Updated yassl to yassl-2.3.8

(cherry picked from commit 7f9941eab55ed672bfcccd382dafbdbcfdc75aaa)
2015-09-18 11:18:25 +02:00 · 2015-09-18 11:18:25 +02:00 · b9768521bd
commit b9768521bd
parent 0243a2d432
6 changed files with 31 additions and 3 deletions
--- a/extra/yassl/README
+++ b/extra/yassl/README
@ -12,6 +12,14 @@ before calling SSL_new();
 *** end Note ***
 yaSSL Release notes, version 2.3.8 (9/17/2015)
    This release of yaSSL fixes a high security vulnerability.  All users
    SHOULD update.  If using yaSSL for TLS on the server side with private
    RSA keys allowing ephemeral key exchange you MUST update and regenerate
    the RSA private keys.  This report is detailed in:
    https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
    yaSSL now detects RSA signature faults and returns an error.
 yaSSL Patch notes, version 2.3.7e (6/26/2015)
    This release of yaSSL includes a fix for Date less than comparison.
    Previously yaSSL would return true on less than comparisons if the Dates
--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
@ -35,7 +35,7 @@
 #include "rsa.h"
-#define YASSL_VERSION "2.3.7e"
+#define YASSL_VERSION "2.3.8"
 #if defined(__cplusplus)
--- a/extra/yassl/include/yassl_error.hpp
+++ b/extra/yassl/include/yassl_error.hpp
@ -53,7 +53,8 @@ enum YasslError {
    compress_error      = 118,
    decompress_error    = 119,
    pms_version_error   = 120,
-    sanityCipher_error  = 121
+    sanityCipher_error  = 121,
    rsaSignFault_error  = 122
    // !!!! add error message to .cpp !!!!
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@ -1172,6 +1172,8 @@ void sendCertificateVerify(SSL& ssl, BufferOutput buffer)
    CertificateVerify  verify;
    verify.Build(ssl);
    if (ssl.GetError()) return;
    RecordLayerHeader  rlHeader;
    HandShakeHeader    hsHeader;
    mySTL::auto_ptr<output_buffer> out(NEW_YS output_buffer);
--- a/extra/yassl/src/yassl_error.cpp
+++ b/extra/yassl/src/yassl_error.cpp
@ -148,6 +148,10 @@ void SetErrorString(YasslError error, char* buffer)
        strncpy(buffer, "sanity check on cipher text size error", max);
        break;
    case rsaSignFault_error:
        strncpy(buffer, "rsa signature fault error", max);
        break;
        // openssl errors
    case SSL_ERROR_WANT_READ :
        strncpy(buffer, "the read operation would block", max);
--- a/extra/yassl/src/yassl_imp.cpp
+++ b/extra/yassl/src/yassl_imp.cpp
@ -196,9 +196,16 @@ void DH_Server::build(SSL& ssl)
    sha.update(tmp.get_buffer(), tmp.get_size());
    sha.get_digest(&hash[MD5_LEN]);
-    if (ssl.getSecurity().get_parms().sig_algo_ == rsa_sa_algo)
+    if (ssl.getSecurity().get_parms().sig_algo_ == rsa_sa_algo) {
        auth->sign(signature_, hash, sizeof(hash),
                   ssl.getCrypto().get_random());
        // check for rsa signautre fault
        if (!auth->verify(hash, sizeof(hash), signature_,
                                              auth->get_signatureLength())) {
            ssl.SetError(rsaSignFault_error);
            return;
        }
    }
    else {
        auth->sign(signature_, &hash[MD5_LEN], SHA_LEN,
                   ssl.getCrypto().get_random());
@ -2159,6 +2166,12 @@ void CertificateVerify::Build(SSL& ssl)
        memcpy(sig.get(), len, VERIFY_HEADER);
        rsa.sign(sig.get() + VERIFY_HEADER, hashes_.md5_, sizeof(Hashes),
                 ssl.getCrypto().get_random());
        // check for rsa signautre fault
        if (!rsa.verify(hashes_.md5_, sizeof(Hashes), sig.get() + VERIFY_HEADER,
                                                      rsa.get_cipherLength())) {
            ssl.SetError(rsaSignFault_error);
            return;
        }
    }
    else {  // DSA
        DSS dss(cert.get_privateKey(), cert.get_privateKeyLength(), false);