Commit 918a8c46 authored by Chad MILLER's avatar Chad MILLER
Browse files

Bug#39178: non-RSA keys in connection to a RSA-keyed yaSSL-using server \ 

		using crashes server

When the server is configured to use a RSA key, and when the client sends
a cipher-suite list that contains a non-RSA key as acceptable, the server 
would try to process that key even though it was impossible.

Now, yaSSL sets its own acceptable-cipher list according to what kind of
key the server is started with, and will never explore and try to pair 
impossible combinations.

This involves a partial import of the current YaSSL tree, not the whole
thing, so as to try to avoid introducing new bugs.

(Updated to avoid many whitespace changes and make diff smaller.)
parent 60b8b18f

extra/yassl/include/cert_wrapper.hpp

+3 −0
Original line number Diff line number Diff line
@@ -34,6 +34,7 @@ 
#include "yassl_types.hpp"  // SignatureAlgorithm

#include "buffer.hpp"       // input_buffer

#include "asn.hpp"          // SignerList

#include "openssl/ssl.h"    // internal and external use

#include STL_LIST_FILE

#include STL_ALGORITHM_FILE
@@ -87,6 +88,7 @@ class CertManager { 
    bool verifyNone_;                   // no error if verify fails

    bool failNoCert_;

    bool sendVerify_;

    VerifyCallback verifyCallback_;     // user verify callback

public:

    CertManager();

    ~CertManager();
@@ -118,6 +120,7 @@ public: 
    void setFailNoCert();

    void setSendVerify();

    void setPeerX509(X509*);

    void setVerifyCallback(VerifyCallback);

private:

    CertManager(const CertManager&);            // hide copy

    CertManager& operator=(const CertManager&); // and assign

extra/yassl/include/openssl/prefix_ssl.h

+1 −0
Original line number Diff line number Diff line
@@ -52,6 +52,7 @@ 
#define SSL_load_error_strings yaSSL_load_error_strings

#define SSL_set_session yaSSL_set_session

#define SSL_get_session yaSSL_get_session

#define SSL_flush_sessions yaSSL_flush_sessions

#define SSL_SESSION_set_timeout yaSSL_SESSION_set_timeout

#define SSL_CTX_set_session_cache_mode yaSSL_CTX_set_session_cache_mode

#define SSL_get_peer_certificate yaSSL_get_peer_certificate

extra/yassl/include/openssl/ssl.h

+6 −3
Original line number Diff line number Diff line
@@ -170,8 +170,9 @@ enum { /* X509 Constants */ 
    X509_V_ERR_CRL_SIGNATURE_FAILURE          = 10,

    X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 11,

    X509_V_ERR_CRL_HAS_EXPIRED                = 12,

    X509_V_ERR_CERT_REVOKED                   = 13



    X509_V_ERR_CERT_REVOKED                   = 13,

    X509_V_FLAG_CRL_CHECK                     = 14,

    X509_V_FLAG_CRL_CHECK_ALL                 = 15

};
@@ -202,7 +203,8 @@ SSL_CTX* SSL_CTX_new(SSL_METHOD*); 
SSL* SSL_new(SSL_CTX*);

int  SSL_set_fd (SSL*, YASSL_SOCKET_T);

YASSL_SOCKET_T SSL_get_fd(const SSL*);

int  SSL_connect(SSL*);

int  SSL_connect(SSL*);                    // if you get an error from connect

                                           // see note at top of REAMDE

int  SSL_write(SSL*, const void*, int);

int  SSL_read(SSL*, void*, int);

int  SSL_accept(SSL*);
@@ -227,6 +229,7 @@ void SSL_load_error_strings(void); 


int          SSL_set_session(SSL *ssl, SSL_SESSION *session);

SSL_SESSION* SSL_get_session(SSL* ssl);

void         SSL_flush_sessions(SSL_CTX *ctx, long tm);

long         SSL_SESSION_set_timeout(SSL_SESSION*, long);

long         SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode);

X509*        SSL_get_peer_certificate(SSL*);

extra/yassl/include/yassl_imp.hpp

+3 −1
Original line number Diff line number Diff line
@@ -667,10 +667,12 @@ struct Parameters { 
    Cipher               suites_[MAX_SUITE_SZ];

    char                 cipher_name_[MAX_SUITE_NAME];

    char                 cipher_list_[MAX_CIPHERS][MAX_SUITE_NAME];

    bool                 removeDH_;                   // for server's later use



    Parameters(ConnectionEnd, const Ciphers&, ProtocolVersion, bool haveDH);



    void SetSuites(ProtocolVersion pv, bool removeDH = false);

    void SetSuites(ProtocolVersion pv, bool removeDH = false,

                   bool removeRSA = false, bool removeDSA = false);

    void SetCipherNames();

private:

    Parameters(const Parameters&);              // hide copy

extra/yassl/include/yassl_int.hpp

+10 −2
Original line number Diff line number Diff line 
/*

   Copyright (C) 2000-2007 MySQL AB

   Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc.



   This program is free software; you can redistribute it and/or modify

   it under the terms of the GNU General Public License as published by
@@ -268,12 +268,14 @@ class Sessions { 
    STL::list<SSL_SESSION*> list_;

    RandomPool random_;                 // for session cleaning

    Mutex      mutex_;                  // no-op for single threaded

    int        count_;                  // flush counter



    Sessions() {}                       // only GetSessions can create

    Sessions() : count_(0) {}           // only GetSessions can create

public: 

    SSL_SESSION* lookup(const opaque*, SSL_SESSION* copy = 0);

    void         add(const SSL&);

    void         remove(const opaque*);

    void         Flush();



    ~Sessions();
@@ -425,8 +427,10 @@ private: 
    pem_password_cb passwordCb_;

    void*           userData_;

    bool            sessionCacheOff_;

    bool            sessionCacheFlushOff_;

    Stats       stats_;

    Mutex       mutex_;         // for Stats

    VerifyCallback  verifyCallback_;

public:

    explicit SSL_CTX(SSL_METHOD* meth);

    ~SSL_CTX();
@@ -437,18 +441,22 @@ public: 
    const Ciphers&    GetCiphers()  const;

    const DH_Parms&   GetDH_Parms() const;

    const Stats&      GetStats()    const;

    const VerifyCallback getVerifyCallback() const;

    pem_password_cb   GetPasswordCb() const;

          void*       GetUserData()   const;

          bool        GetSessionCacheOff() const;

          bool        GetSessionCacheFlushOff() const;



    void setVerifyPeer();

    void setVerifyNone();

    void setFailNoCert();

    void setVerifyCallback(VerifyCallback);

    bool SetCipherList(const char*);

    bool SetDH(const DH&);

    void SetPasswordCb(pem_password_cb cb);

    void SetUserData(void*);

    void SetSessionCacheOff();

    void SetSessionCacheFlushOff();

   

    void            IncrementStats(StatsField);

    void            AddCA(x509* ca);