Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted
* mbedtls-1.3:
Add ChangeLog entry for previous commit
cert_write : fix "Destination buffer is too small" error
Add ChangeLog entry for previous two commits
Test certificate "Server1 SHA1, key_usage" reissued.
Fix boolean values according to DER specs
Fix typo in an OID name
Disable reportedly broken assembly of Sparc(64)
ECHDE-PSK does not use a certificate
Actually ignore most non-fatal alerts
diff --git a/ChangeLog b/ChangeLog
index 593e751..57592b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,18 @@
= mbed TLS 1.3.15 released 2015-10-xx
+Security
+ * Fix potential double free if ssl_set_psk() is called more than once and
+ some allocation fails. Cannot be forced remotely. Found by Guido Vranken,
+ Intelworks.
+ * Fix potential heap corruption on Windows when
+ x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
+ triggered remotely. Found by Guido Vranken, Interlworks.
+ * Fix potential buffer overflow in some asn1_write_xxx() functions.
+ Cannot be triggered remotely unless you create X.509 certificates based
+ on untrusted input or write keys of untrusted origin. Found by Guido
+ Vranken, Interlworks.
+
Bugfix
* Fix bug causing some handshakes to fail due to some non-fatal alerts not
begin properly ignored. Found by mancha and Kasom Koht-arsa, #308
diff --git a/library/asn1write.c b/library/asn1write.c
index 92282b1..6a7c9d3 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -88,7 +88,7 @@
{
size_t len = 0;
- if( *p - start < (int) size )
+ if( *p < start || (size_t)( *p - start ) < size )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
len = size;
@@ -108,7 +108,7 @@
//
len = mpi_size( X );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -271,7 +271,7 @@
// Calculate byte length
//
- if( *p - start < (int) size + 1 )
+ if( *p < start || (size_t)( *p - start ) < size + 1 )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
len = size + 1;
diff --git a/library/pkwrite.c b/library/pkwrite.c
index 35dbd0b..bb9514e 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -97,7 +97,7 @@
return( ret );
}
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
*p -= len;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 44e5582..d9eb0a9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -949,11 +949,16 @@
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
{
- if( end - p < 2 + (int) ssl->psk_len )
+ if( end - p < 2 )
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( ssl->psk_len >> 8 );
*(p++) = (unsigned char)( ssl->psk_len );
+
+ if( end < p || (size_t)( end - p ) < ssl->psk_len )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+ memset( p, 0, ssl->psk_len );
p += ssl->psk_len;
}
else
@@ -1021,11 +1026,15 @@
}
/* opaque psk<0..2^16-1>; */
- if( end - p < 2 + (int) ssl->psk_len )
- return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+ if( end - p < 2 )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( ssl->psk_len >> 8 );
*(p++) = (unsigned char)( ssl->psk_len );
+
+ if( end < p || (size_t)( end - p ) < ssl->psk_len )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
memcpy( p, ssl->psk, ssl->psk_len );
p += ssl->psk_len;
@@ -4082,6 +4091,8 @@
{
polarssl_free( ssl->psk );
polarssl_free( ssl->psk_identity );
+ ssl->psk = NULL;
+ ssl->psk_identity = NULL;
}
if( ( ssl->psk = polarssl_malloc( psk_len ) ) == NULL ||
diff --git a/library/x509_create.c b/library/x509_create.c
index f505bab..b2cbdd4 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -265,13 +265,16 @@
int ret;
size_t len = 0;
- if( *p - start < (int) size + 1 )
+ if( *p < start || (size_t)( *p - start ) < size )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
len = size;
(*p) -= len;
memcpy( *p, sig, len );
+ if( *p - start < 1 )
+ return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
+
*--(*p) = 0;
len += 1;
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 3fb2b68..200f6bb 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -973,7 +973,7 @@
WCHAR szDir[MAX_PATH];
char filename[MAX_PATH];
char *p;
- int len = (int) strlen( path );
+ size_t len = strlen( path );
WIN32_FIND_DATAW file_data;
HANDLE hFind;
@@ -1007,7 +1007,7 @@
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
lstrlenW( file_data.cFileName ),
- p, len - 1,
+ p, (int) len - 1,
NULL, NULL );
if( w_ret == 0 )
return( POLARSSL_ERR_X509_FILE_IO_ERROR );