Merge pull request #295 from ARMmbed/mbedtls-1.3-restricted
Merge of mbedtls-1.3-restricted
diff --git a/ChangeLog b/ChangeLog
index 2030ceb..18486b3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,14 @@
= mbed TLS 1.3.13 reladsed 2015-??-??
+Security
+ * Fix possible client-side NULL pointer dereference (read) when the client
+ tries to continue the handshake after it failed (a misuse of the API).
+ (Found by GDS Labs using afl-fuzz, patch provided by GDS Labs.)
+ * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
+ signatures. (Found by Florian Weimer, Red Hat.)
+ https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
+
Bugfix
* Setting SSL_MIN_DHM_BYTES in config.h had no effect (overriden in ssl.h)
(found by Fabio Solari) (#256)
diff --git a/library/rsa.c b/library/rsa.c
index c4e83c0..59ec35f 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -52,6 +52,8 @@
#else
#include <stdio.h>
#define polarssl_printf printf
+#define polarssl_malloc malloc
+#define polarssl_free free
#endif
/*
@@ -1005,6 +1007,11 @@
size_t nb_pad, olen, oid_size = 0;
unsigned char *p = sig;
const char *oid = NULL;
+ unsigned char *sig_try = NULL, *verif = NULL;
+ size_t i;
+ unsigned char diff;
+ volatile unsigned char diff_no_optimize;
+ int ret;
if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
@@ -1067,9 +1074,39 @@
memcpy( p, hash, hashlen );
}
- return( ( mode == RSA_PUBLIC )
- ? rsa_public( ctx, sig, sig )
- : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
+ if( mode == RSA_PUBLIC )
+ return( rsa_public( ctx, sig, sig ) );
+
+ /*
+ * In order to prevent Lenstra's attack, make the signature in a
+ * temporary buffer and check it before returning it.
+ */
+ sig_try = polarssl_malloc( ctx->len );
+ verif = polarssl_malloc( ctx->len );
+ if( sig_try == NULL || verif == NULL )
+ return( POLARSSL_ERR_MPI_MALLOC_FAILED );
+
+ MPI_CHK( rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
+ MPI_CHK( rsa_public( ctx, sig_try, verif ) );
+
+ /* Compare in constant time just in case */
+ for( diff = 0, i = 0; i < ctx->len; i++ )
+ diff |= verif[i] ^ sig[i];
+ diff_no_optimize = diff;
+
+ if( diff_no_optimize != 0 )
+ {
+ ret = POLARSSL_ERR_RSA_PRIVATE_FAILED;
+ goto cleanup;
+ }
+
+ memcpy( sig, sig_try, ctx->len );
+
+cleanup:
+ polarssl_free( sig_try );
+ polarssl_free( verif );
+
+ return( ret );
}
#endif /* POLARSSL_PKCS1_V15 */
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 7f46cbb..f603cff 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1602,6 +1602,12 @@
ssl->handshake->pmslen = 48;
+ if( ssl->session_negotiate->peer_cert == NULL )
+ {
+ SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+ return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
+
/*
* Now write it out, encrypted
*/
@@ -1699,6 +1705,12 @@
int ret;
const ecp_keypair *peer_key;
+ if( ssl->session_negotiate->peer_cert == NULL )
+ {
+ SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+ return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
+
if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
POLARSSL_PK_ECKEY ) )
{
@@ -2012,6 +2024,12 @@
SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
(unsigned int) ( md_info_from_type( md_alg ) )->size );
+ if( ssl->session_negotiate->peer_cert == NULL )
+ {
+ SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+ return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
+
/*
* Verify signature
*/