Fix for CMS/PKCS7 MMA. If RSA decryption fails use a random key and

 Changes between 1.0.0g and 1.0.0h [xx XXX xxxx]

  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness

     in CMS and PKCS7 code. When RSA decryption fails use a random key for

     content decryption and always return the same error. Note: this attack

     needs on average 2^20 messages so it only affects automated senders. The

     old behaviour can be reenabled in the CMS code by setting the

     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where

     an MMA defence is not necessary.

     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering

     this issue. (CVE-2012-0884)

     [Steve Henson]

  *) Fix CVE-2011-4619: make sure we really are receiving a 

     client hello before rejecting multiple SGC restarts. Thanks to

     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.

#define CMS_PARTIAL			0x4000

#define CMS_REUSE_DIGEST		0x8000

#define CMS_USE_KEYID			0x10000

#define CMS_DEBUG_DECRYPT		0x20000

const ASN1_OBJECT *CMS_get0_type(CMS_ContentInfo *cms);

	const EVP_CIPHER *ciph;

	X509_ALGOR *calg = ec->contentEncryptionAlgorithm;

	unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;

	unsigned char *tkey = NULL;

	size_t tkeylen;

	int ok = 0;

				CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);

		goto err;

		}

	if (enc && !ec->key)

	/* Generate random session key */

	if (!enc || !ec->key)

		{

		/* Generate random key */

		if (!ec->keylen)

			ec->keylen = EVP_CIPHER_CTX_key_length(ctx);

		ec->key = OPENSSL_malloc(ec->keylen);

		if (!ec->key)

		tkeylen = EVP_CIPHER_CTX_key_length(ctx);

		tkey = OPENSSL_malloc(tkeylen);

		if (!tkey)

			{

			CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,

							ERR_R_MALLOC_FAILURE);

			goto err;

			}

		if (EVP_CIPHER_CTX_rand_key(ctx, ec->key) <= 0)

		if (EVP_CIPHER_CTX_rand_key(ctx, tkey) <= 0)

			goto err;

		}

	if (!ec->key)

		{

		ec->key = tkey;

		ec->keylen = tkeylen;

		tkey = NULL;

		if (enc)

			keep_key = 1;

		else

			ERR_clear_error();

		}

	else if (ec->keylen != (unsigned int)EVP_CIPHER_CTX_key_length(ctx))

	if (ec->keylen != tkeylen)

		{

		/* If necessary set key length */

		if (EVP_CIPHER_CTX_set_key_length(ctx, ec->keylen) <= 0)

			{

			/* Only reveal failure if debugging so we don't

			 * leak information which may be useful in MMA.

			 */

			if (ec->debug)

				{

				CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,

						CMS_R_INVALID_KEY_LENGTH);

				goto err;

				}

			else

				{

				/* Use random key */

				OPENSSL_cleanse(ec->key, ec->keylen);

				OPENSSL_free(ec->key);

				ec->key = tkey;

				ec->keylen = tkeylen;

				tkey = NULL;

				ERR_clear_error();

				}

			}

		}

	if (EVP_CipherInit_ex(ctx, NULL, NULL, ec->key, piv, enc) <= 0)

		OPENSSL_free(ec->key);

		ec->key = NULL;

		}

	if (tkey)

		{

		OPENSSL_cleanse(tkey, tkeylen);

		OPENSSL_free(tkey);

		}

	if (ok)

		return b;

	BIO_free(b);

	unsigned char *ek = NULL;

	size_t eklen;

	int ret = 0;

	CMS_EncryptedContentInfo *ec;

	ec = cms->d.envelopedData->encryptedContentInfo;

	if (ktri->pkey == NULL)

		{

	ret = 1;

	cms->d.envelopedData->encryptedContentInfo->key = ek;

	cms->d.envelopedData->encryptedContentInfo->keylen = eklen;

	if (ec->key)

		{

		OPENSSL_cleanse(ec->key, ec->keylen);

		OPENSSL_free(ec->key);

		}

	ec->key = ek;

	ec->keylen = eklen;

	err:

	if (pctx)

	const EVP_CIPHER *cipher;

	unsigned char *key;

	size_t keylen;

	/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */

	int debug;

	};

struct CMS_RecipientInfo_st