From 1d94461365a9bd97d22ead3a2d339af6b741f916 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 16 Dec 2011 12:22:47 +0100 Subject: [PATCH 01/14] Raise version number after cloning 5.0.95 --- configure.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.in b/configure.in index a06f726c738..908171ca857 100644 --- a/configure.in +++ b/configure.in @@ -7,7 +7,7 @@ AC_INIT(sql/mysqld.cc) AC_CANONICAL_SYSTEM # The Docs Makefile.am parses this line! # remember to also change ndb version below and update version.c in ndb -AM_INIT_AUTOMAKE(mysql, 5.0.95) +AM_INIT_AUTOMAKE(mysql, 5.0.96) AM_CONFIG_HEADER([include/config.h:config.h.in]) PROTOCOL_VERSION=10 @@ -23,7 +23,7 @@ NDB_SHARED_LIB_VERSION=$NDB_SHARED_LIB_MAJOR_VERSION:0:0 # ndb version NDB_VERSION_MAJOR=5 NDB_VERSION_MINOR=0 -NDB_VERSION_BUILD=95 +NDB_VERSION_BUILD=96 NDB_VERSION_STATUS="" # Set all version vars based on $VERSION. How do we do this more elegant ? From c67d63ca5baecb84426d584a07a571c97f448bb7 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 16 Dec 2011 12:24:05 +0100 Subject: [PATCH 02/14] Raise version number after cloning 5.1.61 --- configure.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.in b/configure.in index 080de523c1b..fb6155aa0be 100644 --- a/configure.in +++ b/configure.in @@ -12,7 +12,7 @@ dnl dnl When changing the major version number please also check the switch dnl statement in mysqlbinlog::check_master_version(). You may also need dnl to update version.c in ndb. -AC_INIT([MySQL Server], [5.1.61], [], [mysql]) +AC_INIT([MySQL Server], [5.1.62], [], [mysql]) AC_CONFIG_SRCDIR([sql/mysqld.cc]) AC_CANONICAL_SYSTEM From 86505c3c545d3866a85464b0762b452d85599993 Mon Sep 17 00:00:00 2001 From: Vasil Dimov Date: Thu, 22 Dec 2011 12:55:44 +0200 Subject: [PATCH 03/14] Fix Bug#13510739 63775: SERVER CRASH ON HANDLER READ NEXT AFTER DELETE RECORD. CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB; INSERT INTO bug13510739 VALUES (1), (2), (3), (4); DELETE FROM bug13510739 WHERE c=2; HANDLER bug13510739 OPEN; HANDLER bug13510739 READ `primary` = (2); HANDLER bug13510739 READ `primary` NEXT; <-- crash The bug is that in the particular testcase row_search_for_mysql() picked up a delete-marked record and quit, leaving the cursor non-positioned state and on the subsequent 'get next' call the code crashed because of the non-positioned cursor. In row0sel.cc (line numbers from mysql-trunk): 4653 if (rec_get_deleted_flag(rec, comp)) { ... 4679 if (index == clust_index && unique_search) { 4680 4681 err = DB_RECORD_NOT_FOUND; 4682 4683 goto normal_return; 4684 } it quit from here, not storing the cursor position. In contrast, if the record=2 is not found at all (e.g. sleep(1) after DELETE to let the purge wipe it away completely) then 'get = 2' does find record=3 and quits from here: 4366 if (0 != cmp_dtuple_rec(search_tuple, rec, offsets)) { ... 4394 btr_pcur_store_position(pcur, &mtr); 4395 4396 err = DB_RECORD_NOT_FOUND; 4397 #if 0 4398 ut_print_name(stderr, trx, FALSE, index->name); 4399 fputs(" record not found 3\n", stderr); 4400 #endif 4401 4402 goto normal_return; Another fix could be to extend the condition on line 4366 to hold only if seach_tuple matches rec AND if rec is not delete marked. Notice that in the above test case if we wait about 1 second somewhere after DELETE and before 'get = 2', then the testcase does not crash and returns 4 instead. Not sure if this is the correct behavior, but this bugfix removes the crash and makes the code return what it also returns in the non-crashing case (if rec=2 is not found during 'get = 2', e.g. we have sleep(1) there). Approved by: Marko (http://bur03.no.oracle.com/rb/r/863/) --- .../suite/innodb/r/innodb_bug13510739.result | 10 ++++++++++ .../suite/innodb/t/innodb_bug13510739.test | 20 +++++++++++++++++++ .../innodb_plugin/r/innodb_bug13510739.result | 10 ++++++++++ .../innodb_plugin/t/innodb_bug13510739.test | 20 +++++++++++++++++++ storage/innobase/row/row0sel.c | 4 +++- storage/innodb_plugin/ChangeLog | 5 +++++ storage/innodb_plugin/row/row0sel.c | 4 +++- 7 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 mysql-test/suite/innodb/r/innodb_bug13510739.result create mode 100644 mysql-test/suite/innodb/t/innodb_bug13510739.test create mode 100644 mysql-test/suite/innodb_plugin/r/innodb_bug13510739.result create mode 100644 mysql-test/suite/innodb_plugin/t/innodb_bug13510739.test diff --git a/mysql-test/suite/innodb/r/innodb_bug13510739.result b/mysql-test/suite/innodb/r/innodb_bug13510739.result new file mode 100644 index 00000000000..8aa4323eeb0 --- /dev/null +++ b/mysql-test/suite/innodb/r/innodb_bug13510739.result @@ -0,0 +1,10 @@ +CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB; +INSERT INTO bug13510739 VALUES (1), (2), (3), (4); +DELETE FROM bug13510739 WHERE c=2; +HANDLER bug13510739 OPEN; +HANDLER bug13510739 READ `primary` = (2); +c +HANDLER bug13510739 READ `primary` NEXT; +c +4 +DROP TABLE bug13510739; diff --git a/mysql-test/suite/innodb/t/innodb_bug13510739.test b/mysql-test/suite/innodb/t/innodb_bug13510739.test new file mode 100644 index 00000000000..f10bcd8e272 --- /dev/null +++ b/mysql-test/suite/innodb/t/innodb_bug13510739.test @@ -0,0 +1,20 @@ +# +# Bug#13510739 63775: SERVER CRASH ON HANDLER READ NEXT AFTER DELETE RECORD. +# + +-- source include/have_innodb.inc + +CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB; + +INSERT INTO bug13510739 VALUES (1), (2), (3), (4); + +DELETE FROM bug13510739 WHERE c=2; + +HANDLER bug13510739 OPEN; + +HANDLER bug13510739 READ `primary` = (2); + +# this one crashes the server if the bug is present +HANDLER bug13510739 READ `primary` NEXT; + +DROP TABLE bug13510739; diff --git a/mysql-test/suite/innodb_plugin/r/innodb_bug13510739.result b/mysql-test/suite/innodb_plugin/r/innodb_bug13510739.result new file mode 100644 index 00000000000..8aa4323eeb0 --- /dev/null +++ b/mysql-test/suite/innodb_plugin/r/innodb_bug13510739.result @@ -0,0 +1,10 @@ +CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB; +INSERT INTO bug13510739 VALUES (1), (2), (3), (4); +DELETE FROM bug13510739 WHERE c=2; +HANDLER bug13510739 OPEN; +HANDLER bug13510739 READ `primary` = (2); +c +HANDLER bug13510739 READ `primary` NEXT; +c +4 +DROP TABLE bug13510739; diff --git a/mysql-test/suite/innodb_plugin/t/innodb_bug13510739.test b/mysql-test/suite/innodb_plugin/t/innodb_bug13510739.test new file mode 100644 index 00000000000..b8ffcc7b22b --- /dev/null +++ b/mysql-test/suite/innodb_plugin/t/innodb_bug13510739.test @@ -0,0 +1,20 @@ +# +# Bug#13510739 63775: SERVER CRASH ON HANDLER READ NEXT AFTER DELETE RECORD. +# + +-- source include/have_innodb_plugin.inc + +CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB; + +INSERT INTO bug13510739 VALUES (1), (2), (3), (4); + +DELETE FROM bug13510739 WHERE c=2; + +HANDLER bug13510739 OPEN; + +HANDLER bug13510739 READ `primary` = (2); + +# this one crashes the server if the bug is present +HANDLER bug13510739 READ `primary` NEXT; + +DROP TABLE bug13510739; diff --git a/storage/innobase/row/row0sel.c b/storage/innobase/row/row0sel.c index 9ab6424a012..915cc8339d4 100644 --- a/storage/innobase/row/row0sel.c +++ b/storage/innobase/row/row0sel.c @@ -4208,7 +4208,9 @@ no_gap_lock: applicable to unique secondary indexes. Current behaviour is to widen the scope of a lock on an already delete marked record if the same record is deleted twice by the same transaction */ - if (index == clust_index && unique_search) { + if (index == clust_index && unique_search + && !prebuilt->used_in_HANDLER) { + err = DB_RECORD_NOT_FOUND; goto normal_return; diff --git a/storage/innodb_plugin/ChangeLog b/storage/innodb_plugin/ChangeLog index d836b390c52..ab0c68ee297 100644 --- a/storage/innodb_plugin/ChangeLog +++ b/storage/innodb_plugin/ChangeLog @@ -1,3 +1,8 @@ +2011-12-22 The InnoDB Team + + * row/row0sel.c: + Fix Bug#63775 Server crash on handler read next after delete record. + 2011-12-13 The InnoDB Team * handler/ha_innodb.cc, innodb.test, innodb.result: diff --git a/storage/innodb_plugin/row/row0sel.c b/storage/innodb_plugin/row/row0sel.c index 32f21dbe198..54172e71a47 100644 --- a/storage/innodb_plugin/row/row0sel.c +++ b/storage/innodb_plugin/row/row0sel.c @@ -4362,7 +4362,9 @@ no_gap_lock: applicable to unique secondary indexes. Current behaviour is to widen the scope of a lock on an already delete marked record if the same record is deleted twice by the same transaction */ - if (index == clust_index && unique_search) { + if (index == clust_index && unique_search + && !prebuilt->used_in_HANDLER) { + err = DB_RECORD_NOT_FOUND; goto normal_return; From b8291e2b60b311b621b15aff1dfec817da1bbf4c Mon Sep 17 00:00:00 2001 From: Jon Olav Hauglid Date: Mon, 9 Jan 2012 11:28:02 +0100 Subject: [PATCH 04/14] Backport from mysql-trunk of: ------------------------------------------------------------ revno: 3258 committer: Jon Olav Hauglid branch nick: mysql-trunk-bug12663165 timestamp: Thu 2011-07-14 10:05:12 +0200 message: Bug#12663165 SP DEAD CODE REMOVAL DOESN'T UNDERSTAND CONTINUE HANDLERS When stored routines are loaded, a simple optimizer tries to locate and remove dead code. The problem was that this dead code removal did not work correctly with CONTINUE handlers. If a statement triggers a CONTINUE handler, the following statement will be executed after the handler statement has completed. This means that the following statement is not dead code even if the previous statement unconditionally alters control flow. This fact was lost on the dead code removal routine, which ended up with removing instructions that could have been executed. This could then lead to assertions, crashes and generally bad behavior when the stored routine was executed. This patch fixes the problem by marking as live code all stored routine instructions that are in the same scope as a CONTINUE handler. Test case added to sp.test. --- mysql-test/r/sp.result | 20 ++++++++++++++++++++ mysql-test/t/sp.test | 29 +++++++++++++++++++++++++++++ sql/sp_head.cc | 17 +++++++++++++++++ sql/sp_head.h | 12 +++++++++++- sql/sql_yacc.yy | 12 +++++++++--- 5 files changed, 86 insertions(+), 4 deletions(-) diff --git a/mysql-test/r/sp.result b/mysql-test/r/sp.result index f5ed4fbd901..11d6ff02756 100644 --- a/mysql-test/r/sp.result +++ b/mysql-test/r/sp.result @@ -7087,6 +7087,26 @@ COUNT(DISTINCT d) 2 DROP FUNCTION f1; DROP TABLE t1, t2; +# +# Bug#12663165 SP DEAD CODE REMOVAL DOESN'T UNDERSTAND CONTINUE HANDLERS +# +DROP FUNCTION IF EXISTS f1; +CREATE FUNCTION f1() RETURNS INT +BEGIN +DECLARE CONTINUE HANDLER FOR SQLEXCEPTION BEGIN END; +BEGIN +DECLARE CONTINUE HANDLER FOR SQLEXCEPTION RETURN f1(); +BEGIN +DECLARE CONTINUE HANDLER FOR SQLEXCEPTION RETURN f1(); +RETURN f1(); +END; +END; +RETURN 1; +END $ +SELECT f1(); +f1() +1 +DROP FUNCTION f1; # ------------------------------------------------------------------ # -- End of 5.1 tests # ------------------------------------------------------------------ diff --git a/mysql-test/t/sp.test b/mysql-test/t/sp.test index 141d1604065..ae4e1dd588e 100644 --- a/mysql-test/t/sp.test +++ b/mysql-test/t/sp.test @@ -8397,6 +8397,35 @@ DROP FUNCTION f1; DROP TABLE t1, t2; +--echo # +--echo # Bug#12663165 SP DEAD CODE REMOVAL DOESN'T UNDERSTAND CONTINUE HANDLERS +--echo # + +--disable_warnings +DROP FUNCTION IF EXISTS f1; +--enable_warnings + +delimiter $; +CREATE FUNCTION f1() RETURNS INT +BEGIN + DECLARE CONTINUE HANDLER FOR SQLEXCEPTION BEGIN END; + BEGIN + DECLARE CONTINUE HANDLER FOR SQLEXCEPTION RETURN f1(); + BEGIN + DECLARE CONTINUE HANDLER FOR SQLEXCEPTION RETURN f1(); + RETURN f1(); + END; + END; +RETURN 1; +END $ +delimiter ;$ + +# This used to cause an assertion. +SELECT f1(); + +DROP FUNCTION f1; + + --echo # ------------------------------------------------------------------ --echo # -- End of 5.1 tests --echo # ------------------------------------------------------------------ diff --git a/sql/sp_head.cc b/sql/sp_head.cc index 8bea0be0f56..dec76615ec7 100644 --- a/sql/sp_head.cc +++ b/sql/sp_head.cc @@ -3356,6 +3356,23 @@ sp_instr_hpush_jump::opt_mark(sp_head *sp, List *leads) m_optdest= sp->get_instr(m_dest); } sp->add_mark_lead(m_dest, leads); + + /* + For continue handlers, all instructions in the scope of the handler + are possible leads. For example, the instruction after freturn might + be executed if the freturn triggers the condition handled by the + continue handler. + + m_dest marks the start of the handler scope. It's added as a lead + above, so we start on m_dest+1 here. + m_opt_hpop is the hpop marking the end of the handler scope. + */ + if (m_type == SP_HANDLER_CONTINUE) + { + for (uint scope_ip= m_dest+1; scope_ip <= m_opt_hpop; scope_ip++) + sp->add_mark_lead(scope_ip, leads); + } + return m_ip+1; } diff --git a/sql/sp_head.h b/sql/sp_head.h index da490527f42..a026ac47221 100644 --- a/sql/sp_head.h +++ b/sql/sp_head.h @@ -1000,7 +1000,7 @@ class sp_instr_hpush_jump : public sp_instr_jump public: sp_instr_hpush_jump(uint ip, sp_pcontext *ctx, int htype, uint fp) - : sp_instr_jump(ip, ctx), m_type(htype), m_frame(fp) + : sp_instr_jump(ip, ctx), m_type(htype), m_frame(fp), m_opt_hpop(0) { m_cond.empty(); } @@ -1022,6 +1022,15 @@ public: return m_ip; } + virtual void backpatch(uint dest, sp_pcontext *dst_ctx) + { + DBUG_ASSERT(!m_dest || !m_opt_hpop); + if (!m_dest) + m_dest= dest; + else + m_opt_hpop= dest; + } + inline void add_condition(struct sp_cond_type *cond) { m_cond.push_front(cond); @@ -1031,6 +1040,7 @@ private: int m_type; ///< Handler type uint m_frame; + uint m_opt_hpop; // hpop marking end of handler scope. List m_cond; }; // class sp_instr_hpush_jump : public sp_instr_jump diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy index facbc6d3e95..7e7ff7e91ca 100644 --- a/sql/sql_yacc.yy +++ b/sql/sql_yacc.yy @@ -2532,9 +2532,15 @@ sp_decl: sp_instr_hpush_jump *i= new sp_instr_hpush_jump(sp->instructions(), ctx, $2, ctx->current_var_count()); - if (i == NULL || - sp->add_instr(i) || - sp->push_backpatch(i, ctx->push_label((char *)"", 0))) + if (i == NULL || sp->add_instr(i)) + MYSQL_YYABORT; + + /* For continue handlers, mark end of handler scope. */ + if ($2 == SP_HANDLER_CONTINUE && + sp->push_backpatch(i, ctx->last_label())) + MYSQL_YYABORT; + + if (sp->push_backpatch(i, ctx->push_label(empty_c_string, 0))) MYSQL_YYABORT; } sp_hcond_list sp_proc_stmt From 316a60af6db522a71879960f4f5fbdd215a8d262 Mon Sep 17 00:00:00 2001 From: Joerg Bruehe Date: Thu, 19 Jan 2012 17:05:47 +0100 Subject: [PATCH 05/14] Compile fix needed for AIX, to work around the lack of a bzero() prototype. include/m_string.h: AIX does have bzero() in its system libraries, and the configure phase detects it, including the prototype (sets both HAVE_BZERO and HAVE_DECL_BZERO), but the declaration is missing when the source is compiled. Several attempts all failed. This patch takes the brute force approach to always map "bzero()" to "memset()" on AIX, like is done on platforms where "bzero()" is not found at all. --- include/m_string.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/m_string.h b/include/m_string.h index e1cf7651519..dc916792f60 100644 --- a/include/m_string.h +++ b/include/m_string.h @@ -60,7 +60,9 @@ # define bfill(A,B,C) memset((A),(C),(B)) #endif -#if !defined(bzero) && (!defined(HAVE_BZERO) || !defined(HAVE_DECL_BZERO)) +#if !defined(bzero) && (!defined(HAVE_BZERO) || !HAVE_DECL_BZERO || defined(_AIX)) +/* See autoconf doku: "HAVE_DECL_symbol" will be defined after configure, to 0 or 1 */ +/* AIX has bzero() as a function, but the declaration prototype is strangely hidden */ # define bzero(A,B) memset((A),0,(B)) #endif From 26c52659c9fb2ddbdabb661f0a089705d16a46c1 Mon Sep 17 00:00:00 2001 From: Tor Didriksen Date: Fri, 27 Jan 2012 11:13:13 +0100 Subject: [PATCH 06/14] Bug#13580775 ASSERTION FAILED: RECORD_LENGTH == M_RECORD_LENGTH Bug#13011410 CRASH IN FILESORT CODE WITH GROUP BY/ROLLUP The assert in 13580775 is visible in 5.6 only, but shows that all versions are vulnerable. 13011410 crashes in all versions. filesort tries to re-use the sort buffer between invocations in order to save malloc/free overhead. The fix for Bug 11748783 - 37359: FILESORT CAN BE MORE EFFICIENT. added an assert that buffer properties (num_records, record_length) are consistent between invocations. Indeed, they are not necessarily consistent. Fix: re-allocate the sort buffer if properties change. mysql-test/r/partition.result: New tests. mysql-test/t/partition.test: New tests. sql/filesort.cc: If we already have allocated a sort buffer in a previous execution, then verify that it is big enough for the current one. sql/table.h: Add sort_keys_size; Number of bytes allocated for the sort_keys buffer. --- mysql-test/r/partition.result | 40 +++++++++++++++++++++++++++++ mysql-test/t/partition.test | 45 ++++++++++++++++++++++++++++++++ sql/filesort.cc | 48 ++++++++++++++++++++++++++--------- sql/table.h | 1 + 4 files changed, 122 insertions(+), 12 deletions(-) diff --git a/mysql-test/r/partition.result b/mysql-test/r/partition.result index 379f7499e11..49fe208d9bd 100644 --- a/mysql-test/r/partition.result +++ b/mysql-test/r/partition.result @@ -2206,4 +2206,44 @@ TRUNCATE TABLE t1; INSERT INTO t1 VALUES(0); DROP TABLE t1; SET GLOBAL myisam_use_mmap=default; +# +# Bug#13580775 ASSERTION FAILED: RECORD_LENGTH == M_RECORD_LENGTH, +# FILE FILESORT_UTILS.CC +# +CREATE TABLE t1 ( +a INT PRIMARY KEY, +b INT, +c CHAR(1), +d INT, +KEY (c,d) +) PARTITION BY KEY () PARTITIONS 1; +INSERT INTO t1 VALUES (1,1,'a',1), (2,2,'a',1); +SELECT 1 FROM t1 WHERE 1 IN +(SELECT group_concat(b) +FROM t1 +WHERE c > geomfromtext('point(1 1)') +GROUP BY b +); +1 +1 +1 +DROP TABLE t1; +# +# Bug#13011410 CRASH IN FILESORT CODE WITH GROUP BY/ROLLUP +# +CREATE TABLE t1 ( +a INT, +b MEDIUMINT, +c VARCHAR(300) CHARACTER SET hp8 COLLATE hp8_bin, +PRIMARY KEY (a,c(299))) +ENGINE=myisam +PARTITION BY LINEAR KEY () PARTITIONS 2; +INSERT INTO t1 VALUES (1,2,'test'), (2,3,'hi'), (4,5,'bye'); +SELECT 1 FROM t1 WHERE b < SOME +( SELECT 1 FROM t1 WHERE a >= 1 +GROUP BY b WITH ROLLUP +HAVING b > geomfromtext("") +); +1 +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/partition.test b/mysql-test/t/partition.test index 341e8780b2b..134bbd0527d 100644 --- a/mysql-test/t/partition.test +++ b/mysql-test/t/partition.test @@ -2218,4 +2218,49 @@ INSERT INTO t1 VALUES(0); DROP TABLE t1; SET GLOBAL myisam_use_mmap=default; +--echo # +--echo # Bug#13580775 ASSERTION FAILED: RECORD_LENGTH == M_RECORD_LENGTH, +--echo # FILE FILESORT_UTILS.CC +--echo # + +CREATE TABLE t1 ( + a INT PRIMARY KEY, + b INT, + c CHAR(1), + d INT, + KEY (c,d) +) PARTITION BY KEY () PARTITIONS 1; + +INSERT INTO t1 VALUES (1,1,'a',1), (2,2,'a',1); + +SELECT 1 FROM t1 WHERE 1 IN +(SELECT group_concat(b) + FROM t1 + WHERE c > geomfromtext('point(1 1)') + GROUP BY b +); + +DROP TABLE t1; + +--echo # +--echo # Bug#13011410 CRASH IN FILESORT CODE WITH GROUP BY/ROLLUP +--echo # + +CREATE TABLE t1 ( + a INT, + b MEDIUMINT, + c VARCHAR(300) CHARACTER SET hp8 COLLATE hp8_bin, + PRIMARY KEY (a,c(299))) +ENGINE=myisam +PARTITION BY LINEAR KEY () PARTITIONS 2; + +INSERT INTO t1 VALUES (1,2,'test'), (2,3,'hi'), (4,5,'bye'); +SELECT 1 FROM t1 WHERE b < SOME +( SELECT 1 FROM t1 WHERE a >= 1 + GROUP BY b WITH ROLLUP + HAVING b > geomfromtext("") +); + +DROP TABLE t1; + --echo End of 5.1 tests diff --git a/sql/filesort.cc b/sql/filesort.cc index 715528bcd52..ed198549890 100644 --- a/sql/filesort.cc +++ b/sql/filesort.cc @@ -41,8 +41,9 @@ if (my_b_write((file),(uchar*) (from),param->ref_length)) \ /* functions defined in this file */ -static char **make_char_array(char **old_pos, register uint fields, - uint length, myf my_flag); +static size_t char_array_size(uint fields, uint length); +static uchar **make_char_array(uchar **old_pos, uint fields, + uint length, myf my_flag); static uchar *read_buffpek_from_file(IO_CACHE *buffer_file, uint count, uchar *buf); static ha_rows find_all_keys(SORTPARAM *param,SQL_SELECT *select, @@ -221,10 +222,22 @@ ha_rows filesort(THD *thd, TABLE *table, SORT_FIELD *sortorder, uint s_length, ulong old_memavl; ulong keys= memavl/(param.rec_length+sizeof(char*)); param.keys=(uint) min(records+1, keys); + + if (table_sort.sort_keys && + table_sort.sort_keys_size != char_array_size(param.keys, + param.rec_length)) + { + x_free((uchar*) table_sort.sort_keys); + table_sort.sort_keys= NULL; + table_sort.sort_keys_size= 0; + } if ((table_sort.sort_keys= - (uchar **) make_char_array((char **) table_sort.sort_keys, - param.keys, param.rec_length, MYF(0)))) + make_char_array(table_sort.sort_keys, + param.keys, param.rec_length, MYF(0)))) + { + table_sort.sort_keys_size= char_array_size(param.keys, param.rec_length); break; + } old_memavl=memavl; if ((memavl=memavl/4*3) < min_sort_memory && old_memavl > min_sort_memory) memavl= min_sort_memory; @@ -306,6 +319,7 @@ ha_rows filesort(THD *thd, TABLE *table, SORT_FIELD *sortorder, uint s_length, { x_free((uchar*) sort_keys); table_sort.sort_keys= 0; + table_sort.sort_keys_size= 0; x_free((uchar*) buffpek); table_sort.buffpek= 0; table_sort.buffpek_len= 0; @@ -353,6 +367,7 @@ void filesort_free_buffers(TABLE *table, bool full) { x_free((uchar*) table->sort.sort_keys); table->sort.sort_keys= 0; + table->sort.sort_keys_size= 0; } if (table->sort.buffpek) { @@ -372,19 +387,28 @@ void filesort_free_buffers(TABLE *table, bool full) /** Make a array of string pointers. */ -static char **make_char_array(char **old_pos, register uint fields, - uint length, myf my_flag) +static size_t char_array_size(uint fields, uint length) { - register char **pos; - char *char_pos; + return fields * (length + sizeof(uchar*)); +} + + +static uchar **make_char_array(uchar **old_pos, uint fields, + uint length, myf my_flag) +{ + register uchar **pos; + uchar *char_pos; DBUG_ENTER("make_char_array"); if (old_pos || - (old_pos= (char**) my_malloc((uint) fields*(length+sizeof(char*)), - my_flag))) + (old_pos= (uchar**) my_malloc(char_array_size(fields, length), my_flag))) { - pos=old_pos; char_pos=((char*) (pos+fields)) -length; - while (fields--) *(pos++) = (char_pos+= length); + pos=old_pos; + char_pos= ((uchar*)(pos+fields)) -length; + while (fields--) + { + *(pos++) = (char_pos+= length); + } } DBUG_RETURN(old_pos); diff --git a/sql/table.h b/sql/table.h index 20f11f4e7e1..690abdff714 100644 --- a/sql/table.h +++ b/sql/table.h @@ -157,6 +157,7 @@ typedef struct st_filesort_info { IO_CACHE *io_cache; /* If sorted through filesort */ uchar **sort_keys; /* Buffer for sorting keys */ + size_t sort_keys_size; /* Number of bytes allocated */ uchar *buffpek; /* Buffer for buffpek structures */ uint buffpek_len; /* Max number of buffpeks in the buffer */ uchar *addon_buf; /* Pointer to a buffer if sorted with fields */ From 7f0f18cd6ecd5a40f45393bfcc678350855f1513 Mon Sep 17 00:00:00 2001 From: Gopal Shankar Date: Mon, 30 Jan 2012 11:57:33 +0530 Subject: [PATCH 07/14] Bug#13105873 :Valgrind Warning: CRASH IN FOREIGN KEY HANDLING ON SUBSEQUENT CREATE TABLE IF NOT EXISTS PROBLEM: -------- Consider a SP routine which does CREATE TABLE with REFERENCES clause. The first call to this routine invokes parser and the parsed items are cached, so as to avoid parsing for the second execution of the routine. It is obsevered that valgrind reports a warning upon read of thd->lex->alter_info->key_list->Foreign_key object, which seem to be pointing to a invalid memory address during second time execution of the routine. Accessing this object theoretically could cause a crash. ANALYSIS: --------- The problem stems from the fact that for some reason elements of ref_columns list in thd->lex->alter_info-> key_list->Foreign_key object are changed to point to objects allocated on runtime memory root. During the first execution of routine we create a copy of thd->lex->alter_info object. As part of this process we create a clones of objects in Alter_info::key_list and of Foreign_key object in particular. Then Foreign_key object is cloned for some reason we perform shallow copies of both Foreign_key::ref_columns and Foreign_key::columns list. So new instance of Foreign_key object starts to SHARE contents of ref_columns and columns list with the original instance. After that as part of cloning process we call list_copy_and_replace_each_value() for elements of ref_columns list. As result ref_columns lists in both original and cloned Foreign_key object start to contain pointers to Key_part_spec objects allocated on runtime memory root because of shallow copy. So when we start copying of thd->lex->alter_info object during the second execution of stored routine we indeed encounter pointer to the Key_part_spec object allocated on runtime mem-root which was cleared during at the end of previous execution. This is done in sp_head::execute(), by a call to free_root(&execute_mem_root,MYF(0)); As result we get valgrind warnings about accessing unreferenced memory. FIX: ---- The safest solution to this problem is to fix Foreign_key(Foreign_key, MEM_ROOT) constructor to do a deep copy of columns lists, similar to Key(Key, MEM_ROOT) constructor. --- mysql-test/r/sp-bugs.result | 19 +++++++++++++++++++ mysql-test/t/sp-bugs.test | 24 ++++++++++++++++++++++++ sql/sql_class.cc | 4 ++-- 3 files changed, 45 insertions(+), 2 deletions(-) diff --git a/mysql-test/r/sp-bugs.result b/mysql-test/r/sp-bugs.result index 507c73c2683..59588768d14 100644 --- a/mysql-test/r/sp-bugs.result +++ b/mysql-test/r/sp-bugs.result @@ -109,4 +109,23 @@ DROP FUNCTION db1.f1; DROP TABLE db1.t1; DROP DATABASE db1; DROP DATABASE db2; +# +# Bug#13105873:valgrind warning:possible crash in foreign +# key handling on subsequent create table if not exists +# +DROP DATABASE IF EXISTS testdb; +CREATE DATABASE testdb; +USE testdb; +CREATE TABLE t1 (id1 INT PRIMARY KEY); +CREATE PROCEDURE `p1`() +BEGIN +CREATE TABLE IF NOT EXISTS t2(id INT PRIMARY KEY, +CONSTRAINT FK FOREIGN KEY (id) REFERENCES t1( id1 )); +END$ +CALL p1(); +# below stmt should not return valgrind warnings +CALL p1(); +Warnings: +Note 1050 Table 't2' already exists +DROP DATABASE testdb; End of 5.1 tests diff --git a/mysql-test/t/sp-bugs.test b/mysql-test/t/sp-bugs.test index fe52632c784..a23ccea8189 100644 --- a/mysql-test/t/sp-bugs.test +++ b/mysql-test/t/sp-bugs.test @@ -138,4 +138,28 @@ DROP FUNCTION db1.f1; DROP TABLE db1.t1; DROP DATABASE db1; DROP DATABASE db2; + +--echo # +--echo # Bug#13105873:valgrind warning:possible crash in foreign +--echo # key handling on subsequent create table if not exists +--echo # + +--disable_warnings +DROP DATABASE IF EXISTS testdb; +--enable_warnings +CREATE DATABASE testdb; +USE testdb; +CREATE TABLE t1 (id1 INT PRIMARY KEY); +DELIMITER $; +CREATE PROCEDURE `p1`() +BEGIN + CREATE TABLE IF NOT EXISTS t2(id INT PRIMARY KEY, + CONSTRAINT FK FOREIGN KEY (id) REFERENCES t1( id1 )); +END$ +DELIMITER ;$ +CALL p1(); +--echo # below stmt should not return valgrind warnings +CALL p1(); +DROP DATABASE testdb; + --echo End of 5.1 tests diff --git a/sql/sql_class.cc b/sql/sql_class.cc index 7fb1d2ade5f..32e2e90acd7 100644 --- a/sql/sql_class.cc +++ b/sql/sql_class.cc @@ -122,9 +122,9 @@ Key::Key(const Key &rhs, MEM_ROOT *mem_root) */ Foreign_key::Foreign_key(const Foreign_key &rhs, MEM_ROOT *mem_root) - :Key(rhs), + :Key(rhs,mem_root), ref_table(rhs.ref_table), - ref_columns(rhs.ref_columns), + ref_columns(rhs.ref_columns,mem_root), delete_opt(rhs.delete_opt), update_opt(rhs.update_opt), match_opt(rhs.match_opt) From 9ada2f8ec5d29c036bcd185a411f64eea17d8132 Mon Sep 17 00:00:00 2001 From: Martin Hansson Date: Tue, 7 Feb 2012 14:16:09 +0100 Subject: [PATCH 08/14] Bug #11765810 58813: SERVER THREAD HANGS WHEN JOIN + WHERE + GROUP BY IS EXECUTED TWICE FROM P This bug is a duplicate of bug 12567331, which was pushed to the optimizer backporting tree on 2011-06-11. This is just a back-port of the fix. Both test cases are included as they differ somewhat. --- mysql-test/r/join_outer.result | 58 ++++++++++++++++++++++++++++++++++ mysql-test/t/join_outer.test | 58 ++++++++++++++++++++++++++++++++++ sql/sql_select.cc | 10 ------ 3 files changed, 116 insertions(+), 10 deletions(-) diff --git a/mysql-test/r/join_outer.result b/mysql-test/r/join_outer.result index d9c4ac5478e..d8a734a7158 100644 --- a/mysql-test/r/join_outer.result +++ b/mysql-test/r/join_outer.result @@ -1427,4 +1427,62 @@ WHERE t1.f1 = 4 AND t2.f1 IS NOT NULL AND t2.f2 IS NOT NULL GROUP BY t2.f1, t2.f2; f1 f1 f2 DROP TABLE t1,t2; + +# BUG#12567331 - INFINITE LOOP WHEN RESOLVING AN ALIASED COLUMN +# USED IN GROUP BY + +CREATE TABLE t1 ( +col_varchar_1024_latin1_key varchar(1024), +col_varchar_10_latin1 varchar(10), +col_int int(11), +pk int(11) +); +CREATE TABLE t2 ( +col_int_key int(11), +col_int int(11), +pk int(11) +); +PREPARE prep_stmt_9846 FROM ' +SELECT alias1.pk AS field1 FROM +t1 AS alias1 +LEFT JOIN +( + t2 AS alias2 + RIGHT JOIN + ( + t2 AS alias3 + JOIN t1 AS alias4 + ON 1 + ) + ON 1 +) +ON 1 +GROUP BY field1'; +execute prep_stmt_9846; +field1 +execute prep_stmt_9846; +field1 +drop table t1,t2; +# +# Bug #11765810 58813: SERVER THREAD HANGS WHEN JOIN + WHERE + GROUP BY +# IS EXECUTED TWICE FROM P +# +CREATE TABLE t1 ( a INT ) ENGINE = MYISAM; +INSERT INTO t1 VALUES (1); +PREPARE prep_stmt FROM ' + SELECT 1 AS f FROM t1 + LEFT JOIN t1 t2 + RIGHT JOIN t1 t3 + JOIN t1 t4 + ON 1 + ON 1 + ON 1 + GROUP BY f'; +EXECUTE prep_stmt; +f +1 +EXECUTE prep_stmt; +f +1 +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/join_outer.test b/mysql-test/t/join_outer.test index 3251ff292b6..1ba29fdd4cf 100644 --- a/mysql-test/t/join_outer.test +++ b/mysql-test/t/join_outer.test @@ -1010,4 +1010,62 @@ GROUP BY t2.f1, t2.f2; DROP TABLE t1,t2; + +--echo +--echo # BUG#12567331 - INFINITE LOOP WHEN RESOLVING AN ALIASED COLUMN +--echo # USED IN GROUP BY +--echo +CREATE TABLE t1 ( + col_varchar_1024_latin1_key varchar(1024), + col_varchar_10_latin1 varchar(10), + col_int int(11), + pk int(11) +); +CREATE TABLE t2 ( + col_int_key int(11), + col_int int(11), + pk int(11) +); + +PREPARE prep_stmt_9846 FROM ' +SELECT alias1.pk AS field1 FROM +t1 AS alias1 +LEFT JOIN +( + t2 AS alias2 + RIGHT JOIN + ( + t2 AS alias3 + JOIN t1 AS alias4 + ON 1 + ) + ON 1 +) +ON 1 +GROUP BY field1'; +execute prep_stmt_9846; +execute prep_stmt_9846; +drop table t1,t2; + +--echo # +--echo # Bug #11765810 58813: SERVER THREAD HANGS WHEN JOIN + WHERE + GROUP BY +--echo # IS EXECUTED TWICE FROM P +--echo # +CREATE TABLE t1 ( a INT ) ENGINE = MYISAM; +INSERT INTO t1 VALUES (1); +PREPARE prep_stmt FROM ' + SELECT 1 AS f FROM t1 + LEFT JOIN t1 t2 + RIGHT JOIN t1 t3 + JOIN t1 t4 + ON 1 + ON 1 + ON 1 + GROUP BY f'; +EXECUTE prep_stmt; +EXECUTE prep_stmt; + +DROP TABLE t1; + + --echo End of 5.1 tests diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 72c826ff32d..5f1efabfc97 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -8947,11 +8947,9 @@ simplify_joins(JOIN *join, List *join_list, COND *conds, bool top) } /* Flatten nested joins that can be flattened. */ - TABLE_LIST *right_neighbor= NULL; li.rewind(); while ((table= li++)) { - bool fix_name_res= FALSE; nested_join= table->nested_join; if (nested_join && !table->on_expr) { @@ -8963,15 +8961,7 @@ simplify_joins(JOIN *join, List *join_list, COND *conds, bool top) tbl->join_list= table->join_list; } li.replace(nested_join->join_list); - /* Need to update the name resolution table chain when flattening joins */ - fix_name_res= TRUE; - table= *li.ref(); } - if (fix_name_res) - table->next_name_resolution_table= right_neighbor ? - right_neighbor->first_leaf_for_name_resolution() : - NULL; - right_neighbor= table; } DBUG_RETURN(conds); } From d3de138311dd7fcabf2ade7b2c024c3edcab5094 Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Fri, 10 Feb 2012 11:10:07 +0200 Subject: [PATCH 09/14] Bug#13706621 : UNIFY THE YASSL VERSIONS THAT WE USE BY BACKPORTING 5.1 AND 5.5 YASSL FIXES. Took the 5.5 yassl code and applied it to the 5.0 codebase, keeping the compilation files. --- extra/yassl/include/cert_wrapper.hpp | 6 +- extra/yassl/include/openssl/prefix_ssl.h | 4 +- extra/yassl/include/openssl/ssl.h | 12 +- extra/yassl/include/yassl_error.hpp | 5 +- extra/yassl/include/yassl_imp.hpp | 7 +- extra/yassl/include/yassl_int.hpp | 15 +- extra/yassl/include/yassl_types.hpp | 13 +- extra/yassl/src/cert_wrapper.cpp | 40 +++-- extra/yassl/src/crypto_wrapper.cpp | 7 +- extra/yassl/src/socket_wrapper.cpp | 4 +- extra/yassl/src/ssl.cpp | 31 +++- extra/yassl/src/yassl_error.cpp | 11 +- extra/yassl/src/yassl_imp.cpp | 187 +++++++++++++--------- extra/yassl/src/yassl_int.cpp | 101 +++++++++--- extra/yassl/taocrypt/include/blowfish.hpp | 8 +- extra/yassl/taocrypt/include/misc.hpp | 4 +- extra/yassl/taocrypt/include/runtime.hpp | 18 +-- extra/yassl/taocrypt/src/aes.cpp | 5 +- extra/yassl/taocrypt/src/algebra.cpp | 9 +- extra/yassl/taocrypt/src/blowfish.cpp | 5 +- extra/yassl/taocrypt/src/coding.cpp | 4 +- extra/yassl/taocrypt/src/integer.cpp | 34 ++-- extra/yassl/taocrypt/src/misc.cpp | 25 +-- extra/yassl/taocrypt/src/random.cpp | 64 +------- extra/yassl/taocrypt/src/twofish.cpp | 5 +- extra/yassl/testsuite/test.hpp | 16 +- 26 files changed, 376 insertions(+), 264 deletions(-) diff --git a/extra/yassl/include/cert_wrapper.hpp b/extra/yassl/include/cert_wrapper.hpp index ce8003aa4cf..d07e5b627b0 100644 --- a/extra/yassl/include/cert_wrapper.hpp +++ b/extra/yassl/include/cert_wrapper.hpp @@ -1,5 +1,6 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc. + Use is subject to license terms. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -34,6 +35,7 @@ #include "yassl_types.hpp" // SignatureAlgorithm #include "buffer.hpp" // input_buffer #include "asn.hpp" // SignerList +#include "openssl/ssl.h" // internal and external use #include STL_LIST_FILE #include STL_ALGORITHM_FILE @@ -87,6 +89,7 @@ class CertManager { bool verifyNone_; // no error if verify fails bool failNoCert_; bool sendVerify_; + VerifyCallback verifyCallback_; // user verify callback public: CertManager(); ~CertManager(); @@ -118,6 +121,7 @@ public: void setFailNoCert(); void setSendVerify(); void setPeerX509(X509*); + void setVerifyCallback(VerifyCallback); private: CertManager(const CertManager&); // hide copy CertManager& operator=(const CertManager&); // and assign diff --git a/extra/yassl/include/openssl/prefix_ssl.h b/extra/yassl/include/openssl/prefix_ssl.h index 5906ecbbbce..024cb0a9aff 100644 --- a/extra/yassl/include/openssl/prefix_ssl.h +++ b/extra/yassl/include/openssl/prefix_ssl.h @@ -1,5 +1,6 @@ /* - Copyright (C) 2006, 2007 MySQL AB + Copyright (c) 2006, 2007 MySQL AB, 2008 Sun Microsystems, Inc. + Use is subject to license terms. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -70,6 +71,7 @@ #define SSL_load_error_strings yaSSL_load_error_strings #define SSL_set_session yaSSL_set_session #define SSL_get_session yaSSL_get_session +#define SSL_flush_sessions yaSSL_flush_sessions #define SSL_SESSION_set_timeout yaSSL_SESSION_set_timeout #define SSL_CTX_set_session_cache_mode yaSSL_CTX_set_session_cache_mode #define SSL_get_peer_certificate yaSSL_get_peer_certificate diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h index c0b87f804ad..ba5fa51f34c 100644 --- a/extra/yassl/include/openssl/ssl.h +++ b/extra/yassl/include/openssl/ssl.h @@ -1,5 +1,6 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc. + Use is subject to license terms. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -170,8 +171,9 @@ enum { /* X509 Constants */ X509_V_ERR_CRL_SIGNATURE_FAILURE = 10, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 11, X509_V_ERR_CRL_HAS_EXPIRED = 12, - X509_V_ERR_CERT_REVOKED = 13 - + X509_V_ERR_CERT_REVOKED = 13, + X509_V_FLAG_CRL_CHECK = 14, + X509_V_FLAG_CRL_CHECK_ALL = 15 }; @@ -202,7 +204,8 @@ SSL_CTX* SSL_CTX_new(SSL_METHOD*); SSL* SSL_new(SSL_CTX*); int SSL_set_fd (SSL*, YASSL_SOCKET_T); YASSL_SOCKET_T SSL_get_fd(const SSL*); -int SSL_connect(SSL*); +int SSL_connect(SSL*); /* if you get an error from connect + see note at top of REAMDE */ int SSL_write(SSL*, const void*, int); int SSL_read(SSL*, void*, int); int SSL_accept(SSL*); @@ -227,6 +230,7 @@ void SSL_load_error_strings(void); int SSL_set_session(SSL *ssl, SSL_SESSION *session); SSL_SESSION* SSL_get_session(SSL* ssl); +void SSL_flush_sessions(SSL_CTX *ctx, long tm); long SSL_SESSION_set_timeout(SSL_SESSION*, long); long SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode); X509* SSL_get_peer_certificate(SSL*); diff --git a/extra/yassl/include/yassl_error.hpp b/extra/yassl/include/yassl_error.hpp index 63fa9a761ba..87bb4c55e96 100644 --- a/extra/yassl/include/yassl_error.hpp +++ b/extra/yassl/include/yassl_error.hpp @@ -1,5 +1,6 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005-2007 MySQL AB, 2010 Sun Microsystems, Inc. + Use is subject to license terms. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -64,7 +65,7 @@ enum YasslError { enum Library { yaSSL_Lib = 0, CryptoLib, SocketLib }; enum { MAX_ERROR_SZ = 80 }; -void SetErrorString(YasslError, char*); +void SetErrorString(unsigned long, char*); /* remove for now, if go back to exceptions use this wrapper // Base class for all yaSSL exceptions diff --git a/extra/yassl/include/yassl_imp.hpp b/extra/yassl/include/yassl_imp.hpp index f6434443cb0..04e85c16a04 100644 --- a/extra/yassl/include/yassl_imp.hpp +++ b/extra/yassl/include/yassl_imp.hpp @@ -1,5 +1,6 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc. + Use is subject to license terms. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -667,10 +668,12 @@ struct Parameters { Cipher suites_[MAX_SUITE_SZ]; char cipher_name_[MAX_SUITE_NAME]; char cipher_list_[MAX_CIPHERS][MAX_SUITE_NAME]; + bool removeDH_; // for server's later use Parameters(ConnectionEnd, const Ciphers&, ProtocolVersion, bool haveDH); - void SetSuites(ProtocolVersion pv, bool removeDH = false); + void SetSuites(ProtocolVersion pv, bool removeDH = false, + bool removeRSA = false, bool removeDSA = false); void SetCipherNames(); private: Parameters(const Parameters&); // hide copy diff --git a/extra/yassl/include/yassl_int.hpp b/extra/yassl/include/yassl_int.hpp index b207f0bffbd..433649c545b 100644 --- a/extra/yassl/include/yassl_int.hpp +++ b/extra/yassl/include/yassl_int.hpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -34,9 +34,8 @@ #include "openssl/ssl.h" // ASN1_STRING and DH // Check if _POSIX_THREADS should be forced -#if !defined(_POSIX_THREADS) && (defined(__NETWARE__) || defined(__hpux)) +#if !defined(_POSIX_THREADS) && defined(__hpux) // HPUX does not define _POSIX_THREADS as it's not _fully_ implemented -// Netware supports pthreads but does not announce it #define _POSIX_THREADS #endif @@ -268,12 +267,14 @@ class Sessions { STL::list list_; RandomPool random_; // for session cleaning Mutex mutex_; // no-op for single threaded + int count_; // flush counter - Sessions() {} // only GetSessions can create + Sessions() : count_(0) {} // only GetSessions can create public: SSL_SESSION* lookup(const opaque*, SSL_SESSION* copy = 0); void add(const SSL&); void remove(const opaque*); + void Flush(); ~Sessions(); @@ -425,8 +426,10 @@ private: pem_password_cb passwordCb_; void* userData_; bool sessionCacheOff_; + bool sessionCacheFlushOff_; Stats stats_; Mutex mutex_; // for Stats + VerifyCallback verifyCallback_; public: explicit SSL_CTX(SSL_METHOD* meth); ~SSL_CTX(); @@ -437,18 +440,22 @@ public: const Ciphers& GetCiphers() const; const DH_Parms& GetDH_Parms() const; const Stats& GetStats() const; + VerifyCallback getVerifyCallback() const; pem_password_cb GetPasswordCb() const; void* GetUserData() const; bool GetSessionCacheOff() const; + bool GetSessionCacheFlushOff() const; void setVerifyPeer(); void setVerifyNone(); void setFailNoCert(); + void setVerifyCallback(VerifyCallback); bool SetCipherList(const char*); bool SetDH(const DH&); void SetPasswordCb(pem_password_cb cb); void SetUserData(void*); void SetSessionCacheOff(); + void SetSessionCacheFlushOff(); void IncrementStats(StatsField); void AddCA(x509* ca); diff --git a/extra/yassl/include/yassl_types.hpp b/extra/yassl/include/yassl_types.hpp index e4b81f98fff..c73a54a7c15 100644 --- a/extra/yassl/include/yassl_types.hpp +++ b/extra/yassl/include/yassl_types.hpp @@ -1,5 +1,6 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc. + Use is subject to license terms. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,6 +30,13 @@ #include "type_traits.hpp" +#ifdef _MSC_VER + // disable conversion warning + // 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy + #pragma warning(disable:4244 4996) +#endif + + namespace yaSSL { #define YASSL_LIB @@ -163,7 +171,7 @@ const int RMD_LEN = 20; // RIPEMD-160 digest length const int PREFIX = 3; // up to 3 prefix letters for secret rounds const int KEY_PREFIX = 7; // up to 7 prefix letters for key rounds const int FORTEZZA_MAX = 128; // Maximum Fortezza Key length -const int MAX_SUITE_SZ = 64; // 32 max suites * sizeof(suite) +const int MAX_SUITE_SZ = 128; // 64 max suites * sizeof(suite) const int MAX_SUITE_NAME = 48; // max length of suite name const int MAX_CIPHERS = 32; // max supported ciphers for cipher list const int SIZEOF_ENUM = 1; // SSL considers an enum 1 byte, not 4 @@ -205,6 +213,7 @@ const int SEED_LEN = RAN_LEN * 2; // TLS seed, client + server random const int DEFAULT_TIMEOUT = 500; // Default Session timeout in seconds const int MAX_RECORD_SIZE = 16384; // 2^14, max size by standard const int COMPRESS_EXTRA = 1024; // extra compression possible addition +const int SESSION_FLUSH_COUNT = 256; // when to flush session cache typedef uint8 Cipher; // first byte is always 0x00 for SSLv3 & TLS diff --git a/extra/yassl/src/cert_wrapper.cpp b/extra/yassl/src/cert_wrapper.cpp index 12da19962ef..d8660533f2e 100644 --- a/extra/yassl/src/cert_wrapper.cpp +++ b/extra/yassl/src/cert_wrapper.cpp @@ -1,5 +1,5 @@ /* - Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. + Copyright (c) 2005-2007 MySQL AB, 2008, 2009 Sun Microsystems, Inc. Use is subject to license terms. This program is free software; you can redistribute it and/or modify @@ -25,6 +25,7 @@ #include "runtime.hpp" #include "cert_wrapper.hpp" #include "yassl_int.hpp" +#include "error.hpp" #if defined(USE_CML_LIB) #include "cmapi_cpp.h" @@ -91,7 +92,7 @@ opaque* x509::use_buffer() //CertManager CertManager::CertManager() : peerX509_(0), verifyPeer_(false), verifyNone_(false), failNoCert_(false), - sendVerify_(false) + sendVerify_(false), verifyCallback_(0) {} @@ -155,6 +156,12 @@ void CertManager::setSendVerify() } +void CertManager::setVerifyCallback(VerifyCallback vc) +{ + verifyCallback_ = vc; +} + + void CertManager::AddPeerCert(x509* x) { peerList_.push_back(x); // take ownership @@ -237,7 +244,7 @@ uint CertManager::get_privateKeyLength() const int CertManager::Validate() { CertList::reverse_iterator last = peerList_.rbegin(); - size_t count= peerList_.size(); + size_t count = peerList_.size(); while ( count > 1 ) { TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length()); @@ -258,7 +265,8 @@ int CertManager::Validate() TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length()); TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_); - if (int err = cert.GetError().What()) + int err = cert.GetError().What(); + if ( err ) return err; uint sz = cert.GetPublicKey().size(); @@ -270,13 +278,25 @@ int CertManager::Validate() else peerKeyType_ = dsa_sa_algo; - size_t iSz= strlen(cert.GetIssuer()) + 1; - size_t sSz= strlen(cert.GetCommonName()) + 1; - size_t bSz= strlen(cert.GetBeforeDate()) + 1; - size_t aSz= strlen(cert.GetAfterDate()) + 1; + size_t iSz = strlen(cert.GetIssuer()) + 1; + size_t sSz = strlen(cert.GetCommonName()) + 1; + int bSz = (int)strlen(cert.GetBeforeDate()) + 1; + int aSz = (int)strlen(cert.GetAfterDate()) + 1; peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(), - sSz, cert.GetBeforeDate(), (int) bSz, - cert.GetAfterDate(), (int) aSz); + sSz, cert.GetBeforeDate(), bSz, + cert.GetAfterDate(), aSz); + + if (err == TaoCrypt::SIG_OTHER_E && verifyCallback_) { + X509_STORE_CTX store; + store.error = err; + store.error_depth = static_cast(count) - 1; + store.current_cert = peerX509_; + + int ok = verifyCallback_(0, &store); + if (ok) return 0; + } + + if (err == TaoCrypt::SIG_OTHER_E) return err; } return 0; } diff --git a/extra/yassl/src/crypto_wrapper.cpp b/extra/yassl/src/crypto_wrapper.cpp index 28d7f1b5693..e6168d4d69c 100644 --- a/extra/yassl/src/crypto_wrapper.cpp +++ b/extra/yassl/src/crypto_wrapper.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -953,8 +953,9 @@ x509* PemToDer(FILE* file, CertType type, EncryptedInfo* info) info->set = true; } } - fgets(line,sizeof(line), file); // get blank line - begin = ftell(file); + // get blank line + if (fgets(line, sizeof(line), file)) + begin = ftell(file); } } diff --git a/extra/yassl/src/socket_wrapper.cpp b/extra/yassl/src/socket_wrapper.cpp index eee5d47377f..3cf6c14c4b3 100644 --- a/extra/yassl/src/socket_wrapper.cpp +++ b/extra/yassl/src/socket_wrapper.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -37,7 +37,7 @@ #include #endif // _WIN32 -#if defined(__sun) || defined(__SCO_VERSION__) || defined(__NETWARE__) +#if defined(__sun) || defined(__SCO_VERSION__) #include #endif diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp index b5fe774fa1a..67d2d428e51 100644 --- a/extra/yassl/src/ssl.cpp +++ b/extra/yassl/src/ssl.cpp @@ -1,5 +1,5 @@ /* - Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. + Copyright (c) 2005-2007 MySQL AB, 2008-2010 Sun Microsystems, Inc. Use is subject to license terms. This program is free software; you can redistribute it and/or modify @@ -246,6 +246,7 @@ YASSL_SOCKET_T SSL_get_fd(const SSL* ssl) } +// if you get an error from connect see note at top of README int SSL_connect(SSL* ssl) { if (ssl->GetError() == YasslError(SSL_ERROR_WANT_READ)) @@ -448,6 +449,9 @@ long SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode) if (mode == SSL_SESS_CACHE_OFF) ctx->SetSessionCacheOff(); + if (mode == SSL_SESS_CACHE_NO_AUTO_CLEAR) + ctx->SetSessionCacheFlushOff(); + return SSL_SUCCESS; } @@ -494,6 +498,15 @@ long SSL_get_default_timeout(SSL* /*ssl*/) } +void SSL_flush_sessions(SSL_CTX *ctx, long /* tm */) +{ + if (ctx->GetSessionCacheOff()) + return; + + GetSessions().Flush(); +} + + const char* SSL_get_cipher_name(SSL* ssl) { return SSL_get_cipher(ssl); @@ -561,7 +574,7 @@ int SSL_get_error(SSL* ssl, int /*previous*/) only need to turn on for client, becuase server on by default if built in but calling for server will tell you whether it's available or not */ -int SSL_set_compression(SSL* ssl) +int SSL_set_compression(SSL* ssl) /* Chad didn't rename to ya~ because it is prob. bug. */ { return ssl->SetCompression(); } @@ -605,13 +618,13 @@ char* X509_NAME_oneline(X509_NAME* name, char* buffer, int sz) { if (!name->GetName()) return buffer; - size_t len= strlen(name->GetName()) + 1; - int copySz = min((int) len, sz); + int len = (int)strlen(name->GetName()) + 1; + int copySz = min(len, sz); if (!buffer) { buffer = (char*)malloc(len); if (!buffer) return buffer; - copySz = (int) len; + copySz = len; } if (copySz == 0) @@ -694,7 +707,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX* ctx, const char* file, int format) } -void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback /*vc*/) +void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback vc) { if (mode & SSL_VERIFY_PEER) ctx->setVerifyPeer(); @@ -704,6 +717,8 @@ void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback /*vc*/) if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) ctx->setFailNoCert(); + + ctx->setVerifyCallback(vc); } @@ -977,7 +992,7 @@ char* ERR_error_string(unsigned long errNumber, char* buffer) static char* msg = (char*)"Please supply a buffer for error string"; if (buffer) { - SetErrorString(YasslError(errNumber), buffer); + SetErrorString(errNumber, buffer); return buffer; } @@ -1451,6 +1466,8 @@ unsigned long err_helper(bool peek = false) default : return 0; } + + return 0; // shut up compiler } diff --git a/extra/yassl/src/yassl_error.cpp b/extra/yassl/src/yassl_error.cpp index dc120028e13..e167075b984 100644 --- a/extra/yassl/src/yassl_error.cpp +++ b/extra/yassl/src/yassl_error.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,6 +26,11 @@ #include "openssl/ssl.h" // SSL_ERROR_WANT_READ #include // strncpy +#ifdef _MSC_VER + // 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy + #pragma warning(disable: 4996) +#endif + namespace yaSSL { @@ -50,7 +55,7 @@ Library Error::get_lib() const */ -void SetErrorString(YasslError error, char* buffer) +void SetErrorString(unsigned long error, char* buffer) { using namespace TaoCrypt; const int max = MAX_ERROR_SZ; // shorthand @@ -123,7 +128,7 @@ void SetErrorString(YasslError error, char* buffer) break; case badVersion_error : - strncpy(buffer, "protocl version mismatch", max); + strncpy(buffer, "protocol version mismatch", max); break; case compress_error : diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp index 2030163d35a..d981605d35a 100644 --- a/extra/yassl/src/yassl_imp.cpp +++ b/extra/yassl/src/yassl_imp.cpp @@ -1,6 +1,5 @@ /* - Copyright (c) 2005-2008 MySQL AB, 2009 Sun Microsystems, Inc. - Use is subject to license terms. + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -137,9 +136,19 @@ void DH_Server::build(SSL& ssl) const CertManager& cert = ssl.getCrypto().get_certManager(); if (ssl.getSecurity().get_parms().sig_algo_ == rsa_sa_algo) + { + if (cert.get_keyType() != rsa_sa_algo) { + ssl.SetError(privateKey_error); + return; + } auth.reset(NEW_YS RSA(cert.get_privateKey(), cert.get_privateKeyLength(), false)); + } else { + if (cert.get_keyType() != dsa_sa_algo) { + ssl.SetError(privateKey_error); + return; + } auth.reset(NEW_YS DSS(cert.get_privateKey(), cert.get_privateKeyLength(), false)); sigSz += DSS_ENCODED_EXTRA; @@ -437,18 +446,21 @@ Parameters::Parameters(ConnectionEnd ce, const Ciphers& ciphers, pending_ = true; // suite not set yet strncpy(cipher_name_, "NONE", 5); + removeDH_ = !haveDH; // only use on server side for set suites + if (ciphers.setSuites_) { // use user set list suites_size_ = ciphers.suiteSz_; memcpy(suites_, ciphers.suites_, ciphers.suiteSz_); SetCipherNames(); } else - SetSuites(pv, ce == server_end && !haveDH); // defaults + SetSuites(pv, ce == server_end && removeDH_); // defaults } -void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) +void Parameters::SetSuites(ProtocolVersion pv, bool removeDH, bool removeRSA, + bool removeDSA) { int i = 0; // available suites, best first @@ -457,67 +469,87 @@ void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) if (isTLS(pv)) { if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA; + } } - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_256_CBC_SHA; - - if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_256_CBC_SHA; } - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_128_CBC_SHA; - - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_256_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_128_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_3DES_EDE_CBC_RMD160; - if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD160; - - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD160; - } + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA; + } + } + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_128_CBC_SHA; + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_256_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_128_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_3DES_EDE_CBC_RMD160; + } + if (!removeDH) { + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD160; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD160; + } + } } - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_RC4_128_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_RC4_128_MD5; - - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_DES_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_RSA_WITH_RC4_128_SHA; + suites_[i++] = 0x00; + suites_[i++] = SSL_RSA_WITH_RC4_128_MD5; + suites_[i++] = 0x00; + suites_[i++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; + suites_[i++] = 0x00; + suites_[i++] = SSL_RSA_WITH_DES_CBC_SHA; + } if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; - - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_RSA_WITH_DES_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_DSS_WITH_DES_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; + } + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_RSA_WITH_DES_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_DSS_WITH_DES_CBC_SHA; + } } suites_size_ = i; @@ -852,21 +884,19 @@ void Alert::Process(input_buffer& input, SSL& ssl) else hmac(ssl, verify, data, aSz, alert, true); - // read mac and fill + // read mac and skip fill int digestSz = ssl.getCrypto().get_digest().get_digestSize(); opaque mac[SHA_LEN]; input.read(mac, digestSz); if (ssl.getSecurity().get_parms().cipher_type_ == block) { int ivExtra = 0; - opaque fill; if (ssl.isTLSv1_1()) ivExtra = ssl.getCrypto().get_cipher().get_blockSize(); int padSz = ssl.getSecurity().get_parms().encrypt_size_ - ivExtra - aSz - digestSz; - for (int i = 0; i < padSz; i++) - fill = input[AUTO]; + input.set_current(input.get_current() + padSz); } // verify @@ -949,17 +979,17 @@ output_buffer& operator<<(output_buffer& output, const Data& data) void Data::Process(input_buffer& input, SSL& ssl) { int msgSz = ssl.getSecurity().get_parms().encrypt_size_; - int pad = 0, padByte = 0; + int pad = 0, padSz = 0; int ivExtra = 0; if (ssl.getSecurity().get_parms().cipher_type_ == block) { if (ssl.isTLSv1_1()) // IV ivExtra = ssl.getCrypto().get_cipher().get_blockSize(); pad = *(input.get_buffer() + input.get_current() + msgSz -ivExtra - 1); - padByte = 1; + padSz = 1; } int digestSz = ssl.getCrypto().get_digest().get_digestSize(); - int dataSz = msgSz - ivExtra - digestSz - pad - padByte; + int dataSz = msgSz - ivExtra - digestSz - pad - padSz; opaque verify[SHA_LEN]; const byte* rawData = input.get_buffer() + input.get_current(); @@ -988,14 +1018,10 @@ void Data::Process(input_buffer& input, SSL& ssl) hmac(ssl, verify, rawData, dataSz, application_data, true); } - // read mac and fill + // read mac and skip fill opaque mac[SHA_LEN]; - opaque fill; input.read(mac, digestSz); - for (int i = 0; i < pad; i++) - fill = input[AUTO]; - if (padByte) - fill = input[AUTO]; + input.set_current(input.get_current() + pad + padSz); // verify if (dataSz) { @@ -1472,7 +1498,19 @@ void ClientHello::Process(input_buffer&, SSL& ssl) // downgrade to SSLv3 ssl.useSecurity().use_connection().TurnOffTLS(); ProtocolVersion pv = ssl.getSecurity().get_connection().version_; - ssl.useSecurity().use_parms().SetSuites(pv); // reset w/ SSL suites + bool removeDH = ssl.getSecurity().get_parms().removeDH_; + bool removeRSA = false; + bool removeDSA = false; + + const CertManager& cm = ssl.getCrypto().get_certManager(); + if (cm.get_keyType() == rsa_sa_algo) + removeDSA = true; + else + removeRSA = true; + + // reset w/ SSL suites + ssl.useSecurity().use_parms().SetSuites(pv, removeDH, removeRSA, + removeDSA); } else if (ssl.isTLSv1_1() && client_version_.minor_ == 1) // downgrade to TLSv1, but use same suites @@ -1518,6 +1556,7 @@ void ClientHello::Process(input_buffer&, SSL& ssl) return; } ssl.matchSuite(cipher_suites_, suite_len_); + if (ssl.GetError()) return; ssl.set_pending(ssl.getSecurity().get_parms().suite_[1]); if (compression_methods_ == zlib) @@ -2028,11 +2067,9 @@ void Finished::Process(input_buffer& input, SSL& ssl) if (ssl.isTLSv1_1()) ivExtra = ssl.getCrypto().get_cipher().get_blockSize(); - opaque fill; int padSz = ssl.getSecurity().get_parms().encrypt_size_ - ivExtra - HANDSHAKE_HEADER - finishedSz - digestSz; - for (int i = 0; i < padSz; i++) - fill = input[AUTO]; + input.set_current(input.get_current() + padSz); // verify mac if (memcmp(mac, verifyMAC, digestSz)) { diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp index 18acf752e98..66a854e6922 100644 --- a/extra/yassl/src/yassl_int.cpp +++ b/extra/yassl/src/yassl_int.cpp @@ -1,6 +1,5 @@ /* - Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. - Use is subject to license terms. + Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -41,28 +40,28 @@ void* operator new(size_t sz, yaSSL::new_t) { - void* ptr = malloc(sz ? sz : 1); - if (!ptr) abort(); + void* ptr = malloc(sz ? sz : 1); + if (!ptr) abort(); - return ptr; + return ptr; } void operator delete(void* ptr, yaSSL::new_t) { - if (ptr) free(ptr); + if (ptr) free(ptr); } void* operator new[](size_t sz, yaSSL::new_t nt) { - return ::operator new(sz, nt); + return ::operator new(sz, nt); } void operator delete[](void* ptr, yaSSL::new_t nt) { - ::operator delete(ptr, nt); + ::operator delete(ptr, nt); } namespace yaSSL { @@ -309,6 +308,20 @@ SSL::SSL(SSL_CTX* ctx) SetError(YasslError(err)); return; } + else if (serverSide && !(ctx->GetCiphers().setSuites_)) { + // remove RSA or DSA suites depending on cert key type + ProtocolVersion pv = secure_.get_connection().version_; + + bool removeDH = secure_.use_parms().removeDH_; + bool removeRSA = false; + bool removeDSA = false; + + if (cm.get_keyType() == rsa_sa_algo) + removeDSA = true; + else + removeRSA = true; + secure_.use_parms().SetSuites(pv, removeDH, removeRSA, removeDSA); + } } else if (serverSide) { SetError(no_key_file); @@ -321,6 +334,7 @@ SSL::SSL(SSL_CTX* ctx) cm.setVerifyNone(); if (ctx->getMethod()->failNoCert()) cm.setFailNoCert(); + cm.setVerifyCallback(ctx->getVerifyCallback()); if (serverSide) crypto_.SetDH(ctx->GetDH_Parms()); @@ -1040,7 +1054,7 @@ void SSL::fillData(Data& data) data.set_length(0); // output, actual data filled dataSz = min(dataSz, bufferedData()); - for (uint i = 0; i < elements; i++) { + for (size_t i = 0; i < elements; i++) { input_buffer* front = buffers_.getData().front(); uint frontSz = front->get_remaining(); uint readSz = min(dataSz - data.get_length(), frontSz); @@ -1064,7 +1078,7 @@ void SSL::fillData(Data& data) void SSL::PeekData(Data& data) { if (GetError()) return; - uint dataSz = data.get_length(); // input, data size to fill + uint dataSz = data.get_length(); // input, data size to fill size_t elements = buffers_.getData().size(); data.set_length(0); // output, actual data filled @@ -1101,7 +1115,7 @@ void SSL::flushBuffer() output_buffer out(sz); size_t elements = buffers_.getHandShake().size(); - for (uint i = 0; i < elements; i++) { + for (size_t i = 0; i < elements; i++) { output_buffer* front = buffers_.getHandShake().front(); out.write(front->get_buffer(), front->get_size()); @@ -1277,6 +1291,7 @@ void SSL::matchSuite(const opaque* peer, uint length) if (secure_.use_parms().suites_[i] == peer[j]) { secure_.use_parms().suite_[0] = 0x00; secure_.use_parms().suite_[1] = peer[j]; + return; } @@ -1285,7 +1300,7 @@ void SSL::matchSuite(const opaque* peer, uint length) void SSL::set_session(SSL_SESSION* s) -{ +{ if (getSecurity().GetContext()->GetSessionCacheOff()) return; @@ -1566,13 +1581,19 @@ Errors& GetErrors() typedef Mutex::Lock Lock; + void Sessions::add(const SSL& ssl) { if (ssl.getSecurity().get_connection().sessionID_Set_) { - Lock guard(mutex_); - list_.push_back(NEW_YS SSL_SESSION(ssl, random_)); + Lock guard(mutex_); + list_.push_back(NEW_YS SSL_SESSION(ssl, random_)); + count_++; } + + if (count_ > SESSION_FLUSH_COUNT) + if (!ssl.getSecurity().GetContext()->GetSessionCacheFlushOff()) + Flush(); } @@ -1661,6 +1682,25 @@ void Sessions::remove(const opaque* id) } +// flush expired sessions from cache +void Sessions::Flush() +{ + Lock guard(mutex_); + sess_iterator next = list_.begin(); + uint current = lowResTimer(); + + while (next != list_.end()) { + sess_iterator si = next; + ++next; + if ( ((*si)->GetBornOn() + (*si)->GetTimeOut()) < current) { + del_ptr_zero()(*si); + list_.erase(si); + } + } + count_ = 0; // reset flush counter +} + + // remove a self thread error void Errors::Remove() { @@ -1765,7 +1805,8 @@ bool SSL_METHOD::multipleProtocol() const SSL_CTX::SSL_CTX(SSL_METHOD* meth) : method_(meth), certificate_(0), privateKey_(0), passwordCb_(0), - userData_(0), sessionCacheOff_(false) + userData_(0), sessionCacheOff_(false), sessionCacheFlushOff_(false), + verifyCallback_(0) {} @@ -1792,6 +1833,12 @@ SSL_CTX::GetCA_List() const } +VerifyCallback SSL_CTX::getVerifyCallback() const +{ + return verifyCallback_; +} + + const x509* SSL_CTX::getCert() const { return certificate_; @@ -1852,6 +1899,12 @@ bool SSL_CTX::GetSessionCacheOff() const } +bool SSL_CTX::GetSessionCacheFlushOff() const +{ + return sessionCacheFlushOff_; +} + + void SSL_CTX::SetUserData(void* data) { userData_ = data; @@ -1864,6 +1917,12 @@ void SSL_CTX::SetSessionCacheOff() } +void SSL_CTX::SetSessionCacheFlushOff() +{ + sessionCacheFlushOff_ = true; +} + + void SSL_CTX::setVerifyPeer() { method_->setVerifyPeer(); @@ -1882,6 +1941,12 @@ void SSL_CTX::setFailNoCert() } +void SSL_CTX::setVerifyCallback(VerifyCallback vc) +{ + verifyCallback_ = vc; +} + + bool SSL_CTX::SetDH(const DH& dh) { dhParms_.p_ = dh.p->int_; @@ -2317,7 +2382,7 @@ X509::X509(const char* i, size_t iSz, const char* s, size_t sSz, : issuer_(i, iSz), subject_(s, sSz), beforeDate_(b, bSz), afterDate_(a, aSz) {} - + X509_NAME* X509::GetIssuer() { @@ -2355,10 +2420,10 @@ ASN1_STRING* X509_NAME::GetEntry(int i) memcpy(entry_.data, &name_[i], sz_ - i); if (entry_.data[sz_ -i - 1]) { entry_.data[sz_ - i] = 0; - entry_.length = (int) (sz_ - i); + entry_.length = int(sz_) - i; } else - entry_.length = (int) (sz_ - i - 1); + entry_.length = int(sz_) - i - 1; entry_.type = 0; return &entry_; diff --git a/extra/yassl/taocrypt/include/blowfish.hpp b/extra/yassl/taocrypt/include/blowfish.hpp index 90d2c014b4c..99d932353df 100644 --- a/extra/yassl/taocrypt/include/blowfish.hpp +++ b/extra/yassl/taocrypt/include/blowfish.hpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -51,7 +51,7 @@ public: enum { BLOCK_SIZE = BLOWFISH_BLOCK_SIZE, ROUNDS = 16 }; Blowfish(CipherDir DIR, Mode MODE) - : Mode_BASE(BLOCK_SIZE, DIR, MODE) {} + : Mode_BASE(BLOCK_SIZE, DIR, MODE), sbox_(pbox_ + ROUNDS + 2) {} #ifdef DO_BLOWFISH_ASM void Process(byte*, const byte*, word32); @@ -62,8 +62,8 @@ private: static const word32 p_init_[ROUNDS + 2]; static const word32 s_init_[4 * 256]; - word32 pbox_[ROUNDS + 2]; - word32 sbox_[4 * 256]; + word32 pbox_[ROUNDS + 2 + 4 * 256]; + word32* sbox_; void crypt_block(const word32 in[2], word32 out[2]) const; void AsmProcess(const byte* in, byte* out) const; diff --git a/extra/yassl/taocrypt/include/misc.hpp b/extra/yassl/taocrypt/include/misc.hpp index 96648a39aa1..a375b17eb1e 100644 --- a/extra/yassl/taocrypt/include/misc.hpp +++ b/extra/yassl/taocrypt/include/misc.hpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -125,7 +125,7 @@ void CleanUp(); // no gas on these systems ?, disable for now -#if defined(__sun__) || defined (__QNX__) || defined (__APPLE__) +#if defined(__sun__) || defined (__APPLE__) #define TAOCRYPT_DISABLE_X86ASM #endif diff --git a/extra/yassl/taocrypt/include/runtime.hpp b/extra/yassl/taocrypt/include/runtime.hpp index 99bbe3ac8a3..ad66a5bf9d0 100644 --- a/extra/yassl/taocrypt/include/runtime.hpp +++ b/extra/yassl/taocrypt/include/runtime.hpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -35,10 +35,7 @@ // Handler for pure virtual functions namespace __Crun { - static void pure_error(void) - { - assert("Pure virtual method called." == "Aborted"); - } + void pure_error(void); } // namespace __Crun #endif // __sun @@ -54,16 +51,7 @@ extern "C" { #else #include "kernelc.hpp" #endif - -/* Disallow inline __cxa_pure_virtual() */ -static int __cxa_pure_virtual() __attribute__((noinline, used)); -static int __cxa_pure_virtual() -{ - // oops, pure virtual called! - assert("Pure virtual method called." == "Aborted"); - return 0; -} - + int __cxa_pure_virtual () __attribute__ ((weak)); } // extern "C" #endif // __GNUC__ > 2 diff --git a/extra/yassl/taocrypt/src/aes.cpp b/extra/yassl/taocrypt/src/aes.cpp index b2b42d3dcf0..21b21dc4856 100644 --- a/extra/yassl/taocrypt/src/aes.cpp +++ b/extra/yassl/taocrypt/src/aes.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -51,7 +51,7 @@ void AES::Process(byte* out, const byte* in, word32 sz) out += BLOCK_SIZE; in += BLOCK_SIZE; } - else if (mode_ == CBC) + else if (mode_ == CBC) { if (dir_ == ENCRYPTION) while (blocks--) { r_[0] ^= *(word32*)in; @@ -78,6 +78,7 @@ void AES::Process(byte* out, const byte* in, word32 sz) out += BLOCK_SIZE; in += BLOCK_SIZE; } + } } #endif // DO_AES_ASM diff --git a/extra/yassl/taocrypt/src/algebra.cpp b/extra/yassl/taocrypt/src/algebra.cpp index 33a1c5c3945..20a152d1a9d 100644 --- a/extra/yassl/taocrypt/src/algebra.cpp +++ b/extra/yassl/taocrypt/src/algebra.cpp @@ -1,6 +1,5 @@ /* - Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. - Use is subject to license terms. + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -187,10 +186,10 @@ Integer AbstractGroup::CascadeScalarMultiply(const Element &x, struct WindowSlider { - WindowSlider(const Integer &exp, bool fastNegate, + WindowSlider(const Integer &expIn, bool fastNegateIn, unsigned int windowSizeIn=0) - : exp(exp), windowModulus(Integer::One()), windowSize(windowSizeIn), - windowBegin(0), fastNegate(fastNegate), firstTime(true), + : exp(expIn), windowModulus(Integer::One()), windowSize(windowSizeIn), + windowBegin(0), fastNegate(fastNegateIn), firstTime(true), finished(false) { if (windowSize == 0) diff --git a/extra/yassl/taocrypt/src/blowfish.cpp b/extra/yassl/taocrypt/src/blowfish.cpp index 66ff4d829d7..8ee2f3fe569 100644 --- a/extra/yassl/taocrypt/src/blowfish.cpp +++ b/extra/yassl/taocrypt/src/blowfish.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -53,7 +53,7 @@ void Blowfish::Process(byte* out, const byte* in, word32 sz) out += BLOCK_SIZE; in += BLOCK_SIZE; } - else if (mode_ == CBC) + else if (mode_ == CBC) { if (dir_ == ENCRYPTION) while (blocks--) { r_[0] ^= *(word32*)in; @@ -78,6 +78,7 @@ void Blowfish::Process(byte* out, const byte* in, word32 sz) out += BLOCK_SIZE; in += BLOCK_SIZE; } + } } #endif // DO_BLOWFISH_ASM diff --git a/extra/yassl/taocrypt/src/coding.cpp b/extra/yassl/taocrypt/src/coding.cpp index 7a9d50aaac9..7c6a6a8bd8b 100644 --- a/extra/yassl/taocrypt/src/coding.cpp +++ b/extra/yassl/taocrypt/src/coding.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -185,7 +185,7 @@ void Base64Decoder::Decode() { word32 bytes = coded_.size(); word32 plainSz = bytes - ((bytes + (pemLineSz - 1)) / pemLineSz); - plainSz = (plainSz * 3 + 3) / 4; + plainSz = ((plainSz * 3) / 4) + 3; decoded_.New(plainSz); word32 i = 0; diff --git a/extra/yassl/taocrypt/src/integer.cpp b/extra/yassl/taocrypt/src/integer.cpp index 85733b88aa9..c00815df8cf 100644 --- a/extra/yassl/taocrypt/src/integer.cpp +++ b/extra/yassl/taocrypt/src/integer.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -283,21 +283,23 @@ DWord() {} word GetHighHalfAsBorrow() const {return 0-halfs_.high;} private: + struct dword_struct + { + #ifdef LITTLE_ENDIAN_ORDER + word low; + word high; + #else + word high; + word low; + #endif + }; + union { #ifdef TAOCRYPT_NATIVE_DWORD_AVAILABLE dword whole_; #endif - struct - { - #ifdef LITTLE_ENDIAN_ORDER - word low; - word high; - #else - word high; - word low; - #endif - } halfs_; + struct dword_struct halfs_; }; }; @@ -1214,20 +1216,24 @@ public: #define AS1(x) #x ";" #define AS2(x, y) #x ", " #y ";" #define AddPrologue \ + word res; \ __asm__ __volatile__ \ ( \ "push %%ebx;" /* save this manually, in case of -fPIC */ \ - "mov %2, %%ebx;" \ + "mov %3, %%ebx;" \ ".intel_syntax noprefix;" \ "push ebp;" #define AddEpilogue \ "pop ebp;" \ ".att_syntax prefix;" \ "pop %%ebx;" \ - : \ + "mov %%eax, %0;" \ + : "=g" (res) \ : "c" (C), "d" (A), "m" (B), "S" (N) \ : "%edi", "memory", "cc" \ - ); + ); \ + return res; + #define MulPrologue \ __asm__ __volatile__ \ ( \ diff --git a/extra/yassl/taocrypt/src/misc.cpp b/extra/yassl/taocrypt/src/misc.cpp index 402645c93fd..6045ea3e42b 100644 --- a/extra/yassl/taocrypt/src/misc.cpp +++ b/extra/yassl/taocrypt/src/misc.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -84,12 +84,23 @@ namespace STL = STL_NAMESPACE; } -#if defined(__ICC) || defined(__INTEL_COMPILER) +#ifdef __sun + +// Handler for pure virtual functions +namespace __Crun { + void pure_error() { + assert(!"Aborted: pure virtual method called."); + } +} + +#endif + +#if defined(__ICC) || defined(__INTEL_COMPILER) || (__GNUC__ > 2) extern "C" { int __cxa_pure_virtual() { - assert("Pure virtual method called." == "Aborted"); + assert(!"Aborted: pure virtual method called."); return 0; } @@ -166,14 +177,6 @@ word Crop(word value, unsigned int size) #ifdef TAOCRYPT_X86ASM_AVAILABLE -#ifndef _MSC_VER - static jmp_buf s_env; - static void SigIllHandler(int) - { - longjmp(s_env, 1); - } -#endif - bool HaveCpuId() { diff --git a/extra/yassl/taocrypt/src/random.cpp b/extra/yassl/taocrypt/src/random.cpp index 89fd5f7c7bc..1be0fed612f 100644 --- a/extra/yassl/taocrypt/src/random.cpp +++ b/extra/yassl/taocrypt/src/random.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -27,7 +27,6 @@ #include #if defined(_WIN32) - #define _WIN32_WINNT 0x0400 #include #include #else @@ -93,67 +92,6 @@ void OS_Seed::GenerateSeed(byte* output, word32 sz) } -#elif defined(__NETWARE__) - -/* The OS_Seed implementation for Netware */ - -#include -#include - -// Loop on high resulution Read Time Stamp Counter -static void NetwareSeed(byte* output, word32 sz) -{ - word32 tscResult; - - for (word32 i = 0; i < sz; i += sizeof(tscResult)) { - #if defined(__GNUC__) - asm volatile("rdtsc" : "=A" (tscResult)); - #else - #ifdef __MWERKS__ - asm { - #else - __asm { - #endif - rdtsc - mov tscResult, eax - } - #endif - - memcpy(output, &tscResult, sizeof(tscResult)); - output += sizeof(tscResult); - - NXThreadYield(); // induce more variance - } -} - - -OS_Seed::OS_Seed() -{ -} - - -OS_Seed::~OS_Seed() -{ -} - - -void OS_Seed::GenerateSeed(byte* output, word32 sz) -{ - /* - Try to use NXSeedRandom as it will generate a strong - seed using the onboard 82802 chip - - As it's not always supported, fallback to default - implementation if an error is returned - */ - - if (NXSeedRandom(sz, output) != 0) - { - NetwareSeed(output, sz); - } -} - - #else /* The default OS_Seed implementation */ diff --git a/extra/yassl/taocrypt/src/twofish.cpp b/extra/yassl/taocrypt/src/twofish.cpp index 84dd35f9191..272a0def169 100644 --- a/extra/yassl/taocrypt/src/twofish.cpp +++ b/extra/yassl/taocrypt/src/twofish.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -54,7 +54,7 @@ void Twofish::Process(byte* out, const byte* in, word32 sz) out += BLOCK_SIZE; in += BLOCK_SIZE; } - else if (mode_ == CBC) + else if (mode_ == CBC) { if (dir_ == ENCRYPTION) while (blocks--) { r_[0] ^= *(word32*)in; @@ -82,6 +82,7 @@ void Twofish::Process(byte* out, const byte* in, word32 sz) out += BLOCK_SIZE; in += BLOCK_SIZE; } + } } #endif // DO_TWOFISH_ASM diff --git a/extra/yassl/testsuite/test.hpp b/extra/yassl/testsuite/test.hpp index 4555080f84c..e14cdc54ae0 100644 --- a/extra/yassl/testsuite/test.hpp +++ b/extra/yassl/testsuite/test.hpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2006, 2007 MySQL AB + Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -50,8 +50,7 @@ #endif /* _WIN32 */ -#if !defined(_SOCKLEN_T) && \ - (defined(_WIN32) || defined(__NETWARE__) || defined(__APPLE__)) +#if !defined(_SOCKLEN_T) && (defined(_WIN32) || defined(__APPLE__)) typedef int socklen_t; #endif @@ -60,18 +59,14 @@ #if defined(__hpux) // HPUX uses int* for third parameter to accept typedef int* ACCEPT_THIRD_T; -#elif defined(__NETWARE__) -// NetWare uses size_t* for third parameter to accept - typedef size_t* ACCEPT_THIRD_T; #else typedef socklen_t* ACCEPT_THIRD_T; #endif // Check if _POSIX_THREADS should be forced -#if !defined(_POSIX_THREADS) && (defined(__NETWARE__) || defined(__hpux)) +#if !defined(_POSIX_THREADS) && defined(__hpux) // HPUX does not define _POSIX_THREADS as it's not _fully_ implemented -// Netware supports pthreads but does not announce it #define _POSIX_THREADS #endif @@ -178,6 +173,11 @@ inline void err_sys(const char* msg) } +extern "C" { + static int PasswordCallBack(char*, int, int, void*); +} + + static int PasswordCallBack(char* passwd, int sz, int rw, void* userdata) { strncpy(passwd, "12345678", sz); From c77656dcb357b2e2fea8433ef8063d32699b3033 Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Fri, 10 Feb 2012 11:35:36 +0200 Subject: [PATCH 10/14] Bug#13706621 : UNIFY THE YASSL VERSIONS THAT WE USE BY BACKPORTING 5.1 AND 5.5 YASSL FIXES. Took the 5.5 yassl directory and moved it to the 5.1 tree, while preserving the makefiles. --- extra/yassl/include/cert_wrapper.hpp | 5 +- extra/yassl/include/openssl/ssl.h | 5 +- extra/yassl/include/yassl_error.hpp | 5 +- extra/yassl/include/yassl_imp.hpp | 5 +- extra/yassl/include/yassl_int.hpp | 11 ++-- extra/yassl/include/yassl_types.hpp | 5 +- extra/yassl/src/buffer.cpp | 5 +- extra/yassl/src/cert_wrapper.cpp | 5 +- extra/yassl/src/crypto_wrapper.cpp | 5 +- extra/yassl/src/handshake.cpp | 5 +- extra/yassl/src/socket_wrapper.cpp | 4 +- extra/yassl/src/ssl.cpp | 5 +- extra/yassl/src/yassl_error.cpp | 5 +- extra/yassl/src/yassl_imp.cpp | 5 +- extra/yassl/src/yassl_int.cpp | 5 +- extra/yassl/taocrypt/include/asn.hpp | 5 +- extra/yassl/taocrypt/include/block.hpp | 5 +- extra/yassl/taocrypt/include/blowfish.hpp | 5 +- extra/yassl/taocrypt/include/misc.hpp | 4 +- extra/yassl/taocrypt/include/modes.hpp | 5 +- extra/yassl/taocrypt/include/runtime.hpp | 5 +- extra/yassl/taocrypt/src/aes.cpp | 5 +- extra/yassl/taocrypt/src/algebra.cpp | 5 +- extra/yassl/taocrypt/src/asn.cpp | 5 +- extra/yassl/taocrypt/src/blowfish.cpp | 5 +- extra/yassl/taocrypt/src/coding.cpp | 5 +- extra/yassl/taocrypt/src/integer.cpp | 5 +- extra/yassl/taocrypt/src/misc.cpp | 5 +- extra/yassl/taocrypt/src/random.cpp | 69 ++--------------------- extra/yassl/taocrypt/src/twofish.cpp | 5 +- extra/yassl/testsuite/test.hpp | 9 +-- 31 files changed, 93 insertions(+), 134 deletions(-) diff --git a/extra/yassl/include/cert_wrapper.hpp b/extra/yassl/include/cert_wrapper.hpp index 755a3925c8e..d07e5b627b0 100644 --- a/extra/yassl/include/cert_wrapper.hpp +++ b/extra/yassl/include/cert_wrapper.hpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h index 9ffd4c0328e..ba5fa51f34c 100644 --- a/extra/yassl/include/openssl/ssl.h +++ b/extra/yassl/include/openssl/ssl.h @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* ssl.h defines openssl compatibility layer diff --git a/extra/yassl/include/yassl_error.hpp b/extra/yassl/include/yassl_error.hpp index d9bbbc2dc69..87bb4c55e96 100644 --- a/extra/yassl/include/yassl_error.hpp +++ b/extra/yassl/include/yassl_error.hpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ diff --git a/extra/yassl/include/yassl_imp.hpp b/extra/yassl/include/yassl_imp.hpp index ee29d89332a..04e85c16a04 100644 --- a/extra/yassl/include/yassl_imp.hpp +++ b/extra/yassl/include/yassl_imp.hpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* yaSSL implementation header defines all strucutres from the SSL.v3 diff --git a/extra/yassl/include/yassl_int.hpp b/extra/yassl/include/yassl_int.hpp index adb9f5ea67a..433649c545b 100644 --- a/extra/yassl/include/yassl_int.hpp +++ b/extra/yassl/include/yassl_int.hpp @@ -1,6 +1,5 @@ /* - Copyright (c) 2005-2007 MySQL AB, 2008, 2009 Sun Microsystems, Inc. - Use is subject to license terms. + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -12,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ @@ -34,9 +34,8 @@ #include "openssl/ssl.h" // ASN1_STRING and DH // Check if _POSIX_THREADS should be forced -#if !defined(_POSIX_THREADS) && (defined(__NETWARE__) || defined(__hpux)) +#if !defined(_POSIX_THREADS) && defined(__hpux) // HPUX does not define _POSIX_THREADS as it's not _fully_ implemented -// Netware supports pthreads but does not announce it #define _POSIX_THREADS #endif diff --git a/extra/yassl/include/yassl_types.hpp b/extra/yassl/include/yassl_types.hpp index e898befda3a..c73a54a7c15 100644 --- a/extra/yassl/include/yassl_types.hpp +++ b/extra/yassl/include/yassl_types.hpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* yaSSL types header defines all constants, enums, and typedefs diff --git a/extra/yassl/src/buffer.cpp b/extra/yassl/src/buffer.cpp index a774cf4a26a..86c1bcf3388 100644 --- a/extra/yassl/src/buffer.cpp +++ b/extra/yassl/src/buffer.cpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ diff --git a/extra/yassl/src/cert_wrapper.cpp b/extra/yassl/src/cert_wrapper.cpp index 308ca70c748..d8660533f2e 100644 --- a/extra/yassl/src/cert_wrapper.cpp +++ b/extra/yassl/src/cert_wrapper.cpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ diff --git a/extra/yassl/src/crypto_wrapper.cpp b/extra/yassl/src/crypto_wrapper.cpp index 8d596b84200..e6168d4d69c 100644 --- a/extra/yassl/src/crypto_wrapper.cpp +++ b/extra/yassl/src/crypto_wrapper.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* The crypto wrapper source implements the policies for the cipher diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp index 1059df1d63e..08fae4ac17d 100644 --- a/extra/yassl/src/handshake.cpp +++ b/extra/yassl/src/handshake.cpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ diff --git a/extra/yassl/src/socket_wrapper.cpp b/extra/yassl/src/socket_wrapper.cpp index eee5d47377f..3cf6c14c4b3 100644 --- a/extra/yassl/src/socket_wrapper.cpp +++ b/extra/yassl/src/socket_wrapper.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -37,7 +37,7 @@ #include #endif // _WIN32 -#if defined(__sun) || defined(__SCO_VERSION__) || defined(__NETWARE__) +#if defined(__sun) || defined(__SCO_VERSION__) #include #endif diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp index 9d1cc9407ea..67d2d428e51 100644 --- a/extra/yassl/src/ssl.cpp +++ b/extra/yassl/src/ssl.cpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* SSL source implements all openssl compatibility API functions diff --git a/extra/yassl/src/yassl_error.cpp b/extra/yassl/src/yassl_error.cpp index f4862fe0a7c..e167075b984 100644 --- a/extra/yassl/src/yassl_error.cpp +++ b/extra/yassl/src/yassl_error.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp index a152ebb2e19..d981605d35a 100644 --- a/extra/yassl/src/yassl_imp.cpp +++ b/extra/yassl/src/yassl_imp.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* yaSSL source implements all SSL.v3 secification structures. diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp index 7fea438622d..66a854e6922 100644 --- a/extra/yassl/src/yassl_int.cpp +++ b/extra/yassl/src/yassl_int.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ diff --git a/extra/yassl/taocrypt/include/asn.hpp b/extra/yassl/taocrypt/include/asn.hpp index 986686c93d2..ece7140741a 100644 --- a/extra/yassl/taocrypt/include/asn.hpp +++ b/extra/yassl/taocrypt/include/asn.hpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* asn.hpp provides ASN1 BER, PublicKey, and x509v3 decoding diff --git a/extra/yassl/taocrypt/include/block.hpp b/extra/yassl/taocrypt/include/block.hpp index 6263cfeb80d..ad3dcf2db59 100644 --- a/extra/yassl/taocrypt/include/block.hpp +++ b/extra/yassl/taocrypt/include/block.hpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ diff --git a/extra/yassl/taocrypt/include/blowfish.hpp b/extra/yassl/taocrypt/include/blowfish.hpp index 1ca7588cc44..99d932353df 100644 --- a/extra/yassl/taocrypt/include/blowfish.hpp +++ b/extra/yassl/taocrypt/include/blowfish.hpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* blowfish.hpp defines Blowfish diff --git a/extra/yassl/taocrypt/include/misc.hpp b/extra/yassl/taocrypt/include/misc.hpp index 96648a39aa1..a375b17eb1e 100644 --- a/extra/yassl/taocrypt/include/misc.hpp +++ b/extra/yassl/taocrypt/include/misc.hpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -125,7 +125,7 @@ void CleanUp(); // no gas on these systems ?, disable for now -#if defined(__sun__) || defined (__QNX__) || defined (__APPLE__) +#if defined(__sun__) || defined (__APPLE__) #define TAOCRYPT_DISABLE_X86ASM #endif diff --git a/extra/yassl/taocrypt/include/modes.hpp b/extra/yassl/taocrypt/include/modes.hpp index 6c04c4e4457..2285bd0e845 100644 --- a/extra/yassl/taocrypt/include/modes.hpp +++ b/extra/yassl/taocrypt/include/modes.hpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* modes.hpp provides ECB and CBC modes for block cipher encryption/decryption diff --git a/extra/yassl/taocrypt/include/runtime.hpp b/extra/yassl/taocrypt/include/runtime.hpp index 3b62ead22fd..ad66a5bf9d0 100644 --- a/extra/yassl/taocrypt/include/runtime.hpp +++ b/extra/yassl/taocrypt/include/runtime.hpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* runtime.hpp provides C++ runtime support functions when building a pure C diff --git a/extra/yassl/taocrypt/src/aes.cpp b/extra/yassl/taocrypt/src/aes.cpp index ea4a68fc19a..21b21dc4856 100644 --- a/extra/yassl/taocrypt/src/aes.cpp +++ b/extra/yassl/taocrypt/src/aes.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* C++ based on Wei Dai's aes.cpp from CryptoPP */ diff --git a/extra/yassl/taocrypt/src/algebra.cpp b/extra/yassl/taocrypt/src/algebra.cpp index 31f09d9d683..20a152d1a9d 100644 --- a/extra/yassl/taocrypt/src/algebra.cpp +++ b/extra/yassl/taocrypt/src/algebra.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* based on Wei Dai's algebra.cpp from CryptoPP */ diff --git a/extra/yassl/taocrypt/src/asn.cpp b/extra/yassl/taocrypt/src/asn.cpp index c7afb682c75..1b81db4f0a4 100644 --- a/extra/yassl/taocrypt/src/asn.cpp +++ b/extra/yassl/taocrypt/src/asn.cpp @@ -12,8 +12,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* asn.cpp implements ASN1 BER, PublicKey, and x509v3 decoding diff --git a/extra/yassl/taocrypt/src/blowfish.cpp b/extra/yassl/taocrypt/src/blowfish.cpp index 85af10beac5..8ee2f3fe569 100644 --- a/extra/yassl/taocrypt/src/blowfish.cpp +++ b/extra/yassl/taocrypt/src/blowfish.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* C++ code based on Wei Dai's blowfish.cpp from CryptoPP */ diff --git a/extra/yassl/taocrypt/src/coding.cpp b/extra/yassl/taocrypt/src/coding.cpp index 9481497dc4d..7c6a6a8bd8b 100644 --- a/extra/yassl/taocrypt/src/coding.cpp +++ b/extra/yassl/taocrypt/src/coding.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* coding.cpp implements hex and base64 encoding/decoing diff --git a/extra/yassl/taocrypt/src/integer.cpp b/extra/yassl/taocrypt/src/integer.cpp index f59b768c9ff..c00815df8cf 100644 --- a/extra/yassl/taocrypt/src/integer.cpp +++ b/extra/yassl/taocrypt/src/integer.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ diff --git a/extra/yassl/taocrypt/src/misc.cpp b/extra/yassl/taocrypt/src/misc.cpp index 6e9b101bf0f..6045ea3e42b 100644 --- a/extra/yassl/taocrypt/src/misc.cpp +++ b/extra/yassl/taocrypt/src/misc.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* based on Wei Dai's misc.cpp from CryptoPP */ diff --git a/extra/yassl/taocrypt/src/random.cpp b/extra/yassl/taocrypt/src/random.cpp index 2a2ac83ca34..1be0fed612f 100644 --- a/extra/yassl/taocrypt/src/random.cpp +++ b/extra/yassl/taocrypt/src/random.cpp @@ -1,6 +1,5 @@ /* - Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. - Use is subject to license terms. + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -12,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ @@ -92,67 +92,6 @@ void OS_Seed::GenerateSeed(byte* output, word32 sz) } -#elif defined(__NETWARE__) - -/* The OS_Seed implementation for Netware */ - -#include -#include - -// Loop on high resulution Read Time Stamp Counter -static void NetwareSeed(byte* output, word32 sz) -{ - word32 tscResult; - - for (word32 i = 0; i < sz; i += sizeof(tscResult)) { - #if defined(__GNUC__) - asm volatile("rdtsc" : "=A" (tscResult)); - #else - #ifdef __MWERKS__ - asm { - #else - __asm { - #endif - rdtsc - mov tscResult, eax - } - #endif - - memcpy(output, &tscResult, sizeof(tscResult)); - output += sizeof(tscResult); - - NXThreadYield(); // induce more variance - } -} - - -OS_Seed::OS_Seed() -{ -} - - -OS_Seed::~OS_Seed() -{ -} - - -void OS_Seed::GenerateSeed(byte* output, word32 sz) -{ - /* - Try to use NXSeedRandom as it will generate a strong - seed using the onboard 82802 chip - - As it's not always supported, fallback to default - implementation if an error is returned - */ - - if (NXSeedRandom(sz, output) != 0) - { - NetwareSeed(output, sz); - } -} - - #else /* The default OS_Seed implementation */ diff --git a/extra/yassl/taocrypt/src/twofish.cpp b/extra/yassl/taocrypt/src/twofish.cpp index e33abd41ea5..272a0def169 100644 --- a/extra/yassl/taocrypt/src/twofish.cpp +++ b/extra/yassl/taocrypt/src/twofish.cpp @@ -11,8 +11,9 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; see the file COPYING. If not, write to the + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301 USA. */ /* C++ based on Wei Dai's twofish.cpp from CryptoPP */ diff --git a/extra/yassl/testsuite/test.hpp b/extra/yassl/testsuite/test.hpp index 8107090842b..e14cdc54ae0 100644 --- a/extra/yassl/testsuite/test.hpp +++ b/extra/yassl/testsuite/test.hpp @@ -50,8 +50,7 @@ #endif /* _WIN32 */ -#if !defined(_SOCKLEN_T) && \ - (defined(_WIN32) || defined(__NETWARE__) || defined(__APPLE__)) +#if !defined(_SOCKLEN_T) && (defined(_WIN32) || defined(__APPLE__)) typedef int socklen_t; #endif @@ -60,18 +59,14 @@ #if defined(__hpux) // HPUX uses int* for third parameter to accept typedef int* ACCEPT_THIRD_T; -#elif defined(__NETWARE__) -// NetWare uses size_t* for third parameter to accept - typedef size_t* ACCEPT_THIRD_T; #else typedef socklen_t* ACCEPT_THIRD_T; #endif // Check if _POSIX_THREADS should be forced -#if !defined(_POSIX_THREADS) && (defined(__NETWARE__) || defined(__hpux)) +#if !defined(_POSIX_THREADS) && defined(__hpux) // HPUX does not define _POSIX_THREADS as it's not _fully_ implemented -// Netware supports pthreads but does not announce it #define _POSIX_THREADS #endif From 937302d6a887523c56331a7c05e68b71cf9abb7b Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Fri, 10 Feb 2012 16:33:27 +0200 Subject: [PATCH 11/14] Bug #13706828: UPGRADE YASSL FROM 1.7.2 TO 2.1.4 $SUBJ$ 1. Took a diff between the previous base version and the mysql sources. 2. Added the new 2.1.4 base version. 3. Reviewed and re-applied the diff from step #1. --- extra/yassl/CMakeLists.txt | 0 extra/yassl/INSTALL | 103 +++--- extra/yassl/README | 122 ++++++- extra/yassl/certs/ca-cert.pem | 71 ++-- extra/yassl/certs/ca-key.pem | 9 + extra/yassl/certs/client-cert.der | Bin 699 -> 782 bytes extra/yassl/certs/client-cert.pem | 69 ++-- extra/yassl/certs/client-key.der | Bin 318 -> 319 bytes extra/yassl/certs/client-key.pem | 14 +- extra/yassl/certs/client-keyEnc.pem | 12 + extra/yassl/certs/client-keyEnc3.pem | 12 + extra/yassl/certs/dsa-cert.pem | 58 ++-- extra/yassl/certs/dsa512.der | Bin 250 -> 249 bytes extra/yassl/certs/server-cert.pem | 49 +-- extra/yassl/certs/server-key.pem | 14 +- extra/yassl/certs/server-keyEnc.pem | 12 + extra/yassl/certs/taoCert.txt | 12 + extra/yassl/examples/client/client.cpp | 22 +- .../yassl/examples/echoclient/echoclient.cpp | 6 +- .../yassl/examples/echoserver/echoserver.cpp | 12 +- extra/yassl/examples/server/server.cpp | 17 +- extra/yassl/include/buffer.hpp | 10 +- extra/yassl/include/openssl/ssl.h | 49 ++- extra/yassl/include/socket_wrapper.hpp | 4 +- extra/yassl/include/yassl_int.hpp | 62 ++-- extra/yassl/include/yassl_types.hpp | 30 +- extra/yassl/src/buffer.cpp | 12 - extra/yassl/src/cert_wrapper.cpp | 6 +- extra/yassl/src/crypto_wrapper.cpp | 2 +- extra/yassl/src/handshake.cpp | 47 ++- extra/yassl/src/make.bat | 0 extra/yassl/src/socket_wrapper.cpp | 23 +- extra/yassl/src/ssl.cpp | 123 ++++--- extra/yassl/src/yassl.cpp | 6 +- extra/yassl/src/yassl_error.cpp | 16 +- extra/yassl/src/yassl_imp.cpp | 41 +-- extra/yassl/src/yassl_int.cpp | 51 ++- extra/yassl/taocrypt/README | 2 +- extra/yassl/taocrypt/benchmark/benchmark.cpp | 18 +- extra/yassl/taocrypt/benchmark/benchmark.dsp | 10 +- extra/yassl/taocrypt/benchmark/dh1024.der | Bin 140 -> 138 bytes extra/yassl/taocrypt/benchmark/dsa1024.der | Bin 448 -> 445 bytes extra/yassl/taocrypt/benchmark/make.bat | 0 extra/yassl/taocrypt/benchmark/rsa1024.der | Bin 610 -> 606 bytes extra/yassl/taocrypt/certs/client-cert.der | Bin 0 -> 782 bytes extra/yassl/taocrypt/certs/client-key.der | Bin 0 -> 319 bytes extra/yassl/taocrypt/certs/dh1024.dat | 1 + extra/yassl/taocrypt/certs/dsa512.der | Bin 0 -> 249 bytes extra/yassl/taocrypt/include/asn.hpp | 1 + extra/yassl/taocrypt/include/block.hpp | 12 +- extra/yassl/taocrypt/include/blowfish.hpp | 8 +- extra/yassl/taocrypt/include/des.hpp | 2 +- extra/yassl/taocrypt/include/hash.hpp | 4 +- extra/yassl/taocrypt/include/hc128.hpp | 63 ++++ extra/yassl/taocrypt/include/integer.hpp | 7 - extra/yassl/taocrypt/include/kernelc.hpp | 12 - extra/yassl/taocrypt/include/misc.hpp | 45 +-- extra/yassl/taocrypt/include/modes.hpp | 7 +- extra/yassl/taocrypt/include/pwdbased.hpp | 5 +- extra/yassl/taocrypt/include/rabbit.hpp | 65 ++++ extra/yassl/taocrypt/include/rsa.hpp | 4 +- extra/yassl/taocrypt/include/runtime.hpp | 5 +- extra/yassl/taocrypt/include/types.hpp | 2 +- extra/yassl/taocrypt/mySTL/stdexcept.hpp | 3 +- extra/yassl/taocrypt/mySTL/vector.hpp | 7 +- extra/yassl/taocrypt/src/Makefile.am | 2 +- extra/yassl/taocrypt/src/aes.cpp | 39 ++- extra/yassl/taocrypt/src/aestables.cpp | 2 - extra/yassl/taocrypt/src/algebra.cpp | 3 +- extra/yassl/taocrypt/src/arc4.cpp | 2 +- extra/yassl/taocrypt/src/asn.cpp | 196 +++++++---- extra/yassl/taocrypt/src/blowfish.cpp | 36 +- extra/yassl/taocrypt/src/coding.cpp | 16 +- extra/yassl/taocrypt/src/dsa.cpp | 3 +- extra/yassl/taocrypt/src/hash.cpp | 17 +- extra/yassl/taocrypt/src/hc128.cpp | 317 ++++++++++++++++++ extra/yassl/taocrypt/src/integer.cpp | 95 +----- extra/yassl/taocrypt/src/make.bat | 0 extra/yassl/taocrypt/src/md4.cpp | 2 +- extra/yassl/taocrypt/src/md5.cpp | 18 +- extra/yassl/taocrypt/src/misc.cpp | 22 +- extra/yassl/taocrypt/src/rabbit.cpp | 250 ++++++++++++++ extra/yassl/taocrypt/src/random.cpp | 6 +- extra/yassl/taocrypt/src/ripemd.cpp | 16 +- extra/yassl/taocrypt/src/rsa.cpp | 7 +- extra/yassl/taocrypt/src/sha.cpp | 16 +- extra/yassl/taocrypt/src/template_instnt.cpp | 1 - extra/yassl/taocrypt/src/twofish.cpp | 2 - extra/yassl/taocrypt/taocrypt.dsp | 16 + extra/yassl/taocrypt/test/make.bat | 0 extra/yassl/taocrypt/test/memory.cpp | 29 ++ extra/yassl/taocrypt/test/test.cpp | 158 ++++++++- extra/yassl/testsuite/make.bat | 0 extra/yassl/testsuite/test.hpp | 95 +++++- extra/yassl/testsuite/testsuite.cpp | 8 +- 95 files changed, 1956 insertions(+), 797 deletions(-) mode change 100755 => 100644 extra/yassl/CMakeLists.txt create mode 100644 extra/yassl/certs/ca-key.pem create mode 100644 extra/yassl/certs/client-keyEnc.pem create mode 100644 extra/yassl/certs/client-keyEnc3.pem create mode 100644 extra/yassl/certs/server-keyEnc.pem mode change 100644 => 100755 extra/yassl/src/make.bat mode change 100644 => 100755 extra/yassl/taocrypt/benchmark/make.bat create mode 100644 extra/yassl/taocrypt/certs/client-cert.der create mode 100644 extra/yassl/taocrypt/certs/client-key.der create mode 100644 extra/yassl/taocrypt/certs/dh1024.dat create mode 100644 extra/yassl/taocrypt/certs/dsa512.der create mode 100644 extra/yassl/taocrypt/include/hc128.hpp create mode 100644 extra/yassl/taocrypt/include/rabbit.hpp create mode 100644 extra/yassl/taocrypt/src/hc128.cpp mode change 100644 => 100755 extra/yassl/taocrypt/src/make.bat create mode 100644 extra/yassl/taocrypt/src/rabbit.cpp mode change 100644 => 100755 extra/yassl/taocrypt/test/make.bat mode change 100644 => 100755 extra/yassl/testsuite/make.bat diff --git a/extra/yassl/CMakeLists.txt b/extra/yassl/CMakeLists.txt old mode 100755 new mode 100644 diff --git a/extra/yassl/INSTALL b/extra/yassl/INSTALL index 54caf7c190f..5458714e1e2 100644 --- a/extra/yassl/INSTALL +++ b/extra/yassl/INSTALL @@ -1,13 +1,19 @@ -Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002 Free Software -Foundation, Inc. +Installation Instructions +************************* - This file is free documentation; the Free Software Foundation gives +Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005, +2006 Free Software Foundation, Inc. + +This file is free documentation; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. Basic Installation ================== - These are generic installation instructions. +Briefly, the shell commands `./configure; make; make install' should +configure, build, and install this package. The following +more-detailed instructions are generic; see the `README' file for +instructions specific to this package. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses @@ -20,9 +26,9 @@ debugging `configure'). It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves -the results of its tests to speed up reconfiguring. (Caching is +the results of its tests to speed up reconfiguring. Caching is disabled by default to prevent problems with accidental use of stale -cache files.) +cache files. If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail @@ -32,20 +38,17 @@ some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.ac' (or `configure.in') is used to create -`configure' by a program called `autoconf'. You only need -`configure.ac' if you want to change it or regenerate `configure' using -a newer version of `autoconf'. +`configure' by a program called `autoconf'. You need `configure.ac' if +you want to change it or regenerate `configure' using a newer version +of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. If you're - using `csh' on an old version of System V, you might need to type - `sh ./configure' instead to prevent `csh' from trying to execute - `configure' itself. + `./configure' to configure the package for your system. - Running `configure' takes awhile. While running, it prints some - messages telling which features it is checking for. + Running `configure' might take a while. While running, it prints + some messages telling which features it is checking for. 2. Type `make' to compile the package. @@ -67,51 +70,49 @@ The simplest way to compile this package is: Compilers and Options ===================== - Some systems require unusual options for compilation or linking that -the `configure' script does not know about. Run `./configure --help' -for details on some of the pertinent environment variables. +Some systems require unusual options for compilation or linking that the +`configure' script does not know about. Run `./configure --help' for +details on some of the pertinent environment variables. You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example: - ./configure CC=c89 CFLAGS=-O2 LIBS=-lposix + ./configure CC=c99 CFLAGS=-g LIBS=-lposix *Note Defining Variables::, for more details. Compiling For Multiple Architectures ==================================== - You can compile the package for more than one kind of computer at the +You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their -own directory. To do this, you must use a version of `make' that -supports the `VPATH' variable, such as GNU `make'. `cd' to the +own directory. To do this, you can use GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. - If you have to use a `make' that does not support the `VPATH' -variable, you have to compile the package for one architecture at a -time in the source code directory. After you have installed the -package for one architecture, use `make distclean' before reconfiguring -for another architecture. + With a non-GNU `make', it is safer to compile the package for one +architecture at a time in the source code directory. After you have +installed the package for one architecture, use `make distclean' before +reconfiguring for another architecture. Installation Names ================== - By default, `make install' will install the package's files in -`/usr/local/bin', `/usr/local/man', etc. You can specify an -installation prefix other than `/usr/local' by giving `configure' the -option `--prefix=PATH'. +By default, `make install' installs the package's commands under +`/usr/local/bin', include files under `/usr/local/include', etc. You +can specify an installation prefix other than `/usr/local' by giving +`configure' the option `--prefix=PREFIX'. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you -give `configure' the option `--exec-prefix=PATH', the package will use -PATH as the prefix for installing programs and libraries. -Documentation and other data files will still use the regular prefix. +pass the option `--exec-prefix=PREFIX' to `configure', the package uses +PREFIX as the prefix for installing programs and libraries. +Documentation and other data files still use the regular prefix. In addition, if you use an unusual directory layout you can give -options like `--bindir=PATH' to specify different values for particular +options like `--bindir=DIR' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them. @@ -122,7 +123,7 @@ option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Optional Features ================= - Some packages pay attention to `--enable-FEATURE' options to +Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The @@ -137,11 +138,11 @@ you can use the `configure' options `--x-includes=DIR' and Specifying the System Type ========================== - There may be some features `configure' cannot figure out -automatically, but needs to determine by the type of machine the package -will run on. Usually, assuming the package is built to be run on the -_same_ architectures, `configure' can figure that out, but if it prints -a message saying it cannot guess the machine type, give it the +There may be some features `configure' cannot figure out automatically, +but needs to determine by the type of machine the package will run on. +Usually, assuming the package is built to be run on the _same_ +architectures, `configure' can figure that out, but if it prints a +message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form: @@ -156,7 +157,7 @@ where SYSTEM can have one of these forms: need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should -use the `--target=TYPE' option to select the type of system they will +use the option `--target=TYPE' to select the type of system they will produce code for. If you want to _use_ a cross compiler, that generates code for a @@ -167,9 +168,9 @@ eventually be run) with `--host=TYPE'. Sharing Defaults ================ - If you want to set default values for `configure' scripts to share, -you can create a site shell script called `config.site' that gives -default values for variables like `CC', `cache_file', and `prefix'. +If you want to set default values for `configure' scripts to share, you +can create a site shell script called `config.site' that gives default +values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. @@ -178,7 +179,7 @@ A warning: not all `configure' scripts look for a site script. Defining Variables ================== - Variables not defined in a site shell script can be set in the +Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set @@ -186,14 +187,18 @@ them in the `configure' command line, using `VAR=value'. For example: ./configure CC=/usr/local2/bin/gcc -will cause the specified gcc to be used as the C compiler (unless it is +causes the specified `gcc' to be used as the C compiler (unless it is overridden in the site shell script). +Unfortunately, this technique does not work for `CONFIG_SHELL' due to +an Autoconf bug. Until the bug is fixed you can use this workaround: + + CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash + `configure' Invocation ====================== - `configure' recognizes the following options to control how it -operates. +`configure' recognizes the following options to control how it operates. `--help' `-h' diff --git a/extra/yassl/README b/extra/yassl/README index 6c4d101efc0..0ca656bb932 100644 --- a/extra/yassl/README +++ b/extra/yassl/README @@ -1,3 +1,121 @@ +*** Note, Please read *** + +yaSSL takes a different approach to certificate verification than OpenSSL does. +The default policy for the client is to verify the server, this means that if +you don't load CAs to verify the server you'll get a connect error, unable to +verify. It you want to mimic OpenSSL behavior of not verifying the server and +reducing security you can do this by calling: + +SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); + +before calling SSL_new(); + +*** end Note *** + +yaSSL Release notes, version 2.1.2 (9/2/2011) + + This release of yaSSL contains bug fixes, better non-blocking support with + SSL_write, and OpenSSL RSA public key format support. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.9.9 (1/26/2010) +yaSSL Release notes, version 2.0.0 (7/6/2010) + + This release of yaSSL contains bug fixes, new testing certs, + and a security patch for a potential heap overflow on forged application + data processing. Vulnerability discovered by Matthieu Bonetti from VUPEN + Security http://www.vupen.com. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.9.9 (1/26/2010) + + This release of yaSSL contains bug fixes, the removal of assert() s and + a security patch for a buffer overflow possibility in certificate name + processing. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.9.8 (10/14/09) + + This release of yaSSL contains bug fixes and adds new stream ciphers + Rabbit and HC-128 + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.9.6 (11/13/08) + + This release of yaSSL contains bug fixes, adds autconf shared library + support and has better server suite detection based on certficate and + private key. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.9.2 (9/24/08) + + This release of yaSSL contains bug fixes and improved certificate verify + callback support. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.8.8 (5/7/08) + + This release of yaSSL contains bug fixes, and better socket handling. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.8.6 (1/31/08) + + This release of yaSSL contains bug fixes, and fixes security problems + associated with using SSL 2.0 client hellos and improper input handling. + Please upgrade to this version if you are using a previous one. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.7.5 (10/15/07) + + This release of yaSSL contains bug fixes, adds MSVC 2005 project support, + GCC 4.2 support, IPV6 support and test, and new test certificates. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.7.2 (8/20/07) + + This release of yaSSL contains bug fixes and adds initial OpenVPN support. + Just configure at this point and beginning of build. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + +*****************yaSSL Release notes, version 1.6.8 (4/16/07) + + This release of yaSSL contains bug fixes and adds SHA-256, SHA-512, SHA-224, + and SHA-384. + +See normal build instructions below under 1.0.6. +See libcurl build instructions below under 1.3.0 and note in 1.5.8. + + *****************yaSSL Release notes, version 1.6.0 (2/22/07) This release of yaSSL contains bug fixes, portability enhancements, and @@ -13,7 +131,7 @@ See libcurl build instructions below under 1.3.0 and note in 1.5.8. - Since yaSSL now supports zlib, as does libcur, the libcurl build test can + Since yaSSL now supports zlib, as does libcurl, the libcurl build test can fail if yaSSL is built with zlib support since the zlib library isn't passed. You can do two things to fix this: @@ -518,7 +636,7 @@ in the source and include files. ********************* Contact: please send comments or questions to Todd A Ouska at todd@yassl.com -and/or Larry Stefonic at larry@yassl.com or 425-741-6858. +and/or Larry Stefonic at larry@yassl.com. diff --git a/extra/yassl/certs/ca-cert.pem b/extra/yassl/certs/ca-cert.pem index e353d118712..6a0cf898e53 100644 --- a/extra/yassl/certs/ca-cert.pem +++ b/extra/yassl/certs/ca-cert.pem @@ -1,53 +1,56 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 0 (0x0) + Serial Number: + 8a:37:22:65:73:f5:aa:e8 Signature Algorithm: md5WithRSAEncryption - Issuer: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Issuer: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com Validity - Not Before: Mar 7 03:10:11 2005 GMT - Not After : Apr 1 03:10:11 2046 GMT - Subject: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Not Before: Jun 30 18:47:10 2010 GMT + Not After : Mar 26 18:47:10 2013 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): - 00:ef:c1:e3:9a:3c:6e:6e:cb:26:6f:05:be:e0:cb: - 57:a0:4b:68:e6:1b:f9:95:db:01:92:aa:6e:a6:b5: - 2d:b1:2b:50:fd:db:13:f2:c5:d8:b8:4f:75:28:53: - 72:e8:e5:11:9d:bb:c3:4f:4f:09:fd:4c:e7:46:d5: - 1d:bb:35:02:af + 00:97:30:b9:1a:92:ef:25:4f:ca:4c:11:31:95:1a: + e1:c0:10:19:0a:20:b9:37:80:1a:57:38:02:4e:1b: + c5:0f:28:4f:da:e3:c9:16:aa:50:bd:4a:fb:b7:71: + c7:35:cc:63:81:c1:dd:9d:33:f9:38:16:88:32:a0: + aa:56:23:03:a3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: - 1D:EF:A1:B8:81:78:12:47:E8:57:06:08:74:18:F7:D3:AA:D8:F7:BD + 3B:66:FD:A0:40:C6:F4:E2:70:CF:21:1A:0C:4F:67:FE:B7:4B:42:09 X509v3 Authority Key Identifier: - keyid:1D:EF:A1:B8:81:78:12:47:E8:57:06:08:74:18:F7:D3:AA:D8:F7:BD - DirName:/C=US/ST=Oregon/L=Portland/O=sawtooth/CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com - serial:00 + keyid:3B:66:FD:A0:40:C6:F4:E2:70:CF:21:1A:0C:4F:67:FE:B7:4B:42:09 + DirName:/C=US/ST=Montana/L=Bozeman/O=sawtooth/OU=consulting/CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + serial:8A:37:22:65:73:F5:AA:E8 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5WithRSAEncryption - d9:77:e3:07:d9:2e:ec:2f:9b:8e:9e:ca:b4:00:0b:ef:c7:74: - cb:f4:f6:44:2f:02:75:17:a5:74:3e:26:b2:26:fd:1f:ab:3a: - df:d5:e3:05:14:08:d0:8c:1d:c9:3e:e1:59:6f:b3:38:5d:af: - 78:60:e3:c5:6a:69:96:80:7d:00 + 32:65:a2:b1:dc:6d:e0:8d:8b:c8:58:29:8e:b8:18:4b:62:88: + 13:67:f8:6c:75:46:75:8f:8a:19:a6:a3:d5:3c:fc:57:4e:7a: + 68:a9:fc:93:dc:ae:29:7d:bb:4e:ec:ea:55:fa:a4:e3:00:61: + f4:b0:34:6d:d1:d5:a4:64:24:f8 -----BEGIN CERTIFICATE----- -MIIC7zCCApmgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCVVMx -DzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxETAPBgNVBAoTCHNh -d3Rvb3RoMSQwIgYDVQQDExt3d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAb -BgkqhkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMB4XDTA1MDMwNzAzMTAxMVoXDTQ2 -MDQwMTAzMTAxMVowgYkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24xETAP -BgNVBAcTCFBvcnRsYW5kMREwDwYDVQQKEwhzYXd0b290aDEkMCIGA1UEAxMbd3d3 -LnNhd3Rvb3RoLWNvbnN1bHRpbmcuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlh -c3NsLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDvweOaPG5uyyZvBb7gy1eg -S2jmG/mV2wGSqm6mtS2xK1D92xPyxdi4T3UoU3Lo5RGdu8NPTwn9TOdG1R27NQKv -AgMBAAGjgekwgeYwHQYDVR0OBBYEFB3vobiBeBJH6FcGCHQY99Oq2Pe9MIG2BgNV -HSMEga4wgauAFB3vobiBeBJH6FcGCHQY99Oq2Pe9oYGPpIGMMIGJMQswCQYDVQQG -EwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDERMA8GA1UE -ChMIc2F3dG9vdGgxJDAiBgNVBAMTG3d3dy5zYXd0b290aC1jb25zdWx0aW5nLmNv -bTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb22CAQAwDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQQFAANBANl34wfZLuwvm46eyrQAC+/HdMv09kQvAnUXpXQ+ -JrIm/R+rOt/V4wUUCNCMHck+4Vlvszhdr3hg48VqaZaAfQA= +MIIDQDCCAuqgAwIBAgIJAIo3ImVz9aroMA0GCSqGSIb3DQEBBAUAMIGeMQswCQYD +VQQGEwJVUzEQMA4GA1UECBMHTW9udGFuYTEQMA4GA1UEBxMHQm96ZW1hbjERMA8G +A1UEChMIc2F3dG9vdGgxEzARBgNVBAsTCmNvbnN1bHRpbmcxJDAiBgNVBAMTG3d3 +dy5zYXd0b290aC1jb25zdWx0aW5nLmNvbTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5 +YXNzbC5jb20wHhcNMTAwNjMwMTg0NzEwWhcNMTMwMzI2MTg0NzEwWjCBnjELMAkG +A1UEBhMCVVMxEDAOBgNVBAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAP +BgNVBAoTCHNhd3Rvb3RoMRMwEQYDVQQLEwpjb25zdWx0aW5nMSQwIgYDVQQDExt3 +d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9A +eWFzc2wuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJcwuRqS7yVPykwRMZUa +4cAQGQoguTeAGlc4Ak4bxQ8oT9rjyRaqUL1K+7dxxzXMY4HB3Z0z+TgWiDKgqlYj +A6MCAwEAAaOCAQcwggEDMB0GA1UdDgQWBBQ7Zv2gQMb04nDPIRoMT2f+t0tCCTCB +0wYDVR0jBIHLMIHIgBQ7Zv2gQMb04nDPIRoMT2f+t0tCCaGBpKSBoTCBnjELMAkG +A1UEBhMCVVMxEDAOBgNVBAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAP +BgNVBAoTCHNhd3Rvb3RoMRMwEQYDVQQLEwpjb25zdWx0aW5nMSQwIgYDVQQDExt3 +d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9A +eWFzc2wuY29tggkAijciZXP1qugwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQF +AANBADJlorHcbeCNi8hYKY64GEtiiBNn+Gx1RnWPihmmo9U8/FdOemip/JPcril9 +u07s6lX6pOMAYfSwNG3R1aRkJPg= -----END CERTIFICATE----- diff --git a/extra/yassl/certs/ca-key.pem b/extra/yassl/certs/ca-key.pem new file mode 100644 index 00000000000..45d7b149857 --- /dev/null +++ b/extra/yassl/certs/ca-key.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOQIBAAJBAJcwuRqS7yVPykwRMZUa4cAQGQoguTeAGlc4Ak4bxQ8oT9rjyRaq +UL1K+7dxxzXMY4HB3Z0z+TgWiDKgqlYjA6MCAwEAAQJAEQ9TY7c+uuQU/J5YDO4a +mRR37tegbq3Kyxqrz+p8QuhqLDtVh13GaF7rVU70vyNHm+cgihUyzho/PViAkPBo +qQIhAMU8/RDhDLgL5BxID4sxKIVBtg+imFSbyKVyg7oQLUcXAiEAxDu94O45Cf4a +np9R0thumY/QqWpCkycWAB7fFEuaf1UCIEH+bg4/vqm2ENUFp23DPPOZUPlaRe3J +UhFJh5mx3/RxAiBq++8vfHFYg1Lb/BxOCXVy/zdRxf753ytdcXdJx1Y56QIgVgpN +FNfYJofQfWaP96sjlc0usrT28uceHx0QmHqolVc= +-----END RSA PRIVATE KEY----- diff --git a/extra/yassl/certs/client-cert.der b/extra/yassl/certs/client-cert.der index c2a75119e54275743b5dc77e1812756668f4a72d..9c2ef138bf6fc2630912ef6de6d3b6cf0301c25e 100644 GIT binary patch delta 430 zcmdnZ+Q+78(8SDV(8RQ30W%XL6B8%H(d#*aW*8YanlEU|?o!U}#}%X>1uK&TD9F zU~FUt;+hyl5o?O>WD`b-`n`c(B7d_aTX>8u{-_(xna=%Zi9|xC-_08p0o*SYVz0>- z$ndDlS8h6E#dvkP_@?5Vw)0y*K0TMgb90f9WzDBxCT2zk#>I`_3>rTh$O0WG%f}+d zA`8onY+3rTP|bJe|B%m|@@pPSMm~KL{`e#JrvA^Gud|Q+Qa84nc%j_+eHbdf4FMwtMEwo8{+90e$+E;Q#;t delta 344 zcmeBU+s&$I(8RPIh!YnuGchtTF)|qNvTg_UF*-vSGfP!agAgD-Wuh^HZzSi z?`&4gn)2+b+Ka+~O={gTa`vU0E^khs%Ja8OBlYSzp{99k42wALp0iTB>!!89wUCLK zk%4h><5h#kO9rw)hsg4=h_Q&QQ;qxOyEt0A{oY5duTBU4pWC`+twG}=ki0TW<1B;5 z=?xGyqG*a1)-0()cjv?|9p)xRhRN%g6dWQY*Gc=O&O7yShwcC4aiVPk(|hccj8^-V uE-z^Q^jm-ZKQ)b){#QY?)V-Vd8(NC0wDn4 zM18Ssb(*B)>6>jE5mfR!`GzLBxER$nNIt2t9S#B^0N5JSLP*YUd!+;PnLAD&B}QzU zvtajORva>HMXB6L-vS{3rWv#PasflN&Kx6LFRvqGNBFqb2*162BVmR%D6H;0sG5}K)h6h1P_ibA93DS) zveUC?l??rMC}q{o5`vxv0HO)q&N?RDMk=61aRLJY009C(Uk184Rd0i^Z|i@I0F5P| z_+>Hj#u7hK_5p7td@{iFghCjjIhmezk-#qJ#XQmN!M442X6iCPK*Q2QXb2!d0wDnJ zrUj&?pl(26QkX%QfJyK6z{X=~1daPKOUPe)Ie!@fApqMRVn$`uk+YNWH-En$5%y}m zTabyn=MDKKhQT%=JQ)HYW<@ijP*zMsfnlc0U00!+W-In delta 11 Scmey#_=|DEDMsFjr}P0I^#teu diff --git a/extra/yassl/certs/server-cert.pem b/extra/yassl/certs/server-cert.pem index 30608f5f65b..1ec53c02628 100644 --- a/extra/yassl/certs/server-cert.pem +++ b/extra/yassl/certs/server-cert.pem @@ -3,36 +3,37 @@ Certificate: Version: 1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption - Issuer: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Issuer: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com Validity - Not Before: Mar 8 03:00:47 2005 GMT - Not After : Apr 2 03:00:47 2046 GMT - Subject: C=US, ST=Oregon, L=Portland, O=taoSoftDev, CN=www.taosoftdev.com/emailAddress=info@yassl.com + Not Before: Jun 30 18:52:17 2010 GMT + Not After : Mar 26 18:52:17 2013 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=yaSSL, OU=support, CN=www.yassl.com/emailAddress=info@yassl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): - 00:a4:68:bb:bc:b7:27:5f:3c:f5:78:c6:1a:af:b9: - 95:fc:7e:61:1f:a8:81:0a:ca:43:88:9a:03:e0:d0: - a6:79:70:16:34:b9:7c:75:54:ca:70:19:66:38:be: - 6e:28:7e:a5:ff:6b:3c:83:2f:39:42:c3:15:f3:bd: - f2:25:93:22:e7 + 00:c6:7b:c0:68:81:2f:de:82:3f:f9:ac:c3:86:4a: + 66:b7:ec:d4:f1:f6:64:21:ff:f5:a2:34:42:d0:38: + 9f:c6:dd:3b:6e:26:65:6a:54:96:dd:d2:7b:eb:36: + a2:ae:7e:2a:9e:7e:56:a5:b6:87:9f:15:c7:18:66: + 7e:16:77:e2:a7 Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption - 36:72:12:3b:ac:e4:58:83:09:86:4f:71:2a:3a:0d:8a:05:27: - 75:f3:3e:62:4f:ab:b8:70:20:cd:ad:70:ab:91:11:68:f8:82: - 33:e2:78:85:a8:16:f5:66:bd:68:2c:5a:26:15:12:1e:6e:83: - c7:6d:62:b9:c3:ff:e1:86:e4:e6 + 58:a9:98:e7:16:52:4c:40:e7:e1:47:92:19:1b:3a:8f:97:6c: + 7b:b7:b0:cb:20:6d:ad:b5:d3:47:58:d8:e4:f2:3e:32:e9:ef: + 87:77:e5:54:36:f4:8d:50:8d:07:b4:77:45:ea:9d:a4:33:36: + 9b:0b:e0:74:58:11:c5:01:7b:4d -----BEGIN CERTIFICATE----- -MIIB9zCCAaECAQEwDQYJKoZIhvcNAQEEBQAwgYkxCzAJBgNVBAYTAlVTMQ8wDQYD -VQQIEwZPcmVnb24xETAPBgNVBAcTCFBvcnRsYW5kMREwDwYDVQQKEwhzYXd0b290 -aDEkMCIGA1UEAxMbd3d3LnNhd3Rvb3RoLWNvbnN1bHRpbmcuY29tMR0wGwYJKoZI -hvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0wNTAzMDgwMzAwNDdaFw00NjA0MDIw -MzAwNDdaMIGCMQswCQYDVQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQH -EwhQb3J0bGFuZDETMBEGA1UEChMKdGFvU29mdERldjEbMBkGA1UEAxMSd3d3LnRh -b3NvZnRkZXYuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTBcMA0G -CSqGSIb3DQEBAQUAA0sAMEgCQQCkaLu8tydfPPV4xhqvuZX8fmEfqIEKykOImgPg -0KZ5cBY0uXx1VMpwGWY4vm4ofqX/azyDLzlCwxXzvfIlkyLnAgMBAAEwDQYJKoZI -hvcNAQEEBQADQQA2chI7rORYgwmGT3EqOg2KBSd18z5iT6u4cCDNrXCrkRFo+IIz -4niFqBb1Zr1oLFomFRIeboPHbWK5w//hhuTm +MIICFDCCAb4CAQEwDQYJKoZIhvcNAQEEBQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYD +VQQIEwdNb250YW5hMRAwDgYDVQQHEwdCb3plbWFuMREwDwYDVQQKEwhzYXd0b290 +aDETMBEGA1UECxMKY29uc3VsdGluZzEkMCIGA1UEAxMbd3d3LnNhd3Rvb3RoLWNv +bnN1bHRpbmcuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0x +MDA2MzAxODUyMTdaFw0xMzAzMjYxODUyMTdaMIGKMQswCQYDVQQGEwJVUzEQMA4G +A1UECBMHTW9udGFuYTEQMA4GA1UEBxMHQm96ZW1hbjEOMAwGA1UEChMFeWFTU0wx +EDAOBgNVBAsTB3N1cHBvcnQxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkq +hkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB +AMZ7wGiBL96CP/msw4ZKZrfs1PH2ZCH/9aI0QtA4n8bdO24mZWpUlt3Se+s2oq5+ +Kp5+VqW2h58VxxhmfhZ34qcCAwEAATANBgkqhkiG9w0BAQQFAANBAFipmOcWUkxA +5+FHkhkbOo+XbHu3sMsgba2100dY2OTyPjLp74d35VQ29I1QjQe0d0XqnaQzNpsL +4HRYEcUBe00= -----END CERTIFICATE----- diff --git a/extra/yassl/certs/server-key.pem b/extra/yassl/certs/server-key.pem index d6055c4cfd8..154d661b1df 100644 --- a/extra/yassl/certs/server-key.pem +++ b/extra/yassl/certs/server-key.pem @@ -1,9 +1,9 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOQIBAAJBAKRou7y3J1889XjGGq+5lfx+YR+ogQrKQ4iaA+DQpnlwFjS5fHVU -ynAZZji+bih+pf9rPIMvOULDFfO98iWTIucCAwEAAQJABLVvMw931DV1vljGKORC -1HF2LKbx0zJJzt7CX6z6J54vcE79K3NYXdU6o7/j1WTtfD47tFG+4ljGvSYPmrCI -2QIhANfiY6is6JUJGGgeMxyWeQRPXfaE9Yrk6OhxHhpYf5CTAiEAwvWraeLPy/NE -B+0w80mh8tCv2tpuKaYMOG53XpYX3N0CIDy/Bj3rUZLGOWjqvoUXzjupPY5lgVYw -7Vyin87YAiUjAiAgM8X5em5KSMc+6+2+8bWfTtsNMjEqDfRMyepLpE0SvQIgTSYL -WWfcZoRUPDM9GEuQ40nifVNjobzvjTW4aYyHCEI= +MIIBOwIBAAJBAMZ7wGiBL96CP/msw4ZKZrfs1PH2ZCH/9aI0QtA4n8bdO24mZWpU +lt3Se+s2oq5+Kp5+VqW2h58VxxhmfhZ34qcCAwEAAQJBAJSbGxgjgV+rTZL2Ev58 +viN/IoB25cm/Bn4Heu7DNn2A2kpdGX2cCaf7rEQoIKCiHxvopvxOcd/7nLS/gNli +dCECIQD/cX/9fvB1Uajw0fmvwNON9+3P9uJSqpig90zL32pwjQIhAMbqee9TBMN4 +TxXbgWqA92PrCXe8WDZ3PwoJqdR6MRUDAiEAny+TDF1z6hiWiGTCDgXDkKBlwgjf +p5aKgR077XzwLu0CICVpWEGg1ZaF/CnaPP7w/pZ2UDOK4vRrfRnAM4bY7H5NAiBS +1eXJ/MCZ2uPfpl7XK2BU9P69KdKUk5WHxdRchVvcDg== -----END RSA PRIVATE KEY----- diff --git a/extra/yassl/certs/server-keyEnc.pem b/extra/yassl/certs/server-keyEnc.pem new file mode 100644 index 00000000000..d3500a1b647 --- /dev/null +++ b/extra/yassl/certs/server-keyEnc.pem @@ -0,0 +1,12 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-CBC,08132C1FFF5BC8CC + +gsvuAsGmB8AkR23M25w4E6wuywfBey1Jqh3g71gJcnsUYwynex9dvfAU0lTowOXh +sb7ld1KNjEMzrht9AC1IC0iE1rLqvRQZOdJ7h3n7aHZQ4a/HjcwAhqJq0ZW45m6Q +mpoO5fRISjx2VbKFRUz6Xj2x0/do3IjQhpuUDVrTFFe1sEySM6APZ6CVpcnTOyPR +ADyLDKzOi2E+sj1UXs58pct56FaqTIZPUEflICU3k6q9FPU6gsYANRLfzegclkv4 +JAx6mKVSJuYnjCCppx8WBwGJa1J1GcYRJ3qFfdbUzL4bcXTvoFkJEnDkHsXgDUS6 +xmT0XGT3IMaW8cwQ8KD8m5YYI/L26Mas/w3eA2ekyMR8pYICjXp/YZtcKxxkQSVE +Uv/+D+20KbNAHIW5Mrxf61cX/CggGEbVP8ZhDY1flh8= +-----END RSA PRIVATE KEY----- diff --git a/extra/yassl/certs/taoCert.txt b/extra/yassl/certs/taoCert.txt index 585293e4f2b..f1132c0b5b8 100644 --- a/extra/yassl/certs/taoCert.txt +++ b/extra/yassl/certs/taoCert.txt @@ -47,4 +47,16 @@ to convert rsa private PEM to DER : b) openssl rsa -in key.pem -outform DER -out key.der +**** To encrypt rsa key already in pem ********** + +a) openssl rsa server-keyEnc.pem + +note location of des, pass = yassl123 + + +*** To make a public key from a private key ****** + + +openssl rsa -in 1024rsa.priv -pubout -out 1024rsa.pub + diff --git a/extra/yassl/examples/client/client.cpp b/extra/yassl/examples/client/client.cpp index a80a8c2f1a2..d05c31d4d63 100644 --- a/extra/yassl/examples/client/client.cpp +++ b/extra/yassl/examples/client/client.cpp @@ -36,15 +36,20 @@ void ClientError(SSL_CTX* ctx, SSL* ssl, SOCKET_T& sockfd, const char* msg) void NonBlockingSSL_Connect(SSL* ssl, SSL_CTX* ctx, SOCKET_T& sockfd) { int ret = SSL_connect(ssl); - while (ret =! SSL_SUCCESS && SSL_get_error(ssl, 0) == - SSL_ERROR_WANT_READ) { - printf("... client would block\n"); + int err = SSL_get_error(ssl, 0); + while (ret != SSL_SUCCESS && (err == SSL_ERROR_WANT_READ || + err == SSL_ERROR_WANT_WRITE)) { + if (err == SSL_ERROR_WANT_READ) + printf("... client would read block\n"); + else + printf("... client would write block\n"); #ifdef _WIN32 Sleep(1000); #else sleep(1); #endif ret = SSL_connect(ssl); + err = SSL_get_error(ssl, 0); } if (ret != SSL_SUCCESS) ClientError(ctx, ssl, sockfd, "SSL_connect failed"); @@ -81,7 +86,8 @@ void client_test(void* args) #ifdef NON_BLOCKING NonBlockingSSL_Connect(ssl, ctx, sockfd); #else - if (SSL_connect(ssl) != SSL_SUCCESS) + // if you get an error here see note at top of README + if (SSL_connect(ssl) != SSL_SUCCESS) ClientError(ctx, ssl, sockfd, "SSL_connect failed"); #endif showPeer(ssl); @@ -105,7 +111,7 @@ void client_test(void* args) int input = SSL_read(ssl, reply, sizeof(reply)); if (input > 0) { reply[input] = 0; - printf("Server response: %s\n", reply); + printf("Server response: %s\n", reply); } #ifdef TEST_RESUME @@ -121,18 +127,18 @@ void client_test(void* args) tcp_connect(sockfd); SSL_set_fd(sslResume, sockfd); SSL_set_session(sslResume, session); - + if (SSL_connect(sslResume) != SSL_SUCCESS) ClientError(ctx, sslResume, sockfd, "SSL_resume failed"); showPeer(sslResume); - + if (SSL_write(sslResume, msg, sizeof(msg)) != sizeof(msg)) ClientError(ctx, sslResume, sockfd, "SSL_write failed"); input = SSL_read(sslResume, reply, sizeof(reply)); if (input > 0) { reply[input] = 0; - printf("Server response: %s\n", reply); + printf("Server response: %s\n", reply); } SSL_shutdown(sslResume); diff --git a/extra/yassl/examples/echoclient/echoclient.cpp b/extra/yassl/examples/echoclient/echoclient.cpp index 787e554f8bf..c2b8ff66ac9 100644 --- a/extra/yassl/examples/echoclient/echoclient.cpp +++ b/extra/yassl/examples/echoclient/echoclient.cpp @@ -74,10 +74,10 @@ void echoclient_test(void* args) char send[1024]; char reply[1024]; - + while (fgets(send, sizeof(send), fin)) { - int sendSz = strlen(send) + 1; + int sendSz = (int)strlen(send) + 1; if (SSL_write(ssl, send, sendSz) != sendSz) EchoClientError(ctx, ssl, sockfd, "SSL_write failed"); @@ -86,7 +86,7 @@ void echoclient_test(void* args) break; } - if (SSL_read(ssl, reply, sizeof(reply)) > 0) + if (SSL_read(ssl, reply, sizeof(reply)) > 0) fputs(reply, fout); } diff --git a/extra/yassl/examples/echoserver/echoserver.cpp b/extra/yassl/examples/echoserver/echoserver.cpp index a3ba8c12c60..bd044e70e8b 100644 --- a/extra/yassl/examples/echoserver/echoserver.cpp +++ b/extra/yassl/examples/echoserver/echoserver.cpp @@ -93,11 +93,11 @@ THREAD_RETURN YASSL_API echoserver_test(void* args) #endif while (!shutdown) { - sockaddr_in client; + SOCKADDR_IN_T client; socklen_t client_len = sizeof(client); SOCKET_T clientfd = accept(sockfd, (sockaddr*)&client, (ACCEPT_THIRD_T)&client_len); - if (clientfd == -1) { + if (clientfd == (SOCKET_T) -1) { SSL_CTX_free(ctx); tcp_close(sockfd); err_sys("tcp accept failed"); @@ -111,11 +111,11 @@ THREAD_RETURN YASSL_API echoserver_test(void* args) tcp_close(clientfd); continue; } - + char command[1024]; int echoSz(0); while ( (echoSz = SSL_read(ssl, command, sizeof(command))) > 0) { - + if ( strncmp(command, "quit", 4) == 0) { printf("client sent quit command: shutting down!\n"); shutdown = true; @@ -127,7 +127,7 @@ THREAD_RETURN YASSL_API echoserver_test(void* args) char header[] = "\n
\n";
                 char body[]   = "greetings from yaSSL\n";
                 char footer[] = "\r\n\r\n";
-            
+
                 strncpy(command, type, sizeof(type));
                 echoSz = sizeof(type) - 1;
 
@@ -140,7 +140,7 @@ THREAD_RETURN YASSL_API echoserver_test(void* args)
 
                 if (SSL_write(ssl, command, echoSz) != echoSz)
                     EchoError(ctx, ssl, sockfd, clientfd, "SSL_write failed");
-
+               
                 break;
             }
             command[echoSz] = 0;
diff --git a/extra/yassl/examples/server/server.cpp b/extra/yassl/examples/server/server.cpp
index 8b8066eace5..3fac40e88c4 100644
--- a/extra/yassl/examples/server/server.cpp
+++ b/extra/yassl/examples/server/server.cpp
@@ -35,15 +35,20 @@ void ServerError(SSL_CTX* ctx, SSL* ssl, SOCKET_T& sockfd, const char* msg)
     void NonBlockingSSL_Accept(SSL* ssl, SSL_CTX* ctx, SOCKET_T& clientfd)
     {
         int ret = SSL_accept(ssl);
-        while (ret != SSL_SUCCESS && SSL_get_error(ssl, 0) ==
-                                     SSL_ERROR_WANT_READ) {
-            printf("... server would block\n");
+        int err = SSL_get_error(ssl, 0);
+        while (ret != SSL_SUCCESS && (err == SSL_ERROR_WANT_READ ||
+                                      err == SSL_ERROR_WANT_WRITE)) {
+            if (err == SSL_ERROR_WANT_READ)
+                printf("... server would read block\n");
+            else
+                printf("... server would write block\n");
             #ifdef _WIN32
                 Sleep(1000);
             #else
                 sleep(1);
             #endif
             ret = SSL_accept(ssl);
+            err = SSL_get_error(ssl, 0);
         }
         if (ret != SSL_SUCCESS)
             ServerError(ctx, ssl, clientfd, "SSL_accept failed");
@@ -78,14 +83,14 @@ THREAD_RETURN YASSL_API server_test(void* args)
 
     SSL* ssl = SSL_new(ctx);
     SSL_set_fd(ssl, clientfd);
-   
+
 #ifdef NON_BLOCKING
     NonBlockingSSL_Accept(ssl, ctx, clientfd);
 #else
     if (SSL_accept(ssl) != SSL_SUCCESS)
         ServerError(ctx, ssl, clientfd, "SSL_accept failed");
 #endif
-
+     
     showPeer(ssl);
     printf("Using Cipher Suite: %s\n", SSL_get_cipher(ssl));
 
@@ -93,7 +98,7 @@ THREAD_RETURN YASSL_API server_test(void* args)
     int input = SSL_read(ssl, command, sizeof(command));
     if (input > 0) {
         command[input] = 0;
-    printf("First client command: %s\n", command);
+        printf("First client command: %s\n", command);
     }
 
     char msg[] = "I hear you, fa shizzle!";
diff --git a/extra/yassl/include/buffer.hpp b/extra/yassl/include/buffer.hpp
index a51bca9a630..2d7817a7ca2 100644
--- a/extra/yassl/include/buffer.hpp
+++ b/extra/yassl/include/buffer.hpp
@@ -46,12 +46,6 @@ typedef unsigned int  uint;
 const uint AUTO = 0xFEEDBEEF;
 
 
-// Checking Policy should implement a check function that tests whether the
-// index is within the size limit of the array
-struct Check {
-    void check(uint i, uint limit);
-};
-
 
 struct NoCheck {
     void check(uint, uint);
@@ -66,7 +60,7 @@ struct NoCheck {
  * write to the buffer bulk wise and have the correct size
  */
 
-class input_buffer : public Check {
+class input_buffer : public NoCheck {
     uint   size_;                // number of elements in buffer
     uint   current_;             // current offset position in buffer
     byte*  buffer_;              // storage for buffer
@@ -132,7 +126,7 @@ private:
  * Not using vector because need checked []access and the ability to
  * write to the buffer bulk wise and retain correct size
  */
-class output_buffer : public Check {
+class output_buffer : public NoCheck {
     uint    current_;                // current offset and elements in buffer
     byte*   buffer_;                 // storage for buffer
     byte*   end_;                    // end of storage marker
diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h
index ba5fa51f34c..0ae54f070bd 100644
--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
@@ -30,12 +30,12 @@
 #include "prefix_ssl.h"
 #endif
 
-#include    /* ERR_print fp */
+#include     /* ERR_print fp */
 #include "opensslv.h" /* for version number */
 #include "rsa.h"
 
 
-#define YASSL_VERSION "1.7.2"
+#define YASSL_VERSION "2.1.4"
 
 
 #if defined(__cplusplus)
@@ -43,9 +43,9 @@ extern "C" {
 #endif
 
  void yaSSL_CleanUp();   /* call once at end of application use to
-                                      free static singleton memory holders,
-                                      not a leak per se, but helpful when 
-                                      looking for them                      */
+                            free static singleton memory holders,
+                            not a leak per se, but helpful when
+                            looking for them                      */
 
 #if defined(__cplusplus)
 } // extern
@@ -70,11 +70,11 @@ extern "C" {
     class X509;
     class X509_NAME;
 #else
-    typedef struct SSL         SSL;          
+    typedef struct SSL          SSL;          
     typedef struct SSL_SESSION  SSL_SESSION;
-    typedef struct SSL_METHOD  SSL_METHOD;
-    typedef struct SSL_CTX     SSL_CTX;
-    typedef struct SSL_CIPHER  SSL_CIPHER;
+    typedef struct SSL_METHOD   SSL_METHOD;
+    typedef struct SSL_CTX      SSL_CTX;
+    typedef struct SSL_CIPHER   SSL_CIPHER;
 
     typedef struct RSA RSA;
 
@@ -107,6 +107,15 @@ RSA* RSA_generate_key(int, unsigned long, void(*)(int, int, void*), void*);
 
 /* X509 stuff, different file? */
 
+/* because mySQL dereferences to use error and current_cert, even after calling
+ * get functions for local references */
+typedef struct X509_STORE_CTX {
+    int   error;
+    int   error_depth;
+    X509* current_cert;
+} X509_STORE_CTX;
+
+
 typedef struct X509_STORE         X509_STORE;
 typedef struct X509_LOOKUP        X509_LOOKUP;
 typedef struct X509_OBJECT { char c; } X509_OBJECT;
@@ -125,16 +134,6 @@ typedef struct BIO BIO;
 
 
 
-/* because mySQL dereferences to use error and current_cert, even after calling
- * get functions for local references */
-typedef struct X509_STORE_CTX {
-    int   error;
-    int   error_depth;
-    X509* current_cert;
-} X509_STORE_CTX;
-
-
-
 X509* X509_STORE_CTX_get_current_cert(X509_STORE_CTX*);
 int   X509_STORE_CTX_get_error(X509_STORE_CTX*);
 int   X509_STORE_CTX_get_error_depth(X509_STORE_CTX*);
@@ -205,7 +204,7 @@ SSL* SSL_new(SSL_CTX*);
 int  SSL_set_fd (SSL*, YASSL_SOCKET_T);
 YASSL_SOCKET_T SSL_get_fd(const SSL*);
 int  SSL_connect(SSL*);                    /* if you get an error from connect
-                                              see note at top of REAMDE */
+                                              see note at top of README       */
 int  SSL_write(SSL*, const void*, int);
 int  SSL_read(SSL*, void*, int);
 int  SSL_accept(SSL*);
@@ -351,11 +350,11 @@ enum { /* ssl Constants */
     SSL_ERROR_ZERO_RETURN      = 84,
     SSL_ERROR_SSL              = 85,
 
-    SSL_SENT_SHUTDOWN     = 90,
-    SSL_RECEIVED_SHUTDOWN = 91,
+    SSL_ST_CONNECT        = 90,
+    SSL_ST_ACCEPT         = 91,
     SSL_CB_LOOP           = 92,
-    SSL_ST_CONNECT        = 93,
-    SSL_ST_ACCEPT         = 94,
+    SSL_SENT_SHUTDOWN     = 93,
+    SSL_RECEIVED_SHUTDOWN = 94,
     SSL_CB_ALERT          = 95,
     SSL_CB_READ           = 96,
     SSL_CB_HANDSHAKE_DONE = 97
@@ -366,7 +365,7 @@ enum { /* ssl Constants */
 SSL_METHOD *SSLv3_method(void);
 SSL_METHOD *SSLv3_server_method(void);
 SSL_METHOD *SSLv3_client_method(void);
-SSL_METHOD *TLSv1_server_method(void);  
+SSL_METHOD *TLSv1_server_method(void);
 SSL_METHOD *TLSv1_client_method(void);
 SSL_METHOD *TLSv1_1_server_method(void);
 SSL_METHOD *TLSv1_1_client_method(void);
diff --git a/extra/yassl/include/socket_wrapper.hpp b/extra/yassl/include/socket_wrapper.hpp
index 308704c2af0..2372e64e56c 100644
--- a/extra/yassl/include/socket_wrapper.hpp
+++ b/extra/yassl/include/socket_wrapper.hpp
@@ -26,7 +26,6 @@
 #ifndef yaSSL_SOCKET_WRAPPER_HPP
 #define yaSSL_SOCKET_WRAPPER_HPP
 
-#include 
 
 #ifdef _WIN32
     #include 
@@ -73,7 +72,8 @@ public:
     uint     get_ready() const;
     socket_t get_fd()    const;
 
-    uint send(const byte* buf, unsigned int len, int flags = 0) const;
+    uint send(const byte* buf, unsigned int len, unsigned int& sent,
+              int flags = 0);
     uint receive(byte* buf, unsigned int len, int flags = 0);
 
     bool wait();
diff --git a/extra/yassl/include/yassl_int.hpp b/extra/yassl/include/yassl_int.hpp
index 433649c545b..686e958d7e1 100644
--- a/extra/yassl/include/yassl_int.hpp
+++ b/extra/yassl/include/yassl_int.hpp
@@ -168,7 +168,7 @@ private:
 
 // openSSL X509 names
 class X509_NAME {
-    char* name_;
+    char*       name_;
     size_t      sz_;
     ASN1_STRING entry_;
 public:
@@ -246,11 +246,11 @@ public:
     SSL_SESSION(const SSL&, RandomPool&);
     ~SSL_SESSION();
 
-    const opaque* GetID()      const;
-    const opaque* GetSecret()  const;
-    const Cipher* GetSuite()   const;
-          uint    GetBornOn()  const;
-          uint    GetTimeOut() const;
+    const opaque* GetID()       const;
+    const opaque* GetSecret()   const;
+    const Cipher* GetSuite()    const;
+          uint    GetBornOn()   const;
+          uint    GetTimeOut()  const;
           X509*   GetPeerX509() const;
           void    SetTimeOut(uint);
 
@@ -417,33 +417,33 @@ class SSL_CTX {
 public:
     typedef STL::list CertList;
 private:
-    SSL_METHOD* method_;
-    x509*       certificate_;
-    x509*       privateKey_;
-    CertList    caList_;
-    Ciphers     ciphers_;
-    DH_Parms    dhParms_;
+    SSL_METHOD*     method_;
+    x509*           certificate_;
+    x509*           privateKey_;
+    CertList        caList_;
+    Ciphers         ciphers_;
+    DH_Parms        dhParms_;
     pem_password_cb passwordCb_;
     void*           userData_;
     bool            sessionCacheOff_;
     bool            sessionCacheFlushOff_;
-    Stats       stats_;
-    Mutex       mutex_;         // for Stats
+    Stats           stats_;
+    Mutex           mutex_;         // for Stats
     VerifyCallback  verifyCallback_;
 public:
     explicit SSL_CTX(SSL_METHOD* meth);
     ~SSL_CTX();
 
-    const x509*       getCert()     const;
-    const x509*       getKey()      const;
-    const SSL_METHOD* getMethod()   const;
-    const Ciphers&    GetCiphers()  const;
-    const DH_Parms&   GetDH_Parms() const;
-    const Stats&      GetStats()    const;
-    VerifyCallback    getVerifyCallback() const;
+    const x509*       getCert()       const;
+    const x509*       getKey()        const;
+    const SSL_METHOD* getMethod()     const;
+    const Ciphers&    GetCiphers()    const;
+    const DH_Parms&   GetDH_Parms()   const;
+    const Stats&      GetStats()      const;
+    const VerifyCallback getVerifyCallback() const;
     pem_password_cb   GetPasswordCb() const;
           void*       GetUserData()   const;
-          bool        GetSessionCacheOff() const;
+          bool        GetSessionCacheOff()      const;
           bool        GetSessionCacheFlushOff() const;
 
     void setVerifyPeer();
@@ -532,10 +532,13 @@ class Buffers {
 public: 
     typedef STL::list  inputList;
     typedef STL::list outputList;
+    int prevSent;     // previous plain text bytes sent when got WANT_WRITE
+    int plainSz;      // plain text bytes in buffer to send when got WANT_WRITE 
 private:
-    inputList  dataList_;                // list of users app data / handshake
-    outputList handShakeList_;           // buffered handshake msgs
-    input_buffer* rawInput_;             // buffered raw input yet to process
+    inputList      dataList_;             // list of users app data / handshake
+    outputList     handShakeList_;        // buffered handshake msgs
+    input_buffer*  rawInput_;             // buffered raw input yet to process
+    output_buffer* output_;               // WANT_WRITE buffered output 
 public:
     Buffers();
     ~Buffers();
@@ -546,11 +549,13 @@ public:
     inputList&  useData();
     outputList& useHandShake();
 
-    void          SetRawInput(input_buffer*);  // takes ownership
-    input_buffer* TakeRawInput();              // takes ownership 
+    void           SetRawInput(input_buffer*);  // takes ownership
+    input_buffer*  TakeRawInput();              // takes ownership 
+    void           SetOutput(output_buffer*);   // takes ownership
+    output_buffer* TakeOutput();                // takes ownership 
 private:
     Buffers(const Buffers&);             // hide copy
-    Buffers& operator=(const Buffers&); // and assign   
+    Buffers& operator=(const Buffers&);  // and assign   
 };
 
 
@@ -652,6 +657,7 @@ public:
     void deriveKeys();
     void deriveTLSKeys();
     void Send(const byte*, uint);
+    void SendWriteBuffered();
 
     uint bufferedData();
     uint get_SEQIncrement(bool);
diff --git a/extra/yassl/include/yassl_types.hpp b/extra/yassl/include/yassl_types.hpp
index c73a54a7c15..a9e22833eb1 100644
--- a/extra/yassl/include/yassl_types.hpp
+++ b/extra/yassl/include/yassl_types.hpp
@@ -26,7 +26,6 @@
 #define yaSSL_TYPES_HPP
 
 #include 
-#include 
 #include "type_traits.hpp"
 
 
@@ -37,6 +36,13 @@
 #endif
 
 
+#ifdef _MSC_VER
+    // disable conversion warning
+    // 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy
+    #pragma warning(disable:4244 4996)
+#endif
+
+
 namespace yaSSL {
 
 #define YASSL_LIB
@@ -63,29 +69,29 @@ namespace yaSSL {
     template
     void ysDelete(T* ptr)
     {
-    if (ptr) ptr->~T();
-    ::operator delete(ptr, yaSSL::ys);
+        if (ptr) ptr->~T();
+        ::operator delete(ptr, yaSSL::ys);
     }
 
     template
     void ysArrayDelete(T* ptr)
     {
-    // can't do array placement destruction since not tracking size in
-    // allocation, only allow builtins to use array placement since they
-    // don't need destructors called
-    typedef char builtin[TaoCrypt::IsFundamentalType::Yes ? 1 : -1];
-    (void)sizeof(builtin);
+        // can't do array placement destruction since not tracking size in
+        // allocation, only allow builtins to use array placement since they
+        // don't need destructors called
+        typedef char builtin[TaoCrypt::IsFundamentalType::Yes ? 1 : -1];
+        (void)sizeof(builtin);
 
-    ::operator delete[](ptr, yaSSL::ys);
+        ::operator delete[](ptr, yaSSL::ys);
     }
 
     #define NEW_YS new (yaSSL::ys)
 
     // to resolve compiler generated operator delete on base classes with
-    // virtual destructors (when on stack), make sure doesn't get called
+    // virtual destructors (when on stack)
     class virtual_base {
     public:
-    static void operator delete(void*) { assert(0); }
+        static void operator delete(void*) { }
     };
 
 
@@ -124,7 +130,7 @@ typedef opaque byte;
 
 typedef unsigned int uint;
 
- 
+
 #ifdef USE_SYS_STL
     // use system STL
     #define STL_VECTOR_FILE    
diff --git a/extra/yassl/src/buffer.cpp b/extra/yassl/src/buffer.cpp
index 86c1bcf3388..f8174098249 100644
--- a/extra/yassl/src/buffer.cpp
+++ b/extra/yassl/src/buffer.cpp
@@ -32,14 +32,6 @@ namespace yaSSL {
 
 
 
-// Checking Policy should implement a check function that tests whether the
-// index is within the size limit of the array
-
-void Check::check(uint i, uint limit) 
-{ 
-    assert(i < limit);
-}
-
 
 void NoCheck::check(uint, uint) 
 {
@@ -83,7 +75,6 @@ input_buffer::~input_buffer()
 // users can pass defualt zero length buffer and then allocate
 void input_buffer::allocate(uint s) 
 { 
-    assert(!buffer_);       // find realloc error
     buffer_ = NEW_YS byte[s];
     end_ = buffer_ + s; 
 }
@@ -141,7 +132,6 @@ void input_buffer::set_current(uint i)
 // user passes in AUTO index for ease of use
 const byte& input_buffer::operator[](uint i) 
 {
-    assert (i == AUTO);
     check(current_, size_);
     return buffer_[current_++];
 }
@@ -238,7 +228,6 @@ void output_buffer::set_current(uint c)
 // users can pass defualt zero length buffer and then allocate
 void output_buffer::allocate(uint s) 
 { 
-    assert(!buffer_);   // find realloc error
     buffer_ = NEW_YS byte[s]; end_ = buffer_ + s; 
 }
 
@@ -254,7 +243,6 @@ const byte* output_buffer::get_buffer() const
 // user passes in AUTO as index for ease of use
 byte& output_buffer::operator[](uint i) 
 {
-    assert(i == AUTO);
     check(current_, get_capacity());
     return buffer_[current_++];
 }
diff --git a/extra/yassl/src/cert_wrapper.cpp b/extra/yassl/src/cert_wrapper.cpp
index d8660533f2e..7e73464001a 100644
--- a/extra/yassl/src/cert_wrapper.cpp
+++ b/extra/yassl/src/cert_wrapper.cpp
@@ -250,7 +250,8 @@ int CertManager::Validate()
         TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length());
         TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_);
 
-        if (int err = cert.GetError().What())
+        int err = cert.GetError().What();
+        if ( err )
             return err;
 
         const TaoCrypt::PublicKey& key = cert.GetPublicKey();
@@ -266,7 +267,7 @@ int CertManager::Validate()
         TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_);
 
         int err = cert.GetError().What();
-        if ( err )
+        if ( err && err != TaoCrypt::SIG_OTHER_E)
             return err;
 
         uint sz = cert.GetPublicKey().size();
@@ -327,7 +328,6 @@ int CertManager::SetPrivateKey(const x509& key)
 // Store OpenSSL type peer's cert
 void CertManager::setPeerX509(X509* x)
 {
-    assert(peerX509_ == 0);
     if (x == 0) return;
 
     X509_NAME* issuer   = x->GetIssuer();
diff --git a/extra/yassl/src/crypto_wrapper.cpp b/extra/yassl/src/crypto_wrapper.cpp
index e6168d4d69c..ccd43c442c9 100644
--- a/extra/yassl/src/crypto_wrapper.cpp
+++ b/extra/yassl/src/crypto_wrapper.cpp
@@ -955,7 +955,7 @@ x509* PemToDer(FILE* file, CertType type, EncryptedInfo* info)
             }
             // get blank line
             if (fgets(line, sizeof(line), file))
-              begin = ftell(file);
+            begin = ftell(file);
         }
           
     }
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
index 08fae4ac17d..c1ee61d043e 100644
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@@ -50,7 +50,7 @@ void buildClientHello(SSL& ssl, ClientHello& hello)
     hello.suite_len_ = ssl.getSecurity().get_parms().suites_size_;
     memcpy(hello.cipher_suites_, ssl.getSecurity().get_parms().suites_,
            hello.suite_len_);
-    hello.comp_len_ = 1;                   
+    hello.comp_len_ = 1;
 
     hello.set_length(sizeof(ProtocolVersion) +
                      RAN_LEN +
@@ -528,8 +528,9 @@ void ProcessOldClientHello(input_buffer& input, SSL& ssl)
     input.read(len, sizeof(len));
     uint16 randomLen;
     ato16(len, randomLen);
+
     if (ch.suite_len_ > MAX_SUITE_SZ || sessionLen > ID_LEN ||
-        randomLen > RAN_LEN) {
+                                        randomLen > RAN_LEN) {
         ssl.SetError(bad_input);
         return;
     }
@@ -707,7 +708,7 @@ int DoProcessReply(SSL& ssl)
 {
     // wait for input if blocking
     if (!ssl.useSocket().wait()) {
-      ssl.SetError(receive_error);
+        ssl.SetError(receive_error);
         return 0;
     }
     uint ready = ssl.getSocket().get_ready();
@@ -750,8 +751,8 @@ int DoProcessReply(SSL& ssl)
         if (static_cast(RECORD_HEADER) > buffer.get_remaining())
             needHdr = true;
         else {
-        buffer >> hdr;
-        ssl.verifyState(hdr);
+            buffer >> hdr;
+            ssl.verifyState(hdr);
         }
 
         // make sure we have enough input in buffer to process this record
@@ -789,9 +790,8 @@ int DoProcessReply(SSL& ssl)
 void processReply(SSL& ssl)
 {
     if (ssl.GetError()) return;
-
-    if (DoProcessReply(ssl))
-    {
+  
+    if (DoProcessReply(ssl)) {
         // didn't complete process
         if (!ssl.getSocket().IsNonBlocking()) {
             // keep trying now, blocking ok
@@ -857,6 +857,7 @@ void sendServerKeyExchange(SSL& ssl, BufferOutput buffer)
     if (ssl.GetError()) return;
     ServerKeyExchange sk(ssl);
     sk.build(ssl);
+    if (ssl.GetError()) return;
 
     RecordLayerHeader rlHeader;
     HandShakeHeader   hsHeader;
@@ -875,8 +876,7 @@ void sendServerKeyExchange(SSL& ssl, BufferOutput buffer)
 // send change cipher
 void sendChangeCipher(SSL& ssl, BufferOutput buffer)
 {
-    if (ssl.getSecurity().get_parms().entity_ == server_end)
-    {
+    if (ssl.getSecurity().get_parms().entity_ == server_end) {
         if (ssl.getSecurity().get_resuming())
             ssl.verifyState(clientKeyExchangeComplete);
         else
@@ -913,7 +913,7 @@ void sendFinished(SSL& ssl, ConnectionEnd side, BufferOutput buffer)
     }
     else {
         if (!ssl.getSecurity().GetContext()->GetSessionCacheOff())
-        GetSessions().add(ssl);  // store session
+            GetSessions().add(ssl);  // store session
         if (side == client_end)
             buildFinished(ssl, ssl.useHashes().use_verify(), server); // server
     }   
@@ -929,12 +929,22 @@ void sendFinished(SSL& ssl, ConnectionEnd side, BufferOutput buffer)
 // send data
 int sendData(SSL& ssl, const void* buffer, int sz)
 {
+    int sent = 0;
+
     if (ssl.GetError() == YasslError(SSL_ERROR_WANT_READ))
         ssl.SetError(no_error);
 
+    if (ssl.GetError() == YasslError(SSL_ERROR_WANT_WRITE)) {
+        ssl.SetError(no_error);
+        ssl.SendWriteBuffered();
+        if (!ssl.GetError()) {
+            // advance sent to prvevious sent + plain size just sent
+            sent = ssl.useBuffers().prevSent + ssl.useBuffers().plainSz;
+        }
+    }
+
     ssl.verfiyHandShakeComplete();
     if (ssl.GetError()) return -1;
-    int sent = 0;
 
     for (;;) {
         int len = min(sz - sent, MAX_RECORD_SIZE);
@@ -943,6 +953,8 @@ int sendData(SSL& ssl, const void* buffer, int sz)
 
         Data data;
 
+        if (sent == sz) break;
+
         if (ssl.CompressionOn()) {
             if (Compress(static_cast(buffer) + sent, len,
                          tmp) == -1) {
@@ -957,9 +969,14 @@ int sendData(SSL& ssl, const void* buffer, int sz)
         buildMessage(ssl, out, data);
         ssl.Send(out.get_buffer(), out.get_size());
 
-        if (ssl.GetError()) return -1;
+        if (ssl.GetError()) {
+            if (ssl.GetError() == YasslError(SSL_ERROR_WANT_WRITE)) {
+                ssl.useBuffers().plainSz  = len;
+                ssl.useBuffers().prevSent = sent;
+            }
+            return -1;
+        }
         sent += len;
-        if (sent == sz) break;
     }
     ssl.useLog().ShowData(sent, true);
     return sent;
@@ -992,7 +1009,7 @@ int receiveData(SSL& ssl, Data& data, bool peek)
     if (peek)
         ssl.PeekData(data);
     else
-    ssl.fillData(data);
+        ssl.fillData(data);
 
     ssl.useLog().ShowData(data.get_length());
     if (ssl.GetError()) return -1;
diff --git a/extra/yassl/src/make.bat b/extra/yassl/src/make.bat
old mode 100644
new mode 100755
diff --git a/extra/yassl/src/socket_wrapper.cpp b/extra/yassl/src/socket_wrapper.cpp
index 3cf6c14c4b3..d88df13c08e 100644
--- a/extra/yassl/src/socket_wrapper.cpp
+++ b/extra/yassl/src/socket_wrapper.cpp
@@ -109,19 +109,28 @@ uint Socket::get_ready() const
 }
 
 
-uint Socket::send(const byte* buf, unsigned int sz, int flags) const
+uint Socket::send(const byte* buf, unsigned int sz, unsigned int& written,
+                  int flags)
 {
     const byte* pos = buf;
     const byte* end = pos + sz;
 
+    wouldBlock_ = false;
+
     while (pos != end) {
         int sent = ::send(socket_, reinterpret_cast(pos),
                           static_cast(end - pos), flags);
-
-    if (sent == -1)
-        return 0;
-
+        if (sent == -1) {
+            if (get_lastError() == SOCKET_EWOULDBLOCK || 
+                get_lastError() == SOCKET_EAGAIN) {
+                wouldBlock_  = true; // would have blocked this time only
+                nonBlocking_ = true; // nonblocking, win32 only way to tell 
+                return 0;
+            }
+            return static_cast(-1);
+        }
         pos += sent;
+        written += sent;
     }
 
     return sz;
@@ -140,8 +149,8 @@ uint Socket::receive(byte* buf, unsigned int sz, int flags)
             get_lastError() == SOCKET_EAGAIN) {
             wouldBlock_  = true; // would have blocked this time only
             nonBlocking_ = true; // socket nonblocking, win32 only way to tell
-        return 0;
-    }
+            return 0;
+        }
     }
     else if (recvd == 0)
         return static_cast(-1);
diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp
index 67d2d428e51..00a3b885f88 100644
--- a/extra/yassl/src/ssl.cpp
+++ b/extra/yassl/src/ssl.cpp
@@ -252,60 +252,73 @@ int SSL_connect(SSL* ssl)
     if (ssl->GetError() == YasslError(SSL_ERROR_WANT_READ))
         ssl->SetError(no_error);
 
+    if (ssl->GetError() == YasslError(SSL_ERROR_WANT_WRITE)) {
+    
+        ssl->SetError(no_error);
+        ssl->SendWriteBuffered();
+        if (!ssl->GetError())
+            ssl->useStates().UseConnect() =
+                             ConnectState(ssl->getStates().GetConnect() + 1);
+    }
+
     ClientState neededState;
 
     switch (ssl->getStates().GetConnect()) {
 
     case CONNECT_BEGIN :
-    sendClientHello(*ssl);
+        sendClientHello(*ssl);
         if (!ssl->GetError())
             ssl->useStates().UseConnect() = CLIENT_HELLO_SENT;
 
     case CLIENT_HELLO_SENT :
         neededState = ssl->getSecurity().get_resuming() ?
-        serverFinishedComplete : serverHelloDoneComplete;
-    while (ssl->getStates().getClient() < neededState) {
-        if (ssl->GetError()) break;
-    processReply(*ssl);
-    }
+                      serverFinishedComplete : serverHelloDoneComplete;
+        while (ssl->getStates().getClient() < neededState) {
+            if (ssl->GetError()) break;
+            processReply(*ssl);
+            // if resumption failed, reset needed state 
+            if (neededState == serverFinishedComplete)
+                if (!ssl->getSecurity().get_resuming())
+                    neededState = serverHelloDoneComplete;
+        }
         if (!ssl->GetError())
             ssl->useStates().UseConnect() = FIRST_REPLY_DONE;
 
     case FIRST_REPLY_DONE :
-    if(ssl->getCrypto().get_certManager().sendVerify())
-        sendCertificate(*ssl);
+        if(ssl->getCrypto().get_certManager().sendVerify())
+            sendCertificate(*ssl);
 
-    if (!ssl->getSecurity().get_resuming())
-        sendClientKeyExchange(*ssl);
+        if (!ssl->getSecurity().get_resuming())
+            sendClientKeyExchange(*ssl);
 
-    if(ssl->getCrypto().get_certManager().sendVerify())
-        sendCertificateVerify(*ssl);
+        if(ssl->getCrypto().get_certManager().sendVerify())
+            sendCertificateVerify(*ssl);
 
-    sendChangeCipher(*ssl);
-    sendFinished(*ssl, client_end);
-    ssl->flushBuffer();
+        sendChangeCipher(*ssl);
+        sendFinished(*ssl, client_end);
+        ssl->flushBuffer();
 
         if (!ssl->GetError())
             ssl->useStates().UseConnect() = FINISHED_DONE;
 
     case FINISHED_DONE :
-    if (!ssl->getSecurity().get_resuming())
-        while (ssl->getStates().getClient() < serverFinishedComplete) {
-            if (ssl->GetError()) break;
-        processReply(*ssl);
-        }
+        if (!ssl->getSecurity().get_resuming())
+            while (ssl->getStates().getClient() < serverFinishedComplete) {
+                if (ssl->GetError()) break;
+                processReply(*ssl);
+            }
         if (!ssl->GetError())
             ssl->useStates().UseConnect() = SECOND_REPLY_DONE;
 
     case SECOND_REPLY_DONE :
-    ssl->verifyState(serverFinishedComplete);
-    ssl->useLog().ShowTCP(ssl->getSocket().get_fd());
+        ssl->verifyState(serverFinishedComplete);
+        ssl->useLog().ShowTCP(ssl->getSocket().get_fd());
 
         if (ssl->GetError()) {
             GetErrors().Add(ssl->GetError());
-        return SSL_FATAL_ERROR;
+            return SSL_FATAL_ERROR;
         }   
-    return SSL_SUCCESS;
+        return SSL_SUCCESS;
 
     default :
         return SSL_FATAL_ERROR; // unkown state
@@ -331,27 +344,36 @@ int SSL_accept(SSL* ssl)
     if (ssl->GetError() == YasslError(SSL_ERROR_WANT_READ))
         ssl->SetError(no_error);
 
+    if (ssl->GetError() == YasslError(SSL_ERROR_WANT_WRITE)) {
+    
+        ssl->SetError(no_error);
+        ssl->SendWriteBuffered();
+        if (!ssl->GetError())
+            ssl->useStates().UseAccept() =
+                             AcceptState(ssl->getStates().GetAccept() + 1);
+    }
+
     switch (ssl->getStates().GetAccept()) {
 
     case ACCEPT_BEGIN :
-    processReply(*ssl);
+        processReply(*ssl);
         if (!ssl->GetError())
             ssl->useStates().UseAccept() = ACCEPT_FIRST_REPLY_DONE;
 
     case ACCEPT_FIRST_REPLY_DONE :
-    sendServerHello(*ssl);
+        sendServerHello(*ssl);
 
-    if (!ssl->getSecurity().get_resuming()) {
-        sendCertificate(*ssl);
+        if (!ssl->getSecurity().get_resuming()) {
+            sendCertificate(*ssl);
 
-        if (ssl->getSecurity().get_connection().send_server_key_)
-            sendServerKeyExchange(*ssl);
+            if (ssl->getSecurity().get_connection().send_server_key_)
+                sendServerKeyExchange(*ssl);
 
-        if(ssl->getCrypto().get_certManager().verifyPeer())
-            sendCertificateRequest(*ssl);
+            if(ssl->getCrypto().get_certManager().verifyPeer())
+                sendCertificateRequest(*ssl);
 
-        sendServerHelloDone(*ssl);
-        ssl->flushBuffer();
+            sendServerHelloDone(*ssl);
+            ssl->flushBuffer();
         }
       
         if (!ssl->GetError())
@@ -359,40 +381,40 @@ int SSL_accept(SSL* ssl)
 
     case SERVER_HELLO_DONE :
         if (!ssl->getSecurity().get_resuming()) {
-        while (ssl->getStates().getServer() < clientFinishedComplete) {
-            if (ssl->GetError()) break;
-            processReply(*ssl);
+            while (ssl->getStates().getServer() < clientFinishedComplete) {
+                if (ssl->GetError()) break;
+                processReply(*ssl);
+            }
         }
-    }
         if (!ssl->GetError())
             ssl->useStates().UseAccept() = ACCEPT_SECOND_REPLY_DONE;
 
     case ACCEPT_SECOND_REPLY_DONE :
-    sendChangeCipher(*ssl);
-    sendFinished(*ssl, server_end);
-    ssl->flushBuffer();
+        sendChangeCipher(*ssl);
+        sendFinished(*ssl, server_end);
+        ssl->flushBuffer();
 
         if (!ssl->GetError())
             ssl->useStates().UseAccept() = ACCEPT_FINISHED_DONE;
 
     case ACCEPT_FINISHED_DONE :
-    if (ssl->getSecurity().get_resuming()) {
-        while (ssl->getStates().getServer() < clientFinishedComplete) {
-          if (ssl->GetError()) break;
-          processReply(*ssl);
-      }
-    }
+        if (ssl->getSecurity().get_resuming()) {
+            while (ssl->getStates().getServer() < clientFinishedComplete) {
+                if (ssl->GetError()) break;
+                processReply(*ssl);
+            }
+        }
         if (!ssl->GetError())
             ssl->useStates().UseAccept() = ACCEPT_THIRD_REPLY_DONE;
 
     case ACCEPT_THIRD_REPLY_DONE :
-    ssl->useLog().ShowTCP(ssl->getSocket().get_fd());
+        ssl->useLog().ShowTCP(ssl->getSocket().get_fd());
 
         if (ssl->GetError()) {
             GetErrors().Add(ssl->GetError());
-        return SSL_FATAL_ERROR;
+            return SSL_FATAL_ERROR;
         }
-    return SSL_SUCCESS;
+        return SSL_SUCCESS;
 
     default:
         return SSL_FATAL_ERROR; // unknown state
@@ -1097,7 +1119,6 @@ int EVP_BytesToKey(const EVP_CIPHER* type, const EVP_MD* md, const byte* salt,
             ivLeft    -= store;
         }
     }
-    assert(keyOutput == (keyLen + ivLen));
     return keyOutput;
 }
 
diff --git a/extra/yassl/src/yassl.cpp b/extra/yassl/src/yassl.cpp
index 815277ce6f3..99a1da5371b 100644
--- a/extra/yassl/src/yassl.cpp
+++ b/extra/yassl/src/yassl.cpp
@@ -69,13 +69,13 @@ void SetUpBase(Base& base, ConnectionEnd end, SOCKET_T s)
 
     if (base.ca_)
         if (SSL_CTX_load_verify_locations(base.ctx_,
-            base.ca_, 0) != SSL_SUCCESS) assert(0);
+            base.ca_, 0) != SSL_SUCCESS) throw(0);
     if (base.cert_)
         if (SSL_CTX_use_certificate_file(base.ctx_,
-            base.cert_, SSL_FILETYPE_PEM) != SSL_SUCCESS) assert(0);
+            base.cert_, SSL_FILETYPE_PEM) != SSL_SUCCESS) throw(0);
     if (base.key_)
         if (SSL_CTX_use_PrivateKey_file(base.ctx_, base.key_,
-            SSL_FILETYPE_PEM) != SSL_SUCCESS) assert(0);
+            SSL_FILETYPE_PEM) != SSL_SUCCESS) throw(0);
 
     if (end == server_end) SetDH(base);
 
diff --git a/extra/yassl/src/yassl_error.cpp b/extra/yassl/src/yassl_error.cpp
index e167075b984..74735347841 100644
--- a/extra/yassl/src/yassl_error.cpp
+++ b/extra/yassl/src/yassl_error.cpp
@@ -31,6 +31,11 @@
     #pragma warning(disable: 4996)
 #endif
 
+#ifdef _MSC_VER
+    // 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy
+    #pragma warning(disable: 4996)
+#endif
+
 namespace yaSSL {
 
 
@@ -59,8 +64,9 @@ void SetErrorString(unsigned long error, char* buffer)
 {
     using namespace TaoCrypt;
     const int max = MAX_ERROR_SZ;  // shorthand
+    int localError = error;        // errors from a few enums 
 
-    switch (error) {
+    switch (localError) {
 
         // yaSSL proper errors
     case range_error :
@@ -121,7 +127,7 @@ void SetErrorString(unsigned long error, char* buffer)
 
     case certificate_error :
         strncpy(buffer, "unable to proccess cerificate", max);
-        break; 
+        break;
 
     case privateKey_error :
         strncpy(buffer, "unable to proccess private key, bad format", max);
@@ -130,7 +136,7 @@ void SetErrorString(unsigned long error, char* buffer)
     case badVersion_error :
         strncpy(buffer, "protocol version mismatch", max);
         break;
-        
+
     case compress_error :
         strncpy(buffer, "compression error", max);
         break;
@@ -148,6 +154,10 @@ void SetErrorString(unsigned long error, char* buffer)
         strncpy(buffer, "the read operation would block", max);
         break;
 
+    case SSL_ERROR_WANT_WRITE :
+        strncpy(buffer, "the write operation would block", max);
+        break;
+
     case CERTFICATE_ERROR :
         strncpy(buffer, "Unable to verify certificate", max);
         break;
diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp
index d981605d35a..6d2549749f2 100644
--- a/extra/yassl/src/yassl_imp.cpp
+++ b/extra/yassl/src/yassl_imp.cpp
@@ -117,7 +117,7 @@ void ClientDiffieHellmanPublic::build(SSL& ssl)
     if (*dhClient.get_agreedKey() == 0) 
         ssl.set_preMaster(dhClient.get_agreedKey() + 1, keyLength - 1);
     else
-    ssl.set_preMaster(dhClient.get_agreedKey(), keyLength);
+        ssl.set_preMaster(dhClient.get_agreedKey(), keyLength);
 }
 
 
@@ -135,8 +135,7 @@ void DH_Server::build(SSL& ssl)
     mySTL::auto_ptr auth;
     const CertManager& cert = ssl.getCrypto().get_certManager();
     
-    if (ssl.getSecurity().get_parms().sig_algo_ == rsa_sa_algo)
-    {
+    if (ssl.getSecurity().get_parms().sig_algo_ == rsa_sa_algo) {
         if (cert.get_keyType() != rsa_sa_algo) {
             ssl.SetError(privateKey_error);
             return;
@@ -925,8 +924,6 @@ Data::Data(uint16 len, opaque* b)
 
 void Data::SetData(uint16 len, const opaque* buffer)
 {
-    assert(write_buffer_ == 0);
-
     length_ = len;
     write_buffer_ = buffer;
 }
@@ -992,6 +989,11 @@ void Data::Process(input_buffer& input, SSL& ssl)
     int dataSz = msgSz - ivExtra - digestSz - pad - padSz;
     opaque verify[SHA_LEN];
 
+    if (dataSz < 0) {
+        ssl.SetError(bad_input);
+        return;
+    }
+
     const byte* rawData = input.get_buffer() + input.get_current();
 
     // read data
@@ -1006,10 +1008,10 @@ void Data::Process(input_buffer& input, SSL& ssl)
                                             tmp.get_buffer(), tmp.get_size()));
         }
         else {
-        input_buffer* data;
-        ssl.addData(data = NEW_YS input_buffer(dataSz));
-        input.read(data->get_buffer(), dataSz);
-        data->add_size(dataSz);
+            input_buffer* data;
+            ssl.addData(data = NEW_YS input_buffer(dataSz));
+            input.read(data->get_buffer(), dataSz);
+            data->add_size(dataSz);
         }
 
         if (ssl.isTLS())
@@ -1294,12 +1296,11 @@ void ServerHello::Process(input_buffer&, SSL& ssl)
     ssl.set_pending(cipher_suite_[1]);
     ssl.set_random(random_, server_end);
     if (id_len_)
-    ssl.set_sessionID(session_id_);
+        ssl.set_sessionID(session_id_);
     else
         ssl.useSecurity().use_connection().sessionID_Set_ = false;
 
-    if (ssl.getSecurity().get_resuming())
-    {
+    if (ssl.getSecurity().get_resuming()) {
         if (memcmp(session_id_, ssl.getSecurity().get_resume().GetID(),
                    ID_LEN) == 0) {
             ssl.set_masterSecret(ssl.getSecurity().get_resume().GetSecret());
@@ -1423,7 +1424,7 @@ input_buffer& operator>>(input_buffer& input, ClientHello& hello)
     if (hello.id_len_) input.read(hello.session_id_, ID_LEN);
     
     // Suites
-    byte tmp[2];
+    byte   tmp[2];
     uint16 len;
     tmp[0] = input[AUTO];
     tmp[1] = input[AUTO];
@@ -1431,8 +1432,8 @@ input_buffer& operator>>(input_buffer& input, ClientHello& hello)
 
     hello.suite_len_ = min(len, static_cast(MAX_SUITE_SZ));
     input.read(hello.cipher_suites_, hello.suite_len_);
-    if (len > hello.suite_len_) // ignore extra suites
-        input.set_current(input.get_current() + len -  hello.suite_len_);
+    if (len > hello.suite_len_)  // ignore extra suites
+        input.set_current(input.get_current() + len - hello.suite_len_);
 
     // Compression
     hello.comp_len_ = input[AUTO];
@@ -1496,8 +1497,9 @@ void ClientHello::Process(input_buffer&, SSL& ssl)
     if (ssl.GetMultiProtocol()) {   // SSLv23 support
         if (ssl.isTLS() && client_version_.minor_ < 1) {
             // downgrade to SSLv3
-        ssl.useSecurity().use_connection().TurnOffTLS();
-        ProtocolVersion pv = ssl.getSecurity().get_connection().version_;
+            ssl.useSecurity().use_connection().TurnOffTLS();
+            
+            ProtocolVersion pv = ssl.getSecurity().get_connection().version_;
             bool removeDH  = ssl.getSecurity().get_parms().removeDH_;
             bool removeRSA = false;
             bool removeDSA = false;
@@ -1511,7 +1513,7 @@ void ClientHello::Process(input_buffer&, SSL& ssl)
             // reset w/ SSL suites
             ssl.useSecurity().use_parms().SetSuites(pv, removeDH, removeRSA,
                                                     removeDSA);
-    }
+        }
         else if (ssl.isTLSv1_1() && client_version_.minor_ == 1)
             // downgrade to TLSv1, but use same suites
             ssl.useSecurity().use_connection().TurnOffTLS1_1();
@@ -1542,6 +1544,7 @@ void ClientHello::Process(input_buffer&, SSL& ssl)
         ssl.set_session(session);
         ssl.useSecurity().set_resuming(true);
         ssl.matchSuite(session->GetSuite(), SUITE_LEN);
+        if (ssl.GetError()) return;
         ssl.set_pending(ssl.getSecurity().get_parms().suite_[1]);
         ssl.set_masterSecret(session->GetSecret());
 
@@ -2038,7 +2041,7 @@ void Finished::Process(input_buffer& input, SSL& ssl)
     // verify hashes
     const  Finished& verify = ssl.getHashes().get_verify();
     uint finishedSz = ssl.isTLS() ? TLS_FINISHED_SZ : FINISHED_SZ;
-
+    
     input.read(hashes_.md5_, finishedSz);
 
     if (memcmp(&hashes_, &verify.hashes_, finishedSz)) {
diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp
index 66a854e6922..15a85e36909 100644
--- a/extra/yassl/src/yassl_int.cpp
+++ b/extra/yassl/src/yassl_int.cpp
@@ -308,7 +308,7 @@ SSL::SSL(SSL_CTX* ctx)
             SetError(YasslError(err));
             return;
         }
-        else if (serverSide && !(ctx->GetCiphers().setSuites_)) {
+        else if (serverSide) {
             // remove RSA or DSA suites depending on cert key type
             ProtocolVersion pv = secure_.get_connection().version_;
             
@@ -1128,8 +1128,28 @@ void SSL::flushBuffer()
 
 void SSL::Send(const byte* buffer, uint sz)
 {
-    if (socket_.send(buffer, sz) != sz)
-        SetError(send_error);
+    unsigned int sent = 0;
+
+    if (socket_.send(buffer, sz, sent) != sz) {
+        if (socket_.WouldBlock()) {
+            buffers_.SetOutput(NEW_YS output_buffer(sz - sent, buffer + sent,
+                                                    sz - sent));
+            SetError(YasslError(SSL_ERROR_WANT_WRITE));
+        }
+        else
+            SetError(send_error);
+    }
+}
+
+
+void SSL::SendWriteBuffered()
+{
+    output_buffer* out = buffers_.TakeOutput();
+
+    if (out) {
+        mySTL::auto_ptr tmp(out);
+        Send(out->get_buffer(), out->get_size());
+    }
 }
 
 
@@ -1291,7 +1311,6 @@ void SSL::matchSuite(const opaque* peer, uint length)
             if (secure_.use_parms().suites_[i] == peer[j]) {
                 secure_.use_parms().suite_[0] = 0x00;
                 secure_.use_parms().suite_[1] = peer[j];
-
                 return;
             }
 
@@ -1435,7 +1454,6 @@ void SSL::addBuffer(output_buffer* b)
 
 void SSL_SESSION::CopyX509(X509* x)
 {
-    assert(peerX509_ == 0);
     if (x == 0) return;
 
     X509_NAME* issuer   = x->GetIssuer();
@@ -1833,7 +1851,7 @@ SSL_CTX::GetCA_List() const
 }
 
 
-VerifyCallback SSL_CTX::getVerifyCallback() const
+const VerifyCallback SSL_CTX::getVerifyCallback() const
 {
     return verifyCallback_;
 }
@@ -2232,7 +2250,7 @@ Hashes& sslHashes::use_certVerify()
 }
 
 
-Buffers::Buffers() : rawInput_(0)
+Buffers::Buffers() : prevSent(0), plainSz(0), rawInput_(0), output_(0)
 {}
 
 
@@ -2243,12 +2261,18 @@ Buffers::~Buffers()
     STL::for_each(dataList_.begin(), dataList_.end(),
                   del_ptr_zero()) ;
     ysDelete(rawInput_);
+    ysDelete(output_);
+}
+
+
+void Buffers::SetOutput(output_buffer* ob)
+{
+    output_ = ob;
 }
 
 
 void Buffers::SetRawInput(input_buffer* ib)
 {
-    assert(rawInput_ == 0);
     rawInput_ = ib;
 }
 
@@ -2262,6 +2286,15 @@ input_buffer* Buffers::TakeRawInput()
 }
 
 
+output_buffer* Buffers::TakeOutput()
+{
+    output_buffer* ret = output_;
+    output_ = 0;
+
+    return ret;
+}
+
+
 const Buffers::inputList& Buffers::getData() const
 {
     return dataList_;
@@ -2536,14 +2569,12 @@ ASN1_STRING* StringHolder::GetString()
     // these versions should never get called
     int Compress(const byte* in, int sz, input_buffer& buffer)
     {
-        assert(0);  
         return -1;
     } 
 
 
     int DeCompress(input_buffer& in, int sz, input_buffer& out)
     {
-        assert(0);  
         return -1;
     } 
 
diff --git a/extra/yassl/taocrypt/README b/extra/yassl/taocrypt/README
index 0a7ff301786..bd786b7ce54 100644
--- a/extra/yassl/taocrypt/README
+++ b/extra/yassl/taocrypt/README
@@ -21,7 +21,7 @@ Stream Ciphers: ARC4
 Public Key Crypto: RSA, DSA, Diffie-Hellman
 Password based key derivation: PBKDF2 from PKCS #5
 Pseudo Random Number Generators
-Lare Integer Support
+Large Integer Support
 Base 16/64 encoding/decoding
 DER encoding/decoding
 X.509 processing
diff --git a/extra/yassl/taocrypt/benchmark/benchmark.cpp b/extra/yassl/taocrypt/benchmark/benchmark.cpp
index 55e94275b20..225a1a0fa46 100644
--- a/extra/yassl/taocrypt/benchmark/benchmark.cpp
+++ b/extra/yassl/taocrypt/benchmark/benchmark.cpp
@@ -117,7 +117,7 @@ void bench_des()
 
     double persec = 1 / total * megs;
 
-    printf("3DES     %d megs took %5.3f seconds, %5.2f MB/s\n", megs, total,
+    printf("3DES     %d megs took %5.3f seconds, %6.2f MB/s\n", megs, total,
                                                              persec);
 }
 
@@ -137,7 +137,7 @@ void bench_aes(bool show)
     double persec = 1 / total * megs;
 
     if (show)
-        printf("AES      %d megs took %5.3f seconds, %5.2f MB/s\n", megs, total,
+        printf("AES      %d megs took %5.3f seconds, %6.2f MB/s\n", megs, total,
                                                                  persec);
 }
 
@@ -156,7 +156,7 @@ void bench_twofish()
 
     double persec = 1 / total * megs;
 
-    printf("Twofish  %d megs took %5.3f seconds, %5.2f MB/s\n", megs, total,
+    printf("Twofish  %d megs took %5.3f seconds, %6.2f MB/s\n", megs, total,
                                                             persec);
 
 }
@@ -176,7 +176,7 @@ void bench_blowfish()
 
     double persec = 1 / total * megs;
 
-    printf("Blowfish %d megs took %5.3f seconds, %5.2f MB/s\n", megs, total,
+    printf("Blowfish %d megs took %5.3f seconds, %6.2f MB/s\n", megs, total,
                                                              persec);
 }
 
@@ -195,7 +195,7 @@ void bench_arc4()
 
     double persec = 1 / total * megs;
 
-    printf("ARC4     %d megs took %5.3f seconds, %5.2f MB/s\n", megs, total,
+    printf("ARC4     %d megs took %5.3f seconds, %6.2f MB/s\n", megs, total,
                                                              persec);
 }
 
@@ -217,7 +217,7 @@ void bench_md5()
 
     double persec = 1 / total * megs;
 
-    printf("MD5      %d megs took %5.3f seconds, %5.2f MB/s\n", megs, total,
+    printf("MD5      %d megs took %5.3f seconds, %6.2f MB/s\n", megs, total,
                                                              persec);
 }
 
@@ -245,7 +245,7 @@ void bench_sha()
 
     double persec = 1 / total * megs;
 
-    printf("SHA      %d megs took %5.3f seconds, %5.2f MB/s\n", megs, total,
+    printf("SHA      %d megs took %5.3f seconds, %6.2f MB/s\n", megs, total,
                                                              persec);
 }
 
@@ -267,7 +267,7 @@ void bench_ripemd()
 
     double persec = 1 / total * megs;
 
-    printf("RIPEMD   %d megs took %5.3f seconds, %5.2f MB/s\n", megs, total,
+    printf("RIPEMD   %d megs took %5.3f seconds, %6.2f MB/s\n", megs, total,
                                                              persec);
 }
 
@@ -290,7 +290,7 @@ void bench_rsa()
     byte      message[] = "Everyone gets Friday off.";
     byte      cipher[128];  // for 1024 bit
     byte      plain[128];   // for 1024 bit
-    const int len = strlen((char*)message);
+    const int len = (word32)strlen((char*)message);
     
     int i;    
     double start = current_time();
diff --git a/extra/yassl/taocrypt/benchmark/benchmark.dsp b/extra/yassl/taocrypt/benchmark/benchmark.dsp
index 878dc2b2783..449299a1c8d 100644
--- a/extra/yassl/taocrypt/benchmark/benchmark.dsp
+++ b/extra/yassl/taocrypt/benchmark/benchmark.dsp
@@ -49,8 +49,8 @@ BSC32=bscmake.exe
 # ADD BASE BSC32 /nologo
 # ADD BSC32 /nologo
 LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 
 !ELSEIF  "$(CFG)" == "benchmark - Win32 Debug"
 
@@ -64,7 +64,7 @@ LINK32=link.exe
 # PROP Output_Dir "Debug"
 # PROP Intermediate_Dir "Debug"
 # PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ  /c
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
 # ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\mySTL" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ  /c
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -72,8 +72,8 @@ BSC32=bscmake.exe
 # ADD BASE BSC32 /nologo
 # ADD BSC32 /nologo
 LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 
 !ENDIF 
 
diff --git a/extra/yassl/taocrypt/benchmark/dh1024.der b/extra/yassl/taocrypt/benchmark/dh1024.der
index 1a85d90f3f73bfac8eadcce347ac184517b7696f..09f81ee14c1433f2976ecbd6f005f08bab148fc9 100644
GIT binary patch
delta 6
NcmeBS>|&hI1po&q0y6*r

delta 9
QcmeBT>|vbH#l*!001e>+NdN!<

diff --git a/extra/yassl/taocrypt/benchmark/dsa1024.der b/extra/yassl/taocrypt/benchmark/dsa1024.der
index 1fcb37fad6a8faa17c04840ad011e4c8244e588d..3a6dfca4b8f4a175a86291c7a763b924de848584 100644
GIT binary patch
delta 9
RcmX@Wyq9^xn~85P0st2L1y29~

delta 14
WcmdnXe1Lhv8%ExVZ!R)%aRC4=Wd(8o

diff --git a/extra/yassl/taocrypt/benchmark/make.bat b/extra/yassl/taocrypt/benchmark/make.bat
old mode 100644
new mode 100755
diff --git a/extra/yassl/taocrypt/benchmark/rsa1024.der b/extra/yassl/taocrypt/benchmark/rsa1024.der
index 8fc918144723bb1eca7eb973a17d3807f4ae0665..5ba3fbe6c9c1924168019953bfd98aa3820aab5c 100644
GIT binary patch
delta 14
WcmaFFa*t(#!A8S4#>o>HF8}~6Xa&9i

delta 21
ccmcb|@`z=E0VD55gE&S;-pPH87nr!X084@e?EnA(

diff --git a/extra/yassl/taocrypt/certs/client-cert.der b/extra/yassl/taocrypt/certs/client-cert.der
new file mode 100644
index 0000000000000000000000000000000000000000..9c2ef138bf6fc2630912ef6de6d3b6cf0301c25e
GIT binary patch
literal 782
zcmXqLV&*ewV%o8QnTe5!iId^z^&CO752gt37V!S$Cd{c2w
z+xe{@pPtL$xw%NlvgT7T6Eh6`G!AGtU6f7X1Ree9RIvE9TA<<2M1$?+Gmul%m|
XpzgmxZ4lSP1`oI0Ghf~;KUWF>dNSg%

literal 0
HcmV?d00001

diff --git a/extra/yassl/taocrypt/certs/client-key.der b/extra/yassl/taocrypt/certs/client-key.der
new file mode 100644
index 0000000000000000000000000000000000000000..649406c441767b2fc535821ce7c97bd4e0d6d582
GIT binary patch
literal 319
zcmV-F0l@w+f&n}N0RRF)0KHL46#Z%$gbXt{{3kM;mka!)7+`5m+1Pkc3+W(T)*Wyh
z3?!c;g3LMr)t48tb8LpswejW7Xbjn+5;=VGQvw44009C(RAJUGQsJhn*RVks3iY8J
zCMcedit&X;&KR0KB-Gnop9+L4$c$`V0)_@SMRl3I=r&fTY?)V-Vd8(NC0wDn4
zM18Ssb(*B)>6>jE5mfR!`GzLBxER$nNIt2t9S#B^0N5JSLP*YUd!+;PnLAD&B}QzU
zvtajORva>HMXB6L-vS{3rWv#PasflN&Kx6LFRv7+`|v^
zVG1Ri@*x3g&8mzy=gMZ=R`d^jdeIoULj4;N0u=zQB`K>4p9vhntpgx-f2OzHO#=x6
zKoW?V+UL*c!cZIQhO-Q%7jd2qIS;
zyLXY#TQ=?UB!ZBN&5(TCclj4Bb93*zxq<=|BZKF@YOJKk3>*_>cJA226^%Byxu9@E

literal 0
HcmV?d00001

diff --git a/extra/yassl/taocrypt/include/asn.hpp b/extra/yassl/taocrypt/include/asn.hpp
index ece7140741a..c20387d86c7 100644
--- a/extra/yassl/taocrypt/include/asn.hpp
+++ b/extra/yassl/taocrypt/include/asn.hpp
@@ -167,6 +167,7 @@ public:
     void Decode(RSA_PublicKey&);
 private:
     void ReadHeader();
+    void ReadHeaderOpenSSL();
 };
 
 
diff --git a/extra/yassl/taocrypt/include/block.hpp b/extra/yassl/taocrypt/include/block.hpp
index ad3dcf2db59..ae3df8a3009 100644
--- a/extra/yassl/taocrypt/include/block.hpp
+++ b/extra/yassl/taocrypt/include/block.hpp
@@ -61,10 +61,6 @@ public:
     void          destroy(pointer p) {p->~T();}
     size_type     max_size() const {return ~size_type(0)/sizeof(T);}
 protected:
-    static void CheckSize(size_t n)
-    {
-        assert(n <= ~size_t(0) / sizeof(T));
-    }
 };
 
 
@@ -101,7 +97,8 @@ public:
 
     pointer allocate(size_type n, const void* = 0)
     {
-        this->CheckSize(n);
+        if (n > this->max_size())
+            return 0;
         if (n == 0)
             return 0;
         return NEW_TC T[n];
@@ -144,9 +141,8 @@ public:
         return *this;
     }
 
-    T& operator[] (word32 i) { assert(i < sz_); return buffer_[i]; }
-    const T& operator[] (word32 i) const 
-        { assert(i < sz_); return buffer_[i]; }
+    T& operator[] (word32 i) { return buffer_[i]; }
+    const T& operator[] (word32 i) const { return buffer_[i]; }
 
     T* operator+ (word32 i) { return buffer_ + i; }
     const T* operator+ (word32 i) const { return buffer_ + i; }
diff --git a/extra/yassl/taocrypt/include/blowfish.hpp b/extra/yassl/taocrypt/include/blowfish.hpp
index 99d932353df..3ad2aedc587 100644
--- a/extra/yassl/taocrypt/include/blowfish.hpp
+++ b/extra/yassl/taocrypt/include/blowfish.hpp
@@ -59,11 +59,11 @@ public:
     void SetKey(const byte* key, word32 sz, CipherDir fake = ENCRYPTION);
     void SetIV(const byte* iv) { memcpy(r_, iv, BLOCK_SIZE); }
 private:
-	static const word32 p_init_[ROUNDS + 2];
-	static const word32 s_init_[4 * 256];
+    static const word32 p_init_[ROUNDS + 2];
+    static const word32 s_init_[4 * 256];
 
-	word32 pbox_[ROUNDS + 2 + 4 * 256];
-	word32* sbox_;
+    word32 pbox_[ROUNDS + 2 + 4 * 256];
+    word32* sbox_;
 
     void crypt_block(const word32 in[2], word32 out[2]) const;
     void AsmProcess(const byte* in, byte* out) const;
diff --git a/extra/yassl/taocrypt/include/des.hpp b/extra/yassl/taocrypt/include/des.hpp
index f99a289392f..2bc41fc2628 100644
--- a/extra/yassl/taocrypt/include/des.hpp
+++ b/extra/yassl/taocrypt/include/des.hpp
@@ -84,7 +84,7 @@ private:
 // DES_EDE3
 class DES_EDE3 : public Mode_BASE {
 public:
-    DES_EDE3(CipherDir DIR, Mode MODE) 
+    DES_EDE3(CipherDir DIR, Mode MODE)
         : Mode_BASE(DES_BLOCK_SIZE, DIR, MODE) {}
 
     void SetKey(const byte*, word32, CipherDir dir);
diff --git a/extra/yassl/taocrypt/include/hash.hpp b/extra/yassl/taocrypt/include/hash.hpp
index fa5f6c04720..4ebc82e073d 100644
--- a/extra/yassl/taocrypt/include/hash.hpp
+++ b/extra/yassl/taocrypt/include/hash.hpp
@@ -63,8 +63,8 @@ protected:
     word32          buffLen_;   // in bytes
     HashLengthType  loLen_;     // length in bytes
     HashLengthType  hiLen_;     // length in bytes
-    word32  digest_[MaxDigestSz];
-    word32  buffer_[MaxBufferSz / sizeof(word32)];
+    word32          digest_[MaxDigestSz];
+    word32          buffer_[MaxBufferSz / sizeof(word32)];
 
     virtual void Transform() = 0;
 
diff --git a/extra/yassl/taocrypt/include/hc128.hpp b/extra/yassl/taocrypt/include/hc128.hpp
new file mode 100644
index 00000000000..d1cf5f075f2
--- /dev/null
+++ b/extra/yassl/taocrypt/include/hc128.hpp
@@ -0,0 +1,63 @@
+/*
+   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ 
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+ 
+   You should have received a copy of the GNU General Public License
+   along with this program; see the file COPYING. If not, write to the
+   Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+   MA  02110-1301  USA.
+*/
+
+/* hc128.hpp defines HC128
+*/
+
+
+#ifndef TAO_CRYPT_HC128_HPP
+#define TAO_CRYPT_HC128_HPP
+
+#include "misc.hpp"
+
+namespace TaoCrypt {
+
+
+// HC128 encryption and decryption
+class HC128 {
+public:
+
+    typedef HC128 Encryption;
+    typedef HC128 Decryption;
+
+
+    HC128() {}
+
+    void Process(byte*, const byte*, word32);
+    void SetKey(const byte*, const byte*);
+private:
+    word32 T_[1024];             /* P[i] = T[i];  Q[i] = T[1024 + i ]; */
+    word32 X_[16];
+    word32 Y_[16];
+    word32 counter1024_;         /* counter1024 = i mod 1024 at the ith step */
+    word32 key_[8];
+    word32 iv_[8];
+
+    void SetIV(const byte*);
+    void GenerateKeystream(word32*);
+    void SetupUpdate();
+
+    HC128(const HC128&);                  // hide copy
+    const HC128 operator=(const HC128&);  // and assign
+};
+
+} // namespace
+
+
+#endif // TAO_CRYPT_HC128_HPP
+
diff --git a/extra/yassl/taocrypt/include/integer.hpp b/extra/yassl/taocrypt/include/integer.hpp
index 186d62bb866..256573cf622 100644
--- a/extra/yassl/taocrypt/include/integer.hpp
+++ b/extra/yassl/taocrypt/include/integer.hpp
@@ -110,13 +110,6 @@ namespace TaoCrypt {
 #endif
 
 
-// general MIN
-template inline
-const T& min(const T& a, const T& b)
-{
-    return a < b ? a : b;
-}
-
 
 // general MAX
 template inline
diff --git a/extra/yassl/taocrypt/include/kernelc.hpp b/extra/yassl/taocrypt/include/kernelc.hpp
index daa3762d5dd..5bdf1cffa3f 100644
--- a/extra/yassl/taocrypt/include/kernelc.hpp
+++ b/extra/yassl/taocrypt/include/kernelc.hpp
@@ -30,17 +30,5 @@ extern "C" void* memcpy(void*, const void*, size_t);
 extern "C" void* memset(void*, int, size_t);
 extern "C" void  printk(char *fmt, ...);
 
-#define KERN_ERR "<3>"   /* error conditions */
-
-#if defined(NDEBUG)
-    #define assert(p)  	((void)0)
-#else
-    #define assert(expr)   \
-    if (!(expr))         { \
-         printk(KERN_ERR "Assertion failed! %s,%s,%s,line=%d\n", \
-         #expr,__FILE__,__FUNCTION__,__LINE__); }
-#endif
-
-
 
 #endif // TAOCRYPT_KERNELC_HPP
diff --git a/extra/yassl/taocrypt/include/misc.hpp b/extra/yassl/taocrypt/include/misc.hpp
index a375b17eb1e..b6925f916f8 100644
--- a/extra/yassl/taocrypt/include/misc.hpp
+++ b/extra/yassl/taocrypt/include/misc.hpp
@@ -24,7 +24,6 @@
 
 #if !defined(DO_TAOCRYPT_KERNEL_MODE)
     #include 
-    #include 
     #include 
 #else
     #include "kernelc.hpp"
@@ -62,30 +61,30 @@ void CleanUp();
     template
     void tcDelete(T* ptr)
     {
-    if (ptr) ptr->~T();
-    ::operator delete(ptr, TaoCrypt::tc);
+        if (ptr) ptr->~T();
+        ::operator delete(ptr, TaoCrypt::tc);
     }
 
     template
     void tcArrayDelete(T* ptr)
     {
-    // can't do array placement destruction since not tracking size in
-    // allocation, only allow builtins to use array placement since they
-    // don't need destructors called
-    typedef char builtin[IsFundamentalType::Yes ? 1 : -1];
-    (void)sizeof(builtin);
+        // can't do array placement destruction since not tracking size in
+        // allocation, only allow builtins to use array placement since they
+        // don't need destructors called
+        typedef char builtin[IsFundamentalType::Yes ? 1 : -1];
+        (void)sizeof(builtin);
 
-    ::operator delete[](ptr, TaoCrypt::tc);
+        ::operator delete[](ptr, TaoCrypt::tc);
     }
 
     #define NEW_TC new (TaoCrypt::tc)
 
 
     // to resolve compiler generated operator delete on base classes with
-    // virtual destructors (when on stack), make sure doesn't get called
+    // virtual destructors (when on stack)
     class virtual_base {
     public:
-    static void operator delete(void*) { assert(0); }
+        static void operator delete(void*) { }
     };
 
 #else // YASSL_PURE_C
@@ -366,7 +365,6 @@ inline bool IsPowerOf2(T n)
 template 
 inline T2 ModPowerOf2(T1 a, T2 b)
 {
-    assert(IsPowerOf2(b));
     return T2(a) & (b-1);
 }
 
@@ -409,14 +407,12 @@ inline bool IsAligned(const void* p, T* dummy = 0)	// VC60 workaround
 
 template  inline T rotlFixed(T x, unsigned int y)
 {
-    assert(y < sizeof(T)*8);
-        return (x<>(sizeof(T)*8-y));
+    return (x<>(sizeof(T)*8-y));
 }
 
 template  inline T rotrFixed(T x, unsigned int y)
 {
-    assert(y < sizeof(T)*8);
-        return (x>>y) | (x<<(sizeof(T)*8-y));
+    return (x>>y) | (x<<(sizeof(T)*8-y));
 }
 
 #ifdef INTEL_INTRINSICS
@@ -425,13 +421,11 @@ template  inline T rotrFixed(T x, unsigned int y)
 
 template<> inline word32 rotlFixed(word32 x, word32 y)
 {
-    assert(y < 32);
     return y ? _lrotl(x, y) : x;
 }
 
 template<> inline word32 rotrFixed(word32 x, word32 y)
 {
-    assert(y < 32);
     return y ? _lrotr(x, y) : x;
 }
 
@@ -441,7 +435,9 @@ template<> inline word32 rotrFixed(word32 x, word32 y)
 #undef min
 #endif 
 
-inline word32 min(word32 a, word32 b)
+
+template 
+inline const T& min(const T& a, const T& b)
 {
     return a < b ? a : b;
 }
@@ -486,7 +482,6 @@ inline word64 ByteReverse(word64 value)
 template 
 inline void ByteReverse(T* out, const T* in, word32 byteCount)
 {
-    assert(byteCount % sizeof(T) == 0);
     word32 count = byteCount/sizeof(T);
     for (word32 i=0; i
 inline T GetWord(bool assumeAligned, ByteOrder order, const byte *block)
 {
     if (assumeAligned)
-    {
-        assert(IsAligned(block));
         return ByteReverseIf(*reinterpret_cast(block), order);
-    }
     else
         return UnalignedGetWord(order, block);
 }
@@ -699,7 +691,6 @@ inline void PutWord(bool assumeAligned, ByteOrder order, byte* block, T value,
 {
     if (assumeAligned)
     {
-        assert(IsAligned(block));
         if (xorBlock)
             *reinterpret_cast(block) = ByteReverseIf(value, order) 
                 ^ *reinterpret_cast(xorBlock);
@@ -812,7 +803,6 @@ inline T SafeLeftShift(T value)
 inline
 word ShiftWordsLeftByBits(word* r, unsigned int n, unsigned int shiftBits)
 {
-    assert (shiftBits=0; i--)
diff --git a/extra/yassl/taocrypt/include/modes.hpp b/extra/yassl/taocrypt/include/modes.hpp
index 2285bd0e845..5fd36b80d3e 100644
--- a/extra/yassl/taocrypt/include/modes.hpp
+++ b/extra/yassl/taocrypt/include/modes.hpp
@@ -61,9 +61,7 @@ public:
     explicit Mode_BASE(int sz, CipherDir dir, Mode mode) 
         : blockSz_(sz), reg_(reinterpret_cast(r_)),
           tmp_(reinterpret_cast(t_)), dir_(dir), mode_(mode)
-    { 
-        assert(sz <= MaxBlockSz);
-    }
+    {}
     virtual ~Mode_BASE() {}
 
     virtual void Process(byte*, const byte*, word32);
@@ -96,8 +94,7 @@ inline void Mode_BASE::Process(byte* out, const byte* in, word32 sz)
 {
     if (mode_ == ECB)
         ECB_Process(out, in, sz);
-    else if (mode_ == CBC)
-    {
+    else if (mode_ == CBC) {
         if (dir_ == ENCRYPTION)
             CBC_Encrypt(out, in, sz);
         else
diff --git a/extra/yassl/taocrypt/include/pwdbased.hpp b/extra/yassl/taocrypt/include/pwdbased.hpp
index 5ece1a8f43b..f40a336e2c3 100644
--- a/extra/yassl/taocrypt/include/pwdbased.hpp
+++ b/extra/yassl/taocrypt/include/pwdbased.hpp
@@ -48,8 +48,9 @@ word32 PBKDF2_HMAC::DeriveKey(byte* derived, word32 dLen, const byte* pwd,
                                  word32 pLen, const byte* salt, word32 sLen,
                                  word32 iterations) const
 {
-	assert(dLen <= MaxDerivedKeyLength());
-	assert(iterations > 0);
+	if (dLen > MaxDerivedKeyLength())
+        return 0;
+
 
     ByteBlock buffer(T::DIGEST_SIZE);
 	HMAC   hmac;
diff --git a/extra/yassl/taocrypt/include/rabbit.hpp b/extra/yassl/taocrypt/include/rabbit.hpp
new file mode 100644
index 00000000000..1e7276dd8ec
--- /dev/null
+++ b/extra/yassl/taocrypt/include/rabbit.hpp
@@ -0,0 +1,65 @@
+/*
+   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ 
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+ 
+   You should have received a copy of the GNU General Public License
+   along with this program; see the file COPYING. If not, write to the
+   Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+   MA  02110-1301  USA.
+*/
+
+/* rabbit.hpp defines Rabbit
+*/
+
+
+#ifndef TAO_CRYPT_RABBIT_HPP
+#define TAO_CRYPT_RABBIT_HPP
+
+#include "misc.hpp"
+
+namespace TaoCrypt {
+
+
+// Rabbit encryption and decryption
+class Rabbit {
+public:
+
+    typedef Rabbit Encryption;
+    typedef Rabbit Decryption;
+
+    enum RabbitCtx { Master = 0, Work = 1 };
+
+    Rabbit() {}
+
+    void Process(byte*, const byte*, word32);
+    void SetKey(const byte*, const byte*);
+private:
+    struct Ctx {
+        word32 x[8];
+        word32 c[8];
+        word32 carry;
+    };
+
+    Ctx masterCtx_;
+    Ctx workCtx_;
+
+    void NextState(RabbitCtx);
+    void SetIV(const byte*);
+
+    Rabbit(const Rabbit&);                  // hide copy
+    const Rabbit operator=(const Rabbit&);  // and assign
+};
+
+} // namespace
+
+
+#endif // TAO_CRYPT_RABBIT_HPP
+
diff --git a/extra/yassl/taocrypt/include/rsa.hpp b/extra/yassl/taocrypt/include/rsa.hpp
index c895ab6fd34..11a4ccfd039 100644
--- a/extra/yassl/taocrypt/include/rsa.hpp
+++ b/extra/yassl/taocrypt/include/rsa.hpp
@@ -178,7 +178,8 @@ void RSA_Encryptor::Encrypt(const byte* plain, word32 sz, byte* cipher,
                                  RandomNumberGenerator& rng)
 {
     PK_Lengths lengths(key_.GetModulus());
-    assert(sz <= lengths.FixedMaxPlaintextLength());
+    if (sz > lengths.FixedMaxPlaintextLength())
+        return;
 
     ByteBlock paddedBlock(lengths.PaddedBlockByteLength());
     padding_.Pad(plain, sz, paddedBlock.get_buffer(),
@@ -195,7 +196,6 @@ word32 RSA_Decryptor::Decrypt(const byte* cipher, word32 sz, byte* plain,
                                    RandomNumberGenerator& rng)
 {
     PK_Lengths lengths(key_.GetModulus());
-    assert(sz == lengths.FixedCiphertextLength());
 
     if (sz != lengths.FixedCiphertextLength())
         return 0;
diff --git a/extra/yassl/taocrypt/include/runtime.hpp b/extra/yassl/taocrypt/include/runtime.hpp
index ad66a5bf9d0..568c0b3afd8 100644
--- a/extra/yassl/taocrypt/include/runtime.hpp
+++ b/extra/yassl/taocrypt/include/runtime.hpp
@@ -31,7 +31,6 @@
 
 #ifdef __sun
  
-#include 
 
 // Handler for pure virtual functions
 namespace __Crun {
@@ -46,9 +45,7 @@ namespace __Crun {
 #if __GNUC__ > 2
 
 extern "C" {
-#if !defined(DO_TAOCRYPT_KERNEL_MODE)
-    #include 
-#else
+#if defined(DO_TAOCRYPT_KERNEL_MODE)
     #include "kernelc.hpp"
 #endif
     int __cxa_pure_virtual () __attribute__ ((weak));
diff --git a/extra/yassl/taocrypt/include/types.hpp b/extra/yassl/taocrypt/include/types.hpp
index 3efdcdfbccb..5d8bc9f0683 100644
--- a/extra/yassl/taocrypt/include/types.hpp
+++ b/extra/yassl/taocrypt/include/types.hpp
@@ -62,7 +62,7 @@ typedef unsigned int   word32;
 // compilers we've found 64-bit multiply insructions for
 #if defined(__GNUC__) || defined(_MSC_VER) || defined(__DECCXX)
     #if !(defined(__ICC) || defined(__INTEL_COMPILER))
-    #define HAVE_64_MULTIPLY
+        #define HAVE_64_MULTIPLY
     #endif
 #endif
 
diff --git a/extra/yassl/taocrypt/mySTL/stdexcept.hpp b/extra/yassl/taocrypt/mySTL/stdexcept.hpp
index 9696995248d..15533eebc02 100644
--- a/extra/yassl/taocrypt/mySTL/stdexcept.hpp
+++ b/extra/yassl/taocrypt/mySTL/stdexcept.hpp
@@ -26,7 +26,6 @@
 
 
 #include   // strncpy
-#include   // assert
 #include   // size_t
 
 
@@ -41,7 +40,7 @@ public:
     virtual const char* what() const { return ""; }
 
     // for compiler generated call, never used
-    static void operator delete(void*) { assert(0); }
+    static void operator delete(void*) { }
 private:
     // don't allow dynamic creation of exceptions
     static void* operator new(size_t);
diff --git a/extra/yassl/taocrypt/mySTL/vector.hpp b/extra/yassl/taocrypt/mySTL/vector.hpp
index 8ba8813ca70..35b92610942 100644
--- a/extra/yassl/taocrypt/mySTL/vector.hpp
+++ b/extra/yassl/taocrypt/mySTL/vector.hpp
@@ -26,7 +26,6 @@
 
 #include "helpers.hpp"    // construct, destory, fill, etc.
 #include "algorithm.hpp"  // swap
-#include        // assert
 
 
 namespace mySTL {
@@ -141,9 +140,9 @@ private:
     // for growing, n must be bigger than other size
     vector(size_t n, const vector& other) : vec_(n)
     {
-        assert(n > other.size());
-        vec_.finish_ = uninit_copy(other.vec_.start_, other.vec_.finish_,
-                                   vec_.start_);   
+        if (n > other.size())
+            vec_.finish_ = uninit_copy(other.vec_.start_, other.vec_.finish_,
+                                       vec_.start_);
     }
 };
 
diff --git a/extra/yassl/taocrypt/src/Makefile.am b/extra/yassl/taocrypt/src/Makefile.am
index 760205a625c..9fa0861babf 100644
--- a/extra/yassl/taocrypt/src/Makefile.am
+++ b/extra/yassl/taocrypt/src/Makefile.am
@@ -21,7 +21,7 @@ libtaocrypt_la_SOURCES  = aes.cpp aestables.cpp algebra.cpp arc4.cpp \
         asn.cpp bftables.cpp blowfish.cpp coding.cpp des.cpp dh.cpp \
         dsa.cpp file.cpp hash.cpp integer.cpp md2.cpp md4.cpp md5.cpp misc.cpp \
         random.cpp ripemd.cpp rsa.cpp sha.cpp template_instnt.cpp \
-        tftables.cpp twofish.cpp
+        tftables.cpp twofish.cpp crypto.cpp rabbit.cpp hc128.cpp
 
 libtaocrypt_la_CXXFLAGS = @yassl_taocrypt_extra_cxxflags@ -DYASSL_PURE_C \
 			  @yassl_thread_cxxflags@
diff --git a/extra/yassl/taocrypt/src/aes.cpp b/extra/yassl/taocrypt/src/aes.cpp
index 21b21dc4856..811b483b0c9 100644
--- a/extra/yassl/taocrypt/src/aes.cpp
+++ b/extra/yassl/taocrypt/src/aes.cpp
@@ -78,7 +78,7 @@ void AES::Process(byte* out, const byte* in, word32 sz)
                 out += BLOCK_SIZE;
                 in  += BLOCK_SIZE;
             }
-    }
+   }
 }
 
 #endif // DO_AES_ASM
@@ -86,8 +86,13 @@ void AES::Process(byte* out, const byte* in, word32 sz)
 
 void AES::SetKey(const byte* userKey, word32 keylen, CipherDir /*dummy*/)
 {
-    assert( (keylen == 16) || (keylen == 24) || (keylen == 32) );
-
+    if (keylen <= 16)
+        keylen = 16;
+    else if (keylen >= 32)
+        keylen = 32;
+    else if (keylen != 24)
+        keylen = 24;
+    
     rounds_ = keylen/4 + 6;
 
     word32 temp, *rk = key_;
@@ -245,34 +250,34 @@ void AES::encrypt(const byte* inBlock, const byte* xorBlock,
     for (;;) {
         t0 =
             Te0[GETBYTE(s0, 3)] ^
-            Te1[GETBYTE(s1, 2)] ^
-            Te2[GETBYTE(s2, 1)] ^
-            Te3[GETBYTE(s3, 0)] ^
+            Te1[GETBYTE(s1, 2)]  ^
+            Te2[GETBYTE(s2, 1)]  ^
+            Te3[GETBYTE(s3, 0)]  ^
             rk[4];
         t1 =
             Te0[GETBYTE(s1, 3)] ^
-            Te1[GETBYTE(s2, 2)] ^
-            Te2[GETBYTE(s3, 1)] ^
-            Te3[GETBYTE(s0, 0)] ^
+            Te1[GETBYTE(s2, 2)]  ^
+            Te2[GETBYTE(s3, 1)]  ^
+            Te3[GETBYTE(s0, 0)]  ^
             rk[5];
         t2 =
             Te0[GETBYTE(s2, 3)] ^
-            Te1[GETBYTE(s3, 2)] ^
-            Te2[GETBYTE(s0, 1)] ^
-            Te3[GETBYTE(s1, 0)] ^
+            Te1[GETBYTE(s3, 2)]  ^
+            Te2[GETBYTE(s0, 1)]  ^
+            Te3[GETBYTE(s1, 0)]  ^
             rk[6];
         t3 =
             Te0[GETBYTE(s3, 3)] ^
-            Te1[GETBYTE(s0, 2)] ^
-            Te2[GETBYTE(s1, 1)] ^
-            Te3[GETBYTE(s2, 0)] ^
+            Te1[GETBYTE(s0, 2)]  ^
+            Te2[GETBYTE(s1, 1)]  ^
+            Te3[GETBYTE(s2, 0)]  ^
             rk[7];
 
         rk += 8;
         if (--r == 0) {
             break;
         }
-
+        
         s0 =
             Te0[GETBYTE(t0, 3)] ^
             Te1[GETBYTE(t1, 2)] ^
@@ -421,7 +426,7 @@ void AES::decrypt(const byte* inBlock, const byte* xorBlock,
         (Td4[GETBYTE(t3, 2)] & 0x00ff0000) ^
         (Td4[GETBYTE(t2, 1)] & 0x0000ff00) ^
         (Td4[GETBYTE(t1, 0)] & 0x000000ff) ^
-    rk[0];
+        rk[0];
     s1 =
         (Td4[GETBYTE(t1, 3)] & 0xff000000) ^
         (Td4[GETBYTE(t0, 2)] & 0x00ff0000) ^
diff --git a/extra/yassl/taocrypt/src/aestables.cpp b/extra/yassl/taocrypt/src/aestables.cpp
index e9d6b7a80cb..05c2c3b8e62 100644
--- a/extra/yassl/taocrypt/src/aestables.cpp
+++ b/extra/yassl/taocrypt/src/aestables.cpp
@@ -33,6 +33,4 @@ const word32 AES::rcon_[] = {
 };
 
 
-
-
 } // namespace
diff --git a/extra/yassl/taocrypt/src/algebra.cpp b/extra/yassl/taocrypt/src/algebra.cpp
index 20a152d1a9d..73423d47546 100644
--- a/extra/yassl/taocrypt/src/algebra.cpp
+++ b/extra/yassl/taocrypt/src/algebra.cpp
@@ -247,7 +247,6 @@ void AbstractGroup::SimultaneousMultiply(Integer *results, const Integer &base,
 
     for (i=0; iNotNegative());
         exponents.push_back(WindowSlider(*expBegin++, InversionIsFast(), 0));
         exponents[i].FindNextWindow();
         buckets[i].resize(1<<(exponents[i].windowSize-1), Identity());
@@ -288,7 +287,7 @@ void AbstractGroup::SimultaneousMultiply(Integer *results, const Integer &base,
         r = buckets[i][buckets[i].size()-1];
         if (buckets[i].size() > 1)
         {
-            for (int j= (unsigned int) (buckets[i].size()) - 2; j >= 1; j--)
+            for (size_t j = buckets[i].size()-2; j >= 1; j--)
             {
                 Accumulate(buckets[i][j], buckets[i][j+1]);
                 Accumulate(r, buckets[i][j]);
diff --git a/extra/yassl/taocrypt/src/arc4.cpp b/extra/yassl/taocrypt/src/arc4.cpp
index 0944cc31837..4630adcb11a 100644
--- a/extra/yassl/taocrypt/src/arc4.cpp
+++ b/extra/yassl/taocrypt/src/arc4.cpp
@@ -104,7 +104,7 @@ void ARC4::Process(byte* out, const byte* in, word32 length)
 #ifdef DO_ARC4_ASM
 
 #ifdef _MSC_VER
-    __declspec(naked) 
+    __declspec(naked)
 #else
     __attribute__ ((noinline))
 #endif
diff --git a/extra/yassl/taocrypt/src/asn.cpp b/extra/yassl/taocrypt/src/asn.cpp
index 1b81db4f0a4..72cbd092f9d 100644
--- a/extra/yassl/taocrypt/src/asn.cpp
+++ b/extra/yassl/taocrypt/src/asn.cpp
@@ -111,7 +111,8 @@ bool ValidateDate(const byte* date, byte format, CertDecoder::DateType dt)
     GetTime(certTime.tm_min,  date, i); 
     GetTime(certTime.tm_sec,  date, i); 
 
-    assert(date[i] == 'Z');     // only Zulu supported for this profile
+    if (date[i] != 'Z')     // only Zulu supported for this profile
+        return false;
 
     time_t ltime = time(0);
     tm* localTime = gmtime(<ime);
@@ -214,9 +215,9 @@ void PublicKey::AddToEnd(const byte* data, word32 len)
 Signer::Signer(const byte* k, word32 kSz, const char* n, const byte* h)
     : key_(k, kSz)
 {
-        size_t sz = strlen(n);
-        memcpy(name_, n, sz);
-        name_[sz] = 0;
+    size_t sz = strlen(n);
+    memcpy(name_, n, sz);
+    name_[sz] = 0;
 
     memcpy(hash_, h, SHA::DIGEST_SIZE);
 }
@@ -364,12 +365,59 @@ void RSA_Public_Decoder::Decode(RSA_PublicKey& key)
     ReadHeader();
     if (source_.GetError().What()) return;
 
+    ReadHeaderOpenSSL();   // may or may not be
+    if (source_.GetError().What()) return;
+
     // public key
     key.SetModulus(GetInteger(Integer().Ref()));
     key.SetPublicExponent(GetInteger(Integer().Ref()));
 }
 
 
+// Read OpenSSL format public header
+void RSA_Public_Decoder::ReadHeaderOpenSSL()
+{
+    byte b = source_.next();  // peek
+    source_.prev();
+
+    if (b != INTEGER) { // have OpenSSL public format
+        GetSequence();
+        b = source_.next();
+        if (b != OBJECT_IDENTIFIER) {
+            source_.SetError(OBJECT_ID_E);
+            return;
+        }
+
+        word32 len = GetLength(source_);
+        source_.advance(len);
+
+        b = source_.next();
+        if (b == TAG_NULL) {   // could have NULL tag and 0 terminator, may not 
+            b = source_.next();
+            if (b != 0) {
+                source_.SetError(EXPECT_0_E);
+                return; 
+            }
+        }
+        else
+            source_.prev();   // put back
+
+        b = source_.next();
+        if (b != BIT_STRING) {   
+            source_.SetError(BIT_STR_E);
+            return; 
+        }
+
+        len = GetLength(source_); 
+        b = source_.next();
+        if (b != 0)           // could have 0
+            source_.prev();   // put back
+        
+        GetSequence();
+    }
+}
+
+
 void RSA_Public_Decoder::ReadHeader()
 {
     GetSequence();
@@ -420,12 +468,12 @@ CertDecoder::CertDecoder(Source& s, bool decode, SignerList* signers,
                          bool noVerify, CertType ct)
     : BER_Decoder(s), certBegin_(0), sigIndex_(0), sigLength_(0),
       signature_(0), verify_(!noVerify)
-{ 
+{
     issuer_[0] = 0;
     subject_[0] = 0;
 
     if (decode)
-        Decode(signers, ct); 
+        Decode(signers, ct);
 
 }
 
@@ -470,9 +518,9 @@ void CertDecoder::Decode(SignerList* signers, CertType ct)
         source_.SetError(SIG_OID_E);
         return;
     }
-
+    
     if (ct != CA && verify_ && !ValidateSignature(signers))
-            source_.SetError(SIG_OTHER_E);
+        source_.SetError(SIG_OTHER_E);
 }
 
 
@@ -585,21 +633,19 @@ word32 CertDecoder::GetAlgoId()
     while(length--)
         oid += source_.next();        // just sum it up for now
 
-    if (oid != SHAwDSA && oid != DSAk) {
-        b = source_.next();               // should have NULL tag and 0
-
-        if (b != TAG_NULL) {
-            source_.SetError(TAG_NULL_E);
-            return 0;
-        }
-
+    // could have NULL tag and 0 terminator, but may not
+    b = source_.next();
+    if (b == TAG_NULL) {
         b = source_.next();
         if (b != 0) {
             source_.SetError(EXPECT_0_E);
             return 0;
         }
     }
- 
+    else
+        // go back, didn't have it
+        b = source_.prev();
+
     return oid;
 }
 
@@ -653,20 +699,22 @@ word32 CertDecoder::GetDigest()
 }
 
 
-char *CertDecoder::AddTag(char *ptr, const char *buf_end, 
-                          const char *tag_name, word32 tag_name_length,
-                          word32 tag_value_length)
+// memory length checked add tag to buffer
+char* CertDecoder::AddTag(char* ptr, const char* buf_end, const char* tag_name,
+                          word32 tag_name_length, word32 tag_value_length)
 {
-  if (ptr + tag_name_length + tag_value_length > buf_end)
-      return 0;
-    
-  memcpy(ptr, tag_name, tag_name_length);
-  ptr+= tag_name_length;
-  
-  memcpy(ptr, source_.get_current(), tag_value_length);
-  ptr+= tag_value_length;
-  
-  return ptr;
+    if (ptr + tag_name_length + tag_value_length > buf_end) {
+        source_.SetError(CONTENT_E);
+        return 0;
+    }
+
+    memcpy(ptr, tag_name, tag_name_length);
+    ptr += tag_name_length;
+
+    memcpy(ptr, source_.get_current(), tag_value_length);
+    ptr += tag_value_length;
+
+    return ptr;
 }
 
 
@@ -679,18 +727,19 @@ void CertDecoder::GetName(NameType nt)
     word32 length = GetSequence();  // length of all distinguished names
 
     if (length >= ASN_NAME_MAX)
-        goto err;
+        return;
     length += source_.get_index();
-
-    char *ptr, *buf_end;
+    
+    char* ptr;
+    char* buf_end;
 
     if (nt == ISSUER) {
-        ptr= issuer_;
-        buf_end= ptr + sizeof(issuer_) - 1;  // 1 byte for trailing 0
+        ptr = issuer_;
+        buf_end = ptr + sizeof(issuer_) - 1;   // 1 byte for trailing 0
     }
     else {
-        ptr= subject_;
-        buf_end= ptr + sizeof(subject_) - 1;  // 1 byte for trailing 0
+        ptr = subject_;
+        buf_end = ptr + sizeof(subject_) - 1;  // 1 byte for trailing 0
     }
 
     while (source_.get_index() < length) {
@@ -716,39 +765,39 @@ void CertDecoder::GetName(NameType nt)
 
             switch (id) {
             case COMMON_NAME:
-                if (!(ptr= AddTag(ptr, buf_end, "/CN=", 4, strLen)))
-                  goto err;
+                if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen)))
+                    return;
                 break;
             case SUR_NAME:
-                if (!(ptr= AddTag(ptr, buf_end, "/SN=", 4, strLen)))
-                  goto err;
+                if (!(ptr = AddTag(ptr, buf_end, "/SN=", 4, strLen)))
+                    return;
                 break;
             case COUNTRY_NAME:
-                if (!(ptr= AddTag(ptr, buf_end, "/C=", 3, strLen)))
-                  goto err;
+                if (!(ptr = AddTag(ptr, buf_end, "/C=", 3, strLen)))
+                    return;
                 break;
             case LOCALITY_NAME:
-                if (!(ptr= AddTag(ptr, buf_end, "/L=", 3, strLen)))
-                  goto err;
+                if (!(ptr = AddTag(ptr, buf_end, "/L=", 3, strLen)))
+                    return;
                 break;
             case STATE_NAME:
-                if (!(ptr= AddTag(ptr, buf_end, "/ST=", 4, strLen)))
-                  goto err;
+                if (!(ptr = AddTag(ptr, buf_end, "/ST=", 4, strLen)))
+                    return;
                 break;
             case ORG_NAME:
-                if (!(ptr= AddTag(ptr, buf_end, "/O=", 3, strLen)))
-                  goto err;
+                if (!(ptr = AddTag(ptr, buf_end, "/O=", 3, strLen)))
+                    return;
                 break;
             case ORGUNIT_NAME:
-                if (!(ptr= AddTag(ptr, buf_end, "/OU=", 4, strLen)))
-                  goto err;
+                if (!(ptr = AddTag(ptr, buf_end, "/OU=", 4, strLen)))
+                    return;
                 break;
             }
 
             sha.Update(source_.get_current(), strLen);
             source_.advance(strLen);
         }
-        else {
+        else { 
             bool email = false;
             if (joint[0] == 0x2a && joint[1] == 0x86)  // email id hdr
                 email = true;
@@ -756,20 +805,23 @@ void CertDecoder::GetName(NameType nt)
             source_.advance(oidSz + 1);
             word32 length = GetLength(source_);
 
-            if (email && !(ptr= AddTag(ptr, buf_end, "/emailAddress=", 14, length)))
-                goto err;
+            if (email) {
+                if (!(ptr = AddTag(ptr, buf_end, "/emailAddress=", 14, length))) {
+                    source_.SetError(CONTENT_E);
+                    return; 
+                }
+            }
 
             source_.advance(length);
         }
     }
-    *ptr= 0;
 
-    sha.Final(nt == ISSUER ? issuerHash_ : subjectHash_);
-        
-    return;
-    
-err:
-    source_.SetError(CONTENT_E);
+    *ptr = 0;
+
+    if (nt == ISSUER)
+        sha.Final(issuerHash_);
+    else
+        sha.Final(subjectHash_);
 }
 
 
@@ -794,8 +846,7 @@ void CertDecoder::GetDate(DateType dt)
     memcpy(date, source_.get_current(), length);
     source_.advance(length);
 
-    if (!ValidateDate(date, b, dt) && verify_)
-    {
+    if (!ValidateDate(date, b, dt) && verify_) {
         if (dt == BEFORE)
             source_.SetError(BEFORE_DATE_E);
         else
@@ -856,7 +907,8 @@ void CertDecoder::GetCompareHash(const byte* plain, word32 sz, byte* digest,
 // validate signature signed by someone else
 bool CertDecoder::ValidateSignature(SignerList* signers)
 {
-    assert(signers);
+    if (!signers)
+        return false;
 
     SignerList::iterator first = signers->begin();
     SignerList::iterator last  = signers->end();
@@ -1077,8 +1129,7 @@ word32 DecodeDSA_Signature(byte* decoded, const byte* encoded, word32 sz)
         return 0;
     }
     word32 rLen = GetLength(source);
-    if (rLen != 20)
-    {
+    if (rLen != 20) {
         if (rLen == 21) {       // zero at front, eat
             source.next();
             --rLen;
@@ -1101,8 +1152,7 @@ word32 DecodeDSA_Signature(byte* decoded, const byte* encoded, word32 sz)
         return 0;
     }
     word32 sLen = GetLength(source);
-    if (sLen != 20)
-    {
+    if (sLen != 20) {
         if (sLen == 21) {
             source.next();          // zero at front, eat
             --sLen;
@@ -1123,6 +1173,7 @@ word32 DecodeDSA_Signature(byte* decoded, const byte* encoded, word32 sz)
 }
 
 
+/*
 // Get Cert in PEM format from BEGIN to END
 int GetCert(Source& source)
 {
@@ -1174,12 +1225,10 @@ void PKCS12_Decoder::Decode()
 
 
     // Get MacData optional
-    /*
-    mac     digestInfo  like certdecoder::getdigest?
-    macsalt octet string
-    iter    integer
+    // mac     digestInfo  like certdecoder::getdigest?
+    // macsalt octet string
+    // iter    integer
     
-    */
 }
 
 
@@ -1199,6 +1248,7 @@ int GetPKCS_Cert(const char* password, Source& source)
 
     return 0;
 }
+*/
 
 
 
diff --git a/extra/yassl/taocrypt/src/blowfish.cpp b/extra/yassl/taocrypt/src/blowfish.cpp
index 8ee2f3fe569..64e8f0a84aa 100644
--- a/extra/yassl/taocrypt/src/blowfish.cpp
+++ b/extra/yassl/taocrypt/src/blowfish.cpp
@@ -86,7 +86,10 @@ void Blowfish::Process(byte* out, const byte* in, word32 sz)
 
 void Blowfish::SetKey(const byte* key_string, word32 keylength, CipherDir dir)
 {
-	assert(keylength >= 4 && keylength <= 56);
+    if (keylength < 4)
+        keylength = 4;
+    else if (keylength > 56)
+        keylength = 56;
 
 	unsigned i, j=0, k;
 	word32 data, dspace[2] = {0, 0};
@@ -165,16 +168,21 @@ void Blowfish::crypt_block(const word32 in[2], word32 out[2]) const
 	word32 left  = in[0];
 	word32 right = in[1];
 
+	const word32  *const s = sbox_;
 	const word32* p = pbox_;
-    word32 tmp;
 
 	left ^= p[0];
 
-    BF_ROUNDS
+    // roll back up and use s and p index instead of just p
+    for (unsigned i = 0; i < ROUNDS / 2; i++) {
+        right ^= (((s[GETBYTE(left,3)] + s[256+GETBYTE(left,2)])
+            ^ s[2*256+GETBYTE(left,1)]) + s[3*256+GETBYTE(left,0)])
+            ^ p[2*i+1];
 
-#if ROUNDS == 20
-    BF_EXTRA_ROUNDS
-#endif
+        left ^= (((s[GETBYTE(right,3)] + s[256+GETBYTE(right,2)])
+            ^ s[2*256+GETBYTE(right,1)]) + s[3*256+GETBYTE(right,0)])
+            ^ p[2*i+2];
+    }
 
 	right ^= p[ROUNDS + 1];
 
@@ -188,17 +196,23 @@ typedef BlockGetAndPut gpBlock;
 void Blowfish::ProcessAndXorBlock(const byte* in, const byte* xOr, byte* out)
     const
 {
-    word32 tmp, left, right;
+    word32 left, right;
+	const word32  *const s = sbox_;
     const word32* p = pbox_;
     
     gpBlock::Get(in)(left)(right);
 	left ^= p[0];
 
-    BF_ROUNDS
+    // roll back up and use s and p index instead of just p
+    for (unsigned i = 0; i < ROUNDS / 2; i++) {
+        right ^= (((s[GETBYTE(left,3)] + s[256+GETBYTE(left,2)])
+            ^ s[2*256+GETBYTE(left,1)]) + s[3*256+GETBYTE(left,0)])
+            ^ p[2*i+1];
 
-#if ROUNDS == 20
-    BF_EXTRA_ROUNDS
-#endif
+        left ^= (((s[GETBYTE(right,3)] + s[256+GETBYTE(right,2)])
+            ^ s[2*256+GETBYTE(right,1)]) + s[3*256+GETBYTE(right,0)])
+            ^ p[2*i+2];
+    }
 
 	right ^= p[ROUNDS + 1];
 
diff --git a/extra/yassl/taocrypt/src/coding.cpp b/extra/yassl/taocrypt/src/coding.cpp
index 7c6a6a8bd8b..8647ea13f20 100644
--- a/extra/yassl/taocrypt/src/coding.cpp
+++ b/extra/yassl/taocrypt/src/coding.cpp
@@ -95,7 +95,6 @@ void HexEncoder::Encode()
 void HexDecoder::Decode()
 {
     word32 bytes = coded_.size();
-    assert((bytes % 2) == 0);
     decoded_.New(bytes / 2);
 
     word32 i(0);
@@ -104,15 +103,9 @@ void HexDecoder::Decode()
         byte b  = coded_.next() - 0x30;  // 0 starts at 0x30
         byte b2 = coded_.next() - 0x30;
 
-        // sanity checks
-        assert( b  < sizeof(hexDecode)/sizeof(hexDecode[0]) );
-        assert( b2 < sizeof(hexDecode)/sizeof(hexDecode[0]) );
-
         b  = hexDecode[b];
         b2 = hexDecode[b2];
-        
-        assert( b != bad && b2 != bad );
-        
+
         decoded_[i++] = (b << 4) | b2;
         bytes -= 2;
     }
@@ -174,9 +167,9 @@ void Base64Encoder::Encode()
     } 
 
     encoded_[i++] = '\n';
-    assert(i == outSz);
-
-    plain_.reset(encoded_);
+    
+    if (i == outSz)
+        plain_.reset(encoded_);
 }
 
 
@@ -197,7 +190,6 @@ void Base64Decoder::Decode()
         byte e3 = coded_.next();
         byte e4 = coded_.next();
 
-        // do asserts first
         if (e1 == 0)            // end file 0's
             break;
 
diff --git a/extra/yassl/taocrypt/src/dsa.cpp b/extra/yassl/taocrypt/src/dsa.cpp
index 79ee91e76f9..a4e9c9503e7 100644
--- a/extra/yassl/taocrypt/src/dsa.cpp
+++ b/extra/yassl/taocrypt/src/dsa.cpp
@@ -183,7 +183,8 @@ word32 DSA_Signer::Sign(const byte* sha_digest, byte* sig,
     Integer kInv = k.InverseMod(q);
     s_ = (kInv * (H + x*r_)) % q;
 
-    assert(!!r_ && !!s_);
+    if (!(!!r_ && !!s_))
+        return -1;
 
     int rSz = r_.ByteCount();
 
diff --git a/extra/yassl/taocrypt/src/hash.cpp b/extra/yassl/taocrypt/src/hash.cpp
index c51dc42a909..b36a486368c 100644
--- a/extra/yassl/taocrypt/src/hash.cpp
+++ b/extra/yassl/taocrypt/src/hash.cpp
@@ -21,7 +21,6 @@
 
 #include "runtime.hpp"
 #include 
-#include 
 
 #include "hash.hpp"
 
@@ -31,8 +30,6 @@ namespace TaoCrypt {
 
 HASHwithTransform::HASHwithTransform(word32 digSz, word32 buffSz)
 {
-    assert(digSz  <= MaxDigestSz);
-    assert(buffSz <= MaxBufferSz);
 }
 
 
@@ -73,15 +70,15 @@ void HASHwithTransform::Update(const byte* data, word32 len)
 // Final process, place digest in hash
 void HASHwithTransform::Final(byte* hash)
 {
-    word32    blockSz   = getBlockSize();
-    word32    digestSz  = getDigestSize();
-    word32    padSz     = getPadSize();
-    ByteOrder order     = getByteOrder();
+    word32    blockSz  = getBlockSize();
+    word32    digestSz = getDigestSize();
+    word32    padSz    = getPadSize();
+    ByteOrder order    = getByteOrder();
 
     AddLength(buffLen_);                        // before adding pads
     HashLengthType preLoLen = GetBitCountLo();
     HashLengthType preHiLen = GetBitCountHi();
-    byte*     local     = reinterpret_cast(buffer_);
+    byte*     local         = reinterpret_cast(buffer_);
 
     local[buffLen_++] = 0x80;  // add 1
 
@@ -95,7 +92,7 @@ void HASHwithTransform::Final(byte* hash)
         buffLen_ = 0;
     }
     memset(&local[buffLen_], 0, padSz - buffLen_);
-
+   
     ByteReverseIf(local, local, blockSz, order);
     
     memcpy(&local[padSz],   order ? &preHiLen : &preLoLen, sizeof(preLoLen));
@@ -113,8 +110,6 @@ void HASHwithTransform::Final(byte* hash)
 
 HASH64withTransform::HASH64withTransform(word32 digSz, word32 buffSz)
 {
-    assert(digSz  <= MaxDigestSz);
-    assert(buffSz <= MaxBufferSz);
 }
 
 
diff --git a/extra/yassl/taocrypt/src/hc128.cpp b/extra/yassl/taocrypt/src/hc128.cpp
new file mode 100644
index 00000000000..aac92f0abb4
--- /dev/null
+++ b/extra/yassl/taocrypt/src/hc128.cpp
@@ -0,0 +1,317 @@
+/*
+   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ 
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+ 
+   You should have received a copy of the GNU General Public License
+   along with this program; see the file COPYING. If not, write to the
+   Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+   MA  02110-1301  USA.
+*/
+
+
+#include "runtime.hpp"
+#include "hc128.hpp"
+
+
+
+namespace TaoCrypt {
+
+
+
+
+#ifdef BIG_ENDIAN_ORDER
+    #define LITTLE32(x) ByteReverse((word32)x)
+#else
+    #define LITTLE32(x) (x)
+#endif
+
+
+/*h1 function*/
+#define h1(x, y) {                              \
+     byte a,c;                                  \
+     a = (byte) (x);                            \
+     c = (byte) ((x) >> 16);                    \
+     y = (T_[512+a])+(T_[512+256+c]);           \
+}
+
+/*h2 function*/
+#define h2(x, y) {                              \
+     byte a,c;                                  \
+     a = (byte) (x);                            \
+     c = (byte) ((x) >> 16);                    \
+     y = (T_[a])+(T_[256+c]);                   \
+}
+
+/*one step of HC-128, update P and generate 32 bits keystream*/
+#define step_P(u,v,a,b,c,d,n){                  \
+     word32 tem0,tem1,tem2,tem3;                \
+     h1((X_[(d)]),tem3);                        \
+     tem0 = rotrFixed((T_[(v)]),23);            \
+     tem1 = rotrFixed((X_[(c)]),10);            \
+     tem2 = rotrFixed((X_[(b)]),8);             \
+     (T_[(u)]) += tem2+(tem0 ^ tem1);           \
+     (X_[(a)]) = (T_[(u)]);                     \
+     (n) = tem3 ^ (T_[(u)]) ;                   \
+}       
+
+/*one step of HC-128, update Q and generate 32 bits keystream*/
+#define step_Q(u,v,a,b,c,d,n){                  \
+     word32 tem0,tem1,tem2,tem3;                \
+     h2((Y_[(d)]),tem3);                        \
+     tem0 = rotrFixed((T_[(v)]),(32-23));       \
+     tem1 = rotrFixed((Y_[(c)]),(32-10));       \
+     tem2 = rotrFixed((Y_[(b)]),(32-8));        \
+     (T_[(u)]) += tem2 + (tem0 ^ tem1);         \
+     (Y_[(a)]) = (T_[(u)]);                     \
+     (n) = tem3 ^ (T_[(u)]) ;                   \
+}   
+
+
+/*16 steps of HC-128, generate 512 bits keystream*/
+void HC128::GenerateKeystream(word32* keystream)  
+{
+   word32 cc,dd;
+   cc = counter1024_ & 0x1ff;
+   dd = (cc+16)&0x1ff;
+
+   if (counter1024_ < 512)	
+   {   		
+      counter1024_ = (counter1024_ + 16) & 0x3ff;
+      step_P(cc+0, cc+1, 0, 6, 13,4, keystream[0]);
+      step_P(cc+1, cc+2, 1, 7, 14,5, keystream[1]);
+      step_P(cc+2, cc+3, 2, 8, 15,6, keystream[2]);
+      step_P(cc+3, cc+4, 3, 9, 0, 7, keystream[3]);
+      step_P(cc+4, cc+5, 4, 10,1, 8, keystream[4]);
+      step_P(cc+5, cc+6, 5, 11,2, 9, keystream[5]);
+      step_P(cc+6, cc+7, 6, 12,3, 10,keystream[6]);
+      step_P(cc+7, cc+8, 7, 13,4, 11,keystream[7]);
+      step_P(cc+8, cc+9, 8, 14,5, 12,keystream[8]);
+      step_P(cc+9, cc+10,9, 15,6, 13,keystream[9]);
+      step_P(cc+10,cc+11,10,0, 7, 14,keystream[10]);
+      step_P(cc+11,cc+12,11,1, 8, 15,keystream[11]);
+      step_P(cc+12,cc+13,12,2, 9, 0, keystream[12]);
+      step_P(cc+13,cc+14,13,3, 10,1, keystream[13]);
+      step_P(cc+14,cc+15,14,4, 11,2, keystream[14]);
+      step_P(cc+15,dd+0, 15,5, 12,3, keystream[15]);
+   }
+   else				    
+   {
+	  counter1024_ = (counter1024_ + 16) & 0x3ff;
+      step_Q(512+cc+0, 512+cc+1, 0, 6, 13,4, keystream[0]);
+      step_Q(512+cc+1, 512+cc+2, 1, 7, 14,5, keystream[1]);
+      step_Q(512+cc+2, 512+cc+3, 2, 8, 15,6, keystream[2]);
+      step_Q(512+cc+3, 512+cc+4, 3, 9, 0, 7, keystream[3]);
+      step_Q(512+cc+4, 512+cc+5, 4, 10,1, 8, keystream[4]);
+      step_Q(512+cc+5, 512+cc+6, 5, 11,2, 9, keystream[5]);
+      step_Q(512+cc+6, 512+cc+7, 6, 12,3, 10,keystream[6]);
+      step_Q(512+cc+7, 512+cc+8, 7, 13,4, 11,keystream[7]);
+      step_Q(512+cc+8, 512+cc+9, 8, 14,5, 12,keystream[8]);
+      step_Q(512+cc+9, 512+cc+10,9, 15,6, 13,keystream[9]);
+      step_Q(512+cc+10,512+cc+11,10,0, 7, 14,keystream[10]);
+      step_Q(512+cc+11,512+cc+12,11,1, 8, 15,keystream[11]);
+      step_Q(512+cc+12,512+cc+13,12,2, 9, 0, keystream[12]);
+      step_Q(512+cc+13,512+cc+14,13,3, 10,1, keystream[13]);
+      step_Q(512+cc+14,512+cc+15,14,4, 11,2, keystream[14]);
+      step_Q(512+cc+15,512+dd+0, 15,5, 12,3, keystream[15]);
+   }
+}
+
+
+/* The following defines the initialization functions */
+#define f1(x)  (rotrFixed((x),7)  ^ rotrFixed((x),18) ^ ((x) >> 3))
+#define f2(x)  (rotrFixed((x),17) ^ rotrFixed((x),19) ^ ((x) >> 10))
+
+/*update table P*/
+#define update_P(u,v,a,b,c,d){                      \
+     word32 tem0,tem1,tem2,tem3;                    \
+     tem0 = rotrFixed((T_[(v)]),23);                \
+     tem1 = rotrFixed((X_[(c)]),10);                \
+     tem2 = rotrFixed((X_[(b)]),8);                 \
+     h1((X_[(d)]),tem3);                            \
+     (T_[(u)]) = ((T_[(u)]) + tem2+(tem0^tem1)) ^ tem3;     \
+     (X_[(a)]) = (T_[(u)]);                         \
+}  
+
+/*update table Q*/
+#define update_Q(u,v,a,b,c,d){                      \
+     word32 tem0,tem1,tem2,tem3;                    \
+     tem0 = rotrFixed((T_[(v)]),(32-23));           \
+     tem1 = rotrFixed((Y_[(c)]),(32-10));           \
+     tem2 = rotrFixed((Y_[(b)]),(32-8));            \
+     h2((Y_[(d)]),tem3);                            \
+     (T_[(u)]) = ((T_[(u)]) + tem2+(tem0^tem1)) ^ tem3;     \
+     (Y_[(a)]) = (T_[(u)]);                         \
+}     
+
+/*16 steps of HC-128, without generating keystream, */
+/*but use the outputs to update P and Q*/
+void HC128::SetupUpdate()  /*each time 16 steps*/
+{
+   word32 cc,dd;
+   cc = counter1024_ & 0x1ff;
+   dd = (cc+16)&0x1ff;
+
+   if (counter1024_ < 512)	
+   {   		
+      counter1024_ = (counter1024_ + 16) & 0x3ff;
+      update_P(cc+0, cc+1, 0, 6, 13, 4);
+      update_P(cc+1, cc+2, 1, 7, 14, 5);
+      update_P(cc+2, cc+3, 2, 8, 15, 6);
+      update_P(cc+3, cc+4, 3, 9, 0,  7);
+      update_P(cc+4, cc+5, 4, 10,1,  8);
+      update_P(cc+5, cc+6, 5, 11,2,  9);
+      update_P(cc+6, cc+7, 6, 12,3,  10);
+      update_P(cc+7, cc+8, 7, 13,4,  11);
+      update_P(cc+8, cc+9, 8, 14,5,  12);
+      update_P(cc+9, cc+10,9, 15,6,  13);
+      update_P(cc+10,cc+11,10,0, 7,  14);
+      update_P(cc+11,cc+12,11,1, 8,  15);
+      update_P(cc+12,cc+13,12,2, 9,  0);
+      update_P(cc+13,cc+14,13,3, 10, 1);
+      update_P(cc+14,cc+15,14,4, 11, 2);
+      update_P(cc+15,dd+0, 15,5, 12, 3);   
+   }
+   else				    
+   {
+      counter1024_ = (counter1024_ + 16) & 0x3ff;
+      update_Q(512+cc+0, 512+cc+1, 0, 6, 13, 4);
+      update_Q(512+cc+1, 512+cc+2, 1, 7, 14, 5);
+      update_Q(512+cc+2, 512+cc+3, 2, 8, 15, 6);
+      update_Q(512+cc+3, 512+cc+4, 3, 9, 0,  7);
+      update_Q(512+cc+4, 512+cc+5, 4, 10,1,  8);
+      update_Q(512+cc+5, 512+cc+6, 5, 11,2,  9);
+      update_Q(512+cc+6, 512+cc+7, 6, 12,3,  10);
+      update_Q(512+cc+7, 512+cc+8, 7, 13,4,  11);
+      update_Q(512+cc+8, 512+cc+9, 8, 14,5,  12);
+      update_Q(512+cc+9, 512+cc+10,9, 15,6,  13);
+      update_Q(512+cc+10,512+cc+11,10,0, 7,  14);
+      update_Q(512+cc+11,512+cc+12,11,1, 8,  15);
+      update_Q(512+cc+12,512+cc+13,12,2, 9,  0);
+      update_Q(512+cc+13,512+cc+14,13,3, 10, 1);
+      update_Q(512+cc+14,512+cc+15,14,4, 11, 2);
+      update_Q(512+cc+15,512+dd+0, 15,5, 12, 3); 
+   }       
+}
+
+
+/* for the 128-bit key:  key[0]...key[15]
+*  key[0] is the least significant byte of ctx->key[0] (K_0);
+*  key[3] is the most significant byte of ctx->key[0]  (K_0);
+*  ...
+*  key[12] is the least significant byte of ctx->key[3] (K_3)
+*  key[15] is the most significant byte of ctx->key[3]  (K_3)
+*
+*  for the 128-bit iv:  iv[0]...iv[15]
+*  iv[0] is the least significant byte of ctx->iv[0] (IV_0);
+*  iv[3] is the most significant byte of ctx->iv[0]  (IV_0);
+*  ...
+*  iv[12] is the least significant byte of ctx->iv[3] (IV_3)
+*  iv[15] is the most significant byte of ctx->iv[3]  (IV_3)
+*/
+
+
+
+void HC128::SetIV(const byte* iv)
+{ 
+    word32 i;
+	
+	for (i = 0; i < (128 >> 5); i++)
+        iv_[i] = LITTLE32(((word32*)iv)[i]);
+	
+    for (; i < 8; i++) iv_[i] = iv_[i-4];
+  
+    /* expand the key and IV into the table T */ 
+    /* (expand the key and IV into the table P and Q) */ 
+	
+	for (i = 0; i < 8;  i++)   T_[i] = key_[i];
+	for (i = 8; i < 16; i++)   T_[i] = iv_[i-8];
+
+    for (i = 16; i < (256+16); i++) 
+		T_[i] = f2(T_[i-2]) + T_[i-7] + f1(T_[i-15]) + T_[i-16]+i;
+    
+	for (i = 0; i < 16;  i++)  T_[i] = T_[256+i];
+
+	for (i = 16; i < 1024; i++) 
+		T_[i] = f2(T_[i-2]) + T_[i-7] + f1(T_[i-15]) + T_[i-16]+256+i;
+    
+    /* initialize counter1024, X and Y */
+	counter1024_ = 0;
+	for (i = 0; i < 16; i++) X_[i] = T_[512-16+i];
+    for (i = 0; i < 16; i++) Y_[i] = T_[512+512-16+i];
+    
+    /* run the cipher 1024 steps before generating the output */
+	for (i = 0; i < 64; i++)  SetupUpdate();  
+}
+
+
+void HC128::SetKey(const byte* key, const byte* iv)
+{ 
+  word32 i;  
+
+  /* Key size in bits 128 */ 
+  for (i = 0; i < (128 >> 5); i++)
+      key_[i] = LITTLE32(((word32*)key)[i]);
+ 
+  for ( ; i < 8 ; i++) key_[i] = key_[i-4];
+
+  SetIV(iv);
+}
+
+
+/* The following defines the encryption of data stream */
+void HC128::Process(byte* output, const byte* input, word32 msglen)
+{
+  word32 i, keystream[16];
+
+  for ( ; msglen >= 64; msglen -= 64, input += 64, output += 64)
+  {
+	  GenerateKeystream(keystream);
+
+      /* unroll loop */
+	  ((word32*)output)[0]  = ((word32*)input)[0]  ^ LITTLE32(keystream[0]);
+	  ((word32*)output)[1]  = ((word32*)input)[1]  ^ LITTLE32(keystream[1]);
+	  ((word32*)output)[2]  = ((word32*)input)[2]  ^ LITTLE32(keystream[2]);
+	  ((word32*)output)[3]  = ((word32*)input)[3]  ^ LITTLE32(keystream[3]);
+	  ((word32*)output)[4]  = ((word32*)input)[4]  ^ LITTLE32(keystream[4]);
+	  ((word32*)output)[5]  = ((word32*)input)[5]  ^ LITTLE32(keystream[5]);
+	  ((word32*)output)[6]  = ((word32*)input)[6]  ^ LITTLE32(keystream[6]);
+	  ((word32*)output)[7]  = ((word32*)input)[7]  ^ LITTLE32(keystream[7]);
+	  ((word32*)output)[8]  = ((word32*)input)[8]  ^ LITTLE32(keystream[8]);
+	  ((word32*)output)[9]  = ((word32*)input)[9]  ^ LITTLE32(keystream[9]);
+	  ((word32*)output)[10] = ((word32*)input)[10] ^ LITTLE32(keystream[10]);
+	  ((word32*)output)[11] = ((word32*)input)[11] ^ LITTLE32(keystream[11]);
+	  ((word32*)output)[12] = ((word32*)input)[12] ^ LITTLE32(keystream[12]);
+	  ((word32*)output)[13] = ((word32*)input)[13] ^ LITTLE32(keystream[13]);
+	  ((word32*)output)[14] = ((word32*)input)[14] ^ LITTLE32(keystream[14]);
+	  ((word32*)output)[15] = ((word32*)input)[15] ^ LITTLE32(keystream[15]);
+  }
+
+  if (msglen > 0)
+  {
+      GenerateKeystream(keystream);
+
+#ifdef BIG_ENDIAN_ORDER
+      {
+          word32 wordsLeft = msglen / sizeof(word32);
+          if (msglen % sizeof(word32)) wordsLeft++;
+          
+          ByteReverse(keystream, keystream, wordsLeft * sizeof(word32));
+      }
+#endif
+
+      for (i = 0; i < msglen; i++)
+	      output[i] = input[i] ^ ((byte*)keystream)[i];
+  }
+
+}
+
+
+}  // namespace
diff --git a/extra/yassl/taocrypt/src/integer.cpp b/extra/yassl/taocrypt/src/integer.cpp
index c00815df8cf..2d55f48e91f 100644
--- a/extra/yassl/taocrypt/src/integer.cpp
+++ b/extra/yassl/taocrypt/src/integer.cpp
@@ -73,7 +73,8 @@ template 
 CPP_TYPENAME AlignedAllocator::pointer AlignedAllocator::allocate(
                                            size_type n, const void *)
 {
-    CheckSize(n);
+    if (n > max_size())
+        return 0;
     if (n == 0)
         return 0;
     if (n >= 4)
@@ -91,16 +92,13 @@ CPP_TYPENAME AlignedAllocator::pointer AlignedAllocator::allocate(
     #endif
 
     #ifdef TAOCRYPT_NO_ALIGNED_ALLOC
-        assert(m_pBlock == 0);
         m_pBlock = p;
         if (!IsAlignedOn(p, 16))
         {
-            assert(IsAlignedOn(p, 8));
             p = (byte *)p + 8;
         }
     #endif
 
-        assert(IsAlignedOn(p, 16));
         return (T*)p;
     }
     return NEW_TC T[n];
@@ -116,7 +114,6 @@ void AlignedAllocator::deallocate(void* p, size_type n)
         #ifdef TAOCRYPT_MM_MALLOC_AVAILABLE
             _mm_free(p);
         #elif defined(TAOCRYPT_NO_ALIGNED_ALLOC)
-            assert(m_pBlock == p || (byte*)m_pBlock+8 == p);
             free(m_pBlock);
             m_pBlock = 0;
         #else
@@ -284,14 +281,14 @@ DWord() {}
 
 private:
     struct dword_struct
-    {
-    #ifdef LITTLE_ENDIAN_ORDER
-        word low;
-        word high;
-    #else
-        word high;
-        word low;
-    #endif
+        {
+        #ifdef LITTLE_ENDIAN_ORDER
+            word low;
+            word high;
+        #else
+            word high;
+            word low;
+        #endif
     };
 
     union
@@ -365,9 +362,6 @@ private:
 template 
 S DivideThreeWordsByTwo(S* A, S B0, S B1, D* dummy_VC6_WorkAround = 0)
 {
-    // assert {A[2],A[1]} < {B1,B0}, so quotient can fit in a S
-    assert(A[2] < B1 || (A[2]==B1 && A[1] < B0));
-
     // estimate the quotient: do a 2 S by 1 S divide
     S Q;
     if (S(B1+1) == 0)
@@ -393,7 +387,6 @@ S DivideThreeWordsByTwo(S* A, S B0, S B1, D* dummy_VC6_WorkAround = 0)
         A[1] = u.GetLowHalf();
         A[2] += u.GetHighHalf();
         Q++;
-        assert(Q);	// shouldn't overflow
     }
 
     return Q;
@@ -491,7 +484,6 @@ static int Compare(const word *A, const word *B, unsigned int N)
 
 static word Increment(word *A, unsigned int N, word B=1)
 {
-    assert(N);
     word t = A[0];
     A[0] = t+B;
     if (A[0] >= t)
@@ -504,7 +496,6 @@ static word Increment(word *A, unsigned int N, word B=1)
 
 static word Decrement(word *A, unsigned int N, word B=1)
 {
-    assert(N);
     word t = A[0];
     A[0] = t-B;
     if (A[0] <= t)
@@ -538,14 +529,11 @@ static word LinearMultiply(word *C, const word *A, word B, unsigned int N)
 
 static word AtomicInverseModPower2(word A)
 {
-    assert(A%2==1);
-
     word R=A%8;
 
     for (unsigned i=3; i=2 && N%2==0);
-
     if (LowLevel::MultiplyRecursionLimit() >= 8 && N==8)
         LowLevel::Multiply8(R, A, B);
     else if (LowLevel::MultiplyRecursionLimit() >= 4 && N==4)
@@ -2188,7 +2169,6 @@ void RecursiveMultiply(word *R, word *T, const word *A, const word *B,
         carry += LowLevel::Add(T0, T0, R2, N);
         carry += LowLevel::Add(R1, R1, T0, N);
 
-        assert (carry >= 0 && carry <= 2);
         Increment(R3, N2, carry);
     }
 }
@@ -2196,9 +2176,6 @@ void RecursiveMultiply(word *R, word *T, const word *A, const word *B,
 
 void RecursiveSquare(word *R, word *T, const word *A, unsigned int N)                     
 {
-    assert(N && N%2==0);
-    if (LowLevel::SquareRecursionLimit() >= 8 && N==8)
-        LowLevel::Square8(R, A);
     if (LowLevel::SquareRecursionLimit() >= 4 && N==4)
         LowLevel::Square4(R, A);
     else if (N==2)
@@ -2227,7 +2204,6 @@ void RecursiveSquare(word *R, word *T, const word *A, unsigned int N)
 void RecursiveMultiplyBottom(word *R, word *T, const word *A, const word *B,
                              unsigned int N)
 {
-    assert(N>=2 && N%2==0);
     if (LowLevel::MultiplyBottomRecursionLimit() >= 8 && N==8)
         LowLevel::Multiply8Bottom(R, A, B);
     else if (LowLevel::MultiplyBottomRecursionLimit() >= 4 && N==4)
@@ -2250,8 +2226,6 @@ void RecursiveMultiplyBottom(word *R, word *T, const word *A, const word *B,
 void RecursiveMultiplyTop(word *R, word *T, const word *L, const word *A,
                           const word *B, unsigned int N)
 {
-    assert(N>=2 && N%2==0);
-
     if (N==4)
     {
         LowLevel::Multiply4(T, A, B);
@@ -2315,7 +2289,6 @@ void RecursiveMultiplyTop(word *R, word *T, const word *L, const word *A,
         carry += Increment(R0, N2, c2+t);
         carry += LowLevel::Add(R0, R0, T1, N2);
         carry += LowLevel::Add(R0, R0, T3, N2);
-        assert (carry >= 0 && carry <= 2);
 
         CopyWords(R1, T3, N2);
         Increment(R1, N2, carry);
@@ -2364,9 +2337,6 @@ void AsymmetricMultiply(word *R, word *T, const word *A, unsigned int NA,
         STL::swap(NA, NB);
     }
 
-    assert(NB % NA == 0);
-    assert((NB/NA)%2 == 0); 	// NB is an even multiple of NA
-
     if (NA==2 && !A[1])
     {
         switch (A[0])
@@ -2433,8 +2403,6 @@ static inline unsigned int EvenWordCount(const word *X, unsigned int N)
 unsigned int AlmostInverse(word *R, word *T, const word *A, unsigned int NA,
                            const word *M, unsigned int N)
 {
-    assert(NA<=N && N && N%2==0);
-
     word *b = T;
     word *c = T+N;
     word *f = T+2*N;
@@ -2460,7 +2428,6 @@ unsigned int AlmostInverse(word *R, word *T, const word *A, unsigned int NA,
 
             ShiftWordsRightByWords(f, fgLen, 1);
             if (c[bcLen-1]) bcLen+=2;
-            assert(bcLen <= N);
             ShiftWordsLeftByWords(c, bcLen, 1);
             k+=WORD_BITS;
             t=f[0];
@@ -2489,7 +2456,6 @@ unsigned int AlmostInverse(word *R, word *T, const word *A, unsigned int NA,
         {
             c[bcLen] = t;
             bcLen+=2;
-            assert(bcLen <= N);
         }
 
         if (f[fgLen-2]==0 && g[fgLen-2]==0 && f[fgLen-1]==0 && g[fgLen-1]==0)
@@ -2508,7 +2474,6 @@ unsigned int AlmostInverse(word *R, word *T, const word *A, unsigned int NA,
         {
             b[bcLen] = 1;
             bcLen+=2;
-            assert(bcLen <= N);
         }
     }
 }
@@ -2741,8 +2706,6 @@ void Integer::Randomize(RandomNumberGenerator& rng, unsigned int nbits)
 void Integer::Randomize(RandomNumberGenerator& rng, const Integer& min,
                         const Integer& max)
 {
-    assert(min <= max);
-
     Integer range = max - min;
     const unsigned int nbits = range.BitCount();
 
@@ -2881,7 +2844,7 @@ Integer& Integer::operator++()
     else
     {
         word borrow = Decrement(reg_.get_buffer(), reg_.size());
-        assert(!borrow);
+        (void)borrow;           // shut up compiler
         if (WordCount()==0)
             *this = Zero();
     }
@@ -2998,7 +2961,6 @@ void PositiveSubtract(Integer &diff, const Integer &a, const Integer& b)
                                b.reg_.get_buffer(), bSize);
         CopyWords(diff.reg_+bSize, a.reg_+bSize, aSize-bSize);
         borrow = Decrement(diff.reg_+bSize, aSize-bSize, borrow);
-        assert(!borrow);
         diff.sign_ = Integer::POSITIVE;
     }
     else
@@ -3007,7 +2969,6 @@ void PositiveSubtract(Integer &diff, const Integer &a, const Integer& b)
                                a.reg_.get_buffer(), aSize);
         CopyWords(diff.reg_+aSize, b.reg_+aSize, bSize-aSize);
         borrow = Decrement(diff.reg_+aSize, bSize-aSize, borrow);
-        assert(!borrow);
         diff.sign_ = Integer::NEGATIVE;
     }
 }
@@ -3067,7 +3028,6 @@ bool Integer::GetBit(unsigned int n) const
 
 unsigned long Integer::GetBits(unsigned int i, unsigned int n) const
 {
-    assert(n <= sizeof(unsigned long)*8);
     unsigned long v = 0;
     for (unsigned int j=0; j(reg_[1]);
     return sign_ == POSITIVE ? value : -(signed long)value;
@@ -3227,11 +3185,9 @@ static inline void AtomicDivide(word *Q, const word *A, const word *B)
     {
         // multiply quotient and divisor and add remainder, make sure it 
         // equals dividend
-        assert(!T[2] && !T[3] && (T[1] < B[1] || (T[1]==B[1] && T[0]= 0)
     {
         R[N] -= Subtract(R, R, B, N);
         Q[1] += (++Q[0]==0);
-        assert(Q[0] || Q[1]); // no overflow
     }
 }
 
@@ -3280,10 +3233,6 @@ static void CorrectQuotientEstimate(word *R, word *T, word *Q, const word *B,
 void Divide(word* R, word* Q, word* T, const word* A, unsigned int NA,
             const word* B, unsigned int NB)
 {
-    assert(NA && NB && NA%2==0 && NB%2==0);
-    assert(B[NB-1] || B[NB-2]);
-    assert(NB <= NA);
-
     // set up temporary work space
     word *const TA=T;
     word *const TB=T+NA+2;
@@ -3294,7 +3243,6 @@ void Divide(word* R, word* Q, word* T, const word* A, unsigned int NA,
     TB[0] = TB[NB-1] = 0;
     CopyWords(TB+shiftWords, B, NB-shiftWords);
     unsigned shiftBits = WORD_BITS - BitPrecision(TB[NB-1]);
-    assert(shiftBits < WORD_BITS);
     ShiftWordsLeftByBits(TB, NB, shiftBits);
 
     // copy A into TA and normalize it
@@ -3314,7 +3262,6 @@ void Divide(word* R, word* Q, word* T, const word* A, unsigned int NA,
     else
     {
         NA+=2;
-        assert(Compare(TA+NA-NB, TB, NB) < 0);
     }
 
     word BT[2];
@@ -3340,8 +3287,6 @@ void PositiveDivide(Integer& remainder, Integer& quotient,
     unsigned aSize = a.WordCount();
     unsigned bSize = b.WordCount();
 
-    assert(bSize);
-
     if (a.PositiveCompare(b) == -1)
     {
         remainder = a;
@@ -3429,8 +3374,6 @@ Integer Integer::Modulo(const Integer &b) const
 void Integer::Divide(word &remainder, Integer "ient,
                      const Integer ÷nd, word divisor)
 {
-    assert(divisor);
-
     if ((divisor & (divisor-1)) == 0)	// divisor is a power of 2
     {
         quotient = dividend >> (BitPrecision(divisor)-1);
@@ -3470,8 +3413,6 @@ Integer Integer::DividedBy(word b) const
 
 word Integer::Modulo(word divisor) const
 {
-    assert(divisor);
-
     word remainder;
 
     if ((divisor & (divisor-1)) == 0)	// divisor is a power of 2
@@ -3517,7 +3458,6 @@ Integer Integer::SquareRoot() const
 
     // overestimate square root
     Integer x, y = Power2((BitCount()+1)/2);
-    assert(y*y >= *this);
 
     do
     {
@@ -3562,8 +3502,6 @@ Integer Integer::Gcd(const Integer &a, const Integer &b)
 
 Integer Integer::InverseMod(const Integer &m) const
 {
-    assert(m.NotNegative());
-
     if (IsNegative() || *this>=m)
         return (*this%m).InverseMod(m);
 
@@ -3806,7 +3744,7 @@ void MontgomeryReduce(word *R, word *T, const word *X, const word *M,
     word borrow = Subtract(T, X+N, T, N);
     // defend against timing attack by doing this Add even when not needed
     word carry = Add(T+N, T, M, N);
-    assert(carry || !borrow);
+    (void)carry;            // shut up compiler
     CopyWords(R, T + (borrow ? N : 0), N);
 }
 
@@ -3862,7 +3800,6 @@ MontgomeryRepresentation::MontgomeryRepresentation(const Integer &m)
       u((word)0, modulus.reg_.size()),
       workspace(5*modulus.reg_.size())
 {
-    assert(modulus.IsOdd());
     RecursiveInverseModPower2(u.reg_.get_buffer(), workspace.get_buffer(),
                               modulus.reg_.get_buffer(), modulus.reg_.size());
 }
@@ -3873,7 +3810,6 @@ const Integer& MontgomeryRepresentation::Multiply(const Integer &a,
     word *const T = workspace.begin();
     word *const R = result.reg_.begin();
     const unsigned int N = modulus.reg_.size();
-    assert(a.reg_.size()<=N && b.reg_.size()<=N);
 
     AsymmetricMultiply(T, T+2*N, a.reg_.get_buffer(), a.reg_.size(),
                        b.reg_.get_buffer(), b.reg_.size());
@@ -3888,7 +3824,6 @@ const Integer& MontgomeryRepresentation::Square(const Integer &a) const
     word *const T = workspace.begin();
     word *const R = result.reg_.begin();
     const unsigned int N = modulus.reg_.size();
-    assert(a.reg_.size()<=N);
 
     TaoCrypt::Square(T, T+2*N, a.reg_.get_buffer(), a.reg_.size());
     SetWords(T+2*a.reg_.size(), 0, 2*N-2*a.reg_.size());
@@ -3902,7 +3837,6 @@ Integer MontgomeryRepresentation::ConvertOut(const Integer &a) const
     word *const T = workspace.begin();
     word *const R = result.reg_.begin();
     const unsigned int N = modulus.reg_.size();
-    assert(a.reg_.size()<=N);
 
     CopyWords(T, a.reg_.get_buffer(), a.reg_.size());
     SetWords(T+a.reg_.size(), 0, 2*N-a.reg_.size());
@@ -3919,7 +3853,6 @@ const Integer& MontgomeryRepresentation::MultiplicativeInverse(
     word *const T = workspace.begin();
     word *const R = result.reg_.begin();
     const unsigned int N = modulus.reg_.size();
-    assert(a.reg_.size()<=N);
 
     CopyWords(T, a.reg_.get_buffer(), a.reg_.size());
     SetWords(T+a.reg_.size(), 0, 2*N-a.reg_.size());
diff --git a/extra/yassl/taocrypt/src/make.bat b/extra/yassl/taocrypt/src/make.bat
old mode 100644
new mode 100755
diff --git a/extra/yassl/taocrypt/src/md4.cpp b/extra/yassl/taocrypt/src/md4.cpp
index cf17c218809..54820f4c944 100644
--- a/extra/yassl/taocrypt/src/md4.cpp
+++ b/extra/yassl/taocrypt/src/md4.cpp
@@ -27,7 +27,7 @@
     #include "algorithm.hpp"
 #endif
 
-   
+
 namespace STL = STL_NAMESPACE;
    
 
diff --git a/extra/yassl/taocrypt/src/md5.cpp b/extra/yassl/taocrypt/src/md5.cpp
index f18e0290c90..4d0a8bd03be 100644
--- a/extra/yassl/taocrypt/src/md5.cpp
+++ b/extra/yassl/taocrypt/src/md5.cpp
@@ -30,7 +30,7 @@
 
 namespace STL = STL_NAMESPACE;
 
-   
+
 
 namespace TaoCrypt {
 
@@ -108,14 +108,14 @@ void MD5::Update(const byte* data, word32 len)
 
     // at once for asm
     if (buffLen_ == 0) {
-            word32 times = len / BLOCK_SIZE;
-            if (times) {
-                AsmTransform(data, times);
-                const word32 add = BLOCK_SIZE * times;
-                AddLength(add);
-                len  -= add;
-                data += add;
-            }
+        word32 times = len / BLOCK_SIZE;
+        if (times) {
+            AsmTransform(data, times);
+            const word32 add = BLOCK_SIZE * times;
+            AddLength(add);
+            len  -= add;
+            data += add;
+        }
     }
 
     // cache any data left
diff --git a/extra/yassl/taocrypt/src/misc.cpp b/extra/yassl/taocrypt/src/misc.cpp
index 6045ea3e42b..5ffa2a2a07a 100644
--- a/extra/yassl/taocrypt/src/misc.cpp
+++ b/extra/yassl/taocrypt/src/misc.cpp
@@ -41,28 +41,28 @@ namespace STL = STL_NAMESPACE;
 
     void* operator new(size_t sz, TaoCrypt::new_t)
     {
-    void* ptr = malloc(sz ? sz : 1);
-    if (!ptr) abort();
+        void* ptr = malloc(sz ? sz : 1);
+        if (!ptr) abort();
 
-    return ptr;
+        return ptr;
     }
 
 
     void operator delete(void* ptr, TaoCrypt::new_t)
     {
-    if (ptr) free(ptr);
+        if (ptr) free(ptr);
     }
 
 
     void* operator new[](size_t sz, TaoCrypt::new_t nt)
     {
-    return ::operator new(sz, nt);
+        return ::operator new(sz, nt);
     }
 
 
     void operator delete[](void* ptr, TaoCrypt::new_t nt)
     {
-    ::operator delete(ptr, nt);
+        ::operator delete(ptr, nt);
     }
 
 
@@ -89,7 +89,6 @@ namespace STL = STL_NAMESPACE;
 // Handler for pure virtual functions
 namespace __Crun {
     void pure_error() {
-      assert(!"Aborted: pure virtual method called.");
     }
 }
 
@@ -100,7 +99,6 @@ namespace __Crun {
 extern "C" {
 
     int __cxa_pure_virtual() {
-      assert(!"Aborted: pure virtual method called.");
       return 0;
     }
 
@@ -196,8 +194,8 @@ bool HaveCpuId()
     return true;
 #else
     word32 eax, ebx;
-        __asm__ __volatile
-        (
+    __asm__ __volatile
+    (
         /* Put EFLAGS in eax and ebx */
         "pushf;"
         "pushf;"
@@ -214,9 +212,9 @@ bool HaveCpuId()
         "pop %0;"
         "popf"
         : "=r" (eax), "=r" (ebx)
-            :
+        :
         : "cc"
-        );
+    );
 
     if (eax == ebx)
         return false;
diff --git a/extra/yassl/taocrypt/src/rabbit.cpp b/extra/yassl/taocrypt/src/rabbit.cpp
new file mode 100644
index 00000000000..0ea4146618a
--- /dev/null
+++ b/extra/yassl/taocrypt/src/rabbit.cpp
@@ -0,0 +1,250 @@
+/*
+   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ 
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+ 
+   You should have received a copy of the GNU General Public License
+   along with this program; see the file COPYING. If not, write to the
+   Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+   MA  02110-1301  USA.
+*/
+
+
+#include "runtime.hpp"
+#include "rabbit.hpp"
+
+
+
+namespace TaoCrypt {
+
+
+#define U32V(x)  (word32)(x)
+
+
+#ifdef BIG_ENDIAN_ORDER
+    #define LITTLE32(x) ByteReverse((word32)x)
+#else
+    #define LITTLE32(x) (x)
+#endif
+
+
+// local
+namespace {
+
+
+/* Square a 32-bit unsigned integer to obtain the 64-bit result and return */
+/* the upper 32 bits XOR the lower 32 bits */
+word32 RABBIT_g_func(word32 x)
+{
+    /* Temporary variables */
+    word32 a, b, h, l;
+
+    /* Construct high and low argument for squaring */
+    a = x&0xFFFF;
+    b = x>>16;
+
+    /* Calculate high and low result of squaring */
+    h = (((U32V(a*a)>>17) + U32V(a*b))>>15) + b*b;
+    l = x*x;
+
+    /* Return high XOR low */
+    return U32V(h^l);
+}
+
+
+} // namespace local
+
+
+/* Calculate the next internal state */
+void Rabbit::NextState(RabbitCtx which)
+{
+    /* Temporary variables */
+    word32 g[8], c_old[8], i;
+
+    Ctx* ctx;
+
+    if (which == Master)
+        ctx = &masterCtx_;
+    else
+        ctx = &workCtx_;
+
+    /* Save old counter values */
+    for (i=0; i<8; i++)
+        c_old[i] = ctx->c[i];
+
+    /* Calculate new counter values */
+    ctx->c[0] = U32V(ctx->c[0] + 0x4D34D34D + ctx->carry);
+    ctx->c[1] = U32V(ctx->c[1] + 0xD34D34D3 + (ctx->c[0] < c_old[0]));
+    ctx->c[2] = U32V(ctx->c[2] + 0x34D34D34 + (ctx->c[1] < c_old[1]));
+    ctx->c[3] = U32V(ctx->c[3] + 0x4D34D34D + (ctx->c[2] < c_old[2]));
+    ctx->c[4] = U32V(ctx->c[4] + 0xD34D34D3 + (ctx->c[3] < c_old[3]));
+    ctx->c[5] = U32V(ctx->c[5] + 0x34D34D34 + (ctx->c[4] < c_old[4]));
+    ctx->c[6] = U32V(ctx->c[6] + 0x4D34D34D + (ctx->c[5] < c_old[5]));
+    ctx->c[7] = U32V(ctx->c[7] + 0xD34D34D3 + (ctx->c[6] < c_old[6]));
+    ctx->carry = (ctx->c[7] < c_old[7]);
+   
+    /* Calculate the g-values */
+    for (i=0;i<8;i++)
+        g[i] = RABBIT_g_func(U32V(ctx->x[i] + ctx->c[i]));
+
+    /* Calculate new state values */
+    ctx->x[0] = U32V(g[0] + rotlFixed(g[7],16) + rotlFixed(g[6], 16));
+    ctx->x[1] = U32V(g[1] + rotlFixed(g[0], 8) + g[7]);
+    ctx->x[2] = U32V(g[2] + rotlFixed(g[1],16) + rotlFixed(g[0], 16));
+    ctx->x[3] = U32V(g[3] + rotlFixed(g[2], 8) + g[1]);
+    ctx->x[4] = U32V(g[4] + rotlFixed(g[3],16) + rotlFixed(g[2], 16));
+    ctx->x[5] = U32V(g[5] + rotlFixed(g[4], 8) + g[3]);
+    ctx->x[6] = U32V(g[6] + rotlFixed(g[5],16) + rotlFixed(g[4], 16));
+    ctx->x[7] = U32V(g[7] + rotlFixed(g[6], 8) + g[5]);
+}
+
+
+/* IV setup */
+void Rabbit::SetIV(const byte* iv)
+{
+    /* Temporary variables */
+    word32 i0, i1, i2, i3, i;
+      
+    /* Generate four subvectors */
+    i0 = LITTLE32(*(word32*)(iv+0));
+    i2 = LITTLE32(*(word32*)(iv+4));
+    i1 = (i0>>16) | (i2&0xFFFF0000);
+    i3 = (i2<<16) | (i0&0x0000FFFF);
+
+    /* Modify counter values */
+    workCtx_.c[0] = masterCtx_.c[0] ^ i0;
+    workCtx_.c[1] = masterCtx_.c[1] ^ i1;
+    workCtx_.c[2] = masterCtx_.c[2] ^ i2;
+    workCtx_.c[3] = masterCtx_.c[3] ^ i3;
+    workCtx_.c[4] = masterCtx_.c[4] ^ i0;
+    workCtx_.c[5] = masterCtx_.c[5] ^ i1;
+    workCtx_.c[6] = masterCtx_.c[6] ^ i2;
+    workCtx_.c[7] = masterCtx_.c[7] ^ i3;
+
+    /* Copy state variables */
+    for (i=0; i<8; i++)
+        workCtx_.x[i] = masterCtx_.x[i];
+    workCtx_.carry = masterCtx_.carry;
+
+    /* Iterate the system four times */
+    for (i=0; i<4; i++)
+        NextState(Work);
+}
+
+
+/* Key setup */
+void Rabbit::SetKey(const byte* key, const byte* iv)
+{
+    /* Temporary variables */
+    word32 k0, k1, k2, k3, i;
+
+    /* Generate four subkeys */
+    k0 = LITTLE32(*(word32*)(key+ 0));
+    k1 = LITTLE32(*(word32*)(key+ 4));
+    k2 = LITTLE32(*(word32*)(key+ 8));
+    k3 = LITTLE32(*(word32*)(key+12));
+
+    /* Generate initial state variables */
+    masterCtx_.x[0] = k0;
+    masterCtx_.x[2] = k1;
+    masterCtx_.x[4] = k2;
+    masterCtx_.x[6] = k3;
+    masterCtx_.x[1] = U32V(k3<<16) | (k2>>16);
+    masterCtx_.x[3] = U32V(k0<<16) | (k3>>16);
+    masterCtx_.x[5] = U32V(k1<<16) | (k0>>16);
+    masterCtx_.x[7] = U32V(k2<<16) | (k1>>16);
+
+    /* Generate initial counter values */
+    masterCtx_.c[0] = rotlFixed(k2, 16);
+    masterCtx_.c[2] = rotlFixed(k3, 16);
+    masterCtx_.c[4] = rotlFixed(k0, 16);
+    masterCtx_.c[6] = rotlFixed(k1, 16);
+    masterCtx_.c[1] = (k0&0xFFFF0000) | (k1&0xFFFF);
+    masterCtx_.c[3] = (k1&0xFFFF0000) | (k2&0xFFFF);
+    masterCtx_.c[5] = (k2&0xFFFF0000) | (k3&0xFFFF);
+    masterCtx_.c[7] = (k3&0xFFFF0000) | (k0&0xFFFF);
+
+    /* Clear carry bit */
+    masterCtx_.carry = 0;
+
+    /* Iterate the system four times */
+    for (i=0; i<4; i++)
+        NextState(Master);
+
+    /* Modify the counters */
+    for (i=0; i<8; i++)
+        masterCtx_.c[i] ^= masterCtx_.x[(i+4)&0x7];
+
+    /* Copy master instance to work instance */
+    for (i=0; i<8; i++) {
+        workCtx_.x[i] = masterCtx_.x[i];
+        workCtx_.c[i] = masterCtx_.c[i];
+    }
+    workCtx_.carry = masterCtx_.carry;
+
+    if (iv) SetIV(iv);    
+}
+
+
+/* Encrypt/decrypt a message of any size */
+void Rabbit::Process(byte* output, const byte* input, word32 msglen)
+{
+    /* Temporary variables */
+    word32 i;
+    byte buffer[16];
+
+    /* Encrypt/decrypt all full blocks */
+    while (msglen >= 16) {
+        /* Iterate the system */
+        NextState(Work);
+
+        /* Encrypt/decrypt 16 bytes of data */
+        *(word32*)(output+ 0) = *(word32*)(input+ 0) ^
+                   LITTLE32(workCtx_.x[0] ^ (workCtx_.x[5]>>16) ^
+                   U32V(workCtx_.x[3]<<16));
+        *(word32*)(output+ 4) = *(word32*)(input+ 4) ^
+                   LITTLE32(workCtx_.x[2] ^ (workCtx_.x[7]>>16) ^
+                   U32V(workCtx_.x[5]<<16));
+        *(word32*)(output+ 8) = *(word32*)(input+ 8) ^
+                   LITTLE32(workCtx_.x[4] ^ (workCtx_.x[1]>>16) ^
+                   U32V(workCtx_.x[7]<<16));
+        *(word32*)(output+12) = *(word32*)(input+12) ^
+                   LITTLE32(workCtx_.x[6] ^ (workCtx_.x[3]>>16) ^
+                   U32V(workCtx_.x[1]<<16));
+
+        /* Increment pointers and decrement length */
+        input  += 16;
+        output += 16;
+        msglen -= 16;
+    }
+
+    /* Encrypt/decrypt remaining data */
+    if (msglen) {
+        /* Iterate the system */
+        NextState(Work);
+
+        /* Generate 16 bytes of pseudo-random data */
+        *(word32*)(buffer+ 0) = LITTLE32(workCtx_.x[0] ^
+                  (workCtx_.x[5]>>16) ^ U32V(workCtx_.x[3]<<16));
+        *(word32*)(buffer+ 4) = LITTLE32(workCtx_.x[2] ^ 
+                  (workCtx_.x[7]>>16) ^ U32V(workCtx_.x[5]<<16));
+        *(word32*)(buffer+ 8) = LITTLE32(workCtx_.x[4] ^ 
+                  (workCtx_.x[1]>>16) ^ U32V(workCtx_.x[7]<<16));
+        *(word32*)(buffer+12) = LITTLE32(workCtx_.x[6] ^ 
+                  (workCtx_.x[3]>>16) ^ U32V(workCtx_.x[1]<<16));
+
+        /* Encrypt/decrypt the data */
+        for (i=0; i maxOutputLen) || invalid;
@@ -179,7 +179,8 @@ word32 RSA_BlockType1::UnPad(const byte* pkcsBlock, word32 pkcsBlockLen,
     unsigned i=1;
     while (i maxOutputLen) || invalid;
diff --git a/extra/yassl/taocrypt/src/sha.cpp b/extra/yassl/taocrypt/src/sha.cpp
index ef165a342ad..1ae42d94e4c 100644
--- a/extra/yassl/taocrypt/src/sha.cpp
+++ b/extra/yassl/taocrypt/src/sha.cpp
@@ -344,14 +344,14 @@ void SHA::Update(const byte* data, word32 len)
 
     // all at once for asm
     if (buffLen_ == 0) {
-            word32 times = len / BLOCK_SIZE;
-            if (times) {
-                AsmTransform(data, times);
-                const word32 add = BLOCK_SIZE * times;
-                AddLength(add);
-                 len  -= add;
-                data += add;
-            }
+        word32 times = len / BLOCK_SIZE;
+        if (times) {
+            AsmTransform(data, times);
+            const word32 add = BLOCK_SIZE * times;
+            AddLength(add);
+            len  -= add;
+            data += add;
+        }
     }
 
     // cache any data left
diff --git a/extra/yassl/taocrypt/src/template_instnt.cpp b/extra/yassl/taocrypt/src/template_instnt.cpp
index 390da58e191..b472d18236f 100644
--- a/extra/yassl/taocrypt/src/template_instnt.cpp
+++ b/extra/yassl/taocrypt/src/template_instnt.cpp
@@ -61,7 +61,6 @@ template class PBKDF2_HMAC;
 template class HMAC;
 template class HMAC;
 template class HMAC;
-
 }
 
 namespace mySTL {
diff --git a/extra/yassl/taocrypt/src/twofish.cpp b/extra/yassl/taocrypt/src/twofish.cpp
index 272a0def169..4ff1304a4cd 100644
--- a/extra/yassl/taocrypt/src/twofish.cpp
+++ b/extra/yassl/taocrypt/src/twofish.cpp
@@ -140,8 +140,6 @@ inline word32 Twofish::h(word32 x, const word32* key, unsigned int kLen)
 
 void Twofish::SetKey(const byte* userKey, word32 keylen, CipherDir /*dummy*/)
 {
-	assert(keylen >= 16 && keylen <= 32);
-
 	unsigned int len = (keylen <= 16 ? 2 : (keylen <= 24 ? 3 : 4));
     word32 key[8];
 	GetUserKey(LittleEndianOrder, key, len*2, userKey, keylen);
diff --git a/extra/yassl/taocrypt/taocrypt.dsp b/extra/yassl/taocrypt/taocrypt.dsp
index 3f1b47990ad..9c8e74da8c8 100644
--- a/extra/yassl/taocrypt/taocrypt.dsp
+++ b/extra/yassl/taocrypt/taocrypt.dsp
@@ -138,6 +138,10 @@ SOURCE=.\src\hash.cpp
 # End Source File
 # Begin Source File
 
+SOURCE=.\src\hc128.cpp
+# End Source File
+# Begin Source File
+
 SOURCE=.\src\integer.cpp
 # End Source File
 # Begin Source File
@@ -158,6 +162,10 @@ SOURCE=.\src\misc.cpp
 # End Source File
 # Begin Source File
 
+SOURCE=.\src\rabbit.cpp
+# End Source File
+# Begin Source File
+
 SOURCE=.\src\random.cpp
 # End Source File
 # Begin Source File
@@ -238,6 +246,10 @@ SOURCE=.\include\hash.hpp
 # End Source File
 # Begin Source File
 
+SOURCE=.\include\hc128.hpp
+# End Source File
+# Begin Source File
+
 SOURCE=.\include\hmac.hpp
 # End Source File
 # Begin Source File
@@ -274,6 +286,10 @@ SOURCE=.\include\pwdbased.hpp
 # End Source File
 # Begin Source File
 
+SOURCE=.\include\rabbit.hpp
+# End Source File
+# Begin Source File
+
 SOURCE=.\include\random.hpp
 # End Source File
 # Begin Source File
diff --git a/extra/yassl/taocrypt/test/make.bat b/extra/yassl/taocrypt/test/make.bat
old mode 100644
new mode 100755
diff --git a/extra/yassl/taocrypt/test/memory.cpp b/extra/yassl/taocrypt/test/memory.cpp
index bac8f9c2e97..ec398a64c45 100644
--- a/extra/yassl/taocrypt/test/memory.cpp
+++ b/extra/yassl/taocrypt/test/memory.cpp
@@ -328,3 +328,32 @@ void operator delete[](void* ptr)
 {
     ::operator delete(ptr);
 }
+
+
+extern "C" {
+
+void* XMALLOC(size_t sz, void* head)
+{
+    return ::operator new(sz);
+}
+
+void* XREALLOC(void* ptr, size_t sz, void* heap)
+{
+    void* ret = ::operator new(sz);
+
+    if (ret && ptr)
+        memcpy(ret, ptr, sz);
+
+    if (ret)
+        ::operator delete(ptr);
+    return ret;
+}
+
+
+void XFREE(void* ptr, void* heap)
+{
+    ::operator delete(ptr);
+}
+
+}  // extern "C"
+
diff --git a/extra/yassl/taocrypt/test/test.cpp b/extra/yassl/taocrypt/test/test.cpp
index f8177b31e2f..4cd5dba8ac6 100644
--- a/extra/yassl/taocrypt/test/test.cpp
+++ b/extra/yassl/taocrypt/test/test.cpp
@@ -41,6 +41,8 @@
 #include "coding.hpp"
 #include "random.hpp"
 #include "pwdbased.hpp"
+#include "rabbit.hpp"
+#include "hc128.hpp"
 
 
 
@@ -100,16 +102,18 @@ using TaoCrypt::PBKDF2_HMAC;
 using TaoCrypt::tcArrayDelete;
 using TaoCrypt::GetCert;
 using TaoCrypt::GetPKCS_Cert;
-
+using TaoCrypt::Rabbit;
+using TaoCrypt::HC128;
 
 struct testVector {
     byte*  input_;
     byte*  output_; 
-    size_t inLen_;
-    size_t outLen_;
+    word32 inLen_;
+    word32 outLen_;
 
     testVector(const char* in, const char* out) : input_((byte*)in),
-               output_((byte*)out), inLen_(strlen(in)), outLen_(strlen(out)) {}
+               output_((byte*)out), inLen_((word32)strlen(in)),
+               outLen_((word32)strlen(out)) {}
 };
 
 int  sha_test();
@@ -134,13 +138,15 @@ int  dsa_test();
 int  dh_test();
 int  pwdbased_test();
 int  pkcs12_test();
+int  rabbit_test();
+int  hc128_test();
 
 TaoCrypt::RandomNumberGenerator rng;
 
 
 void err_sys(const char* msg, int es)
 {
-    printf("%s", msg);
+    printf("%s\n", msg);
     exit(es);    
 }
 
@@ -176,7 +182,7 @@ byte* cipher = 0;   // block output
 void taocrypt_test(void* args)
 {
     ((func_args*)args)->return_code = -1; // error state
-    
+
     msg    = NEW_TC byte[24];
     plain  = NEW_TC byte[24];
     cipher = NEW_TC byte[24];
@@ -243,6 +249,16 @@ void taocrypt_test(void* args)
     else
         printf( "ARC4     test passed!\n");
 
+    if ( (ret = rabbit_test()) )
+        err_sys("Rabbit   test failed!\n", ret);
+    else
+        printf( "Rabbit   test passed!\n");
+
+    if ( (ret = hc128_test()) )
+        err_sys("HC128    test failed!\n", ret);
+    else
+        printf( "HC128    test passed!\n");
+
     if ( (ret = des_test()) )
         err_sys("DES      test failed!\n", ret);
     else
@@ -320,16 +336,16 @@ void taocrypt_test(void* args)
 void file_test(const char* file, byte* check)
 {
     FILE* f;
-    int   i(0);
-    MD5   md5;
-    byte  buf[1024];
-    byte  md5sum[MD5::DIGEST_SIZE];
+    int i = 0;
+    MD5    md5;
+    byte   buf[1024];
+    byte   md5sum[MD5::DIGEST_SIZE];
     
     if( !( f = fopen( file, "rb" ) )) {
         printf("Can't open %s\n", file);
         return;
     }
-    while( ( i = fread(buf, 1, sizeof(buf), f )) > 0 )
+    while( ( i = (int)fread(buf, 1, sizeof(buf), f )) > 0 )
         md5.Update(buf, i);
     
     md5.Final(md5sum);
@@ -718,7 +734,7 @@ int hmac_test()
 
     int times( sizeof(test_hmacMD5) / sizeof(testVector) );
     for (int i = 0; i < times; ++i) {
-        hmacMD5.SetKey((byte*)keys[i], strlen(keys[i]));
+        hmacMD5.SetKey((byte*)keys[i], (word32)strlen(keys[i]));
         hmacMD5.Update(test_hmacMD5[i].input_, test_hmacMD5[i].inLen_);
         hmacMD5.Final(hash);
 
@@ -761,8 +777,8 @@ int arc4_test()
         ARC4::Encryption enc;
         ARC4::Decryption dec;
 
-        enc.SetKey((byte*)keys[i], strlen(keys[i]));
-        dec.SetKey((byte*)keys[i], strlen(keys[i]));
+        enc.SetKey((byte*)keys[i], (word32)strlen(keys[i]));
+        dec.SetKey((byte*)keys[i], (word32)strlen(keys[i]));
 
         enc.Process(cipher, test_arc4[i].input_, test_arc4[i].outLen_);
         dec.Process(plain,  cipher, test_arc4[i].outLen_);
@@ -778,6 +794,114 @@ int arc4_test()
 }
 
 
+int rabbit_test()
+{
+    byte cipher[16];
+    byte plain[16];
+
+    const char* keys[] = 
+    {           
+        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+        "\xAC\xC3\x51\xDC\xF1\x62\xFC\x3B\xFE\x36\x3D\x2E\x29\x13\x28\x91"
+    };
+
+    const char* ivs[] =
+    {
+        "\x00\x00\x00\x00\x00\x00\x00\x00",
+        "\x59\x7E\x26\xC1\x75\xF5\x73\xC3",
+        0
+    };
+
+
+    testVector test_rabbit[] =
+    {
+        testVector("\x00\x00\x00\x00\x00\x00\x00\x00",
+                   "\xED\xB7\x05\x67\x37\x5D\xCD\x7C"),
+        testVector("\x00\x00\x00\x00\x00\x00\x00\x00",
+                   "\x6D\x7D\x01\x22\x92\xCC\xDC\xE0"),
+        testVector("\x00\x00\x00\x00\x00\x00\x00\x00",
+                   "\x9C\x51\xE2\x87\x84\xC3\x7F\xE9")
+    };
+
+
+    int times( sizeof(test_rabbit) / sizeof(testVector) );
+    for (int i = 0; i < times; ++i) {
+        Rabbit::Encryption enc;
+        Rabbit::Decryption dec;
+
+        enc.SetKey((byte*)keys[i], (byte*)ivs[i]);
+        dec.SetKey((byte*)keys[i], (byte*)ivs[i]);
+
+        enc.Process(cipher, test_rabbit[i].input_, test_rabbit[i].outLen_);
+        dec.Process(plain,  cipher, test_rabbit[i].outLen_);
+
+        if (memcmp(plain, test_rabbit[i].input_, test_rabbit[i].outLen_))
+            return -230 - i;
+
+        if (memcmp(cipher, test_rabbit[i].output_, test_rabbit[i].outLen_))
+            return -240 - i;
+    }
+
+    return 0;
+}
+
+
+int hc128_test()
+{
+    byte cipher[16];
+    byte plain[16];
+
+    const char* keys[] = 
+    {           
+        "\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+        "\x00\x53\xA6\xF9\x4C\x9F\xF2\x45\x98\xEB\x3E\x91\xE4\x37\x8A\xDD",
+        "\x0F\x62\xB5\x08\x5B\xAE\x01\x54\xA7\xFA\x4D\xA0\xF3\x46\x99\xEC"
+    };
+
+    const char* ivs[] =
+    {
+        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+        "\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+        "\x0D\x74\xDB\x42\xA9\x10\x77\xDE\x45\xAC\x13\x7A\xE1\x48\xAF\x16",
+        "\x28\x8F\xF6\x5D\xC4\x2B\x92\xF9\x60\xC7\x2E\x95\xFC\x63\xCA\x31"
+    };
+
+    testVector test_hc128[] =
+    {
+        testVector("\x00\x00\x00\x00\x00\x00\x00\x00",
+                   "\x37\x86\x02\xB9\x8F\x32\xA7\x48"),
+        testVector("\x00\x00\x00\x00\x00\x00\x00\x00",
+                   "\x33\x7F\x86\x11\xC6\xED\x61\x5F"),
+        testVector("\x00\x00\x00\x00\x00\x00\x00\x00",
+                   "\x2E\x1E\xD1\x2A\x85\x51\xC0\x5A"),
+      testVector("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+                 "\x1C\xD8\xAE\xDD\xFE\x52\xE2\x17\xE8\x35\xD0\xB7\xE8\x4E\x29")
+    };
+
+    int times( sizeof(test_hc128) / sizeof(testVector) );
+    for (int i = 0; i < times; ++i) {
+        HC128::Encryption enc;
+        HC128::Decryption dec;
+
+        enc.SetKey((byte*)keys[i], (byte*)ivs[i]);
+        dec.SetKey((byte*)keys[i], (byte*)ivs[i]);
+
+        enc.Process(cipher, test_hc128[i].input_, test_hc128[i].outLen_);
+        dec.Process(plain,  cipher, test_hc128[i].outLen_);
+
+        if (memcmp(plain, test_hc128[i].input_, test_hc128[i].outLen_))
+            return -330 - i;
+
+        if (memcmp(cipher, test_hc128[i].output_, test_hc128[i].outLen_))
+            return -340 - i;
+    }
+
+    return 0;
+}
+
+
 int des_test()
 {
     //ECB mode
@@ -1040,7 +1164,7 @@ int rsa_test()
 
     RSAES_Encryptor enc(priv);
     byte message[] = "Everyone gets Friday off.";
-    const int len(strlen((char*)message));
+    const word32 len = (word32)strlen((char*)message);
     byte cipher[64];
     enc.Encrypt(message, len, cipher, rng);
 
@@ -1068,6 +1192,8 @@ int rsa_test()
         }
     }
     CertDecoder cd(source2, true, 0, false, CertDecoder::CA);
+    if (cd.GetError().What())
+        err_sys("cert error", -80);
     Source source3(cd.GetPublicKey().GetKey(), cd.GetPublicKey().size());
     RSA_PublicKey pub(source3);
  
@@ -1188,6 +1314,7 @@ int pwdbased_test()
 }
 
 
+/*
 int pkcs12_test()
 {
     Source cert;
@@ -1220,4 +1347,5 @@ int pkcs12_test()
 
     return 0;
 }
+*/
 
diff --git a/extra/yassl/testsuite/make.bat b/extra/yassl/testsuite/make.bat
old mode 100644
new mode 100755
diff --git a/extra/yassl/testsuite/test.hpp b/extra/yassl/testsuite/test.hpp
index e14cdc54ae0..1f10095b945 100644
--- a/extra/yassl/testsuite/test.hpp
+++ b/extra/yassl/testsuite/test.hpp
@@ -23,6 +23,7 @@
 
 #include "runtime.hpp"
 #include "openssl/ssl.h"   /* openssl compatibility test */
+#include "error.hpp"
 #include 
 #include 
 #include 
@@ -32,6 +33,10 @@
 #ifdef _WIN32
     #include 
     #include 
+    #ifdef TEST_IPV6            // don't require newer SDK for IPV4
+	    #include 
+        #include 
+    #endif
     #define SOCKET_T unsigned int
 #else
     #include 
@@ -42,6 +47,9 @@
     #include 
     #include 
     #include 
+    #ifdef TEST_IPV6
+        #include 
+    #endif
     #include 
 #ifdef NON_BLOCKING
     #include 
@@ -50,6 +58,13 @@
 #endif /* _WIN32 */
 
 
+#ifdef _MSC_VER
+    // disable conversion warning
+    // 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy
+    #pragma warning(disable:4244 4996)
+#endif
+
+
 #if !defined(_SOCKLEN_T) && (defined(_WIN32) || defined(__APPLE__))
     typedef int socklen_t;
 #endif
@@ -64,6 +79,15 @@
 #endif
 
 
+#ifdef TEST_IPV6
+    typedef sockaddr_in6 SOCKADDR_IN_T;
+    #define AF_INET_V    AF_INET6
+#else
+    typedef sockaddr_in  SOCKADDR_IN_T;
+    #define AF_INET_V    AF_INET
+#endif
+   
+
 // Check if _POSIX_THREADS should be forced
 #if !defined(_POSIX_THREADS) && defined(__hpux)
 // HPUX does not define _POSIX_THREADS as it's not _fully_ implemented
@@ -73,7 +97,7 @@
 
 #ifndef _POSIX_THREADS
     typedef unsigned int  THREAD_RETURN;
-    typedef unsigned long THREAD_TYPE;
+    typedef HANDLE        THREAD_TYPE;
     #define YASSL_API __stdcall
 #else
     typedef void*         THREAD_RETURN;
@@ -120,8 +144,8 @@ void start_thread(THREAD_FUNC, func_args*, THREAD_TYPE*);
 void join_thread(THREAD_TYPE);
 
 // yaSSL
-const char* const    yasslIP   = "127.0.0.1";
-const unsigned short yasslPort = 11111;
+const char* const    yasslIP      = "127.0.0.1";
+const unsigned short yasslPort    =  11111;
 
 
 // client
@@ -180,7 +204,7 @@ extern "C" {
 
 static int PasswordCallBack(char* passwd, int sz, int rw, void* userdata)
 {
-    strncpy(passwd, "12345678", sz);
+    strncpy(passwd, "yassl123", sz);
     return 8;
 }
 
@@ -300,14 +324,35 @@ inline void tcp_set_nonblocking(SOCKET_T& sockfd)
 }
 
 
-inline void tcp_socket(SOCKET_T& sockfd, sockaddr_in& addr)
+inline void tcp_socket(SOCKET_T& sockfd, SOCKADDR_IN_T& addr)
 {
-    sockfd = socket(AF_INET, SOCK_STREAM, 0);
+    sockfd = socket(AF_INET_V, SOCK_STREAM, 0);
     memset(&addr, 0, sizeof(addr));
-    addr.sin_family = AF_INET;
 
+#ifdef TEST_IPV6
+    addr.sin6_family = AF_INET_V;
+    addr.sin6_port = htons(yasslPort);
+    addr.sin6_addr = in6addr_loopback;
+
+    /* // for external testing later 
+    addrinfo hints;
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family   = AF_INET_V;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_flags    = AI_PASSIVE;
+
+    getaddrinfo(yasslIP6, yasslPortStr, &hints, info);
+    // then use info connect(sockfd, info->ai_addr, info->ai_addrlen)
+
+    if (*info == 0)
+        err_sys("getaddrinfo failed");
+        */   // end external testing later
+#else
+    addr.sin_family = AF_INET_V;
     addr.sin_port = htons(yasslPort);
     addr.sin_addr.s_addr = inet_addr(yasslIP);
+#endif
+
 }
 
 
@@ -318,13 +363,13 @@ inline void tcp_close(SOCKET_T& sockfd)
 #else
     close(sockfd);
 #endif
-    sockfd = -1;
+    sockfd = (SOCKET_T) -1;
 }
 
 
 inline void tcp_connect(SOCKET_T& sockfd)
 {
-    sockaddr_in addr;
+    SOCKADDR_IN_T addr;
     tcp_socket(sockfd, addr);
 
     if (connect(sockfd, (const sockaddr*)&addr, sizeof(addr)) != 0) {
@@ -336,9 +381,15 @@ inline void tcp_connect(SOCKET_T& sockfd)
 
 inline void tcp_listen(SOCKET_T& sockfd)
 {
-    sockaddr_in addr;
+    SOCKADDR_IN_T addr;
     tcp_socket(sockfd, addr);
 
+#ifndef _WIN32
+    int       on  = 1;
+    socklen_t len = sizeof(on);
+    setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &on, len);
+#endif
+
     if (bind(sockfd, (const sockaddr*)&addr, sizeof(addr)) != 0) {
         tcp_close(sockfd);
         err_sys("tcp bind failed");
@@ -355,7 +406,7 @@ inline void tcp_accept(SOCKET_T& sockfd, SOCKET_T& clientfd, func_args& args)
 {
     tcp_listen(sockfd);
 
-    sockaddr_in client;
+    SOCKADDR_IN_T client;
     socklen_t client_len = sizeof(client);
 
 #if defined(_POSIX_THREADS) && defined(NO_MAIN_DRIVER)
@@ -369,7 +420,7 @@ inline void tcp_accept(SOCKET_T& sockfd, SOCKET_T& clientfd, func_args& args)
 
     clientfd = accept(sockfd, (sockaddr*)&client, (ACCEPT_THIRD_T)&client_len);
 
-    if (clientfd == -1) {
+    if (clientfd == (SOCKET_T) -1) {
         tcp_close(sockfd);
         err_sys("tcp accept failed");
     }
@@ -387,10 +438,8 @@ inline void showPeer(SSL* ssl)
         char* issuer  = X509_NAME_oneline(X509_get_issuer_name(peer), 0, 0);
         char* subject = X509_NAME_oneline(X509_get_subject_name(peer), 0, 0);
 
-        printf("peer's cert info:\n");
-        printf("issuer : %s\n", issuer);
-        printf("subject: %s\n", subject);
-
+        printf("peer's cert info:\n issuer : %s\n subject: %s\n", issuer,
+                                                                  subject);
         free(subject);
         free(issuer);
     }
@@ -436,5 +485,19 @@ inline DH* set_tmpDH(SSL_CTX* ctx)
 }
 
 
+inline int verify_callback(int preverify_ok, X509_STORE_CTX* ctx)
+{
+    X509* err_cert = X509_STORE_CTX_get_current_cert(ctx);
+    int   err      = X509_STORE_CTX_get_error(ctx);
+    int   depth    = X509_STORE_CTX_get_error_depth(ctx);
+
+    // test allow self signed
+    if (err_cert && depth == 0 && err == TaoCrypt::SIG_OTHER_E)
+        return 1;
+
+    return 0;
+}
+
+
 #endif // yaSSL_TEST_HPP
 
diff --git a/extra/yassl/testsuite/testsuite.cpp b/extra/yassl/testsuite/testsuite.cpp
index 5ddb9bb4dab..fa8c997e7c2 100644
--- a/extra/yassl/testsuite/testsuite.cpp
+++ b/extra/yassl/testsuite/testsuite.cpp
@@ -119,7 +119,7 @@ int main(int argc, char** argv)
 void start_thread(THREAD_FUNC fun, func_args* args, THREAD_TYPE* thread)
 {
 #ifndef _POSIX_THREADS
-    *thread = _beginthreadex(0, 0, fun, args, 0, 0);
+    *thread = (HANDLE)_beginthreadex(0, 0, fun, args, 0, 0);
 #else
     pthread_create(thread, 0, fun, args);
 #endif
@@ -129,9 +129,9 @@ void start_thread(THREAD_FUNC fun, func_args* args, THREAD_TYPE* thread)
 void join_thread(THREAD_TYPE thread)
 {
 #ifndef _POSIX_THREADS
-    int res = WaitForSingleObject(reinterpret_cast(thread), INFINITE);
+    int res = WaitForSingleObject(thread, INFINITE);
     assert(res == WAIT_OBJECT_0);
-    res = CloseHandle(reinterpret_cast(thread));
+    res = CloseHandle(thread);
     assert(res);
 #else
     pthread_join(thread, 0);
@@ -158,7 +158,7 @@ int test_openSSL_des()
 {
     /* test des encrypt/decrypt */
     char data[] = "this is my data ";
-    int  dataSz = strlen(data);
+    int  dataSz = (int)strlen(data);
     DES_key_schedule key[3];
     byte iv[8];
     EVP_BytesToKey(EVP_des_ede3_cbc(), EVP_md5(), NULL, (byte*)data, dataSz, 1,

From c3b04553c475f5780fb3371c6a7492fc203d2dbd Mon Sep 17 00:00:00 2001
From: Joerg Bruehe 
Date: Tue, 28 Feb 2012 12:42:02 +0100
Subject: [PATCH 12/14] The current year is 2012, and nobody noticed ... Update
 the year in the copyright notice, file "README".

---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index 795d325e2d5..acc98e400bd 100644
--- a/README
+++ b/README
@@ -5,7 +5,7 @@ For the avoidance of doubt, this particular copy of the software
 is released under the version 2 of the GNU General Public License. 
 MySQL is brought to you by Oracle.
 
-Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
 
 License information can be found in the COPYING file.
 

From 2efa0ec676d203083aa63123651a6e09abfd8129 Mon Sep 17 00:00:00 2001
From: Karen Langford 
Date: Tue, 28 Feb 2012 17:20:30 +0100
Subject: [PATCH 13/14] AIX builds fail for comments using //

---
 client/mysqldump.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/client/mysqldump.c b/client/mysqldump.c
index a69c9306b4b..8601b533849 100644
--- a/client/mysqldump.c
+++ b/client/mysqldump.c
@@ -2331,10 +2331,10 @@ static uint dump_routines_for_db(char *db)
           {
             if (opt_xml)
             {
-              if (i)                            // Procedures.
+              if (i)                            /* Procedures. */
                 print_xml_row(sql_file, "routine", routine_res, &row,
                               "Create Procedure");
-              else                              // Functions.
+              else                              /* Functions. */
                 print_xml_row(sql_file, "routine", routine_res, &row,
                               "Create Function");
               continue;

From 5b49c7ce916be1bbf306d2fd9175ed2b5ddeeed9 Mon Sep 17 00:00:00 2001
From: Joerg Bruehe 
Date: Fri, 2 Mar 2012 13:12:07 +0100
Subject: [PATCH 14/14] Further upgrade the yaSSL library to version 2.2.0 to
 pick up some new security fixes that are in it.

Patch provided by Georgi Kodinov.
---
 extra/yassl/README                    |  3 +--
 extra/yassl/include/openssl/ssl.h     |  4 ++--
 extra/yassl/src/yassl_imp.cpp         | 20 +++++++++++++++++++-
 extra/yassl/src/yassl_int.cpp         |  5 +++--
 extra/yassl/taocrypt/include/file.hpp | 21 ++++++++++++++-------
 extra/yassl/taocrypt/src/asn.cpp      | 26 ++++++++++++++++++++++++--
 extra/yassl/taocrypt/src/integer.cpp  |  5 ++++-
 7 files changed, 67 insertions(+), 17 deletions(-)

diff --git a/extra/yassl/README b/extra/yassl/README
index 0ca656bb932..7720a9453dd 100644
--- a/extra/yassl/README
+++ b/extra/yassl/README
@@ -21,8 +21,7 @@ See normal  build instructions below under 1.0.6.
 See libcurl build instructions below under 1.3.0 and note in 1.5.8.
 
 
-*****************yaSSL Release notes, version 1.9.9 (1/26/2010)
-yaSSL Release notes, version 2.0.0 (7/6/2010)
+*****************yaSSL Release notes, version 2.0.0 (7/6/2010)
 
     This release of yaSSL contains bug fixes, new testing certs,
     and a security patch for a potential heap overflow on forged application
diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h
index 0ae54f070bd..0d99888da88 100644
--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
    Use is subject to license terms.
 
    This program is free software; you can redistribute it and/or modify
@@ -35,7 +35,7 @@
 #include "rsa.h"
 
 
-#define YASSL_VERSION "2.1.4"
+#define YASSL_VERSION "2.2.0"
 
 
 #if defined(__cplusplus)
diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp
index 6d2549749f2..66a173bece8 100644
--- a/extra/yassl/src/yassl_imp.cpp
+++ b/extra/yassl/src/yassl_imp.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1087,19 +1087,37 @@ void Certificate::Process(input_buffer& input, SSL& ssl)
     uint32 list_sz;
     byte   tmp[3];
 
+    if (input.get_remaining() < sizeof(tmp)) {
+        ssl.SetError(YasslError(bad_input));
+        return;
+    }
     tmp[0] = input[AUTO];
     tmp[1] = input[AUTO];
     tmp[2] = input[AUTO];
     c24to32(tmp, list_sz);
+
+    if (list_sz > (uint)MAX_RECORD_SIZE) { // sanity check
+        ssl.SetError(YasslError(bad_input));
+        return;
+    }
     
     while (list_sz) {
         // cert size
         uint32 cert_sz;
+
+        if (input.get_remaining() < sizeof(tmp)) {
+            ssl.SetError(YasslError(bad_input));
+            return;
+        }
         tmp[0] = input[AUTO];
         tmp[1] = input[AUTO];
         tmp[2] = input[AUTO];
         c24to32(tmp, cert_sz);
         
+        if (cert_sz > (uint)MAX_RECORD_SIZE || input.get_remaining() < cert_sz){
+            ssl.SetError(YasslError(bad_input));
+            return;
+        }
         x509* myCert;
         cm.AddPeerCert(myCert = NEW_YS x509(cert_sz));
         input.read(myCert->use_buffer(), myCert->get_length());
diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp
index 15a85e36909..73f8f2330c5 100644
--- a/extra/yassl/src/yassl_int.cpp
+++ b/extra/yassl/src/yassl_int.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -308,8 +308,9 @@ SSL::SSL(SSL_CTX* ctx)
             SetError(YasslError(err));
             return;
         }
-        else if (serverSide) {
+        else if (serverSide && ctx->GetCiphers().setSuites_ == 0) {
             // remove RSA or DSA suites depending on cert key type
+            // but don't override user sets
             ProtocolVersion pv = secure_.get_connection().version_;
             
             bool removeDH  = secure_.use_parms().removeDH_;
diff --git a/extra/yassl/taocrypt/include/file.hpp b/extra/yassl/taocrypt/include/file.hpp
index 0f85b46fdb2..820fd8ff431 100644
--- a/extra/yassl/taocrypt/include/file.hpp
+++ b/extra/yassl/taocrypt/include/file.hpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (C) 2000-2007 MySQL AB
+   Copyright (C) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -39,25 +39,32 @@ public:
     explicit Source(word32 sz = 0) : buffer_(sz), current_(0) {}
     Source(const byte* b, word32 sz) : buffer_(b, sz), current_(0) {}
 
+    word32 remaining()         { if (GetError().What()) return 0;
+                                 else return buffer_.size() - current_; } 
     word32 size() const        { return buffer_.size(); }
     void   grow(word32 sz)     { buffer_.CleanGrow(sz); }
+
+    bool IsLeft(word32 sz) { if (remaining() >= sz) return true;
+                             else { SetError(CONTENT_E); return false; } }
    
     const byte*  get_buffer()  const { return buffer_.get_buffer(); }
     const byte*  get_current() const { return &buffer_[current_]; }
     word32       get_index()   const { return current_; }
-    void         set_index(word32 i) { current_ = i; }
+    void         set_index(word32 i) { if (i < size()) current_ = i; }
 
     byte operator[] (word32 i) { current_ = i; return next(); }
-    byte next() { return buffer_[current_++]; }
-    byte prev() { return buffer_[--current_]; }
+    byte next() { if (IsLeft(1)) return buffer_[current_++]; else return 0; }
+    byte prev() { if (current_)  return buffer_[--current_]; else return 0; }
 
     void add(const byte* data, word32 len)
     {
-        memcpy(buffer_.get_buffer() + current_, data, len);
-        current_ += len;
+        if (IsLeft(len)) {
+            memcpy(buffer_.get_buffer() + current_, data, len);
+            current_ += len;
+        }
     }
 
-    void advance(word32 i) { current_ += i; }
+    void advance(word32 i) { if (IsLeft(i)) current_ += i; }
     void reset(ByteBlock&);
 
     Error  GetError()              { return error_; }
diff --git a/extra/yassl/taocrypt/src/asn.cpp b/extra/yassl/taocrypt/src/asn.cpp
index 72cbd092f9d..a502666d15b 100644
--- a/extra/yassl/taocrypt/src/asn.cpp
+++ b/extra/yassl/taocrypt/src/asn.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005-2007 MySQL AB, 2009, 2010 Sun Microsystems, Inc.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
    Use is subject to license terms.
 
    This program is free software; you can redistribute it and/or modify
@@ -144,6 +144,8 @@ word32 GetLength(Source& source)
     if (b >= LONG_LENGTH) {        
         word32 bytes = b & 0x7F;
 
+        if (source.IsLeft(bytes) == false) return 0;
+
         while (bytes--) {
             b = source.next();
             length = (length << 8) | b;
@@ -578,8 +580,10 @@ void CertDecoder::StoreKey()
     read = source_.get_index() - read;
     length += read;
 
+    if (source_.GetError().What()) return;
     while (read--) source_.prev();
 
+    if (source_.IsLeft(length) == false) return;
     key_.SetSize(length);
     key_.SetKey(source_.get_current());
     source_.advance(length);
@@ -611,6 +615,8 @@ void CertDecoder::AddDSA()
     word32 length = GetLength(source_);
     length += source_.get_index() - idx;
 
+    if (source_.IsLeft(length) == false) return;
+
     key_.AddToEnd(source_.get_buffer() + idx, length);    
 }
 
@@ -620,6 +626,8 @@ word32 CertDecoder::GetAlgoId()
 {
     if (source_.GetError().What()) return 0;
     word32 length = GetSequence();
+
+    if (source_.GetError().What()) return 0;
     
     byte b = source_.next();
     if (b != OBJECT_IDENTIFIER) {
@@ -628,8 +636,9 @@ word32 CertDecoder::GetAlgoId()
     }
 
     length = GetLength(source_);
+    if (source_.IsLeft(length) == false) return 0;
+
     word32 oid = 0;
-    
     while(length--)
         oid += source_.next();        // just sum it up for now
 
@@ -662,6 +671,10 @@ word32 CertDecoder::GetSignature()
     }
 
     sigLength_ = GetLength(source_);
+    if (sigLength_ == 0 || source_.IsLeft(sigLength_) == false) {
+        source_.SetError(CONTENT_E);
+        return 0;
+    }
   
     b = source_.next();
     if (b != 0) {
@@ -728,6 +741,7 @@ void CertDecoder::GetName(NameType nt)
 
     if (length >= ASN_NAME_MAX)
         return;
+    if (source_.IsLeft(length) == false) return;
     length += source_.get_index();
     
     char* ptr;
@@ -753,7 +767,10 @@ void CertDecoder::GetName(NameType nt)
         }
 
         word32 oidSz = GetLength(source_);
+        if (source_.IsLeft(oidSz) == false) return;
+
         byte joint[2];
+        if (source_.IsLeft(sizeof(joint)) == false) return;
         memcpy(joint, source_.get_current(), sizeof(joint));
 
         // v1 name types
@@ -763,6 +780,8 @@ void CertDecoder::GetName(NameType nt)
             b              = source_.next();    // strType
             word32 strLen  = GetLength(source_);
 
+            if (source_.IsLeft(strLen) == false) return;
+
             switch (id) {
             case COMMON_NAME:
                 if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen)))
@@ -804,6 +823,7 @@ void CertDecoder::GetName(NameType nt)
 
             source_.advance(oidSz + 1);
             word32 length = GetLength(source_);
+            if (source_.IsLeft(length) == false) return;
 
             if (email) {
                 if (!(ptr = AddTag(ptr, buf_end, "/emailAddress=", 14, length))) {
@@ -837,6 +857,8 @@ void CertDecoder::GetDate(DateType dt)
     }
 
     word32 length = GetLength(source_);
+    if (source_.IsLeft(length) == false) return;
+
     byte date[MAX_DATE_SZ];
     if (length > MAX_DATE_SZ || length < MIN_DATE_SZ) {
         source_.SetError(DATE_SZ_E);
diff --git a/extra/yassl/taocrypt/src/integer.cpp b/extra/yassl/taocrypt/src/integer.cpp
index 2d55f48e91f..bfced6d0c74 100644
--- a/extra/yassl/taocrypt/src/integer.cpp
+++ b/extra/yassl/taocrypt/src/integer.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -2587,11 +2587,14 @@ void Integer::Decode(Source& source)
     }
 
     word32 length = GetLength(source);
+    if (length == 0 || source.GetError().What()) return;
 
     if ( (b = source.next()) == 0x00)
         length--;
     else
         source.prev();
+
+    if (source.IsLeft(length) == false) return;
  
     unsigned int words = (length + WORD_SIZE - 1) / WORD_SIZE;
     words = RoundupSize(words);