Bug #20168526 YASSL: CORRUPT SSL-KEY CRASHES CLIENT

Affects at least 5.6 and 5.7. In customer case, the "client" happened to
be a replication slave, therefore his server crashed.

Bug-fix:
The bug was in yassl. Todd Ouska has provided us with the patch.

(cherry picked from commit 42ffa91aad898b02f0793b669ffd04f5c178ce39)

5 files changed, 38 insertions, 2 deletions

diff --git a/extra/yassl/README b/extra/yassl/README
index da399c3d141..d245d20ce5f 100644
--- a/extra/yassl/README
+++ b/extra/yassl/README
@@ -12,6 +12,10 @@ before calling SSL_new();
 
 *** end Note ***
 
+yaSSL Patch notes, version 2.3.7b (3/18/2015)
+    This release of yaSSL fixes a potential crash with corrupted private keys.
+    Also detects bad keys earlier for user.
+
 yaSSL Release notes, version 2.3.7 (12/10/2014)
     This release of yaSSL fixes the potential to process duplicate handshake
     messages by explicitly marking/checking received handshake messages.
diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h
index 24acc7e86b9..e10fb5299f7 100644
--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
@@ -35,7 +35,7 @@
 #include "rsa.h"
 
 
-#define YASSL_VERSION "2.3.7"
+#define YASSL_VERSION "2.3.7b"
 
 
 #if defined(__cplusplus)
diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp
index a47b175e635..845b35bac8b 100644
--- a/extra/yassl/src/ssl.cpp
+++ b/extra/yassl/src/ssl.cpp
@@ -37,6 +37,8 @@
 #include "file.hpp"             // for TaoCrypt Source
 #include "coding.hpp"           // HexDecoder
 #include "helpers.hpp"          // for placement new hack
+#include "rsa.hpp"              // for TaoCrypt RSA key decode
+#include "dsa.hpp"              // for TaoCrypt DSA key decode
 #include <stdio.h>
 
 #ifdef _WIN32
@@ -54,6 +56,8 @@ namespace yaSSL {
 
 int read_file(SSL_CTX* ctx, const char* file, int format, CertType type)
 {
+    int ret = SSL_SUCCESS;
+
     if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM)
         return SSL_BAD_FILETYPE;
 
@@ -141,8 +145,31 @@ int read_file(SSL_CTX* ctx, const char* file, int format, CertType type)
             }
         }
     }
+
+    if (type == PrivateKey && ctx->privateKey_) {
+        // see if key is valid early
+        TaoCrypt::Source rsaSource(ctx->privateKey_->get_buffer(),
+                                   ctx->privateKey_->get_length());
+        TaoCrypt::RSA_PrivateKey rsaKey;
+        rsaKey.Initialize(rsaSource);
+
+        if (rsaSource.GetError().What()) {
+            // rsa failed see if DSA works
+
+            TaoCrypt::Source dsaSource(ctx->privateKey_->get_buffer(),
+                                       ctx->privateKey_->get_length());
+            TaoCrypt::DSA_PrivateKey dsaKey;
+            dsaKey.Initialize(dsaSource);
+
+            if (rsaSource.GetError().What()) {
+                // neither worked
+                ret = SSL_FAILURE;
+            }
+        }
+    }
+
     fclose(input);
-    return SSL_SUCCESS;
+    return ret;
 }
 
 
diff --git a/extra/yassl/taocrypt/src/rsa.cpp b/extra/yassl/taocrypt/src/rsa.cpp
index 79a8a8f1c4f..73f678e2674 100644
--- a/extra/yassl/taocrypt/src/rsa.cpp
+++ b/extra/yassl/taocrypt/src/rsa.cpp
@@ -140,6 +140,10 @@ word32 RSA_BlockType2::UnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
 void RSA_BlockType1::Pad(const byte* input, word32 inputLen, byte* pkcsBlock,
                          word32 pkcsBlockLen, RandomNumberGenerator&) const
 {
+    // sanity checks
+    if (input == NULL || pkcsBlock == NULL)
+        return;
+
     // convert from bit length to byte length
     if (pkcsBlockLen % 8 != 0)
     {
diff --git a/extra/yassl/testsuite/cipher-test.sh b/extra/yassl/testsuite/cipher-test.sh
index 5ce29459d07..d3e69146097 100644
--- a/extra/yassl/testsuite/cipher-test.sh
+++ b/extra/yassl/testsuite/cipher-test.sh
@@ -4,6 +4,7 @@
 # 
 
 
+no_pid=-1
 server_pid=$no_pid