Merge pull request #296 from ARMmbed/polarssl-1.2-restricted

Merge of polarssl-1.2-restricted

ChangeLog

@@ -2,6 +2,14 @@ PolarSSL ChangeLog
 
 = Version 1.2.16 released 2015-??-??
 
+Security
+   * Fix possible client-side NULL pointer dereference (read) when the client
+     tries to continue the handshake after it failed (a misuse of the API).
+     (Found by GDS Labs using afl-fuzz.)
+   * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
+     signatures. (Found by Florian Weimer, Red Hat.)
+     https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
+
 Bugfix
    * Fix unused function warning when using MBEDTLS_MDx_ALT or
      MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)

library/rsa.c

@@ -919,6 +919,11 @@ int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
 {
     size_t nb_pad, olen;
     unsigned char *p = sig;
+    unsigned char *sig_try = NULL, *verif = NULL;
+    size_t i;
+    unsigned char diff;
+    volatile unsigned char diff_no_optimize;
+    int ret;
 
     if( ctx->padding != RSA_PKCS_V15 )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
@@ -1021,9 +1026,39 @@ int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
             return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
     }
 
-    return( ( mode == RSA_PUBLIC )
+    if( mode == RSA_PUBLIC )
-            ? rsa_public(  ctx, sig, sig )
+        return( rsa_public(  ctx, sig, sig ) );
-            : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
+
+    /*
+     * In order to prevent Lenstra's attack, make the signature in a
+     * temporary buffer and check it before returning it.
+     */
+    sig_try = malloc( ctx->len );
+    verif   = malloc( ctx->len );
+    if( sig_try == NULL || verif == NULL )
+        return( POLARSSL_ERR_MPI_MALLOC_FAILED );
+
+    MPI_CHK( rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
+    MPI_CHK( rsa_public( ctx, sig_try, verif ) );
+
+    /* Compare in constant time just in case */
+    for( diff = 0, i = 0; i < ctx->len; i++ )
+        diff |= verif[i] ^ sig[i];
+    diff_no_optimize = diff;
+
+    if( diff_no_optimize != 0 )
+    {
+        ret = POLARSSL_ERR_RSA_PRIVATE_FAILED;
+        goto cleanup;
+    }
+
+    memcpy( sig, sig_try, ctx->len );
+
+cleanup:
+    free( sig_try );
+    free( verif );
+
+    return( ret );
 }
 
 /*

library/ssl_cli.c

@@ -693,6 +693,12 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
     }
 
+    if( ssl->session_negotiate->peer_cert == NULL )
+    {
+        SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+        return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
     SSL_DEBUG_BUF( 3,   "server key exchange", ssl->in_msg + 4, ssl->in_hslen - 4 );
 
     /*
@@ -1119,6 +1125,12 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
         /*
          * RSA key exchange -- send rsa_public(pkcs1 v1.5(premaster))
          */
+        if( ssl->session_negotiate->peer_cert == NULL )
+        {
+            SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+            return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+        }
+
         ssl->handshake->premaster[0] = (unsigned char) ssl->max_major_ver;
         ssl->handshake->premaster[1] = (unsigned char) ssl->max_minor_ver;
         ssl->handshake->pmslen = 48;