From 01dca16d610f8687b6c67163c69faea522599203 Mon Sep 17 00:00:00 2001
From: Joerg Bruehe
Date: Fri, 2 Mar 2012 13:12:07 +0100
Subject: [PATCH] Further upgrade the yaSSL library to version 2.2.0 to pick up some new security fixes that are in it. Patch provided by Georgi Kodinov.
---
 extra/yassl/README | 3 +--
 extra/yassl/include/openssl/ssl.h | 4 ++--
 extra/yassl/src/yassl_imp.cpp | 20 +++++++++++++++++++-
 extra/yassl/src/yassl_int.cpp | 5 +++--
 extra/yassl/taocrypt/include/file.hpp | 21 ++++++++++++++-------
 extra/yassl/taocrypt/src/asn.cpp | 26 ++++++++++++++++++++++++--
 extra/yassl/taocrypt/src/integer.cpp | 5 ++++-
 7 files changed, 67 insertions(+), 17 deletions(-)
diff --git a/extra/yassl/README b/extra/yassl/README
index 0ca656bb932..7720a9453dd 100644
--- a/extra/yassl/README
+++ b/extra/yassl/README
@@ -21,8 +21,7 @@ See normal build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
-*****************yaSSL Release notes, version 1.9.9 (1/26/2010)
-yaSSL Release notes, version 2.0.0 (7/6/2010)
+*****************yaSSL Release notes, version 2.0.0 (7/6/2010)
 This release of yaSSL contains bug fixes, new testing certs, and a security patch for a potential heap overflow on forged application
diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h
index 0ae54f070bd..0d99888da88 100644
--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc.
+ Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 Use is subject to license terms.
 This program is free software; you can redistribute it and/or modify
@@ -35,7 +35,7 @@
 #include "rsa.h"
-#define YASSL_VERSION "2.1.4"
+#define YASSL_VERSION "2.2.0"
 #if defined(__cplusplus)
diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp
index 6d2549749f2..66a173bece8 100644
--- a/extra/yassl/src/yassl_imp.cpp
+++ b/extra/yassl/src/yassl_imp.cpp
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -1087,19 +1087,37 @@ void Certificate::Process(input_buffer& input, SSL& ssl)
 uint32 list_sz;
 byte tmp[3];
+ if (input.get_remaining() < sizeof(tmp)) {
+ ssl.SetError(YasslError(bad_input));
+ return;
+ }
 tmp[0] = input[AUTO];
 tmp[1] = input[AUTO];
 tmp[2] = input[AUTO];
 c24to32(tmp, list_sz);
+
+ if (list_sz > (uint)MAX_RECORD_SIZE) { // sanity check
+ ssl.SetError(YasslError(bad_input));
+ return;
+ }
 while (list_sz) {
 // cert size
 uint32 cert_sz;
+
+ if (input.get_remaining() < sizeof(tmp)) {
+ ssl.SetError(YasslError(bad_input));
+ return;
+ }
 tmp[0] = input[AUTO];
 tmp[1] = input[AUTO];
 tmp[2] = input[AUTO];
 c24to32(tmp, cert_sz);
+ if (cert_sz > (uint)MAX_RECORD_SIZE || input.get_remaining() < cert_sz){
+ ssl.SetError(YasslError(bad_input));
+ return;
+ }
 x509* myCert;
 cm.AddPeerCert(myCert = NEW_YS x509(cert_sz));
 input.read(myCert->use_buffer(), myCert->get_length());
diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp
index 15a85e36909..73f8f2330c5 100644
--- a/extra/yassl/src/yassl_int.cpp
+++ b/extra/yassl/src/yassl_int.cpp
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
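Review bot: In the Certificate::Process hunk of yassl_imp.cpp, the new per-certificate check bounds `cert_sz` by MAX_RECORD_SIZE and by the remaining input but never by `list_sz`, the length the peer declared for the whole certificate list. The statement that decrements `list_sz` lies outside the hunk, so this is inferred, but if it subtracts the certificate size plus its 3-byte length prefix from the unsigned `list_sz`, an entry longer than the declared list wraps the counter and `while (list_sz)` keeps parsing until the input is exhausted. Rejecting the entry next to the new `cert_sz` check keeps the two lengths consistent: `if (list_sz < sizeof(tmp) || cert_sz > list_sz - sizeof(tmp)) { ssl.SetError(YasslError(bad_input)); return; }`. The function body starts and ends outside the hunk.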
@@ -308,8 +308,9 @@ SSL::SSL(SSL_CTX* ctx)
 SetError(YasslError(err));
 return;
 }
- else if (serverSide) {
+ else if (serverSide && ctx->GetCiphers().setSuites_ == 0) {
 // remove RSA or DSA suites depending on cert key type
+ // but don't override user sets
 ProtocolVersion pv = secure_.get_connection().version_;
 bool removeDH = secure_.use_parms().removeDH_;
diff --git a/extra/yassl/taocrypt/include/file.hpp b/extra/yassl/taocrypt/include/file.hpp
index 0f85b46fdb2..820fd8ff431 100644
--- a/extra/yassl/taocrypt/include/file.hpp
+++ b/extra/yassl/taocrypt/include/file.hpp
@@ -1,5 +1,5 @@
 /*
- Copyright (C) 2000-2007 MySQL AB
+ Copyright (C) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
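Review bot: The added comment `// but don't override user sets` in the SSL::SSL hunk of yassl_int.cpp does not say what the new `ctx->GetCiphers().setSuites_ == 0` condition implies for a server with an application-supplied suite list. With that list in place the whole branch is skipped, so suites that do not match the certificate's key type (the RSA/DSA removal described by the comment above it) appear to stay enabled; whether a later step rejects them is not visible here. I would spell the consequence out at the branch, for example `// user-configured suites are used as given; suites that do not match the cert key type are NOT filtered out here`. The constructor body continues outside the hunk.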
@@ -39,25 +39,32 @@ public:
 explicit Source(word32 sz = 0) : buffer_(sz), current_(0) {}
 Source(const byte* b, word32 sz) : buffer_(b, sz), current_(0) {}
+ word32 remaining() { if (GetError().What()) return 0;
+ else return buffer_.size() - current_; }
 word32 size() const { return buffer_.size(); }
 void grow(word32 sz) { buffer_.CleanGrow(sz); }
+
+ bool IsLeft(word32 sz) { if (remaining() >= sz) return true;
+ else { SetError(CONTENT_E); return false; } }
 const byte* get_buffer() const { return buffer_.get_buffer(); }
 const byte* get_current() const { return &buffer_[current_]; }
 word32 get_index() const { return current_; }
- void set_index(word32 i) { current_ = i; }
+ void set_index(word32 i) { if (i < size()) current_ = i; }
 byte operator[] (word32 i) { current_ = i; return next(); }
- byte next() { return buffer_[current_++]; }
- byte prev() { return buffer_[--current_]; }
+ byte next() { if (IsLeft(1)) return buffer_[current_++]; else return 0; }
+ byte prev() { if (current_) return buffer_[--current_]; else return 0; }
 void add(const byte* data, word32 len) {
- memcpy(buffer_.get_buffer() + current_, data, len);
- current_ += len;
+ if (IsLeft(len)) {
+ memcpy(buffer_.get_buffer() + current_, data, len);
+ current_ += len;
+ }
 }
- void advance(word32 i) { current_ += i; }
+ void advance(word32 i) { if (IsLeft(i)) current_ += i; }
 void reset(ByteBlock&);
 Error GetError() { return error_; }
diff --git a/extra/yassl/taocrypt/src/asn.cpp b/extra/yassl/taocrypt/src/asn.cpp
index 72cbd092f9d..a502666d15b 100644
--- a/extra/yassl/taocrypt/src/asn.cpp
+++ b/extra/yassl/taocrypt/src/asn.cpp
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2005-2007 MySQL AB, 2009, 2010 Sun Microsystems, Inc.
+ Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 Use is subject to license terms.
 This program is free software; you can redistribute it and/or modify
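Review bot: `remaining()` in the Source hunk of file.hpp computes `buffer_.size() - current_` in unsigned arithmetic, and the unchanged `operator[]` still assigns `current_ = i` without a bound, so an index past the end makes the subtraction wrap and the `IsLeft(1)` test in `next()` succeeds. Guarding the subtraction closes that path: `word32 remaining() { if (GetError().What() || current_ > buffer_.size()) return 0; else return buffer_.size() - current_; }`. Separately, `set_index()` and `prev()` now ignore an out-of-range request without calling `SetError(CONTENT_E)`, unlike `IsLeft()`, so a caller that only tests `GetError()` will not notice that the cursor stayed where it was. The class declaration starts and ends outside the hunk.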
@@ -144,6 +144,8 @@ word32 GetLength(Source& source)
 if (b >= LONG_LENGTH) {
 word32 bytes = b & 0x7F;
+ if (source.IsLeft(bytes) == false) return 0;
+
 while (bytes--) {
 b = source.next();
 length = (length << 8) | b;
@@ -578,8 +580,10 @@ void CertDecoder::StoreKey()
 read = source_.get_index() - read;
 length += read;
+ if (source_.GetError().What()) return;
 while (read--) source_.prev();
+ if (source_.IsLeft(length) == false) return;
 key_.SetSize(length);
 key_.SetKey(source_.get_current());
 source_.advance(length);
@@ -611,6 +615,8 @@ void CertDecoder::AddDSA()
 word32 length = GetLength(source_);
 length += source_.get_index() - idx;
+ if (source_.IsLeft(length) == false) return;
+
 key_.AddToEnd(source_.get_buffer() + idx, length);
 }
@@ -620,6 +626,8 @@ word32 CertDecoder::GetAlgoId()
 {
 if (source_.GetError().What()) return 0;
 word32 length = GetSequence();
+
+ if (source_.GetError().What()) return 0;
 byte b = source_.next();
 if (b != OBJECT_IDENTIFIER) {
@@ -628,8 +636,9 @@ word32 CertDecoder::GetAlgoId()
 }
 length = GetLength(source_);
+ if (source_.IsLeft(length) == false) return 0;
+
 word32 oid = 0;
-
 while(length--) oid += source_.next(); // just sum it up for now
@@ -662,6 +671,10 @@ word32 CertDecoder::GetSignature()
 }
 sigLength_ = GetLength(source_);
+ if (sigLength_ == 0 || source_.IsLeft(sigLength_) == false) {
+ source_.SetError(CONTENT_E);
+ return 0;
+ }
 b = source_.next();
 if (b != 0) {
@@ -728,6 +741,7 @@ void CertDecoder::GetName(NameType nt)
 if (length >= ASN_NAME_MAX) return;
+ if (source_.IsLeft(length) == false) return;
 length += source_.get_index();
 char* ptr;
@@ -753,7 +767,10 @@ void CertDecoder::GetName(NameType nt)
 }
 word32 oidSz = GetLength(source_);
+ if (source_.IsLeft(oidSz) == false) return;
+
 byte joint[2];
+ if (source_.IsLeft(sizeof(joint)) == false) return;
 memcpy(joint, source_.get_current(), sizeof(joint));
 // v1 name types
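Review bot: In the GetLength hunk of asn.cpp the added `IsLeft(bytes)` test confirms the length octets are present, but `bytes` can be as large as 0x7F while the result is a `word32`, so with more than four octets the high bits are shifted out of `length = (length << 8) | b` and the decoded length is silently truncated. A bound before the loop rejects such encodings: `if (bytes > sizeof(word32)) { source.SetError(CONTENT_E); return 0; }`. Because 0 is also what the function returns on failure and `IsLeft(0)` is true even once an error is set, the `IsLeft(length)` guards added in the AddDSA, GetName and GetDate hunks do not by themselves detect a failed length read. A comment on GetLength should tell callers to test `source.GetError()` as the StoreKey and GetAlgoId hunks do. The function starts and ends outside the hunk.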
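Review bot: In the CertDecoder::AddDSA hunk of asn.cpp, `IsLeft(length)` measures from the current read position, although `length` has just been enlarged by `source_.get_index() - idx` and the copy in `key_.AddToEnd(source_.get_buffer() + idx, length)` starts back at `idx`. The test therefore demands more bytes past the cursor than the copy reads, so a well-formed key that ends near the end of the buffer would be refused and the source marked with an error; the StoreKey hunk avoids this by rewinding with `prev()` before its check. Testing the payload length before the header bytes are added keeps the bound exact, that is, `if (source_.IsLeft(length) == false) return;` placed directly after `word32 length = GetLength(source_);` and before the `length +=` line. The start of the function is outside the hunk.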
@@ -763,6 +780,8 @@ void CertDecoder::GetName(NameType nt)
 b = source_.next(); // strType
 word32 strLen = GetLength(source_);
+ if (source_.IsLeft(strLen) == false) return;
+
 switch (id) {
 case COMMON_NAME:
 if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen)))
@@ -804,6 +823,7 @@ void CertDecoder::GetName(NameType nt)
 source_.advance(oidSz + 1);
 word32 length = GetLength(source_);
+ if (source_.IsLeft(length) == false) return;
 if (email) {
 if (!(ptr = AddTag(ptr, buf_end, "/emailAddress=", 14, length))) {
@@ -837,6 +857,8 @@ void CertDecoder::GetDate(DateType dt)
 }
 word32 length = GetLength(source_);
+ if (source_.IsLeft(length) == false) return;
+
 byte date[MAX_DATE_SZ];
 if (length > MAX_DATE_SZ || length < MIN_DATE_SZ) {
 source_.SetError(DATE_SZ_E);
diff --git a/extra/yassl/taocrypt/src/integer.cpp b/extra/yassl/taocrypt/src/integer.cpp
index 2d55f48e91f..bfced6d0c74 100644
--- a/extra/yassl/taocrypt/src/integer.cpp
+++ b/extra/yassl/taocrypt/src/integer.cpp
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -2587,11 +2587,14 @@ void Integer::Decode(Source& source)
 }
 word32 length = GetLength(source);
+ if (length == 0 || source.GetError().What()) return;
 if ( (b = source.next()) == 0x00) length--; else source.prev();
+
+ if (source.IsLeft(length) == false) return;
 unsigned int words = (length + WORD_SIZE - 1) / WORD_SIZE;
 words = RoundupSize(words);
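Review bot: The added `if (length == 0 || source.GetError().What()) return;` in the Integer::Decode hunk of integer.cpp returns on a zero-length INTEGER without recording an error, so the caller sees a clean source and an Integer that was never filled in. An INTEGER with no content octets is not a valid encoding, so I would fail it explicitly with `if (length == 0) { source.SetError(CONTENT_E); return; }` ahead of the existing error test. The second new guard, `IsLeft(length)`, already records an error through `IsLeft`, which makes the silent first return the odd one out. The function starts and ends outside the hunk.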