Merge remote-tracking branch 'upstream-restricted/pr/426' into mbedtls-1.3-restricted

This commit is contained in:
Gilles Peskine 2017-12-01 18:03:15 +01:00
commit 258bf599d6
4 changed files with 36 additions and 28 deletions

View file

@ -3,6 +3,12 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 1.3.22 branch released 2017-xx-xx = mbed TLS 1.3.22 branch released 2017-xx-xx
Security Security
* Fix heap corruption in implementation of truncated HMAC extension.
When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet can be used to selectively
corrupt 6 bytes on the peer's heap, potentially leading to crash or
remote code execution. This can be triggered remotely from either
side.
* Fix buffer overflow in RSA-PSS verification when the hash is too * Fix buffer overflow in RSA-PSS verification when the hash is too
large for the key size. Found by Seth Terashima, Qualcomm Product large for the key size. Found by Seth Terashima, Qualcomm Product
Security Initiative, Qualcomm Technologies Inc. Security Initiative, Qualcomm Technologies Inc.
@ -26,6 +32,8 @@ Security
after keypair generation. after keypair generation.
Bugfix Bugfix
* Fix typo in ssl.h leading to a too small value of SSL_MAC_ADD
in case CBC is disabled but ARC4 is enabled.
* Fix memory leak in ssl_set_hostname() when called multiple times. * Fix memory leak in ssl_set_hostname() when called multiple times.
Found by projectgus and jethrogb, #836. Found by projectgus and jethrogb, #836.
* Fix usage help in ssl_server2 example. Found and fixed by Bei Lin. * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.

View file

@ -303,7 +303,7 @@
#define SSL_COMPRESSION_ADD 0 #define SSL_COMPRESSION_ADD 0
#endif #endif
#if defined(POLARSSL_RC4_C) || defined(POLARSSL_CIPHER_MODE_CBC) #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_MODE_CBC)
/* Ciphersuites using HMAC */ /* Ciphersuites using HMAC */
#if defined(POLARSSL_SHA512_C) #if defined(POLARSSL_SHA512_C)
#define SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ #define SSL_MAC_ADD 48 /* SHA-384 used for HMAC */

View file

@ -1141,12 +1141,16 @@ static int ssl_encrypt_buf( ssl_context *ssl )
defined(POLARSSL_SSL_PROTO_TLS1_2) defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= SSL_MINOR_VERSION_1 ) if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
{ {
unsigned char mac[SSL_MAC_ADD];
md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 ); md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
md_hmac_update( &ssl->transform_out->md_ctx_enc, md_hmac_update( &ssl->transform_out->md_ctx_enc,
ssl->out_msg, ssl->out_msglen ); ssl->out_msg, ssl->out_msglen );
md_hmac_finish( &ssl->transform_out->md_ctx_enc, md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
ssl->out_msg + ssl->out_msglen );
md_hmac_reset( &ssl->transform_out->md_ctx_enc ); md_hmac_reset( &ssl->transform_out->md_ctx_enc );
memcpy( ssl->out_msg + ssl->out_msglen, mac,
ssl->transform_out->maclen );
} }
else else
#endif #endif
@ -1155,7 +1159,7 @@ static int ssl_encrypt_buf( ssl_context *ssl )
return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
} }
SSL_DEBUG_BUF( 4, "computed mac", SSL_DEBUG_BUF( 4, "expected mac",
ssl->out_msg + ssl->out_msglen, ssl->out_msg + ssl->out_msglen,
ssl->transform_out->maclen ); ssl->transform_out->maclen );
@ -1419,8 +1423,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
return( 0 ); return( 0 );
} }
#define POLARSSL_SSL_MAX_MAC_SIZE 48
static int ssl_decrypt_buf( ssl_context *ssl ) static int ssl_decrypt_buf( ssl_context *ssl )
{ {
size_t i; size_t i;
@ -1588,7 +1590,7 @@ static int ssl_decrypt_buf( ssl_context *ssl )
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
if( ssl->session_in->encrypt_then_mac == SSL_ETM_ENABLED ) if( ssl->session_in->encrypt_then_mac == SSL_ETM_ENABLED )
{ {
unsigned char computed_mac[POLARSSL_SSL_MAX_MAC_SIZE]; unsigned char mac_expect[SSL_MAC_ADD];
unsigned char pseudo_hdr[13]; unsigned char pseudo_hdr[13];
SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
@ -1606,15 +1608,15 @@ static int ssl_decrypt_buf( ssl_context *ssl )
md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 ); md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
md_hmac_update( &ssl->transform_in->md_ctx_dec, md_hmac_update( &ssl->transform_in->md_ctx_dec,
ssl->in_iv, ssl->in_msglen ); ssl->in_iv, ssl->in_msglen );
md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac ); md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
md_hmac_reset( &ssl->transform_in->md_ctx_dec ); md_hmac_reset( &ssl->transform_in->md_ctx_dec );
SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen, SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
ssl->transform_in->maclen ); ssl->transform_in->maclen );
SSL_DEBUG_BUF( 4, "computed mac", computed_mac, SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
ssl->transform_in->maclen ); ssl->transform_in->maclen );
if( safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac, if( safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
ssl->transform_in->maclen ) != 0 ) ssl->transform_in->maclen ) != 0 )
{ {
SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
@ -1775,15 +1777,13 @@ static int ssl_decrypt_buf( ssl_context *ssl )
#if defined(POLARSSL_SOME_MODES_USE_MAC) #if defined(POLARSSL_SOME_MODES_USE_MAC)
if( auth_done == 0 ) if( auth_done == 0 )
{ {
unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE]; unsigned char mac_expect[SSL_MAC_ADD];
ssl->in_msglen -= ssl->transform_in->maclen; ssl->in_msglen -= ssl->transform_in->maclen;
ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 ); ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen ); ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
#if defined(POLARSSL_SSL_PROTO_SSL3) #if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
{ {
@ -1820,8 +1820,8 @@ static int ssl_decrypt_buf( ssl_context *ssl )
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 ); md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg, md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
ssl->in_msglen ); ssl->in_msglen );
md_hmac_finish( &ssl->transform_in->md_ctx_dec, md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
ssl->in_msg + ssl->in_msglen );
/* Call md_process at least once due to cache attacks */ /* Call md_process at least once due to cache attacks */
for( j = 0; j < extra_run + 1; j++ ) for( j = 0; j < extra_run + 1; j++ )
md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg ); md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
@ -1836,11 +1836,11 @@ static int ssl_decrypt_buf( ssl_context *ssl )
return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
} }
SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen ); SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen, SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen,
ssl->transform_in->maclen ); ssl->transform_in->maclen );
if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen, if( safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
ssl->transform_in->maclen ) != 0 ) ssl->transform_in->maclen ) != 0 )
{ {
#if defined(POLARSSL_SSL_DEBUG_ALL) #if defined(POLARSSL_SSL_DEBUG_ALL)

View file

@ -511,40 +511,40 @@ run_test "Truncated HMAC: client default, server default" \
"$P_SRV debug_level=4" \ "$P_SRV debug_level=4" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \ 0 \
-s "dumping 'computed mac' (20 bytes)" \ -s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'computed mac' (10 bytes)" -S "dumping 'expected mac' (10 bytes)"
run_test "Truncated HMAC: client disabled, server default" \ run_test "Truncated HMAC: client disabled, server default" \
"$P_SRV debug_level=4" \ "$P_SRV debug_level=4" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=0" \ trunc_hmac=0" \
0 \ 0 \
-s "dumping 'computed mac' (20 bytes)" \ -s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'computed mac' (10 bytes)" -S "dumping 'expected mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server default" \ run_test "Truncated HMAC: client enabled, server default" \
"$P_SRV debug_level=4" \ "$P_SRV debug_level=4" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \ trunc_hmac=1" \
0 \ 0 \
-S "dumping 'computed mac' (20 bytes)" \ -S "dumping 'expected mac' (20 bytes)" \
-s "dumping 'computed mac' (10 bytes)" -s "dumping 'expected mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server disabled" \ run_test "Truncated HMAC: client enabled, server disabled" \
"$P_SRV debug_level=4 trunc_hmac=0" \ "$P_SRV debug_level=4 trunc_hmac=0" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \ trunc_hmac=1" \
0 \ 0 \
-s "dumping 'computed mac' (20 bytes)" \ -s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'computed mac' (10 bytes)" -S "dumping 'expected mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server enabled" \ run_test "Truncated HMAC: client enabled, server enabled" \
"$P_SRV debug_level=4 trunc_hmac=1" \ "$P_SRV debug_level=4 trunc_hmac=1" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \ trunc_hmac=1" \
0 \ 0 \
-S "dumping 'computed mac' (20 bytes)" \ -S "dumping 'expected mac' (20 bytes)" \
-s "dumping 'computed mac' (10 bytes)" -s "dumping 'expected mac' (10 bytes)"
# Tests for Encrypt-then-MAC extension # Tests for Encrypt-then-MAC extension