[rpms/openssl] rebase_40beta: fix CVE-2013-6449 - crash when version in SSL structure is incorrect

[Tomas Mraz <tmraz@fedoraproject.org>]

            A new commit has been pushed.

            Repo   : rpms/openssl
            Branch : rebase_40beta
            Commit : 8978637f3bb04da478533bd930fcf94128a4c4fa
            Author : Tomas Mraz <tmraz@fedoraproject.org>
            Date   : 2013-12-20T14:14:15+01:00
            Stats  : +95/-1 in 2 file(s)
            URL    : https://src.fedoraproject.org/rpms/openssl/c/8978637f3bb04da478533bd930fcf94128a4c4fa?branch=rebase_40beta

            Log:
            fix CVE-2013-6449 - crash when version in SSL structure is incorrect

- more FIPS validation requirement changes

---
diff --git a/openssl-1.0.1e-cve-2013-6449.patch b/openssl-1.0.1e-cve-2013-6449.patch
new file mode 100644
index 0000000..fe24be5
--- /dev/null
+++ b/openssl-1.0.1e-cve-2013-6449.patch
@@ -0,0 +1,88 @@
+Use version in SSL_METHOD not SSL structure.
+
+When deciding whether to use TLS 1.2 PRF and record hash algorithms
+use the version number in the corresponding SSL_METHOD structure
+instead of the SSL structure. The SSL structure version is sometimes
+inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
+(CVE-2013-6449)
+
+Also preventively check EVP errors for handshake digests.
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index bf832bb..c4ef273 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
+ long ssl_get_algorithm2(SSL *s)
+ 	{
+ 	long alg2 = s->s3->tmp.new_cipher->algorithm2;
+-	if (TLS1_get_version(s) >= TLS1_2_VERSION &&
++	if (s->method->version == TLS1_2_VERSION &&
+ 	    alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
+ 		return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+ 	return alg2;
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index ead01c8..1e5dcab 100644
+--- a/ssl/s3_both.c
++++ b/ssl/s3_both.c
+@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
+ 
+ 		i=s->method->ssl3_enc->final_finish_mac(s,
+ 			sender,slen,s->s3->tmp.finish_md);
++		if (i == 0)
++			return 0;
+ 		s->s3->tmp.finish_md_len = i;
+ 		memcpy(p, s->s3->tmp.finish_md, i);
+ 		p+=i;
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index 804291e..c4bc4e7 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
+ 		slen=s->method->ssl3_enc->client_finished_label_len;
+ 		}
+ 
+-	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
++	i = s->method->ssl3_enc->final_finish_mac(s,
+ 		sender,slen,s->s3->tmp.peer_finish_md);
++	if (i == 0)
++		{
++		SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
++		return 0;
++		}
++	s->s3->tmp.peer_finish_md_len = i;
+ 
+ 	return(1);
+ 	}
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 809ad2e..72015f5 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
+ 		if (mask & ssl_get_algorithm2(s))
+ 			{
+ 			int hashsize = EVP_MD_size(md);
+-			if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
++			EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
++			if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
+ 				{
+ 				/* internal error: 'buf' is too small for this cipersuite! */
+ 				err = 1;
+ 				}
+ 			else
+ 				{
+-				EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
+-				EVP_DigestFinal_ex(&ctx,q,&i);
+-				if (i != (unsigned int)hashsize) /* can't really happen */
++				if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
++					!EVP_DigestFinal_ex(&ctx,q,&i) ||
++					(i != (unsigned int)hashsize))
+ 					err = 1;
+-				q+=i;
++				q+=hashsize;
+ 				}
+ 			}
+ 		}
+-- 
+1.8.3.1
+

diff --git a/openssl.spec b/openssl.spec
index 1964920..5ffa61f 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 35%{?dist}
+Release: 36%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -84,6 +84,7 @@ Patch82: openssl-1.0.1e-backports.patch
 Patch83: openssl-1.0.1e-bad-mac.patch
 Patch84: openssl-1.0.1e-trusted-first.patch
 Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
+Patch86: openssl-1.0.1e-cve-2013-6449.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -203,6 +204,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch83 -p1 -b .bad-mac
 %patch84 -p1 -b .trusted-first
 %patch85 -p1 -b .armcap
+%patch86 -p1 -b .hash-crash
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -466,6 +468,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Dec 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-36
+- fix CVE-2013-6449 - crash when version in SSL structure is incorrect
+- more FIPS validation requirement changes
+
 * Wed Dec 18 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-35
 - drop weak ciphers from the default TLS ciphersuite list
 - add back some symbols that were dropped with update to 1.0.1 branch