Bug#20201864 : UPGRADE TO YASSL 2.3.7

Upgrading YaSSL from 2.3.5 to 2.3.7

Reviewed-by : Kristofer Pettersson <[email protected]>
Reviewed-by : Vamsikrishna Bhagi <[email protected]>

Author: harinvadodaria

extra/yassl/README

@@ -12,6 +12,16 @@ before calling SSL_new();
 
 *** end Note ***
 
+yaSSL Release notes, version 2.3.7 (12/10/2014)
+    This release of yaSSL fixes the potential to process duplicate handshake
+    messages by explicitly marking/checking received handshake messages.
+
+yaSSL Release notes, version 2.3.6 (11/25/2014)
+
+    This release of yaSSL fixes some valgrind warnings/errors including
+    uninitialized reads and off by one index errors induced from fuzzing
+    the handshake.  These were reported by Oracle. 
+
 yaSSL Release notes, version 2.3.5 (9/29/2014)
 
     This release of yaSSL fixes an RSA Padding check vulnerability reported by

extra/yassl/examples/client/client.cpp

@@ -18,6 +18,10 @@
 
 /* client.cpp  */
 
+// takes an optional command line argument of cipher list to make scripting
+// easier
+
+
 #include "../../testsuite/test.hpp"
 
 //#define TEST_RESUME
@@ -73,11 +77,16 @@ void client_test(void* args)
 #ifdef NON_BLOCKING
     tcp_set_nonblocking(sockfd);
 #endif
-
     SSL_METHOD* method = TLSv1_client_method();
     SSL_CTX*    ctx = SSL_CTX_new(method);
 
     set_certs(ctx);
+    if (argc >= 2) {
+        printf("setting cipher list to %s\n", argv[1]);
+        if (SSL_CTX_set_cipher_list(ctx, argv[1]) != SSL_SUCCESS) {
+            ClientError(ctx, NULL, sockfd, "set_cipher_list error\n");
+        }
+    }
     SSL* ssl = SSL_new(ctx);
 
     SSL_set_fd(ssl, sockfd);

extra/yassl/examples/server/server.cpp

@@ -18,6 +18,9 @@
 
 /* server.cpp */
 
+// takes 2 optional command line argument to make scripting
+// if the first  command line argument is 'n' client auth is disabled
+// if the second command line argument is 'd' DSA certs are used instead of RSA
 
 #include "../../testsuite/test.hpp"
 
@@ -69,6 +72,9 @@ THREAD_RETURN YASSL_API server_test(void* args)
     char**   argv     = 0;
 
     set_args(argc, argv, *static_cast<func_args*>(args));
+#ifdef SERVER_READY_FILE
+    set_file_ready("server_ready", *static_cast<func_args*>(args));
+#endif
     tcp_accept(sockfd, clientfd, *static_cast<func_args*>(args));
 
     tcp_close(sockfd);
@@ -77,8 +83,21 @@ THREAD_RETURN YASSL_API server_test(void* args)
     SSL_CTX*    ctx = SSL_CTX_new(method);
 
     //SSL_CTX_set_cipher_list(ctx, "RC4-SHA:RC4-MD5");
-    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
-    set_serverCerts(ctx);
+    
+    // should we disable client auth
+    if (argc >= 2 && argv[1][0] == 'n')
+        printf("disabling client auth\n");
+    else
+        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
+
+    // are we using DSA certs
+    if (argc >= 3 && argv[2][0] == 'd') {
+        printf("using DSA certs\n");
+        set_dsaServerCerts(ctx);
+    }
+    else {
+        set_serverCerts(ctx);
+    }
     DH* dh = set_tmpDH(ctx);
 
     SSL* ssl = SSL_new(ctx);

extra/yassl/include/openssl/ssl.h

@@ -35,7 +35,7 @@
 #include "rsa.h"
 
 
-#define YASSL_VERSION "2.3.5"
+#define YASSL_VERSION "2.3.7"
 
 
 #if defined(__cplusplus)

extra/yassl/include/yassl_int.hpp

@@ -107,6 +107,25 @@ enum AcceptState {
 };
 
 
+// track received messages to explicitly disallow duplicate messages
+struct RecvdMessages {
+    uint8 gotClientHello_;
+    uint8 gotServerHello_;
+    uint8 gotCert_;
+    uint8 gotServerKeyExchange_;
+    uint8 gotCertRequest_;
+    uint8 gotServerHelloDone_;
+    uint8 gotCertVerify_;
+    uint8 gotClientKeyExchange_;
+    uint8 gotFinished_;
+    RecvdMessages() : gotClientHello_(0), gotServerHello_(0), gotCert_(0),
+                      gotServerKeyExchange_(0), gotCertRequest_(0),
+                      gotServerHelloDone_(0), gotCertVerify_(0),
+                      gotClientKeyExchange_(0), gotFinished_(0)
+                    {} 
+};
+
+
 // combines all states
 class States {
     RecordLayerState recordLayer_;
@@ -115,6 +134,7 @@ class States {
     ServerState      serverState_;
     ConnectState     connectState_;
     AcceptState      acceptState_;
+    RecvdMessages    recvdMessages_;
     char             errorString_[MAX_ERROR_SZ];
     YasslError       what_;
 public:
@@ -137,6 +157,7 @@ class States {
     AcceptState&      UseAccept();
     char*             useString();
     void              SetError(YasslError);
+    int               SetMessageRecvd(HandShakeType);
 private:
     States(const States&);              // hide copy
     States& operator=(const States&);   // and assign

extra/yassl/src/yassl_imp.cpp

@@ -242,6 +242,7 @@ void EncryptedPreMasterSecret::read(SSL& ssl, input_buffer& input)
     }
 
     opaque preMasterSecret[SECRET_LEN];
+    memset(preMasterSecret, 0, sizeof(preMasterSecret));
     rsa.decrypt(preMasterSecret, secret_, length_, 
                 ssl.getCrypto().get_random());
 
@@ -300,6 +301,11 @@ void ClientDiffieHellmanPublic::read(SSL& ssl, input_buffer& input)
     tmp[1] = input[AUTO];
     ato16(tmp, keyLength);
 
+    if (keyLength < dh.get_agreedKeyLength()/2) {
+        ssl.SetError(bad_input);
+        return;
+    }
+
     alloc(keyLength);
     input.read(Yc_, keyLength);
     if (input.get_error()) {
@@ -408,6 +414,10 @@ void DH_Server::read(SSL& ssl, input_buffer& input)
     tmp[1] = input[AUTO];
     ato16(tmp, length);
 
+    if (length == 0) {
+        ssl.SetError(bad_input);
+        return;
+    }
     signature_ = NEW_YS byte[length];
     input.read(signature_, length);
     if (input.get_error()) {
@@ -864,6 +874,12 @@ void ChangeCipherSpec::Process(input_buffer& input, SSL& ssl)
         return;
     }
 
+    // detect duplicate change_cipher
+    if (ssl.getSecurity().get_parms().pending_ == false) {
+        ssl.order_error();
+        return;
+    }
+
     ssl.useSecurity().use_parms().pending_ = false;
     if (ssl.getSecurity().get_resuming()) {
         if (ssl.getSecurity().get_parms().entity_ == client_end)
@@ -2047,12 +2063,8 @@ input_buffer& operator>>(input_buffer& input, CertificateRequest& request)
         tmp[0] = input[AUTO];
         tmp[1] = input[AUTO];
         ato16(tmp, dnSz);
-        
-        DistinguishedName dn;
-        request.certificate_authorities_.push_back(dn = NEW_YS 
-                                                  byte[REQUEST_HEADER + dnSz]);
-        memcpy(dn, tmp, REQUEST_HEADER);
-        input.read(&dn[REQUEST_HEADER], dnSz);
+       
+        input.set_current(input.get_current() + dnSz);
 
         sz -= dnSz + REQUEST_HEADER;
 
@@ -2191,6 +2203,11 @@ input_buffer& operator>>(input_buffer& input, CertificateVerify& request)
     ato16(tmp, sz);
     request.set_length(sz);
 
+    if (sz == 0) {
+        input.set_error();
+        return input;
+    }
+
     request.signature_ = NEW_YS byte[sz];
     input.read(request.signature_, sz);
 

extra/yassl/src/yassl_int.cpp

@@ -255,6 +255,77 @@ void States::SetError(YasslError ye)
 }
 
 
+// mark message recvd, check for duplicates, return 0 on success
+int States::SetMessageRecvd(HandShakeType hst)
+{
+    switch (hst) {
+        case hello_request:
+            break;  // could send more than one
+
+        case client_hello:
+            if (recvdMessages_.gotClientHello_)
+                return -1;
+            recvdMessages_.gotClientHello_ = 1;
+            break;
+
+        case server_hello:
+            if (recvdMessages_.gotServerHello_)
+                return -1;
+            recvdMessages_.gotServerHello_ = 1;
+            break;
+
+        case certificate:
+            if (recvdMessages_.gotCert_)
+                return -1;
+            recvdMessages_.gotCert_ = 1;
+            break;
+
+        case server_key_exchange:
+            if (recvdMessages_.gotServerKeyExchange_)
+                return -1;
+            recvdMessages_.gotServerKeyExchange_ = 1;
+            break;
+
+        case certificate_request:
+            if (recvdMessages_.gotCertRequest_)
+                return -1;
+            recvdMessages_.gotCertRequest_ = 1;
+            break;
+
+        case server_hello_done:
+            if (recvdMessages_.gotServerHelloDone_)
+                return -1;
+            recvdMessages_.gotServerHelloDone_ = 1;
+            break;
+
+        case certificate_verify:
+            if (recvdMessages_.gotCertVerify_)
+                return -1;
+            recvdMessages_.gotCertVerify_ = 1;
+            break;
+
+        case client_key_exchange:
+            if (recvdMessages_.gotClientKeyExchange_)
+                return -1;
+            recvdMessages_.gotClientKeyExchange_ = 1;
+            break;
+
+        case finished:
+            if (recvdMessages_.gotFinished_)
+                return -1;
+            recvdMessages_.gotFinished_ = 1;
+            break;
+
+
+        default:
+            return -1;
+
+    }
+
+    return 0;
+}
+
+
 sslFactory::sslFactory() :           
         messageFactory_(InitMessageFactory),
         handShakeFactory_(InitHandShakeFactory),
@@ -1199,6 +1270,11 @@ void SSL::verifyState(const HandShakeHeader& hsHeader)
         return;
     }
 
+    if (states_.SetMessageRecvd(hsHeader.get_handshakeType()) != 0) {
+        order_error();
+        return;
+    }
+
     if (secure_.get_parms().entity_ == client_end)
         verifyClientState(hsHeader.get_handshakeType());
     else

extra/yassl/taocrypt/src/asn.cpp

@@ -672,7 +672,7 @@ word32 CertDecoder::GetSignature()
     }
 
     sigLength_ = GetLength(source_);
-    if (sigLength_ == 0 || source_.IsLeft(sigLength_) == false) {
+    if (sigLength_ <= 1 || source_.IsLeft(sigLength_) == false) {
         source_.SetError(CONTENT_E);
         return 0;
     }
@@ -1001,11 +1001,17 @@ bool CertDecoder::ConfirmSignature(Source& pub)
         RSA_PublicKey pubKey(pub);
         RSAES_Encryptor enc(pubKey);
 
+        if (pubKey.FixedCiphertextLength() != sigLength_) {
+            source_.SetError(SIG_LEN_E);
+            return false;
+        }
+
         return enc.SSL_Verify(build.get_buffer(), build.size(), signature_);
     }
     else  { // DSA
         // extract r and s from sequence
         byte seqDecoded[DSA_SIG_SZ];
+        memset(seqDecoded, 0, sizeof(seqDecoded));
         DecodeDSA_Signature(seqDecoded, signature_, sigLength_);
 
         DSA_PublicKey pubKey(pub);

extra/yassl/taocrypt/src/integer.cpp

@@ -2605,18 +2605,20 @@ void Integer::Decode(Source& source)
 void Integer::Decode(const byte* input, unsigned int inputLen, Signedness s)
 {
     unsigned int idx(0);
-    byte b = input[idx++];
+    byte b = 0; 
+    if (inputLen>0)
+        b = input[idx];   // peek
     sign_  = ((s==SIGNED) && (b & 0x80)) ? NEGATIVE : POSITIVE;
 
     while (inputLen>0 && (sign_==POSITIVE ? b==0 : b==0xff))
     {
-        inputLen--;
-        b = input[idx++];
+        idx++;   // skip
+        if (--inputLen>0)
+            b = input[idx];  // peek
     }
 
     reg_.CleanNew(RoundupSize(BytesToWords(inputLen)));
 
-    --idx;
     for (unsigned int i=inputLen; i > 0; i--)
     {
         b = input[idx++];