From 3deda9482f825d3c2254103892ee175a86f03557 Mon Sep 17 00:00:00 2001 From: Tomáš Mráz Date: Jan 07 2009 15:39:14 +0000 Subject: - fix CVE-2008-5077 - incorrect checks for malformed signatures (#476671) - add -no_ign_eof option (#462393) - do not add tls extensions to server hello for SSLv3 either --- diff --git a/openssl-0.9.8g-cve-2008-5077.patch b/openssl-0.9.8g-cve-2008-5077.patch new file mode 100644 index 0000000..3fa36a7 --- /dev/null +++ b/openssl-0.9.8g-cve-2008-5077.patch 
@@ -0,0 +1,140 @@
+diff -up openssl-0.9.8g/apps/speed.c.verifysig openssl-0.9.8g/apps/speed.c
+--- openssl-0.9.8g/apps/speed.c.verifysig 2009-01-07 16:09:11.000000000 +0100
++++ openssl-0.9.8g/apps/speed.c 2009-01-07 16:11:13.000000000 +0100
+@@ -2132,7 +2132,7 @@ int MAIN(int argc, char **argv)
+ {
+ ret=RSA_verify(NID_md5_sha1, buf,36, buf2,
+ rsa_num, rsa_key[j]);
+- if (ret == 0)
++ if (ret <= 0)
+ {
+ BIO_printf(bio_err,
+ "RSA verify failure\n");
+diff -up openssl-0.9.8g/apps/verify.c.verifysig openssl-0.9.8g/apps/verify.c
+--- openssl-0.9.8g/apps/verify.c.verifysig 2004-11-29 12:28:07.000000000 +0100
++++ openssl-0.9.8g/apps/verify.c 2009-01-07 16:11:13.000000000 +0100
+@@ -266,7 +266,7 @@ static int check(X509_STORE *ctx, char *
+
+ ret=0;
+ end:
+- if (i)
++ if (i > 0)
+ {
+ fprintf(stdout,"OK\n");
+ ret=1;
+@@ -367,4 +367,3 @@ static int MS_CALLBACK cb(int ok, X509_S
+ ERR_clear_error();
+ return(ok);
+ }
+-
+diff -up openssl-0.9.8g/apps/spkac.c.verifysig openssl-0.9.8g/apps/spkac.c
+--- openssl-0.9.8g/apps/spkac.c.verifysig 2005-04-05 21:11:18.000000000 +0200
++++ openssl-0.9.8g/apps/spkac.c 2009-01-07 16:11:13.000000000 +0100
+@@ -285,7 +285,7 @@ bad:
+ pkey = NETSCAPE_SPKI_get_pubkey(spki);
+ if(verify) {
+ i = NETSCAPE_SPKI_verify(spki, pkey);
+- if(i) BIO_printf(bio_err, "Signature OK\n");
++ if (i > 0) BIO_printf(bio_err, "Signature OK\n");
+ else {
+ BIO_printf(bio_err, "Signature Failure\n");
+ ERR_print_errors(bio_err);
+diff -up openssl-0.9.8g/apps/x509.c.verifysig openssl-0.9.8g/apps/x509.c
+--- openssl-0.9.8g/apps/x509.c.verifysig 2005-07-16 13:13:03.000000000 +0200
++++ openssl-0.9.8g/apps/x509.c 2009-01-07 16:11:13.000000000 +0100
+@@ -1144,7 +1144,7 @@ static int x509_certify(X509_STORE *ctx,
+ /* NOTE: this certificate can/should be self signed, unless it was
+ * a certificate request in which case it is not. */
+ X509_STORE_CTX_set_cert(&xsc,x);
+- if (!reqfile && !X509_verify_cert(&xsc))
++ if (!reqfile && X509_verify_cert(&xsc) <= 0)
+ goto end;
+
+ if (!X509_check_private_key(xca,pkey))
+diff -up openssl-0.9.8g/ssl/s2_clnt.c.verifysig openssl-0.9.8g/ssl/s2_clnt.c
+--- openssl-0.9.8g/ssl/s2_clnt.c.verifysig 2007-09-06 14:43:53.000000000 +0200
++++ openssl-0.9.8g/ssl/s2_clnt.c 2009-01-07 16:11:32.000000000 +0100
+@@ -1044,7 +1044,7 @@ int ssl2_set_certificate(SSL *s, int typ
+
+ i=ssl_verify_cert_chain(s,sk);
+
+- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
++ if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0))
+ {
+ SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
+ goto err;
+diff -up openssl-0.9.8g/ssl/s2_srvr.c.verifysig openssl-0.9.8g/ssl/s2_srvr.c
+--- openssl-0.9.8g/ssl/s2_srvr.c.verifysig 2007-09-06 14:43:53.000000000 +0200
++++ openssl-0.9.8g/ssl/s2_srvr.c 2009-01-07 16:12:54.000000000 +0100
+@@ -1054,7 +1054,7 @@ static int request_certificate(SSL *s)
+
+ i=ssl_verify_cert_chain(s,sk);
+
+- if (i) /* we like the packet, now check the chksum */
++ if (i > 0) /* we like the packet, now check the chksum */
+ {
+ EVP_MD_CTX ctx;
+ EVP_PKEY *pkey=NULL;
+@@ -1083,7 +1083,7 @@ static int request_certificate(SSL *s)
+ EVP_PKEY_free(pkey);
+ EVP_MD_CTX_cleanup(&ctx);
+
+- if (i)
++ if (i > 0)
+ {
+ if (s->session->peer != NULL)
+ X509_free(s->session->peer);
+diff -up openssl-0.9.8g/ssl/s3_clnt.c.verifysig openssl-0.9.8g/ssl/s3_clnt.c
+--- openssl-0.9.8g/ssl/s3_clnt.c.verifysig 2009-01-07 16:09:11.000000000 +0100
++++ openssl-0.9.8g/ssl/s3_clnt.c 2009-01-07 16:11:32.000000000 +0100
+@@ -940,7 +940,7 @@ int ssl3_get_server_certificate(SSL *s)
+ }
+
+ i=ssl_verify_cert_chain(s,sk);
+- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
++ if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
+ #ifndef OPENSSL_NO_KRB5
+ && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+ != (SSL_aKRB5|SSL_kKRB5)
+@@ -1425,7 +1425,7 @@ int ssl3_get_key_exchange(SSL *s)
+ EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+ EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+ EVP_VerifyUpdate(&md_ctx,param,param_len);
+- if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
++ if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
+ {
+ /* bad signature */
+ al=SSL_AD_DECRYPT_ERROR;
+@@ -1443,7 +1443,7 @@ int ssl3_get_key_exchange(SSL *s)
+ EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+ EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+ EVP_VerifyUpdate(&md_ctx,param,param_len);
+- if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
++ if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
+ {
+ /* bad signature */
+ al=SSL_AD_DECRYPT_ERROR;
+diff -up openssl-0.9.8g/ssl/ssltest.c.verifysig openssl-0.9.8g/ssl/ssltest.c
+--- openssl-0.9.8g/ssl/ssltest.c.verifysig 2009-01-07 16:09:11.000000000 +0100
++++ openssl-0.9.8g/ssl/ssltest.c 2009-01-07 16:11:32.000000000 +0100
+@@ -2061,7 +2061,7 @@ static int MS_CALLBACK app_verify_callba
+
+ if (cb_arg->proxy_auth)
+ {
+- if (ok)
++ if (ok > 0)
+ {
+ const char *cond_end = NULL;
+
+diff -up openssl-0.9.8g/ssl/s3_srvr.c.verifysig openssl-0.9.8g/ssl/s3_srvr.c
+--- openssl-0.9.8g/ssl/s3_srvr.c.verifysig 2007-09-30 20:55:59.000000000 +0200
++++ openssl-0.9.8g/ssl/s3_srvr.c 2009-01-07 16:11:32.000000000 +0100
+@@ -2519,7 +2519,7 @@ int ssl3_get_client_certificate(SSL *s)
+ else
+ {
+ i=ssl_verify_cert_chain(s,sk);
+- if (!i)
++ if (i <= 0)
+ {
+ al=ssl_verify_alarm_type(s->verify_result);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
diff --git a/openssl-0.9.8g-no-extssl.patch b/openssl-0.9.8g-no-extssl.patch
index 2f0407a..de00d0c 100644
--- a/openssl-0.9.8g-no-extssl.patch
+++ b/openssl-0.9.8g-no-extssl.patch
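Review bot: Nothing in the added openssl-0.9.8g-cve-2008-5077.patch records why `!i` became `i <= 0`, so a later boolean-style check on one of these calls can quietly reintroduce the flaw; `EVP_VerifyFinal` and `X509_verify_cert` can return a negative value on error as well as 0 on rejection, and `!x` treats that negative value as success. A one-line comment at the `ssl_verify_cert_chain` and `EVP_VerifyFinal` call sites would pin this down, for example `/* 1 = verified, 0 = rejected, <0 = error: only > 0 is success */`. The fix is applied call site by call site and callers outside these hunks are not visible here, so the tree should be searched for any remaining `if (!...)` or `if (...)` tests on these functions. In the s3_srvr.c hunk the `i <= 0` branch still derives the alert from `s->verify_result`; on a negative return that field may not describe the failure, which is worth confirming against ssl_verify_cert_chain.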
@@ -1,17 +1,27 @@ -Skip adding tls extensions to client hello when protocol version is -not TLS. diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c --- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200 -+++ openssl-0.9.8g/ssl/t1_lib.c 2007-12-13 17:22:10.000000000 +0100 ++++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200 @@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex int extdatalen=0; unsigned char *ret = p; + if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION) -+ { ++ { + return ret; -+ } ++ } + ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ +@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION) ++ { ++ return ret; ++ } ++ + ret+=2; + if (ret>=limit) return NULL; /* this really never occurs, but ... */ + diff --git a/openssl-0.9.8g-no-ign-eof.patch b/openssl-0.9.8g-no-ign-eof.patch new file mode 100644 index 0000000..163cb92 --- /dev/null +++ b/openssl-0.9.8g-no-ign-eof.patch 
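Review bot: The early return added to `ssl_add_serverhello_tlsext` (like the existing one in `ssl_add_clienthello_tlsext`) tests for exact equality with `TLS1_VERSION`/`DTLS1_VERSION`, which would also suppress extensions for any protocol version added later, and neither guard says that SSLv3 is the case being excluded. A comment above each check, such as `/* no TLS extensions in an SSLv3 hello */`, would make the intent explicit and make the equality test easier to revisit. The extension-parsing functions are outside this hunk; if the server still parses extensions from an SSLv3 client hello and sets state that expects a reply extension, the server hello and the rest of the handshake could disagree, so the parse side should be checked for the same gate. Both functions continue beyond the hunk.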
@@ -0,0 +1,20 @@ +diff -up openssl-0.9.8g/apps/s_client.c.no-ign-eof openssl-0.9.8g/apps/s_client.c +--- openssl-0.9.8g/apps/s_client.c.no-ign-eof 2009-01-07 16:09:11.000000000 +0100 ++++ openssl-0.9.8g/apps/s_client.c 2009-01-07 16:21:03.000000000 +0100 +@@ -216,6 +216,7 @@ static void sc_usage(void) + BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n"); + BIO_printf(bio_err," -quiet - no s_client output\n"); + BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n"); ++ BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n"); + BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); + BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); + BIO_printf(bio_err," -tls1 - just use TLSv1\n"); +@@ -427,6 +428,8 @@ int MAIN(int argc, char **argv) + } + else if (strcmp(*argv,"-ign_eof") == 0) + c_ign_eof=1; ++ else if (strcmp(*argv,"-no_ign_eof") == 0) ++ c_ign_eof=0; + else if (strcmp(*argv,"-pause") == 0) + c_Pause=1; + else if (strcmp(*argv,"-debug") == 0) diff --git a/openssl.spec b/openssl.spec index 2b783f8..bdeb9b9 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: The OpenSSL toolkit Name: openssl Version: 0.9.8g -Release: 9%{?dist} +Release: 9.12%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-usa.tar.bz2 @@ -61,6 +61,8 @@ Patch50: openssl-0.9.8g-speed-bug.patch Patch51: openssl-0.9.8g-bn-mul-bug.patch Patch52: openssl-0.9.8g-cve-2008-0891.patch Patch53: openssl-0.9.8g-cve-2008-1671.patch +Patch54: openssl-0.9.8g-cve-2008-5077.patch +Patch55: openssl-0.9.8g-no-ign-eof.patch License: OpenSSL Group: System Environment/Libraries 
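Review bot: In the added openssl-0.9.8g-no-ign-eof.patch the new `-no_ign_eof` branch only assigns `c_ign_eof=0` at the point it is parsed, so its effect appears to depend on argument order. The usage text says ignoring EOF is the default with `-quiet`; if `-quiet` sets the flag during parsing (its branch is outside the hunk), `-no_ign_eof -quiet` would still ignore EOF. The usage line could say so, e.g. `" -no_ign_eof - don't ignore input eof (give after -quiet)\n"`. MAIN's option loop continues outside the hunk.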
@@ -128,6 +130,8 @@ from other formats to the formats used by the OpenSSL toolkit. %patch51 -p1 -b .bn-mul-bug %patch52 -p0 -b .srvname-crash %patch53 -p0 -b .srv-kex-crash +%patch54 -p1 -b .verifysig +%patch55 -p1 -b .no-ign-eof # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -382,6 +386,11 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint %postun -p /sbin/ldconfig %changelog +* Wed Jan 7 2009 Tomas Mraz 0.9.8g-9.12 +- fix CVE-2008-5077 - incorrect checks for malformed signatures (#476671) +- add -no_ign_eof option (#462393) +- do not add tls extensions to server hello for SSLv3 either + * Wed May 28 2008 Tomas Mraz 0.9.8g-9 - fix CVE-2008-0891 - server name extension crash (#448492) - fix CVE-2008-1672 - server key exchange message omit crash (#448495)