From 8db3efbc76243971adcae0d5abe439bc3af931f9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 21 Feb 2018 19:16:20 +0100 Subject: [PATCH 1/8] Add missing MBEDTLS_DEPRECATED_REMOVED guards Add missing MBEDTLS_DEPRECATED_REMOVED guards around the definitions of mbedtls_aes_decrypt and mbedtls_aes_encrypt. This fixes the build under -Wmissing-prototypes -Werror. Fixes #1388 --- ChangeLog | 2 ++ library/aes.c | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 5f49c0beb..9a61ec31d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ Bugfix * Fix the name of a DHE parameter that was accidentally changed in 2.7.0. Fixes #1358. * Fix test_suite_pk to work on 64-bit ILP32 systems. #849 + * Don't define mbedtls_aes_decrypt and mbedtls_aes_encrypt under + MBEDTLS_DEPRECATED_REMOVED. #1388 Changes * Fix tag lengths and value ranges in the documentation of CCM encryption. diff --git a/library/aes.c b/library/aes.c index dba4a5f57..3d2eac82d 100644 --- a/library/aes.c +++ b/library/aes.c @@ -765,12 +765,14 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, } #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ +#if !defined(MBEDTLS_DEPRECATED_REMOVED) void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16] ) { mbedtls_internal_aes_encrypt( ctx, input, output ); } +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ /* * AES-ECB block decryption @@ -831,12 +833,14 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, } #endif /* !MBEDTLS_AES_DECRYPT_ALT */ +#if !defined(MBEDTLS_DEPRECATED_REMOVED) void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16] ) { mbedtls_internal_aes_decrypt( ctx, input, output ); } +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ /* * AES-ECB block encryption/decryption From 6013004fa922febabdfde40abe498b7756235cab Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 14 Feb 2018 11:33:30 +0100 Subject: [PATCH 2/8] Note in the changelog that this fixes an interoperability issue. Fixes #1339 --- ChangeLog | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 56342e6ac..932e28065 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,7 +5,9 @@ mbed TLS ChangeLog (Sorted per branch, date) Features * Extend PKCS#8 interface by introducing support for the entire SHA algorithms family when encrypting private keys using PKCS#5 v2.0. - Submitted by Antonio Quartulli, OpenVPN Inc. + This allows reading encrypted PEM files produced by software that + uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, + OpenVPN Inc. Fixes #1339 Bugfix * Fix setting version TLSv1 as minimal version, even if TLS 1 From 9e1839bc43536c20cc15dabca0fc8cacebb44f88 Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Wed, 14 Mar 2018 11:20:46 +0100 Subject: [PATCH 3/8] Add bounds check before length read --- library/ssl_cli.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 2534346a4..585750ef2 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2057,6 +2057,12 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, * * opaque psk_identity_hint<0..2^16-1>; */ + if( (*p) > end - 2 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " + "(psk_identity_hint length)" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); + } len = (*p)[0] << 8 | (*p)[1]; *p += 2; From 8e0b1166b67abc55abfb4969d11d01fc47d940a8 Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Wed, 14 Mar 2018 11:21:35 +0100 Subject: [PATCH 4/8] Prevent arithmetic overflow on bounds check --- library/ssl_cli.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 585750ef2..759a4562a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2066,7 +2066,7 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, len = (*p)[0] << 8 | (*p)[1]; *p += 2; - if( (*p) + len > end ) + if( (*p) > end - len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " "(psk_identity_hint length)" ) ); From bcb814951059a425f86f173a766cd0b504450be9 Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Wed, 14 Mar 2018 11:23:34 +0100 Subject: [PATCH 5/8] Update change log --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 8db021591..725a6b1a4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,8 @@ Security * Change default choice of DHE parameters from untrustworthy RFC 5114 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve manner. + * Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a + crash on invalid input. Features * Allow comments in test data files. @@ -180,6 +182,8 @@ Bugfix * In mbedtls_entropy_free(), properly free the message digest context. * Fix status handshake status message in programs/ssl/dtls_client.c. Found and fixed by muddog. + * Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that + could cause a key exchange to fail on valid data. Changes * Extend cert_write example program by options to set the certificate version From b3e8f9e2e6d6ac4314d8a8a754e684f5bdae7183 Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Wed, 14 Mar 2018 11:40:55 +0100 Subject: [PATCH 6/8] Add bounds check before signature --- library/ssl_cli.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 2534346a4..54a290c4e 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2478,6 +2478,13 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) /* * Read signature */ + if( p > end - 2 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); + } sig_len = ( p[0] << 8 ) | p[1]; p += 2; From b5609f3ca55628f6b88ddc863569cf54ce383471 Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Wed, 14 Mar 2018 11:41:47 +0100 Subject: [PATCH 7/8] Prevent arithmetic overflow on bould check --- library/ssl_cli.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 54a290c4e..2eec7665b 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2488,7 +2488,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) sig_len = ( p[0] << 8 ) | p[1]; p += 2; - if( end != p + sig_len ) + if( p != end - sig_len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, From 4e0141fc00165d12db4453c9b3baa461cf96a4a2 Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Wed, 14 Mar 2018 11:43:00 +0100 Subject: [PATCH 8/8] Update change log --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 8db021591..cc550fc86 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,8 @@ Security * Change default choice of DHE parameters from untrustworthy RFC 5114 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve manner. + * Fix a buffer overread in ssl_parse_server_key_exchange() that could cause + a crash on invalid input. Features * Allow comments in test data files. @@ -180,6 +182,8 @@ Bugfix * In mbedtls_entropy_free(), properly free the message digest context. * Fix status handshake status message in programs/ssl/dtls_client.c. Found and fixed by muddog. + * Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() + that could cause a key exchange to fail on valid data. Changes * Extend cert_write example program by options to set the certificate version