crash on long PSK identity #238

Closed
asaveljevs opened this issue Aug 13, 2015 · 4 comments

@asaveljevs

Function ssl_set_psk() seems to allow setting a PSK identity of arbitrary length. However, after that PSK identity is used in a TLS handshake and an attempt is made to free it, a TLS client program crashes.

The crash is easiest to reproduce using example programs provided with mbed TLS. For instance, start the server using the following command:

$ ./mbedtls_ssl_server2 psk_identity=a psk=11 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA

Here, "psk_identity" and "psk" are set to arbitrary values, and "force_ciphersuite" is specified to force the use of PSK, rather than certificates.

Now, here is the behavior of the TLS client with varying lengths of "psk_identity":

$ ./mbedtls_ssl_client2 psk_identity=$(printf %20000s | tr " " "a") psk=11

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... ok (0 skipped)
  . Loading the client cert. and key... ok
  . Connecting to tcp/localhost/4433... ok
  . Setting up the SSL/TLS structure... ok
  . Performing the SSL/TLS handshake... failed
  ! mbedtls_ssl_handshake returned -0x7100

Last error was: -0x7100 - SSL - Bad input parameters to function

*** Error in `./mbedtls_ssl_client2': free(): invalid next size (normal): 0x0000000000a38b30 ***
Aborted

$ ./mbedtls_ssl_client2 psk_identity=$(printf %17000s | tr " " "a") psk=11

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... ok (0 skipped)
  . Loading the client cert. and key... ok
  . Connecting to tcp/localhost/4433... ok
  . Setting up the SSL/TLS structure... ok
  . Performing the SSL/TLS handshake...Segmentation fault

$ ./mbedtls_ssl_client2 psk_identity=$(printf %16500s | tr " " "a") psk=11

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... ok (0 skipped)
  . Loading the client cert. and key... ok
  . Connecting to tcp/localhost/4433... ok
  . Setting up the SSL/TLS structure... ok
  . Performing the SSL/TLS handshake... failed
  ! mbedtls_ssl_handshake returned -0x50

Last error was: -0x50 - NET - Connection was reset by peer

The most important are the first two cases, where mbed TLS crashes, presumably when trying to free something. The third case is notable, too, because the server says that an invalid TLS record was received (which the client probably should not have sent):

$ ./mbedtls_ssl_server2 psk_identity=a psk=11 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA

...

  . Waiting for a remote connection ... ok
  . Performing the SSL/TLS handshake... failed
  ! mbedtls_ssl_handshake returned -0x7200

Last error was: -29184 - SSL - An invalid SSL record was received

Tested with mbed TLS versions 1.3.11, 1.3.12, and 2.0.0.

mpg added the bug label Aug 13, 2015
@mpg
Contributor

mpg commented Aug 13, 2015

Thanks for your report! I'll investigate.

mpg added a commit that referenced this issue Aug 27, 2015
@mpg
Contributor

mpg commented Aug 31, 2015

Nice catch! Just curious, how did you discover that?

mpg added a commit that referenced this issue Aug 31, 2015
backport from c3b5d83

see #238
@asaveljevs
Author

Thank you!

At Zabbix, we are in the process of adding TLS encryption to the communication between Zabbix components. I was testing one of the components to see how it behaves with long PSK identities and noticed a crash. My colleague then discovered that it was a bug in mbed TLS, rather than Zabbix, so we reported a problem here.

See subissue (74) on this particular problem and ZBXNEXT-1263 for the whole feature request.

@mpg
Contributor

mpg commented Aug 31, 2015

Thanks for the info.

FYI, in case it isn't obvious from the patch, ssl_set_psk() will now reject identities longer than MBEDTLS_SSL_MAX_CONTENT_LEN, which is 16384 (2^14) bytes by default, but identities that are close to this limit will cause a failure (a clean one, not a crash...) later in the handshake. The reason why we don't reject them straight away in mbedtls_ssl_set_psk() is that we can't know what the exact limit is unless the ciphersuite has been negotiated.
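
An added illustration of the limit described in the comment above, not mbed TLS code and not part of the original thread: a simplified model of writing a PSK ClientKeyExchange (RFC 4279) into a fixed output buffer, showing why an identity that passes the setup-time check can still be rejected cleanly once the ciphersuite's message layout is known. The names `psk_identity_len_ok`, `write_psk_cke`, `ERR_BAD_INPUT` and the `extra_len` parameter are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define MAX_CONTENT_LEN 16384   /* default MBEDTLS_SSL_MAX_CONTENT_LEN quoted above */
#define ERR_BAD_INPUT   (-1)    /* hypothetical error code for this sketch */

/* Setup-time check: all that can be known before a ciphersuite is chosen. */
int psk_identity_len_ok(size_t id_len)
{
    return id_len <= MAX_CONTENT_LEN;
}

/*
 * Write a PSK ClientKeyExchange into out[0..out_size):
 *   handshake header: type (1 byte) + length (3 bytes)
 *   body: identity length (2 bytes, big endian) + identity
 * extra_len models key-exchange data that other PSK suites append after
 * the identity (for example a DH public value); it is 0 for plain PSK.
 * Returns the total message length, or ERR_BAD_INPUT if the message would
 * not fit. Nothing is written to out in the error case.
 */
int write_psk_cke(unsigned char *out, size_t out_size,
                  const unsigned char *id, size_t id_len, size_t extra_len)
{
    const size_t hdr = 4, len_field = 2;

    if (!psk_identity_len_ok(id_len))
        return ERR_BAD_INPUT;
    /* Subtraction form cannot overflow; checked before any byte is written. */
    if (out_size < hdr + len_field ||
        id_len > out_size - hdr - len_field ||
        extra_len > out_size - hdr - len_field - id_len)
        return ERR_BAD_INPUT;

    size_t body = len_field + id_len + extra_len;
    out[0] = 16;                          /* HandshakeType client_key_exchange */
    out[1] = (unsigned char)(body >> 16);
    out[2] = (unsigned char)(body >> 8);
    out[3] = (unsigned char)body;
    out[4] = (unsigned char)(id_len >> 8);
    out[5] = (unsigned char)id_len;
    if (id_len > 0)
        memcpy(out + 6, id, id_len);
    memset(out + 6 + id_len, 0, extra_len);   /* placeholder for suite data */
    return (int)(hdr + body);
}
```

In this model the largest identity that fits a 16384-byte buffer is 16378 bytes for plain PSK and shrinks by whatever the negotiated key exchange appends, which is why the setup-time check alone cannot give the exact bound.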

mpg closed this as completed in c6b5d83 Sep 2, 2015
gilles-peskine-arm pushed a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 3, 2019
…mpatibility_fix-crypto

HMAC DRBG: Split entropy-gathering requests to reduce request sizes
iameli pushed a commit to livepeer/mbedtls that referenced this issue Dec 5, 2023
configure changes and improvements