diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index 8d00eba9f..c65c8532b 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -161,8 +161,11 @@ MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t; * \param buf Buffer to be zeroized * \param len Length of the buffer in bytes * + * \return The value of \p buf if the operation was successful. + * \return NULL if a potential FI attack was detected or input parameters + * are not valid. */ -void mbedtls_platform_zeroize( void *buf, size_t len ); +void *mbedtls_platform_zeroize( void *buf, size_t len ); /** * \brief Secure memset @@ -176,7 +179,8 @@ void mbedtls_platform_zeroize( void *buf, size_t len ); * \param value Value to be used when setting the buffer. * \param num The length of the buffer in bytes. * - * \return The value of \p ptr. + * \return The value of \p ptr if the operation was successful. + * \return NULL if a potential FI attack was detected. */ void *mbedtls_platform_memset( void *ptr, int value, size_t num ); @@ -193,6 +197,7 @@ void *mbedtls_platform_memset( void *ptr, int value, size_t num ); * \param num The length of the buffers in bytes. * * \return The value of \p dst. + * \return NULL if a potential FI attack was detected. */ void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num ); diff --git a/library/entropy.c b/library/entropy.c index 8db3d94f1..2b1e7ef3a 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -462,9 +462,10 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) for( i = 0; i < ctx->source_count; i++ ) ctx->source[i].size = 0; - mbedtls_platform_memcpy( output, buf, len ); - - ret = 0; + if( output == mbedtls_platform_memcpy( output, buf, len ) ) + { + ret = 0; + } exit: mbedtls_platform_zeroize( buf, sizeof( buf ) ); diff --git a/library/pkparse.c b/library/pkparse.c index f10a61ef8..83974f846 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -561,9 +561,13 @@ static int uecc_public_key_read_binary( mbedtls_uecc_keypair *uecc_keypair, if( buf[0] != 0x04 ) return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); - mbedtls_platform_memcpy( uecc_keypair->public_key, buf + 1, 2 * NUM_ECC_BYTES ); + if( mbedtls_platform_memcpy( uecc_keypair->public_key, buf + 1, 2 * NUM_ECC_BYTES ) == + uecc_keypair->public_key ) + { + return( 0 ); + } - return( 0 ); + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } static int pk_get_ueccpubkey( unsigned char **p, @@ -976,7 +980,11 @@ static int pk_parse_key_sec1_der( mbedtls_uecc_keypair *keypair, if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret ); - mbedtls_platform_memcpy( keypair->private_key, p, len ); + if( mbedtls_platform_memcpy( keypair->private_key, p, len ) != + keypair->private_key ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } p += len; diff --git a/library/platform_util.c b/library/platform_util.c index 5e938f9c9..3b098d26b 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -95,61 +95,136 @@ void *mbedtls_platform_memset( void *, int, size_t ); static void * (* const volatile memset_func)( void *, int, size_t ) = mbedtls_platform_memset; -void mbedtls_platform_zeroize( void *buf, size_t len ) +void *mbedtls_platform_zeroize( void *buf, size_t len ) { - MBEDTLS_INTERNAL_VALIDATE( len == 0 || buf != NULL ); + volatile size_t vlen = len; - if( len > 0 ) - memset_func( buf, 0, len ); + MBEDTLS_INTERNAL_VALIDATE_RET( ( len == 0 || buf != NULL ), NULL ); + + if( vlen > 0 ) + { + return memset_func( buf, 0, vlen ); + } + else + { + mbedtls_platform_random_delay(); + if( vlen == 0 && vlen == len ) + { + return buf; + } + } + return NULL; } #endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */ void *mbedtls_platform_memset( void *ptr, int value, size_t num ) { - /* Randomize start offset. */ - size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num ); - /* Randomize data */ - uint32_t data = mbedtls_platform_random_in_range( 256 ); + size_t i, start_offset; + volatile size_t flow_counter = 0; + volatile char *b = ptr; + char rnd_data; - /* Perform a pair of memset operations from random locations with - * random data */ - memset( (void *) ( (unsigned char *) ptr + start_offset ), data, - ( num - start_offset ) ); - memset( (void *) ptr, data, start_offset ); + start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num ); + rnd_data = (char) mbedtls_platform_random_in_range( 256 ); - /* Perform the original memset */ - return( memset( ptr, value, num ) ); + /* Perform a memset operations with random data and start from a random + * location */ + for( i = start_offset; i < num; ++i ) + { + b[i] = rnd_data; + flow_counter++; + } + + /* Start from a random location with target data */ + for( i = start_offset; i < num; ++i ) + { + b[i] = value; + flow_counter++; + } + + /* Second memset operation with random data */ + for( i = 0; i < start_offset; ++i ) + { + b[i] = rnd_data; + flow_counter++; + } + + /* Finish memset operation with correct data */ + for( i = 0; i < start_offset; ++i ) + { + b[i] = value; + flow_counter++; + } + + /* check the correct number of iterations */ + if( flow_counter == 2 * num ) + { + mbedtls_platform_random_delay(); + if( flow_counter == 2 * num ) + { + return ptr; + } + } + return NULL; } void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) { - /* Randomize start offset. */ - size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num ); - /* Randomize initial data to prevent leakage while copying */ - uint32_t data = mbedtls_platform_random_in_range( 256 ); + size_t i; + volatile size_t flow_counter = 0; - /* Use memset with random value at first to increase security - memset is - not normally part of the memcpy function and here can be useed - with regular, unsecured implementation */ - memset( (void *) dst, data, num ); - memcpy( (void *) ( (unsigned char *) dst + start_offset ), - (void *) ( (unsigned char *) src + start_offset ), - ( num - start_offset ) ); - return( memcpy( (void *) dst, (void *) src, start_offset ) ); + if( num > 0 ) + { + /* Randomize start offset. */ + size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num ); + /* Randomize initial data to prevent leakage while copying */ + uint32_t data = mbedtls_platform_random_in_range( 256 ); + + /* Use memset with random value at first to increase security - memset is + not normally part of the memcpy function and here can be useed + with regular, unsecured implementation */ + memset( (void *) dst, data, num ); + + /* Make a copy starting from a random location. */ + i = start_offset; + do + { + ( (char*) dst )[i] = ( (char*) src )[i]; + flow_counter++; + } + while( ( i = ( i + 1 ) % num ) != start_offset ); + } + + /* check the correct number of iterations */ + if( flow_counter == num ) + { + mbedtls_platform_random_delay(); + if( flow_counter == num ) + { + return dst; + } + } + return NULL; } int mbedtls_platform_memmove( void *dst, const void *src, size_t num ) { + void *ret1 = NULL; + void *ret2 = NULL; /* The buffers can have a common part, so we cannot do a copy from a random * location. By using a temporary buffer we can do so, but the cost of it * is using more memory and longer transfer time. */ void *tmp = mbedtls_calloc( 1, num ); if( tmp != NULL ) { - mbedtls_platform_memcpy( tmp, src, num ); - mbedtls_platform_memcpy( dst, tmp, num ); + ret1 = mbedtls_platform_memcpy( tmp, src, num ); + ret2 = mbedtls_platform_memcpy( dst, tmp, num ); mbedtls_free( tmp ); - return 0; + if( ret1 == tmp && ret2 == dst ) + { + return 0; + } + return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; } return MBEDTLS_ERR_PLATFORM_ALLOC_FAILED; diff --git a/library/rsa.c b/library/rsa.c index 67ebf8424..83a4f3879 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -60,9 +60,9 @@ #include #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else + +#if !defined(MBEDTLS_PLATFORM_C) #include #define mbedtls_printf printf #define mbedtls_calloc calloc @@ -1974,8 +1974,11 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, /* Are we signing raw data? */ if( md_alg == MBEDTLS_MD_NONE ) { - mbedtls_platform_memcpy( p, hash, hashlen ); - return( 0 ); + if( mbedtls_platform_memcpy( p, hash, hashlen ) == p ) + { + return( 0 ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } /* Signing hashed data, add corresponding ASN.1 structure @@ -2003,7 +2006,10 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, *p++ = 0x00; *p++ = MBEDTLS_ASN1_OCTET_STRING; *p++ = (unsigned char) hashlen; - mbedtls_platform_memcpy( p, hash, hashlen ); + if( mbedtls_platform_memcpy( p, hash, hashlen ) != p ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } p += hashlen; /* Just a sanity-check, should be automatic @@ -2029,7 +2035,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, const unsigned char *hash, unsigned char *sig ) { - int ret; + int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; unsigned char *sig_try = NULL, *verif = NULL; RSA_VALIDATE_RET( ctx != NULL ); @@ -2087,7 +2093,10 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, goto cleanup; } - mbedtls_platform_memcpy( sig, sig_try, ctx->len ); + if( mbedtls_platform_memcpy( sig, sig_try, ctx->len ) != sig ) + { + ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + } cleanup: mbedtls_free( sig_try ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 55ac1330a..4ebfb5c93 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -92,7 +92,11 @@ int