Merge from CDK: Upgrade YaSSL to 2.4.2.

Author: rsomla1

cdk/extra/yassl/CMakeLists.txt

@@ -17,10 +17,9 @@ INCLUDE(install_macros)
 INCLUDE(msvc)
 
 INCLUDE_DIRECTORIES(
- ${CMAKE_BINARY_DIR}/include
- ${CMAKE_CURRENT_SOURCE_DIR}/include
- ${CMAKE_CURRENT_SOURCE_DIR}/taocrypt/include
- ${CMAKE_CURRENT_SOURCE_DIR}/taocrypt/mySTL)
+  ${CMAKE_CURRENT_SOURCE_DIR}/include
+  ${CMAKE_CURRENT_SOURCE_DIR}/taocrypt/include
+  ${CMAKE_CURRENT_SOURCE_DIR}/taocrypt/mySTL)
 
 ADD_DEFINITIONS(${SSL_DEFINES})
 
@@ -49,8 +48,8 @@ CHECK_TYPE_SIZE("long long" SIZEOF_LONG_LONG)
 ADD_DEFINITIONS(-DSIZEOF_LONG=${SIZEOF_LONG} -DSIZEOF_LONG_LONG=${SIZEOF_LONG_LONG})
 
 SET(YASSL_SOURCES  src/buffer.cpp src/cert_wrapper.cpp src/crypto_wrapper.cpp src/handshake.cpp src/lock.cpp
-				src/log.cpp src/socket_wrapper.cpp src/ssl.cpp src/timer.cpp src/yassl_error.cpp
-				src/yassl_imp.cpp src/yassl_int.cpp)
+        src/log.cpp src/socket_wrapper.cpp src/ssl.cpp src/timer.cpp src/yassl_error.cpp
+        src/yassl_imp.cpp src/yassl_int.cpp)
 
 ADD_LIBRARY(yassl STATIC ${YASSL_SOURCES})
 #RESTRICT_SYMBOL_EXPORTS(yassl)
@@ -68,4 +67,4 @@ ENDIF()
 #  if(NOT WINDOWS_RUNTIME_MD)
 #    CHANGE_MD_2_MT()
 #  endif()
-#endif()
+#endif()

cdk/extra/yassl/README

@@ -2,7 +2,7 @@
 
 yaSSL takes a different approach to certificate verification than OpenSSL does.
 The default policy for the client is to verify the server, this means that if
-you don't load CAs to verify the server you'll get a connect error, unable to 
+you don't load CAs to verify the server you'll get a connect error, unable to
 verify.  It you want to mimic OpenSSL behavior of not verifying the server and
 reducing security you can do this by calling:
 
@@ -12,6 +12,66 @@ before calling SSL_new();
 
 *** end Note ***
 
+yaSSL Release notes, version 2.4.2 (9/22/2016)
+    This release of yaSSL fixes a medium security vulnerability. A fix for
+    potential AES side channel leaks is included that a local user monitoring
+    the same CPU core cache could exploit.  VM users, hyper-threading users,
+    and users where potential attackers have access to the CPU cache will need
+    to update if they utilize AES.
+
+    DSA padding fixes for unusual sizes is included as well.  Users with DSA
+    certficiates should update.
+
+yaSSL Release notes, version 2.4.0 (5/20/2016)
+    This release of yaSSL fixes the OpenSSL compatibility function
+    SSL_CTX_load_verify_locations() when using the path directory to allow
+    unlimited path sizes.  Minor Windows build fixes are included.
+    No high level security fixes in this version but we always recommend
+    updating.
+
+
+yaSSL Release notes, version 2.3.9b (2/03/2016)
+    This release of yaSSL fixes the OpenSSL compatibility function
+    X509_NAME_get_index_by_NID() to use the actual index of the common name
+    instead of searching on the format prefix.  Thanks for the report from
+    [email protected]  .  Anyone using this function should update.
+
+yaSSL Release notes, version 2.3.9 (12/01/2015)
+    This release of yaSSL fixes two client side Diffie-Hellman problems.
+    yaSSL was only handling the cases of zero or one leading zeros for the key
+    agreement instead of potentially any number.  This caused about 1 in 50,000
+    connections to fail when using DHE cipher suites.  The second problem was
+    the case where a server would send a public value shorter than the prime
+    value, causing about 1 in 128 client connections to fail, and also
+    caused the yaSSL client to read off the end of memory.  All client side
+    DHE cipher suite users should update.
+    Thanks to Adam Langely ([email protected]) for the detailed report!
+
+yaSSL Release notes, version 2.3.8 (9/17/2015)
+    This release of yaSSL fixes a high security vulnerability.  All users
+    SHOULD update.  If using yaSSL for TLS on the server side with private
+    RSA keys allowing ephemeral key exchange you MUST update and regenerate
+    the RSA private keys.  This report is detailed in:
+    https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
+    yaSSL now detects RSA signature faults and returns an error.
+
+yaSSL Patch notes, version 2.3.7e (6/26/2015)
+    This release of yaSSL includes a fix for Date less than comparison.
+    Previously yaSSL would return true on less than comparisons if the Dates
+    were equal. Reported by Oracle. No security problem, but if a cert was
+    generated right now, a server started using it in the same second, and a
+    client tried to verify it in the same second it would report not yet valid.
+
+yaSSL Patch notes, version 2.3.7d (6/22/2015)
+    This release of yaSSL includes a fix for input_buffer set_current with
+    index 0.  SSL_peek() at front of waiting data could trigger.  Robert
+    Golebiowski of Oracle identified and suggested a fix, thanks!
+
+yaSSL Patch notes, version 2.3.7c (6/12/2015)
+    This release of yaSSL does certificate DATE comparisons to the second
+    instead of to the minute, helpful when using freshly generated certs.
+    Though keep in mind that time sync differences could still show up.
+
 yaSSL Patch notes, version 2.3.7b (3/18/2015)
     This release of yaSSL fixes a potential crash with corrupted private keys.
     Also detects bad keys earlier for user.
@@ -24,7 +84,7 @@ yaSSL Release notes, version 2.3.6 (11/25/2014)
 
     This release of yaSSL fixes some valgrind warnings/errors including
     uninitialized reads and off by one index errors induced from fuzzing
-    the handshake.  These were reported by Oracle. 
+    the handshake.  These were reported by Oracle.
 
 yaSSL Release notes, version 2.3.5 (9/29/2014)
 
@@ -113,7 +173,7 @@ See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 
     This release of yaSSL contains bug fixes, the removal of assert() s and
     a security patch for a buffer overflow possibility in certificate name
-    processing. 
+    processing.
 
 See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
@@ -141,15 +201,15 @@ See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 *****************yaSSL Release notes, version 1.9.2 (9/24/08)
 
     This release of yaSSL contains bug fixes and improved certificate verify
-    callback support. 
+    callback support.
 
 See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 
 
 *****************yaSSL Release notes, version 1.8.8 (5/7/08)
 
-    This release of yaSSL contains bug fixes, and better socket handling. 
+    This release of yaSSL contains bug fixes, and better socket handling.
 
 See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
@@ -159,7 +219,7 @@ See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 
     This release of yaSSL contains bug fixes, and fixes security problems
     associated with using SSL 2.0 client hellos and improper input handling.
-    Please upgrade to this version if you are using a previous one. 
+    Please upgrade to this version if you are using a previous one.
 
 See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
@@ -168,7 +228,7 @@ See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 *****************yaSSL Release notes, version 1.7.5 (10/15/07)
 
     This release of yaSSL contains bug fixes, adds MSVC 2005 project support,
-    GCC 4.2 support, IPV6 support and test, and new test certificates. 
+    GCC 4.2 support, IPV6 support and test, and new test certificates.
 
 See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
@@ -177,7 +237,7 @@ See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 *****************yaSSL Release notes, version 1.7.2 (8/20/07)
 
     This release of yaSSL contains bug fixes and adds initial OpenVPN support.
-    Just configure at this point and beginning of build. 
+    Just configure at this point and beginning of build.
 
 See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
@@ -208,8 +268,8 @@ See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 
 
     Since yaSSL now supports zlib, as does libcurl, the libcurl build test can
-    fail if yaSSL is built with zlib support since the zlib library isn't 
-    passed.  You can do two things to fix this: 
+    fail if yaSSL is built with zlib support since the zlib library isn't
+    passed.  You can do two things to fix this:
 
         1) build yaSSL w/o zlib --without-zlib
         2) or add flags to curl configure LDFLAGS="-lm -lz"
@@ -223,7 +283,7 @@ See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 
         SSL_METHOD *TLSv1_1_server_method(void);
         SSL_METHOD *TLSv1_1_client_method(void);
-    
+
     or the SSLv23 versions (even though yaSSL doesn't support SSL 2.0 the v23
     means to pick the highest of SSL 3.0, TLS 1.0, or TLS 1.1).
 
@@ -260,7 +320,7 @@ See libcurl build instructions below under 1.3.0.
         2) follow the instructions in zlib from projects/visualc6/README.txt
            for how to add the zlib project into the yaSSL workspace noting that
            you'll need to add configuration support for "Win32 Debug" and
-           "Win32 Release" in note 3 under "To use:". 
+           "Win32 Release" in note 3 under "To use:".
         3) define HAVE_LIBZ when building yaSSL
 
 
@@ -272,7 +332,7 @@ See libcurl build instructions below under 1.3.0.
 
 
     This release of yaSSL contains bug fixes, portability enhancements,
-    nonblocking connect and accept, better OpenSSL error mapping, and 
+    nonblocking connect and accept, better OpenSSL error mapping, and
     certificate caching for session resumption.
 
 See normal  build instructions below under 1.0.6.
@@ -283,7 +343,7 @@ See libcurl build instructions below under 1.3.0.
 
 
     This release of yaSSL contains bug fixes, portability enhancements,
-    and libcurl 7.15.4 support (any newer versions may not build). 
+    and libcurl 7.15.4 support (any newer versions may not build).
 
 See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0.
@@ -325,12 +385,12 @@ See normal build instructions below under 1.0.6.
 
 --To build for libcurl on Win32:
 
-    Simply add the yaSSL project as a dependency to libcurl, add 
+    Simply add the yaSSL project as a dependency to libcurl, add
     yaSSL-Home\include and yaSSL-Home\include\openssl to the include list, and
     define USE_SSLEAY and USE_OPENSSL
 
     please email [email protected] if you have any questions.
-    
+
 
 *******************yaSSL Release notes, version 1.2.2 (03/27/06)
 
@@ -523,8 +583,8 @@ Please see build instructions in release notes 0.3.0.
 ******************yaSSL Release notes, version 0.4.0
 
 This release of yaSSL contains minor bug fixes, an optional memory tracker,
-an echo client and server with input/output redirection for load testing, 
-and initial session caching support. 
+an echo client and server with input/output redirection for load testing,
+and initial session caching support.
 
 
 Please see build instructions in release notes 0.3.0.
@@ -572,7 +632,7 @@ See the notes at the bottom of this page for build instructions.
 *******************yaSSL Release notes, version 0.2.0
 
 This release of yaSSL contains minor bug fixes and initial alternate crypto
-functionality. 
+functionality.
 
 *** Complete Build ***
 
@@ -588,7 +648,7 @@ gzip -cd yassl-update-0.2.0.tar.gz | tar xvf -
 
 to update the previous release.
 
-Then issue the make command on linux or rebuild the yaSSL project on Windows. 
+Then issue the make command on linux or rebuild the yaSSL project on Windows.
 
 *******************yaSSL Release notes, version 0.1.0
 
@@ -648,7 +708,7 @@ Building yassl on linux:
 
 use the ./buildall script to build everything.
 
-buildall will configure and build CML, CryptoPP, and yassl.  Testing was 
+buildall will configure and build CML, CryptoPP, and yassl.  Testing was
 preformed with gcc version 3.3.2 on kernel 2.4.22.
 
 

cdk/extra/yassl/certs/dsa-cert.pem

@@ -1,22 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDqzCCA2ugAwIBAgIJAMGqrgDU6DyhMAkGByqGSM44BAMwgY4xCzAJBgNVBAYT
+MIIDrzCCA2+gAwIBAgIJAK1zRM7YFcNjMAkGByqGSM44BAMwgZAxCzAJBgNVBAYT
 AlVTMQ8wDQYDVQQIDAZPcmVnb24xETAPBgNVBAcMCFBvcnRsYW5kMRAwDgYDVQQK
-DAd3b2xmU1NMMRAwDgYDVQQLDAd0ZXN0aW5nMRYwFAYDVQQDDA13d3cueWFzc2wu
-Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTEzMDQyMjIw
-MDk0NFoXDTE2MDExNzIwMDk0NFowgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZP
-cmVnb24xETAPBgNVBAcMCFBvcnRsYW5kMRAwDgYDVQQKDAd3b2xmU1NMMRAwDgYD
-VQQLDAd0ZXN0aW5nMRYwFAYDVQQDDA13d3cueWFzc2wuY29tMR8wHQYJKoZIhvcN
-AQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBuDCCASwGByqGSM44BAEwggEfAoGBAL1R
-7koy4IrH6sbh6nDEUUPPKgfhxxLCWCVexF2+qzANEr+hC9M002haJXFOfeS9DyoO
-WFbL0qMZOuqv+22CaHnoUWl7q3PjJOAI3JH0P54ZyUPuU1909RzgTdIDp5+ikbr7
-KYjnltL73FQVMbjTZQKthIpPn3MjYcF+4jp2W2zFAhUAkcntYND6MGf+eYzIJDN2
-L7SonHUCgYEAklpxErfqznIZjVvqqHFaq+mgAL5J8QrKVmdhYZh/Y8z4jCjoCA8o
-TDoFKxf7s2ZzgaPKvglaEKiYqLqic9qY78DYJswzQMLFvjsF4sFZ+pYCBdWPQI4N
-PgxCiznK6Ce+JH9ikSBvMvG+tevjr2UpawDIHX3+AWYaZBZwKADAaboDgYUAAoGB
-AJ3LY89yHyvQ/TsQ6zlYbovjbk/ogndsMqPdNUvL4RuPTgJP/caaDDa0XJ7ak6A7
-TJ+QheLNwOXoZPYJC4EGFSDAXpYniGhbWIrVTCGe6lmZDfnx40WXS0kk3m/DHaC0
-3ElLAiybxVGxyqoUfbT3Zv1JwftWMuiqHH5uADhdXuXVo1AwTjAdBgNVHQ4EFgQU
-IJjk416o4v8qpH9LBtXlR9v8gccwHwYDVR0jBBgwFoAUIJjk416o4v8qpH9LBtXl
-R9v8gccwDAYDVR0TBAUwAwEB/zAJBgcqhkjOOAQDAy8AMCwCFCjGKIdOSV12LcTu
-k08owGM6YkO1AhQe+K173VuaO/OsDNsxZlKpyH8+1g==
+DAd3b2xmU1NMMRAwDgYDVQQLDAd0ZXN0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwOTIy
+MjEyMzA0WhcNMjIwMzE1MjEyMzA0WjCBkDELMAkGA1UEBhMCVVMxDzANBgNVBAgM
+Bk9yZWdvbjERMA8GA1UEBwwIUG9ydGxhbmQxEDAOBgNVBAoMB3dvbGZTU0wxEDAO
+BgNVBAsMB3Rlc3RpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCAbgwggEsBgcqhkjOOAQBMIIBHwKB
+gQC9Ue5KMuCKx+rG4epwxFFDzyoH4ccSwlglXsRdvqswDRK/oQvTNNNoWiVxTn3k
+vQ8qDlhWy9KjGTrqr/ttgmh56FFpe6tz4yTgCNyR9D+eGclD7lNfdPUc4E3SA6ef
+opG6+ymI55bS+9xUFTG402UCrYSKT59zI2HBfuI6dltsxQIVAJHJ7WDQ+jBn/nmM
+yCQzdi+0qJx1AoGBAJJacRK36s5yGY1b6qhxWqvpoAC+SfEKylZnYWGYf2PM+Iwo
+6AgPKEw6BSsX+7Nmc4Gjyr4JWhComKi6onPamO/A2CbMM0DCxb47BeLBWfqWAgXV
+j0CODT4MQos5yugnviR/YpEgbzLxvrXr469lKWsAyB19/gFmGmQWcCgAwGm6A4GF
+AAKBgQCdy2PPch8r0P07EOs5WG6L425P6IJ3bDKj3TVLy+Ebj04CT/3Gmgw2tFye
+2pOgO0yfkIXizcDl6GT2CQuBBhUgwF6WJ4hoW1iK1UwhnupZmQ358eNFl0tJJN5v
+wx2gtNxJSwIsm8VRscqqFH2092b9ScH7VjLoqhx+bgA4XV7l1aNQME4wHQYDVR0O
+BBYEFCCY5ONeqOL/KqR/SwbV5Ufb/IHHMB8GA1UdIwQYMBaAFCCY5ONeqOL/KqR/
+SwbV5Ufb/IHHMAwGA1UdEwQFMAMBAf8wCQYHKoZIzjgEAwMvADAsAhQRYSCVN/Ge
+agV3mffU3qNZ92fI0QIUPH7Jp+iASI7U1ocaYDc10qXGaGY=
 -----END CERTIFICATE-----

cdk/extra/yassl/include/crypto_wrapper.hpp

@@ -17,7 +17,7 @@
 */
 
 
-/*  The crypto wrapper header is used to define policies for the cipher 
+/*  The crypto wrapper header is used to define policies for the cipher
  *  components used by SSL.  There are 3 policies to consider:
  *
  *  1) MAC, the Message Authentication Code used for each Message
@@ -174,7 +174,7 @@ class HMAC_RMD : public Digest {
 };
 
 
-// BulkCipher policy should implement encrypt, decrypt, get block size, 
+// BulkCipher policy should implement encrypt, decrypt, get block size,
 // and set keys for encrypt and decrypt
 struct BulkCipher : public virtual_base {
     virtual void   encrypt(byte*, const byte*, unsigned int) = 0;
@@ -318,7 +318,7 @@ struct Auth : public virtual_base {
 // For use with NULL Authentication schemes
 struct NO_Auth : public Auth {
     void   sign(byte*, const byte*, unsigned int, const RandomPool&) {}
-    bool   verify(const byte*, unsigned int, const byte*, unsigned int) 
+    bool   verify(const byte*, unsigned int, const byte*, unsigned int)
                     { return true; }
 };
 
@@ -372,11 +372,12 @@ class DiffieHellman  {
     DiffieHellman(const Integer&, const Integer&, const RandomPool&);
     ~DiffieHellman();
 
-    DiffieHellman(const DiffieHellman&);  
+    DiffieHellman(const DiffieHellman&);
     DiffieHellman& operator=(const DiffieHellman&);
 
     uint        get_agreedKeyLength() const;
     const byte* get_agreedKey()       const;
+    uint        get_publicKeyLength() const;
     const byte* get_publicKey()       const;
     void        makeAgreement(const byte*, unsigned int);
 

cdk/extra/yassl/include/openssl/generate_prefix_files.pl

@@ -34,7 +34,7 @@
 #include "rsa.h"
 
 
-#define YASSL_VERSION "2.3.7b"
+#define YASSL_VERSION "2.4.2"
 
 
 #if defined(__cplusplus)
@@ -335,9 +335,6 @@ enum { /* ssl Constants */
     SSL_OP_ALL                              = 61,
     SSL_OP_SINGLE_DH_USE                    = 62,
     SSL_OP_EPHEMERAL_RSA                    = 63,
-    SSL_OP_NO_SSLv2                         = 64,
-    SSL_OP_NO_SSLv3                         = 65,
-    SSL_OP_NO_TLSv1                         = 66,
     SSL_OP_PKCS1_CHECK_1                    = 67,
     SSL_OP_PKCS1_CHECK_2                    = 68,
     SSL_OP_NETSCAPE_CA_DN_BUG               = 69,
@@ -358,8 +355,12 @@ enum { /* ssl Constants */
     SSL_RECEIVED_SHUTDOWN = 94,
     SSL_CB_ALERT          = 95,
     SSL_CB_READ           = 96,
-    SSL_CB_HANDSHAKE_DONE = 97
+    SSL_CB_HANDSHAKE_DONE = 97,
 
+    SSL_OP_NO_SSLv2                         = 128,
+    SSL_OP_NO_SSLv3                         = 256,
+    SSL_OP_NO_TLSv1                         = 512,
+    SSL_OP_NO_TLSv1_1                       = 1024,
 };
 
 

cdk/extra/yassl/include/openssl/ssl.h

@@ -53,7 +53,8 @@ enum YasslError {
     compress_error      = 118,
     decompress_error    = 119,
     pms_version_error   = 120,
-    sanityCipher_error  = 121
+    sanityCipher_error  = 121,
+    rsaSignFault_error  = 122
 
     // !!!! add error message to .cpp !!!!