add patches from upstream

openssl-1.0.0a-CVE-2006-7250_CVE-2012-1165.diff

@@ -0,0 +1,26 @@
+
+http://cvs.openssl.org/chngview?cn=22144 (CVE-2006-7250)
+http://cvs.openssl.org/chngview?cn=22252 (CVE-2012-1165)
+
+The CVE-2012-1165 fix corrects the CVE-2006-7250 fix
+
+--- crypto/asn1/asn_mime.c	2008-08-05 15:55:53.000000000 +0000
++++ crypto/asn1/asn_mime.c.oden	2012-03-26 10:52:42.000000000 +0000
+@@ -858,12 +858,17 @@ static int mime_hdr_addparam(MIME_HEADER
+ static int mime_hdr_cmp(const MIME_HEADER * const *a,
+ 			const MIME_HEADER * const *b)
+ {
++	if (!(*a)->name || !(*b)->name)
++		return !!(*a)->name - !!(*b)->name;
++
+ 	return(strcmp((*a)->name, (*b)->name));
+ }
+ 
+ static int mime_param_cmp(const MIME_PARAM * const *a,
+ 			const MIME_PARAM * const *b)
+ {
++	if (!(*a)->param_name || !(*b)->param_name)
++		return !!(*a)->param_name - !!(*b)->param_name;
+ 	return(strcmp((*a)->param_name, (*b)->param_name));
+ }
+ 

openssl-1.0.0a-CVE-2011-4576.diff

@@ -0,0 +1,15 @@
+
+http://cvs.openssl.org/chngview?cn=21940
+
+--- ssl/s3_enc.c	2009-04-16 17:22:50.000000000 +0000
++++ ssl/s3_enc.c.oden	2012-01-09 14:15:06.000000000 +0000
+@@ -512,6 +512,9 @@ int ssl3_enc(SSL *s, int send)
+ 
+ 			/* we need to add 'i-1' padding bytes */
+ 			l+=i;
++			/* the last of these zero bytes will be overwritten
++			 * with the padding length. */
++			memset(&rec->input[rec->length], 0, i);
+ 			rec->length+=i;
+ 			rec->input[l-1]=(i-1);
+ 			}

openssl-1.0.0a-CVE-2011-4619.diff

@@ -0,0 +1,97 @@
+
+http://cvs.openssl.org/chngview?cn=21927
+http://cvs.openssl.org/chngview?cn=21930
+
+diff -Naurp openssl-1.0.0a/ssl/s3_srvr.c openssl-1.0.0a.oden/ssl/s3_srvr.c
+--- openssl-1.0.0a/ssl/s3_srvr.c	2012-01-09 14:49:57.000000000 +0000
++++ openssl-1.0.0a.oden/ssl/s3_srvr.c	2012-01-09 14:53:04.000000000 +0000
+@@ -258,6 +258,7 @@ int ssl3_accept(SSL *s)
+ 				}
+ 
+ 			s->init_num=0;
++			s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
+ 
+ 			if (s->state != SSL_ST_RENEGOTIATE)
+ 				{
+@@ -755,6 +756,14 @@ int ssl3_check_client_hello(SSL *s)
+ 	int ok;
+ 	long n;
+ 
++	/* We only allow the client to restart the handshake once per
++	 * negotiation. */
++	if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
++		{
++		SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
++		return -1;
++		}
++
+ 	/* this function is called when we really expect a Certificate message,
+ 	 * so permit appropriate message length */
+ 	n=s->method->ssl_get_message(s,
+@@ -783,6 +792,7 @@ int ssl3_check_client_hello(SSL *s)
+ 			s->s3->tmp.ecdh = NULL;
+ 			}
+ #endif
++		s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
+ 		return 2;
+ 		}
+ 	return 1;
+diff -Naurp openssl-1.0.0a/ssl/ssl.h openssl-1.0.0a.oden/ssl/ssl.h
+--- openssl-1.0.0a/ssl/ssl.h	2010-01-06 17:37:38.000000000 +0000
++++ openssl-1.0.0a.oden/ssl/ssl.h	2012-01-09 14:53:04.000000000 +0000
+@@ -1882,6 +1882,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_SSL3_CALLBACK_CTRL			 233
+ #define SSL_F_SSL3_CHANGE_CIPHER_STATE			 129
+ #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM		 130
++#define SSL_F_SSL3_CHECK_CLIENT_HELLO			 304
+ #define SSL_F_SSL3_CLIENT_HELLO				 131
+ #define SSL_F_SSL3_CONNECT				 132
+ #define SSL_F_SSL3_CTRL					 213
+@@ -2139,6 +2140,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_MISSING_TMP_RSA_KEY			 172
+ #define SSL_R_MISSING_TMP_RSA_PKEY			 173
+ #define SSL_R_MISSING_VERIFY_MESSAGE			 174
++#define SSL_R_MULTIPLE_SGC_RESTARTS			 346
+ #define SSL_R_NON_SSLV2_INITIAL_PACKET			 175
+ #define SSL_R_NO_CERTIFICATES_RETURNED			 176
+ #define SSL_R_NO_CERTIFICATE_ASSIGNED			 177
+diff -Naurp openssl-1.0.0a/ssl/ssl3.h openssl-1.0.0a.oden/ssl/ssl3.h
+--- openssl-1.0.0a/ssl/ssl3.h	2010-01-06 17:37:38.000000000 +0000
++++ openssl-1.0.0a.oden/ssl/ssl3.h	2012-01-09 14:53:07.000000000 +0000
+@@ -379,6 +379,17 @@ typedef struct ssl3_buffer_st
+ #define SSL3_FLAGS_POP_BUFFER			0x0004
+ #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
+ #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
++ 
++/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
++ * restart a handshake because of MS SGC and so prevents us
++ * from restarting the handshake in a loop. It's reset on a
++ * renegotiation, so effectively limits the client to one restart
++ * per negotiation. This limits the possibility of a DDoS
++ * attack where the client handshakes in a loop using SGC to
++ * restart. Servers which permit renegotiation can still be
++ * effected, but we can't prevent that.
++ */
++#define SSL3_FLAGS_SGC_RESTART_DONE		0x0040
+ 
+ typedef struct ssl3_state_st
+ 	{
+diff -Naurp openssl-1.0.0a/ssl/ssl_err.c openssl-1.0.0a.oden/ssl/ssl_err.c
+--- openssl-1.0.0a/ssl/ssl_err.c	2010-01-06 17:37:38.000000000 +0000
++++ openssl-1.0.0a.oden/ssl/ssl_err.c	2012-01-09 14:53:04.000000000 +0000
+@@ -137,6 +137,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL),	"SSL3_CALLBACK_CTRL"},
+ {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE),	"SSL3_CHANGE_CIPHER_STATE"},
+ {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM),	"SSL3_CHECK_CERT_AND_ALGORITHM"},
++{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO),	"SSL3_CHECK_CLIENT_HELLO"},
+ {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO),	"SSL3_CLIENT_HELLO"},
+ {ERR_FUNC(SSL_F_SSL3_CONNECT),	"SSL3_CONNECT"},
+ {ERR_FUNC(SSL_F_SSL3_CTRL),	"SSL3_CTRL"},
+@@ -397,6 +398,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY)   ,"missing tmp rsa key"},
+ {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY)  ,"missing tmp rsa pkey"},
+ {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
++{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
+ {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
+ {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
+ {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},

openssl-1.0.0a-CVE-2012-0027.diff

@@ -0,0 +1,31 @@
+
+http://cvs.openssl.org/chngview?cn=21957
+
+diff -Naurp openssl-1.0.0a/engines/ccgost/gost2001_keyx.c openssl-1.0.0a.oden/engines/ccgost/gost2001_keyx.c
+--- openssl-1.0.0a/engines/ccgost/gost2001_keyx.c	2009-06-16 16:39:20.000000000 +0000
++++ openssl-1.0.0a.oden/engines/ccgost/gost2001_keyx.c	2012-01-09 14:56:51.000000000 +0000
+@@ -280,6 +280,10 @@ int pkey_GOST01cp_decrypt(EVP_PKEY_CTX *
+ 		}
+ 		
+ 	param = get_encryption_params(gkt->key_agreement_info->cipher);
++    if(!param){
++        goto err;
++    }
++
+ 	gost_init(&ctx,param->sblock);	
+ 	OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);
+ 	memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);
+diff -Naurp openssl-1.0.0a/engines/ccgost/gost94_keyx.c openssl-1.0.0a.oden/engines/ccgost/gost94_keyx.c
+--- openssl-1.0.0a/engines/ccgost/gost94_keyx.c	2010-05-22 00:40:58.000000000 +0000
++++ openssl-1.0.0a.oden/engines/ccgost/gost94_keyx.c	2012-01-09 14:56:51.000000000 +0000
+@@ -261,6 +261,10 @@ int pkey_GOST94cp_decrypt(EVP_PKEY_CTX *
+ 		}
+ 
+ 	param = get_encryption_params(gkt->key_agreement_info->cipher);
++    if(!param){
++        goto err;
++    }
++	
+ 	gost_init(&cctx,param->sblock);	
+ 	OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);
+ 	memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);

