Merge memory leak fix into branch 'mbedtls-1.3'

Merge of fix for memory leak in RSA-SSA signing - #372
Simon Butcher 2016-01-02 00:08:13 +00:00
parent 7d3f3a8ac8
commit 14400c8fb0
6 changed files with 67 additions and 29 deletions


@ -2,6 +2,12 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 1.3.16 released 2015-12-xx = mbed TLS 1.3.16 released 2015-12-xx
Security
* Fix potential double free when mbedtls_asn1_store_named_data() fails to
allocate memory. Only used for certificate generation, not triggerable
remotely in SSL/TLS. Found by Rafał Przywara. #367
* Disable MD5 handshake signatures in TLS 1.2 by default
Bugfix Bugfix
* Fix over-restricive length limit in GCM. Found by Andreas-N. #362 * Fix over-restricive length limit in GCM. Found by Andreas-N. #362
* Fix bug in certificate validation that caused valid chains to be rejected * Fix bug in certificate validation that caused valid chains to be rejected
@ -10,6 +16,10 @@ Bugfix
* Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
JayaraghavendranK. #372 JayaraghavendranK. #372
Changes
* Add config.h option POLARSSL_SSL_ENABLE_MD5_SIGNATURES controlling
use of MD5-based signatures for TLS 1.2 handshake (disabled by default).
= mbed TLS 1.3.15 released 2015-11-04 = mbed TLS 1.3.15 released 2015-11-04
Security Security


@ -1092,6 +1092,19 @@
*/ */
#define POLARSSL_SSL_TRUNCATED_HMAC #define POLARSSL_SSL_TRUNCATED_HMAC
/**
* \def POLARSSL_SSL_ENABLE_MD5_SIGNATURES
*
* Offer, accept and do MD5-based signatures in the TLS 1.2 handshake.
* Has no effect on which algorithms are accepted for certificates.
* Has no effect on other SSL/TLS versions.
*
* \warning Enabling this could be a security risk!
*
* Uncomment to enable MD5 signatures in TLS 1.2
*/
//#define POLARSSL_SSL_ENABLE_MD5_SIGNATURES
/** /**
* \def POLARSSL_SSL_SET_CURVES * \def POLARSSL_SSL_SET_CURVES
* *
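Review bot: The new doc block for POLARSSL_SSL_ENABLE_MD5_SIGNATURES does not say that the option only takes effect when POLARSSL_MD5_C is also defined, which is how the client-side guards in this commit are written (`#if defined(POLARSSL_MD5_C) && defined(POLARSSL_SSL_ENABLE_MD5_SIGNATURES)`). I would add a `* Requires: POLARSSL_MD5_C` line to the comment so the dependency is visible where the option is toggled. The `\warning` line would also be more useful if it named the risk rather than only asserting one, for example `* \warning MD5 is not collision resistant; handshake signatures over MD5 weaken peer authentication.`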


@ -342,19 +342,18 @@ asn1_named_data *asn1_store_named_data( asn1_named_data **head,
} }
else if( cur->val.len < val_len ) else if( cur->val.len < val_len )
{ {
// Enlarge existing value buffer if needed /*
// * Enlarge existing value buffer if needed
polarssl_free( cur->val.p ); * Preserve old data until the allocation succeeded, to leave list in
cur->val.p = NULL; * a consistent state in case allocation fails.
*/
cur->val.len = val_len; void *p = polarssl_malloc( val_len );
cur->val.p = polarssl_malloc( val_len ); if( p == NULL )
if( cur->val.p == NULL )
{
polarssl_free( cur->oid.p );
polarssl_free( cur );
return( NULL ); return( NULL );
}
polarssl_free( cur->val.p );
cur->val.p = p;
cur->val.len = val_len;
} }
if( val != NULL ) if( val != NULL )
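Review bot: The failure contract of the enlarge branch changes here and nothing tells callers: when `polarssl_malloc( val_len )` fails the function now returns NULL with `cur` still linked in `*head` and its old `val.p`/`val.len` intact, where the previous code freed `cur` itself before returning. The function's header comment (outside this hunk) should state this, e.g. `On allocation failure the list is left unchanged and remains owned by the caller.`, so that callers free the list exactly once on the error path. It would also help to note in the new block comment that the old value is discarded rather than copied, so when `val` is NULL the enlarged buffer appears to be handed back uninitialised (the body of the following `if( val != NULL )` is not visible here). The function starts and ends outside the hunk.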


@ -34,7 +34,7 @@
* [3] GNU Multi-Precision Arithmetic Library * [3] GNU Multi-Precision Arithmetic Library
* https://gmplib.org/manual/index.html * https://gmplib.org/manual/index.html
* *
*/ */
#if !defined(POLARSSL_CONFIG_FILE) #if !defined(POLARSSL_CONFIG_FILE)
#include "polarssl/config.h" #include "polarssl/config.h"
@ -1218,22 +1218,28 @@ int mpi_mul_int( mpi *X, const mpi *A, t_sint b )
} }
/* /*
* Unsigned integer divide - 64bit dividend and 32bit divisor * Unsigned integer divide - double t_uint, dividend, u1/u0, and t_uint
* divisor, d
*/ */
static t_uint int_div_int(t_uint u1, t_uint u0, t_uint d, t_uint *r) static t_uint int_div_int( t_uint u1, t_uint u0, t_uint d, t_uint *r )
{ {
#if defined(POLARSSL_HAVE_UDBL) #if defined(POLARSSL_HAVE_UDBL)
t_udbl dividend, quotient; t_udbl dividend, quotient;
#else
const t_uint radix = 1 << biH;
t_uint d0, d1, q0, q1, rAX, r0, quotient;
t_uint u0_msw, u0_lsw;
int s;
#endif #endif
/* /*
* Check for overflow * Check for overflow
*/ */
if(( 0 == d ) || ( u1 >= d )) if( 0 == d || u1 >= d )
{ {
if (r != NULL) *r = (~0); if ( r != NULL ) *r = ~0;
return (~0); return ( ~0 );
} }
#if defined(POLARSSL_HAVE_UDBL) #if defined(POLARSSL_HAVE_UDBL)
@ -1248,10 +1254,6 @@ static t_uint int_div_int(t_uint u1, t_uint u0, t_uint d, t_uint *r)
return (t_uint) quotient; return (t_uint) quotient;
#else #else
const t_uint radix = 1 << biH;
t_uint d0, d1, q0, q1, rAX, r0, quotient;
t_uint u0_msw, u0_lsw;
int s;
/* /*
* Algorithm D, Section 4.3.1 - The Art of Computer Programming * Algorithm D, Section 4.3.1 - The Art of Computer Programming
@ -1265,7 +1267,7 @@ static t_uint int_div_int(t_uint u1, t_uint u0, t_uint d, t_uint *r)
d = d << s; d = d << s;
u1 = u1 << s; u1 = u1 << s;
u1 |= (u0 >> (32 - s)) & ( (-s) >> 31); u1 |= ( u0 >> ( 32 - s ) ) & ( -s >> 31 );
u0 = u0 << s; u0 = u0 << s;
d1 = d >> biH; d1 = d >> biH;
@ -1288,7 +1290,7 @@ static t_uint int_div_int(t_uint u1, t_uint u0, t_uint d, t_uint *r)
if ( r0 >= radix ) break; if ( r0 >= radix ) break;
} }
rAX = (u1 * radix) + (u0_msw - q1 * d); rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
q0 = rAX / d1; q0 = rAX / d1;
r0 = rAX - q0 * d1; r0 = rAX - q0 * d1;
@ -1301,7 +1303,7 @@ static t_uint int_div_int(t_uint u1, t_uint u0, t_uint d, t_uint *r)
} }
if (r != NULL) if (r != NULL)
*r = (rAX * radix + u0_lsw - q0 * d) >> s; *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
quotient = q1 * radix + q0; quotient = q1 * radix + q0;
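Review bot: The declaration moved to the top of int_div_int(), `const t_uint radix = 1 << biH;`, shifts a plain `int`, so if `biH` can reach the width of `int` (a 64-bit `t_uint` built without POLARSSL_HAVE_UDBL, assuming `biH` is half the limb width) the shift is undefined; `const t_uint radix = (t_uint) 1 << biH;` avoids that. The normalisation line `u1 |= ( u0 >> ( 32 - s ) ) & ( -s >> 31 );` hard-codes the same 32-bit assumption, still evaluates a shift by the full width when `s` is 0 (the mask does not remove that undefined shift), and relies on an implementation-defined right shift of a negative `int`. Deriving both constants from the limb width (`biL`, if this file defines it as upstream does) and special-casing `s == 0` would make the non-UDBL path well defined for any `t_uint`. The function body is spread over several hunks and is not fully visible here.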


@ -191,7 +191,7 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
/* SHA1 + RSA signature */ /* SHA1 + RSA signature */
sig_alg_len += 2; sig_alg_len += 2;
#endif #endif
#if defined(POLARSSL_MD5_C) #if defined(POLARSSL_MD5_C) && defined(POLARSSL_SSL_ENABLE_MD5_SIGNATURES)
/* MD5 + RSA signature */ /* MD5 + RSA signature */
sig_alg_len += 2; sig_alg_len += 2;
#endif #endif
@ -209,7 +209,7 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
/* SHA1 + ECDSA signature */ /* SHA1 + ECDSA signature */
sig_alg_len += 2; sig_alg_len += 2;
#endif #endif
#if defined(POLARSSL_MD5_C) #if defined(POLARSSL_MD5_C) && defined(POLARSSL_SSL_ENABLE_MD5_SIGNATURES)
/* MD5 + ECDSA signature */ /* MD5 + ECDSA signature */
sig_alg_len += 2; sig_alg_len += 2;
#endif #endif
@ -243,7 +243,7 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1; sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
#endif #endif
#if defined(POLARSSL_MD5_C) #if defined(POLARSSL_MD5_C) && defined(POLARSSL_SSL_ENABLE_MD5_SIGNATURES)
sig_alg_list[sig_alg_len++] = SSL_HASH_MD5; sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
#endif #endif
@ -265,7 +265,7 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1; sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
#endif #endif
#if defined(POLARSSL_MD5_C) #if defined(POLARSSL_MD5_C) && defined(POLARSSL_SSL_ENABLE_MD5_SIGNATURES)
sig_alg_list[sig_alg_len++] = SSL_HASH_MD5; sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
#endif #endif
@ -2035,6 +2035,14 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
} }
#if !defined(POLARSSL_SSL_ENABLE_MD5_SIGNATURES)
if( md_alg == POLARSSL_MD_MD5 )
{
SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
#endif
} }
else else
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */ #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
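Review bot: The new MD5 rejection in ssl_parse_server_key_exchange() logs the same `"bad server key exchange message"` text as the parse failure directly above it, so a handshake refused by policy cannot be told apart in the debug output from a malformed message. A distinct message such as `SSL_DEBUG_MSG( 1, ( "server used MD5 signature, disabled by configuration" ) );` would make interoperability failures caused by this new default diagnosable. In ssl_write_signature_algorithms_ext() the same `#if` condition now has to match in four places (two length counts, two list fills); a one-line comment at the first of them saying that the count and fill blocks must stay in sync would guard against a later edit touching only one. Both functions continue outside the visible hunks.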


@ -492,6 +492,12 @@ static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
* So, just look at the HashAlgorithm part. * So, just look at the HashAlgorithm part.
*/ */
for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) { for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
#if !defined(POLARSSL_SSL_ENABLE_MD5_SIGNATURES)
/* Skip MD5 */
if( *md_cur == POLARSSL_MD_MD5 )
continue;
#endif
for( p = buf + 2; p < end; p += 2 ) { for( p = buf + 2; p < end; p += 2 ) {
if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) { if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
ssl->handshake->sig_alg = p[0]; ssl->handshake->sig_alg = p[0];