weave merge mysql-5.0->mysql-5.0-security

65a94c3a · Georgi Kodinov · bd21f317 · e990b8da · 65a94c3a · 65a94c3a
Commit 65a94c3a authored Mar 21, 2012 by Georgi Kodinov
8 changed files
--- a/README
+++ b/README
@@ -5,7 +5,7 @@ For the avoidance of doubt, this particular copy of the software
 is released under the version 2 of the GNU General Public License. 
 MySQL is brought to you by Oracle.
-Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
 License information can be found in the COPYING file.

--- a/extra/yassl/README
+++ b/extra/yassl/README
@@ -21,8 +21,7 @@ See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
-*****************yaSSL Release notes, version 1.9.9 (1/26/2010)
+*****************yaSSL Release notes, version 2.0.0 (7/6/2010)
-yaSSL Release notes, version 2.0.0 (7/6/2010)
    This release of yaSSL contains bug fixes, new testing certs,
    and a security patch for a potential heap overflow on forged application

--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
 /*
-   Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
   Use is subject to license terms.
   This program is free software; you can redistribute it and/or modify
@@ -35,7 +35,7 @@
 #include "rsa.h"
-#define YASSL_VERSION "2.1.4"
+#define YASSL_VERSION "2.2.0"
 #if defined(__cplusplus)

--- a/extra/yassl/src/yassl_imp.cpp
+++ b/extra/yassl/src/yassl_imp.cpp
 /*
-   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1087,19 +1087,37 @@ void Certificate::Process(input_buffer& input, SSL& ssl)
    uint32 list_sz;
    byte   tmp[3];
+    if (input.get_remaining() < sizeof(tmp)) {
+        ssl.SetError(YasslError(bad_input));
+        return;
+    }
    tmp[0] = input[AUTO];
    tmp[1] = input[AUTO];
    tmp[2] = input[AUTO];
    c24to32(tmp, list_sz);
+    if (list_sz > (uint)MAX_RECORD_SIZE) { // sanity check
+        ssl.SetError(YasslError(bad_input));
+        return;
+    }
    while (list_sz) {
        // cert size
        uint32 cert_sz;
+        if (input.get_remaining() < sizeof(tmp)) {
+            ssl.SetError(YasslError(bad_input));
+            return;
+        }
        tmp[0] = input[AUTO];
        tmp[1] = input[AUTO];
        tmp[2] = input[AUTO];
        c24to32(tmp, cert_sz);
+        if (cert_sz > (uint)MAX_RECORD_SIZE || input.get_remaining() < cert_sz){
+            ssl.SetError(YasslError(bad_input));
+            return;
+        }
        x509* myCert;
        cm.AddPeerCert(myCert = NEW_YS x509(cert_sz));
        input.read(myCert->use_buffer(), myCert->get_length());

--- a/extra/yassl/src/yassl_int.cpp
+++ b/extra/yassl/src/yassl_int.cpp
 /*
-   Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -308,8 +308,9 @@ SSL::SSL(SSL_CTX* ctx)
            SetError(YasslError(err));
            return;
        }
-        else if (serverSide) {
+        else if (serverSide && ctx->GetCiphers().setSuites_ == 0) {
            // remove RSA or DSA suites depending on cert key type
+            // but don't override user sets
            ProtocolVersion pv = secure_.get_connection().version_;
            bool removeDH  = secure_.use_parms().removeDH_;

--- a/extra/yassl/taocrypt/include/file.hpp
+++ b/extra/yassl/taocrypt/include/file.hpp
 /*
-   Copyright (C) 2000-2007 MySQL AB
+   Copyright (C) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -39,25 +39,32 @@ public:
    explicit Source(word32 sz = 0) : buffer_(sz), current_(0) {}
    Source(const byte* b, word32 sz) : buffer_(b, sz), current_(0) {}
+    word32 remaining()         { if (GetError().What()) return 0;
+                                 else return buffer_.size() - current_; } 
    word32 size() const        { return buffer_.size(); }
    void   grow(word32 sz)     { buffer_.CleanGrow(sz); }
+    bool IsLeft(word32 sz) { if (remaining() >= sz) return true;
+                             else { SetError(CONTENT_E); return false; } }
    const byte*  get_buffer()  const { return buffer_.get_buffer(); }
    const byte*  get_current() const { return &buffer_[current_]; }
    word32       get_index()   const { return current_; }
-    void         set_index(word32 i) { current_ = i; }
+    void         set_index(word32 i) { if (i < size()) current_ = i; }
    byte operator[] (word32 i) { current_ = i; return next(); }
-    byte next() { return buffer_[current_++]; }
+    byte next() { if (IsLeft(1)) return buffer_[current_++]; else return 0; }
-    byte prev() { return buffer_[--current_]; }
+    byte prev() { if (current_)  return buffer_[--current_]; else return 0; }
    void add(const byte* data, word32 len)
    {
+        if (IsLeft(len)) {
            memcpy(buffer_.get_buffer() + current_, data, len);
            current_ += len;
        }
+    }
-    void advance(word32 i) { current_ += i; }
+    void advance(word32 i) { if (IsLeft(i)) current_ += i; }
    void reset(ByteBlock&);
    Error  GetError()              { return error_; }

