File CVE-2018-0488.patch of Package mbedtls.7991
From: Karol Babioch <kbabioch@suse.com>
Date: Wed Feb 14 12:22:17 CET 2018
References: 992b6872f3ca717282ae367749a47f006d337a87
References: 464147cadc694379b7717afb7b517fe05cdb323f
Upstream: merged
Backport of several upstream commits to fix CVE-2018-0487
---
library/ssl_tls.c | 58 +++++++++++++++++++++++++++++-------------------------
1 file changed, 32 insertions(+), 26 deletions(-)
Index: library/ssl_tls.c
===================================================================
--- library/ssl_tls.c.orig
+++ library/ssl_tls.c
@@ -1050,9 +1050,11 @@ int ssl_psk_derive_premaster( ssl_contex
/*
* SSLv3.0 MAC functions
*/
-static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
- unsigned char *buf, size_t len,
- unsigned char *ctr, int type )
+static void ssl_mac( md_context_t *md_ctx,
+ const unsigned char *secret,
+ const unsigned char *buf, size_t len,
+ const unsigned char *ctr, int type,
+ unsigned char out[20] )
{
unsigned char header[11];
unsigned char padding[48];
@@ -1077,14 +1079,14 @@ static void ssl_mac( md_context_t *md_ct
md_update( md_ctx, padding, padlen );
md_update( md_ctx, header, 11 );
md_update( md_ctx, buf, len );
- md_finish( md_ctx, buf + len );
+ md_finish( md_ctx, out );
memset( padding, 0x5C, padlen );
md_starts( md_ctx );
md_update( md_ctx, secret, md_size );
md_update( md_ctx, padding, padlen );
- md_update( md_ctx, buf + len, md_size );
- md_finish( md_ctx, buf + len );
+ md_update( md_ctx, out, md_size );
+ md_finish( md_ctx, out );
}
#endif /* POLARSSL_SSL_PROTO_SSL3 */
@@ -1130,10 +1132,15 @@ static int ssl_encrypt_buf( ssl_context
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
{
+ unsigned char mac[20]; /* SHA-1 at most */
+
ssl_mac( &ssl->transform_out->md_ctx_enc,
ssl->transform_out->mac_enc,
ssl->out_msg, ssl->out_msglen,
- ssl->out_ctr, ssl->out_msgtype );
+ ssl->out_ctr, ssl->out_msgtype,
+ mac );
+
+ memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
}
else
#endif
@@ -1141,12 +1148,15 @@ static int ssl_encrypt_buf( ssl_context
defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
{
+ unsigned char mac[SSL_MAC_ADD];
+
md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
md_hmac_update( &ssl->transform_out->md_ctx_enc,
ssl->out_msg, ssl->out_msglen );
- md_hmac_finish( &ssl->transform_out->md_ctx_enc,
- ssl->out_msg + ssl->out_msglen );
+ md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
md_hmac_reset( &ssl->transform_out->md_ctx_enc );
+
+ memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
}
else
#endif
@@ -1419,8 +1429,6 @@ static int ssl_encrypt_buf( ssl_context
return( 0 );
}
-#define POLARSSL_SSL_MAX_MAC_SIZE 48
-
static int ssl_decrypt_buf( ssl_context *ssl )
{
size_t i;
@@ -1588,7 +1596,7 @@ static int ssl_decrypt_buf( ssl_context
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
if( ssl->session_in->encrypt_then_mac == SSL_ETM_ENABLED )
{
- unsigned char computed_mac[POLARSSL_SSL_MAX_MAC_SIZE];
+ unsigned char mac_expect[SSL_MAC_ADD];
unsigned char pseudo_hdr[13];
SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
@@ -1606,15 +1614,15 @@ static int ssl_decrypt_buf( ssl_context
md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
md_hmac_update( &ssl->transform_in->md_ctx_dec,
ssl->in_iv, ssl->in_msglen );
- md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac );
+ md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
md_hmac_reset( &ssl->transform_in->md_ctx_dec );
SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
ssl->transform_in->maclen );
- SSL_DEBUG_BUF( 4, "computed mac", computed_mac,
+ SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
ssl->transform_in->maclen );
- if( safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac,
+ if( safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
ssl->transform_in->maclen ) != 0 )
{
SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
@@ -1775,22 +1783,21 @@ static int ssl_decrypt_buf( ssl_context
#if defined(POLARSSL_SOME_MODES_USE_MAC)
if( auth_done == 0 )
{
- unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
+ unsigned char mac_expect[SSL_MAC_ADD];
ssl->in_msglen -= ssl->transform_in->maclen;
ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
- memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
-
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
{
ssl_mac( &ssl->transform_in->md_ctx_dec,
ssl->transform_in->mac_dec,
ssl->in_msg, ssl->in_msglen,
- ssl->in_ctr, ssl->in_msgtype );
+ ssl->in_ctr, ssl->in_msgtype,
+ mac_expect );
}
else
#endif /* POLARSSL_SSL_PROTO_SSL3 */
@@ -1820,8 +1827,7 @@ static int ssl_decrypt_buf( ssl_context
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
ssl->in_msglen );
- md_hmac_finish( &ssl->transform_in->md_ctx_dec,
- ssl->in_msg + ssl->in_msglen );
+ md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
/* Call md_process at least once due to cache attacks */
for( j = 0; j < extra_run + 1; j++ )
md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
@@ -1836,12 +1842,12 @@ static int ssl_decrypt_buf( ssl_context
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
- SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
- SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
- ssl->transform_in->maclen );
+ SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
+ SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen,
+ ssl->transform_in->maclen );
- if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
- ssl->transform_in->maclen ) != 0 )
+ if( safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
+ ssl->transform_in->maclen ) != 0 )
{
#if defined(POLARSSL_SSL_DEBUG_ALL)
SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