mbedtls_ssl_ecdh_read_peerkey( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - mbedtls_platform_memcpy( ssl->handshake->ecdh_peerkey, *p + 2, 2 * NUM_ECC_BYTES ); + if( mbedtls_platform_memcpy( ssl->handshake->ecdh_peerkey, *p + 2, 2 * NUM_ECC_BYTES ) != + ssl->handshake->ecdh_peerkey ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } *p += secp256r1_uncompressed_point_length; return( 0 ); @@ -1886,9 +1890,13 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, return( ret ); } - mbedtls_platform_zeroize( handshake->premaster, - sizeof(handshake->premaster) ); - return( 0 ); + if( handshake->premaster == mbedtls_platform_zeroize( + handshake->premaster, sizeof(handshake->premaster) ) ) + { + return( 0 ); + } + + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) @@ -2289,7 +2297,10 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch if( end < p || (size_t)( end - p ) < psk_len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - mbedtls_platform_memcpy( p, psk, psk_len ); + if( mbedtls_platform_memcpy( p, psk, psk_len ) != p ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } p += psk_len; ssl->handshake->pmslen = p - ssl->handshake->premaster; @@ -4491,8 +4502,16 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) /* Handshake hashes are computed without fragmentation, * so set frag_offset = 0 and frag_len = hs_len for now */ - mbedtls_platform_memset( ssl->out_msg + 6, 0x00, 3 ); - mbedtls_platform_memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); + if( mbedtls_platform_memset( ssl->out_msg + 6, 0x00, 3 ) != + ssl->out_msg + 6 ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } + if( mbedtls_platform_memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ) != + ssl->out_msg + 9 ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } } #endif /* MBEDTLS_SSL_PROTO_DTLS */ @@ -6123,9 +6142,24 @@ static int ssl_buffer_message( mbedtls_ssl_context *ssl ) /* Prepare final header: copy msg_type, length and message_seq, * then add standardised fragment_offset and fragment_length */ - mbedtls_platform_memcpy( hs_buf->data, ssl->in_msg, 6 ); - mbedtls_platform_memset( hs_buf->data + 6, 0, 3 ); - mbedtls_platform_memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 ); + if( mbedtls_platform_memcpy( hs_buf->data, ssl->in_msg, 6 ) != + hs_buf->data ) + { + ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + goto exit; + } + if( mbedtls_platform_memset( hs_buf->data + 6, 0, 3 ) != + hs_buf->data + 6 ) + { + ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + goto exit; + } + if( mbedtls_platform_memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 ) != + hs_buf->data + 9 ) + { + ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + goto exit; + } hs_buf->is_valid = 1; @@ -11175,11 +11209,19 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) n = ( len < ssl->in_msglen ) ? len : ssl->in_msglen; - mbedtls_platform_memcpy( buf, ssl->in_offt, n ); + if( mbedtls_platform_memcpy( buf, ssl->in_offt, n ) != + buf ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } ssl->in_msglen -= n; // clear incoming data after it's copied to buffer - mbedtls_platform_memset(ssl->in_offt, 0, n); + if( mbedtls_platform_memset( ssl->in_offt, 0, n ) != + ssl->in_offt ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } if( ssl->in_msglen == 0 ) { @@ -11269,7 +11311,10 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, */ ssl->out_msglen = len; ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; - mbedtls_platform_memcpy( ssl->out_msg, buf, len ); + if( mbedtls_platform_memcpy( ssl->out_msg, buf, len ) != ssl->out_msg ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } #if defined(MBEDTLS_FI_COUNTERMEASURES) && !defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) /* diff --git a/tinycrypt/ecc_dh.c b/tinycrypt/ecc_dh.c index 5a7a9e53e..6285cf357 100644 --- a/tinycrypt/ecc_dh.c +++ b/tinycrypt/ecc_dh.c @@ -81,7 +81,10 @@ int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key, /* This function is designed for test purposes-only (such as validating NIST * test vectors) as it uses a provided value for d instead of generating * it uniformly at random. */ - mbedtls_platform_memcpy (_private, d, NUM_ECC_BYTES); + if( mbedtls_platform_memcpy (_private, d, NUM_ECC_BYTES) != _private ) + { + goto exit; + } /* Computing public-key from private: */ ret = EccPoint_compute_public_key(_public, _private); @@ -186,7 +189,9 @@ int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key, uECC_vli_nativeToBytes(secret, num_bytes, _public); /* erasing temporary buffer used to store secret: */ - mbedtls_platform_zeroize(_private, sizeof(_private)); + if (_private == mbedtls_platform_zeroize(_private, sizeof(_private))) { + return r; + } - return r; + return UECC_FAULT_DETECTED; }