Fix missing definition of mbedtls_zeroize when MBEDTLS_FS_IO is
disabled in the configuration.
Introduced by e298532394
Merge remote-tracking branch 'upstream-public/pr/1113' into mbedtls-1.3
The definition of SSL_MAC_ADD depends on the presence of the
configuration option POLARSSL_ARC4_C, which was misspelled as
POLARSSL_RC4_C in ssl.h, leading to a too small buffer and
subsequently to a buffer overflow during record processing.
This commit fixes the typo.
For a start, they don't even compile with Visual Studio due to strcasecmp
being missing. Secondly, on Windows Perl scripts aren't executable and have
to be run using the Perl interpreter directly; thankfully CMake is able to
find cygwin Perl straight away without problems.
The variable ret was always initialized in entropy_gather_internal,
but `gcc -Werror=maybe-uninitialized` rightfully complained that it
was unable to determine this statically. Therefore, tweak the
problematic case (ctx->source_count == 0) to not use ret in that case.
Previously, MAC validation for an incoming record proceeded as follows:
1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.
This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.
For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.
This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
restricting to the first 10 bytes if truncated HMAC is used.
A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
The function ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.
This commit modifies mpi_read_binary to always allocate the minimum number of
limbs required to hold the entire buffer provided to the function, regardless of
its content. Previously, leading zero bytes in the input data were detected and
used to reduce memory footprint and time, but this non-constant behavior turned
out to be non-tolerable for the cryptographic applications this function is used
for.
