From 84cc74e82b8bbee3bdb9caf716cb5b33b5c02efa Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 11 May 2018 11:06:29 +0200 Subject: [PATCH] Fix undefined shifts - in x509_profile_check_pk_alg - in x509_profile_check_md_alg - in x509_profile_check_key and in ssl_cli.c : unsigned char gets promoted to signed integer --- ChangeLog | 6 ++++++ library/ssl_cli.c | 4 ++-- library/x509_crt.c | 9 +++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e2c68a954..35324cfa4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.7.6 branch released xxxx-xx-xx + +Bugfix + * Fix undefined shifts with negative values in certificates parsing + (found by Catena cyber using oss-fuzz) + = mbed TLS 2.7.5 branch released 2018-07-25 Security diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 7e068c7cd..8b1db9280 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3315,8 +3315,8 @@ static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); - lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | - ( msg[2] << 8 ) | ( msg[3] ); + lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) | + ( msg[2] << 8 ) | ( msg[3] ); ticket_len = ( msg[4] << 8 ) | ( msg[5] ); diff --git a/library/x509_crt.c b/library/x509_crt.c index 6751da0d2..5fa388bc2 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -152,6 +152,9 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb = static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile, mbedtls_md_type_t md_alg ) { + if( md_alg == MBEDTLS_MD_NONE ) + return( -1 ); + if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 ) return( 0 ); @@ -165,6 +168,9 @@ static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile, static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile, mbedtls_pk_type_t pk_alg ) { + if( pk_alg == MBEDTLS_PK_NONE ) + return( -1 ); + if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 ) return( 0 ); @@ -196,6 +202,9 @@ static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile, { mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id; + if( gid == MBEDTLS_ECP_DP_NONE ) + return( -1 ); + if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 ) return( 0 );