From 6fb56a90544092fe393a0a319736bae1a5c77ff9 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Jan 07 2014 14:38:39 +0000
Subject: Merge branch 'master' into f20
---
diff --git a/openssl-1.0.1e-cve-2013-4353.patch b/openssl-1.0.1e-cve-2013-4353.patch
new file mode 100644
index 0000000..5f96116
--- /dev/null
+++ b/openssl-1.0.1e-cve-2013-4353.patch
@@ -0,0 +1,21 @@
+Fix for TLS record tampering bug. A carefully crafted invalid
+handshake could crash OpenSSL with a NULL pointer exception.
+Thanks to Anton Johansson for reporting this issues.
+(CVE-2013-4353)
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index 1e5dcab..53b9390 100644
+--- a/ssl/s3_both.c
++++ b/ssl/s3_both.c
+@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
+ {
+ const char *sender;
+ int slen;
+-
++ /* If no new cipher setup return immediately: other functions will
++ * set the appropriate error.
++ */
++ if (s->s3->tmp.new_cipher == NULL)
++ return;
+ if (s->state & SSL_ST_CONNECT)
+ {
+ sender=s->method->ssl3_enc->server_finished_label;
diff --git a/openssl-1.0.1e-cve-2013-6449.patch b/openssl-1.0.1e-cve-2013-6449.patch
index fe24be5..d80a178 100644
--- a/openssl-1.0.1e-cve-2013-6449.patch
+++ b/openssl-1.0.1e-cve-2013-6449.patch
@@ -38,6 +38,15 @@ diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 804291e..c4bc4e7 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
+@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
+ if (version != s->version)
+ {
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+- if ((s->version & 0xFF00) == (version & 0xFF00))
++ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
+ /* Send back error using their minor version number :-) */
+ s->version = (unsigned short)version;
+ al=SSL_AD_PROTOCOL_VERSION;
@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
slen=s->method->ssl3_enc->client_finished_label_len;
}
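Review bot: The header of the new openssl-1.0.1e-cve-2013-4353.patch (the four description lines at the top of the hunk) names the CVE but not the upstream commit or release the ssl3_take_mac change was backported from, so a later rebase cannot tell whether the local copy still matches upstream. A line such as `Upstream commit: <UPSTREAM-COMMIT-ID>` after `(CVE-2013-4353)` would record the provenance; the same applies to the header of openssl-1.0.1e-cve-2013-6450.patch added later in this commit. The body of ssl3_take_mac continues past the end of the inner hunk.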
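Review bot: The write-side guard `&& !s->enc_write_ctx && !s->write_hash` added to the `if` in the ssl3_get_record hunk carries no comment saying why adopting the peer's version is now conditional, while the retained `/* Send back error using their minor version number :-) */` still reads as if the fallback were unconditional. A comment above the condition such as `/* Only adopt the peer's version while the write side is still unkeyed; once a cipher or MAC context exists the record layer keeps the negotiated version. */` would keep the intent with the code. That wording is inferred from the condition itself rather than from anything visible in the hunk, so it should be checked against the bug this patch fixes. The identical condition is added to ssl3_get_client_hello in the next hunk of this same patch file (the `@@ -54,6 +63,20 @@` hunk), so one static inline helper in ssl_locl.h, e.g. `ssl_write_side_unkeyed(s)`, would keep the two checks in step. ssl3_get_record starts and ends outside the hunk.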
@@ -54,6 +63,20 @@ index 804291e..c4bc4e7 100644
return(1);
}
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index e5a8b3f..52efed3 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
+ (s->version != DTLS1_VERSION && s->client_version < s->version))
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
+- if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
++ if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
++ !s->enc_write_ctx && !s->write_hash)
+ {
+ /* similar to ssl3_get_record, send alert using remote version number */
+ s->version = s->client_version;
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 809ad2e..72015f5 100644
--- a/ssl/t1_enc.c
diff --git a/openssl-1.0.1e-cve-2013-6450.patch b/openssl-1.0.1e-cve-2013-6450.patch
new file mode 100644
index 0000000..fa096c8
--- /dev/null
+++ b/openssl-1.0.1e-cve-2013-6450.patch
@@ -0,0 +1,85 @@
+Fix DTLS retransmission from previous session.
+
+For DTLS we might need to retransmit messages from the previous session
+so keep a copy of write context in DTLS retransmission buffers instead
+of replacing it after sending CCS. CVE-2013-6450.
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 65ec001..7a5596a 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
+ static void
+ dtls1_hm_fragment_free(hm_fragment *frag)
+ {
++
++ if (frag->msg_header.is_ccs)
++ {
++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
++ }
+ if (frag->fragment) OPENSSL_free(frag->fragment);
+ if (frag->reassembly) OPENSSL_free(frag->reassembly);
+ OPENSSL_free(frag);
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index 96ce9a7..e485907 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
+ extern SSL3_ENC_METHOD SSLv3_enc_data;
+ extern SSL3_ENC_METHOD DTLSv1_enc_data;
+
++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
++
+ #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
+ s_get_meth) \
+ const SSL_METHOD *func_name(void) \
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 72015f5..56db834 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
+ s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
+ else
+ s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
+- if (s->enc_write_ctx != NULL)
++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
+ reuse_dd = 1;
+- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
+- else
+- /* make sure it's intialized in case we exit later with an error */
+- EVP_CIPHER_CTX_init(s->enc_write_ctx);
+ dd=
s->enc_write_ctx;
+- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
++ if (SSL_IS_DTLS(s))
++ {
++ mac_ctx = EVP_MD_CTX_create();
++ if (!mac_ctx)
++ goto err;
++ s->write_hash = mac_ctx;
++ }
++ else
++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
+ #ifndef OPENSSL_NO_COMP
+ if (s->compress != NULL)
+ {
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 6fc469f..d14e8e4 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count,
+
+ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
+ {
+- EVP_MD_CTX_cleanup(ctx);
+- OPENSSL_free(ctx);
++ if (ctx)
++ {
++ EVP_MD_CTX_cleanup(ctx);
++ OPENSSL_free(ctx);
++ }
+ }
+
+ /* This call frees resources associated with the context */
diff --git a/openssl-1.0.1e-new-fips-reqs.patch b/openssl-1.0.1e-new-fips-reqs.patch
index 59b3e90..7054955 100644
--- a/openssl-1.0.1e-new-fips-reqs.patch
+++ b/openssl-1.0.1e-new-fips-reqs.patch
@@ -29,7 +29,7 @@ diff -up openssl-1.0.1e/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1e/crypto/dh/
if (BN_cmp(pub_key,q)>=0)
*ret|=DH_CHECK_PUBKEY_TOO_LARGE;
+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
++ if (FIPS_mode() && dh->q != NULL)
+ {
+ BN_CTX *ctx = NULL;
diff --git a/openssl.spec b/openssl.spec
index 7faf37a..a19e20c 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1e
-Release: 36%{?dist}
+Release: 37%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -85,6 +85,8 @@ Patch83: openssl-1.0.1e-bad-mac.patch
Patch84: openssl-1.0.1e-trusted-first.patch
Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
Patch86: openssl-1.0.1e-cve-2013-6449.patch
+Patch87: openssl-1.0.1e-cve-2013-6450.patch
+Patch88: openssl-1.0.1e-cve-2013-4353.patch
License: OpenSSL
Group: System Environment/Libraries
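Review bot: In the DTLS branch of tls1_change_cipher_state, `s->enc_write_ctx=EVP_CIPHER_CTX_new()` and `s->write_hash = mac_ctx;` overwrite the previous context pointers without freeing them, which is leak-free only if those objects were already handed to the buffered CCS message whose `saved_retransmit_state` the new code in dtls1_hm_fragment_free now releases; the code that stores them there is not part of this patch, so the ownership transfer is invisible at the assignment. A comment at the DTLS `if`, e.g. `/* DTLS: the old write ctx/hash now belong to the buffered CCS fragment (saved_retransmit_state) and are freed with it; do not reuse or free them here */`, would record the assumption, and it should be confirmed against the dtls1 buffering code before merging. Separately, the new macro uses its parameter unparenthesized; `#define SSL_IS_DTLS(s) ((s)->method->version == DTLS1_VERSION)` avoids surprises if it is ever invoked with an expression. tls1_change_cipher_state and EVP_MD_CTX_destroy both extend beyond the inner hunks shown.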
@@ -205,6 +207,8 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch84 -p1 -b .trusted-first
%patch85 -p1 -b .armcap
%patch86 -p1 -b .hash-crash
+%patch87 -p1 -b .dtls1-mitm
+%patch88 -p1 -b .handshake-crash
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@@ -468,6 +472,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Tue Jan 7 2014 Tomáš Mráz 1.0.1e-37
+- fix CVE-2013-4353 - Invalid TLS handshake crash
+- fix CVE-2013-6450 - possible MiTM attack on DTLS1
+
* Fri Dec 20 2013 Tomáš Mráz 1.0.1e-36
- fix CVE-2013-6449 - crash when version in SSL structure is incorrect
- more FIPS validation requirement changes