From f27bc95204f0377e59335bab3142a9b895bcee27 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 09 2016 03:43:40 +0000
Subject: import openssl098e-0.9.8e-29.el7_2.3
---
diff --git a/SOURCES/openssl-fips-0.9.8e-cve-2015-0293.patch b/SOURCES/openssl-fips-0.9.8e-cve-2015-0293.patch
new file mode 100644
index 0000000..3e9cfd6
--- /dev/null
+++ b/SOURCES/openssl-fips-0.9.8e-cve-2015-0293.patch
@@ -0,0 +1,112 @@
+diff -up openssl-fips-0.9.8e/ssl/s2_lib.c.ssl2-assert openssl-fips-0.9.8e/ssl/s2_lib.c
+--- openssl-fips-0.9.8e/ssl/s2_lib.c.ssl2-assert 2015-04-01 12:41:28.023403066 +0200
++++ openssl-fips-0.9.8e/ssl/s2_lib.c 2015-04-02 15:29:37.468346462 +0200
+@@ -410,7 +410,7 @@ int ssl2_generate_key_material(SSL *s)
+ 
+ OPENSSL_assert(s->session->master_key_length >= 0
+ && s->session->master_key_length
+- < (int)sizeof(s->session->master_key));
++ <= (int)sizeof(s->session->master_key));
+ EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
+ EVP_DigestUpdate(&ctx,&c,1);
+ c++;
+diff -up openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-assert openssl-fips-0.9.8e/ssl/s2_srvr.c
+--- openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-assert 2015-04-01 12:41:27.950401420 +0200
++++ openssl-fips-0.9.8e/ssl/s2_srvr.c 2015-04-02 15:33:51.109049368 +0200
+@@ -363,7 +363,8 @@ end:
+ 
+ static int get_client_master_key(SSL *s)
+ {
+- int is_export,i,n,keya,ek;
++ int is_export,i,n,keya;
++ unsigned int ek;
+ unsigned long len;
+ unsigned char *p;
+ SSL_CIPHER *cp;
+@@ -445,9 +446,6 @@ static int get_client_master_key(SSL *s)
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
+ return(-1);
+ }
+- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
+- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
+- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
+ 
+ is_export=SSL_C_IS_EXPORT(s->session->cipher);
+ 
+@@ -466,21 +464,61 @@ static int get_client_master_key(SSL *s)
+ else
+ ek=5;
+ 
++ /*
++ * The format of the CLIENT-MASTER-KEY message is
++ * 1 byte message type
++ * 3 bytes cipher
++ * 2-byte clear key length (stored in s->s2->tmp.clear)
++ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
++ * 2-byte key args length (IV etc)
++ * clear key
++ * encrypted key
++ * key args
++ *
++ * If the cipher is an export cipher, then the encrypted key bytes
++ * are a fixed portion of the total key (5 or 8 bytes). The size of
++ * this portion is in |ek|. If the cipher is not an export cipher,
++ * then the entire key material is encrypted (i.e., clear key length
++ * must be zero).
++ */
++ if ((!is_export && s->s2->tmp.clear != 0) ||
++ (is_export && s->s2->tmp.clear + ek != (unsigned int)EVP_CIPHER_key_length(c)))
++ {
++ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
++ return -1;
++ }
++ /*
++ * The encrypted blob must decrypt to the encrypted portion of the key.
++ * Decryption can't be expanding, so if we don't have enough encrypted
++ * bytes to fit the key in the buffer, stop now.
++ */
++ if ((is_export && s->s2->tmp.enc < ek) ||
++ (!is_export && s->s2->tmp.enc < (unsigned int)EVP_CIPHER_key_length(c)))
++ {
++ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
++ return -1;
++ }
++
++ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
++ &(p[s->s2->tmp.clear]),
++ &(p[s->s2->tmp.clear]),
++ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : RSA_PKCS1_PADDING);
++
+ /* bad decrypt */
+ #if 1
+ /* If a bad decrypt, continue with protocol but with a
+ * random master secret (Bleichenbacher attack) */
+- if ((i < 0) ||
+- ((!is_export && (i != EVP_CIPHER_key_length(c)))
+- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
+- (unsigned int)EVP_CIPHER_key_length(c))))))
++ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
++ || (is_export && i != (int)ek)))
+ {
+ ERR_clear_error();
+ if (is_export)
+ i=ek;
+ else
+ i=EVP_CIPHER_key_length(c);
+- if (RAND_pseudo_bytes(p,i) <= 0)
++ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear],i) <= 0)
+ return 0;
+ }
+ #else
+@@ -504,7 +542,8 @@ static int get_client_master_key(SSL *s)
+ }
+ #endif
+ 
+- if (is_export) i+=s->s2->tmp.clear;
++ if (is_export)
++ i = EVP_CIPHER_key_length(c);
+ 
+ if (i > SSL_MAX_MASTER_KEY_LENGTH)
+ {
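Review bot: The new patch file has no descriptive header: nothing above the first `diff -up` line records what it backports or where the change came from, so the only link to CVE-2015-0293 is the file name and the spec changelog. A short header above the first `diff -up` line such as `Backport of the upstream fix for CVE-2015-0293: check the CLIENT-MASTER-KEY clear/encrypted key lengths before the RSA decrypt and relax the master_key_length assert to <=` (with the upstream reference filled in from the upstream history) would give later maintainers the provenance. The two new length-check blocks are also inconsistent in spacing, `ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR)` in the first versus `ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR)` in the second, where the surrounding code uses the unspaced form. get_client_master_key begins and ends outside the nested hunks shown here.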
diff --git a/SOURCES/openssl-fips-0.9.8e-cve-2015-3197.patch b/SOURCES/openssl-fips-0.9.8e-cve-2015-3197.patch
new file mode 100644
index 0000000..028bde3
--- /dev/null
+++ b/SOURCES/openssl-fips-0.9.8e-cve-2015-3197.patch
@@ -0,0 +1,42 @@
+diff -up openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-ciphers openssl-fips-0.9.8e/ssl/s2_srvr.c
+--- openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-ciphers 2015-04-02 15:33:51.109049368 +0200
++++ openssl-fips-0.9.8e/ssl/s2_srvr.c 2016-02-18 19:15:21.164380375 +0100
+@@ -393,7 +393,7 @@ static int get_client_master_key(SSL *s)
+ }
+ 
+ cp=ssl2_get_cipher_by_char(p);
+- if (cp == NULL)
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
+ {
+ ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+@@ -692,9 +692,13 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
++
++ /* Generate list of SSLv2 ciphers shared between client and server */
+ for (z=0; zalgorithms & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow,cp) < 0)
+ {
+ (void)sk_SSL_CIPHER_delete(prio,z);
+ z--;
+@@ -705,6 +709,14 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
++ {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /* s->session->ciphers should now have a list of
+ * ciphers that are on both the client and server.
+ * This list is ordered by the order the client sent
diff --git a/SOURCES/openssl-fips-0.9.8e-disable-sslv2.patch b/SOURCES/openssl-fips-0.9.8e-disable-sslv2.patch
new file mode 100644
index 0000000..f724578
--- /dev/null
+++ b/SOURCES/openssl-fips-0.9.8e-disable-sslv2.patch
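Review bot: The get_client_hello hunk (`@@ -692,9 +692,13 @@`) is not intact as shown: `for (z=0; zalgorithms & SSL_SSLV2) == 0 ||` is not valid C and the hunk holds fewer old and new lines than its header declares, so text between `z` and `algorithms` (presumably the loop bound and the declaration of the `cp` that the next line uses) has been lost, most likely a `<`…`>` span stripped as markup when the page was rendered. Check the committed patch file with `patch --dry-run` or `rpmbuild -bp` rather than this listing before relying on it. Like the other new patch files, it has no header naming what it backports; a one-line `Backport of the upstream fix for CVE-2015-3197 (SSLv2 ciphersuite enforcement)` header at the top would help. Both get_client_master_key and get_client_hello extend beyond the nested hunks.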
@@ -0,0 +1,83 @@
+diff -up openssl-fips-0.9.8e/doc/apps/ciphers.pod.disable-sslv2 openssl-fips-0.9.8e/doc/apps/ciphers.pod
+--- openssl-fips-0.9.8e/doc/apps/ciphers.pod.disable-sslv2 2007-04-25 15:15:50.000000000 +0200
++++ openssl-fips-0.9.8e/doc/apps/ciphers.pod 2016-02-24 15:49:57.949108087 +0100
+@@ -383,11 +383,11 @@ Note: these ciphers can also be used in
+ =head2 SSL v2.0 cipher suites.
+ 
+ SSL_CK_RC4_128_WITH_MD5 RC4-MD5
+- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
+- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
+- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
++ SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented.
++ SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5
++ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented.
+ SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
+- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
++ SSL_CK_DES_64_CBC_WITH_MD5 Not implemented.
+ SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
+ 
+ =head1 NOTES
+diff -up openssl-fips-0.9.8e/ssl/ssl_lib.c.disable-sslv2 openssl-fips-0.9.8e/ssl/ssl_lib.c
+--- openssl-fips-0.9.8e/ssl/ssl_lib.c.disable-sslv2 2016-02-24 15:49:57.927107582 +0100
++++ openssl-fips-0.9.8e/ssl/ssl_lib.c 2016-02-24 15:49:57.948108064 +0100
+@@ -1548,6 +1548,8 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
+ */
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+ 
++ ret->options |= SSL_OP_NO_SSLv2;
++
+ return(ret);
+ err:
+ SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
+diff -up openssl-fips-0.9.8e/ssl/s2_lib.c.disable-sslv2 openssl-fips-0.9.8e/ssl/s2_lib.c
+--- openssl-fips-0.9.8e/ssl/s2_lib.c.disable-sslv2 2016-02-24 15:49:57.949108087 +0100
++++ openssl-fips-0.9.8e/ssl/s2_lib.c 2016-02-24 15:52:27.697544452 +0100
+@@ -97,6 +97,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++#if 0
+ /* RC4_128_EXPORT40_WITH_MD5 */
+ {
+ 1,
+@@ -110,6 +111,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++#endif
+ /* RC2_128_CBC_WITH_MD5 */
+ {
+ 1,
+@@ -123,6 +125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++#if 0
+ /* RC2_128_CBC_EXPORT40_WITH_MD5 */
+ {
+ 1,
+@@ -136,7 +139,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+-/* IDEA_128_CBC_WITH_MD5 */
++#endif
+ #ifndef OPENSSL_NO_IDEA
+ {
+ 1,
+@@ -151,6 +154,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]
+ SSL_ALL_STRENGTHS,
+ },
+ #endif
++#if 0
+ /* DES_64_CBC_WITH_MD5 */
+ {
+ 1,
+@@ -164,6 +168,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
++#endif
+ /* DES_192_EDE3_CBC_WITH_MD5 */
+ {
+ 1,
diff --git a/SPECS/openssl098e.spec b/SPECS/openssl098e.spec
index 2ff8471..f90d6ac 100644
--- a/SPECS/openssl098e.spec
+++ b/SPECS/openssl098e.spec
@@ -18,7 +18,7 @@ Summary: A compatibility version of a general cryptography and TLS library
 Name: openssl098e
 Version: 0.9.8e
-Release: 29%{?dist}.2
+Release: 29%{?dist}.3
 # The tarball is based on the openssl-fips-1.2.0-test.tar.gz tarball
 Source: openssl-fips-%{version}-usa.tar.bz2
 Source1: hobble-openssl
@@ -90,6 +90,9 @@ Patch105: openssl-fips-0.9.8e-secure-getenv.patch
 Patch106: openssl-fips-0.9.8e-cve-2013-0166.patch
 Patch107: openssl-fips-0.9.8e-cve-2013-0169.patch
 Patch108: openssl-fips-0.9.8e-cve-2014-0224.patch
+Patch122: openssl-fips-0.9.8e-cve-2015-0293.patch
+Patch128: openssl-fips-0.9.8e-cve-2015-3197.patch
+Patch129: openssl-fips-0.9.8e-disable-sslv2.patch
 License: OpenSSL
 Group: System Environment/Libraries
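Review bot: In the s2_lib.c hunk `@@ -136,7 +139,7 @@` the `#endif` that closes the disabled RC2_128_CBC_EXPORT40_WITH_MD5 entry is introduced by replacing the `/* IDEA_128_CBC_WITH_MD5 */` label line, so the IDEA entry (under `#ifndef OPENSSL_NO_IDEA`) becomes the only one in ssl2_ciphers[] left without its comment. Add the directive instead of swapping it in: `+#endif` followed by the unchanged ` /* IDEA_128_CBC_WITH_MD5 */` context line, with the hunk header becoming `-136,7 +139,8`. The three `#if 0` blocks also carry no explanation; a comment on each, e.g. `/* export and single-DES SSLv2 suites disabled (disable-sslv2 patch) */`, would spare the next reader a trip to the spec changelog. ssl2_ciphers[] and SSL_CTX_new both continue outside their hunks.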
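Review bot: The Patch numbering jumps from Patch108 to Patch122, Patch128 and Patch129 with nothing in the hunk explaining the gap. If the numbers are deliberately kept aligned with the spec these patches were taken from (the `.ssl2-assert`/`.ssl2-ciphers`/`.disable-sslv2` backup suffixes in the nested patch headers suggest so), a comment above `Patch122:` such as `# patch numbers intentionally match the spec these were backported from` would stop a later cleanup from renumbering them.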
@@ -99,12 +102,16 @@ BuildRequires: mktemp, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp BuildRequires: /usr/bin/rename Requires: mktemp, ca-certificates >= 2008-5 +# for compatibility with previous versions, not needed for (and doesn't build +# on) newly added platforms +ExcludeArch: aarch64 ppc64le + %description The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. This version of OpenSSL package is provided for compatibility -with the previous CentOS Linux release. +with the previous Red Hat Enterprise Linux release. %prep @@ -175,6 +182,9 @@ with the previous CentOS Linux release. %patch106 -p1 -b .ocsp-dos %patch107 -p1 -b .lucky13 %patch108 -p1 -b .keying-mitm +%patch122 -p1 -b .ssl2-assert +%patch128 -p1 -b .ssl2-ciphers +%patch129 -p1 -b .disable-sslv2 # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -307,8 +317,10 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir} %postun -p /sbin/ldconfig %changelog -* Tue Jun 19 2014 Johnny Hughes 0.9.8e-29.2.el7.centos -- Roll in SPEC Branding Changes +* Fri Mar 4 2016 Tomas Mraz 0.9.8e-29.3 +- fix CVE-2015-0293 - triggerable assert in SSLv2 server +- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement +- disable SSLv2 in the generic TLS method * Tue Jun 3 2014 Tomas Mraz 0.9.8e-29.2 - fix for CVE-2014-0224 - SSL/TLS MITM vulnerability
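Review bot: The %description hunk reverts `with the previous CentOS Linux release.` to `with the previous Red Hat Enterprise Linux release.`, and the %changelog hunk at the end of the file drops the `* Tue Jun 19 2014 Johnny Hughes 0.9.8e-29.2.el7.centos` entry (`Roll in SPEC Branding Changes`) instead of placing the new 29.3 entry above it, so the distribution's branding changes are silently undone by this import. If undoing them is the intended effect of importing the upstream spec, the commit message `import openssl098e-0.9.8e-29.el7_2.3` should say so; otherwise the two branding lines need to be re-applied on top of the imported spec. The new `ExcludeArch: aarch64 ppc64le` line and its comment are clear as written.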