- Remove second patch (already in version)
- Fix a missing error detection in ECJPAKE. This could have caused a
predictable shared secret if a hardware accelerator failed and the
other side of the key exchange had a similar bug.
- When writing a private EC key, use a constant size for the private
value, as specified in RFC 5915. Previously, the value was written as
an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit
of information on average and could cause the value to be 1 byte too
large for the output buffer.
- The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
implement blinding. Because of this for the same key and message the
same blinding value was generated. This reduced the effectiveness of
the countermeasure and leaked information about the private key
through side channels. Reported by Jack Lloyd.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2018-0497: Remote plaintext recovery on use of CBC based ciphersuites
through a timing side-channel
- CVE-2018-0498: Plaintext recovery on use of CBC based ciphersuites through
a cache based side-channel
For more info, see the advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Extract from release announcement:
- (2.9, 2.7, 2.1) Fixed an issue in the X.509 module which could lead
to a buffer overread during certificate validation. Additionally, the
issue could also lead to unnecessary callback checks being made or to
some validation checks to be omitted. The overread could be triggered
remotely, while the other issues would require a non DER-compliant
certificate to be correctly signed by a trusted CA, or a trusted CA with
a non DER-compliant certificate. Found by luocm. Fixes#825.
- (2.9, 2.7, 2.1) Fixed the buffer length assertion in the
ssl_parse_certificate_request() function which could lead to an
arbitrary overread of the message buffer. The overreads could be caused
by receiving a malformed algorithms section which was too short. In
builds with debug output, this overread data was output with the debug
data.
- (2.9, 2.7, 2.1) Fixed a client-side bug in the validation of the
server's ciphersuite choice which could potentially lead to the client
accepting a ciphersuite it didn't offer or a ciphersuite that could not
be used with the TLS or DTLS version chosen by the server. This could
lead to corruption of internal data structures for some configurations.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The release announcement mentions these security fixes:
Defend against Bellcore glitch attacks by verifying the results of RSA
private key operations.
Fix implementation of the truncated HMAC extension. The previous
implementation allowed an offline 2^80 brute force attack on the HMAC
key of a single, uninterrupted connection (with no resumption of the
session).
Reject CRLs containing unsupported critical extensions.
Fix a buffer overread in ssl_parse_server_key_exchange() that could
cause a crash on invalid input. (CVE-2018-9988)
Fix a buffer overread in ssl_parse_server_psk_hint() that could cause
a crash on invalid input. (CVE-2018-9989)
Drop upstream patch.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
CVE-2018-0487: Remote attackers can execute arbitrary code or cause a
denial of service (buffer overflow) via a crafted certificate chain that
is mishandled during RSASSA-PSS signature verification within a TLS or
DTLS session.
CVE-2018-0488: When the truncated HMAC extension and CBC are used,
allows remote attackers to execute arbitrary code or cause a denial of
service (heap corruption) via a crafted application packet within a TLS
or DTLS session.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2017-2784 - Freeing of memory allocated on stack when validating a
public key with a secp224k1 curve.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add the mbed TLS library, formerly known as PolarSSL.
The 2.0+ version can live side-by-side with polarssl since it was
renamed, hence can be added with no conflict.
Use the Apache-2.0 license variant since it's somewhat more flexible,
the codebase is the same as the GPLv2 variant, just copyright
headers/license file changed.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>