Merge pull request #3468 from piotr-now/fic_flow_monitor

Add flow monitor for memory block operations
2024-11-22 11:15:43 +01:00 · 2020-08-13 09:34:00 +02:00 · 2020-08-13 09:34:00 +02:00 · c2b682ab71
commit c2b682ab71
parent 2bb1376560 305a5ec496
7 changed files with 209 additions and 61 deletions
--- a/include/mbedtls/platform_util.h
+++ b/include/mbedtls/platform_util.h
@ -161,8 +161,11 @@ MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
 * \param buf   Buffer to be zeroized
 * \param len   Length of the buffer in bytes
 *
+ * \return      The value of \p buf if the operation was successful.
+ * \return      NULL if a potential FI attack was detected or input parameters
+ *              are not valid.
 */
-void mbedtls_platform_zeroize( void *buf, size_t len );
+void *mbedtls_platform_zeroize( void *buf, size_t len );

 /**
 * \brief       Secure memset
@ -176,7 +179,8 @@ void mbedtls_platform_zeroize( void *buf, size_t len );
 * \param value Value to be used when setting the buffer.
 * \param num   The length of the buffer in bytes.
 *
- * \return      The value of \p ptr.
+ * \return      The value of \p ptr if the operation was successful.
+ * \return      NULL if a potential FI attack was detected.
 */
 void *mbedtls_platform_memset( void *ptr, int value, size_t num );

@ -193,6 +197,7 @@ void *mbedtls_platform_memset( void *ptr, int value, size_t num );
 * \param num   The length of the buffers in bytes.
 *
 * \return      The value of \p dst.
+ * \return      NULL if a potential FI attack was detected.
 */
 void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num );

--- a/library/entropy.c
+++ b/library/entropy.c
@ -462,9 +462,10 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len )
    for( i = 0; i < ctx->source_count; i++ )
        ctx->source[i].size = 0;

-    mbedtls_platform_memcpy( output, buf, len );
-
-    ret = 0;
+    if( output == mbedtls_platform_memcpy( output, buf, len ) )
+    {
+        ret = 0;
+    }

 exit:
    mbedtls_platform_zeroize( buf, sizeof( buf ) );
--- a/library/pkparse.c
+++ b/library/pkparse.c
@ -561,9 +561,13 @@ static int uecc_public_key_read_binary( mbedtls_uecc_keypair *uecc_keypair,
    if( buf[0] != 0x04 )
        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );

-    mbedtls_platform_memcpy( uecc_keypair->public_key, buf + 1, 2 * NUM_ECC_BYTES );
+    if( mbedtls_platform_memcpy( uecc_keypair->public_key, buf + 1, 2 * NUM_ECC_BYTES ) ==
+                                 uecc_keypair->public_key )
+    {
+        return( 0 );
+    }

-    return( 0 );
+    return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }

 static int pk_get_ueccpubkey( unsigned char **p,
@ -976,7 +980,11 @@ static int pk_parse_key_sec1_der( mbedtls_uecc_keypair *keypair,
    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );

-    mbedtls_platform_memcpy( keypair->private_key, p, len );
+    if( mbedtls_platform_memcpy( keypair->private_key, p, len ) !=
+                                 keypair->private_key )
+    {
+        return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+    }

    p += len;

--- a/library/platform_util.c
+++ b/library/platform_util.c
@ -95,61 +95,136 @@
 void *mbedtls_platform_memset( void *, int, size_t );
 static void * (* const volatile memset_func)( void *, int, size_t ) = mbedtls_platform_memset;

-void mbedtls_platform_zeroize( void *buf, size_t len )
+void *mbedtls_platform_zeroize( void *buf, size_t len )
 {
-    MBEDTLS_INTERNAL_VALIDATE( len == 0 || buf != NULL );
+    volatile size_t vlen = len;

-    if( len > 0 )
-        memset_func( buf, 0, len );
+    MBEDTLS_INTERNAL_VALIDATE_RET( ( len == 0 || buf != NULL ), NULL );
+
+    if( vlen > 0 )
+    {
+        return memset_func( buf, 0, vlen );
+    }
+    else
+    {
+        mbedtls_platform_random_delay();
+        if( vlen == 0 && vlen == len )
+        {
+            return buf;
+        }
+    }
+    return NULL;
 }
 #endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */

 void *mbedtls_platform_memset( void *ptr, int value, size_t num )
 {
-    /* Randomize start offset. */
-    size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num );
-    /* Randomize data */
-    uint32_t data = mbedtls_platform_random_in_range( 256 );
+    size_t i, start_offset;
+    volatile size_t flow_counter = 0;
+    volatile char *b = ptr;
+    char rnd_data;

-    /* Perform a pair of memset operations from random locations with
-     * random data */
-    memset( (void *) ( (unsigned char *) ptr + start_offset ), data,
-            ( num - start_offset ) );
-    memset( (void *) ptr, data, start_offset );
+    start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num );
+    rnd_data = (char) mbedtls_platform_random_in_range( 256 );

-    /* Perform the original memset */
-    return( memset( ptr, value, num ) );
+    /* Perform a memset operations with random data and start from a random
+     * location */
+    for( i = start_offset; i < num; ++i )
+    {
+        b[i] = rnd_data;
+        flow_counter++;
+    }
+
+    /* Start from a random location with target data */
+    for( i = start_offset; i < num; ++i )
+    {
+        b[i] = value;
+        flow_counter++;
+    }
+
+    /* Second memset operation with random data */
+    for( i = 0; i < start_offset; ++i )
+    {
+        b[i] = rnd_data;
+        flow_counter++;
+    }
+
+    /* Finish memset operation with correct data */
+    for( i = 0; i < start_offset; ++i )
+    {
+        b[i] = value;
+        flow_counter++;
+    }
+
+    /* check the correct number of iterations */
+    if( flow_counter == 2 * num )
+    {
+        mbedtls_platform_random_delay();
+        if( flow_counter == 2 * num )
+        {
+            return ptr;
+        }
+    }
+    return NULL;
 }

 void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num )
 {
-    /* Randomize start offset. */
-    size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num );
-    /* Randomize initial data to prevent leakage while copying */
-    uint32_t data = mbedtls_platform_random_in_range( 256 );
+    size_t i;
+    volatile size_t flow_counter = 0;

-    /* Use memset with random value at first to increase security - memset is
-       not normally part of the memcpy function and here can be useed
-       with regular, unsecured implementation */
-    memset( (void *) dst, data, num );
-    memcpy( (void *) ( (unsigned char *) dst + start_offset ),
-            (void *) ( (unsigned char *) src + start_offset ),
-            ( num - start_offset ) );
-    return( memcpy( (void *) dst, (void *) src, start_offset ) );
+    if( num > 0 )
+    {
+        /* Randomize start offset. */
+        size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num );
+        /* Randomize initial data to prevent leakage while copying */
+        uint32_t data = mbedtls_platform_random_in_range( 256 );
+
+        /* Use memset with random value at first to increase security - memset is
+        not normally part of the memcpy function and here can be useed
+        with regular, unsecured implementation */
+        memset( (void *) dst, data, num );
+
+        /* Make a copy starting from a random location. */
+        i = start_offset;
+        do
+        {
+            ( (char*) dst )[i] = ( (char*) src )[i];
+            flow_counter++;
+        }
+        while( ( i = ( i + 1 ) % num ) != start_offset );
+    }
+
+    /* check the correct number of iterations */
+    if( flow_counter == num )
+    {
+        mbedtls_platform_random_delay();
+        if( flow_counter == num )
+        {
+            return dst;
+        }
+    }
+    return NULL;
 }

 int mbedtls_platform_memmove( void *dst, const void *src, size_t num )
 {
+    void *ret1 = NULL;
+    void *ret2 = NULL;
    /* The buffers can have a common part, so we cannot do a copy from a random
     * location. By using a temporary buffer we can do so, but the cost of it
     * is using more memory and longer transfer time. */
    void *tmp = mbedtls_calloc( 1, num );
    if( tmp != NULL )
    {
-        mbedtls_platform_memcpy( tmp, src, num );
-        mbedtls_platform_memcpy( dst, tmp, num );
+        ret1 = mbedtls_platform_memcpy( tmp, src, num );
+        ret2 = mbedtls_platform_memcpy( dst, tmp, num );
        mbedtls_free( tmp );
-        return 0;
+        if( ret1 == tmp && ret2 == dst )
+        {
+            return 0;
+        }
+        return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
    }

    return MBEDTLS_ERR_PLATFORM_ALLOC_FAILED;
--- a/library/rsa.c
+++ b/library/rsa.c
@ -60,9 +60,9 @@
 #include <stdlib.h>
 #endif

-#if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
-#else
+
+#if !defined(MBEDTLS_PLATFORM_C)
 #include <stdio.h>
 #define mbedtls_printf printf
 #define mbedtls_calloc calloc
@ -1974,8 +1974,11 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
    /* Are we signing raw data? */
    if( md_alg == MBEDTLS_MD_NONE )
    {
-        mbedtls_platform_memcpy( p, hash, hashlen );
-        return( 0 );
+        if( mbedtls_platform_memcpy( p, hash, hashlen ) == p )
+        {
+            return( 0 );
+        }
+        return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
    }

    /* Signing hashed data, add corresponding ASN.1 structure
@ -2003,7 +2006,10 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
    *p++ = 0x00;
    *p++ = MBEDTLS_ASN1_OCTET_STRING;
    *p++ = (unsigned char) hashlen;
-    mbedtls_platform_memcpy( p, hash, hashlen );
+    if( mbedtls_platform_memcpy( p, hash, hashlen ) != p )
+    {
+        return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+    }
    p += hashlen;

    /* Just a sanity-check, should be automatic
@ -2029,7 +2035,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
                               const unsigned char *hash,
                               unsigned char *sig )
 {
-    int ret;
+    int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
    unsigned char *sig_try = NULL, *verif = NULL;

    RSA_VALIDATE_RET( ctx != NULL );
@ -2087,7 +2093,10 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
        goto cleanup;
    }

-    mbedtls_platform_memcpy( sig, sig_try, ctx->len );
+    if( mbedtls_platform_memcpy( sig, sig_try, ctx->len ) != sig )
+    {
+        ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+    }

 cleanup:
    mbedtls_free( sig_try );
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -92,7 +92,11 @@ int mbedtls_ssl_ecdh_read_peerkey( mbedtls_ssl_context *ssl,
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
    }

-    mbedtls_platform_memcpy( ssl->handshake->ecdh_peerkey, *p + 2, 2 * NUM_ECC_BYTES );
+    if( mbedtls_platform_memcpy( ssl->handshake->ecdh_peerkey, *p + 2, 2 * NUM_ECC_BYTES ) !=
+                                 ssl->handshake->ecdh_peerkey )
+    {
+        return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+    }

    *p += secp256r1_uncompressed_point_length;
    return( 0 );
@ -1886,9 +1890,13 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
        return( ret );
    }

-    mbedtls_platform_zeroize( handshake->premaster,
-                              sizeof(handshake->premaster) );
-    return( 0 );
+    if( handshake->premaster == mbedtls_platform_zeroize(
+                    handshake->premaster, sizeof(handshake->premaster) ) )
+    {
+        return( 0 );
+    }
+
+    return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }

 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
@ -2289,7 +2297,10 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
    if( end < p || (size_t)( end - p ) < psk_len )
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );

-    mbedtls_platform_memcpy( p, psk, psk_len );
+    if( mbedtls_platform_memcpy( p, psk, psk_len ) != p )
+    {
+        return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+    }
    p += psk_len;

    ssl->handshake->pmslen = p - ssl->handshake->premaster;
@ -4491,8 +4502,16 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )

            /* Handshake hashes are computed without fragmentation,
             * so set frag_offset = 0 and frag_len = hs_len for now */
-            mbedtls_platform_memset( ssl->out_msg + 6, 0x00, 3 );
-            mbedtls_platform_memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
+            if( mbedtls_platform_memset( ssl->out_msg + 6, 0x00, 3 ) !=
+                                         ssl->out_msg + 6 )
+            {
+                return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+            }
+            if( mbedtls_platform_memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ) !=
+                                         ssl->out_msg + 9 )
+            {
+                return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+            }
        }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */

@ -6123,9 +6142,24 @@ static int ssl_buffer_message( mbedtls_ssl_context *ssl )

                /* Prepare final header: copy msg_type, length and message_seq,
                 * then add standardised fragment_offset and fragment_length */
-                mbedtls_platform_memcpy( hs_buf->data, ssl->in_msg, 6 );
-                mbedtls_platform_memset( hs_buf->data + 6, 0, 3 );
-                mbedtls_platform_memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
+                if( mbedtls_platform_memcpy( hs_buf->data, ssl->in_msg, 6 ) !=
+                                             hs_buf->data )
+                {
+                    ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+                    goto exit;
+                }
+                if( mbedtls_platform_memset( hs_buf->data + 6, 0, 3 ) !=
+                                             hs_buf->data + 6 )
+                {
+                    ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+                    goto exit;
+                }
+                if( mbedtls_platform_memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 ) !=
+                                             hs_buf->data + 9 )
+                {
+                    ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+                    goto exit;
+                }

                hs_buf->is_valid = 1;

@ -11175,11 +11209,19 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
    n = ( len < ssl->in_msglen )
        ? len : ssl->in_msglen;

-    mbedtls_platform_memcpy( buf, ssl->in_offt, n );
+    if( mbedtls_platform_memcpy( buf, ssl->in_offt, n ) !=
+                                 buf )
+    {
+        return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+    }
    ssl->in_msglen -= n;

    // clear incoming data after it's copied to buffer
-    mbedtls_platform_memset(ssl->in_offt, 0, n);
+    if( mbedtls_platform_memset( ssl->in_offt, 0, n ) !=
+                                 ssl->in_offt )
+    {
+        return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+    }

    if( ssl->in_msglen == 0 )
    {
@ -11269,7 +11311,10 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
         */
        ssl->out_msglen = len;
        ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
-        mbedtls_platform_memcpy( ssl->out_msg, buf, len );
+        if( mbedtls_platform_memcpy( ssl->out_msg, buf, len ) != ssl->out_msg )
+        {
+            return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+        }

 #if defined(MBEDTLS_FI_COUNTERMEASURES) && !defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
        /*
--- a/tinycrypt/ecc_dh.c
+++ b/tinycrypt/ecc_dh.c
@ -81,7 +81,10 @@ int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key,
 	/* This function is designed for test purposes-only (such as validating NIST
 	 * test vectors) as it uses a provided value for d instead of generating
 	 * it uniformly at random. */
-	mbedtls_platform_memcpy (_private, d, NUM_ECC_BYTES);
+	if( mbedtls_platform_memcpy (_private, d, NUM_ECC_BYTES) != _private )
+	{
+		goto exit;
+	}

 	/* Computing public-key from private: */
 	ret = EccPoint_compute_public_key(_public, _private);
@ -186,7 +189,9 @@ int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key,
 	uECC_vli_nativeToBytes(secret, num_bytes, _public);

 	/* erasing temporary buffer used to store secret: */
-	mbedtls_platform_zeroize(_private, sizeof(_private));
+	if (_private == mbedtls_platform_zeroize(_private, sizeof(_private))) {
+		return r;
+	}

-	return r;
+	return UECC_FAULT_DETECTED;
 }