From 594e1b5e4439368066e545430bd2f9a6ade05a09 Mon Sep 17 00:00:00 2001
From: Ivan Grokhotkov
Date: Thu, 19 Apr 2018 11:39:08 +0800
Subject: [PATCH 1/7] mbedtls: disable truncated HMAC

This is a workaround for CVE-2018-0488.
Ref. https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01
Ref. https://github.com/espressif/esp-idf/issues/1730
---
 components/mbedtls/port/include/mbedtls/esp_config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index c81bf1a06..3d6596935 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -1326,7 +1326,7 @@
  *
  * Comment this macro to disable support for truncated HMAC in SSL
  */
-#define MBEDTLS_SSL_TRUNCATED_HMAC
+//#define MBEDTLS_SSL_TRUNCATED_HMAC
 
 /**
  * \def MBEDTLS_THREADING_ALT

From 0a97cb62efd48479b292e591a593597686ee0c3c Mon Sep 17 00:00:00 2001
From: Ivan Grokhotkov
Date: Thu, 19 Apr 2018 11:40:06 +0800
Subject: [PATCH 2/7] mbedtls: disable support for RSASSA-PSS signatures

This is a workaround for CVE-2018-0487.
Ref. https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01
Ref. https://github.com/espressif/esp-idf/issues/1730
---
 components/mbedtls/port/include/mbedtls/esp_config.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index 3d6596935..b844dcef9 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -926,7 +926,7 @@
  *
  * This enables support for RSAES-OAEP and RSASSA-PSS operations.
  */
-#define MBEDTLS_PKCS1_V21
+//#define MBEDTLS_PKCS1_V21
 
 /**
  * \def MBEDTLS_RSA_NO_CRT
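Review bot: Commenting out `#define MBEDTLS_SSL_TRUNCATED_HMAC` leaves no in-file record of why the option is disabled, so a later sync of esp_config.h against the upstream mbedtls config could silently re-enable it. A one-line comment above the disabled define would keep the rationale next to the change: `/* Disabled as a workaround for CVE-2018-0488 (mbedtls security advisory 2018-01); re-enable once the fixed mbedtls release is merged. */`. The same applies to both hunks of PATCH 2/7 (`MBEDTLS_PKCS1_V21` at @@ -926 and `MBEDTLS_X509_RSASSA_PSS_SUPPORT` at @@ -1420), where the comment should cite CVE-2018-0487. Note that disabling `MBEDTLS_PKCS1_V21` also removes RSAES-OAEP, as the header text above that define states, which is broader than the RSASSA-PSS scope named in the subject and may deserve a mention in the commit message.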
@@ -1420,7 +1420,7 @@
  *
  * Comment this macro to disallow using RSASSA-PSS in certificates.
  */
-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
+//#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
 
 /**
  * \def MBEDTLS_ZLIB_SUPPORT

From 67ba85650d726fdc4f2fa85800744713b78409b8 Mon Sep 17 00:00:00 2001
From: Ivan Grokhotkov
Date: Thu, 19 Apr 2018 11:42:56 +0800
Subject: [PATCH 3/7] mbedtls: Prevent bounds check bypass through overflow in PSK identity parsing

This is a patch for CVE-2017-18187.
Cherry-picked from https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc28
Ref. https://github.com/espressif/esp-idf/issues/1730
---
 components/mbedtls/library/ssl_srv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/components/mbedtls/library/ssl_srv.c b/components/mbedtls/library/ssl_srv.c
index f137c3dce..97d7a9e80 100644
--- a/components/mbedtls/library/ssl_srv.c
+++ b/components/mbedtls/library/ssl_srv.c
@@ -3436,7 +3436,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
     /*
      * Receive client pre-shared key identity name
      */
-    if( *p + 2 > end )
+    if( end - *p < 2 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
@@ -3445,7 +3445,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
     n = ( (*p)[0] << 8 ) | (*p)[1];
     *p += 2;
 
-    if( n < 1 || n > 65535 || *p + n > end )
+    if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );

From b42ba1b0a5229101dbcd81d508beb05a9ce9f473 Mon Sep 17 00:00:00 2001
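Review bot: Both new comparisons in ssl_parse_client_psk_identity rely on `*p <= end` holding on entry: the `(size_t) ( end - *p )` cast in the second hunk would turn a negative difference into a huge value that passes the check, and nothing in the hunks states that precondition. A comment on the first check would make it explicit: `/* Compare remaining length, not *p + n, so a large n cannot wrap the pointer past end (CVE-2017-18187); callers guarantee *p <= end. */`. The `n > 65535` term is carried over from the old condition and, with n assembled from two `unsigned char` bytes just above, can never be true; it is harmless but could be dropped for clarity if n is an unsigned type as the cast suggests. The function body extends beyond both hunks.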
From: Ivan Grokhotkov
Date: Thu, 19 Apr 2018 11:45:54 +0800
Subject: [PATCH 4/7] mbedtls: Prevent arithmetic overflow on bounds check

Part of the patch for CVE-2018-9988.
Cherry-pick of https://github.com/ARMmbed/mbedtls/commit/027f84c69f4ef30c0693832a6c396ef19e563ca1
Ref. https://github.com/espressif/esp-idf/issues/1860
---
 components/mbedtls/library/ssl_cli.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/mbedtls/library/ssl_cli.c b/components/mbedtls/library/ssl_cli.c
index a2b9f8cfe..c0ade43ad 100644
--- a/components/mbedtls/library/ssl_cli.c
+++ b/components/mbedtls/library/ssl_cli.c
@@ -2473,7 +2473,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
     sig_len = ( p[0] << 8 ) | p[1];
     p += 2;
 
-    if( end != p + sig_len )
+    if( p != end - sig_len )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,

From f58c664e2bcf58cc62dd208eaeb98f1481e7d154 Mon Sep 17 00:00:00 2001
From: Ivan Grokhotkov
Date: Thu, 19 Apr 2018 11:48:31 +0800
Subject: [PATCH 5/7] mbedtls: Add bounds check before signature length read

Part of the patch for CVE-2018-9988.
Cherry-picked from https://github.com/ARMmbed/mbedtls/commit/a1098f81c252b317ad34ea978aea2bc47760b215
Ref. https://github.com/espressif/esp-idf/issues/1860
---
 components/mbedtls/library/ssl_cli.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/components/mbedtls/library/ssl_cli.c b/components/mbedtls/library/ssl_cli.c
index c0ade43ad..42363f0ea 100644
--- a/components/mbedtls/library/ssl_cli.c
+++ b/components/mbedtls/library/ssl_cli.c
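Review bot: `end - sig_len` is computed before anything has bounded sig_len by the bytes remaining, so for a large two-byte length the pointer is formed before the start of the buffer; the comparison then works on common targets but, strictly, that is not well-defined pointer arithmetic. Comparing lengths instead of pointers avoids it: `if( sig_len != (size_t) ( end - p ) )`, which is also the form PATCH 3/7 uses in ssl_srv.c, assuming sig_len is an unsigned type. The same pattern recurs in PATCH 5/7 (`p > end - 2`), PATCH 6/7 (`(*p) > end - len`) and PATCH 7/7 (`(*p) > end - 2`), which could be written `end - p < 2`, `len > (size_t) ( end - *p )` and `end - *p < 2` respectively. The length form depends on `p <= end` on entry, which the guard added in PATCH 5/7 secures for this line. ssl_parse_server_key_exchange begins and ends outside the hunk.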
@@ -2470,6 +2470,14 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
     /*
      * Read signature
      */
+
+    if( p > end - 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
     sig_len = ( p[0] << 8 ) | p[1];
     p += 2;
 

From ffab6084f0fb2276f24d54facbb254333310e4de Mon Sep 17 00:00:00 2001
From: Ivan Grokhotkov
Date: Thu, 19 Apr 2018 11:50:11 +0800
Subject: [PATCH 6/7] mbedtls: Prevent arithmetic overflow on bounds check

Part of the patch for CVE-2018-9989.
Cherry-picked from https://github.com/ARMmbed/mbedtls/commit/5224a7544c95552553e2e6be0b4a789956a6464e.
Ref. https://github.com/espressif/esp-idf/issues/1860
---
 components/mbedtls/library/ssl_cli.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/mbedtls/library/ssl_cli.c b/components/mbedtls/library/ssl_cli.c
index 42363f0ea..f9109a755 100644
--- a/components/mbedtls/library/ssl_cli.c
+++ b/components/mbedtls/library/ssl_cli.c
@@ -2052,7 +2052,7 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
     len = (*p)[0] << 8 | (*p)[1];
     *p += 2;
 
-    if( (*p) + len > end )
+    if( (*p) > end - len )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
                                     "(psk_identity_hint length)" ) );

From 8de29499ce67d4b8cd77a4ab477f0081cc863ea6 Mon Sep 17 00:00:00 2001
From: Ivan Grokhotkov
Date: Thu, 19 Apr 2018 11:51:27 +0800
Subject: [PATCH 7/7] mbedtls: Add bounds check before length read

This is part of the patch for CVE-2018-9989.
Cherry-picked from https://github.com/ARMmbed/mbedtls/commit/740b218386083dc708ce98ccc94a63a95cd5629e
Ref. https://github.com/espressif/esp-idf/issues/1860
---
 components/mbedtls/library/ssl_cli.c | 6 ++++++
 1 file changed, 6 insertions(+)
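Review bot: The added empty line sits between the `Read signature` comment and the guard it now introduces, while the new block runs straight into `sig_len = ( p[0] << 8 ) | p[1];` with no separator; moving the blank line after the closing `}` keeps the comment attached to the code and separates the guard from the length read. The guard itself is sufficient for what follows: after `p > end - 2` is rejected, `p + 2 <= end`, so the two-byte read and the `p += 2` stay inside the buffer. ssl_parse_server_key_exchange begins and ends outside the hunk.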
diff --git a/components/mbedtls/library/ssl_cli.c b/components/mbedtls/library/ssl_cli.c
index f9109a755..99f492819 100644
--- a/components/mbedtls/library/ssl_cli.c
+++ b/components/mbedtls/library/ssl_cli.c
@@ -2049,6 +2049,12 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
      *
      * opaque psk_identity_hint<0..2^16-1>;
      */
+    if( (*p) > end - 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
+                                    "(psk_identity_hint length)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
     len = (*p)[0] << 8 | (*p)[1];
     *p += 2;
 
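Review bot: The new guard returns `MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE` without sending an alert, whereas the equivalent guard added to ssl_parse_server_key_exchange in PATCH 5/7 sends a fatal `MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR` alert before returning. If the caller of ssl_parse_server_psk_hint does not send an alert on this error code, the peer sees a bare connection close instead of decode_error for the same class of malformed message; whether the existing `(*p) > end - len` check below sends one is not visible here, so this is worth confirming against the rest of the function. The function body continues past the hunk.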