Commit 5b49c7ce authored by Joerg Bruehe's avatar Joerg Bruehe

Further upgrade the yaSSL library to version 2.2.0

to pick up some new security fixes that are in it.

Patch provided by Georgi Kodinov.
parent c3b04553
...@@ -21,8 +21,7 @@ See normal build instructions below under 1.0.6. ...@@ -21,8 +21,7 @@ See normal build instructions below under 1.0.6.
See libcurl build instructions below under 1.3.0 and note in 1.5.8. See libcurl build instructions below under 1.3.0 and note in 1.5.8.
*****************yaSSL Release notes, version 1.9.9 (1/26/2010) *****************yaSSL Release notes, version 2.0.0 (7/6/2010)
yaSSL Release notes, version 2.0.0 (7/6/2010)
This release of yaSSL contains bug fixes, new testing certs, This release of yaSSL contains bug fixes, new testing certs,
and a security patch for a potential heap overflow on forged application and a security patch for a potential heap overflow on forged application
......
/* /*
Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc. Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
Use is subject to license terms. Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
...@@ -35,7 +35,7 @@ ...@@ -35,7 +35,7 @@
#include "rsa.h" #include "rsa.h"
#define YASSL_VERSION "2.1.4" #define YASSL_VERSION "2.2.0"
#if defined(__cplusplus) #if defined(__cplusplus)
......
/* /*
Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -1087,19 +1087,37 @@ void Certificate::Process(input_buffer& input, SSL& ssl) ...@@ -1087,19 +1087,37 @@ void Certificate::Process(input_buffer& input, SSL& ssl)
uint32 list_sz; uint32 list_sz;
byte tmp[3]; byte tmp[3];
if (input.get_remaining() < sizeof(tmp)) {
ssl.SetError(YasslError(bad_input));
return;
}
tmp[0] = input[AUTO]; tmp[0] = input[AUTO];
tmp[1] = input[AUTO]; tmp[1] = input[AUTO];
tmp[2] = input[AUTO]; tmp[2] = input[AUTO];
c24to32(tmp, list_sz); c24to32(tmp, list_sz);
if (list_sz > (uint)MAX_RECORD_SIZE) { // sanity check
ssl.SetError(YasslError(bad_input));
return;
}
while (list_sz) { while (list_sz) {
// cert size // cert size
uint32 cert_sz; uint32 cert_sz;
if (input.get_remaining() < sizeof(tmp)) {
ssl.SetError(YasslError(bad_input));
return;
}
tmp[0] = input[AUTO]; tmp[0] = input[AUTO];
tmp[1] = input[AUTO]; tmp[1] = input[AUTO];
tmp[2] = input[AUTO]; tmp[2] = input[AUTO];
c24to32(tmp, cert_sz); c24to32(tmp, cert_sz);
if (cert_sz > (uint)MAX_RECORD_SIZE || input.get_remaining() < cert_sz){
ssl.SetError(YasslError(bad_input));
return;
}
x509* myCert; x509* myCert;
cm.AddPeerCert(myCert = NEW_YS x509(cert_sz)); cm.AddPeerCert(myCert = NEW_YS x509(cert_sz));
input.read(myCert->use_buffer(), myCert->get_length()); input.read(myCert->use_buffer(), myCert->get_length());
......
/* /*
Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -308,8 +308,9 @@ SSL::SSL(SSL_CTX* ctx) ...@@ -308,8 +308,9 @@ SSL::SSL(SSL_CTX* ctx)
SetError(YasslError(err)); SetError(YasslError(err));
return; return;
} }
else if (serverSide) { else if (serverSide && ctx->GetCiphers().setSuites_ == 0) {
// remove RSA or DSA suites depending on cert key type // remove RSA or DSA suites depending on cert key type
// but don't override user sets
ProtocolVersion pv = secure_.get_connection().version_; ProtocolVersion pv = secure_.get_connection().version_;
bool removeDH = secure_.use_parms().removeDH_; bool removeDH = secure_.use_parms().removeDH_;
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (C) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -39,25 +39,32 @@ public: ...@@ -39,25 +39,32 @@ public:
explicit Source(word32 sz = 0) : buffer_(sz), current_(0) {} explicit Source(word32 sz = 0) : buffer_(sz), current_(0) {}
Source(const byte* b, word32 sz) : buffer_(b, sz), current_(0) {} Source(const byte* b, word32 sz) : buffer_(b, sz), current_(0) {}
word32 remaining() { if (GetError().What()) return 0;
else return buffer_.size() - current_; }
word32 size() const { return buffer_.size(); } word32 size() const { return buffer_.size(); }
void grow(word32 sz) { buffer_.CleanGrow(sz); } void grow(word32 sz) { buffer_.CleanGrow(sz); }
bool IsLeft(word32 sz) { if (remaining() >= sz) return true;
else { SetError(CONTENT_E); return false; } }
const byte* get_buffer() const { return buffer_.get_buffer(); } const byte* get_buffer() const { return buffer_.get_buffer(); }
const byte* get_current() const { return &buffer_[current_]; } const byte* get_current() const { return &buffer_[current_]; }
word32 get_index() const { return current_; } word32 get_index() const { return current_; }
void set_index(word32 i) { current_ = i; } void set_index(word32 i) { if (i < size()) current_ = i; }
byte operator[] (word32 i) { current_ = i; return next(); } byte operator[] (word32 i) { current_ = i; return next(); }
byte next() { return buffer_[current_++]; } byte next() { if (IsLeft(1)) return buffer_[current_++]; else return 0; }
byte prev() { return buffer_[--current_]; } byte prev() { if (current_) return buffer_[--current_]; else return 0; }
void add(const byte* data, word32 len) void add(const byte* data, word32 len)
{ {
if (IsLeft(len)) {
memcpy(buffer_.get_buffer() + current_, data, len); memcpy(buffer_.get_buffer() + current_, data, len);
current_ += len; current_ += len;
} }
}
void advance(word32 i) { current_ += i; } void advance(word32 i) { if (IsLeft(i)) current_ += i; }
void reset(ByteBlock&); void reset(ByteBlock&);
Error GetError() { return error_; } Error GetError() { return error_; }
......
/* /*
Copyright (c) 2005-2007 MySQL AB, 2009, 2010 Sun Microsystems, Inc. Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
Use is subject to license terms. Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
...@@ -144,6 +144,8 @@ word32 GetLength(Source& source) ...@@ -144,6 +144,8 @@ word32 GetLength(Source& source)
if (b >= LONG_LENGTH) { if (b >= LONG_LENGTH) {
word32 bytes = b & 0x7F; word32 bytes = b & 0x7F;
if (source.IsLeft(bytes) == false) return 0;
while (bytes--) { while (bytes--) {
b = source.next(); b = source.next();
length = (length << 8) | b; length = (length << 8) | b;
...@@ -578,8 +580,10 @@ void CertDecoder::StoreKey() ...@@ -578,8 +580,10 @@ void CertDecoder::StoreKey()
read = source_.get_index() - read; read = source_.get_index() - read;
length += read; length += read;
if (source_.GetError().What()) return;
while (read--) source_.prev(); while (read--) source_.prev();
if (source_.IsLeft(length) == false) return;
key_.SetSize(length); key_.SetSize(length);
key_.SetKey(source_.get_current()); key_.SetKey(source_.get_current());
source_.advance(length); source_.advance(length);
...@@ -611,6 +615,8 @@ void CertDecoder::AddDSA() ...@@ -611,6 +615,8 @@ void CertDecoder::AddDSA()
word32 length = GetLength(source_); word32 length = GetLength(source_);
length += source_.get_index() - idx; length += source_.get_index() - idx;
if (source_.IsLeft(length) == false) return;
key_.AddToEnd(source_.get_buffer() + idx, length); key_.AddToEnd(source_.get_buffer() + idx, length);
} }
...@@ -621,6 +627,8 @@ word32 CertDecoder::GetAlgoId() ...@@ -621,6 +627,8 @@ word32 CertDecoder::GetAlgoId()
if (source_.GetError().What()) return 0; if (source_.GetError().What()) return 0;
word32 length = GetSequence(); word32 length = GetSequence();
if (source_.GetError().What()) return 0;
byte b = source_.next(); byte b = source_.next();
if (b != OBJECT_IDENTIFIER) { if (b != OBJECT_IDENTIFIER) {
source_.SetError(OBJECT_ID_E); source_.SetError(OBJECT_ID_E);
...@@ -628,8 +636,9 @@ word32 CertDecoder::GetAlgoId() ...@@ -628,8 +636,9 @@ word32 CertDecoder::GetAlgoId()
} }
length = GetLength(source_); length = GetLength(source_);
word32 oid = 0; if (source_.IsLeft(length) == false) return 0;
word32 oid = 0;
while(length--) while(length--)
oid += source_.next(); // just sum it up for now oid += source_.next(); // just sum it up for now
...@@ -662,6 +671,10 @@ word32 CertDecoder::GetSignature() ...@@ -662,6 +671,10 @@ word32 CertDecoder::GetSignature()
} }
sigLength_ = GetLength(source_); sigLength_ = GetLength(source_);
if (sigLength_ == 0 || source_.IsLeft(sigLength_) == false) {
source_.SetError(CONTENT_E);
return 0;
}
b = source_.next(); b = source_.next();
if (b != 0) { if (b != 0) {
...@@ -728,6 +741,7 @@ void CertDecoder::GetName(NameType nt) ...@@ -728,6 +741,7 @@ void CertDecoder::GetName(NameType nt)
if (length >= ASN_NAME_MAX) if (length >= ASN_NAME_MAX)
return; return;
if (source_.IsLeft(length) == false) return;
length += source_.get_index(); length += source_.get_index();
char* ptr; char* ptr;
...@@ -753,7 +767,10 @@ void CertDecoder::GetName(NameType nt) ...@@ -753,7 +767,10 @@ void CertDecoder::GetName(NameType nt)
} }
word32 oidSz = GetLength(source_); word32 oidSz = GetLength(source_);
if (source_.IsLeft(oidSz) == false) return;
byte joint[2]; byte joint[2];
if (source_.IsLeft(sizeof(joint)) == false) return;
memcpy(joint, source_.get_current(), sizeof(joint)); memcpy(joint, source_.get_current(), sizeof(joint));
// v1 name types // v1 name types
...@@ -763,6 +780,8 @@ void CertDecoder::GetName(NameType nt) ...@@ -763,6 +780,8 @@ void CertDecoder::GetName(NameType nt)
b = source_.next(); // strType b = source_.next(); // strType
word32 strLen = GetLength(source_); word32 strLen = GetLength(source_);
if (source_.IsLeft(strLen) == false) return;
switch (id) { switch (id) {
case COMMON_NAME: case COMMON_NAME:
if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen))) if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen)))
...@@ -804,6 +823,7 @@ void CertDecoder::GetName(NameType nt) ...@@ -804,6 +823,7 @@ void CertDecoder::GetName(NameType nt)
source_.advance(oidSz + 1); source_.advance(oidSz + 1);
word32 length = GetLength(source_); word32 length = GetLength(source_);
if (source_.IsLeft(length) == false) return;
if (email) { if (email) {
if (!(ptr = AddTag(ptr, buf_end, "/emailAddress=", 14, length))) { if (!(ptr = AddTag(ptr, buf_end, "/emailAddress=", 14, length))) {
...@@ -837,6 +857,8 @@ void CertDecoder::GetDate(DateType dt) ...@@ -837,6 +857,8 @@ void CertDecoder::GetDate(DateType dt)
} }
word32 length = GetLength(source_); word32 length = GetLength(source_);
if (source_.IsLeft(length) == false) return;
byte date[MAX_DATE_SZ]; byte date[MAX_DATE_SZ];
if (length > MAX_DATE_SZ || length < MIN_DATE_SZ) { if (length > MAX_DATE_SZ || length < MIN_DATE_SZ) {
source_.SetError(DATE_SZ_E); source_.SetError(DATE_SZ_E);
......
/* /*
Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -2587,12 +2587,15 @@ void Integer::Decode(Source& source) ...@@ -2587,12 +2587,15 @@ void Integer::Decode(Source& source)
} }
word32 length = GetLength(source); word32 length = GetLength(source);
if (length == 0 || source.GetError().What()) return;
if ( (b = source.next()) == 0x00) if ( (b = source.next()) == 0x00)
length--; length--;
else else
source.prev(); source.prev();
if (source.IsLeft(length) == false) return;
unsigned int words = (length + WORD_SIZE - 1) / WORD_SIZE; unsigned int words = (length + WORD_SIZE - 1) / WORD_SIZE;
words = RoundupSize(words); words = RoundupSize(words);
if (words > reg_.size()) reg_.CleanNew(words); if (words > reg_.size()) reg_.CleanNew(words);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment