_tmp
78			- \|\| (l & (SSL_DH\|SSL_kFZA))
79			+ if ((l & (SSL_DH\|SSL_kFZA))
80			\|\| ((l & SSL_kRSA)
81			&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
82			\|\| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
83			diff -up openssl-fips-0.9.8e/ssl/ssl.h.rsa-ephemeral openssl-fips-0.9.8e/ssl/ssl.h
84			--- openssl-fips-0.9.8e/ssl/ssl.h.rsa-ephemeral 2014-10-15 16:33:56.329898526 +0200
85			+++ openssl-fips-0.9.8e/ssl/ssl.h 2015-02-03 10:26:12.741168836 +0100
86			@@ -514,9 +514,8 @@ typedef struct ssl_session_st
87			#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
88			/* If set, always create a new key when using tmp_dh parameters */
89			#define SSL_OP_SINGLE_DH_USE 0x00100000L
90			-/* Set to always use the tmp_rsa key when doing RSA operations,
91			- * even when this violates protocol specs */
92			-#define SSL_OP_EPHEMERAL_RSA 0x00200000L
93			+/* Does nothing: retained for compatibiity */
94			+#define SSL_OP_EPHEMERAL_RSA 0x0
95			/* Set on servers to choose the cipher according to the server's
96			* preferences */
97			#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
98			diff -up openssl-fips-0.9.8e/ssl/s3_clnt.c.rsa-ephemeral openssl-fips-0.9.8e/ssl/s3_clnt.c
99			--- openssl-fips-0.9.8e/ssl/s3_clnt.c.rsa-ephemeral 2014-08-08 11:54:24.000000000 +0200
100			+++ openssl-fips-0.9.8e/ssl/s3_clnt.c 2015-02-03 10:27:12.018509441 +0100
101			@@ -1086,6 +1086,13 @@ int ssl3_get_key_exchange(SSL *s)
102			#ifndef OPENSSL_NO_RSA
103			if (alg & SSL_kRSA)
104			{
105			+ /* Temporary RSA keys only allowed in export ciphersuites */
106			+ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
107			+ {
108			+ al=SSL_AD_UNEXPECTED_MESSAGE;
109			+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
110			+ goto f_err;
111			+ }
112			if ((rsa=RSA_new()) == NULL)
113			{
114			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
115			diff -up openssl-fips-0.9.8e/ssl/s3_srvr.c.rsa-ephemeral openssl-fips-0.9.8e/ssl/s3_srvr.c
116			--- openssl-fips-0.9.8e/ssl/s3_srvr.c.rsa-ephemeral 2014-08-08 11:54:24.000000000 +0200
117			+++ openssl-fips-0.9.8e/ssl/s3_srvr.c 2015-02-03 10:26:12.740168813 +0100
118			@@ -332,18 +332,7 @@ int ssl3_accept(SSL *s)
119
120			/* clear this, it may get reset by
121			* send_server_key_exchange */
122			- if ((s->options & SSL_OP_EPHEMERAL_RSA)
123			-#ifndef OPENSSL_NO_KRB5
124			- && !(l & SSL_KRB5)
125			-#endif /* OPENSSL_NO_KRB5 */
126			- )
127			- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
128			- * even when forbidden by protocol specs
129			- * (handshake may fail as clients are not required to
130			- * be able to handle this) */
131			- s->s3->tmp.use_rsa_tmp=1;
132			- else
133			- s->s3->tmp.use_rsa_tmp=0;
134			+ s->s3->tmp.use_rsa_tmp=0;
135
136
137			/* only send if a DH key exchange, fortezza or
138			@@ -355,8 +344,7 @@ int ssl3_accept(SSL *s)
139			* server certificate contains the server's
140			* public key for key exchange.
141			*/
142			- if (s->s3->tmp.use_rsa_tmp
143			- \|\| (l & SSL_kECDHE)
144			+ if ((l & SSL_kECDHE)
145			\|\| (l & (SSL_DH\|SSL_kFZA))
146			\|\| ((l & SSL_kRSA)
147			&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL