diff --git a/library/aes.c b/library/aes.c index 57469873f..e49f74f76 100644 --- a/library/aes.c +++ b/library/aes.c @@ -686,6 +686,8 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, unsigned int flow_ctrl = 0; volatile unsigned int i = 0; volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + volatile const unsigned char *key_dup = key; + volatile unsigned int keybits_dup = keybits; uint32_t *RK; uint32_t offset = 0; @@ -814,9 +816,13 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, #endif ) ) { - return ret; + if( keybits_dup == keybits && key_dup == key ) + { + return ret; + } } + mbedtls_platform_memset( RK, 0, ( keybits >> 5 ) * 4 ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ @@ -1063,6 +1069,8 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, aes_r_data_t *aes_data_table[2]; // pointers to real and fake data int round_ctrl_table_len = ctx->nr + 2 + AES_SCA_CM_ROUNDS; volatile int flow_control; + volatile const unsigned char *input_dup = input; + volatile unsigned char *output_dup = output; // control bytes for AES calculation rounds, // reserve based on max rounds + dummy rounds + 2 (for initial key addition) uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )]; @@ -1163,9 +1171,14 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, if( flow_control == tindex + dummy_rounds + 8 ) { /* Validate control path due possible fault injection */ - return 0; + if( output_dup == output && input_dup == input ) + { + return 0; + } } + // Clear the output in case of a FI + mbedtls_platform_memset( output, 0, 16 ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } @@ -1342,6 +1355,8 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, aes_r_data_t *aes_data_table[2]; // pointers to real and fake data int round_ctrl_table_len = ctx->nr + 2 + AES_SCA_CM_ROUNDS; volatile int flow_control; + volatile const unsigned char *input_dup = input; + volatile unsigned char *output_dup = output; // control bytes for AES calculation rounds, // reserve based on max rounds + dummy rounds + 2 (for initial key addition) uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )]; @@ -1442,9 +1457,14 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, if( flow_control == tindex + dummy_rounds + 8 ) { /* Validate control path due possible fault injection */ - return 0; + if( output_dup == output && input_dup == input ) + { + return 0; + } } + // Clear the output in case of a FI + mbedtls_platform_memset( output, 0, 16 ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } diff --git a/library/ccm.c b/library/ccm.c index 750ec9e98..54d051e34 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -77,6 +77,8 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, { int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; const mbedtls_cipher_info_t *cipher_info; + volatile const unsigned char *key_dup = key; + volatile unsigned int keybits_dup = keybits; CCM_VALIDATE_RET( ctx != NULL ); CCM_VALIDATE_RET( key != NULL ); @@ -99,7 +101,14 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, return( ret ); } - return( ret ); + if( keybits_dup == keybits && key_dup == key ) + { + return( ret ); + } + + // In case of a FI - clear the context + mbedtls_cipher_free( &ctx->cipher_ctx ); + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } /* @@ -165,6 +174,15 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, unsigned char ctr[16]; const unsigned char *src; unsigned char *dst; + volatile size_t length_dup = length; + volatile const unsigned char *iv_dup = iv; + volatile size_t iv_len_dup = iv_len; + volatile const unsigned char *add_dup = add; + volatile size_t add_len_dup = add_len; + volatile const unsigned char *input_dup = input; + volatile unsigned char *output_dup = output; + volatile unsigned char *tag_dup = tag; + volatile size_t tag_len_dup = tag_len; /* * Check length requirements: SP800-38C A.1 @@ -316,6 +334,16 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, CTR_CRYPT( y, y, 16 ); mbedtls_platform_memcpy( tag, y, tag_len ); + if( length_dup != length || iv_dup != iv || iv_len_dup != iv_len || + add_dup != add || add_len_dup != add_len || input_dup != input || + output_dup != output || tag_dup != tag || tag_len_dup != tag_len) + { + + // In case of a FI - clear the output + mbedtls_platform_memset( output, 0, length ); + return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + } + return( ret ); } @@ -370,6 +398,15 @@ int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, unsigned char check_tag[16]; unsigned char i; int diff; + volatile size_t length_dup = length; + volatile const unsigned char *iv_dup = iv; + volatile size_t iv_len_dup = iv_len; + volatile const unsigned char *add_dup = add; + volatile size_t add_len_dup = add_len; + volatile const unsigned char *input_dup = input; + volatile unsigned char *output_dup = output; + volatile const unsigned char *tag_dup = tag; + volatile size_t tag_len_dup = tag_len; CCM_VALIDATE_RET( ctx != NULL ); CCM_VALIDATE_RET( iv != NULL ); @@ -395,6 +432,13 @@ int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, return( MBEDTLS_ERR_CCM_AUTH_FAILED ); } + if( length_dup != length || iv_dup != iv || iv_len_dup != iv_len || + add_dup != add || add_len_dup != add_len || input_dup != input || + output_dup != output || tag_dup != tag || tag_len_dup != tag_len) + { + return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + } + return( ret ); } diff --git a/library/entropy.c b/library/entropy.c index f5d7d4021..8db3d94f1 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -143,6 +143,10 @@ int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx, size_t threshold, int strong ) { int idx, ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + volatile mbedtls_entropy_f_source_ptr f_source_dup = f_source; + volatile void *p_source_dup = p_source; + volatile size_t threshold_dup = threshold; + volatile int strong_dup = strong; #if defined(MBEDTLS_THREADING_C) if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) @@ -170,6 +174,11 @@ exit: return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); #endif + if( f_source_dup != f_source || p_source_dup != p_source || + threshold_dup != threshold || strong_dup != strong ) + { + ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + } return( ret ); } @@ -184,7 +193,8 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id size_t use_len = len; const unsigned char *p = data; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; - + volatile const unsigned char *data_dup = data; + volatile size_t len_dup = len; if( use_len > MBEDTLS_ENTROPY_BLOCK_SIZE ) { #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) @@ -229,6 +239,10 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id cleanup: mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); + if( len_dup != len || data_dup != data ) + { + ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + } return( ret ); } @@ -349,6 +363,9 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) int count = 0, i, done; mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data; unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE]; + volatile void *data_dup = data; + volatile unsigned char *output_dup = output; + volatile size_t len_dup = len; if( len > MBEDTLS_ENTROPY_BLOCK_SIZE ) return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED ); @@ -456,7 +473,10 @@ exit: if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); #endif - + if( data_dup != data || len_dup != len || output_dup != output ) + { + ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + } return( ret ); } diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c index d197f24a1..58750c8b7 100644 --- a/library/hmac_drbg.c +++ b/library/hmac_drbg.c @@ -81,6 +81,8 @@ int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx, volatile unsigned int flow_counter = 0; unsigned char K[MBEDTLS_MD_MAX_SIZE]; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + volatile const unsigned char *additional_dup = additional; + volatile size_t add_len_dup = add_len; for( sep[0] = 0; sep[0] < rounds; sep[0]++ ) { @@ -143,7 +145,10 @@ exit: // Double check flow_counter if ( ( flow_counter == 7 ) || ( flow_counter == 16 ) ) { - return ret; // success, return 0 from ret + if( additional_dup == additional && add_len_dup == add_len ) + { + return ret; // success, return 0 from ret + } } } @@ -167,6 +172,8 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx, const unsigned char *data, size_t data_len ) { int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + volatile const unsigned char *data_dup = data; + volatile size_t data_len_dup = data_len; if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 ) return( ret ); @@ -183,7 +190,10 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx, if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, data, data_len ) ) != 0 ) return( ret ); - + if( data_dup != data || data_len_dup != data_len ) + { + ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + } return( ret ); } @@ -200,6 +210,9 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx, size_t seedlen = 0; size_t total_entropy_len; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + volatile const unsigned char *additional_dup = additional; + volatile size_t len_dup = len; + int reseed_counter_backup = -1; if( use_nonce == HMAC_NONCE_NO ) total_entropy_len = ctx->entropy_len; @@ -257,6 +270,7 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx, goto exit; /* 3. Reset reseed_counter */ + reseed_counter_backup = ctx->reseed_counter; ctx->reseed_counter = 1; exit: @@ -264,6 +278,15 @@ exit: /* 4. Done */ mbedtls_platform_zeroize( seed, seedlen ); + if( additional_dup != additional || len_dup != len ) + { + /* Rollback the reseed_counter in case of FI */ + if( reseed_counter_backup != -1 ) + ctx->reseed_counter = reseed_counter_backup; + + return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + } + if ( ret != 0 ) return ret; @@ -273,6 +296,9 @@ exit: return ret; } + /* Rollback the reseed_counter in case of FI */ + if( reseed_counter_backup != -1 ) + ctx->reseed_counter = reseed_counter_backup; return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } @@ -299,6 +325,11 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx, size_t len ) { int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + int (* volatile f_entropy_dup)(void *, unsigned char *, size_t) = f_entropy; + volatile void *p_entropy_dup = p_entropy; + volatile const unsigned char *custom_dup = custom; + volatile size_t len_dup = len; + size_t md_size; if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 ) @@ -339,6 +370,11 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx, return( ret ); } + if( f_entropy != f_entropy_dup || p_entropy != p_entropy_dup || + custom_dup != custom || len_dup != len ) + { + ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + } return( ret ); } diff --git a/library/sha256.c b/library/sha256.c index 07b899d07..493e88ed5 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -287,7 +287,8 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, { return( 0 ); } - + /* Free the ctx upon suspected FI */ + mbedtls_sha256_free( ctx ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } @@ -310,7 +311,9 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx, int ret; size_t fill; uint32_t left; - + volatile const unsigned char *input_dup = input; + volatile size_t ilen_dup = ilen; + size_t ilen_change; SHA256_VALIDATE_RET( ctx != NULL ); SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); @@ -353,8 +356,15 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx, /* Re-check ilen to protect from a FI attack */ if( ilen < 64 ) { - return( 0 ); + /* Re-check that the calculated offsets are correct */ + ilen_change = ilen_dup - ilen; + if( ( input_dup + ilen_change ) == input ) + { + return( 0 ); + } } + /* Free the ctx upon suspected FI */ + mbedtls_sha256_free( ctx ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } @@ -451,6 +461,9 @@ int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx, { return( 0 ); } + /* Free the ctx and clear output upon suspected FI */ + mbedtls_sha256_free( ctx ); + mbedtls_platform_memset( output, 0, 32 ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } @@ -472,8 +485,10 @@ int mbedtls_sha256_ret( const unsigned char *input, unsigned char output[32], int is224 ) { - int ret; + int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; mbedtls_sha256_context ctx; + volatile const unsigned char *input_dup = input; + volatile size_t ilen_dup = ilen; SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 ); SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); @@ -493,7 +508,12 @@ int mbedtls_sha256_ret( const unsigned char *input, exit: mbedtls_sha256_free( &ctx ); - return( ret ); + if( input_dup == input && ilen_dup == ilen ) + { + return( ret ); + } + mbedtls_platform_memset( output, 0, 32 ); + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } #if !defined(MBEDTLS_DEPRECATED_REMOVED) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 5c74386e0..5b47c0a9b 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2796,10 +2796,14 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl, volatile int ret = 0; unsigned char *p; unsigned char *end; + volatile unsigned char *buf_dup = buf; + volatile size_t buflen_dup = buflen; mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); + ((void) buf_dup); + ((void) buflen_dup); p = buf + mbedtls_ssl_hs_hdr_len( ssl ); end = buf + buflen; @@ -3100,7 +3104,7 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl, { mbedtls_platform_random_delay(); - if( ret == 0 ) + if( ret == 0 && buf_dup == buf && buflen_dup == buflen ) { #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) /* We don't need the peer's public key anymore. Free it, @@ -3583,7 +3587,10 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, { int ret; unsigned char *p, *end; + volatile unsigned char *buf_dup = buf; + volatile size_t buflen_dup = buflen; size_t n; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); @@ -3866,7 +3873,12 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, } *olen = p - buf; - return( 0 ); + /* Secure against buffer substitution */ + if( buf_dup == buf && buflen_dup == buflen ) + { + return( 0 ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } static int ssl_out_client_key_exchange_postprocess( mbedtls_ssl_context *ssl ) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 2cd34b21f..7094a89a1 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3269,13 +3269,19 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl, - sig_start ); int ret = ssl->conf->f_async_resume( ssl, sig_start, signature_len, sig_max_len ); + volatile size_t *signature_len_dup = signature_len; if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) { ssl->handshake->async_in_progress = 0; mbedtls_ssl_set_async_operation_data( ssl, NULL ); } MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret ); - return( ret ); + /* Secure against buffer substitution */ + if( signature_len_dup == signature_len ) + { + return( ret ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ @@ -3286,6 +3292,7 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl, static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, size_t *signature_len ) { + volatile size_t *signature_len_dup = signature_len; mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); @@ -3673,7 +3680,11 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ - return( 0 ); + if( signature_len_dup == signature_len ) + { + return( 0 ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } /* Prepare the ServerKeyExchange message and send it. For ciphersuites @@ -3821,6 +3832,8 @@ static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char * const unsigned char *end ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + unsigned char ** volatile p_dup = p; + volatile const unsigned char *end_dup = end; size_t n; /* @@ -3851,7 +3864,12 @@ static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char * MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); - return( ret ); + /* Secure against buffer substitution */ + if( p_dup == p && end_dup == end ) + { + return( ret ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ @@ -4218,6 +4236,8 @@ static int ssl_in_client_key_exchange_parse( mbedtls_ssl_context *ssl, mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); unsigned char *p, *end; + volatile unsigned char *buf_dup = buf; + volatile size_t buflen_dup = buflen; p = buf + mbedtls_ssl_hs_hdr_len( ssl ); end = buf + buflen; @@ -4412,8 +4432,11 @@ static int ssl_in_client_key_exchange_parse( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - - return( ret ); + if( buf_dup == buf && buflen_dup == buflen ) + { + return( ret ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } /* Update the handshake state */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b74c96d5a..c16bd6154 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -177,6 +177,8 @@ int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, size_t buflen ) { int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; + volatile unsigned char *buf_dup = buf; + volatile size_t buflen_dup = buflen; mbedtls_record rec; MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen ); @@ -228,6 +230,10 @@ exit: ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; } + if( buf_dup != buf || buflen_dup != buflen ) + { + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); + } MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); return( ret ); } @@ -282,6 +288,9 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl, unsigned char const *own_cid, size_t own_cid_len ) { + volatile unsigned char const *own_cid_dup = own_cid; + volatile size_t own_cid_len_dup = own_cid_len; + if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -308,7 +317,12 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl, * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */ ssl->own_cid_len = (uint8_t) own_cid_len; - return( 0 ); + /* Secure against buffer substitution */ + if( own_cid_dup == own_cid && own_cid_len_dup == own_cid_len ) + { + return( 0 ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl, @@ -605,7 +619,13 @@ MBEDTLS_NO_INLINE static int ssl3_prf( const unsigned char *secret, size_t slen, mbedtls_sha1_context sha1; unsigned char padding[16]; unsigned char sha1sum[20]; - ((void)label); + volatile const unsigned char *secret_dup = secret; + volatile size_t slen_dup = slen; + volatile const char *label_dup = label; + volatile const unsigned char *random_dup = random; + volatile size_t rlen_dup = rlen; + volatile unsigned char *dstbuf_dup = dstbuf; + volatile size_t dlen_dup = dlen; mbedtls_md5_init( &md5 ); mbedtls_sha1_init( &sha1 ); @@ -650,7 +670,14 @@ exit: mbedtls_platform_zeroize( padding, sizeof( padding ) ); mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) ); - return( ret ); + /* Secure against buffer substitution */ + if( secret_dup == secret && slen_dup == slen && label_dup == label && + random_dup == random && rlen_dup == rlen && dstbuf_dup == dstbuf && + dlen_dup == dlen ) + { + return( ret ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } #endif /* MBEDTLS_SSL_PROTO_SSL3 */ @@ -668,6 +695,13 @@ MBEDTLS_NO_INLINE static int tls1_prf( const unsigned char *secret, size_t slen, mbedtls_md_handle_t md_info; mbedtls_md_context_t md_ctx; int ret; + volatile const unsigned char *secret_dup = secret; + volatile size_t slen_dup = slen; + volatile const char *label_dup = label; + volatile const unsigned char *random_dup = random; + volatile size_t rlen_dup = rlen; + volatile unsigned char *dstbuf_dup = dstbuf; + volatile size_t dlen_dup = dlen; mbedtls_md_init( &md_ctx ); @@ -754,7 +788,14 @@ MBEDTLS_NO_INLINE static int tls1_prf( const unsigned char *secret, size_t slen, mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); - return( 0 ); + /* Secure against buffer substitution */ + if( secret_dup == secret && slen_dup == slen && label_dup == label && + random_dup == random && rlen_dup == rlen && dstbuf_dup == dstbuf && + dlen_dup == dlen ) + { + return( 0 ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ @@ -777,6 +818,13 @@ int tls_prf_generic( mbedtls_md_type_t md_type, mbedtls_md_handle_t md_info; mbedtls_md_context_t md_ctx; int ret; + volatile const unsigned char *secret_dup = secret; + volatile size_t slen_dup = slen; + volatile const char *label_dup = label; + volatile const unsigned char *random_dup = random; + volatile size_t rlen_dup = rlen; + volatile unsigned char *dstbuf_dup = dstbuf; + volatile size_t dlen_dup = dlen; mbedtls_md_init( &md_ctx ); @@ -836,7 +884,14 @@ int tls_prf_generic( mbedtls_md_type_t md_type, (void)mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); (void)mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); - return( 0 ); + /* Secure against buffer substitution */ + if( secret_dup == secret && slen_dup == slen && label_dup == label && + random_dup == random && rlen_dup == rlen && dstbuf_dup == dstbuf && + dlen_dup == dlen ) + { + return( 0 ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } #if defined(MBEDTLS_SHA256_C) @@ -1828,6 +1883,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, const mbedtls_ssl_context *ssl ) { int ret; + volatile unsigned char *master_dup = master; /* #if !defined(MBEDTLS_DEBUG_C) && !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) */ /* ssl = NULL; /\* make sure we don't use it except for debug and EMS *\/ */ @@ -1888,8 +1944,12 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, mbedtls_platform_zeroize( handshake->premaster, sizeof(handshake->premaster) ); - - return( 0 ); + /* Secure against buffer substitution */ + if( master_dup == master ) + { + return( 0 ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) @@ -2406,22 +2466,32 @@ static int ssl_cid_build_inner_plaintext( unsigned char *content, size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY; + volatile unsigned char *content_dup = content; + volatile size_t *content_size_dup = content_size; + volatile size_t remaining_dup = remaining; /* Write real content type */ if( remaining == 0 ) - return( -1 ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); content[ len ] = rec_type; len++; remaining--; if( remaining < pad ) - return( -1 ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); mbedtls_platform_memset( content + len, 0, pad ); len += pad; remaining -= pad; *content_size = len; - return( 0 ); + + /* Secure against buffer substitution */ + if( content_dup == content && content_size_dup == content_size && + ( remaining_dup - 1 - pad ) == remaining ) + { + return( 0 ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } /* This function parses a DTLSInnerPlaintext structure. @@ -2566,6 +2636,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, if( rec->cid_len != 0 ) { + int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; /* * Wrap plaintext into DTLSInnerPlaintext structure. * See ssl_cid_build_inner_plaintext() for more information. @@ -2573,12 +2644,12 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * Note that this changes `rec->data_len`, and