openssl-1.0.0d-CVE-2011-1945.diff

@@ -0,0 +1,45 @@
+
+http://cvs.openssl.org/chngview?cn=20894
+http://cvs.openssl.org/chngview?cn=21300
+http://cvs.openssl.org/chngview?cn=20898
+
+diff -Naurp openssl-1.0.0d/crypto/ecdsa/ecs_ossl.c openssl-1.0.0d.oden/crypto/ecdsa/ecs_ossl.c
+--- openssl-1.0.0d/crypto/ecdsa/ecs_ossl.c	2009-12-01 17:32:33.000000000 +0000
++++ openssl-1.0.0d.oden/crypto/ecdsa/ecs_ossl.c	2011-09-23 11:37:34.000000000 +0000
+@@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY *ecke
+ 			}
+ 		while (BN_is_zero(k));
+ 
++		/* We do not want timing information to leak the length of k,
++		 * so we compute G*k using an equivalent scalar of fixed
++		 * bit-length. */
++
++		if (!BN_add(k, k, order)) goto err;
++		if (BN_num_bits(k) <= BN_num_bits(order))
++			if (!BN_add(k, k, order)) goto err;
++
+ 		/* compute r the x-coordinate of generator * k */
+ 		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
+ 		{
+diff -Naurp openssl-1.0.0d/crypto/ocsp/ocsp_lib.c openssl-1.0.0d.oden/crypto/ocsp/ocsp_lib.c
+--- openssl-1.0.0d/crypto/ocsp/ocsp_lib.c	2006-11-13 13:18:28.000000000 +0000
++++ openssl-1.0.0d.oden/crypto/ocsp/ocsp_lib.c	2011-09-23 11:37:38.000000000 +0000
+@@ -170,14 +170,14 @@ int OCSP_parse_url(char *url, char **pho
+ 
+ 	char *host, *port;
+ 
+-	/* dup the buffer since we are going to mess with it */
+-	buf = BUF_strdup(url);
+-	if (!buf) goto mem_err;
+-
+ 	*phost = NULL;
+ 	*pport = NULL;
+ 	*ppath = NULL;
+ 
++	/* dup the buffer since we are going to mess with it */
++	buf = BUF_strdup(url);
++	if (!buf) goto mem_err;
++
+ 	/* Check for initial colon */
+ 	p = strchr(buf, ':');
+ 

openssl-1.0.0d-CVE-2011-3207.diff

@@ -0,0 +1,23 @@
+
+http://cvs.openssl.org/chngview?cn=21349
+
+--- crypto/x509/x509_vfy.c	2010-11-02 15:57:40.000000000 +0000
++++ crypto/x509/x509_vfy.c.oden	2011-09-23 06:35:37.000000000 +0000
+@@ -703,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ct
+ 	x = sk_X509_value(ctx->chain, cnum);
+ 	ctx->current_cert = x;
+ 	ctx->current_issuer = NULL;
++	ctx->current_crl_score = 0;
+ 	ctx->current_reasons = 0;
+ 	while (ctx->current_reasons != CRLDP_ALL_REASONS)
+ 		{
+@@ -2015,6 +2016,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *
+ 	ctx->error_depth=0;
+ 	ctx->current_cert=NULL;
+ 	ctx->current_issuer=NULL;
++	ctx->current_crl=NULL;
++	ctx->current_crl_score=0;
++	ctx->current_reasons=0;
+ 	ctx->tree = NULL;
+ 	ctx->parent = NULL;
+ 

openssl-1.0.0d-CVE-2011-3210.diff

@@ -0,0 +1,112 @@
+
+http://cvs.openssl.org/chngview?cn=21337
+
+diff -Naurp openssl-1.0.0d/ssl/d1_srvr.c openssl-1.0.0d.oden/ssl/d1_srvr.c
+--- openssl-1.0.0d/ssl/d1_srvr.c	2010-02-01 16:49:42.000000000 +0000
++++ openssl-1.0.0d.oden/ssl/d1_srvr.c	2011-09-23 06:39:03.000000000 +0000
+@@ -1017,12 +1017,11 @@ int dtls1_send_server_key_exchange(SSL *
+ 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
+ 				goto err;
+ 				}
+-			if (!EC_KEY_up_ref(ecdhp))
++			if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
+ 				{
+ 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
+ 				goto err;
+ 				}
+-			ecdh = ecdhp;
+ 
+ 			s->s3->tmp.ecdh=ecdh;
+ 			if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
+diff -Naurp openssl-1.0.0d/ssl/s3_lib.c openssl-1.0.0d.oden/ssl/s3_lib.c
+--- openssl-1.0.0d/ssl/s3_lib.c	2009-10-16 15:24:19.000000000 +0000
++++ openssl-1.0.0d.oden/ssl/s3_lib.c	2011-09-23 06:39:03.000000000 +0000
+@@ -2198,11 +2198,17 @@ void ssl3_clear(SSL *s)
+ 		}
+ #ifndef OPENSSL_NO_DH
+ 	if (s->s3->tmp.dh != NULL)
++		{
+ 		DH_free(s->s3->tmp.dh);
++		s->s3->tmp.dh = NULL;
++		}
+ #endif
+ #ifndef OPENSSL_NO_ECDH
+ 	if (s->s3->tmp.ecdh != NULL)
++		{
+ 		EC_KEY_free(s->s3->tmp.ecdh);
++		s->s3->tmp.ecdh = NULL;
++		}
+ #endif
+ 
+ 	rp = s->s3->rbuf.buf;
+diff -Naurp openssl-1.0.0d/ssl/s3_srvr.c openssl-1.0.0d.oden/ssl/s3_srvr.c
+--- openssl-1.0.0d/ssl/s3_srvr.c	2010-12-02 18:24:55.000000000 +0000
++++ openssl-1.0.0d.oden/ssl/s3_srvr.c	2011-09-23 06:39:03.000000000 +0000
+@@ -768,9 +768,7 @@ int ssl3_check_client_hello(SSL *s)
+ 	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
+ 		{
+ 		/* Throw away what we have done so far in the current handshake,
+-		 * which will now be aborted. (A full SSL_clear would be too much.)
+-		 * I hope that tmp.dh is the only thing that may need to be cleared
+-		 * when a handshake is not completed ... */
++		 * which will now be aborted. (A full SSL_clear would be too much.) */
+ #ifndef OPENSSL_NO_DH
+ 		if (s->s3->tmp.dh != NULL)
+ 			{
+@@ -778,6 +776,13 @@ int ssl3_check_client_hello(SSL *s)
+ 			s->s3->tmp.dh = NULL;
+ 			}
+ #endif
++#ifndef OPENSSL_NO_ECDH
++		if (s->s3->tmp.ecdh != NULL)
++			{
++			EC_KEY_free(s->s3->tmp.ecdh);
++			s->s3->tmp.ecdh = NULL;
++			}
++#endif
+ 		return 2;
+ 		}
+ 	return 1;
+@@ -1491,7 +1496,6 @@ int ssl3_send_server_key_exchange(SSL *s
+ 
+ 			if (s->s3->tmp.dh != NULL)
+ 				{
+-				DH_free(dh);
+ 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ 				goto err;
+ 				}
+@@ -1552,7 +1556,6 @@ int ssl3_send_server_key_exchange(SSL *s
+ 
+ 			if (s->s3->tmp.ecdh != NULL)
+ 				{
+-				EC_KEY_free(s->s3->tmp.ecdh); 
+ 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ 				goto err;
+ 				}
+@@ -1563,12 +1566,11 @@ int ssl3_send_server_key_exchange(SSL *s
+ 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
+ 				goto err;
+ 				}
+-			if (!EC_KEY_up_ref(ecdhp))
++			if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
+ 				{
+ 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
+ 				goto err;
+ 				}
+-			ecdh = ecdhp;
+ 
+ 			s->s3->tmp.ecdh=ecdh;
+ 			if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
+@@ -2440,6 +2442,12 @@ int ssl3_get_client_key_exchange(SSL *s)
+ 			/* Get encoded point length */
+ 			i = *p; 
+ 			p += 1;
++			if (n != 1 + i)
++				{
++				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
++				    ERR_R_EC_LIB);
++				goto err;
++				}
+ 			if (EC_POINT_oct2point(group, 
+ 			    clnt_ecpoint, p, i, bn_ctx) == 0)
+ 				{

openssl-1.0.0d-CVE-2011-4108.diff

@@ -0,0 +1,68 @@
+
+http://cvs.openssl.org/chngview?cn=21931
+
+--- ssl/d1_pkt.c	2011-01-04 19:33:22.000000000 +0000
++++ ssl/d1_pkt.c.oden	2012-01-09 15:18:39.000000000 +0000
+@@ -375,6 +375,7 @@ dtls1_process_record(SSL *s)
+ 	SSL3_RECORD *rr;
+ 	unsigned int mac_size;
+ 	unsigned char md[EVP_MAX_MD_SIZE];
++	int decryption_failed_or_bad_record_mac = 0;
+ 
+ 
+ 	rr= &(s->s3->rrec);
+@@ -409,13 +410,10 @@ dtls1_process_record(SSL *s)
+ 	enc_err = s->method->ssl3_enc->enc(s,0);
+ 	if (enc_err <= 0)
+ 		{
+-		if (enc_err == 0)
+-			/* SSLerr() and ssl3_send_alert() have been called */
+-			goto err;
+-
+-		/* otherwise enc_err == -1 */
+-		al=SSL_AD_BAD_RECORD_MAC;
+-		goto f_err;
++		/* To minimize information leaked via timing, we will always
++		 * perform all computations before discarding the message.
++		 */
++		decryption_failed_or_bad_record_mac = 1;
+ 		}
+ 
+ #ifdef TLS_DEBUG
+@@ -445,7 +443,7 @@ printf("\n");
+ 			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+ 			goto f_err;
+ #else
+-			goto err;
++			decryption_failed_or_bad_record_mac = 1;
+ #endif			
+ 			}
+ 		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
+@@ -456,17 +454,25 @@ printf("\n");
+ 			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
+ 			goto f_err;
+ #else
+-			goto err;
++			decryption_failed_or_bad_record_mac = 1;
+ #endif
+ 			}
+ 		rr->length-=mac_size;
+ 		i=s->method->ssl3_enc->mac(s,md,0);
+ 		if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+ 			{
+-			goto err;
++			decryption_failed_or_bad_record_mac = 1;
+ 			}
+ 		}
+ 
++	if (decryption_failed_or_bad_record_mac)
++		{
++		/* decryption failed, silently discard message */
++		rr->length = 0;
++		s->packet_length = 0;
++		goto err;
++		}
++
+ 	/* r->length is now just compressed */
+ 	if (s->expand != NULL)
+ 		{

