mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-29 16:04:23 +01:00
Merge fix for IOTSSL-474 PKCS12 Overflow
Fix stack buffer overflow in PKCS12
This commit is contained in:
commit
d5ba4672b2
@ -4,10 +4,13 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
|||||||
|
|
||||||
Security
|
Security
|
||||||
* Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
|
* Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
|
||||||
overflow of the hostname or session ticket. (Found by Guido Vranken).
|
overflow of the hostname or session ticket. Found by Guido Vranken.
|
||||||
* Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
|
* Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
|
||||||
once in the same handhake and mbedtls_ssl_conf_psk() was used.
|
once in the same handhake and mbedtls_ssl_conf_psk() was used.
|
||||||
Found and patch provided by Guido Vranken. Cannot be forced remotely.
|
Found and patch provided by Guido Vranken. Cannot be forced remotely.
|
||||||
|
* Fix stack buffer overflow in pkcs12 decryption (used by
|
||||||
|
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
|
||||||
|
Found by Guido Vranken. Not triggerable remotely.
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
|
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
|
||||||
|
@ -86,6 +86,8 @@ static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params,
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#define PKCS12_MAX_PWDLEN 128
|
||||||
|
|
||||||
static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
|
static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
|
||||||
const unsigned char *pwd, size_t pwdlen,
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
unsigned char *key, size_t keylen,
|
unsigned char *key, size_t keylen,
|
||||||
@ -94,7 +96,10 @@ static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_ty
|
|||||||
int ret, iterations;
|
int ret, iterations;
|
||||||
mbedtls_asn1_buf salt;
|
mbedtls_asn1_buf salt;
|
||||||
size_t i;
|
size_t i;
|
||||||
unsigned char unipwd[258];
|
unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
|
||||||
|
|
||||||
|
if( pwdlen > PKCS12_MAX_PWDLEN )
|
||||||
|
return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA );
|
||||||
|
|
||||||
memset( &salt, 0, sizeof(mbedtls_asn1_buf) );
|
memset( &salt, 0, sizeof(mbedtls_asn1_buf) );
|
||||||
memset( &unipwd, 0, sizeof(unipwd) );
|
memset( &unipwd, 0, sizeof(unipwd) );
|
||||||
@ -125,6 +130,8 @@ static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_ty
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#undef PKCS12_MAX_PWDLEN
|
||||||
|
|
||||||
int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
|
int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
const unsigned char *pwd, size_t pwdlen,
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
const unsigned char *data, size_t len,
|
const unsigned char *data, size_t len,
|
||||||
|
Loading…
Reference in New Issue
Block a user