hence * `post_avail` needs to be recalculated afterwards. */ - if( ssl_cid_build_inner_plaintext( data, - &rec->data_len, - post_avail, - rec->type ) != 0 ) + if( ( ret = ssl_cid_build_inner_plaintext( data, + &rec->data_len, + post_avail, + rec->type ) ) != 0 ) { - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + return( ret ); } rec->type = MBEDTLS_SSL_MSG_CID; @@ -4816,6 +4887,7 @@ static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) memset( mask + offset / 8, 0xFF, len / 8 ); } +#define BITMASK_CHECK_FAILED 0x75555555 /* * Check that bitmask is full */ @@ -4825,11 +4897,11 @@ static int ssl_bitmask_check( unsigned char *mask, size_t len ) for( i = 0; i < len / 8; i++ ) if( mask[i] != 0xFF ) - return( -1 ); + return( BITMASK_CHECK_FAILED ); for( i = 0; i < len % 8; i++ ) if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) - return( -1 ); + return( BITMASK_CHECK_FAILED ); return( 0 ); } @@ -7057,6 +7129,7 @@ write_msg: #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#define PEER_CRT_CHANGED 0x75555555 static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, unsigned char *crt_buf, size_t crt_buf_len ) @@ -7064,14 +7137,15 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert; if( peer_crt == NULL ) - return( -1 ); + return( PEER_CRT_CHANGED ); if( peer_crt->raw.len != crt_buf_len ) - return( -1 ); + return( PEER_CRT_CHANGED ); return( mbedtls_platform_memcmp( peer_crt->raw.p, crt_buf, crt_buf_len ) ); } #elif defined(MBEDTLS_SSL_RENEGOTIATION) +#define PEER_CRT_CHANGED 0x75555555 static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, unsigned char *crt_buf, size_t crt_buf_len ) @@ -7089,16 +7163,16 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, if( peer_cert_digest == NULL || digest_info == MBEDTLS_MD_INVALID_HANDLE ) { - return( -1 ); + return( PEER_CRT_CHANGED ); } digest_len = mbedtls_md_get_size( digest_info ); if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN ) - return( -1 ); + return( PEER_CRT_CHANGED ); ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest ); if( ret != 0 ) - return( -1 ); + return( PEER_CRT_CHANGED ); return( mbedtls_platform_memcmp( tmp_digest, peer_cert_digest, digest_len ) ); } @@ -10878,6 +10952,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) { int ret; size_t n; + volatile unsigned char *buf_dup = buf; + volatile size_t len_dup = len; if( ssl == NULL || ssl->conf == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -11191,7 +11267,12 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); - return( (int) n ); + /* Secure against buffer substitution */ + if( buf_dup == buf && len_dup == len ) + { + return( (int) n ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } /* @@ -11211,6 +11292,8 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, { int ret = mbedtls_ssl_get_max_out_record_payload( ssl ); const size_t max_len = (size_t) ret; + volatile const unsigned char *buf_dup = buf; + volatile size_t len_dup = len; if( ret < 0 ) { @@ -11233,6 +11316,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS) { len = max_len; + len_dup = len; } #endif } @@ -11268,8 +11352,12 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, return( ret ); } } - - return( (int) len ); + /* Secure against buffer substitution */ + if( buf_dup == buf && len_dup == len ) + { + return( (int) len ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } /* @@ -11318,6 +11406,8 @@ static int ssl_write_split( mbedtls_ssl_context *ssl, int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { int ret; + volatile const unsigned char *buf_dup = buf; + volatile size_t len_dup = len; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); @@ -11349,7 +11439,12 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); - return( ret ); + /* Secure against buffer substitution */ + if( buf_dup == buf && len_dup == len ) + { + return( ret ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } /* @@ -12933,6 +13028,11 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, { int ret = 0; mbedtls_md_context_t ctx; + volatile unsigned char* hash_dup = hash; + volatile size_t *hashlen_dup = hashlen; + volatile unsigned char* data_dup = data; + volatile size_t data_len_dup = data_len; + mbedtls_md_handle_t md_info = mbedtls_md_info_from_type( md_alg ); *hashlen = mbedtls_md_get_size( md_info ); @@ -12978,7 +13078,13 @@ exit: mbedtls_ssl_pend_fatal_alert( ssl, MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); - return( ret ); + /* Secure against buffer substitution */ + if( hash_dup == hash && hashlen_dup == hashlen && + data_dup == data && data_len_dup == data_len ) + { + return( ret ); + } + return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); } #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ MBEDTLS_SSL_PROTO_TLS1_2 */ diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c index ca91e12f4..805543204 100644 --- a/tinycrypt/ecc.c +++ b/tinycrypt/ecc.c @@ -33,16 +33,16 @@ * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * - Neither the name of Intel Corporation nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -99,7 +99,7 @@ const uECC_word_t curve_b[NUM_ECC_WORDS] = { }; static int uECC_update_param_sha256(mbedtls_sha256_context *ctx, - const uECC_word_t val[NUM_ECC_WORDS]) + const uECC_word_t val[NUM_ECC_WORDS]) { uint8_t bytes[NUM_ECC_BYTES]; @@ -119,10 +119,10 @@ static int uECC_compute_param_sha256(unsigned char output[32]) } if (uECC_update_param_sha256(&ctx, curve_p) != 0 || - uECC_update_param_sha256(&ctx, curve_n) != 0 || - uECC_update_param_sha256(&ctx, curve_G) != 0 || - uECC_update_param_sha256(&ctx, curve_G + NUM_ECC_WORDS) != 0 || - uECC_update_param_sha256(&ctx, curve_b) != 0) + uECC_update_param_sha256(&ctx, curve_n) != 0 || + uECC_update_param_sha256(&ctx, curve_G) != 0 || + uECC_update_param_sha256(&ctx, curve_G + NUM_ECC_WORDS) != 0 || + uECC_update_param_sha256(&ctx, curve_b) != 0) { goto exit; } @@ -449,7 +449,7 @@ void ecc_wait_state_reset(ecc_wait_state_t *ws) * know it's always 8. This saves a bit of code size and execution speed. */ static void uECC_vli_mult_rnd(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, ecc_wait_state_t *s) + const uECC_word_t *right, ecc_wait_state_t *s) { uECC_word_t r0 = 0; @@ -546,7 +546,7 @@ static void uECC_vli_mult_rnd(uECC_word_t *result, const uECC_word_t *left, } void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, const uECC_word_t *mod) + const uECC_word_t *right, const uECC_word_t *mod) { uECC_word_t carry = uECC_vli_add(result, left, right); if (carry || uECC_vli_cmp_unsafe(mod, result) != 1) { @@ -557,7 +557,7 @@ void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left, } void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, const uECC_word_t *mod) + const uECC_word_t *right, const uECC_word_t *mod) { uECC_word_t l_borrow = uECC_vli_sub(result, left, right); if (l_borrow) { @@ -570,7 +570,7 @@ void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left, /* Computes result = product % mod, where product is 2N words long. */ /* Currently only designed to work for curve_p or curve_n. */ void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product, - const uECC_word_t *mod) + const uECC_word_t *mod) { uECC_word_t mod_multiple[2 * NUM_ECC_WORDS]; uECC_word_t tmp[2 * NUM_ECC_WORDS]; @@ -608,14 +608,14 @@ void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product, index = !(index ^ borrow); uECC_vli_rshift1(mod_multiple); mod_multiple[num_words - 1] |= mod_multiple[num_words] << - (uECC_WORD_BITS - 1); + (uECC_WORD_BITS - 1); uECC_vli_rshift1(mod_multiple + num_words); } uECC_vli_set(result, v[index]); } void uECC_vli_modMult(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, const uECC_word_t *mod) + const uECC_word_t *right, const uECC_word_t *mod) { uECC_word_t product[2 * NUM_ECC_WORDS]; uECC_vli_mult_rnd(product, left, right, NULL); @@ -640,7 +640,7 @@ void uECC_vli_modMult_fast(uECC_word_t *result, const uECC_word_t *left, #define EVEN(vli) (!(vli[0] & 1)) static void vli_modInv_update(uECC_word_t *uv, - const uECC_word_t *mod) + const uECC_word_t *mod) { uECC_word_t carry = 0; @@ -655,7 +655,7 @@ static void vli_modInv_update(uECC_word_t *uv, } void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input, - const uECC_word_t *mod) + const uECC_word_t *mod) { uECC_word_t a[NUM_ECC_WORDS], b[NUM_ECC_WORDS]; uECC_word_t u[NUM_ECC_WORDS], v[NUM_ECC_WORDS]; @@ -674,27 +674,27 @@ void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input, while ((cmpResult = uECC_vli_cmp_unsafe(a, b)) != 0) { if (EVEN(a)) { uECC_vli_rshift1(a); - vli_modInv_update(u, mod); - } else if (EVEN(b)) { + vli_modInv_update(u, mod); + } else if (EVEN(b)) { uECC_vli_rshift1(b); vli_modInv_update(v, mod); } else if (cmpResult > 0) { uECC_vli_sub(a, a, b); uECC_vli_rshift1(a); if (uECC_vli_cmp_unsafe(u, v) < 0) { - uECC_vli_add(u, u, mod); - } - uECC_vli_sub(u, u, v); - vli_modInv_update(u, mod); - } else { - uECC_vli_sub(b, b, a); - uECC_vli_rshift1(b); - if (uECC_vli_cmp_unsafe(v, u) < 0) { - uECC_vli_add(v, v, mod); - } - uECC_vli_sub(v, v, u); - vli_modInv_update(v, mod); - } + uECC_vli_add(u, u, mod); + } + uECC_vli_sub(u, u, v); + vli_modInv_update(u, mod); + } else { + uECC_vli_sub(b, b, a); + uECC_vli_rshift1(b); + if (uECC_vli_cmp_unsafe(v, u) < 0) { + uECC_vli_add(v, v, mod); + } + uECC_vli_sub(v, v, u); + vli_modInv_update(v, mod); + } } uECC_vli_set(result, u); } @@ -702,7 +702,7 @@ void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input, /* ------ Point operations ------ */ void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1, - uECC_word_t * Z1) + uECC_word_t * Z1) { /* t1 = X, t2 = Y, t3 = Z */ uECC_word_t t4[NUM_ECC_WORDS]; @@ -755,7 +755,7 @@ void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1, * @param curve IN -- elliptic curve */ static void x_side_default(uECC_word_t *result, - const uECC_word_t *x) + const uECC_word_t *x) { uECC_word_t _3[NUM_ECC_WORDS] = {3}; /* -a = 3 */ @@ -861,7 +861,7 @@ void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int*product) while (carry < 0); } else { while (carry || - uECC_vli_cmp_unsafe(curve_p, result) != 1) { + uECC_vli_cmp_unsafe(curve_p, result) != 1) { carry -= uECC_vli_sub(result, result, curve_p); } } @@ -876,7 +876,7 @@ void apply_z(uECC_word_t * X1, uECC_word_t * Y1, const uECC_word_t * const Z) { uECC_word_t t1[NUM_ECC_WORDS]; - uECC_vli_modMult_fast(t1, Z, Z); /* z^2 */ + uECC_vli_modMult_fast(t1, Z, Z); /* z^2 */ uECC_vli_modMult_fast(X1, X1, t1); /* x1 * z^2 */ uECC_vli_modMult_fast(t1, t1, Z); /* z^3 */ uECC_vli_modMult_fast(Y1, Y1, t1); /* y1 * z^3 */ @@ -929,7 +929,7 @@ static void XYcZ_add_rnd(uECC_word_t * X1, uECC_word_t * Y1, } void XYcZ_add(uECC_word_t * X1, uECC_word_t * Y1, - uECC_word_t * X2, uECC_word_t * Y2) + uECC_word_t * X2, uECC_word_t * Y2) { XYcZ_add_rnd(X1, Y1, X2, Y2, NULL); } @@ -1030,7 +1030,7 @@ static uECC_word_t regularize_k(const uECC_word_t * const k, uECC_word_t *k0, bitcount_t num_n_bits = NUM_ECC_BITS; uECC_word_t carry = uECC_vli_add(k0, k, curve_n) || - uECC_vli_testBit(k0, num_n_bits); + uECC_vli_testBit(k0, num_n_bits); uECC_vli_add(k1, k0, curve_n); @@ -1078,7 +1078,7 @@ int EccPoint_mult_safer(uECC_word_t * result, const uECC_word_t * point, carry = regularize_k(scalar, tmp, s); /* If an RNG function was specified, get a random initial Z value to - * protect against side-channel attacks such as Template SPA */ + * protect against side-channel attacks such as Template SPA */ if (g_rng_function) { if (uECC_generate_random_int(k2[carry], curve_p, num_words) != UECC_SUCCESS) { r = UECC_FAILURE; @@ -1135,7 +1135,7 @@ uECC_word_t EccPoint_compute_public_key(uECC_word_t *result, /* Converts an integer in uECC native format to big-endian bytes. */ void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes, - const unsigned int *native) + const unsigned int *native) { wordcount_t i; for (i = 0; i < num_bytes; ++i) { @@ -1146,7 +1146,7 @@ void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes, /* Converts big-endian bytes to an integer in uECC native format. */ void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes, - int num_bytes) + int num_bytes) { wordcount_t i; uECC_vli_clear(native); @@ -1158,7 +1158,7 @@ void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes, } int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, - wordcount_t num_words) + wordcount_t num_words) { uECC_word_t mask = (uECC_word_t)-1; uECC_word_t tries; @@ -1170,10 +1170,10 @@ int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { if (g_rng_function((uint8_t *)random, num_words * uECC_WORD_SIZE) != num_words * uECC_WORD_SIZE) { - return UECC_FAILURE; - } + return UECC_FAILURE; + } random[num_words - 1] &= - mask >> ((bitcount_t)(num_words * uECC_WORD_SIZE * 8 - num_bits)); + mask >> ((bitcount_t)(num_words * uECC_WORD_SIZE * 8 - num_bits)); if (!uECC_vli_isZero(random) && uECC_vli_cmp(top, random) == 1) { return UECC_SUCCESS; @@ -1207,7 +1207,7 @@ int uECC_valid_point(const uECC_word_t *point) /* Make sure that y^2 == x^3 + ax + b */ diff = uECC_vli_equal(tmp1, tmp2); if (diff == 0) { - mbedtls_platform_random_delay(); + mbedtls_platform_random_delay(); if (diff == 0) { return 0; } @@ -1239,6 +1239,8 @@ int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key) int ret = UECC_FAULT_DETECTED; uECC_word_t _private[NUM_ECC_WORDS]; uECC_word_t _public[NUM_ECC_WORDS * 2]; + volatile const uint8_t *private_key_dup = private_key; + volatile const uint8_t *public_key_dup = public_key; uECC_vli_bytesToNative( _private, @@ -1264,5 +1266,8 @@ int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key) uECC_vli_nativeToBytes( public_key + NUM_ECC_BYTES, NUM_ECC_BYTES, _public + NUM_ECC_WORDS); + if (private_key_dup != private_key || public_key_dup != public_key){ + return UECC_FAULT_DETECTED; + } return ret; } diff --git a/tinycrypt/ecc_dh.c b/tinycrypt/ecc_dh.c index a63c84bba..bf3a80343 100644 --- a/tinycrypt/ecc_dh.c +++ b/tinycrypt/ecc_dh.c @@ -12,10 +12,10 @@ * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. + * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -36,16 +36,16 @@ * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * - Neither the name of Intel Corporation nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -91,14 +91,14 @@ int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key, /* Converting buffers to correct bit order: */ uECC_vli_nativeToBytes(private_key, - BITS_TO_BYTES(NUM_ECC_BITS), - _private); + BITS_TO_BYTES(NUM_ECC_BITS), + _private); uECC_vli_nativeToBytes(public_key, - NUM_ECC_BYTES, - _public); + NUM_ECC_BYTES, + _public); uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES, - NUM_ECC_BYTES, - _public + NUM_ECC_WORDS); + NUM_ECC_BYTES, + _public + NUM_ECC_WORDS); exit: /* erasing temporary buffer used to store secret: */ @@ -114,13 +114,15 @@ int uECC_make_key(uint8_t *public_key, uint8_t *private_key) uECC_word_t _private[NUM_ECC_WORDS]; uECC_word_t _public[NUM_ECC_WORDS * 2]; uECC_word_t tries; + volatile uint8_t *public_key_dup = public_key; + volatile uint8_t *private_key_dup = private_key; for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { /* Generating _private uniformly at random: */ uECC_RNG_Function rng_function = uECC_get_rng(); if (!rng_function || rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) != 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) { - return UECC_FAILURE; + return UECC_FAILURE; } /* computing modular reduction of _random (see FIPS 186.4 B.4.1): */ @@ -136,26 +138,31 @@ int uECC_make_key(uint8_t *public_key, uint8_t *private_key) /* Converting buffers to correct bit order: */ uECC_vli_nativeToBytes(private_key, - BITS_TO_BYTES(NUM_ECC_BITS), - _private); + BITS_TO_BYTES(NUM_ECC_BITS), + _private); uECC_vli_nativeToBytes(public_key, - NUM_ECC_BYTES, - _public); + NUM_ECC_BYTES, + _public); uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES, - NUM_ECC_BYTES, - _public + NUM_ECC_WORDS); + NUM_ECC_BYTES, + _public + NUM_ECC_WORDS); /* erasing temporary buffer that stored secret: */ mbedtls_platform_memset(_private, 0, NUM_ECC_BYTES); - return UECC_SUCCESS; - } + if (private_key == private_key_dup && public_key == public_key_dup) { + return UECC_SUCCESS; + } + /* Erase key in case of FI */ + mbedtls_platform_memset(public_key, 0, 2*NUM_ECC_BYTES); + return UECC_FAULT_DETECTED; + } } return UECC_FAILURE; } int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key, - uint8_t *secret) + uint8_t *secret) { uECC_word_t _public[NUM_ECC_WORDS * 2]; @@ -163,23 +170,31 @@ int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key, wordcount_t num_words = NUM_ECC_WORDS; wordcount_t num_bytes = NUM_ECC_BYTES; int r = UECC_FAULT_DETECTED; + volatile const uint8_t *public_key_dup = public_key; + volatile const uint8_t *private_key_dup = private_key; + volatile const uint8_t *secret_dup = secret; /* Converting buffers to correct bit order: */ uECC_vli_bytesToNative(_private, - private_key, - BITS_TO_BYTES(NUM_ECC_BITS)); + private_key, + BITS_TO_BYTES(NUM_ECC_BITS)); uECC_vli_bytesToNative(_public, - public_key, - num_bytes); + public_key, + num_bytes); uECC_vli_bytesToNative(_public + num_words, - public_key + num_bytes, - num_bytes); + public_key + num_bytes, + num_bytes); r = EccPoint_mult_safer(_public, _public, _private); uECC_vli_nativeToBytes(secret, num_bytes, _public); /* erasing temporary buffer used to store secret: */ mbedtls_platform_zeroize(_private, sizeof(_private)); + if (public_key_dup != public_key || private_key_dup != private_key || secret_dup != secret) { + /* Erase secret in case of FI */ + mbedtls_platform_memset(secret, 0, NUM_ECC_BYTES); + return UECC_FAULT_DETECTED; + } return r; } diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c index bb3ed813b..2a676dc8f 100644 --- a/tinycrypt/ecc_dsa.c +++ b/tinycrypt/ecc_dsa.c @@ -11,10 +11,10 @@ * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. + * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -34,16 +34,16 @@ * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * - Neither the name of Intel Corporation nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -69,7 +69,7 @@ #include "mbedtls/platform_util.h" static void bits2int(uECC_word_t *native, const uint8_t *bits, - unsigned bits_size) + unsigned bits_size) { unsigned num_n_bytes = BITS_TO_BYTES(NUM_ECC_BITS); @@ -82,7 +82,7 @@ static void bits2int(uECC_word_t *native, const uint8_t *bits, } int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, - unsigned hash_size, uECC_word_t *k, uint8_t *signature) + unsigned hash_size, uECC_word_t *k, uint8_t *signature) { uECC_word_t tmp[NUM_ECC_WORDS]; @@ -94,12 +94,12 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, /* Make sure 0 < k < curve_n */ if (uECC_vli_isZero(k) || - uECC_vli_cmp(curve_n, k) != 1) { + uECC_vli_cmp(curve_n, k) != 1) { return UECC_FAILURE; } r = EccPoint_mult_safer(p, curve_G, k); - if (r != UECC_SUCCESS) { + if (r != UECC_SUCCESS) { return r; } @@ -116,7 +116,7 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, /* Prevent side channel analysis of uECC_vli_modInv() to determine bits of k / the private key by premultiplying by a random number */ uECC_vli_modMult(k, k, tmp, curve_n); /* k' = rand * k */ - uECC_vli_modInv(k, k, curve_n); /* k = 1 / k' */ + uECC_vli_modInv(k, k, curve_n); /* k = 1 / k' */ uECC_vli_modMult(k, k, tmp, curve_n); /* k = 1 / k */ uECC_vli_nativeToBytes(signature, NUM_ECC_BYTES, p); /* store r */ @@ -140,18 +140,22 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, } int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash, - unsigned hash_size, uint8_t *signature) + unsigned hash_size, uint8_t *signature) { int r; uECC_word_t _random[2*NUM_ECC_WORDS]; uECC_word_t k[NUM_ECC_WORDS]; uECC_word_t tries; + volatile const uint8_t *private_key_dup = private_key; + volatile const uint8_t *message_hash_dup = message_hash; + volatile unsigned hash_size_dup = hash_size; + volatile uint8_t *signature_dup = signature; for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { /* Generating _random uniformly at random: */ uECC_RNG_Function rng_function = uECC_get_rng(); if (!rng_function || - rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE) != 2*NUM_ECC_WORDS*uECC_WORD_SIZE) { + rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE) != 2*NUM_ECC_WORDS*uECC_WORD_SIZE) { return UECC_FAILURE; } @@ -161,9 +165,15 @@ int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash, r = uECC_sign_with_k(private_key, message_hash, hash_size, k, signature); /* don't keep trying if a fault was detected */ if (r == UECC_FAULT_DETECTED) { + mbedtls_platform_memset(signature, 0, 2*NUM_ECC_BYTES); return r; } if (r == UECC_SUCCESS) { + if (private_key_dup != private_key || message_hash_dup != message_hash || + hash_size_dup != hash_size || signature_dup != signature) { + mbedtls_platform_memset(signature, 0, 2*NUM_ECC_BYTES); + return UECC_FAULT_DETECTED; + } return UECC_SUCCESS; } /* else keep trying */ @@ -194,6 +204,10 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash, bitcount_t i; bitcount_t flow_control; volatile uECC_word_t diff; + volatile const uint8_t *public_key_dup = public_key; + volatile const uint8_t *message_hash_dup = message_hash; + volatile unsigned hash_size_dup = hash_size; + volatile const uint8_t *signature_dup = signature; uECC_word_t _public[NUM_ECC_WORDS * 2]; uECC_word_t r[NUM_ECC_WORDS], s[NUM_ECC_WORDS]; @@ -207,7 +221,7 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash, uECC_vli_bytesToNative(_public, public_key, NUM_ECC_BYTES); uECC_vli_bytesToNative(_public + num_words, public_key + NUM_ECC_BYTES, - NUM_ECC_BYTES); + NUM_ECC_BYTES); uECC_vli_bytesToNative(r, signature, NUM_ECC_BYTES); uECC_vli_bytesToNative(s, signature + NUM_ECC_BYTES, NUM_ECC_BYTES); @@ -218,7 +232,7 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash, /* r, s must be < n. */ if (uECC_vli_cmp_unsafe(curve_n, r) != 1 || - uECC_vli_cmp_unsafe(curve_n, s) != 1) { + uECC_vli_cmp_unsafe(curve_n, s) != 1) { return UECC_FAILURE; } @@ -252,7 +266,7 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash, uECC_vli_numBits(u2)); point = points[(!!uECC_vli_testBit(u1, num_bits - 1)) | - ((!!uECC_vli_testBit(u2, num_bits - 1)) << 1)]; + ((!!uECC_vli_testBit(u2, num_bits - 1)) << 1)]; uECC_vli_set(rx, point); uECC_vli_set(ry, point + num_words); uECC_vli_clear(z); @@ -288,13 +302,17 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash, /* Accept only if v == r. */ diff = uECC_vli_equal(rx, r); if (diff == 0) { - flow_control++; - mbedtls_platform_random_delay(); - - /* Re-check the condition and test if the control flow is as expected. - * 1 (base value) + num_bits - 1 (from the loop) + 5 incrementations. - */ + flow_control++; + mbedtls_platform_random_delay(); + + /* Re-check the condition and test if the control flow is as expected. + * 1 (base value) + num_bits - 1 (from the loop) + 5 incrementations. + */ if (diff == 0 && flow_control == (num_bits + 5)) { + if (public_key_dup != public_key || message_hash_dup != message_hash || + hash_size_dup != hash_size || signature_dup != signature) { + return UECC_FAULT_DETECTED; + } return UECC_SUCCESS; } else {