--- a/extra/yassl/taocrypt/src/asn.cpp
+++ b/extra/yassl/taocrypt/src/asn.cpp
 /*
-   Copyright (c) 2005-2007 MySQL AB, 2009, 2010 Sun Microsystems, Inc.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
   Use is subject to license terms.
   This program is free software; you can redistribute it and/or modify
@@ -144,6 +144,8 @@ word32 GetLength(Source& source)
    if (b >= LONG_LENGTH) {        
        word32 bytes = b & 0x7F;
+        if (source.IsLeft(bytes) == false) return 0;
        while (bytes--) {
            b = source.next();
            length = (length << 8) | b;
@@ -578,8 +580,10 @@ void CertDecoder::StoreKey()
    read = source_.get_index() - read;
    length += read;
+    if (source_.GetError().What()) return;
    while (read--) source_.prev();
+    if (source_.IsLeft(length) == false) return;
    key_.SetSize(length);
    key_.SetKey(source_.get_current());
    source_.advance(length);
@@ -611,6 +615,8 @@ void CertDecoder::AddDSA()
    word32 length = GetLength(source_);
    length += source_.get_index() - idx;
+    if (source_.IsLeft(length) == false) return;
    key_.AddToEnd(source_.get_buffer() + idx, length);    
 }
@@ -621,6 +627,8 @@ word32 CertDecoder::GetAlgoId()
    if (source_.GetError().What()) return 0;
    word32 length = GetSequence();
+    if (source_.GetError().What()) return 0;
    byte b = source_.next();
    if (b != OBJECT_IDENTIFIER) {
        source_.SetError(OBJECT_ID_E);
@@ -628,8 +636,9 @@ word32 CertDecoder::GetAlgoId()
    }
    length = GetLength(source_);
-    word32 oid = 0;
+    if (source_.IsLeft(length) == false) return 0;
+    word32 oid = 0;
    while(length--)
        oid += source_.next();        // just sum it up for now
@@ -662,6 +671,10 @@ word32 CertDecoder::GetSignature()
    }
    sigLength_ = GetLength(source_);
+    if (sigLength_ == 0 || source_.IsLeft(sigLength_) == false) {
+        source_.SetError(CONTENT_E);
+        return 0;
+    }
    b = source_.next();
    if (b != 0) {
@@ -728,6 +741,7 @@ void CertDecoder::GetName(NameType nt)
    if (length >= ASN_NAME_MAX)
        return;
+    if (source_.IsLeft(length) == false) return;
    length += source_.get_index();
    char* ptr;
@@ -753,7 +767,10 @@ void CertDecoder::GetName(NameType nt)
        }
        word32 oidSz = GetLength(source_);
+        if (source_.IsLeft(oidSz) == false) return;
        byte joint[2];
+        if (source_.IsLeft(sizeof(joint)) == false) return;
        memcpy(joint, source_.get_current(), sizeof(joint));
        // v1 name types
@@ -763,6 +780,8 @@ void CertDecoder::GetName(NameType nt)
            b              = source_.next();    // strType
            word32 strLen  = GetLength(source_);
+            if (source_.IsLeft(strLen) == false) return;
            switch (id) {
            case COMMON_NAME:
                if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen)))
@@ -804,6 +823,7 @@ void CertDecoder::GetName(NameType nt)
            source_.advance(oidSz + 1);
            word32 length = GetLength(source_);
+            if (source_.IsLeft(length) == false) return;
            if (email) {
                if (!(ptr = AddTag(ptr, buf_end, "/emailAddress=", 14, length))) {
@@ -837,6 +857,8 @@ void CertDecoder::GetDate(DateType dt)
    }
    word32 length = GetLength(source_);
+    if (source_.IsLeft(length) == false) return;
    byte date[MAX_DATE_SZ];
    if (length > MAX_DATE_SZ || length < MIN_DATE_SZ) {
        source_.SetError(DATE_SZ_E);

--- a/extra/yassl/taocrypt/src/integer.cpp
+++ b/extra/yassl/taocrypt/src/integer.cpp
 /*
-   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -2587,12 +2587,15 @@ void Integer::Decode(Source& source)
    }
    word32 length = GetLength(source);
+    if (length == 0 || source.GetError().What()) return;
    if ( (b = source.next()) == 0x00)
        length--;
    else
        source.prev();
+    if (source.IsLeft(length) == false) return;
    unsigned int words = (length + WORD_SIZE - 1) / WORD_SIZE;
    words = RoundupSize(words);
    if (words > reg_.size()) reg_.CleanNew(words);