mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 07:55:46 +01:00
Merge remote-tracking branch 'public/pr/1846' into mbedtls-2.1
This commit is contained in:
commit
eebee76f93
@ -21,6 +21,9 @@ Bugfix
|
|||||||
Changes
|
Changes
|
||||||
* Change the shebang line in Perl scripts to look up perl in the PATH.
|
* Change the shebang line in Perl scripts to look up perl in the PATH.
|
||||||
Contributed by fbrosson in #1533.
|
Contributed by fbrosson in #1533.
|
||||||
|
* Adds of lengths checks in different functions (not a security issue as
|
||||||
|
original buffer is overgrown) thanks to Philippe Antoine from Catena
|
||||||
|
cyber. #1663.
|
||||||
|
|
||||||
= mbed TLS 2.1.13 branch released 2018-06-18
|
= mbed TLS 2.1.13 branch released 2018-06-18
|
||||||
|
|
||||||
|
@ -1141,12 +1141,12 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
|
|||||||
size_t list_size;
|
size_t list_size;
|
||||||
const unsigned char *p;
|
const unsigned char *p;
|
||||||
|
|
||||||
list_size = buf[0];
|
if( len == 0 || (size_t)( buf[0] + 1 ) != len )
|
||||||
if( list_size + 1 != len )
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
}
|
}
|
||||||
|
list_size = buf[0];
|
||||||
|
|
||||||
p = buf + 1;
|
p = buf + 1;
|
||||||
while( list_size > 0 )
|
while( list_size > 0 )
|
||||||
@ -2494,7 +2494,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
|||||||
* therefore the buffer length at this point must be greater than that
|
* therefore the buffer length at this point must be greater than that
|
||||||
* regardless of the actual code path.
|
* regardless of the actual code path.
|
||||||
*/
|
*/
|
||||||
if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
|
if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
|
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
|
||||||
|
@ -97,6 +97,13 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
|
||||||
|
|
||||||
|
if( len < 2 )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
|
}
|
||||||
servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
||||||
if( servername_list_size + 2 != len )
|
if( servername_list_size + 2 != len )
|
||||||
{
|
{
|
||||||
@ -105,7 +112,7 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
|
|||||||
}
|
}
|
||||||
|
|
||||||
p = buf + 2;
|
p = buf + 2;
|
||||||
while( servername_list_size > 0 )
|
while( servername_list_size > 2 )
|
||||||
{
|
{
|
||||||
hostname_len = ( ( p[1] << 8 ) | p[2] );
|
hostname_len = ( ( p[1] << 8 ) | p[2] );
|
||||||
if( hostname_len + 3 > servername_list_size )
|
if( hostname_len + 3 > servername_list_size )
|
||||||
@ -211,6 +218,12 @@ static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
|
|||||||
mbedtls_md_type_t md_cur;
|
mbedtls_md_type_t md_cur;
|
||||||
mbedtls_pk_type_t sig_cur;
|
mbedtls_pk_type_t sig_cur;
|
||||||
|
|
||||||
|
if ( len < 2 ) {
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
|
}
|
||||||
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
||||||
if( sig_alg_list_size + 2 != len ||
|
if( sig_alg_list_size + 2 != len ||
|
||||||
sig_alg_list_size % 2 != 0 )
|
sig_alg_list_size % 2 != 0 )
|
||||||
@ -276,6 +289,12 @@ static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
|
|||||||
const unsigned char *p;
|
const unsigned char *p;
|
||||||
const mbedtls_ecp_curve_info *curve_info, **curves;
|
const mbedtls_ecp_curve_info *curve_info, **curves;
|
||||||
|
|
||||||
|
if ( len < 2 ) {
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
|
}
|
||||||
list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
||||||
if( list_size + 2 != len ||
|
if( list_size + 2 != len ||
|
||||||
list_size % 2 != 0 )
|
list_size % 2 != 0 )
|
||||||
@ -327,12 +346,12 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
|
|||||||
size_t list_size;
|
size_t list_size;
|
||||||
const unsigned char *p;
|
const unsigned char *p;
|
||||||
|
|
||||||
list_size = buf[0];
|
if( len == 0 || (size_t)( buf[0] + 1 ) != len )
|
||||||
if( list_size + 1 != len )
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
}
|
}
|
||||||
|
list_size = buf[0];
|
||||||
|
|
||||||
p = buf + 1;
|
p = buf + 1;
|
||||||
while( list_size > 0 )
|
while( list_size > 0 )
|
||||||
@ -1573,10 +1592,16 @@ read_record_header:
|
|||||||
|
|
||||||
while( ext_len != 0 )
|
while( ext_len != 0 )
|
||||||
{
|
{
|
||||||
unsigned int ext_id = ( ( ext[0] << 8 )
|
unsigned int ext_id;
|
||||||
| ( ext[1] ) );
|
unsigned int ext_size;
|
||||||
unsigned int ext_size = ( ( ext[2] << 8 )
|
if ( ext_len < 4 ) {
|
||||||
| ( ext[3] ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
|
}
|
||||||
|
ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) );
|
||||||
|
ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) );
|
||||||
|
|
||||||
if( ext_size + 4 > ext_len )
|
if( ext_size + 4 > ext_len )
|
||||||
{
|
{
|
||||||
@ -3166,6 +3191,10 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
|
|||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
|
if ( p + 2 > end ) {
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
||||||
|
}
|
||||||
if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
|
if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
|
||||||
*p++ != ( ( len ) & 0xFF ) )
|
*p++ != ( ( len ) & 0xFF ) )
|
||||||
{
|
{
|
||||||
|
@ -1132,6 +1132,9 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
|
|||||||
* other_secret already set by the ClientKeyExchange message,
|
* other_secret already set by the ClientKeyExchange message,
|
||||||
* and is 48 bytes long
|
* and is 48 bytes long
|
||||||
*/
|
*/
|
||||||
|
if( end - p < 2 )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
*p++ = 0;
|
*p++ = 0;
|
||||||
*p++ = 48;
|
*p++ = 48;
|
||||||
p += 48;
|
p += 48;
|
||||||
@ -4461,6 +4464,12 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
while( i < ssl->in_hslen )
|
while( i < ssl->in_hslen )
|
||||||
{
|
{
|
||||||
|
if ( i + 3 > ssl->in_hslen ) {
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
|
||||||
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
|
||||||
|
}
|
||||||
if( ssl->in_msg[i] != 0 )
|
if( ssl->in_msg[i] != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
|
||||||
|
Loading…
Reference in New Issue
Block a user