ARMmbed/mbedtls
1
0
Fork 0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-06-18 10:28:43 +08:00
Code Issues Releases Wiki Activity

Merge pull request #1318 from davidhorstmann-arm/calc-finished-check-return

Browse Source 
TLS1.2: Check for failures in Finished calculation
This commit is contained in:
David Horstmann 2025-03-12 17:35:37 +00:00 committed by GitHub
commit a492a34fc3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog.d/tls12-check-finished-calc.txt Normal file
View File

@ -0,0 +1,6 @@
Security
* Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
or there was a cryptographic hardware failure when calculating the
Finished message, it could be calculated incorrectly. This would break
the security guarantees of the TLS handshake.
CVE-2025-27810

2
library/ssl_tls.c
View File

@ -7570,6 +7570,7 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
return ret;
}
/*
@ -7683,6 +7684,7 @@ int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
return ret;
}
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {