openssl/sme8/openssl-fips-0.9.8e-cve-2015-0293.patch

diff -up openssl-fips-0.9.8e/ssl/s2_lib.c.ssl2-assert openssl-fips-0.9.8e/ssl/s2_lib.c
--- openssl-fips-0.9.8e/ssl/s2_lib.c.ssl2-assert        2015-04-01 12:41:28.023403066 +0200
+++ openssl-fips-0.9.8e/ssl/s2_lib.c    2015-04-02 15:29:37.468346462 +0200
@@ -410,7 +410,7 @@ int ssl2_generate_key_material(SSL *s)
 
                OPENSSL_assert(s->session->master_key_length >= 0
                    && s->session->master_key_length
-                   < (int)sizeof(s->session->master_key));
+                   <= (int)sizeof(s->session->master_key));
                EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
                EVP_DigestUpdate(&ctx,&c,1);
                c++;
diff -up openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-assert openssl-fips-0.9.8e/ssl/s2_srvr.c
--- openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-assert       2015-04-01 12:41:27.950401420 +0200
+++ openssl-fips-0.9.8e/ssl/s2_srvr.c   2015-04-02 15:33:51.109049368 +0200
@@ -363,7 +363,8 @@ end:
 
 static int get_client_master_key(SSL *s)
        {
-       int is_export,i,n,keya,ek;
+       int is_export,i,n,keya;
+       unsigned int ek;
        unsigned long len;
        unsigned char *p;
        SSL_CIPHER *cp;
@@ -445,9 +446,6 @@ static int get_client_master_key(SSL *s)
                SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
                return(-1);
                }
-       i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
-               &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
-               (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
 
        is_export=SSL_C_IS_EXPORT(s->session->cipher);
        
@@ -466,21 +464,61 @@ static int get_client_master_key(SSL *s)
        else
                ek=5;
 
+       /*
+        * The format of the CLIENT-MASTER-KEY message is
+        * 1 byte message type
+        * 3 bytes cipher
+        * 2-byte clear key length (stored in s->s2->tmp.clear)
+        * 2-byte encrypted key length (stored in s->s2->tmp.enc)
+        * 2-byte key args length (IV etc)
+        * clear key
+        * encrypted key
+        * key args
+        *
+        * If the cipher is an export cipher, then the encrypted key bytes
+        * are a fixed portion of the total key (5 or 8 bytes). The size of
+        * this portion is in |ek|. If the cipher is not an export cipher,
+        * then the entire key material is encrypted (i.e., clear key length
+        * must be zero).
+        */
+        if ((!is_export && s->s2->tmp.clear != 0) ||
+               (is_export && s->s2->tmp.clear + ek != (unsigned int)EVP_CIPHER_key_length(c)))
+               {
+               ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
+               return -1;
+               }
+       /*
+        * The encrypted blob must decrypt to the encrypted portion of the key.
+        * Decryption can't be expanding, so if we don't have enough encrypted
+        * bytes to fit the key in the buffer, stop now.
+        */
+       if ((is_export && s->s2->tmp.enc < ek) ||
+               (!is_export && s->s2->tmp.enc < (unsigned int)EVP_CIPHER_key_length(c)))
+               {
+               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
+               return -1;
+               }
+
+       i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+               &(p[s->s2->tmp.clear]),
+               &(p[s->s2->tmp.clear]),
+               (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : RSA_PKCS1_PADDING);
+
        /* bad decrypt */
 #if 1
        /* If a bad decrypt, continue with protocol but with a
         * random master secret (Bleichenbacher attack) */
-       if ((i < 0) ||
-               ((!is_export && (i != EVP_CIPHER_key_length(c)))
-               || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
-                       (unsigned int)EVP_CIPHER_key_length(c))))))
+       if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
+               || (is_export && i != (int)ek)))
                {
                ERR_clear_error();
                if (is_export)
                        i=ek;
                else
                        i=EVP_CIPHER_key_length(c);
-               if (RAND_pseudo_bytes(p,i) <= 0)
+               if (RAND_pseudo_bytes(&p[s->s2->tmp.clear],i) <= 0)
                        return 0;
                }
 #else
@@ -504,7 +542,8 @@ static int get_client_master_key(SSL *s)
                }
 #endif
 
-       if (is_export) i+=s->s2->tmp.clear;
+       if (is_export)
+               i = EVP_CIPHER_key_length(c);
 
        if (i > SSL_MAX_MASTER_KEY_LENGTH)
                {
1	diff -up openssl-fips-0.9.8e/ssl/s2_lib.c.ssl2-assert openssl-fips-0.9.8e/ssl/s2_lib.c
2	--- openssl-fips-0.9.8e/ssl/s2_lib.c.ssl2-assert 2015-04-01 12:41:28.023403066 +0200
3	+++ openssl-fips-0.9.8e/ssl/s2_lib.c 2015-04-02 15:29:37.468346462 +0200
4	@@ -410,7 +410,7 @@ int ssl2_generate_key_material(SSL *s)
5
6	OPENSSL_assert(s->session->master_key_length >= 0
7	&& s->session->master_key_length
8	- < (int)sizeof(s->session->master_key));
9	+ <= (int)sizeof(s->session->master_key));
10	EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
11	EVP_DigestUpdate(&ctx,&c,1);
12	c++;
13	diff -up openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-assert openssl-fips-0.9.8e/ssl/s2_srvr.c
14	--- openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-assert 2015-04-01 12:41:27.950401420 +0200
15	+++ openssl-fips-0.9.8e/ssl/s2_srvr.c 2015-04-02 15:33:51.109049368 +0200
16	@@ -363,7 +363,8 @@ end:
17
18	static int get_client_master_key(SSL *s)
19	{
20	- int is_export,i,n,keya,ek;
21	+ int is_export,i,n,keya;
22	+ unsigned int ek;
23	unsigned long len;
24	unsigned char *p;
25	SSL_CIPHER *cp;
26	@@ -445,9 +446,6 @@ static int get_client_master_key(SSL *s)
27	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
28	return(-1);
29	}
30	- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
31	- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
32	- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
33
34	is_export=SSL_C_IS_EXPORT(s->session->cipher);
35
36	@@ -466,21 +464,61 @@ static int get_client_master_key(SSL *s)
37	else
38	ek=5;
39
40	+ /*
41	+ * The format of the CLIENT-MASTER-KEY message is
42	+ * 1 byte message type
43	+ * 3 bytes cipher
44	+ * 2-byte clear key length (stored in s->s2->tmp.clear)
45	+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
46	+ * 2-byte key args length (IV etc)
47	+ * clear key
48	+ * encrypted key
49	+ * key args
50	+ *
51	+ * If the cipher is an export cipher, then the encrypted key bytes
52	+ * are a fixed portion of the total key (5 or 8 bytes). The size of
53	+ * this portion is in \|ek\|. If the cipher is not an export cipher,
54	+ * then the entire key material is encrypted (i.e., clear key length
55	+ * must be zero).
56	+ */
57	+ if ((!is_export && s->s2->tmp.clear != 0) \|\|
58	+ (is_export && s->s2->tmp.clear + ek != (unsigned int)EVP_CIPHER_key_length(c)))
59	+ {
60	+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
61	+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
62	+ return -1;
63	+ }
64	+ /*
65	+ * The encrypted blob must decrypt to the encrypted portion of the key.
66	+ * Decryption can't be expanding, so if we don't have enough encrypted
67	+ * bytes to fit the key in the buffer, stop now.
68	+ */
69	+ if ((is_export && s->s2->tmp.enc < ek) \|\|
70	+ (!is_export && s->s2->tmp.enc < (unsigned int)EVP_CIPHER_key_length(c)))
71	+ {
72	+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
73	+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
74	+ return -1;
75	+ }
76	+
77	+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
78	+ &(p[s->s2->tmp.clear]),
79	+ &(p[s->s2->tmp.clear]),
80	+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : RSA_PKCS1_PADDING);
81	+
82	/* bad decrypt */
83	#if 1
84	/* If a bad decrypt, continue with protocol but with a
85	* random master secret (Bleichenbacher attack) */
86	- if ((i < 0) \|\|
87	- ((!is_export && (i != EVP_CIPHER_key_length(c)))
88	- \|\| (is_export && ((i != ek) \|\| (s->s2->tmp.clear+(unsigned int)i !=
89	- (unsigned int)EVP_CIPHER_key_length(c))))))
90	+ if ((i < 0) \|\| ((!is_export && i != EVP_CIPHER_key_length(c))
91	+ \|\| (is_export && i != (int)ek)))
92	{
93	ERR_clear_error();
94	if (is_export)
95	i=ek;
96	else
97	i=EVP_CIPHER_key_length(c);
98	- if (RAND_pseudo_bytes(p,i) <= 0)
99	+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear],i) <= 0)
100	return 0;
101	}
102	#else
103	@@ -504,7 +542,8 @@ static int get_client_master_key(SSL *s)
104	}
105	#endif
106
107	- if (is_export) i+=s->s2->tmp.clear;
108	+ if (is_export)
109	+ i = EVP_CIPHER_key_length(c);
110
111	if (i > SSL_MAX_MASTER_KEY_LENGTH)
112	{