yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 17:25:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3481 from AndrzejKurek/fi_duplicate_buffers_2

Browse Source 
Duplicate sensitive buffer and buffer length information
This commit is contained in:
Andrzej Kurek 2020-07-15 11:56:36 +02:00 committed by GitHub
commit c417c783e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 476 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
library/aes.c
View File

@ -686,6 +686,8 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
unsigned int flow_ctrl = 0; unsigned int flow_ctrl = 0;
volatile unsigned int i = 0; volatile unsigned int i = 0;
volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
volatile const unsigned char *key_dup = key;
volatile unsigned int keybits_dup = keybits;
uint32_t *RK; uint32_t *RK;
uint32_t offset = 0; uint32_t offset = 0;
@ -814,9 +816,13 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
#endif #endif
) ) ) )
{ {
return ret; if( keybits_dup == keybits && key_dup == key )
{
return ret;
}
} }
mbedtls_platform_memset( RK, 0, ( keybits >> 5 ) * 4 );
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
@ -1063,6 +1069,8 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
aes_r_data_t *aes_data_table[2]; // pointers to real and fake data aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
int round_ctrl_table_len = ctx->nr + 2 + AES_SCA_CM_ROUNDS; int round_ctrl_table_len = ctx->nr + 2 + AES_SCA_CM_ROUNDS;
volatile int flow_control; volatile int flow_control;
volatile const unsigned char *input_dup = input;
volatile unsigned char *output_dup = output;
// control bytes for AES calculation rounds, // control bytes for AES calculation rounds,
// reserve based on max rounds + dummy rounds + 2 (for initial key addition) // reserve based on max rounds + dummy rounds + 2 (for initial key addition)
uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )]; uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )];
@ -1163,9 +1171,14 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
if( flow_control == tindex + dummy_rounds + 8 ) if( flow_control == tindex + dummy_rounds + 8 )
{ {
/* Validate control path due possible fault injection */ /* Validate control path due possible fault injection */
return 0; if( output_dup == output && input_dup == input )
{
return 0;
}
} }
// Clear the output in case of a FI
mbedtls_platform_memset( output, 0, 16 );
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
@ -1342,6 +1355,8 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
aes_r_data_t *aes_data_table[2]; // pointers to real and fake data aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
int round_ctrl_table_len = ctx->nr + 2 + AES_SCA_CM_ROUNDS; int round_ctrl_table_len = ctx->nr + 2 + AES_SCA_CM_ROUNDS;
volatile int flow_control; volatile int flow_control;
volatile const unsigned char *input_dup = input;
volatile unsigned char *output_dup = output;
// control bytes for AES calculation rounds, // control bytes for AES calculation rounds,
// reserve based on max rounds + dummy rounds + 2 (for initial key addition) // reserve based on max rounds + dummy rounds + 2 (for initial key addition)
uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )]; uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )];
@ -1442,9 +1457,14 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
if( flow_control == tindex + dummy_rounds + 8 ) if( flow_control == tindex + dummy_rounds + 8 )
{ {
/* Validate control path due possible fault injection */ /* Validate control path due possible fault injection */
return 0; if( output_dup == output && input_dup == input )
{
return 0;
}
} }
// Clear the output in case of a FI
mbedtls_platform_memset( output, 0, 16 );
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }

46
library/ccm.c
View File

@ -77,6 +77,8 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
{ {
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
const mbedtls_cipher_info_t *cipher_info; const mbedtls_cipher_info_t *cipher_info;
volatile const unsigned char *key_dup = key;
volatile unsigned int keybits_dup = keybits;
CCM_VALIDATE_RET( ctx != NULL ); CCM_VALIDATE_RET( ctx != NULL );
CCM_VALIDATE_RET( key != NULL ); CCM_VALIDATE_RET( key != NULL );
@ -99,7 +101,14 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
return( ret ); return( ret );
} }
return( ret ); if( keybits_dup == keybits && key_dup == key )
{
return( ret );
}
// In case of a FI - clear the context
mbedtls_cipher_free( &ctx->cipher_ctx );
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
/* /*
@ -165,6 +174,15 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
unsigned char ctr[16]; unsigned char ctr[16];
const unsigned char *src; const unsigned char *src;
unsigned char *dst; unsigned char *dst;
volatile size_t length_dup = length;
volatile const unsigned char *iv_dup = iv;
volatile size_t iv_len_dup = iv_len;
volatile const unsigned char *add_dup = add;
volatile size_t add_len_dup = add_len;
volatile const unsigned char *input_dup = input;
volatile unsigned char *output_dup = output;
volatile unsigned char *tag_dup = tag;
volatile size_t tag_len_dup = tag_len;
/* /*
* Check length requirements: SP800-38C A.1 * Check length requirements: SP800-38C A.1
@ -316,6 +334,16 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
CTR_CRYPT( y, y, 16 ); CTR_CRYPT( y, y, 16 );
mbedtls_platform_memcpy( tag, y, tag_len ); mbedtls_platform_memcpy( tag, y, tag_len );
if( length_dup != length || iv_dup != iv || iv_len_dup != iv_len ||
add_dup != add || add_len_dup != add_len || input_dup != input ||
output_dup != output || tag_dup != tag || tag_len_dup != tag_len)
{
// In case of a FI - clear the output
mbedtls_platform_memset( output, 0, length );
return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
return( ret ); return( ret );
} }
@ -370,6 +398,15 @@ int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
unsigned char check_tag[16]; unsigned char check_tag[16];
unsigned char i; unsigned char i;
int diff; int diff;
volatile size_t length_dup = length;
volatile const unsigned char *iv_dup = iv;
volatile size_t iv_len_dup = iv_len;
volatile const unsigned char *add_dup = add;
volatile size_t add_len_dup = add_len;
volatile const unsigned char *input_dup = input;
volatile unsigned char *output_dup = output;
volatile const unsigned char *tag_dup = tag;
volatile size_t tag_len_dup = tag_len;
CCM_VALIDATE_RET( ctx != NULL ); CCM_VALIDATE_RET( ctx != NULL );
CCM_VALIDATE_RET( iv != NULL ); CCM_VALIDATE_RET( iv != NULL );
@ -395,6 +432,13 @@ int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
return( MBEDTLS_ERR_CCM_AUTH_FAILED ); return( MBEDTLS_ERR_CCM_AUTH_FAILED );
} }
if( length_dup != length || iv_dup != iv || iv_len_dup != iv_len ||
add_dup != add || add_len_dup != add_len || input_dup != input ||
output_dup != output || tag_dup != tag || tag_len_dup != tag_len)
{
return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
return( ret ); return( ret );
} }

24
library/entropy.c
View File

@ -143,6 +143,10 @@ int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx,
size_t threshold, int strong ) size_t threshold, int strong )
{ {
int idx, ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; int idx, ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
volatile mbedtls_entropy_f_source_ptr f_source_dup = f_source;
volatile void *p_source_dup = p_source;
volatile size_t threshold_dup = threshold;
volatile int strong_dup = strong;
#if defined(MBEDTLS_THREADING_C) #if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
@ -170,6 +174,11 @@ exit:
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
#endif #endif
if( f_source_dup != f_source || p_source_dup != p_source ||
threshold_dup != threshold || strong_dup != strong )
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
return( ret ); return( ret );
} }
@ -184,7 +193,8 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id
size_t use_len = len; size_t use_len = len;
const unsigned char *p = data; const unsigned char *p = data;
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
volatile const unsigned char *data_dup = data;
volatile size_t len_dup = len;
if( use_len > MBEDTLS_ENTROPY_BLOCK_SIZE ) if( use_len > MBEDTLS_ENTROPY_BLOCK_SIZE )
{ {
#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
@ -229,6 +239,10 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id
cleanup: cleanup:
mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
if( len_dup != len || data_dup != data )
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
return( ret ); return( ret );
} }
@ -349,6 +363,9 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len )
int count = 0, i, done; int count = 0, i, done;
mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data; mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data;
unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE]; unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
volatile void *data_dup = data;
volatile unsigned char *output_dup = output;
volatile size_t len_dup = len;
if( len > MBEDTLS_ENTROPY_BLOCK_SIZE ) if( len > MBEDTLS_ENTROPY_BLOCK_SIZE )
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED ); return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
@ -456,7 +473,10 @@ exit:
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
#endif #endif
if( data_dup != data || len_dup != len || output_dup != output )
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
return( ret ); return( ret );
} }

40
library/hmac_drbg.c
View File

@ -81,6 +81,8 @@ int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
volatile unsigned int flow_counter = 0; volatile unsigned int flow_counter = 0;
unsigned char K[MBEDTLS_MD_MAX_SIZE]; unsigned char K[MBEDTLS_MD_MAX_SIZE];
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
volatile const unsigned char *additional_dup = additional;
volatile size_t add_len_dup = add_len;
for( sep[0] = 0; sep[0] < rounds; sep[0]++ ) for( sep[0] = 0; sep[0] < rounds; sep[0]++ )
{ {
@ -143,7 +145,10 @@ exit:
// Double check flow_counter // Double check flow_counter
if ( ( flow_counter == 7 ) || ( flow_counter == 16 ) ) if ( ( flow_counter == 7 ) || ( flow_counter == 16 ) )
{ {
return ret; // success, return 0 from ret if( additional_dup == additional && add_len_dup == add_len )
{
return ret; // success, return 0 from ret
}
} }
} }
@ -167,6 +172,8 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
const unsigned char *data, size_t data_len ) const unsigned char *data, size_t data_len )
{ {
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
volatile const unsigned char *data_dup = data;
volatile size_t data_len_dup = data_len;
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 ) if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
return( ret ); return( ret );
@ -183,7 +190,10 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, data, data_len ) ) != 0 ) if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, data, data_len ) ) != 0 )
return( ret ); return( ret );
if( data_dup != data || data_len_dup != data_len )
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
return( ret ); return( ret );
} }
@ -200,6 +210,9 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
size_t seedlen = 0; size_t seedlen = 0;
size_t total_entropy_len; size_t total_entropy_len;
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
volatile const unsigned char *additional_dup = additional;
volatile size_t len_dup = len;
int reseed_counter_backup = -1;
if( use_nonce == HMAC_NONCE_NO ) if( use_nonce == HMAC_NONCE_NO )
total_entropy_len = ctx->entropy_len; total_entropy_len = ctx->entropy_len;
@ -257,6 +270,7 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
goto exit; goto exit;
/* 3. Reset reseed_counter */ /* 3. Reset reseed_counter */
reseed_counter_backup = ctx->reseed_counter;
ctx->reseed_counter = 1; ctx->reseed_counter = 1;
exit: exit:
@ -264,6 +278,15 @@ exit:
/* 4. Done */ /* 4. Done */
mbedtls_platform_zeroize( seed, seedlen ); mbedtls_platform_zeroize( seed, seedlen );
if( additional_dup != additional || len_dup != len )
{
/* Rollback the reseed_counter in case of FI */
if( reseed_counter_backup != -1 )
ctx->reseed_counter = reseed_counter_backup;
return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
if ( ret != 0 ) if ( ret != 0 )
return ret; return ret;
@ -273,6 +296,9 @@ exit:
return ret; return ret;
} }
/* Rollback the reseed_counter in case of FI */
if( reseed_counter_backup != -1 )
ctx->reseed_counter = reseed_counter_backup;
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
@ -299,6 +325,11 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
size_t len ) size_t len )
{ {
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
int (* volatile f_entropy_dup)(void *, unsigned char *, size_t) = f_entropy;
volatile void *p_entropy_dup = p_entropy;
volatile const unsigned char *custom_dup = custom;
volatile size_t len_dup = len;
size_t md_size; size_t md_size;
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 ) if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
@ -339,6 +370,11 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
return( ret ); return( ret );
} }
if( f_entropy != f_entropy_dup || p_entropy != p_entropy_dup ||
custom_dup != custom || len_dup != len )
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
return( ret ); return( ret );
} }

30
library/sha256.c
View File

@ -287,7 +287,8 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
{ {
return( 0 ); return( 0 );
} }
/* Free the ctx upon suspected FI */
mbedtls_sha256_free( ctx );
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
@ -310,7 +311,9 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
int ret; int ret;
size_t fill; size_t fill;
uint32_t left; uint32_t left;
volatile const unsigned char *input_dup = input;
volatile size_t ilen_dup = ilen;
size_t ilen_change;
SHA256_VALIDATE_RET( ctx != NULL ); SHA256_VALIDATE_RET( ctx != NULL );
SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
@ -353,8 +356,15 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
/* Re-check ilen to protect from a FI attack */ /* Re-check ilen to protect from a FI attack */
if( ilen < 64 ) if( ilen < 64 )
{ {
return( 0 ); /* Re-check that the calculated offsets are correct */
ilen_change = ilen_dup - ilen;
if( ( input_dup + ilen_change ) == input )
{
return( 0 );
}
} }
/* Free the ctx upon suspected FI */
mbedtls_sha256_free( ctx );
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
@ -451,6 +461,9 @@ int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
{ {
return( 0 ); return( 0 );
} }
/* Free the ctx and clear output upon suspected FI */
mbedtls_sha256_free( ctx );
mbedtls_platform_memset( output, 0, 32 );
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED ); return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
@ -472,8 +485,10 @@ int mbedtls_sha256_ret( const unsigned char *input,
unsigned char output[32], unsigned char output[32],
int is224 ) int is224 )
{ {
int ret; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
mbedtls_sha256_context ctx; mbedtls_sha256_context ctx;
volatile const unsigned char *input_dup = input;
volatile size_t ilen_dup = ilen;
SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 ); SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
@ -493,7 +508,12 @@ int mbedtls_sha256_ret( const unsigned char *input,
exit: exit:
mbedtls_sha256_free( &ctx ); mbedtls_sha256_free( &ctx );
return( ret ); if( input_dup == input && ilen_dup == ilen )
{
return( ret );
}
mbedtls_platform_memset( output, 0, 32 );
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#if !defined(MBEDTLS_DEPRECATED_REMOVED) #if !defined(MBEDTLS_DEPRECATED_REMOVED)

16
library/ssl_cli.c
View File

@ -2796,10 +2796,14 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl,
volatile int ret = 0; volatile int ret = 0;
unsigned char *p; unsigned char *p;
unsigned char *end; unsigned char *end;
volatile unsigned char *buf_dup = buf;
volatile size_t buflen_dup = buflen;
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
((void) buf_dup);
((void) buflen_dup);
p = buf + mbedtls_ssl_hs_hdr_len( ssl ); p = buf + mbedtls_ssl_hs_hdr_len( ssl );
end = buf + buflen; end = buf + buflen;
@ -3100,7 +3104,7 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl,
{ {
mbedtls_platform_random_delay(); mbedtls_platform_random_delay();
if( ret == 0 ) if( ret == 0 && buf_dup == buf && buflen_dup == buflen )
{ {
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it, /* We don't need the peer's public key anymore. Free it,
@ -3583,7 +3587,10 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl,
{ {
int ret; int ret;
unsigned char *p, *end; unsigned char *p, *end;
volatile unsigned char *buf_dup = buf;
volatile size_t buflen_dup = buflen;
size_t n; size_t n;
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
@ -3866,7 +3873,12 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl,
} }
*olen = p - buf; *olen = p - buf;
return( 0 ); /* Secure against buffer substitution */
if( buf_dup == buf && buflen_dup == buflen )
{
return( 0 );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
static int ssl_out_client_key_exchange_postprocess( mbedtls_ssl_context *ssl ) static int ssl_out_client_key_exchange_postprocess( mbedtls_ssl_context *ssl )

33
library/ssl_srv.c
View File

@ -3269,13 +3269,19 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
- sig_start ); - sig_start );
int ret = ssl->conf->f_async_resume( ssl, int ret = ssl->conf->f_async_resume( ssl,
sig_start, signature_len, sig_max_len ); sig_start, signature_len, sig_max_len );
volatile size_t *signature_len_dup = signature_len;
if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
{ {
ssl->handshake->async_in_progress = 0; ssl->handshake->async_in_progress = 0;
mbedtls_ssl_set_async_operation_data( ssl, NULL ); mbedtls_ssl_set_async_operation_data( ssl, NULL );
} }
MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret ); MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
return( ret ); /* Secure against buffer substitution */
if( signature_len_dup == signature_len )
{
return( ret );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
@ -3286,6 +3292,7 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
size_t *signature_len ) size_t *signature_len )
{ {
volatile size_t *signature_len_dup = signature_len;
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
@ -3673,7 +3680,11 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
return( 0 ); if( signature_len_dup == signature_len )
{
return( 0 );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
/* Prepare the ServerKeyExchange message and send it. For ciphersuites /* Prepare the ServerKeyExchange message and send it. For ciphersuites
@ -3821,6 +3832,8 @@ static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char *
const unsigned char *end ) const unsigned char *end )
{ {
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
unsigned char ** volatile p_dup = p;
volatile const unsigned char *end_dup = end;
size_t n; size_t n;
/* /*
@ -3851,7 +3864,12 @@ static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char *
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
return( ret ); /* Secure against buffer substitution */
if( p_dup == p && end_dup == end )
{
return( ret );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
@ -4218,6 +4236,8 @@ static int ssl_in_client_key_exchange_parse( mbedtls_ssl_context *ssl,
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
unsigned char *p, *end; unsigned char *p, *end;
volatile unsigned char *buf_dup = buf;
volatile size_t buflen_dup = buflen;
p = buf + mbedtls_ssl_hs_hdr_len( ssl ); p = buf + mbedtls_ssl_hs_hdr_len( ssl );
end = buf + buflen; end = buf + buflen;
@ -4412,8 +4432,11 @@ static int ssl_in_client_key_exchange_parse( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
} }
if( buf_dup == buf && buflen_dup == buflen )
return( ret ); {
return( ret );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
/* Update the handshake state */ /* Update the handshake state */

160
library/ssl_tls.c
View File

@ -177,6 +177,8 @@ int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
size_t buflen ) size_t buflen )
{ {
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
volatile unsigned char *buf_dup = buf;
volatile size_t buflen_dup = buflen;
mbedtls_record rec; mbedtls_record rec;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen ); MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
@ -228,6 +230,10 @@ exit:
ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
} }
if( buf_dup != buf || buflen_dup != buflen )
{
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
return( ret ); return( ret );
} }
@ -282,6 +288,9 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
unsigned char const *own_cid, unsigned char const *own_cid,
size_t own_cid_len ) size_t own_cid_len )
{ {
volatile unsigned char const *own_cid_dup = own_cid;
volatile size_t own_cid_len_dup = own_cid_len;
if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ) if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@ -308,7 +317,12 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
* MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */ * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
ssl->own_cid_len = (uint8_t) own_cid_len; ssl->own_cid_len = (uint8_t) own_cid_len;
return( 0 ); /* Secure against buffer substitution */
if( own_cid_dup == own_cid && own_cid_len_dup == own_cid_len )
{
return( 0 );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl, int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
@ -605,7 +619,13 @@ MBEDTLS_NO_INLINE static int ssl3_prf( const unsigned char *secret, size_t slen,
mbedtls_sha1_context sha1; mbedtls_sha1_context sha1;
unsigned char padding[16]; unsigned char padding[16];
unsigned char sha1sum[20]; unsigned char sha1sum[20];
((void)label); volatile const unsigned char *secret_dup = secret;
volatile size_t slen_dup = slen;
volatile const char *label_dup = label;
volatile const unsigned char *random_dup = random;
volatile size_t rlen_dup = rlen;
volatile unsigned char *dstbuf_dup = dstbuf;
volatile size_t dlen_dup = dlen;
mbedtls_md5_init( &md5 ); mbedtls_md5_init( &md5 );
mbedtls_sha1_init( &sha1 ); mbedtls_sha1_init( &sha1 );
@ -650,7 +670,14 @@ exit:
mbedtls_platform_zeroize( padding, sizeof( padding ) ); mbedtls_platform_zeroize( padding, sizeof( padding ) );
mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) ); mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
return( ret ); /* Secure against buffer substitution */
if( secret_dup == secret && slen_dup == slen && label_dup == label &&
random_dup == random && rlen_dup == rlen && dstbuf_dup == dstbuf &&
dlen_dup == dlen )
{
return( ret );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#endif /* MBEDTLS_SSL_PROTO_SSL3 */ #endif /* MBEDTLS_SSL_PROTO_SSL3 */
@ -668,6 +695,13 @@ MBEDTLS_NO_INLINE static int tls1_prf( const unsigned char *secret, size_t slen,
mbedtls_md_handle_t md_info; mbedtls_md_handle_t md_info;
mbedtls_md_context_t md_ctx; mbedtls_md_context_t md_ctx;
int ret; int ret;
volatile const unsigned char *secret_dup = secret;
volatile size_t slen_dup = slen;
volatile const char *label_dup = label;
volatile const unsigned char *random_dup = random;
volatile size_t rlen_dup = rlen;
volatile unsigned char *dstbuf_dup = dstbuf;
volatile size_t dlen_dup = dlen;
mbedtls_md_init( &md_ctx ); mbedtls_md_init( &md_ctx );
@ -754,7 +788,14 @@ MBEDTLS_NO_INLINE static int tls1_prf( const unsigned char *secret, size_t slen,
mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
return( 0 ); /* Secure against buffer substitution */
if( secret_dup == secret && slen_dup == slen && label_dup == label &&
random_dup == random && rlen_dup == rlen && dstbuf_dup == dstbuf &&
dlen_dup == dlen )
{
return( 0 );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
@ -777,6 +818,13 @@ int tls_prf_generic( mbedtls_md_type_t md_type,
mbedtls_md_handle_t md_info; mbedtls_md_handle_t md_info;
mbedtls_md_context_t md_ctx; mbedtls_md_context_t md_ctx;
int ret; int ret;
volatile const unsigned char *secret_dup = secret;
volatile size_t slen_dup = slen;
volatile const char *label_dup = label;
volatile const unsigned char *random_dup = random;
volatile size_t rlen_dup = rlen;
volatile unsigned char *dstbuf_dup = dstbuf;
volatile size_t dlen_dup = dlen;
mbedtls_md_init( &md_ctx ); mbedtls_md_init( &md_ctx );
@ -836,7 +884,14 @@ int tls_prf_generic( mbedtls_md_type_t md_type,
(void)mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); (void)mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
(void)mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); (void)mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
return( 0 ); /* Secure against buffer substitution */
if( secret_dup == secret && slen_dup == slen && label_dup == label &&
random_dup == random && rlen_dup == rlen && dstbuf_dup == dstbuf &&
dlen_dup == dlen )
{
return( 0 );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
@ -1828,6 +1883,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
const mbedtls_ssl_context *ssl ) const mbedtls_ssl_context *ssl )
{ {
int ret; int ret;
volatile unsigned char *master_dup = master;
/* #if !defined(MBEDTLS_DEBUG_C) && !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) */ /* #if !defined(MBEDTLS_DEBUG_C) && !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) */
/* ssl = NULL; /\* make sure we don't use it except for debug and EMS *\/ */ /* ssl = NULL; /\* make sure we don't use it except for debug and EMS *\/ */
@ -1888,8 +1944,12 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
mbedtls_platform_zeroize( handshake->premaster, mbedtls_platform_zeroize( handshake->premaster,
sizeof(handshake->premaster) ); sizeof(handshake->premaster) );
/* Secure against buffer substitution */
return( 0 ); if( master_dup == master )
{
return( 0 );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
@ -2406,22 +2466,32 @@ static int ssl_cid_build_inner_plaintext( unsigned char *content,
size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY - size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY -
( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) % ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) %
MBEDTLS_SSL_CID_PADDING_GRANULARITY; MBEDTLS_SSL_CID_PADDING_GRANULARITY;
volatile unsigned char *content_dup = content;
volatile size_t *content_size_dup = content_size;
volatile size_t remaining_dup = remaining;
/* Write real content type */ /* Write real content type */
if( remaining == 0 ) if( remaining == 0 )
return( -1 ); return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
content[ len ] = rec_type; content[ len ] = rec_type;
len++; len++;
remaining--; remaining--;
if( remaining < pad ) if( remaining < pad )
return( -1 ); return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
mbedtls_platform_memset( content + len, 0, pad ); mbedtls_platform_memset( content + len, 0, pad );
len += pad; len += pad;
remaining -= pad; remaining -= pad;
*content_size = len; *content_size = len;
return( 0 );
/* Secure against buffer substitution */
if( content_dup == content && content_size_dup == content_size &&
( remaining_dup - 1 - pad ) == remaining )
{
return( 0 );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
/* This function parses a DTLSInnerPlaintext structure. /* This function parses a DTLSInnerPlaintext structure.
@ -2566,6 +2636,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
if( rec->cid_len != 0 ) if( rec->cid_len != 0 )
{ {
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
/* /*
* Wrap plaintext into DTLSInnerPlaintext structure. * Wrap plaintext into DTLSInnerPlaintext structure.
* See ssl_cid_build_inner_plaintext() for more information. * See ssl_cid_build_inner_plaintext() for more information.
@ -2573,12 +2644,12 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
* Note that this changes `rec->data_len`, and hence * Note that this changes `rec->data_len`, and hence
* `post_avail` needs to be recalculated afterwards. * `post_avail` needs to be recalculated afterwards.
*/ */
if( ssl_cid_build_inner_plaintext( data, if( ( ret = ssl_cid_build_inner_plaintext( data,
&rec->data_len, &rec->data_len,
post_avail, post_avail,
rec->type ) != 0 ) rec->type ) ) != 0 )
{ {
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); return( ret );
} }
rec->type = MBEDTLS_SSL_MSG_CID; rec->type = MBEDTLS_SSL_MSG_CID;
@ -4816,6 +4887,7 @@ static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
memset( mask + offset / 8, 0xFF, len / 8 ); memset( mask + offset / 8, 0xFF, len / 8 );
} }
#define BITMASK_CHECK_FAILED 0x75555555
/* /*
* Check that bitmask is full * Check that bitmask is full
*/ */
@ -4825,11 +4897,11 @@ static int ssl_bitmask_check( unsigned char *mask, size_t len )
for( i = 0; i < len / 8; i++ ) for( i = 0; i < len / 8; i++ )
if( mask[i] != 0xFF ) if( mask[i] != 0xFF )
return( -1 ); return( BITMASK_CHECK_FAILED );
for( i = 0; i < len % 8; i++ ) for( i = 0; i < len % 8; i++ )
if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
return( -1 ); return( BITMASK_CHECK_FAILED );
return( 0 ); return( 0 );
} }
@ -7057,6 +7129,7 @@ write_msg:
#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
#define PEER_CRT_CHANGED 0x75555555
static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
unsigned char *crt_buf, unsigned char *crt_buf,
size_t crt_buf_len ) size_t crt_buf_len )
@ -7064,14 +7137,15 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert; mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
if( peer_crt == NULL ) if( peer_crt == NULL )
return( -1 ); return( PEER_CRT_CHANGED );
if( peer_crt->raw.len != crt_buf_len ) if( peer_crt->raw.len != crt_buf_len )
return( -1 ); return( PEER_CRT_CHANGED );
return( mbedtls_platform_memcmp( peer_crt->raw.p, crt_buf, crt_buf_len ) ); return( mbedtls_platform_memcmp( peer_crt->raw.p, crt_buf, crt_buf_len ) );
} }
#elif defined(MBEDTLS_SSL_RENEGOTIATION) #elif defined(MBEDTLS_SSL_RENEGOTIATION)
#define PEER_CRT_CHANGED 0x75555555
static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl, static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
unsigned char *crt_buf, unsigned char *crt_buf,
size_t crt_buf_len ) size_t crt_buf_len )
@ -7089,16 +7163,16 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
if( peer_cert_digest == NULL || if( peer_cert_digest == NULL ||
digest_info == MBEDTLS_MD_INVALID_HANDLE ) digest_info == MBEDTLS_MD_INVALID_HANDLE )
{ {
return( -1 ); return( PEER_CRT_CHANGED );
} }
digest_len = mbedtls_md_get_size( digest_info ); digest_len = mbedtls_md_get_size( digest_info );
if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN ) if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )
return( -1 ); return( PEER_CRT_CHANGED );
ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest ); ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
if( ret != 0 ) if( ret != 0 )
return( -1 ); return( PEER_CRT_CHANGED );
return( mbedtls_platform_memcmp( tmp_digest, peer_cert_digest, digest_len ) ); return( mbedtls_platform_memcmp( tmp_digest, peer_cert_digest, digest_len ) );
} }
@ -10878,6 +10952,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
{ {
int ret; int ret;
size_t n; size_t n;
volatile unsigned char *buf_dup = buf;
volatile size_t len_dup = len;
if( ssl == NULL || ssl->conf == NULL ) if( ssl == NULL || ssl->conf == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@ -11191,7 +11267,12 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
return( (int) n ); /* Secure against buffer substitution */
if( buf_dup == buf && len_dup == len )
{
return( (int) n );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
/* /*
@ -11211,6 +11292,8 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
{ {
int ret = mbedtls_ssl_get_max_out_record_payload( ssl ); int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
const size_t max_len = (size_t) ret; const size_t max_len = (size_t) ret;
volatile const unsigned char *buf_dup = buf;
volatile size_t len_dup = len;
if( ret < 0 ) if( ret < 0 )
{ {
@ -11233,6 +11316,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_PROTO_TLS) #if defined(MBEDTLS_SSL_PROTO_TLS)
{ {
len = max_len; len = max_len;
len_dup = len;
} }
#endif #endif
} }
@ -11268,8 +11352,12 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
} }
/* Secure against buffer substitution */
return( (int) len ); if( buf_dup == buf && len_dup == len )
{
return( (int) len );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
/* /*
@ -11318,6 +11406,8 @@ static int ssl_write_split( mbedtls_ssl_context *ssl,
int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
{ {
int ret; int ret;
volatile const unsigned char *buf_dup = buf;
volatile size_t len_dup = len;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
@ -11349,7 +11439,12 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
return( ret ); /* Secure against buffer substitution */
if( buf_dup == buf && len_dup == len )
{
return( ret );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
/* /*
@ -12933,6 +13028,11 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
{ {
int ret = 0; int ret = 0;
mbedtls_md_context_t ctx; mbedtls_md_context_t ctx;
volatile unsigned char* hash_dup = hash;
volatile size_t *hashlen_dup = hashlen;
volatile unsigned char* data_dup = data;
volatile size_t data_len_dup = data_len;
mbedtls_md_handle_t md_info = mbedtls_md_info_from_type( md_alg ); mbedtls_md_handle_t md_info = mbedtls_md_info_from_type( md_alg );
*hashlen = mbedtls_md_get_size( md_info ); *hashlen = mbedtls_md_get_size( md_info );
@ -12978,7 +13078,13 @@ exit:
mbedtls_ssl_pend_fatal_alert( ssl, mbedtls_ssl_pend_fatal_alert( ssl,
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
return( ret ); /* Secure against buffer substitution */
if( hash_dup == hash && hashlen_dup == hashlen &&
data_dup == data && data_len_dup == data_len )
{
return( ret );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
MBEDTLS_SSL_PROTO_TLS1_2 */ MBEDTLS_SSL_PROTO_TLS1_2 */

105
tinycrypt/ecc.c
View File

@ -33,16 +33,16 @@
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met: * modification, are permitted provided that the following conditions are met:
* *
* - Redistributions of source code must retain the above copyright notice, * - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. * this list of conditions and the following disclaimer.
* *
* - Redistributions in binary form must reproduce the above copyright * - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the * notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution. * documentation and/or other materials provided with the distribution.
* *
* - Neither the name of Intel Corporation nor the names of its contributors * - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software * may be used to endorse or promote products derived from this software
* without specific prior written permission. * without specific prior written permission.
* *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -99,7 +99,7 @@ const uECC_word_t curve_b[NUM_ECC_WORDS] = {
}; };
static int uECC_update_param_sha256(mbedtls_sha256_context *ctx, static int uECC_update_param_sha256(mbedtls_sha256_context *ctx,
const uECC_word_t val[NUM_ECC_WORDS]) const uECC_word_t val[NUM_ECC_WORDS])
{ {
uint8_t bytes[NUM_ECC_BYTES]; uint8_t bytes[NUM_ECC_BYTES];
@ -119,10 +119,10 @@ static int uECC_compute_param_sha256(unsigned char output[32])
} }
if (uECC_update_param_sha256(&ctx, curve_p) != 0 || if (uECC_update_param_sha256(&ctx, curve_p) != 0 ||
uECC_update_param_sha256(&ctx, curve_n) != 0 || uECC_update_param_sha256(&ctx, curve_n) != 0 ||
uECC_update_param_sha256(&ctx, curve_G) != 0 || uECC_update_param_sha256(&ctx, curve_G) != 0 ||
uECC_update_param_sha256(&ctx, curve_G + NUM_ECC_WORDS) != 0 || uECC_update_param_sha256(&ctx, curve_G + NUM_ECC_WORDS) != 0 ||
uECC_update_param_sha256(&ctx, curve_b) != 0) uECC_update_param_sha256(&ctx, curve_b) != 0)
{ {
goto exit; goto exit;
} }
@ -449,7 +449,7 @@ void ecc_wait_state_reset(ecc_wait_state_t *ws)
* know it's always 8. This saves a bit of code size and execution speed. * know it's always 8. This saves a bit of code size and execution speed.
*/ */
static void uECC_vli_mult_rnd(uECC_word_t *result, const uECC_word_t *left, static void uECC_vli_mult_rnd(uECC_word_t *result, const uECC_word_t *left,
const uECC_word_t *right, ecc_wait_state_t *s) const uECC_word_t *right, ecc_wait_state_t *s)
{ {
uECC_word_t r0 = 0; uECC_word_t r0 = 0;
@ -546,7 +546,7 @@ static void uECC_vli_mult_rnd(uECC_word_t *result, const uECC_word_t *left,
} }
void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left, void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left,
const uECC_word_t *right, const uECC_word_t *mod) const uECC_word_t *right, const uECC_word_t *mod)
{ {
uECC_word_t carry = uECC_vli_add(result, left, right); uECC_word_t carry = uECC_vli_add(result, left, right);
if (carry || uECC_vli_cmp_unsafe(mod, result) != 1) { if (carry || uECC_vli_cmp_unsafe(mod, result) != 1) {
@ -557,7 +557,7 @@ void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left,
} }
void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left, void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left,
const uECC_word_t *right, const uECC_word_t *mod) const uECC_word_t *right, const uECC_word_t *mod)
{ {
uECC_word_t l_borrow = uECC_vli_sub(result, left, right); uECC_word_t l_borrow = uECC_vli_sub(result, left, right);
if (l_borrow) { if (l_borrow) {
@ -570,7 +570,7 @@ void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left,
/* Computes result = product % mod, where product is 2N words long. */ /* Computes result = product % mod, where product is 2N words long. */
/* Currently only designed to work for curve_p or curve_n. */ /* Currently only designed to work for curve_p or curve_n. */
void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product, void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product,
const uECC_word_t *mod) const uECC_word_t *mod)
{ {
uECC_word_t mod_multiple[2 * NUM_ECC_WORDS]; uECC_word_t mod_multiple[2 * NUM_ECC_WORDS];
uECC_word_t tmp[2 * NUM_ECC_WORDS]; uECC_word_t tmp[2 * NUM_ECC_WORDS];
@ -608,14 +608,14 @@ void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product,
index = !(index ^ borrow); index = !(index ^ borrow);
uECC_vli_rshift1(mod_multiple); uECC_vli_rshift1(mod_multiple);
mod_multiple[num_words - 1] |= mod_multiple[num_words] << mod_multiple[num_words - 1] |= mod_multiple[num_words] <<
(uECC_WORD_BITS - 1); (uECC_WORD_BITS - 1);
uECC_vli_rshift1(mod_multiple + num_words); uECC_vli_rshift1(mod_multiple + num_words);
} }
uECC_vli_set(result, v[index]); uECC_vli_set(result, v[index]);
} }
void uECC_vli_modMult(uECC_word_t *result, const uECC_word_t *left, void uECC_vli_modMult(uECC_word_t *result, const uECC_word_t *left,
const uECC_word_t *right, const uECC_word_t *mod) const uECC_word_t *right, const uECC_word_t *mod)
{ {
uECC_word_t product[2 * NUM_ECC_WORDS]; uECC_word_t product[2 * NUM_ECC_WORDS];
uECC_vli_mult_rnd(product, left, right, NULL); uECC_vli_mult_rnd(product, left, right, NULL);
@ -640,7 +640,7 @@ void uECC_vli_modMult_fast(uECC_word_t *result, const uECC_word_t *left,
#define EVEN(vli) (!(vli[0] & 1)) #define EVEN(vli) (!(vli[0] & 1))
static void vli_modInv_update(uECC_word_t *uv, static void vli_modInv_update(uECC_word_t *uv,
const uECC_word_t *mod) const uECC_word_t *mod)
{ {
uECC_word_t carry = 0; uECC_word_t carry = 0;
@ -655,7 +655,7 @@ static void vli_modInv_update(uECC_word_t *uv,
} }
void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input, void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input,
const uECC_word_t *mod) const uECC_word_t *mod)
{ {
uECC_word_t a[NUM_ECC_WORDS], b[NUM_ECC_WORDS]; uECC_word_t a[NUM_ECC_WORDS], b[NUM_ECC_WORDS];
uECC_word_t u[NUM_ECC_WORDS], v[NUM_ECC_WORDS]; uECC_word_t u[NUM_ECC_WORDS], v[NUM_ECC_WORDS];
@ -674,27 +674,27 @@ void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input,
while ((cmpResult = uECC_vli_cmp_unsafe(a, b)) != 0) { while ((cmpResult = uECC_vli_cmp_unsafe(a, b)) != 0) {
if (EVEN(a)) { if (EVEN(a)) {
uECC_vli_rshift1(a); uECC_vli_rshift1(a);
vli_modInv_update(u, mod); vli_modInv_update(u, mod);
} else if (EVEN(b)) { } else if (EVEN(b)) {
uECC_vli_rshift1(b); uECC_vli_rshift1(b);
vli_modInv_update(v, mod); vli_modInv_update(v, mod);
} else if (cmpResult > 0) { } else if (cmpResult > 0) {
uECC_vli_sub(a, a, b); uECC_vli_sub(a, a, b);
uECC_vli_rshift1(a); uECC_vli_rshift1(a);
if (uECC_vli_cmp_unsafe(u, v) < 0) { if (uECC_vli_cmp_unsafe(u, v) < 0) {
uECC_vli_add(u, u, mod); uECC_vli_add(u, u, mod);
} }
uECC_vli_sub(u, u, v); uECC_vli_sub(u, u, v);
vli_modInv_update(u, mod); vli_modInv_update(u, mod);
} else { } else {
uECC_vli_sub(b, b, a); uECC_vli_sub(b, b, a);
uECC_vli_rshift1(b); uECC_vli_rshift1(b);
if (uECC_vli_cmp_unsafe(v, u) < 0) { if (uECC_vli_cmp_unsafe(v, u) < 0) {
uECC_vli_add(v, v, mod); uECC_vli_add(v, v, mod);
} }
uECC_vli_sub(v, v, u); uECC_vli_sub(v, v, u);
vli_modInv_update(v, mod); vli_modInv_update(v, mod);
} }
} }
uECC_vli_set(result, u); uECC_vli_set(result, u);
} }
@ -702,7 +702,7 @@ void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input,
/* ------ Point operations ------ */ /* ------ Point operations ------ */
void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1, void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1,
uECC_word_t * Z1) uECC_word_t * Z1)
{ {
/* t1 = X, t2 = Y, t3 = Z */ /* t1 = X, t2 = Y, t3 = Z */
uECC_word_t t4[NUM_ECC_WORDS]; uECC_word_t t4[NUM_ECC_WORDS];
@ -755,7 +755,7 @@ void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1,
* @param curve IN -- elliptic curve * @param curve IN -- elliptic curve
*/ */
static void x_side_default(uECC_word_t *result, static void x_side_default(uECC_word_t *result,
const uECC_word_t *x) const uECC_word_t *x)
{ {
uECC_word_t _3[NUM_ECC_WORDS] = {3}; /* -a = 3 */ uECC_word_t _3[NUM_ECC_WORDS] = {3}; /* -a = 3 */
@ -861,7 +861,7 @@ void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int*product)
while (carry < 0); while (carry < 0);
} else { } else {
while (carry || while (carry ||
uECC_vli_cmp_unsafe(curve_p, result) != 1) { uECC_vli_cmp_unsafe(curve_p, result) != 1) {
carry -= uECC_vli_sub(result, result, curve_p); carry -= uECC_vli_sub(result, result, curve_p);
} }
} }
@ -876,7 +876,7 @@ void apply_z(uECC_word_t * X1, uECC_word_t * Y1, const uECC_word_t * const Z)
{ {
uECC_word_t t1[NUM_ECC_WORDS]; uECC_word_t t1[NUM_ECC_WORDS];
uECC_vli_modMult_fast(t1, Z, Z); /* z^2 */ uECC_vli_modMult_fast(t1, Z, Z); /* z^2 */
uECC_vli_modMult_fast(X1, X1, t1); /* x1 * z^2 */ uECC_vli_modMult_fast(X1, X1, t1); /* x1 * z^2 */
uECC_vli_modMult_fast(t1, t1, Z); /* z^3 */ uECC_vli_modMult_fast(t1, t1, Z); /* z^3 */
uECC_vli_modMult_fast(Y1, Y1, t1); /* y1 * z^3 */ uECC_vli_modMult_fast(Y1, Y1, t1); /* y1 * z^3 */
@ -929,7 +929,7 @@ static void XYcZ_add_rnd(uECC_word_t * X1, uECC_word_t * Y1,
} }
void XYcZ_add(uECC_word_t * X1, uECC_word_t * Y1, void XYcZ_add(uECC_word_t * X1, uECC_word_t * Y1,
uECC_word_t * X2, uECC_word_t * Y2) uECC_word_t * X2, uECC_word_t * Y2)
{ {
XYcZ_add_rnd(X1, Y1, X2, Y2, NULL); XYcZ_add_rnd(X1, Y1, X2, Y2, NULL);
} }
@ -1030,7 +1030,7 @@ static uECC_word_t regularize_k(const uECC_word_t * const k, uECC_word_t *k0,
bitcount_t num_n_bits = NUM_ECC_BITS; bitcount_t num_n_bits = NUM_ECC_BITS;
uECC_word_t carry = uECC_vli_add(k0, k, curve_n) || uECC_word_t carry = uECC_vli_add(k0, k, curve_n) ||
uECC_vli_testBit(k0, num_n_bits); uECC_vli_testBit(k0, num_n_bits);
uECC_vli_add(k1, k0, curve_n); uECC_vli_add(k1, k0, curve_n);
@ -1078,7 +1078,7 @@ int EccPoint_mult_safer(uECC_word_t * result, const uECC_word_t * point,
carry = regularize_k(scalar, tmp, s); carry = regularize_k(scalar, tmp, s);
/* If an RNG function was specified, get a random initial Z value to /* If an RNG function was specified, get a random initial Z value to
* protect against side-channel attacks such as Template SPA */ * protect against side-channel attacks such as Template SPA */
if (g_rng_function) { if (g_rng_function) {
if (uECC_generate_random_int(k2[carry], curve_p, num_words) != UECC_SUCCESS) { if (uECC_generate_random_int(k2[carry], curve_p, num_words) != UECC_SUCCESS) {
r = UECC_FAILURE; r = UECC_FAILURE;
@ -1135,7 +1135,7 @@ uECC_word_t EccPoint_compute_public_key(uECC_word_t *result,
/* Converts an integer in uECC native format to big-endian bytes. */ /* Converts an integer in uECC native format to big-endian bytes. */
void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes, void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes,
const unsigned int *native) const unsigned int *native)
{ {
wordcount_t i; wordcount_t i;
for (i = 0; i < num_bytes; ++i) { for (i = 0; i < num_bytes; ++i) {
@ -1146,7 +1146,7 @@ void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes,
/* Converts big-endian bytes to an integer in uECC native format. */ /* Converts big-endian bytes to an integer in uECC native format. */
void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes, void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes,
int num_bytes) int num_bytes)
{ {
wordcount_t i; wordcount_t i;
uECC_vli_clear(native); uECC_vli_clear(native);
@ -1158,7 +1158,7 @@ void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes,
} }
int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top,
wordcount_t num_words) wordcount_t num_words)
{ {
uECC_word_t mask = (uECC_word_t)-1; uECC_word_t mask = (uECC_word_t)-1;
uECC_word_t tries; uECC_word_t tries;
@ -1170,10 +1170,10 @@ int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top,
for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) {
if (g_rng_function((uint8_t *)random, num_words * uECC_WORD_SIZE) != num_words * uECC_WORD_SIZE) { if (g_rng_function((uint8_t *)random, num_words * uECC_WORD_SIZE) != num_words * uECC_WORD_SIZE) {
return UECC_FAILURE; return UECC_FAILURE;
} }
random[num_words - 1] &= random[num_words - 1] &=
mask >> ((bitcount_t)(num_words * uECC_WORD_SIZE * 8 - num_bits)); mask >> ((bitcount_t)(num_words * uECC_WORD_SIZE * 8 - num_bits));
if (!uECC_vli_isZero(random) && if (!uECC_vli_isZero(random) &&
uECC_vli_cmp(top, random) == 1) { uECC_vli_cmp(top, random) == 1) {
return UECC_SUCCESS; return UECC_SUCCESS;
@ -1207,7 +1207,7 @@ int uECC_valid_point(const uECC_word_t *point)
/* Make sure that y^2 == x^3 + ax + b */ /* Make sure that y^2 == x^3 + ax + b */
diff = uECC_vli_equal(tmp1, tmp2); diff = uECC_vli_equal(tmp1, tmp2);
if (diff == 0) { if (diff == 0) {
mbedtls_platform_random_delay(); mbedtls_platform_random_delay();
if (diff == 0) { if (diff == 0) {
return 0; return 0;
} }
@ -1239,6 +1239,8 @@ int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key)
int ret = UECC_FAULT_DETECTED; int ret = UECC_FAULT_DETECTED;
uECC_word_t _private[NUM_ECC_WORDS]; uECC_word_t _private[NUM_ECC_WORDS];
uECC_word_t _public[NUM_ECC_WORDS * 2]; uECC_word_t _public[NUM_ECC_WORDS * 2];
volatile const uint8_t *private_key_dup = private_key;
volatile const uint8_t *public_key_dup = public_key;
uECC_vli_bytesToNative( uECC_vli_bytesToNative(
_private, _private,
@ -1264,5 +1266,8 @@ int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key)
uECC_vli_nativeToBytes( uECC_vli_nativeToBytes(
public_key + public_key +
NUM_ECC_BYTES, NUM_ECC_BYTES, _public + NUM_ECC_WORDS); NUM_ECC_BYTES, NUM_ECC_BYTES, _public + NUM_ECC_WORDS);
if (private_key_dup != private_key || public_key_dup != public_key){
return UECC_FAULT_DETECTED;
}
return ret; return ret;
} }

