Further upgrade the yaSSL library to version 2.2.0

to pick up some new security fixes that are in it.

Patch provided by Georgi Kodinov.

7 files changed, 67 insertions, 17 deletions

diff --git a/extra/yassl/README b/extra/yassl/README
index 0ca656bb932..7720a9453dd 100644
--- a/extra/yassl/README
+++ b/extra/yassl/README
@@ -21,8 +21,7 @@ See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 
 
-*****************yaSSL Release notes, version 1.9.9 (1/26/2010)
-yaSSL Release notes, version 2.0.0 (7/6/2010)
+*****************yaSSL Release notes, version 2.0.0 (7/6/2010)
 
     This release of yaSSL contains bug fixes, new testing certs,
     and a security patch for a potential heap overflow on forged application
diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h
index 0ae54f070bd..0d99888da88 100644
--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
    Use is subject to license terms.
 
    This program is free software; you can redistribute it and/or modify
@@ -35,7 +35,7 @@
 #include "rsa.h"
 
 
-#define YASSL_VERSION "2.1.4"
+#define YASSL_VERSION "2.2.0"
 
 
 #if defined(__cplusplus)
diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp
index 6d2549749f2..66a173bece8 100644
--- a/extra/yassl/src/yassl_imp.cpp
+++ b/extra/yassl/src/yassl_imp.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1087,19 +1087,37 @@ void Certificate::Process(input_buffer& input, SSL& ssl)
     uint32 list_sz;
     byte   tmp[3];
 
+    if (input.get_remaining() < sizeof(tmp)) {
+        ssl.SetError(YasslError(bad_input));
+        return;
+    }
     tmp[0] = input[AUTO];
     tmp[1] = input[AUTO];
     tmp[2] = input[AUTO];
     c24to32(tmp, list_sz);
+
+    if (list_sz > (uint)MAX_RECORD_SIZE) { // sanity check
+        ssl.SetError(YasslError(bad_input));
+        return;
+    }
     
     while (list_sz) {
         // cert size
         uint32 cert_sz;
+
+        if (input.get_remaining() < sizeof(tmp)) {
+            ssl.SetError(YasslError(bad_input));
+            return;
+        }
         tmp[0] = input[AUTO];
         tmp[1] = input[AUTO];
         tmp[2] = input[AUTO];
         c24to32(tmp, cert_sz);
         
+        if (cert_sz > (uint)MAX_RECORD_SIZE || input.get_remaining() < cert_sz){
+            ssl.SetError(YasslError(bad_input));
+            return;
+        }
         x509* myCert;
         cm.AddPeerCert(myCert = NEW_YS x509(cert_sz));
         input.read(myCert->use_buffer(), myCert->get_length());
diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp
index 15a85e36909..73f8f2330c5 100644
--- a/extra/yassl/src/yassl_int.cpp
+++ b/extra/yassl/src/yassl_int.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -308,8 +308,9 @@ SSL::SSL(SSL_CTX* ctx)
             SetError(YasslError(err));
             return;
         }
-        else if (serverSide) {
+        else if (serverSide && ctx->GetCiphers().setSuites_ == 0) {
             // remove RSA or DSA suites depending on cert key type
+            // but don't override user sets
             ProtocolVersion pv = secure_.get_connection().version_;
             
             bool removeDH  = secure_.use_parms().removeDH_;
diff --git a/extra/yassl/taocrypt/include/file.hpp b/extra/yassl/taocrypt/include/file.hpp
index 0f85b46fdb2..820fd8ff431 100644
--- a/extra/yassl/taocrypt/include/file.hpp
+++ b/extra/yassl/taocrypt/include/file.hpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (C) 2000-2007 MySQL AB
+   Copyright (C) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -39,25 +39,32 @@ public:
     explicit Source(word32 sz = 0) : buffer_(sz), current_(0) {}
     Source(const byte* b, word32 sz) : buffer_(b, sz), current_(0) {}
 
+    word32 remaining()         { if (GetError().What()) return 0;
+                                 else return buffer_.size() - current_; } 
     word32 size() const        { return buffer_.size(); }
     void   grow(word32 sz)     { buffer_.CleanGrow(sz); }
+
+    bool IsLeft(word32 sz) { if (remaining() >= sz) return true;
+                             else { SetError(CONTENT_E); return false; } }
    
     const byte*  get_buffer()  const { return buffer_.get_buffer(); }
     const byte*  get_current() const { return &buffer_[current_]; }
     word32       get_index()   const { return current_; }
-    void         set_index(word32 i) { current_ = i; }
+    void         set_index(word32 i) { if (i < size()) current_ = i; }
 
     byte operator[] (word32 i) { current_ = i; return next(); }
-    byte next() { return buffer_[current_++]; }
-    byte prev() { return buffer_[--current_]; }
+    byte next() { if (IsLeft(1)) return buffer_[current_++]; else return 0; }
+    byte prev() { if (current_)  return buffer_[--current_]; else return 0; }
 
     void add(const byte* data, word32 len)
     {
-        memcpy(buffer_.get_buffer() + current_, data, len);
-        current_ += len;
+        if (IsLeft(len)) {
+            memcpy(buffer_.get_buffer() + current_, data, len);
+            current_ += len;
+        }
     }
 
-    void advance(word32 i) { current_ += i; }
+    void advance(word32 i) { if (IsLeft(i)) current_ += i; }
     void reset(ByteBlock&);
 
     Error  GetError()              { return error_; }
diff --git a/extra/yassl/taocrypt/src/asn.cpp b/extra/yassl/taocrypt/src/asn.cpp
index 72cbd092f9d..a502666d15b 100644
--- a/extra/yassl/taocrypt/src/asn.cpp
+++ b/extra/yassl/taocrypt/src/asn.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005-2007 MySQL AB, 2009, 2010 Sun Microsystems, Inc.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
    Use is subject to license terms.
 
    This program is free software; you can redistribute it and/or modify
@@ -144,6 +144,8 @@ word32 GetLength(Source& source)
     if (b >= LONG_LENGTH) {        
         word32 bytes = b & 0x7F;
 
+        if (source.IsLeft(bytes) == false) return 0;
+
         while (bytes--) {
             b = source.next();
             length = (length << 8) | b;
@@ -578,8 +580,10 @@ void CertDecoder::StoreKey()
     read = source_.get_index() - read;
     length += read;
 
+    if (source_.GetError().What()) return;
     while (read--) source_.prev();
 
+    if (source_.IsLeft(length) == false) return;
     key_.SetSize(length);
     key_.SetKey(source_.get_current());
     source_.advance(length);
@@ -611,6 +615,8 @@ void CertDecoder::AddDSA()
     word32 length = GetLength(source_);
     length += source_.get_index() - idx;
 
+    if (source_.IsLeft(length) == false) return;
+
     key_.AddToEnd(source_.get_buffer() + idx, length);    
 }
 
@@ -620,6 +626,8 @@ word32 CertDecoder::GetAlgoId()
 {
     if (source_.GetError().What()) return 0;
     word32 length = GetSequence();
+
+    if (source_.GetError().What()) return 0;
     
     byte b = source_.next();
     if (b != OBJECT_IDENTIFIER) {
@@ -628,8 +636,9 @@ word32 CertDecoder::GetAlgoId()
     }
 
     length = GetLength(source_);
+    if (source_.IsLeft(length) == false) return 0;
+
     word32 oid = 0;
-    
     while(length--)
         oid += source_.next();        // just sum it up for now
 
@@ -662,6 +671,10 @@ word32 CertDecoder::GetSignature()
     }
 
     sigLength_ = GetLength(source_);
+    if (sigLength_ == 0 || source_.IsLeft(sigLength_) == false) {
+        source_.SetError(CONTENT_E);
+        return 0;
+    }
   
     b = source_.next();
     if (b != 0) {
@@ -728,6 +741,7 @@ void CertDecoder::GetName(NameType nt)
 
     if (length >= ASN_NAME_MAX)
         return;
+    if (source_.IsLeft(length) == false) return;
     length += source_.get_index();
     
     char* ptr;
@@ -753,7 +767,10 @@ void CertDecoder::GetName(NameType nt)
         }
 
         word32 oidSz = GetLength(source_);
+        if (source_.IsLeft(oidSz) == false) return;
+
         byte joint[2];
+        if (source_.IsLeft(sizeof(joint)) == false) return;
         memcpy(joint, source_.get_current(), sizeof(joint));
 
         // v1 name types
@@ -763,6 +780,8 @@ void CertDecoder::GetName(NameType nt)
             b              = source_.next();    // strType
             word32 strLen  = GetLength(source_);
 
+            if (source_.IsLeft(strLen) == false) return;
+
             switch (id) {
             case COMMON_NAME:
                 if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen)))
@@ -804,6 +823,7 @@ void CertDecoder::GetName(NameType nt)
 
             source_.advance(oidSz + 1);
             word32 length = GetLength(source_);
+            if (source_.IsLeft(length) == false) return;
 
             if (email) {
                 if (!(ptr = AddTag(ptr, buf_end, "/emailAddress=", 14, length))) {
@@ -837,6 +857,8 @@ void CertDecoder::GetDate(DateType dt)
     }
 
     word32 length = GetLength(source_);
+    if (source_.IsLeft(length) == false) return;
+
     byte date[MAX_DATE_SZ];
     if (length > MAX_DATE_SZ || length < MIN_DATE_SZ) {
         source_.SetError(DATE_SZ_E);
diff --git a/extra/yassl/taocrypt/src/integer.cpp b/extra/yassl/taocrypt/src/integer.cpp
index 2d55f48e91f..bfced6d0c74 100644
--- a/extra/yassl/taocrypt/src/integer.cpp
+++ b/extra/yassl/taocrypt/src/integer.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -2587,11 +2587,14 @@ void Integer::Decode(Source& source)
     }
 
     word32 length = GetLength(source);
+    if (length == 0 || source.GetError().What()) return;
 
     if ( (b = source.next()) == 0x00)
         length--;
     else
         source.prev();
+
+    if (source.IsLeft(length) == false) return;
  
     unsigned int words = (length + WORD_SIZE - 1) / WORD_SIZE;
     words = RoundupSize(words);