Merge remote-tracking branch 'upstream-restricted/pr/433' into development-restricted
diff --git a/ChangeLog b/ChangeLog
index 6e6a6d6..9c2cb9c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -83,12 +83,20 @@
Reported by Yolan Romailler.
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
* Fix incorrect unit in benchmark output. #850
+ * Add size-checks for record and handshake message content, securing
+ fragile yet non-exploitable code-paths.
+ * Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
+ MilenkoMitrovic, #1104
Changes
* Extend cert_write example program by options to set the CRT version
and the message digest. Further, allow enabling/disabling of authority
identifier, subject identifier and basic constraints extensions.
+New deprecations
+ * Deprecate usage of RSA primitives with non-matching key-type
+ (e.g., signing with a public key).
+
= mbed TLS 2.6.0 branch released 2017-08-10
Security
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index 31591e2..d51bcde 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -75,7 +75,7 @@
* PKCS5 2 4 (Started from top)
* DHM 3 9
* PK 3 14 (Started from top)
- * RSA 4 9
+ * RSA 4 10
* ECP 4 8 (Started from top)
* MD 5 4
* CIPHER 6 6
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index 7d7469d..d04e71d 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -48,6 +48,7 @@
#define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
#define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
+#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality */
/*
* RSA constants
@@ -250,6 +251,15 @@
* \param input buffer holding the data to be encrypted
* \param output buffer that will hold the ciphertext
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
* \note The output buffer must be as large as the size
@@ -273,6 +283,15 @@
* \param input buffer holding the data to be encrypted
* \param output buffer that will hold the ciphertext
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
* \note The output buffer must be as large as the size
@@ -299,6 +318,15 @@
* \param input buffer holding the data to be encrypted
* \param output buffer that will hold the ciphertext
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
* \note The output buffer must be as large as the size
@@ -327,13 +355,22 @@
* \param output buffer that will hold the plaintext
* \param output_max_len maximum length of the output buffer
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
* \note The output buffer length \c output_max_len should be
* as large as the size ctx->len of ctx->N (eg. 128 bytes
* if RSA-1024 is used) to be able to hold an arbitrary
* decrypted message. If it is not large enough to hold
- * the decryption of the particular ciphertext provided,
+ * the decryption of the particular ciphertext provided,
* the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
*
* \note The input buffer must be as large as the size
@@ -359,13 +396,22 @@
* \param output buffer that will hold the plaintext
* \param output_max_len maximum length of the output buffer
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
* \note The output buffer length \c output_max_len should be
* as large as the size ctx->len of ctx->N (eg. 128 bytes
* if RSA-1024 is used) to be able to hold an arbitrary
* decrypted message. If it is not large enough to hold
- * the decryption of the particular ciphertext provided,
+ * the decryption of the particular ciphertext provided,
* the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
*
* \note The input buffer must be as large as the size
@@ -393,16 +439,25 @@
* \param output buffer that will hold the plaintext
* \param output_max_len maximum length of the output buffer
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
* \note The output buffer length \c output_max_len should be
* as large as the size ctx->len of ctx->N (eg. 128 bytes
* if RSA-1024 is used) to be able to hold an arbitrary
* decrypted message. If it is not large enough to hold
- * the decryption of the particular ciphertext provided,
+ * the decryption of the particular ciphertext provided,
* the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
*
- * \note The input buffer must be as large as the size
+ * \note The input buffer must be as large as the size
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
*/
int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
@@ -430,6 +485,15 @@
* \param hash buffer holding the message digest
* \param sig buffer that will hold the ciphertext
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if the signing operation was successful,
* or an MBEDTLS_ERR_RSA_XXX error code
*
@@ -460,6 +524,15 @@
* \param hash buffer holding the message digest
* \param sig buffer that will hold the ciphertext
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if the signing operation was successful,
* or an MBEDTLS_ERR_RSA_XXX error code
*
@@ -488,6 +561,15 @@
* \param hash buffer holding the message digest
* \param sig buffer that will hold the ciphertext
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if the signing operation was successful,
* or an MBEDTLS_ERR_RSA_XXX error code
*
@@ -522,6 +604,15 @@
* \param hash buffer holding the message digest
* \param sig buffer holding the ciphertext
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if the verify operation was successful,
* or an MBEDTLS_ERR_RSA_XXX error code
*
@@ -552,6 +643,15 @@
* \param hash buffer holding the message digest
* \param sig buffer holding the ciphertext
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if the verify operation was successful,
* or an MBEDTLS_ERR_RSA_XXX error code
*
@@ -580,6 +680,15 @@
* \param hash buffer holding the message digest
* \param sig buffer holding the ciphertext
*
+ * \deprecated It is deprecated and discouraged to call this function
+ * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ * are likely to remove the mode argument and have it implicitly
+ * set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note Alternative implementations of RSA need not support
+ * mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
* \return 0 if the verify operation was successful,
* or an MBEDTLS_ERR_RSA_XXX error code
*
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 8d3ab61..f87397f 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -24,6 +24,7 @@
#define MBEDTLS_SSL_INTERNAL_H
#include "ssl.h"
+#include "cipher.h"
#if defined(MBEDTLS_MD5_C)
#include "md5.h"
@@ -138,14 +139,34 @@
#define MBEDTLS_SSL_PADDING_ADD 0
#endif
-#define MBEDTLS_SSL_BUFFER_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \
- + MBEDTLS_SSL_COMPRESSION_ADD \
- + 29 /* counter + header + IV */ \
- + MBEDTLS_SSL_MAC_ADD \
- + MBEDTLS_SSL_PADDING_ADD \
+#define MBEDTLS_SSL_PAYLOAD_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \
+ + MBEDTLS_SSL_COMPRESSION_ADD \
+ + MBEDTLS_MAX_IV_LENGTH \
+ + MBEDTLS_SSL_MAC_ADD \
+ + MBEDTLS_SSL_PADDING_ADD \
)
/*
+ * Check that we obey the standard's message size bounds
+ */
+
+#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
+#error Bad configuration - record content too large.
+#endif
+
+#if MBEDTLS_SSL_PAYLOAD_LEN > 16384 + 2048
+#error Bad configuration - protected record payload too large.
+#endif
+
+/* Note: Even though the TLS record header is only 5 bytes
+ long, we're internally using 8 bytes to store the
+ implicit sequence number. */
+#define MBEDTLS_SSL_HEADER_LEN 13
+
+#define MBEDTLS_SSL_BUFFER_LEN \
+ ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_PAYLOAD_LEN ) )
+
+/*
* TLS extension flags (for extensions with outgoing ServerHello content
* that need it (e.g. for RENEGOTIATION_INFO the server already knows because
* of state of the renegotiation flag, so no indicator is required)
diff --git a/library/error.c b/library/error.c
index db42381..23e4953 100644
--- a/library/error.c
+++ b/library/error.c
@@ -331,6 +331,8 @@
mbedtls_snprintf( buf, buflen, "RSA - The output buffer for decryption is not large enough" );
if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) )
mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" );
+ if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) )
+ mbedtls_snprintf( buf, buflen, "RSA - The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality" );
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_SSL_TLS_C)
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index c771d7f..47867f1 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -321,6 +321,7 @@
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free( &cache->mutex );
#endif
+ cache->chain = NULL;
}
#endif /* MBEDTLS_SSL_CACHE_C */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d8df513..abafe4d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1271,6 +1271,14 @@
MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
ssl->out_msg, ssl->out_msglen );
+ if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
+ (unsigned) ssl->out_msglen,
+ MBEDTLS_SSL_MAX_CONTENT_LEN ) );
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+
/*
* Add MAC before if needed
*/
@@ -2742,6 +2750,15 @@
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
/* Make room for the additional DTLS fields */
+ if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
+ "size %u, maximum %u",
+ (unsigned) ( ssl->in_hslen - 4 ),
+ (unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) );
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+
memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 );
ssl->out_msglen += 8;
len += 8;
diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function
index 270e2d9..09309d6 100644
--- a/tests/suites/test_suite_rsa.function
+++ b/tests/suites/test_suite_rsa.function
@@ -60,9 +60,12 @@
msg_len = unhexify( message_str, message_hex_string );
if( mbedtls_md_info_from_type( digest ) != NULL )
- TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 );
+ TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ),
+ message_str, msg_len, hash_result ) == 0 );
- TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, digest, 0, hash_result, output ) == result );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info,
+ MBEDTLS_RSA_PRIVATE, digest, 0,
+ hash_result, output ) == result );
if( result == 0 )
{
hexify( output_str, output, ctx.len );
@@ -71,7 +74,8 @@
}
exit:
- mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
+ mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
+ mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
mbedtls_rsa_free( &ctx );
}
/* END_CASE */
@@ -119,6 +123,7 @@
char *input_N, int radix_E, char *input_E,
char *result_hex_str )
{
+ int res;
unsigned char message_str[1000];
unsigned char hash_result[1000];
unsigned char output[1000];
@@ -157,7 +162,9 @@
unhexify( message_str, message_hex_string );
hash_len = unhexify( hash_result, hash_result_string );
- TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_NONE, hash_len, hash_result, output ) == 0 );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info,
+ MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_NONE,
+ hash_len, hash_result, output ) == 0 );
hexify( output_str, output, ctx.len );
@@ -169,13 +176,22 @@
memset( output, 0x00, 1000 );
memset( output_str, 0x00, 1000 );
- TEST_ASSERT( mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx,
+ res = mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx,
&rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE,
- hash_len, hash_result, output ) == 0 );
+ hash_len, hash_result, output );
- hexify( output_str, output, ctx.len );
+#if !defined(MBEDTLS_RSA_ALT)
+ TEST_ASSERT( res == 0 );
+#else
+ TEST_ASSERT( ( res == 0 ) ||
+ ( res == MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION ) );
+#endif
- TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+ if( res == 0 )
+ {
+ hexify( output_str, output, ctx.len );
+ TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+ }
}
exit:
@@ -190,6 +206,7 @@
char *input_N, int radix_E, char *input_E,
char *result_hex_str, int correct )
{
+ int res;
unsigned char message_str[1000];
unsigned char hash_result[1000];
unsigned char result_str[1000];
@@ -220,15 +237,25 @@
{
int ok;
- TEST_ASSERT( mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx,
+ res = mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx,
NULL, NULL, MBEDTLS_RSA_PUBLIC,
- &olen, result_str, output, sizeof( output ) ) == 0 );
+ &olen, result_str, output, sizeof( output ) );
- ok = olen == hash_len && memcmp( output, hash_result, olen ) == 0;
- if( correct == 0 )
- TEST_ASSERT( ok == 1 );
- else
- TEST_ASSERT( ok == 0 );
+#if !defined(MBEDTLS_RSA_ALT)
+ TEST_ASSERT( res == 0 );
+#else
+ TEST_ASSERT( ( res == 0 ) ||
+ ( res == MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION ) );
+#endif
+
+ if( res == 0 )
+ {
+ ok = olen == hash_len && memcmp( output, hash_result, olen ) == 0;
+ if( correct == 0 )
+ TEST_ASSERT( ok == 1 );
+ else
+ TEST_ASSERT( ok == 0 );
+ }
}
exit:
@@ -263,7 +290,9 @@
msg_len = unhexify( message_str, message_hex_string );
- TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_pseudo_rand, &rnd_info,
+ MBEDTLS_RSA_PUBLIC, msg_len,
+ message_str, output ) == result );
if( result == 0 )
{
hexify( output_str, output, ctx.len );
@@ -301,7 +330,9 @@
msg_len = unhexify( message_str, message_hex_string );
- TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_zero_rand, NULL, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_zero_rand, NULL,
+ MBEDTLS_RSA_PUBLIC, msg_len,
+ message_str, output ) == result );
if( result == 0 )
{
hexify( output_str, output, ctx.len );