81
tinycrypt/ecc_dh.c
View File

@ -12,10 +12,10 @@
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met: * modification, are permitted provided that the following conditions are met:
* * Redistributions of source code must retain the above copyright notice, * * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. * this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice, * * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation * this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution. * and/or other materials provided with the distribution.
* *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -36,16 +36,16 @@
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met: * modification, are permitted provided that the following conditions are met:
* *
* - Redistributions of source code must retain the above copyright notice, * - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. * this list of conditions and the following disclaimer.
* *
* - Redistributions in binary form must reproduce the above copyright * - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the * notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution. * documentation and/or other materials provided with the distribution.
* *
* - Neither the name of Intel Corporation nor the names of its contributors * - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software * may be used to endorse or promote products derived from this software
* without specific prior written permission. * without specific prior written permission.
* *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -91,14 +91,14 @@ int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key,
/* Converting buffers to correct bit order: */ /* Converting buffers to correct bit order: */
uECC_vli_nativeToBytes(private_key, uECC_vli_nativeToBytes(private_key,
BITS_TO_BYTES(NUM_ECC_BITS), BITS_TO_BYTES(NUM_ECC_BITS),
_private); _private);
uECC_vli_nativeToBytes(public_key, uECC_vli_nativeToBytes(public_key,
NUM_ECC_BYTES, NUM_ECC_BYTES,
_public); _public);
uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES, uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES,
NUM_ECC_BYTES, NUM_ECC_BYTES,
_public + NUM_ECC_WORDS); _public + NUM_ECC_WORDS);
exit: exit:
/* erasing temporary buffer used to store secret: */ /* erasing temporary buffer used to store secret: */
@ -114,13 +114,15 @@ int uECC_make_key(uint8_t *public_key, uint8_t *private_key)
uECC_word_t _private[NUM_ECC_WORDS]; uECC_word_t _private[NUM_ECC_WORDS];
uECC_word_t _public[NUM_ECC_WORDS * 2]; uECC_word_t _public[NUM_ECC_WORDS * 2];
uECC_word_t tries; uECC_word_t tries;
volatile uint8_t *public_key_dup = public_key;
volatile uint8_t *private_key_dup = private_key;
for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) {
/* Generating _private uniformly at random: */ /* Generating _private uniformly at random: */
uECC_RNG_Function rng_function = uECC_get_rng(); uECC_RNG_Function rng_function = uECC_get_rng();
if (!rng_function || if (!rng_function ||
rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) != 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) { rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) != 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) {
return UECC_FAILURE; return UECC_FAILURE;
} }
/* computing modular reduction of _random (see FIPS 186.4 B.4.1): */ /* computing modular reduction of _random (see FIPS 186.4 B.4.1): */
@ -136,26 +138,31 @@ int uECC_make_key(uint8_t *public_key, uint8_t *private_key)
/* Converting buffers to correct bit order: */ /* Converting buffers to correct bit order: */
uECC_vli_nativeToBytes(private_key, uECC_vli_nativeToBytes(private_key,
BITS_TO_BYTES(NUM_ECC_BITS), BITS_TO_BYTES(NUM_ECC_BITS),
_private); _private);
uECC_vli_nativeToBytes(public_key, uECC_vli_nativeToBytes(public_key,
NUM_ECC_BYTES, NUM_ECC_BYTES,
_public); _public);
uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES, uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES,
NUM_ECC_BYTES, NUM_ECC_BYTES,
_public + NUM_ECC_WORDS); _public + NUM_ECC_WORDS);
/* erasing temporary buffer that stored secret: */ /* erasing temporary buffer that stored secret: */
mbedtls_platform_memset(_private, 0, NUM_ECC_BYTES); mbedtls_platform_memset(_private, 0, NUM_ECC_BYTES);
return UECC_SUCCESS; if (private_key == private_key_dup && public_key == public_key_dup) {
} return UECC_SUCCESS;
}
/* Erase key in case of FI */
mbedtls_platform_memset(public_key, 0, 2*NUM_ECC_BYTES);
return UECC_FAULT_DETECTED;
}
} }
return UECC_FAILURE; return UECC_FAILURE;
} }
int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key, int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key,
uint8_t *secret) uint8_t *secret)
{ {
uECC_word_t _public[NUM_ECC_WORDS * 2]; uECC_word_t _public[NUM_ECC_WORDS * 2];
@ -163,23 +170,31 @@ int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key,
wordcount_t num_words = NUM_ECC_WORDS; wordcount_t num_words = NUM_ECC_WORDS;
wordcount_t num_bytes = NUM_ECC_BYTES; wordcount_t num_bytes = NUM_ECC_BYTES;
int r = UECC_FAULT_DETECTED; int r = UECC_FAULT_DETECTED;
volatile const uint8_t *public_key_dup = public_key;
volatile const uint8_t *private_key_dup = private_key;
volatile const uint8_t *secret_dup = secret;
/* Converting buffers to correct bit order: */ /* Converting buffers to correct bit order: */
uECC_vli_bytesToNative(_private, uECC_vli_bytesToNative(_private,
private_key, private_key,
BITS_TO_BYTES(NUM_ECC_BITS)); BITS_TO_BYTES(NUM_ECC_BITS));
uECC_vli_bytesToNative(_public, uECC_vli_bytesToNative(_public,
public_key, public_key,
num_bytes); num_bytes);
uECC_vli_bytesToNative(_public + num_words, uECC_vli_bytesToNative(_public + num_words,
public_key + num_bytes, public_key + num_bytes,
num_bytes); num_bytes);
r = EccPoint_mult_safer(_public, _public, _private); r = EccPoint_mult_safer(_public, _public, _private);
uECC_vli_nativeToBytes(secret, num_bytes, _public); uECC_vli_nativeToBytes(secret, num_bytes, _public);
/* erasing temporary buffer used to store secret: */ /* erasing temporary buffer used to store secret: */
mbedtls_platform_zeroize(_private, sizeof(_private)); mbedtls_platform_zeroize(_private, sizeof(_private));
if (public_key_dup != public_key || private_key_dup != private_key || secret_dup != secret) {
/* Erase secret in case of FI */
mbedtls_platform_memset(secret, 0, NUM_ECC_BYTES);
return UECC_FAULT_DETECTED;
}
return r; return r;
} }

72
tinycrypt/ecc_dsa.c
View File

@ -11,10 +11,10 @@
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met: * modification, are permitted provided that the following conditions are met:
* * Redistributions of source code must retain the above copyright notice, * * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. * this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice, * * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation * this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution. * and/or other materials provided with the distribution.
* *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -34,16 +34,16 @@
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met: * modification, are permitted provided that the following conditions are met:
* *
* - Redistributions of source code must retain the above copyright notice, * - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. * this list of conditions and the following disclaimer.
* *
* - Redistributions in binary form must reproduce the above copyright * - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the * notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution. * documentation and/or other materials provided with the distribution.
* *
* - Neither the name of Intel Corporation nor the names of its contributors * - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software * may be used to endorse or promote products derived from this software
* without specific prior written permission. * without specific prior written permission.
* *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -69,7 +69,7 @@
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
static void bits2int(uECC_word_t *native, const uint8_t *bits, static void bits2int(uECC_word_t *native, const uint8_t *bits,
unsigned bits_size) unsigned bits_size)
{ {
unsigned num_n_bytes = BITS_TO_BYTES(NUM_ECC_BITS); unsigned num_n_bytes = BITS_TO_BYTES(NUM_ECC_BITS);
@ -82,7 +82,7 @@ static void bits2int(uECC_word_t *native, const uint8_t *bits,
} }
int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash,
unsigned hash_size, uECC_word_t *k, uint8_t *signature) unsigned hash_size, uECC_word_t *k, uint8_t *signature)
{ {
uECC_word_t tmp[NUM_ECC_WORDS]; uECC_word_t tmp[NUM_ECC_WORDS];
@ -94,12 +94,12 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash,
/* Make sure 0 < k < curve_n */ /* Make sure 0 < k < curve_n */
if (uECC_vli_isZero(k) || if (uECC_vli_isZero(k) ||
uECC_vli_cmp(curve_n, k) != 1) { uECC_vli_cmp(curve_n, k) != 1) {
return UECC_FAILURE; return UECC_FAILURE;
} }
r = EccPoint_mult_safer(p, curve_G, k); r = EccPoint_mult_safer(p, curve_G, k);
if (r != UECC_SUCCESS) { if (r != UECC_SUCCESS) {
return r; return r;
} }
@ -116,7 +116,7 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash,
/* Prevent side channel analysis of uECC_vli_modInv() to determine /* Prevent side channel analysis of uECC_vli_modInv() to determine
bits of k / the private key by premultiplying by a random number */ bits of k / the private key by premultiplying by a random number */
uECC_vli_modMult(k, k, tmp, curve_n); /* k' = rand * k */ uECC_vli_modMult(k, k, tmp, curve_n); /* k' = rand * k */
uECC_vli_modInv(k, k, curve_n); /* k = 1 / k' */ uECC_vli_modInv(k, k, curve_n); /* k = 1 / k' */
uECC_vli_modMult(k, k, tmp, curve_n); /* k = 1 / k */ uECC_vli_modMult(k, k, tmp, curve_n); /* k = 1 / k */
uECC_vli_nativeToBytes(signature, NUM_ECC_BYTES, p); /* store r */ uECC_vli_nativeToBytes(signature, NUM_ECC_BYTES, p); /* store r */
@ -140,18 +140,22 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash,
} }
int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash, int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash,
unsigned hash_size, uint8_t *signature) unsigned hash_size, uint8_t *signature)
{ {
int r; int r;
uECC_word_t _random[2*NUM_ECC_WORDS]; uECC_word_t _random[2*NUM_ECC_WORDS];
uECC_word_t k[NUM_ECC_WORDS]; uECC_word_t k[NUM_ECC_WORDS];
uECC_word_t tries; uECC_word_t tries;
volatile const uint8_t *private_key_dup = private_key;
volatile const uint8_t *message_hash_dup = message_hash;
volatile unsigned hash_size_dup = hash_size;
volatile uint8_t *signature_dup = signature;
for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) {
/* Generating _random uniformly at random: */ /* Generating _random uniformly at random: */
uECC_RNG_Function rng_function = uECC_get_rng(); uECC_RNG_Function rng_function = uECC_get_rng();
if (!rng_function || if (!rng_function ||
rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE) != 2*NUM_ECC_WORDS*uECC_WORD_SIZE) { rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE) != 2*NUM_ECC_WORDS*uECC_WORD_SIZE) {
return UECC_FAILURE; return UECC_FAILURE;
} }
@ -161,9 +165,15 @@ int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash,
r = uECC_sign_with_k(private_key, message_hash, hash_size, k, signature); r = uECC_sign_with_k(private_key, message_hash, hash_size, k, signature);
/* don't keep trying if a fault was detected */ /* don't keep trying if a fault was detected */
if (r == UECC_FAULT_DETECTED) { if (r == UECC_FAULT_DETECTED) {
mbedtls_platform_memset(signature, 0, 2*NUM_ECC_BYTES);
return r; return r;
} }
if (r == UECC_SUCCESS) { if (r == UECC_SUCCESS) {
if (private_key_dup != private_key || message_hash_dup != message_hash ||
hash_size_dup != hash_size || signature_dup != signature) {
mbedtls_platform_memset(signature, 0, 2*NUM_ECC_BYTES);
return UECC_FAULT_DETECTED;
}
return UECC_SUCCESS; return UECC_SUCCESS;
} }
/* else keep trying */ /* else keep trying */
@ -194,6 +204,10 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash,
bitcount_t i; bitcount_t i;
bitcount_t flow_control; bitcount_t flow_control;
volatile uECC_word_t diff; volatile uECC_word_t diff;
volatile const uint8_t *public_key_dup = public_key;
volatile const uint8_t *message_hash_dup = message_hash;
volatile unsigned hash_size_dup = hash_size;
volatile const uint8_t *signature_dup = signature;
uECC_word_t _public[NUM_ECC_WORDS * 2]; uECC_word_t _public[NUM_ECC_WORDS * 2];
uECC_word_t r[NUM_ECC_WORDS], s[NUM_ECC_WORDS]; uECC_word_t r[NUM_ECC_WORDS], s[NUM_ECC_WORDS];
@ -207,7 +221,7 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash,
uECC_vli_bytesToNative(_public, public_key, NUM_ECC_BYTES); uECC_vli_bytesToNative(_public, public_key, NUM_ECC_BYTES);
uECC_vli_bytesToNative(_public + num_words, public_key + NUM_ECC_BYTES, uECC_vli_bytesToNative(_public + num_words, public_key + NUM_ECC_BYTES,
NUM_ECC_BYTES); NUM_ECC_BYTES);
uECC_vli_bytesToNative(r, signature, NUM_ECC_BYTES); uECC_vli_bytesToNative(r, signature, NUM_ECC_BYTES);
uECC_vli_bytesToNative(s, signature + NUM_ECC_BYTES, NUM_ECC_BYTES); uECC_vli_bytesToNative(s, signature + NUM_ECC_BYTES, NUM_ECC_BYTES);
@ -218,7 +232,7 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash,
/* r, s must be < n. */ /* r, s must be < n. */
if (uECC_vli_cmp_unsafe(curve_n, r) != 1 || if (uECC_vli_cmp_unsafe(curve_n, r) != 1 ||
uECC_vli_cmp_unsafe(curve_n, s) != 1) { uECC_vli_cmp_unsafe(curve_n, s) != 1) {
return UECC_FAILURE; return UECC_FAILURE;
} }
@ -252,7 +266,7 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash,
uECC_vli_numBits(u2)); uECC_vli_numBits(u2));
point = points[(!!uECC_vli_testBit(u1, num_bits - 1)) | point = points[(!!uECC_vli_testBit(u1, num_bits - 1)) |
((!!uECC_vli_testBit(u2, num_bits - 1)) << 1)]; ((!!uECC_vli_testBit(u2, num_bits - 1)) << 1)];
uECC_vli_set(rx, point); uECC_vli_set(rx, point);
uECC_vli_set(ry, point + num_words); uECC_vli_set(ry, point + num_words);
uECC_vli_clear(z); uECC_vli_clear(z);
@ -288,13 +302,17 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash,
/* Accept only if v == r. */ /* Accept only if v == r. */
diff = uECC_vli_equal(rx, r); diff = uECC_vli_equal(rx, r);
if (diff == 0) { if (diff == 0) {
flow_control++; flow_control++;
mbedtls_platform_random_delay(); mbedtls_platform_random_delay();
/* Re-check the condition and test if the control flow is as expected. /* Re-check the condition and test if the control flow is as expected.
* 1 (base value) + num_bits - 1 (from the loop) + 5 incrementations. * 1 (base value) + num_bits - 1 (from the loop) + 5 incrementations.
*/ */
if (diff == 0 && flow_control == (num_bits + 5)) { if (diff == 0 && flow_control == (num_bits + 5)) {
if (public_key_dup != public_key || message_hash_dup != message_hash ||
hash_size_dup != hash_size || signature_dup != signature) {
return UECC_FAULT_DETECTED;
}
return UECC_SUCCESS; return UECC_SUCCESS;
} }
else { else {