From 37e5999ac3568173b57edfaa415e77c16c2eec49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 10 Jun 2022 09:25:01 +0200
Subject: [PATCH] Fix potential buffer overread with USE_PSA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Using opaque keys for static ECDH is not supported in this branch (will be introduced in 3.2). In case we reach that point, error out cleanly instead of miscasting a pointer.

Since opaque keys were introduced, mbedtls_pk_can_do() was no longer a precise enough check.

Signed-off-by: Manuel Pégourié-Gonnard
---
 ChangeLog.d/buf-overread-use-psa-static-ecdh.txt | 6 ++++++
 library/ssl_srv.c                                | 7 +++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 ChangeLog.d/buf-overread-use-psa-static-ecdh.txt

diff --git a/ChangeLog.d/buf-overread-use-psa-static-ecdh.txt b/ChangeLog.d/buf-overread-use-psa-static-ecdh.txt
new file mode 100644
index 0000000000..023c730821
--- /dev/null
+++ b/ChangeLog.d/buf-overread-use-psa-static-ecdh.txt
@@ -0,0 +1,6 @@
+Security
+   * Fix a potential heap buffer overread in TLS 1.2 server-side when
+     MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
+     mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
+     is selected. This may result in an application crash. No path to
+     information leak has been identified.
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1733ec931f..a912ce1415 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3239,15 +3239,18 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_pk_context *own_key = mbedtls_ssl_own_key( ssl );
 
-    if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
+    /* We want to call mbedtls_pk_ec(), which only works on those types. */
+    if( mbedtls_pk_get_type( own_key ) != MBEDTLS_PK_ECKEY &&
+        mbedtls_pk_get_type( own_key ) != MBEDTLS_PK_ECKEY_DH )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
         return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
     }
 
     if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
-                                         mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
+                                         mbedtls_pk_ec( *own_key ),
                                          MBEDTLS_ECDH_OURS ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
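Review bot: `mbedtls_pk_get_type( own_key )` is evaluated twice in the new condition; hoisting it into a local, `mbedtls_pk_type_t own_key_type = mbedtls_pk_get_type( own_key );` followed by `if( own_key_type != MBEDTLS_PK_ECKEY && own_key_type != MBEDTLS_PK_ECKEY_DH )`, reads more clearly and makes it obvious both comparisons are against the same value. The new comment only says that mbedtls_pk_ec() works on those types; it would help a later reader to also record why mbedtls_pk_can_do() was dropped, namely that with MBEDTLS_USE_PSA_CRYPTO an opaque key reports the ECKEY capability but its pk_ctx is not an mbedtls_ecp_keypair, so the unchecked cast inside mbedtls_pk_ec() would read past the object. A server with no own key configured presumably reaches this check with own_key NULL; I believe mbedtls_pk_get_type() returns MBEDTLS_PK_NONE for a NULL context and so still takes the error branch, but that is worth confirming since the removed mbedtls_pk_can_do() check is what previously covered that case. ssl_get_ecdh_params_from_cert continues past the end of the hunk.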