Further upgrade the yaSSL library to version 2.2.0

to pick up some new security fixes that are in it. Patch provided by Georgi Kodinov.

Further upgrade the yaSSL library to version 2.2.0
to pick up some new security fixes that are in it. Patch provided by Georgi Kodinov.
01dca16d · Joerg Bruehe · b6174b92 · 01dca16d · 01dca16d · 01dca16d
Commit 01dca16d authored Mar 02, 2012 by Joerg Bruehe
7 changed files
--- a/extra/yassl/README
+++ b/extra/yassl/README
@@ -21,8 +21,7 @@ See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.


-*****************yaSSL Release notes, version 1.9.9 (1/26/2010)
-yaSSL Release notes, version 2.0.0 (7/6/2010)
+*****************yaSSL Release notes, version 2.0.0 (7/6/2010)

    This release of yaSSL contains bug fixes, new testing certs,
    and a security patch for a potential heap overflow on forged application

--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
 /*
-   Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
   Use is subject to license terms.

   This program is free software; you can redistribute it and/or modify
@@ -35,7 +35,7 @@
 #include "rsa.h"


-#define YASSL_VERSION "2.1.4"
+#define YASSL_VERSION "2.2.0"


 #if defined(__cplusplus)

--- a/extra/yassl/src/yassl_imp.cpp
+++ b/extra/yassl/src/yassl_imp.cpp
 /*
-   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1087,19 +1087,37 @@ void Certificate::Process(input_buffer& input, SSL& ssl)
    uint32 list_sz;
    byte   tmp[3];

+    if (input.get_remaining() < sizeof(tmp)) {
+        ssl.SetError(YasslError(bad_input));
+        return;
+    }
    tmp[0] = input[AUTO];
    tmp[1] = input[AUTO];
    tmp[2] = input[AUTO];
    c24to32(tmp, list_sz);
+
+    if (list_sz > (uint)MAX_RECORD_SIZE) { // sanity check
+        ssl.SetError(YasslError(bad_input));
+        return;
+    }
    
    while (list_sz) {
        // cert size
        uint32 cert_sz;
+
+        if (input.get_remaining() < sizeof(tmp)) {
+            ssl.SetError(YasslError(bad_input));
+            return;
+        }
        tmp[0] = input[AUTO];
        tmp[1] = input[AUTO];
        tmp[2] = input[AUTO];
        c24to32(tmp, cert_sz);
        
+        if (cert_sz > (uint)MAX_RECORD_SIZE || input.get_remaining() < cert_sz){
+            ssl.SetError(YasslError(bad_input));
+            return;
+        }
        x509* myCert;
        cm.AddPeerCert(myCert = NEW_YS x509(cert_sz));
        input.read(myCert->use_buffer(), myCert->get_length());

--- a/extra/yassl/src/yassl_int.cpp
+++ b/extra/yassl/src/yassl_int.cpp
 /*
-   Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -308,8 +308,9 @@ SSL::SSL(SSL_CTX* ctx)
            SetError(YasslError(err));
            return;
        }
-        else if (serverSide) {
+        else if (serverSide && ctx->GetCiphers().setSuites_ == 0) {
            // remove RSA or DSA suites depending on cert key type
+            // but don't override user sets
            ProtocolVersion pv = secure_.get_connection().version_;
            
            bool removeDH  = secure_.use_parms().removeDH_;

--- a/extra/yassl/taocrypt/include/file.hpp
+++ b/extra/yassl/taocrypt/include/file.hpp
 /*
-   Copyright (C) 2000-2007 MySQL AB
+   Copyright (C) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -39,25 +39,32 @@ public:
    explicit Source(word32 sz = 0) : buffer_(sz), current_(0) {}
    Source(const byte* b, word32 sz) : buffer_(b, sz), current_(0) {}

+    word32 remaining()         { if (GetError().What()) return 0;
+                                 else return buffer_.size() - current_; } 
    word32 size() const        { return buffer_.size(); }
    void   grow(word32 sz)     { buffer_.CleanGrow(sz); }
+
+    bool IsLeft(word32 sz) { if (remaining() >= sz) return true;
+                             else { SetError(CONTENT_E); return false; } }
   
    const byte*  get_buffer()  const { return buffer_.get_buffer(); }
    const byte*  get_current() const { return &buffer_[current_]; }
    word32       get_index()   const { return current_; }
-    void         set_index(word32 i) { current_ = i; }
+    void         set_index(word32 i) { if (i < size()) current_ = i; }

    byte operator[] (word32 i) { current_ = i; return next(); }
-    byte next() { return buffer_[current_++]; }
-    byte prev() { return buffer_[--current_]; }
+    byte next() { if (IsLeft(1)) return buffer_[current_++]; else return 0; }
+    byte prev() { if (current_)  return buffer_[--current_]; else return 0; }

    void add(const byte* data, word32 len)
    {
-        memcpy(buffer_.get_buffer() + current_, data, len);
-        current_ += len;
+        if (IsLeft(len)) {
+            memcpy(buffer_.get_buffer() + current_, data, len);
+            current_ += len;
+        }
    }

-    void advance(word32 i) { current_ += i; }
+    void advance(word32 i) { if (IsLeft(i)) current_ += i; }
    void reset(ByteBlock&);

    Error  GetError()              { return error_; }

--- a/extra/yassl/taocrypt/src/asn.cpp
+++ b/extra/yassl/taocrypt/src/asn.cpp
 /*
-   Copyright (c) 2005-2007 MySQL AB, 2009, 2010 Sun Microsystems, Inc.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
   Use is subject to license terms.

   This program is free software; you can redistribute it and/or modify
@@ -144,6 +144,8 @@ word32 GetLength(Source& source)
    if (b >= LONG_LENGTH) {        
        word32 bytes = b & 0x7F;

+        if (source.IsLeft(bytes) == false) return 0;
+
        while (bytes--) {
            b = source.next();
            length = (length << 8) | b;
@@ -578,8 +580,10 @@ void CertDecoder::StoreKey()
    read = source_.get_index() - read;
    length += read;

+    if (source_.GetError().What()) return;
    while (read--) source_.prev();

+    if (source_.IsLeft(length) == false) return;
    key_.SetSize(length);
    key_.SetKey(source_.get_current());
    source_.advance(length);
@@ -611,6 +615,8 @@ void CertDecoder::AddDSA()
    word32 length = GetLength(source_);
    length += source_.get_index() - idx;

+    if (source_.IsLeft(length) == false) return;
+
    key_.AddToEnd(source_.get_buffer() + idx, length);    
 }

@@ -620,6 +626,8 @@ word32 CertDecoder::GetAlgoId()
 {
    if (source_.GetError().What()) return 0;
    word32 length = GetSequence();
+
+    if (source_.GetError().What()) return 0;
    
    byte b = source_.next();
    if (b != OBJECT_IDENTIFIER) {
@@ -628,8 +636,9 @@ word32 CertDecoder::GetAlgoId()
    }

    length = GetLength(source_);
+    if (source_.IsLeft(length) == false) return 0;
+
    word32 oid = 0;
-    
    while(length--)
        oid += source_.next();        // just sum it up for now

@@ -662,6 +671,10 @@ word32 CertDecoder::GetSignature()
    }

    sigLength_ = GetLength(source_);
+    if (sigLength_ == 0 || source_.IsLeft(sigLength_) == false) {
+        source_.SetError(CONTENT_E);
+        return 0;
+    }
  
    b = source_.next();
    if (b != 0) {
@@ -728,6 +741,7 @@ void CertDecoder::GetName(NameType nt)

    if (length >= ASN_NAME_MAX)
        return;
+    if (source_.IsLeft(length) == false) return;
    length += source_.get_index();
    
    char* ptr;
@@ -753,7 +767,10 @@ void CertDecoder::GetName(NameType nt)
        }

        word32 oidSz = GetLength(source_);
+        if (source_.IsLeft(oidSz) == false) return;
+
        byte joint[2];
+        if (source_.IsLeft(sizeof(joint)) == false) return;
        memcpy(joint, source_.get_current(), sizeof(joint));

        // v1 name types
@@ -763,6 +780,8 @@ void CertDecoder::GetName(NameType nt)
            b              = source_.next();    // strType
            word32 strLen  = GetLength(source_);

+            if (source_.IsLeft(strLen) == false) return;
+
            switch (id) {
            case COMMON_NAME:
                if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen)))
@@ -804,6 +823,7 @@ void CertDecoder::GetName(NameType nt)

            source_.advance(oidSz + 1);
            word32 length = GetLength(source_);
+            if (source_.IsLeft(length) == false) return;

            if (email) {
                if (!(ptr = AddTag(ptr, buf_end, "/emailAddress=", 14, length))) {
@@ -837,6 +857,8 @@ void CertDecoder::GetDate(DateType dt)
    }

    word32 length = GetLength(source_);
+    if (source_.IsLeft(length) == false) return;
+
    byte date[MAX_DATE_SZ];
    if (length > MAX_DATE_SZ || length < MIN_DATE_SZ) {
        source_.SetError(DATE_SZ_E);

--- a/extra/yassl/taocrypt/src/integer.cpp
+++ b/extra/yassl/taocrypt/src/integer.cpp
 /*
-   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -2587,11 +2587,14 @@ void Integer::Decode(Source& source)
    }

    word32 length = GetLength(source);
+    if (length == 0 || source.GetError().What()) return;

    if ( (b = source.next()) == 0x00)
        length--;
    else
        source.prev();
+
+    if (source.IsLeft(length) == false) return;
 
    unsigned int words = (length + WORD_SIZE - 1) / WORD_SIZE;
    words = RoundupSize(words);