Catch failures of md_hmac operations
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.
Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index ce0fd4d..0b696dd 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -474,17 +474,18 @@
/*
* SSLv3.0 MAC functions
*/
-static void ssl_mac( mbedtls_md_context_t *md_ctx,
- const unsigned char *secret,
- const unsigned char *buf, size_t len,
- const unsigned char *ctr, int type,
- unsigned char out[SSL3_MAC_MAX_BYTES] )
+static int ssl_mac( mbedtls_md_context_t *md_ctx,
+ const unsigned char *secret,
+ const unsigned char *buf, size_t len,
+ const unsigned char *ctr, int type,
+ unsigned char out[SSL3_MAC_MAX_BYTES] )
{
unsigned char header[11];
unsigned char padding[48];
int padlen;
int md_size = mbedtls_md_get_size( md_ctx->md_info );
int md_type = mbedtls_md_get_type( md_ctx->md_info );
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
/* Only MD5 and SHA-1 supported */
if( md_type == MBEDTLS_MD_MD5 )
@@ -497,19 +498,43 @@
MBEDTLS_PUT_UINT16_BE( len, header, 9);
memset( padding, 0x36, padlen );
- mbedtls_md_starts( md_ctx );
- mbedtls_md_update( md_ctx, secret, md_size );
- mbedtls_md_update( md_ctx, padding, padlen );
- mbedtls_md_update( md_ctx, header, 11 );
- mbedtls_md_update( md_ctx, buf, len );
- mbedtls_md_finish( md_ctx, out );
+ ret = mbedtls_md_starts( md_ctx );
+ if( ret != 0 )
+ return( ret );
+ ret = mbedtls_md_update( md_ctx, secret, md_size );
+ if( ret != 0 )
+ return( ret );
+ ret = mbedtls_md_update( md_ctx, padding, padlen );
+ if( ret != 0 )
+ return( ret );
+ ret = mbedtls_md_update( md_ctx, header, 11 );
+ if( ret != 0 )
+ return( ret );
+ ret = mbedtls_md_update( md_ctx, buf, len );
+ if( ret != 0 )
+ return( ret );
+ ret = mbedtls_md_finish( md_ctx, out );
+ if( ret != 0 )
+ return( ret );
memset( padding, 0x5C, padlen );
- mbedtls_md_starts( md_ctx );
- mbedtls_md_update( md_ctx, secret, md_size );
- mbedtls_md_update( md_ctx, padding, padlen );
- mbedtls_md_update( md_ctx, out, md_size );
- mbedtls_md_finish( md_ctx, out );
+ ret = mbedtls_md_starts( md_ctx );
+ if( ret != 0 )
+ return( ret );
+ ret = mbedtls_md_update( md_ctx, secret, md_size );
+ if( ret != 0 )
+ return( ret );
+ ret = mbedtls_md_update( md_ctx, padding, padlen );
+ if( ret != 0 )
+ return( ret );
+ ret = mbedtls_md_update( md_ctx, out, md_size );
+ if( ret != 0 )
+ return( ret );
+ ret = mbedtls_md_finish( md_ctx, out );
+ if( ret != 0 )
+ return( ret );
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
@@ -714,10 +739,17 @@
if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
{
unsigned char mac[SSL3_MAC_MAX_BYTES];
- ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
- data, rec->data_len, rec->ctr, rec->type, mac );
- memcpy( data + rec->data_len, mac, transform->maclen );
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ret = ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
+ data, rec->data_len, rec->ctr, rec->type, mac );
+ if( ret == 0 )
+ memcpy( data + rec->data_len, mac, transform->maclen );
mbedtls_platform_zeroize( mac, transform->maclen );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_mac", ret );
+ return( ret );
+ }
}
else
#endif
@@ -726,19 +758,35 @@
if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
{
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver );
- mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
- add_data_len );
- mbedtls_md_hmac_update( &transform->md_ctx_enc,
- data, rec->data_len );
- mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
- mbedtls_md_hmac_reset( &transform->md_ctx_enc );
+ ret = mbedtls_md_hmac_update( &transform->md_ctx_enc,
+ add_data, add_data_len );
+ if( ret != 0 )
+ goto hmac_failed_etm_disabled;
+ ret = mbedtls_md_hmac_update( &transform->md_ctx_enc,
+ data, rec->data_len );
+ if( ret != 0 )
+ goto hmac_failed_etm_disabled;
+ ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
+ if( ret != 0 )
+ goto hmac_failed_etm_disabled;
+ ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc );
+ if( ret != 0 )
+ goto hmac_failed_etm_disabled;
memcpy( data + rec->data_len, mac, transform->maclen );
+
+ hmac_failed_etm_disabled:
mbedtls_platform_zeroize( mac, transform->maclen );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_hmac_xxx", ret );
+ return( ret );
+ }
}
else
#endif
@@ -1011,19 +1059,34 @@
MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
add_data_len );
- mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
- add_data_len );
- mbedtls_md_hmac_update( &transform->md_ctx_enc,
- data, rec->data_len );
- mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
- mbedtls_md_hmac_reset( &transform->md_ctx_enc );
+ ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
+ add_data_len );
+ if( ret != 0 )
+ goto hmac_failed_etm_enabled;
+ ret = mbedtls_md_hmac_update( &transform->md_ctx_enc,
+ data, rec->data_len );
+ if( ret != 0 )
+ goto hmac_failed_etm_enabled;
+ ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
+ if( ret != 0 )
+ goto hmac_failed_etm_enabled;
+ ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc );
+ if( ret != 0 )
+ goto hmac_failed_etm_enabled;
memcpy( data + rec->data_len, mac, transform->maclen );
rec->data_len += transform->maclen;
post_avail -= transform->maclen;
auth_done++;
+
+ hmac_failed_etm_enabled:
mbedtls_platform_zeroize( mac, transform->maclen );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "HMAC calculation failed", ret );
+ return( ret );
+ }
}
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
}
@@ -1295,12 +1358,20 @@
/* Calculate expected MAC. */
MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
add_data_len );
- mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
- add_data_len );
- mbedtls_md_hmac_update( &transform->md_ctx_dec,
+ ret = mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
+ add_data_len );
+ if( ret != 0 )
+ goto hmac_failed_etm_enabled;
+ ret = mbedtls_md_hmac_update( &transform->md_ctx_dec,
data, rec->data_len );
- mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
- mbedtls_md_hmac_reset( &transform->md_ctx_dec );
+ if( ret != 0 )
+ goto hmac_failed_etm_enabled;
+ ret = mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
+ if( ret != 0 )
+ goto hmac_failed_etm_enabled;
+ ret = mbedtls_md_hmac_reset( &transform->md_ctx_dec );
+ if( ret != 0 )
+ goto hmac_failed_etm_enabled;
MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,
transform->maclen );
@@ -1308,7 +1379,6 @@
transform->maclen );
/* Compare expected MAC with MAC at the end of the record. */
- ret = 0;
if( mbedtls_ct_memcmp( data + rec->data_len, mac_expect,
transform->maclen ) != 0 )
{
@@ -1321,7 +1391,11 @@
hmac_failed_etm_enabled:
mbedtls_platform_zeroize( mac_expect, transform->maclen );
if( ret != 0 )
+ {
+ if( ret != MBEDTLS_ERR_SSL_INVALID_MAC )
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hmac_xxx", ret );
return( ret );
+ }
}
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
@@ -1539,11 +1613,16 @@
#if defined(MBEDTLS_SSL_PROTO_SSL3)
if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
{
- ssl_mac( &transform->md_ctx_dec,
- transform->mac_dec,
- data, rec->data_len,
- rec->ctr, rec->type,
- mac_expect );
+ ret = ssl_mac( &transform->md_ctx_dec,
+ transform->mac_dec,
+ data, rec->data_len,
+ rec->ctr, rec->type,
+ mac_expect );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_mac", ret );
+ goto hmac_failed_etm_disabled;
+ }
memcpy( mac_peer, data + rec->data_len, transform->maclen );
}
else
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9757f86..537adc2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -442,19 +442,37 @@
goto exit;
}
- mbedtls_md_hmac_starts( &md_ctx, S1, hs );
- mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
- mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+ ret = mbedtls_md_hmac_starts( &md_ctx, S1, hs );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+ if( ret != 0 )
+ goto exit;
for( i = 0; i < dlen; i += 16 )
{
- mbedtls_md_hmac_reset ( &md_ctx );
- mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
- mbedtls_md_hmac_finish( &md_ctx, h_i );
+ ret = mbedtls_md_hmac_reset ( &md_ctx );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_finish( &md_ctx, h_i );
+ if( ret != 0 )
+ goto exit;
- mbedtls_md_hmac_reset ( &md_ctx );
- mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
- mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+ ret = mbedtls_md_hmac_reset ( &md_ctx );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+ if( ret != 0 )
+ goto exit;
k = ( i + 16 > dlen ) ? dlen % 16 : 16;
@@ -478,19 +496,37 @@
goto exit;
}
- mbedtls_md_hmac_starts( &md_ctx, S2, hs );
- mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
- mbedtls_md_hmac_finish( &md_ctx, tmp );
+ ret = mbedtls_md_hmac_starts( &md_ctx, S2, hs );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
+ if( ret != 0 )
+ goto exit;
for( i = 0; i < dlen; i += 20 )
{
- mbedtls_md_hmac_reset ( &md_ctx );
- mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
- mbedtls_md_hmac_finish( &md_ctx, h_i );
+ ret = mbedtls_md_hmac_reset ( &md_ctx );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_finish( &md_ctx, h_i );
+ if( ret != 0 )
+ goto exit;
- mbedtls_md_hmac_reset ( &md_ctx );
- mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
- mbedtls_md_hmac_finish( &md_ctx, tmp );
+ ret = mbedtls_md_hmac_reset ( &md_ctx );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
+ if( ret != 0 )
+ goto exit;
k = ( i + 20 > dlen ) ? dlen % 20 : 20;
@@ -680,19 +716,37 @@
if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
goto exit;
- mbedtls_md_hmac_starts( &md_ctx, secret, slen );
- mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
- mbedtls_md_hmac_finish( &md_ctx, tmp );
+ ret = mbedtls_md_hmac_starts( &md_ctx, secret, slen );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
+ if( ret != 0 )
+ goto exit;
for( i = 0; i < dlen; i += md_len )
{
- mbedtls_md_hmac_reset ( &md_ctx );
- mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
- mbedtls_md_hmac_finish( &md_ctx, h_i );
+ ret = mbedtls_md_hmac_reset ( &md_ctx );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_finish( &md_ctx, h_i );
+ if( ret != 0 )
+ goto exit;
- mbedtls_md_hmac_reset ( &md_ctx );
- mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
- mbedtls_md_hmac_finish( &md_ctx, tmp );
+ ret = mbedtls_md_hmac_reset ( &md_ctx );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
+ if( ret != 0 )
+ goto exit;
+ ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
+ if( ret != 0 )
+ goto exit;
k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
@@ -1232,8 +1286,14 @@
For AEAD-based ciphersuites, there is nothing to do here. */
if( mac_key_len != 0 )
{
- mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
- mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
+ ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc,
+ mac_enc, mac_key_len );
+ if( ret != 0 )
+ goto end;
+ ret = mbedtls_md_hmac_starts( &transform->md_ctx_dec,
+ mac_dec, mac_key_len );
+ if( ret != 0 )
+ goto end;
}
}
else