Fix TLS 1.3 PSK binder length wraparound

2026-06-03 11:52:17 +00:00
parent 684e265a0c
commit f25a5492d8
1 changed files with 43 additions and 4 deletions
--- a/matrixssl/tls13DecodeExt.c
+++ b/matrixssl/tls13DecodeExt.c
@@ -893,16 +893,50 @@ int32_t tls13VerifyBinder(ssl_t *ssl,

    hmacAlg = tls13GetPskHmacAlg(ssl->sec.tls13ChosenPsk);
    hmacLen = tls13GetPskHashLen(ssl->sec.tls13ChosenPsk);
+    if (hmacAlg == 0 || hmacLen <= 0 || hmacLen > MAX_TLS_1_3_HASH_SIZE)
+    {
+        psTraceErrr("Invalid TLS 1.3 PSK binder hash algorithm\n");
+        goto out_decode_error;
+    }

-    tls13TranscriptHashUpdate(ssl,
+    /*
+      The ClientHello transcript hash is split at the start of the
+      binders vector.  tls13BindersLen is attacker-controlled through the
+      pre_shared_key extension, while tls13CHLen is the length of the
+      buffered ClientHello.  MatrixSSL 4.x used to subtract these values
+      without checking for wraparound.  Since psSize_t is 16 bit on this
+      code base, a malformed extension could make the subtraction wrap and
+      cause hashing beyond the ClientHello buffer (CVE-2023-24609).
+    */
+    if (ssl->sec.tls13CHStart == NULL ||
+            ssl->sec.tls13BindersLen < 2 ||
+            ssl->sec.tls13BindersLen > ssl->sec.tls13CHLen)
+    {
+        psTraceErrr("Invalid TLS 1.3 PSK binder length\n");
+        goto out_decode_error;
+    }
+
+    rc = tls13TranscriptHashUpdate(ssl,
            ssl->sec.tls13CHStart,
            ssl->sec.tls13CHLen - ssl->sec.tls13BindersLen);
-    tls13TranscriptHashSnapshot(ssl,
+    if (rc < 0)
+    {
+        goto out_internal_error;
+    }
+    rc = tls13TranscriptHashSnapshot(ssl,
            ssl->sec.tls13TrHashSnapshotCHWithoutBinders);
-    tls13TranscriptHashUpdate(ssl,
+    if (rc < 0)
+    {
+        goto out_internal_error;
+    }
+    rc = tls13TranscriptHashUpdate(ssl,
            ssl->sec.tls13CHStart +
            ssl->sec.tls13CHLen - ssl->sec.tls13BindersLen,
            ssl->sec.tls13BindersLen);
+    if (rc < 0)
+    {
+        goto out_internal_error;
+    }

    /* Find the binder corresponding to the PSK we have chosen. */
    ix = 0;
@@ -1245,7 +1279,12 @@ int32_t tls13ParsePreSharedKey(ssl_t *ssl,

        if (foundPsk)
        {
-            ssl->sec.tls13BindersLen = bindersLen + 2;
+            if (bindersLen > (psSizeL_t) ((psSize_t) ~0) - 2)
+            {
+                psTraceErrr("TLS 1.3 PSK binders vector too large\n");
+                goto out_decode_error;
+            }
+            ssl->sec.tls13BindersLen = (psSize_t) bindersLen + 2;

            rc = tls13VerifyBinder(ssl, pb);
            if (rc < 0)