Improve the FI resistance in ssl_tls.c key switching

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Andrzej Kurek 2020-09-19 12:45:20 +02:00
parent f7df0d37ab
commit 69bafce7a3
GPG Key ID: 89A90840DC388527


@ -63,12 +63,14 @@ static int mbedtls_ssl_switch_key( mbedtls_ssl_transform *transform,
const mbedtls_operation_t operation ) const mbedtls_operation_t operation )
{ {
unsigned char * key; unsigned char * key;
int ret; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
int flow_ctrl = 0;
#if defined(MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY) #if defined(MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY)
uint32_t hash; uint32_t hash;
#endif #endif
if( operation == MBEDTLS_ENCRYPT ) if( operation == MBEDTLS_ENCRYPT )
{ {
flow_ctrl++;
key = transform->key_enc; key = transform->key_enc;
#if defined(MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY) #if defined(MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY)
hash = transform->key_enc_hash; hash = transform->key_enc_hash;
@ -76,6 +78,7 @@ static int mbedtls_ssl_switch_key( mbedtls_ssl_transform *transform,
} }
else if ( operation == MBEDTLS_DECRYPT ) else if ( operation == MBEDTLS_DECRYPT )
{ {
flow_ctrl++;
key = transform->key_dec; key = transform->key_dec;
#if defined(MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY) #if defined(MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY)
hash = transform->key_dec_hash; hash = transform->key_dec_hash;
@ -91,6 +94,12 @@ static int mbedtls_ssl_switch_key( mbedtls_ssl_transform *transform,
{ {
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
else
{
flow_ctrl++;
}
#else
flow_ctrl++;
#endif #endif
if( operation != transform->cipher_ctx.operation ) if( operation != transform->cipher_ctx.operation )
{ {
@ -102,7 +111,11 @@ static int mbedtls_ssl_switch_key( mbedtls_ssl_transform *transform,
return( ret ); return( ret );
} }
} }
if( flow_ctrl == 2 )
{
return( 0 ); return( 0 );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#endif #endif
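Review bot: The new `flow_ctrl` counter never covers the key-setting step guarded by `if( operation != transform->cipher_ctx.operation )`, so in the last hunk a skipped branch still reaches `flow_ctrl == 2` and returns 0 without the key having been switched. Counting that step too would tie the success return to the operation the function exists for: add a `flow_ctrl++;` after the call that assigns `ret` succeeds and another in an `else` for the no-switch case, then test `if( flow_ctrl == 3 )`. `flow_ctrl` is also a plain `int`, and as far as the visible lines show every path reaching the final test has incremented it exactly twice, so an optimizing compiler may fold the comparison away and drop the trailing fault return; `volatile int flow_ctrl = 0;` keeps the check in the binary. The lines between the hunks are not shown, so the fallback branch for an unknown `operation` and the exact key-setting call are inferred from context.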