From b51130dd5ce743f27762a0c1b9685b4ad5aa32d5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 27 Sep 2019 14:00:36 +0200 Subject: [PATCH 1/7] Parse HelloVerifyRequest: avoid buffer overread on the cookie In ssl_parse_hello_verify_request, we print cookie_len bytes without checking that there are that many bytes left in ssl->in_msg. This could potentially log data outside the received message (not a big deal) and could potentially read from memory outside of the receive buffer (which would be a remotely exploitable crash). --- library/ssl_cli.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 57e5d8ab9..9e0accc7e 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1605,8 +1605,6 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) } cookie_len = *p++; - MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); - if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) { MBEDTLS_SSL_DEBUG_MSG( 1, @@ -1615,6 +1613,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } + MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); mbedtls_free( ssl->handshake->verify_cookie ); From b64bf0638feba116beb8ee4e5e2145449de27127 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 27 Sep 2019 14:02:44 +0200 Subject: [PATCH 2/7] Parse HelloVerifyRequest: avoid buffer overread at the start In ssl_parse_hello_verify_request, we read 3 bytes (version and cookie length) without checking that there are that many bytes left in ssl->in_msg. This could potentially read from memory outside of the ssl->receive buffer (which would be a remotely exploitable crash). --- library/ssl_cli.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 9e0accc7e..af5ccf6cc 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
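Review bot: The bounds check that the debug dump now sits behind, `if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )`, only guarantees that cookie_len bytes are still available; it does not reject a HelloVerifyRequest that carries extra bytes after the cookie. Unless a later check outside the hunk compares the consumed length against ssl->in_msglen, such trailing data is silently accepted even though the message has no further fields after the cookie (server_version plus cookie, as the struct comment in the next patch shows). I would tighten the condition to `if( ( ssl->in_msg + ssl->in_msglen ) - p != cookie_len )` with the same alert and error return, so a malformed message is rejected rather than partially parsed. Moving the MBEDTLS_SSL_DEBUG_BUF after the check is the right fix for the overread itself. ssl_parse_hello_verify_request starts and ends outside the hunk.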
@@ -1577,6 +1577,19 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); + /* Check that there is enough room for: + * - 2 bytes of version + * - 1 byte of cookie_len + */ + if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "incoming HelloVerifyRequest message is too short" ) ); + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } + /* * struct { * ProtocolVersion server_version; From 1c668136afd261994af042d7d0585262c41fc64e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 27 Sep 2019 14:07:00 +0200 Subject: [PATCH 3/7] Parse HelloVerifyRequest buffer overread: add changelog entry --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index f16c97e8f..2dafb0e4b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.xx.x branch released xxxx-xx-xx + +Security + * Fix a potentially remotely exploitable buffer overread in a + DTLS client when parsing the Hello Verify Request message. + = mbed TLS 2.19.0 branch released 2019-09-06 Security From a4aa89b16eb655999e45d873563e6712eece1c36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 25 Mar 2020 12:41:29 +0100 Subject: [PATCH 4/7] Fix leakage of projective coordinates in ECC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See the comments in the code for how an attack would go, and the ChangeLog entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar over several signatures translates to full private key recovery using a lattice attack.) Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog | 7 +++++++ library/ecp.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) 
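Review bot: The new check `if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )` is not backed by a regression test; the diffstat for this patch touches only library/ssl_cli.c, so nothing exercises a truncated HelloVerifyRequest (0, 1 or 2 bytes after the handshake header), which is the case that previously read past the message. The check itself is sound, including when in_msglen is shorter than the handshake header, since the sum on the left is then larger than in_msglen. As a style point, the comment enumerates the two fields but the code uses a bare 3; writing `if( mbedtls_ssl_hs_hdr_len( ssl ) + 2 + 1 > ssl->in_msglen )` ties the constant to the comment. The body of ssl_parse_hello_verify_request continues outside the hunk.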
diff --git a/ChangeLog b/ChangeLog index bcceebb7d..491b86a71 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,13 @@ New deprecations * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the SSL module for hardware acceleration of individual records. +Security + * Fix side channel in ECC code that allowed an adversary with access to + precise enough timing and memory access information (typically an + untrusted operating system attacking a secure enclave) to fully recover + an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, + Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932 + Bugfix * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and MBEDTLS_SSL_HW_RECORD_ACCEL are enabled. diff --git a/library/ecp.c b/library/ecp.c index ee0a460ab..d3e42a94d 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -2016,6 +2016,20 @@ static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp, final_norm: #endif + /* + * Knowledge of the jacobian coordinates may leak the last few bits of the + * scalar [1], and since our MPI implementation isn't constant-flow, + * inversion (used for coordinate normalization) may leak the full value + * of its input via side-channels [2]. + * + * [1] https://eprint.iacr.org/2003/191 + * [2] https://eprint.iacr.org/2020/055 + * + * Avoid the leak by randomizing coordinates before we normalize them. + */ + if( f_rng != 0 ) + MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) ); + MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV ); MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) ); 
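Review bot: The coordinate blinding is skipped when no RNG is supplied (`if( f_rng != 0 )`), so the leak the new comment describes remains for any caller that passes a NULL f_rng, and neither the comment nor the ChangeLog entry in this patch says that the fix is conditional on an RNG being provided. I would add a line to the comment, `* If f_rng is NULL no blinding is applied and the leak remains: callers that use a secret scalar must supply an RNG.`, and consider whether the entry points that take a secret scalar should treat a NULL f_rng as an error rather than silently degrading. Minor: the Montgomery-ladder hunk later in this patch spells the same guard `f_rng != NULL`; use one form in both places. ecp_mul_comb_after_precomp starts and ends outside the hunk.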
@@ -2388,6 +2402,20 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) ); } + /* + * Knowledge of the projective coordinates may leak the last few bits of the + * scalar [1], and since our MPI implementation isn't constant-flow, + * inversion (used for coordinate normalization) may leak the full value + * of its input via side-channels [2]. + * + * [1] https://eprint.iacr.org/2003/191 + * [2] https://eprint.iacr.org/2020/055 + * + * Avoid the leak by randomizing coordinates before we normalize them. + */ + if( f_rng != NULL ) + MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) ); cleanup: From ee85686339609a65652272ef5d6fd224b4c9d671 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 8 Apr 2020 16:58:36 +0100 Subject: [PATCH 5/7] Add missing ChangeLog entry The MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH build option has been added since the last release, but there was no entry for it in the ChangeLog. Signed-off-by: Janos Follath --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index 5c4a84621..a6983a791 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,11 @@ Security an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932 +Features + * The new build option MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH automatically + resizes the I/O buffers before and after handshakes, reducing the memory + consumption during application data transfer. + Bugfix * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and MBEDTLS_SSL_HW_RECORD_ACCEL are enabled. From 876e0259d50a9672bdd7b41853467eed2b1f51a7 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 8 Apr 2020 17:15:18 +0100 Subject: [PATCH 6/7] Bump version to Mbed TLS 2.22.0 
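Review bot: The guard `if( f_rng != NULL )` makes the blinding optional, so with a NULL RNG the point reaches ecp_normalize_mxz with unblinded projective coordinates and the side channel referenced by [1] and [2] is not closed; the comment presents the randomization as the fix without stating this precondition. I would document it where the guard is, `/* Without an RNG no blinding is possible and the leak above remains. */`, and reflect it in the ChangeLog wording ("when an RNG is provided") so integrators do not assume the mitigation is unconditional. If ecp_randomize_mxz fails, MBEDTLS_MPI_CHK jumps to cleanup with R unnormalized; that appears to be the existing error convention in this function, but the comment could say that R is not meaningful on error. ecp_mul_mxz starts outside the hunk and its cleanup label continues past it.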
Signed-off-by: Janos Follath --- ChangeLog | 2 +- doxygen/input/doc_mainpage.h | 2 +- doxygen/mbedtls.doxyfile | 2 +- include/mbedtls/version.h | 8 ++++---- library/CMakeLists.txt | 6 +++--- tests/suites/test_suite_version.data | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index a6983a791..509c74cd8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS x.x.x branch released xxxx-xx-xx += mbed TLS 2.22.0 branch released 2020-04-14 New deprecations * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 8e2539de0..749d5c1eb 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -24,7 +24,7 @@ */ /** - * @mainpage mbed TLS v2.21.0 source code documentation + * @mainpage mbed TLS v2.22.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 148fa279a..418318da5 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v2.21.0" +PROJECT_NAME = "mbed TLS v2.22.0" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 35af4cc43..b89e36efd 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -39,7 +39,7 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 2 -#define MBEDTLS_VERSION_MINOR 21 +#define MBEDTLS_VERSION_MINOR 22 #define MBEDTLS_VERSION_PATCH 0 /** 
@@ -47,9 +47,9 @@ * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02150000 -#define MBEDTLS_VERSION_STRING "2.21.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.21.0" +#define MBEDTLS_VERSION_NUMBER 0x02160000 +#define MBEDTLS_VERSION_STRING "2.22.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.22.0" #if defined(MBEDTLS_VERSION_C) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 14dfa221b..fd98fa50e 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -187,19 +187,19 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) add_library(mbedcrypto SHARED ${src_crypto}) - set_target_properties(mbedcrypto PROPERTIES VERSION 2.21.0 SOVERSION 4) + set_target_properties(mbedcrypto PROPERTIES VERSION 2.22.0 SOVERSION 4) target_link_libraries(mbedcrypto ${libs}) target_include_directories(mbedcrypto PUBLIC ${MBEDTLS_DIR}/include/) add_library(mbedx509 SHARED ${src_x509}) - set_target_properties(mbedx509 PROPERTIES VERSION 2.21.0 SOVERSION 1) + set_target_properties(mbedx509 PROPERTIES VERSION 2.22.0 SOVERSION 1) target_link_libraries(mbedx509 ${libs} mbedcrypto) target_include_directories(mbedx509 PUBLIC ${MBEDTLS_DIR}/include/) add_library(mbedtls SHARED ${src_tls}) - set_target_properties(mbedtls PROPERTIES VERSION 2.21.0 SOVERSION 13) + set_target_properties(mbedtls PROPERTIES VERSION 2.22.0 SOVERSION 13) target_link_libraries(mbedtls ${libs} mbedx509) target_include_directories(mbedtls PUBLIC ${MBEDTLS_DIR}/include/) diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index 868fe06d5..5dc81d334 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data 
@@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"2.21.0" +check_compiletime_version:"2.22.0" Check runtime library version -check_runtime_version:"2.21.0" +check_runtime_version:"2.22.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0 From 940bc0048ccdce640a3bc5ff3b7770f9832b7503 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 9 Apr 2020 09:34:47 +0100 Subject: [PATCH 7/7] Add missing ChangeLog entry Signed-off-by: Janos Follath --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 509c74cd8..c1463f2d2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,8 @@ Bugfix MBEDTLS_SSL_HW_RECORD_ACCEL are enabled. * Remove a spurious check in ssl_parse_client_psk_identity that triggered a warning with some compilers. Fix contributed by irwir in #2856. + * Fix a function name in a debug message. Contributed by Ercan Ozturk in + #3013. Changes * Mbed Crypto is no longer a Git submodule. The crypto part of the library