File openssl-CVE-2019-1563.patch of Package openssl1

From e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun, 1 Sep 2019 00:16:28 +0200
Subject: [PATCH] Fix a padding oracle in PKCS7_dataDecode and
 CMS_decrypt_set1_pkey

An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.

As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.

The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)

(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
---
 CHANGES                 | 14 ++++++++++++++
 crypto/cms/cms_env.c    | 18 +++++++++++++++++-
 crypto/cms/cms_lcl.h    |  2 ++
 crypto/cms/cms_smime.c  |  4 ++++
 crypto/pkcs7/pk7_doit.c | 12 ++++++++----
 5 files changed, 45 insertions(+), 5 deletions(-)

Index: openssl-1.0.1i/crypto/cms/cms_env.c
===================================================================
--- openssl-1.0.1i.orig/crypto/cms/cms_env.c
+++ openssl-1.0.1i/crypto/cms/cms_env.c
@@ -372,6 +372,7 @@ static int cms_RecipientInfo_ktri_decryp
 	unsigned char *ek = NULL;
 	size_t eklen;
 	int ret = 0;
+	size_t fixlen = 0;
 	CMS_EncryptedContentInfo *ec;
 	ec = cms->d.envelopedData->encryptedContentInfo;
 
@@ -382,6 +383,20 @@ static int cms_RecipientInfo_ktri_decryp
 		return 0;
 		}
 
+
+	if (cms->d.envelopedData->encryptedContentInfo->havenocert
+            && !cms->d.envelopedData->encryptedContentInfo->debug) {
+		X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
+		const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
+
+		if (ciph == NULL) {
+			CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
+			return 0;
+		}
+
+		fixlen = EVP_CIPHER_key_length(ciph);
+	}
+
 	pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL);
 	if (!pctx)
 		return 0;
@@ -411,8 +426,10 @@ static int cms_RecipientInfo_ktri_decryp
 		}
 
 	if (EVP_PKEY_decrypt(pctx, ek, &eklen,
-				ktri->encryptedKey->data,
-				ktri->encryptedKey->length) <= 0)
+			     ktri->encryptedKey->data,
+			     ktri->encryptedKey->length) <= 0
+	    || eklen == 0
+            || (fixlen != 0 && eklen != fixlen))
 		{
 		CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
 		goto err;
Index: openssl-1.0.1i/crypto/cms/cms_lcl.h
===================================================================
--- openssl-1.0.1i.orig/crypto/cms/cms_lcl.h
+++ openssl-1.0.1i/crypto/cms/cms_lcl.h
@@ -177,6 +177,8 @@ struct CMS_EncryptedContentInfo_st
 	size_t keylen;
 	/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
 	int debug;
+	/* Set to 1 if we have no cert and need extra safety measures for MMA */
+	int havenocert;
 	};
 
 struct CMS_RecipientInfo_st
Index: openssl-1.0.1i/crypto/cms/cms_smime.c
===================================================================
--- openssl-1.0.1i.orig/crypto/cms/cms_smime.c
+++ openssl-1.0.1i/crypto/cms/cms_smime.c
@@ -747,6 +747,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EV
 		cms->d.envelopedData->encryptedContentInfo->debug = 1;
 	else
 		cms->d.envelopedData->encryptedContentInfo->debug = 0;
+	if (!cert)
+		cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
+	else
+		cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
 	if (!pk && !cert && !dcont && !out)
 		return 1;
 	if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
Index: openssl-1.0.1i/crypto/pkcs7/pk7_doit.c
===================================================================
--- openssl-1.0.1i.orig/crypto/pkcs7/pk7_doit.c
+++ openssl-1.0.1i/crypto/pkcs7/pk7_doit.c
@@ -198,7 +198,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECI
 
 
 static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
-			       PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
+			       PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
+			       size_t fixlen)
 	{
 	EVP_PKEY_CTX *pctx = NULL;
 	unsigned char *ek = NULL;
@@ -233,7 +234,9 @@ static int pkcs7_decrypt_rinfo(unsigned
 		}
 
 	if (EVP_PKEY_decrypt(pctx, ek, &eklen,
-				ri->enc_key->data, ri->enc_key->length) <= 0)
+			     ri->enc_key->data, ri->enc_key->length) <= 0
+	    || eklen == 0
+	    || (fixlen != 0 && eklen != fixlen))
 		{
 		ret = 0;
 		PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
@@ -598,8 +601,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
 				{
 				ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
 				
-				if (pkcs7_decrypt_rinfo(&ek, &eklen,
-							ri, pkey) < 0)
+				if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
+							EVP_CIPHER_key_length(evp_cipher)) < 0)
 					goto err;
 				ERR_clear_error();
 				}
@@ -607,7 +610,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
 		else
 			{
 			/* Only exit on fatal errors, not decrypt failure */
-			if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
+				if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
 				goto err;
 			ERR_clear_error();
 			}