From 703990b83938302d81cdeb8cf382964e45c3beaf Mon Sep 17 00:00:00 2001
From: Andres AG <andres.amayagarcia@arm.com>
Date: Mon, 24 Oct 2016 11:23:36 +0100
Subject: [PATCH 1/5] Fix buffer overreads in mbedtls_pem_read_buffer()
---
ChangeLog | 7 +++++++
library/pem.c | 20 +++++++++++---------
2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f96786d72..cae68a638 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.x.x branch released xxxx-xx-xx
+
+Bugfix
+ * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
+ the input string in pem format to extract the different components. Found
+ by Eyal Itkin.
+
= mbed TLS 2.4.0 branch released 2016-10-17
Security
diff --git a/library/pem.c b/library/pem.c
index 1ee3966e1..d1c660412 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -249,7 +249,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
enc = 0;
- if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
+ if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
{
#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) && \
( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
@@ -262,22 +262,22 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
#if defined(MBEDTLS_DES_C)
- if( memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
+ if( s2 - s1 >= 23 && memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
{
enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
s1 += 23;
- if( pem_get_iv( s1, pem_iv, 8 ) != 0 )
+ if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8 ) != 0 )
return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
s1 += 16;
}
- else if( memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
+ else if( s2 - s1 >= 18 && memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
{
enc_alg = MBEDTLS_CIPHER_DES_CBC;
s1 += 18;
- if( pem_get_iv( s1, pem_iv, 8) != 0 )
+ if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8) != 0 )
return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
s1 += 16;
@@ -285,9 +285,11 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
#endif /* MBEDTLS_DES_C */
#if defined(MBEDTLS_AES_C)
- if( memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
+ if( s2 - s1 >= 14 && memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
{
- if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
+ if( s2 - s1 < 22 )
+ return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+ else if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
@@ -297,7 +299,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
s1 += 22;
- if( pem_get_iv( s1, pem_iv, 16 ) != 0 )
+ if( s2 - s1 < 32 || pem_get_iv( s1, pem_iv, 16 ) != 0 )
return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
s1 += 32;
@@ -316,7 +318,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
}
- if( s1 == s2 )
+ if( s1 >= s2 )
return( MBEDTLS_ERR_PEM_INVALID_DATA );
ret = mbedtls_base64_decode( NULL, 0, &len, s1, s2 - s1 );
From 6eb6e1bdc3ae45104f33642c6e1fd271dc543a84 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Tue, 25 Oct 2016 10:50:22 +0100
Subject: [PATCH 2/5] Prevent SLOTH attacks
---
ChangeLog | 6 ++++++
library/ssl_tls.c | 3 +--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f96786d72..c7b39c9b6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.4.x branch released 2016-xx-xx
+
+Security
+ * Removed MD5 from the allowed hash algorithms for CertificateRequest and
+ CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
+
= mbed TLS 2.4.0 branch released 2016-10-17
Security
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 84a04ae53..ee3cadb02 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7644,8 +7644,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
#if defined(MBEDTLS_MD5_C)
case MBEDTLS_SSL_HASH_MD5:
- ssl->handshake->calc_verify = ssl_calc_verify_tls;
- break;
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
#endif
#if defined(MBEDTLS_SHA1_C)
case MBEDTLS_SSL_HASH_SHA1:
From 9c94b6951cdd483eeee191b8dab7a0230d3fb4e8 Mon Sep 17 00:00:00 2001
From: Andres AG <andres.amayagarcia@arm.com>
Date: Mon, 24 Oct 2016 14:31:54 +0100
Subject: [PATCH 3/5] Add tests for overreads in pem_read_buffer()
---
ChangeLog | 2 +-
tests/suites/test_suite_pem.data | 9 +++++++++
tests/suites/test_suite_pem.function | 24 ++++++++++++++++++------
3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index cae68a638..e0c74e677 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,7 +4,7 @@ mbed TLS ChangeLog (Sorted per branch, date)
Bugfix
* Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
- the input string in pem format to extract the different components. Found
+ the input string in PEM format to extract the different components. Found
by Eyal Itkin.
= mbed TLS 2.4.0 branch released 2016-10-17
diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data
index 973c92325..9a62db8ea 100644
--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data
@@ -15,3 +15,12 @@ mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102
PEM write (exactly two lines + 1)
mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n"
+
+PEM read (DES-EDE3-CBC + invalid iv)
+mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":-4608
+
+PEM read (DES-CBC + invalid iv)
+mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":-4608
+
+PEM read (unknown encryption algorithm)
+mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":-4736
diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function
index 6a62bfed9..5e022109c 100644
--- a/tests/suites/test_suite_pem.function
+++ b/tests/suites/test_suite_pem.function
@@ -3,12 +3,7 @@
#include "mbedtls/pem.h"
/* END_HEADER */
-/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_PEM_WRITE_C
- * END_DEPENDENCIES
- */
-
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */
void mbedtls_pem_write_buffer( char *start, char *end, char *buf_str, char *result_str )
{
unsigned char buf[5000];
@@ -38,3 +33,20 @@ exit:
mbedtls_free( check_buf );
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_AES_C:MBEDTLS_DES_C:MBEDTLS_MD5_C:MBEDTLS_CIPHER_MODE_CBC */
+void mbedtls_pem_read_buffer( char *header, char *footer, char *data, int ret )
+{
+ mbedtls_pem_context ctx;
+ size_t use_len = 0;
+
+ mbedtls_pem_init( &ctx );
+
+ TEST_ASSERT( mbedtls_pem_read_buffer( &ctx, header, footer,
+ (const unsigned char *)data, NULL, 0,
+ &use_len ) == ret );
+
+exit:
+ mbedtls_pem_free( &ctx );
+}
+/* END_CASE */
From 74ae020295e47a6612be4780d3818456f640ceb7 Mon Sep 17 00:00:00 2001
From: Simon Butcher <simon.butcher@arm.com>
Date: Thu, 2 Feb 2017 08:46:53 +0000
Subject: [PATCH 4/5] Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
---
library/base64.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/library/base64.c b/library/base64.c
index 305afc57b..f06b57b31 100644
--- a/library/base64.c
+++ b/library/base64.c
@@ -192,6 +192,10 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
return( 0 );
}
+ /* The following expression is to calculate the following formula without
+ * risk of integer overflow in n:
+ * n = ( ( n * 6 ) + 7 ) >> 3;
+ */
n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
n -= j;
From c709dfab9777b13fa98153e877fbee96524e0ab5 Mon Sep 17 00:00:00 2001
From: Simon Butcher <simon.butcher@arm.com>
Date: Sun, 5 Feb 2017 16:48:47 +0000
Subject: [PATCH 5/5] Add detail to ChangeLog for SLOTH fix
---
ChangeLog | 1 +
1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index 3fd8e0e58..2489ce47d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@ mbed TLS ChangeLog (Sorted per branch, date)
Security
* Removed MD5 from the allowed hash algorithms for CertificateRequest and
CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
+ Introduced by interoperability fix for #513.
Bugfix
* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could