Add FI countermeasures for sensitive switch instructions

Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2024-11-22 11:25:42 +01:00 · 2020-06-19 10:04:27 +02:00 · 2020-06-19 10:04:27 +02:00 · 78fc139121
commit 78fc139121
parent 98c847a483
1 changed files with 18 additions and 3 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -7112,7 +7112,7 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
 static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
                                        mbedtls_x509_crt *chain )
 {
-    int ret;
+    volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
    int crt_cnt=0;
 #endif
@ -7224,10 +7224,25 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
        switch( ret )
        {
-            case 0: /*ok*/
+            case 0: /* ok */
+                mbedtls_platform_random_delay();
+                if( ret != 0 )
+                {
+                    alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
+                    ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+                    goto crt_parse_der_failed;
+                }
+                break;
            case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
                /* Ignore certificate with an unknown algorithm: maybe a
-                   prior certificate was already trusted. */
+                 * prior certificate was already trusted. */
+                mbedtls_platform_random_delay();
+                if( ret != MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND )
+                {
+                    alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
+                    ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+                    goto crt_parse_der_failed;
+                }
                break;

            case MBEDTLS_ERR_X509_ALLOC_FAILED: