mirrors-yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls synced 2024-11-24 23:38:09 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix handling of long PSK identities

Browse source 
fixes #238
This commit is contained in:
Manuel Pégourié-Gonnard 2015-08-27 16:37:35 +02:00
parent ea35666f50
commit c6b5d833ec
3 changed files with 32 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ChangeLog
View file

@ -30,6 +30,9 @@ Bugfix
result trying to unlock an unlocked mutex on invalid input (found by result trying to unlock an unlocked mutex on invalid input (found by
Fredrik Axelsson) (#257) Fredrik Axelsson) (#257)
* Fix -Wshadow warnings (found by hnrkp) (#240) * Fix -Wshadow warnings (found by hnrkp) (#240)
* Fix memory corruption on client with overlong PSK identity, around
SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
Aleksandrs Saveljevs) (#238)
Changes Changes
* The PEM parser now accepts a trailing space at end of lines (#226). * The PEM parser now accepts a trailing space at end of lines (#226).

22
library/ssl_cli.c
View file

@ -1748,6 +1748,12 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
unsigned char *p = ssl->handshake->premaster + pms_offset; unsigned char *p = ssl->handshake->premaster + pms_offset;
if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
/* /*
* Generate (part of) the pre-master as * Generate (part of) the pre-master as
* struct { * struct {
@ -2522,6 +2528,14 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
i = 4; i = 4;
n = ssl->conf->psk_identity_len; n = ssl->conf->psk_identity_len;
if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
"SSL buffer too short" ) );
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
ssl->out_msg[i++] = (unsigned char)( n >> 8 ); ssl->out_msg[i++] = (unsigned char)( n >> 8 );
ssl->out_msg[i++] = (unsigned char)( n ); ssl->out_msg[i++] = (unsigned char)( n );
@ -2550,6 +2564,14 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
* ClientDiffieHellmanPublic public (DHM send G^X mod P) * ClientDiffieHellmanPublic public (DHM send G^X mod P)
*/ */
n = ssl->handshake->dhm_ctx.len; n = ssl->handshake->dhm_ctx.len;
if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
" or SSL buffer too short" ) );
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
ssl->out_msg[i++] = (unsigned char)( n >> 8 ); ssl->out_msg[i++] = (unsigned char)( n >> 8 );
ssl->out_msg[i++] = (unsigned char)( n ); ssl->out_msg[i++] = (unsigned char)( n );

7
library/ssl_tls.c
View file

@ -5457,6 +5457,13 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
if( psk_len > MBEDTLS_PSK_MAX_LEN ) if( psk_len > MBEDTLS_PSK_MAX_LEN )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
/* Identity len will be encoded on two bytes */
if( ( psk_identity_len >> 16 ) != 0 ||
psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
{
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
if( conf->psk != NULL || conf->psk_identity != NULL ) if( conf->psk != NULL || conf->psk_identity != NULL )
{ {
mbedtls_free( conf->psk ); mbedtls_free( conf->psk );