openssl-1.0.0d-CVE-2012-0050.diff

@@ -0,0 +1,39 @@
+
+http://cvs.openssl.org/chngview?cn=22037
+
+--- ssl/d1_pkt.c	2012-01-29 10:39:58.000000000 +0000
++++ ssl/d1_pkt.c.oden	2012-01-29 10:39:45.000000000 +0000
+@@ -376,6 +376,7 @@ dtls1_process_record(SSL *s)
+ 	unsigned int mac_size;
+ 	unsigned char md[EVP_MAX_MD_SIZE];
+ 	int decryption_failed_or_bad_record_mac = 0;
++	unsigned char *mac = NULL;
+ 
+ 
+ 	rr= &(s->s3->rrec);
+@@ -447,19 +448,15 @@ printf("\n");
+ #endif			
+ 			}
+ 		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
+-		if (rr->length < mac_size)
++		if (rr->length >= mac_size)
+ 			{
+-#if 0 /* OK only for stream ciphers */
+-			al=SSL_AD_DECODE_ERROR;
+-			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
+-			goto f_err;
+-#else
+-			decryption_failed_or_bad_record_mac = 1;
+-#endif
++			rr->length -= mac_size;
++			mac = &rr->data[rr->length];
+ 			}
+-		rr->length-=mac_size;
++		else
++			rr->length = 0;
+ 		i=s->method->ssl3_enc->mac(s,md,0);
+-		if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
++		if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
+ 			{
+ 			decryption_failed_or_bad_record_mac = 1;
+ 			}

openssl-1.0.0d-CVE-2012-0884.diff

@@ -0,0 +1,363 @@
+
+http://cvs.openssl.org/chngview?cn=22228
+
+diff -Naurp openssl-1.0.0d/crypto/cms/cms.h openssl-1.0.0d.oden/crypto/cms/cms.h
+--- openssl-1.0.0d/crypto/cms/cms.h	2008-05-02 17:27:00.000000000 +0000
++++ openssl-1.0.0d.oden/crypto/cms/cms.h	2012-03-26 11:45:36.000000000 +0000
+@@ -111,6 +111,7 @@ DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentI
+ #define CMS_PARTIAL			0x4000
+ #define CMS_REUSE_DIGEST		0x8000
+ #define CMS_USE_KEYID			0x10000
++#define CMS_DEBUG_DECRYPT		0x20000
+ 
+ const ASN1_OBJECT *CMS_get0_type(CMS_ContentInfo *cms);
+ 
+diff -Naurp openssl-1.0.0d/crypto/cms/cms_enc.c openssl-1.0.0d.oden/crypto/cms/cms_enc.c
+--- openssl-1.0.0d/crypto/cms/cms_enc.c	2008-03-29 21:08:37.000000000 +0000
++++ openssl-1.0.0d.oden/crypto/cms/cms_enc.c	2012-03-26 11:45:36.000000000 +0000
+@@ -73,6 +73,8 @@ BIO *cms_EncryptedContent_init_bio(CMS_E
+ 	const EVP_CIPHER *ciph;
+ 	X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
+ 	unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
++	unsigned char *tkey = NULL;
++	size_t tkeylen;
+ 
+ 	int ok = 0;
+ 
+@@ -137,32 +139,57 @@ BIO *cms_EncryptedContent_init_bio(CMS_E
+ 				CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
+ 		goto err;
+ 		}
+-
+-
+-	if (enc && !ec->key)
++	/* Generate random session key */
++	if (!enc || !ec->key)
+ 		{
+-		/* Generate random key */
+-		if (!ec->keylen)
+-			ec->keylen = EVP_CIPHER_CTX_key_length(ctx);
+-		ec->key = OPENSSL_malloc(ec->keylen);
+-		if (!ec->key)
++		tkeylen = EVP_CIPHER_CTX_key_length(ctx);
++		tkey = OPENSSL_malloc(tkeylen);
++		if (!tkey)
+ 			{
+ 			CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
+ 							ERR_R_MALLOC_FAILURE);
+ 			goto err;
+ 			}
+-		if (EVP_CIPHER_CTX_rand_key(ctx, ec->key) <= 0)
++		if (EVP_CIPHER_CTX_rand_key(ctx, tkey) <= 0)
+ 			goto err;
+-		keep_key = 1;
+ 		}
+-	else if (ec->keylen != (unsigned int)EVP_CIPHER_CTX_key_length(ctx))
++
++	if (!ec->key)
++		{
++		ec->key = tkey;
++		ec->keylen = tkeylen;
++		tkey = NULL;
++		if (enc)
++			keep_key = 1;
++		else
++			ERR_clear_error();
++		
++		}
++
++	if (ec->keylen != tkeylen)
+ 		{
+ 		/* If necessary set key length */
+ 		if (EVP_CIPHER_CTX_set_key_length(ctx, ec->keylen) <= 0)
+ 			{
+-			CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
+-				CMS_R_INVALID_KEY_LENGTH);
+-			goto err;
++			/* Only reveal failure if debugging so we don't
++			 * leak information which may be useful in MMA.
++			 */
++			if (ec->debug)
++				{
++				CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
++						CMS_R_INVALID_KEY_LENGTH);
++				goto err;
++				}
++			else
++				{
++				/* Use random key */
++				OPENSSL_cleanse(ec->key, ec->keylen);
++				OPENSSL_free(ec->key);
++				ec->key = tkey;
++				ec->keylen = tkeylen;
++				tkey = NULL;
++				ERR_clear_error();
++				}
+ 			}
+ 		}
+ 
+@@ -198,6 +225,11 @@ BIO *cms_EncryptedContent_init_bio(CMS_E
+ 		OPENSSL_free(ec->key);
+ 		ec->key = NULL;
+ 		}
++	if (tkey)
++		{
++		OPENSSL_cleanse(tkey, tkeylen);
++		OPENSSL_free(tkey);
++		}
+ 	if (ok)
+ 		return b;
+ 	BIO_free(b);
+diff -Naurp openssl-1.0.0d/crypto/cms/cms_env.c openssl-1.0.0d.oden/crypto/cms/cms_env.c
+--- openssl-1.0.0d/crypto/cms/cms_env.c	2008-03-26 17:40:22.000000000 +0000
++++ openssl-1.0.0d.oden/crypto/cms/cms_env.c	2012-03-26 11:45:36.000000000 +0000
+@@ -371,6 +371,8 @@ static int cms_RecipientInfo_ktri_decryp
+ 	unsigned char *ek = NULL;
+ 	size_t eklen;
+ 	int ret = 0;
++	CMS_EncryptedContentInfo *ec;
++	ec = cms->d.envelopedData->encryptedContentInfo;
+ 
+ 	if (ktri->pkey == NULL)
+ 		{
+@@ -417,8 +419,14 @@ static int cms_RecipientInfo_ktri_decryp
+ 
+ 	ret = 1;
+ 
+-	cms->d.envelopedData->encryptedContentInfo->key = ek;
+-	cms->d.envelopedData->encryptedContentInfo->keylen = eklen;
++	if (ec->key)
++		{
++		OPENSSL_cleanse(ec->key, ec->keylen);
++		OPENSSL_free(ec->key);
++		}
++
++	ec->key = ek;
++	ec->keylen = eklen;
+ 
+ 	err:
+ 	if (pctx)
+diff -Naurp openssl-1.0.0d/crypto/cms/cms_lcl.h openssl-1.0.0d.oden/crypto/cms/cms_lcl.h
+--- openssl-1.0.0d/crypto/cms/cms_lcl.h	2008-03-28 19:43:16.000000000 +0000
++++ openssl-1.0.0d.oden/crypto/cms/cms_lcl.h	2012-03-26 11:45:36.000000000 +0000
+@@ -175,6 +175,8 @@ struct CMS_EncryptedContentInfo_st
+ 	const EVP_CIPHER *cipher;
+ 	unsigned char *key;
+ 	size_t keylen;
++	/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
++	int debug;
+ 	};
+ 
+ struct CMS_RecipientInfo_st
+diff -Naurp openssl-1.0.0d/crypto/cms/cms_smime.c openssl-1.0.0d.oden/crypto/cms/cms_smime.c
+--- openssl-1.0.0d/crypto/cms/cms_smime.c	2009-03-25 12:53:51.000000000 +0000
++++ openssl-1.0.0d.oden/crypto/cms/cms_smime.c	2012-03-26 11:45:36.000000000 +0000
+@@ -611,7 +611,10 @@ int CMS_decrypt_set1_pkey(CMS_ContentInf
+ 	STACK_OF(CMS_RecipientInfo) *ris;
+ 	CMS_RecipientInfo *ri;
+ 	int i, r;
++	int debug = 0;
+ 	ris = CMS_get0_RecipientInfos(cms);
++	if (ris)
++		debug = cms->d.envelopedData->encryptedContentInfo->debug;
+ 	for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
+ 		{
+ 		ri = sk_CMS_RecipientInfo_value(ris, i);
+@@ -625,17 +628,38 @@ int CMS_decrypt_set1_pkey(CMS_ContentInf
+ 			CMS_RecipientInfo_set0_pkey(ri, pk);
+ 			r = CMS_RecipientInfo_decrypt(cms, ri);
+ 			CMS_RecipientInfo_set0_pkey(ri, NULL);
+-			if (r > 0)
+-				return 1;
+ 			if (cert)
+ 				{
++				/* If not debugging clear any error and
++				 * return success to avoid leaking of
++				 * information useful to MMA
++				 */
++				if (!debug)
++					{
++					ERR_clear_error();
++					return 1;
++					}
++				if (r > 0)
++					return 1;
+ 				CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY,
+ 						CMS_R_DECRYPT_ERROR);
+ 				return 0;
+ 				}
+-			ERR_clear_error();
++			/* If no cert and not debugging don't leave loop
++			 * after first successful decrypt. Always attempt
++			 * to decrypt all recipients to avoid leaking timing
++			 * of a successful decrypt.
++			 */
++			else if (r > 0 && debug)
++				return 1;
+ 			}
+ 		}
++	/* If no cert and not debugging always return success */
++	if (!cert && !debug)
++		{
++		ERR_clear_error();
++		return 1;
++		}
+ 
+ 	CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT);
+ 	return 0;
+@@ -694,9 +718,14 @@ int CMS_decrypt(CMS_ContentInfo *cms, EV
+ 		}
+ 	if (!dcont && !check_content(cms))
+ 		return 0;
++	if (flags & CMS_DEBUG_DECRYPT)
++		cms->d.envelopedData->encryptedContentInfo->debug = 1;
++	else
++		cms->d.envelopedData->encryptedContentInfo->debug = 0;
++	if (!pk && !cert && !dcont && !out)
++		return 1;
+ 	if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
+ 		return 0;
+-
+ 	cont = CMS_dataInit(cms, dcont);
+ 	if (!cont)
+ 		return 0;
+diff -Naurp openssl-1.0.0d/crypto/pkcs7/pk7_doit.c openssl-1.0.0d.oden/crypto/pkcs7/pk7_doit.c
+--- openssl-1.0.0d/crypto/pkcs7/pk7_doit.c	2010-06-15 17:25:10.000000000 +0000
++++ openssl-1.0.0d.oden/crypto/pkcs7/pk7_doit.c	2012-03-26 11:45:36.000000000 +0000
+@@ -204,11 +204,11 @@ static int pkcs7_decrypt_rinfo(unsigned
+ 	unsigned char *ek = NULL;
+ 	size_t eklen;
+ 
+-	int ret = 0;
++	int ret = -1;
+ 
+ 	pctx = EVP_PKEY_CTX_new(pkey, NULL);
+ 	if (!pctx)
+-		return 0;
++		return -1;
+ 
+ 	if (EVP_PKEY_decrypt_init(pctx) <= 0)
+ 		goto err;
+@@ -235,12 +235,19 @@ static int pkcs7_decrypt_rinfo(unsigned
+ 	if (EVP_PKEY_decrypt(pctx, ek, &eklen,
+ 				ri->enc_key->data, ri->enc_key->length) <= 0)
+ 		{
++		ret = 0;
+ 		PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
+ 		goto err;
+ 		}
+ 
+ 	ret = 1;
+ 
++	if (*pek)
++		{
++		OPENSSL_cleanse(*pek, *peklen);
++		OPENSSL_free(*pek);
++		}
++
+ 	*pek = ek;
+ 	*peklen = eklen;
+ 
+@@ -500,8 +507,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ 		int max;
+ 		X509_OBJECT ret;
+ #endif
+-		unsigned char *ek = NULL;
+-		int eklen;
++		unsigned char *ek = NULL, *tkey = NULL;
++		int eklen, tkeylen;
+ 
+ 		if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
+ 			{
+@@ -534,29 +541,28 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ 			}
+ 
+ 		/* If we haven't got a certificate try each ri in turn */
+-
+ 		if (pcert == NULL)
+ 			{
++			/* Always attempt to decrypt all rinfo even
++			 * after sucess as a defence against MMA timing
++			 * attacks.
++			 */
+ 			for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
+ 				{
+ 				ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
++				
+ 				if (pkcs7_decrypt_rinfo(&ek, &eklen,
+-							ri, pkey) > 0)
+-					break;
++							ri, pkey) < 0)
++					goto err;
+ 				ERR_clear_error();
+-				ri = NULL;
+-				}
+-			if (ri == NULL)
+-				{
+-				PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+-				      PKCS7_R_NO_RECIPIENT_MATCHES_KEY);
+-				goto err;
+ 				}
+ 			}
+ 		else
+ 			{
+-			if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) <= 0)
++			/* Only exit on fatal errors, not decrypt failure */
++			if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
+ 				goto err;
++			ERR_clear_error();
+ 			}
+ 
+ 		evp_ctx=NULL;
+@@ -565,6 +571,19 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ 			goto err;
+ 		if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
+ 			goto err;
++		/* Generate random key as MMA defence */
++		tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx);
++		tkey = OPENSSL_malloc(tkeylen);
++		if (!tkey)
++			goto err;
++		if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0)
++			goto err;
++		if (ek == NULL)
++			{
++			ek = tkey;
++			eklen = tkeylen;
++			tkey = NULL;
++			}
+ 
+ 		if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) {
+ 			/* Some S/MIME clients don't use the same key
+@@ -573,11 +592,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ 			 */
+ 			if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen))
+ 				{
+-				PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+-					PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH);
+-				goto err;
++				/* Use random key as MMA defence */
++				OPENSSL_cleanse(ek, eklen);
++				OPENSSL_free(ek);
++				ek = tkey;
++				eklen = tkeylen;
++				tkey = NULL;
+ 				}
+ 		} 
++		/* Clear errors so we don't leak information useful in MMA */
++		ERR_clear_error();
+ 		if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,ek,NULL,0) <= 0)
+ 			goto err;
+ 
+@@ -586,6 +610,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ 			OPENSSL_cleanse(ek,eklen);
+ 			OPENSSL_free(ek);
+ 			}
++		if (tkey)
++			{
++			OPENSSL_cleanse(tkey,tkeylen);
++			OPENSSL_free(tkey);
++			}
+ 
+ 		if (out == NULL)
+ 			out=etmp;

openssl.spec

@@ -18,7 +18,7 @@
 Summary:	Secure Sockets Layer communications libs & utils
 Name:		openssl
 Version:	%{maj}d
-Release:	%mkrel 3
+Release:	%mkrel 4
 License:	BSD-like
 Group:		System/Libraries
 URL:		http://www.openssl.org/
@@ -44,6 +44,16 @@ Patch13:	openssl-0.9.7-beta5-version-add-engines.patch
 Patch15:        openssl-0.9.8e-crt.patch
 # http://blogs.sun.com/janp/
 Patch16:	pkcs11_engine-1.0.0.diff
+Patch17:	openssl-1.0.0d-CVE-2011-1945.diff
+Patch18:	openssl-1.0.0d-CVE-2011-3207.diff
+Patch19:	openssl-1.0.0d-CVE-2011-3210.diff
+Patch20:	openssl-1.0.0d-CVE-2011-4108.diff
+Patch21:	openssl-1.0.0a-CVE-2011-4576.diff
+Patch22:	openssl-1.0.0a-CVE-2011-4619.diff
+Patch23:	openssl-1.0.0a-CVE-2012-0027.diff
+Patch24:	openssl-1.0.0d-CVE-2012-0050.diff
+Patch25:	openssl-1.0.0a-CVE-2006-7250_CVE-2012-1165.diff
+Patch26:	openssl-1.0.0d-CVE-2012-0884.diff
 # MIPS and ARM support
 Patch300:	openssl-1.0.0-mips.patch
 Patch301:	openssl-1.0.0-arm.patch
@@ -135,6 +145,17 @@ cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.
 %patch15 -p1 -b .crt
 %patch16 -p1 -b .pkcs11_engine
 
+%patch17 -p1 -b .CVE-2011-1945
+%patch18 -p0 -b .CVE-2011-3207
+%patch19 -p1 -b .CVE-2011-3210
+%patch20 -p0 -b .CVE-2011-4108
+%patch21 -p0 -b .CVE-2011-4576
+%patch22 -p1 -b .CVE-2011-4619
+%patch23 -p1 -b .CVE-2012-0027
+%patch24 -p0 -b .CVE-2012-0050
+%patch25 -p0 -b .CVE-2006-7250_CVE-2012-1165
+%patch26 -p1 -b .CVE-2012-0884
+
 %patch300 -p1 -b .mips
 %patch301 -p1 -b .arm
 %patch302 -p1 -b .engines
@@ -174,6 +195,7 @@ sslarch="linux-generic32 -DB_ENDIAN -DNO_ASM"
 sslarch="linux-generic64 -DB_ENDIAN -DNO_ASM"
 %endif
 
+
 # ia64, x86_64, ppc, ppc64 are OK by default
 # Configure the build tree.  Override OpenSSL defaults with known-good defaults
 # usable on all platforms.  The Configure script already knows to use -fPIC and
@@ -189,6 +211,7 @@ sslarch="linux-generic64 -DB_ENDIAN -DNO_ASM"
 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
 # marked as not requiring an executable stack.
 RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack"
+
 make depend
 make all build-shared
 
@@ -354,8 +377,23 @@ rm -fr %{buildroot}
 
 
 %changelog
-* Tue Feb 21 2012 abf
-- The release updated by ABF
+* Mon Mar 26 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2.4
+- P25: security fix for CVE-2006-7250_CVE-2012-1165 (upstream)
+- P26: security fix for CVE-2012-0884 (upstream)
+
+* Sun Jan 29 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2.3
+- P24: security fix for CVE-2012-0050 (upstream)
+
+* Mon Jan 09 2012 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2.2
+- P20: security fix for CVE-2011-4108 (upstream)
+- P21: security fix for CVE-2011-4576 (upstream)
+- P22: security fix for CVE-2011-4619 (upstream)
+- P23: security fix for CVE-2012-0027 (upstream)
+
+* Fri Sep 23 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2.1
+- P17: security fix for CVE-2011-1945 (upstream)
+- P18: security fix for CVE-2011-3207 (upstream)
+- P19: security fix for CVE-2011-3210 (upstream)
 
 * Mon May 02 2011 Oden Eriksson <oeriksson@mandriva.com> 1.0.0d-2mdv2011.0
 + Revision: 661710