From 6d133d25817f860d795bd1ccd0afaafdb2f1ae17 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Mon, 8 Feb 2016 14:52:29 +0000
Subject: [PATCH 1/8] Included tests for the overflow
---
 library/rsa.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/library/rsa.c b/library/rsa.c
index cb32bf46f..dc12955c9 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -523,7 +523,8 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
 olen = ctx->len;
 hlen = mbedtls_md_get_size( md_info );
- if( olen < ilen + 2 * hlen + 2 )
+ // first comparison checks for overflow
+ if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 memset( output, 0, olen );
@@ -588,8 +589,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 olen = ctx->len;
-
- if( olen < ilen + 11 )
+
+ // first comparison checks for overflow
+ if( ilen + 11 < ilen || olen < ilen + 11 )
 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 nb_pad = olen - 3 - ilen;
From 3415cc2f3593f7ca7ac87050f659eb08c5fe7261 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Wed, 10 Feb 2016 16:25:55 +0000
Subject: [PATCH 2/8] Add Changelog entry for current branch
---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 19547689c..3d7fc2796 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ Security
 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
 required by PKCS1 v2.2
+Security
+ * Fix potential integer overflow to buffer overflow in
+ mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
+
 Bugfix
 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
 arguments where the same (in-place doubling). Found and fixed by Janos
From 5ed30c1920c286bccc8ba7ccc3b2fe9ba159ad5b Mon Sep 17 00:00:00 2001
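Review bot: The new guard `ilen + 2 * hlen + 2 < ilen` in mbedtls_rsa_rsaes_oaep_encrypt detects the overflow only through unsigned wraparound, which is well-defined if ilen is a size_t (its declaration is outside the hunk) but would be undefined behaviour for a signed operand, and it makes every reader re-derive the wrap argument. Writing the bound as a subtraction that cannot underflow, the form RFC 3447 section 7.1.1 step 1.b uses, needs no overflow reasoning at all: `if( olen < 2 * hlen + 2 || ilen > olen - 2 * hlen - 2 )`. The second hunk, in mbedtls_rsa_rsaes_pkcs1_v15_encrypt, has the same shape and becomes `if( olen < 11 || ilen > olen - 11 )` (RFC 3447 section 7.2.1 step 1). In both hunks the explanatory comment uses `//`, whereas the block comments visible in the later rsa.c hunk of this series (`/* * RSA operation */`) use `/* */`; `/* olen must hold ilen plus the padding; written as a subtraction so the sum cannot overflow */` keeps the file's style. Both enclosing functions start and end outside the hunk.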
From: Janos Follath
Date: Tue, 9 Feb 2016 14:51:35 +0000
Subject: [PATCH 3/8] Included test for integer underflow.
---
 library/rsa.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/library/rsa.c b/library/rsa.c
index cb32bf46f..642b76278 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -714,6 +714,10 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
 */
 hlen = mbedtls_md_get_size( md_info );
+ // checking for integer underflow
+ if( 2 * hlen + 2 > ilen )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
 mbedtls_md_init( &md_ctx );
 mbedtls_md_setup( &md_ctx, md_info, 0 );
From 3cbdbf918f10eea1ee9db1848bbc0ef8fd19b7ad Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Wed, 10 Feb 2016 16:40:16 +0000
Subject: [PATCH 4/8] Add Changelog entry for current branch
---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 19547689c..2f9a6233d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ Security
 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
 required by PKCS1 v2.2
+Security
+ * Fix a potential integer underflow to buffer overread in
+ mbedtls_rsa_rsaes_oaep_decrypt
+
 Bugfix
 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
 arguments where the same (in-place doubling). Found and fixed by Janos
From e75f8c32c531eebb8b8069f1ed9c6d7c3cce2513 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Thu, 11 Feb 2016 11:08:18 +0000
Subject: [PATCH 5/8] Moved underflow test to better reflect time constant behaviour.
---
 library/rsa.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/library/rsa.c b/library/rsa.c
index 642b76278..de42bedd5 100644
--- a/library/rsa.c
+++ b/library/rsa.c
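Review bot: The comment `// checking for integer underflow` added to mbedtls_rsa_rsaes_oaep_decrypt names the symptom being avoided rather than the rule being enforced, and uses `//` where this file's block comments (`/* * RSA operation */` in the next rsa.c hunk of this series) use `/* */`. The condition is the minimum OAEP ciphertext length from RFC 3447 section 7.1.2 step 1.b, so `/* RFC 3447 7.1.2 step 1.b: an OAEP ciphertext is at least 2 * hLen + 2 bytes; rejecting shorter input keeps the length arithmetic below from underflowing */` states both what is rejected and why, with the underflow consequence being the one the ChangeLog entry of patch 4/8 describes rather than anything visible in this hunk. Patch 5/8 moves these same four lines earlier in the function, and the comment applies unchanged there. The enclosing function starts and ends outside the hunk.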
@@ -699,6 +699,12 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
 if( md_info == NULL )
 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ hlen = mbedtls_md_get_size( md_info );
+
+ // checking for integer underflow
+ if( 2 * hlen + 2 > ilen )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
 /*
 * RSA operation
 */
@@ -712,12 +718,6 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
 /*
 * Unmask data and generate lHash
 */
- hlen = mbedtls_md_get_size( md_info );
-
- // checking for integer underflow
- if( 2 * hlen + 2 > ilen )
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-
 mbedtls_md_init( &md_ctx );
 mbedtls_md_setup( &md_ctx, md_info, 0 );
From 4d9bbc4e36ec33842cb0b1717bb2216ae7c69fed Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Thu, 11 Feb 2016 11:15:44 +0000
Subject: [PATCH 6/8] Extended ChangeLog entry
---
 ChangeLog | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 2f9a6233d..f0384fd36 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,7 +8,8 @@ Security
 Security
 * Fix a potential integer underflow to buffer overread in
- mbedtls_rsa_rsaes_oaep_decrypt
+ mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
+ SSL/TLS.
 Bugfix
 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
From fe0e8d233176224ac81e7f37d9888b41fbedeeab Mon Sep 17 00:00:00 2001
From: Simon Butcher
Date: Wed, 16 Mar 2016 23:08:18 +0000
Subject: [PATCH 7/8] Fix ChangeLog after merging fix for IOTSSL-628
---
 ChangeLog | 2 --
 1 file changed, 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f0384fd36..bce9b9b78 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,8 +5,6 @@ mbed TLS ChangeLog (Sorted per branch, date)
 Security
 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
 required by PKCS1 v2.2
-
-Security
 * Fix a potential integer underflow to buffer overread in
 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
 SSL/TLS.
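Review bot: The relocated length check now returns before the RSA operation, and nothing in the code records why an early, data-dependent exit is acceptable here when the padding checks that follow the RSA operation are the ones the commit subject says must stay constant-time. The justification is that both operands are public: hlen comes from md_info, and ilen is presumably the caller-supplied ciphertext length (its origin is outside the hunk), so the branch reveals nothing about the private key or the plaintext. That reasoning belongs next to the check, e.g. `/* Length check on public values only (digest size, input length): safe to reject early, before the private-key operation */`, so a later reader does not "fix" it by moving it back behind the RSA operation. mbedtls_rsa_rsaes_oaep_decrypt starts and ends outside both hunks.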
From 9ff2d96fe23655f4802dfcd93877b51d265c11ac Mon Sep 17 00:00:00 2001
From: Simon Butcher
Date: Thu, 17 Mar 2016 11:09:45 +0000
Subject: [PATCH 8/8] Fix Changelog for backport of IOTSSL-621
---
 ChangeLog | 2 --
 1 file changed, 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ef9ee33b4..2be6ca898 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,8 +8,6 @@ Security
 * Fix a potential integer underflow to buffer overread in
 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
 SSL/TLS.
-
-Security
 * Fix potential integer overflow to buffer overflow in
 mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt