From 4dfecabb977ebf24d3cff66e43bc96aa21d2c077 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 14 Mar 2016 13:40:43 +0000 Subject: [PATCH 01/10] Update default configuration Change the default settings for SSL and modify the tests accordingly. --- ChangeLog | 1 + include/polarssl/config.h | 2 +- tests/compat.sh | 2 +- tests/scripts/all.sh | 21 +++++++++++++++++++++ tests/ssl-opt.sh | 18 ++++++++++++++++++ 5 files changed, 42 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c153a7b65..f3e6d1d9e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,7 @@ Changes * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, don't use the optimized assembly for bignum multiplication. This removes the need to pass -fomit-frame-pointer to avoid a build error with -O0. + * Disabled SSLv3 in the default configuration. = mbed TLS 1.3.16 released 2016-01-05 diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 4929aa1a9..8fdf36e84 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -1012,7 +1012,7 @@ * * Comment this macro to disable support for SSL 3.0 */ -#define POLARSSL_SSL_PROTO_SSL3 +//#define POLARSSL_SSL_PROTO_SSL3 /** * \def POLARSSL_SSL_PROTO_TLS1 diff --git a/tests/compat.sh b/tests/compat.sh index 04af41003..8d057af67 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -45,7 +45,7 @@ else fi # default values for options -MODES="ssl3 tls1 tls1_1 tls1_2" +MODES="tls1 tls1_1 tls1_2" VERIFIES="NO YES" TYPES="ECDSA RSA PSK" FILTER="" diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index dfc0061ca..ae82f7ba7 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -103,6 +103,27 @@ cd tests ./compat.sh cd .. +msg "build: Default + SSLv3 (ASan build)" # ~ 6 min +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl set POLARSSL_SSL_PROTO_SSL3 +CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . +make + +msg "test: SSLv3 - main suites and selftest (ASan build)" # ~ 50s +make test +programs/test/selftest + +msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min +cd tests +./compat.sh -m 'ssl3 tls1 tls1_1 tls1_2' +cd .. + +msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min +cd tests +./ssl-opt.sh +cd .. + msg "build: cmake, full config, clang" # ~ 50s cleanup cp "$CONFIG_H" "$CONFIG_BAK" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e2efae91c..dcf9bb1c2 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -66,6 +66,13 @@ get_options() { done } +# skip next test if the flag is not enabled in config.h +requires_config_enabled() { + if grep "^#define $1" $CONFIG_H > /dev/null; then :; else + SKIP_NEXT="YES" + fi +} + # skip next test if OpenSSL can't send SSLv2 ClientHello requires_openssl_with_sslv2() { if [ -z "${OPENSSL_HAS_SSL2:-}" ]; then @@ -560,6 +567,7 @@ run_test "Encrypt then MAC: client disabled, server enabled" \ -C "using encrypt then mac" \ -S "using encrypt then mac" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Encrypt then MAC: client SSLv3, server enabled" \ "$P_SRV debug_level=3 min_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ @@ -572,6 +580,7 @@ run_test "Encrypt then MAC: client SSLv3, server enabled" \ -C "using encrypt then mac" \ -S "using encrypt then mac" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Encrypt then MAC: client enabled, server SSLv3" \ "$P_SRV debug_level=3 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ @@ -619,6 +628,7 @@ run_test "Extended Master Secret: client disabled, server enabled" \ -C "using extended master secret" \ -S "using extended master secret" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Extended Master Secret: client SSLv3, server enabled" \ "$P_SRV debug_level=3 min_version=ssl3" \ "$P_CLI debug_level=3 force_version=ssl3" \ @@ -630,6 +640,7 @@ run_test "Extended Master Secret: client SSLv3, server enabled" \ -C "using extended master secret" \ -S "using extended master secret" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Extended Master Secret: client enabled, server SSLv3" \ "$P_SRV debug_level=3 force_version=ssl3" \ "$P_CLI debug_level=3 min_version=ssl3" \ @@ -748,6 +759,7 @@ run_test "CBC Record splitting: TLS 1.0, splitting" \ -s "Read from client: 1 bytes read" \ -s "122 bytes read" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "CBC Record splitting: SSLv3, splitting" \ "$P_SRV min_version=ssl3" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -1454,6 +1466,7 @@ run_test "Authentication: client no cert, openssl server optional" \ -c "skip write certificate verify" \ -C "! ssl_handshake returned" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Authentication: client no cert, ssl3" \ "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \ "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \ @@ -2159,6 +2172,7 @@ run_test "PSK callback: wrong key" \ # Tests for ciphersuites per version +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Per-version suites: SSL3" \ "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ "$P_CLI force_version=ssl3" \ @@ -2199,6 +2213,7 @@ run_test "ssl_get_bytes_avail: extra data" \ # Tests for small packets +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Small packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=1 force_version=ssl3 \ @@ -2206,6 +2221,7 @@ run_test "Small packet SSLv3 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Small packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1" \ "$P_CLI request_size=1 force_version=ssl3 \ @@ -2340,6 +2356,7 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \ # Test for large packets +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Large packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \ @@ -2347,6 +2364,7 @@ run_test "Large packet SSLv3 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled POLARSSL_SSL_PROTO_SSL3 run_test "Large packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1" \ "$P_CLI request_size=16384 force_version=ssl3 \ From 19db48e16aaa7188749df761525fd029627dca58 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 9 Feb 2016 14:51:35 +0000 Subject: [PATCH 02/10] Included test for integer underflow. --- library/rsa.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 5ab636f52..6f652189f 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -710,8 +710,12 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, */ hlen = md_get_size( md_info ); - md_init( &md_ctx ); - md_init_ctx( &md_ctx, md_info ); + // checking for integer underflow + if( 2 * hlen + 2 > ilen ) + return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + + mbedtls_md_init( &md_ctx ); + mbedtls_md_setup( &md_ctx, md_info, 0 ); /* Generate lHash */ md( md_info, label, label_len, lhash ); From 45a5f7406de50a6e2dac0289009a2d19ea9c0798 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 10 Feb 2016 16:40:16 +0000 Subject: [PATCH 03/10] Add Changelog entry for current branch --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 86e000a22..7d3c5f26d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ Security * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt required by PKCS1 v2.2 +Security + * Fix a potential integer underflow to buffer overread in + mbedtls_rsa_rsaes_oaep_decrypt + Bugfix * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three arguments where the same (in-place doubling). Found and fixed by Janos From 1d114d2efa76ba77a4fa256bca4e412f32b611ac Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 11 Feb 2016 11:08:18 +0000 Subject: [PATCH 04/10] Move underflow test to make time constant --- library/rsa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/rsa.c b/library/rsa.c index 6f652189f..54635001c 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -695,6 +695,12 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, if( md_info == NULL ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + hlen = mbedtls_md_get_size( md_info ); + + // checking for integer underflow + if( 2 * hlen + 2 > ilen ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + /* * RSA operation */ From e8864dd066699aad7b3c4fcfe630827454cdc539 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 11 Feb 2016 11:15:44 +0000 Subject: [PATCH 05/10] Extended ChangeLog entry --- ChangeLog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 7d3c5f26d..9173c3db5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,7 +8,8 @@ Security Security * Fix a potential integer underflow to buffer overread in - mbedtls_rsa_rsaes_oaep_decrypt + mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in + SSL/TLS. Bugfix * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three From da51d9cbabe32dc5f22ee65c7e3bf3a55315f57b Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Wed, 16 Mar 2016 23:31:03 +0000 Subject: [PATCH 06/10] Fix ChangeLog after merging fix for IOTSSL-628 --- ChangeLog | 2 -- 1 file changed, 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9173c3db5..e54e74c18 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,8 +5,6 @@ mbed TLS ChangeLog (Sorted per branch, date) Security * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt required by PKCS1 v2.2 - -Security * Fix a potential integer underflow to buffer overread in mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in SSL/TLS. From 0bc725f2956da4f25fed2c93f058c67f8b6b26d1 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Thu, 17 Mar 2016 00:57:18 +0000 Subject: [PATCH 07/10] Fix for backprt of IOTSSL-628 Corrections to constand and function names changed between 1.3 and 2.1 --- library/rsa.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 54635001c..1472bd09b 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -695,11 +695,11 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, if( md_info == NULL ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); - hlen = mbedtls_md_get_size( md_info ); + hlen = md_get_size( md_info ); // checking for integer underflow if( 2 * hlen + 2 > ilen ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); /* * RSA operation @@ -720,8 +720,8 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx, if( 2 * hlen + 2 > ilen ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); - mbedtls_md_init( &md_ctx ); - mbedtls_md_setup( &md_ctx, md_info, 0 ); + md_init( &md_ctx ); + md_init_ctx( &md_ctx, md_info ); /* Generate lHash */ md( md_info, label, label_len, lhash ); From 7f1d78b56045de84910a45bc99b2509c0ab18cad Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 10 Feb 2016 16:25:55 +0000 Subject: [PATCH 08/10] Add Changelog entry for current branch --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index e54e74c18..aef64c11e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ Security mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in SSL/TLS. +Security + * Fix potential integer overflow to buffer overflow in + mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt + Bugfix * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three arguments where the same (in-place doubling). Found and fixed by Janos From 6e5fb63cf61721ad56e490969b9112ae540c9a2e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 8 Feb 2016 14:52:29 +0000 Subject: [PATCH 09/10] Included tests for the overflow Conflicts: library/rsa.c --- library/rsa.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 1472bd09b..e8aed73c8 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -519,7 +519,8 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx, olen = ctx->len; hlen = md_get_size( md_info ); - if( olen < ilen + 2 * hlen + 2 ) + // first comparison checks for overflow + if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); memset( output, 0, olen ); @@ -585,7 +586,8 @@ int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx, olen = ctx->len; - if( olen < ilen + 11 ) + // first comparison checks for overflow + if( ilen + 11 < ilen || olen < ilen + 11 ) return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); nb_pad = olen - 3 - ilen; From fb2304a6407b4ad373e4fc3537e740128b5a375e Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Thu, 17 Mar 2016 11:03:14 +0000 Subject: [PATCH 10/10] Fix ChangeLog for backport of IOTSSL-621 --- ChangeLog | 2 -- 1 file changed, 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index aef64c11e..9cc7722ac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,8 +8,6 @@ Security * Fix a potential integer underflow to buffer overread in mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in SSL/TLS. - -Security * Fix potential integer overflow to buffer overflow in mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt