Merge multiple backported vulnerability fixes
diff --git a/ChangeLog b/ChangeLog
index b26b4b0..d8d6798 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,30 +1,37 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS 1.3.14 released 2015-10-??
+= mbed TLS 1.3.14 released 2015-10-xx
Security
+ * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
+ overflow of the hostname or session ticket. Found by Guido Vranken,
+ Intelworks.
* Fix stack buffer overflow in pkcs12 decryption (used by
- mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
- Found by Guido Vranken. Not triggerable remotely.
+ mbedtls_pk_parse_key(file)() when the password is > 129 bytes. Found by
+ Guido Vranken, Intelworks. Not triggerable remotely.
* Fix potential buffer overflow in mbedtls_mpi_read_string().
- Found by Guido Vranken. Not exploitable remotely in the context of TLS,
- but might be in other uses. On 32 bit machines, requires reading a string
- of close to or larger than 1GB to exploit; on 64 bit machines, would require
- reading a string of close to or larger than 2^62 bytes.
+ Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
+ of TLS, but might be in other uses. On 32 bit machines, requires reading a
+ string of close to or larger than 1GB to exploit; on 64 bit machines, would
+ require reading a string of close to or larger than 2^62 bytes.
* Fix potential random memory allocation in mbedtls_pem_read_buffer()
- on crafted PEM input data. Found and fix provided by Guido Vranken.
- Not triggerable remotely in TLS. Triggerable remotely if you accept PEM
- data from an untrusted source.
+ on crafted PEM input data. Found and fix provided by Guido Vranken,
+ Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
+ accept PEM data from an untrusted source.
* Fix potential double-free if ssl_set_psk() is called repeatedly on
- the same ssl_context object and some memory allocations fail.
- Found by Guido Vranken. Can not be forced remotely.
+ the same ssl_context object and some memory allocations fail. Found by
+ Guido Vranken, Intelworks. Can not be forced remotely.
* Fix possible heap buffer overflow in base64_encode() when the input
- buffer is 512MB or larger on 32-bit platforms.
- Found by Guido Vranken. Not trigerrable remotely in TLS.
+ buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
+ Intelworks. Found by Guido Vranken. Not trigerrable remotely in TLS.
* Fix potential heap buffer overflow in servers that perform client
authentication against a crafted CA cert. Cannot be triggered remotely
- unless you allow third parties to pick trust CAs for client auth.
- Found by Guido Vranken.
+ unless you allow third parties to pick trust CAs for client auth. Found by
+ Guido Vranken, Intelworks.
+
+Changes
+ * Added checking of hostname length in ssl_set_hostname() to ensure domain
+ names are compliant with RFC 1035.
= mbed TLS 1.3.13 released 2015-09-17
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 1f9f8be..0d84663 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -198,6 +198,8 @@
#endif /* POLARSSL_SSL_PROTO_TLS1_1 */
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
+#define SSL_MAX_HOST_NAME_LEN 255 /*!< Maximum host name defined in RFC 1035 */
+
/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
* NONE must be zero so that memset()ing structure to zero works */
#define SSL_MAX_FRAG_LEN_NONE 0 /*!< don't use this extension */
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index f603cff..39dc02e 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -65,6 +65,7 @@
size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
*olen = 0;
@@ -74,6 +75,12 @@
SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
ssl->hostname ) );
+ if( end < p || (size_t)( end - p ) < ssl->hostname_len + 9 )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
/*
* struct {
* NameType name_type;
@@ -117,6 +124,7 @@
size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
*olen = 0;
@@ -125,6 +133,12 @@
SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
+ if( end < p || (size_t)(end - p) < 5 + ssl->verify_data_len )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
/*
* Secure renegotiation
*/
@@ -151,6 +165,7 @@
size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
size_t sig_alg_len = 0;
#if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C)
unsigned char *sig_alg_list = buf + 6;
@@ -163,9 +178,54 @@
SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
+#if defined(POLARSSL_RSA_C)
+#if defined(POLARSSL_SHA512_C)
+ /* SHA512 + RSA signature, SHA384 + RSA signature */
+ sig_alg_len += 4;
+#endif
+#if defined(POLARSSL_SHA256_C)
+ /* SHA256 + RSA signature, SHA224 + RSA signature */
+ sig_alg_len += 4;
+#endif
+#if defined(POLARSSL_SHA1_C)
+ /* SHA1 + RSA signature */
+ sig_alg_len += 2;
+#endif
+#if defined(POLARSSL_MD5_C)
+ /* MD5 + RSA signature */
+ sig_alg_len += 2;
+#endif
+#endif /* POLARSSL_RSA_C */
+#if defined(POLARSSL_ECDSA_C)
+#if defined(POLARSSL_SHA512_C)
+ /* SHA512 + ECDSA signature, SHA384 + ECDSA signature */
+ sig_alg_len += 4;
+#endif
+#if defined(POLARSSL_SHA256_C)
+ /* SHA256 + ECDSA signature, SHA224 + ECDSA signature */
+ sig_alg_len += 4;
+#endif
+#if defined(POLARSSL_SHA1_C)
+ /* SHA1 + ECDSA signature */
+ sig_alg_len += 2;
+#endif
+#if defined(POLARSSL_MD5_C)
+ /* MD5 + ECDSA signature */
+ sig_alg_len += 2;
+#endif
+#endif /* POLARSSL_ECDSA_C */
+
+ if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
/*
* Prepare signature_algorithms extension (TLS 1.2)
*/
+ sig_alg_len = 0;
+
#if defined(POLARSSL_RSA_C)
#if defined(POLARSSL_SHA512_C)
sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
@@ -248,6 +308,7 @@
size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
unsigned char *elliptic_curve_list = p + 6;
size_t elliptic_curve_len = 0;
const ecp_curve_info *info;
@@ -269,6 +330,25 @@
for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
{
#endif
+ elliptic_curve_len += 2;
+ }
+
+ if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
+ elliptic_curve_len = 0;
+
+#if defined(POLARSSL_SSL_SET_CURVES)
+ for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ )
+ {
+ info = ecp_curve_info_from_grp_id( *grp_id );
+#else
+ for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
+ {
+#endif
elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
@@ -294,12 +374,18 @@
size_t *olen )
{
unsigned char *p = buf;
- ((void) ssl);
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
*olen = 0;
SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
+ if( end < p || (size_t)( end - p ) < 6 )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
*p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
@@ -319,14 +405,21 @@
size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
- if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
- *olen = 0;
+ *olen = 0;
+
+ if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE )
return;
- }
SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
+ if( end < p || (size_t)( end - p ) < 5 )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
*p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
@@ -344,15 +437,21 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+
+ *olen = 0;
if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
- {
- *olen = 0;
return;
- }
SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
+ if( end < p || (size_t)( end - p ) < 4 )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
*p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
@@ -368,17 +467,25 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+
+ *olen = 0;
if( ssl->encrypt_then_mac == SSL_ETM_DISABLED ||
ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
{
- *olen = 0;
return;
}
SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
"extension" ) );
+ if( end < p || (size_t)( end - p ) < 4 )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
*p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
@@ -394,17 +501,25 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+
+ *olen = 0;
if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
{
- *olen = 0;
return;
}
SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
"extension" ) );
+ if( end < p || (size_t)( end - p ) < 4 )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
*p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
@@ -420,16 +535,22 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
size_t tlen = ssl->session_negotiate->ticket_len;
+ *olen = 0;
+
if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
- {
- *olen = 0;
return;
- }
SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
+ if( end < p || (size_t)( end - p ) < 4 + tlen )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
*p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
@@ -457,16 +578,26 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+ size_t alpnlen = 0;
const char **cur;
+ *olen = 0;
+
if( ssl->alpn_list == NULL )
- {
- *olen = 0;
return;
- }
SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
+ for( cur = ssl->alpn_list; *cur != NULL; cur++ )
+ alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
+
+ if( end < p || (size_t)( end - p ) < 6 + alpnlen )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
*p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
@@ -746,13 +877,13 @@
ext_len += olen;
#endif
-#if defined(POLARSSL_SSL_SESSION_TICKETS)
- ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
+#if defined(POLARSSL_SSL_ALPN)
+ ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif
-#if defined(POLARSSL_SSL_ALPN)
- ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
+ ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f16bb53..7fc9d99 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4150,6 +4150,9 @@
if( ssl->hostname_len + 1 == 0 )
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+ if( ssl->hostname_len > SSL_MAX_HOST_NAME_LEN )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
ssl->hostname = polarssl_malloc( ssl->hostname_len + 1 );
if( ssl->hostname == NULL )