From bfc1772d6ed0eed161dde5e54ba858b5c5c02244 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 3 May 2016 18:29:16 +0200
Subject: [PATCH] Multiple security issues fixed.

- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
---
 openssl-1.0.1e-cve-2016-2105.patch | 40 +++++++++++++++++
 openssl-1.0.1e-cve-2016-2106.patch | 12 +++++
 openssl-1.0.1e-cve-2016-2107.patch | 20 +++++++++
 openssl-1.0.1e-cve-2016-2108.patch | 69 ++++++++++++++++++++++++++++
 openssl-1.0.1e-cve-2016-2109.patch | 72 ++++++++++++++++++++++++++++++
 openssl.spec                       | 19 +++++++-
 6 files changed, 231 insertions(+), 1 deletion(-)
 create mode 100644 openssl-1.0.1e-cve-2016-2105.patch
 create mode 100644 openssl-1.0.1e-cve-2016-2106.patch
 create mode 100644 openssl-1.0.1e-cve-2016-2107.patch
 create mode 100644 openssl-1.0.1e-cve-2016-2108.patch
 create mode 100644 openssl-1.0.1e-cve-2016-2109.patch

diff --git a/openssl-1.0.1e-cve-2016-2105.patch b/openssl-1.0.1e-cve-2016-2105.patch
new file mode 100644
index 0000000..b6351a0
--- /dev/null
+++ b/openssl-1.0.1e-cve-2016-2105.patch
@@ -0,0 +1,40 @@
+diff -up openssl-1.0.1e/crypto/evp/encode.c.b64-overflow openssl-1.0.1e/crypto/evp/encode.c
+--- openssl-1.0.1e/crypto/evp/encode.c.b64-overflow	2016-04-07 15:45:20.000000000 +0200
++++ openssl-1.0.1e/crypto/evp/encode.c	2016-04-29 12:46:34.232656522 +0200
+@@ -132,12 +132,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
+ 	     const unsigned char *in, int inl)
+ 	{
+ 	int i,j;
+-	unsigned int total=0;
++	size_t total=0;
+ 
+ 	*outl=0;
+ 	if (inl == 0) return;
+ 	OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
+-	if ((ctx->num+inl) < ctx->length)
++	if (ctx->length - ctx->num > inl)
+ 		{
+ 		memcpy(&(ctx->enc_data[ctx->num]),in,inl);
+ 		ctx->num+=inl;
+@@ -156,7 +156,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
+ 		*out='\0';
+ 		total=j+1;
+ 		}
+-	while (inl >= ctx->length)
++	while (inl >= ctx->length && total <= INT_MAX)
+ 		{
+ 		j=EVP_EncodeBlock(out,in,ctx->length);
+ 		in+=ctx->length;
+@@ -166,6 +166,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
+ 		*out='\0';
+ 		total+=j+1;
+ 		}
++	if (total > INT_MAX)
++		{
++		/* Too much output data! */
++		*outl = 0;
++		return;
++		}
+ 	if (inl != 0)
+ 		memcpy(&(ctx->enc_data[0]),in,inl);
+ 	ctx->num=inl;
diff --git a/openssl-1.0.1e-cve-2016-2106.patch b/openssl-1.0.1e-cve-2016-2106.patch
new file mode 100644
index 0000000..ada5f75
--- /dev/null
+++ b/openssl-1.0.1e-cve-2016-2106.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.enc-overflow openssl-1.0.1e/crypto/evp/evp_enc.c
+--- openssl-1.0.1e/crypto/evp/evp_enc.c.enc-overflow	2016-04-29 12:42:43.000000000 +0200
++++ openssl-1.0.1e/crypto/evp/evp_enc.c	2016-04-29 12:56:50.253736555 +0200
+@@ -408,7 +408,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
+ 	OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
+ 	if (i != 0)
+ 		{
+-		if (i+inl < bl)
++		if (bl - i > inl)
+ 			{
+ 			memcpy(&(ctx->buf[i]),in,inl);
+ 			ctx->buf_len+=inl;
diff --git a/openssl-1.0.1e-cve-2016-2107.patch b/openssl-1.0.1e-cve-2016-2107.patch
new file mode 100644
index 0000000..340267e
--- /dev/null
+++ b/openssl-1.0.1e-cve-2016-2107.patch
@@ -0,0 +1,20 @@
+diff -up openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c.padding-check openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c
+--- openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c.padding-check	2016-04-29 12:42:43.000000000 +0200
++++ openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c	2016-04-29 13:10:13.441125487 +0200
+@@ -59,6 +59,7 @@
+ #include <openssl/aes.h>
+ #include <openssl/sha.h>
+ #include "evp_locl.h"
++#include "constant_time_locl.h"
+ 
+ #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
+ #define EVP_CIPH_FLAG_AEAD_CIPHER	0x200000
+@@ -278,6 +279,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV
+ 			maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
+ 			maxpad &= 255;
+ 
++			ret &= constant_time_ge(maxpad, pad);
++
+ 			inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
+ 			mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
+ 			inp_len &= mask;
diff --git a/openssl-1.0.1e-cve-2016-2108.patch b/openssl-1.0.1e-cve-2016-2108.patch
new file mode 100644
index 0000000..9520ed6
--- /dev/null
+++ b/openssl-1.0.1e-cve-2016-2108.patch
@@ -0,0 +1,69 @@
+diff -up openssl-1.0.1e/crypto/asn1/a_int.c.asn1-negative openssl-1.0.1e/crypto/asn1/a_int.c
+--- openssl-1.0.1e/crypto/asn1/a_int.c.asn1-negative	2016-04-29 13:23:05.221797998 +0200
++++ openssl-1.0.1e/crypto/asn1/a_int.c	2016-04-29 13:26:51.030957218 +0200
+@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
+ 		{
+ 		ret=a->length;
+ 		i=a->data[0];
++		if (ret == 1 && i == 0)
++			neg = 0;
+ 		if (!neg && (i > 127)) {
+ 			pad=1;
+ 			pb=0;
+@@ -157,7 +159,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
+ 		p += a->length - 1;
+ 		i = a->length;
+ 		/* Copy zeros to destination as long as source is zero */
+-		while(!*n) {
++		while(!*n && i > 1) {
+ 			*(p--) = 0;
+ 			n--;
+ 			i--;
+@@ -415,7 +417,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const B
+ 		ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_NESTED_ASN1_ERROR);
+ 		goto err;
+ 		}
+-	if (BN_is_negative(bn))
++	if (BN_is_negative(bn) && !BN_is_zero(bn))
+ 		ret->type = V_ASN1_NEG_INTEGER;
+ 	else ret->type=V_ASN1_INTEGER;
+ 	j=BN_num_bits(bn);
+diff -up openssl-1.0.1e/crypto/asn1/a_type.c.asn1-negative openssl-1.0.1e/crypto/asn1/a_type.c
+--- openssl-1.0.1e/crypto/asn1/a_type.c.asn1-negative	2016-04-29 12:42:43.000000000 +0200
++++ openssl-1.0.1e/crypto/asn1/a_type.c	2016-04-29 13:28:40.202443787 +0200
+@@ -131,9 +131,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
+ 		result = 0;	/* They do not have content. */
+ 		break;
+ 	case V_ASN1_INTEGER:
+-	case V_ASN1_NEG_INTEGER:
+ 	case V_ASN1_ENUMERATED:
+-	case V_ASN1_NEG_ENUMERATED:
+ 	case V_ASN1_BIT_STRING:
+ 	case V_ASN1_OCTET_STRING:
+ 	case V_ASN1_SEQUENCE:
+diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.asn1-negative openssl-1.0.1e/crypto/asn1/tasn_dec.c
+--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.asn1-negative	2016-04-29 12:42:43.000000000 +0200
++++ openssl-1.0.1e/crypto/asn1/tasn_dec.c	2016-04-29 13:30:08.560456293 +0200
+@@ -1011,9 +1011,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
+ 		break;
+ 
+ 		case V_ASN1_INTEGER:
+-		case V_ASN1_NEG_INTEGER:
+ 		case V_ASN1_ENUMERATED:
+-		case V_ASN1_NEG_ENUMERATED:
+ 		tint = (ASN1_INTEGER **)pval;
+ 		if (!c2i_ASN1_INTEGER(tint, &cont, len))
+ 			goto err;
+diff -up openssl-1.0.1e/crypto/asn1/tasn_enc.c.asn1-negative openssl-1.0.1e/crypto/asn1/tasn_enc.c
+--- openssl-1.0.1e/crypto/asn1/tasn_enc.c.asn1-negative	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/asn1/tasn_enc.c	2016-04-29 13:30:34.688051394 +0200
+@@ -638,9 +638,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig
+ 		break;
+ 
+ 		case V_ASN1_INTEGER:
+-		case V_ASN1_NEG_INTEGER:
+ 		case V_ASN1_ENUMERATED:
+-		case V_ASN1_NEG_ENUMERATED:
+ 		/* These are all have the same content format
+ 		 * as ASN1_INTEGER
+ 		 */
diff --git a/openssl-1.0.1e-cve-2016-2109.patch b/openssl-1.0.1e-cve-2016-2109.patch
new file mode 100644
index 0000000..dd7de61
--- /dev/null
+++ b/openssl-1.0.1e-cve-2016-2109.patch
@@ -0,0 +1,72 @@
+diff -up openssl-1.0.1e/crypto/asn1/a_d2i_fp.c.asn1-bio-dos openssl-1.0.1e/crypto/asn1/a_d2i_fp.c
+--- openssl-1.0.1e/crypto/asn1/a_d2i_fp.c.asn1-bio-dos	2013-02-11 16:02:47.000000000 +0100
++++ openssl-1.0.1e/crypto/asn1/a_d2i_fp.c	2016-04-29 13:44:52.205538739 +0200
+@@ -139,6 +139,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *
+ #endif
+ 
+ #define HEADER_SIZE   8
++#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
+ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
+ 	{
+ 	BUF_MEM *b;
+@@ -230,6 +231,8 @@ static int asn1_d2i_read_bio(BIO *in, BU
+ 			want=c.slen;
+ 			if (want > (len-off))
+ 				{
++				size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
++
+ 				want-=(len-off);
+ 				if (want > INT_MAX /* BIO_read takes an int length */ ||
+ 					len+want < len)
+@@ -237,24 +240,38 @@ static int asn1_d2i_read_bio(BIO *in, BU
+ 						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+ 						goto err;
+ 						}
+-				if (!BUF_MEM_grow_clean(b,len+want))
+-					{
+-					ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
+-					goto err;
+-					}
+ 				while (want > 0)
+ 					{
+-					i=BIO_read(in,&(b->data[len]),want);
+-					if (i <= 0)
++					/*
++					 * Read content in chunks of increasing size
++					 * so we can return an error for EOF without
++					 * having to allocate the entire content length
++					 * in one go.
++					 */
++					size_t chunk = want > chunk_max ? chunk_max : want;
++
++					if (!BUF_MEM_grow_clean(b, len + chunk))
+ 						{
+-						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+-						    ASN1_R_NOT_ENOUGH_DATA);
++						ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
+ 						goto err;
+ 						}
+-					/* This can't overflow because
+-					 * |len+want| didn't overflow. */
+-					len+=i;
+-					want-=i;
++					want -= chunk;
++					while (chunk > 0)
++						{
++						i = BIO_read(in, &(b->data[len]), chunk);
++						if (i <= 0)
++							{
++							ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
++								ASN1_R_NOT_ENOUGH_DATA);
++							goto err;
++							}
++						/* This can't overflow because
++						 * |len+want| didn't overflow. */
++						len += i;
++						chunk -= i;
++						}
++					if (chunk_max < INT_MAX/2)
++						chunk_max *= 2;
+ 					}
+ 				}
+ 			if (off + c.slen < off)
diff --git a/openssl.spec b/openssl.spec
index 13b992f..53a1e05 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1k
-Release: 14%{?dist}
+Release: 15%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -111,6 +111,11 @@ Patch117: openssl-1.0.1k-cve-2016-0702.patch
 Patch118: openssl-1.0.1e-cve-2016-0705.patch
 Patch119: openssl-1.0.1e-cve-2016-0797.patch
 Patch120: openssl-1.0.1k-cve-2016-0799.patch
+Patch121: openssl-1.0.1e-cve-2016-2105.patch
+Patch122: openssl-1.0.1e-cve-2016-2106.patch
+Patch123: openssl-1.0.1e-cve-2016-2107.patch
+Patch124: openssl-1.0.1e-cve-2016-2108.patch
+Patch125: openssl-1.0.1e-cve-2016-2109.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -255,6 +260,11 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch118 -p1 -b .dsa-doublefree
 %patch119 -p1 -b .bn-hex
 %patch120 -p1 -b .bio-printf
+%patch121 -p1 -b .b64-overflow
+%patch122 -p1 -b .enc-overflow
+%patch123 -p1 -b .padding-check
+%patch124 -p1 -b .asn1-negative
+%patch125 -p1 -b .asn1-bio-dos
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -527,6 +537,13 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Tue May  3 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-15
+- fix CVE-2016-2105 - possible overflow in base64 encoding
+- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
+- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
+- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
+- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
+
 * Wed Mar  2 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-14
 - fix CVE-2016-0702 - side channel attack on modular exponentiation
 - fix CVE-2016-0705 - double-free in DSA private key parsing