libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify() Adds fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify() by using the macro FTMN_CALLEE_DONE_MEMCMP() instead of just mbedtls_safer_memcmp() when checking that the hash in the RSA signature is matching the expected value. FTMN_CALLEE_DONE_MEMCMP() saves on success the result in a thread local storage if fault mitigations was enabled when the function was called. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be> [sby: rebased onto mbedtls-3.6.2] Signed-off-by: Sungbae Yoo <sungbaey@nvidia.com>

commit: 50e013c6c3065e298efe77abbb63b2c255801724 [log] [tgz]
author: Jens Wiklander <jens.wiklander@linaro.org> Fri Apr 01 17:45:56 2022 +0200
committer: Jerome Forissier <jerome@forissier.org> Mon Nov 25 09:21:51 2024 +0100
tree: 515f7eb4052c44af0126b3c7a9c58c1acfa06404
parent: c363a3c7e7e168c336808e87c5c3819ccf2bf76b [diff] [blame]
diff --git a/lib/libmbedtls/mbedtls/library/rsa.c b/lib/libmbedtls/mbedtls/library/rsa.c
index 848e781..dbf934f 100644
--- a/lib/libmbedtls/mbedtls/library/rsa.c
+++ b/lib/libmbedtls/mbedtls/library/rsa.c

@@ -2724,8 +2724,8 @@
      * Compare
      */
 
-    if ((ret = mbedtls_ct_memcmp(encoded, encoded_expected,
-                                 sig_len)) != 0) {
+    if ((ret = FTMN_CALLEE_DONE_MEMCMP(mbedtls_ct_memcmp, encoded,
+                                       encoded_expected, sig_len )) != 0) {
         ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
         goto cleanup;
     }
commit	50e013c6c3065e298efe77abbb63b2c255801724	[log] [tgz]
author	Jens Wiklander <jens.wiklander@linaro.org>	Fri Apr 01 17:45:56 2022 +0200
committer	Jerome Forissier <jerome@forissier.org>	Mon Nov 25 09:21:51 2024 +0100
tree	515f7eb4052c44af0126b3c7a9c58c1acfa06404
parent	c363a3c7e7e168c336808e87c5c3819ccf2bf76b [diff] [blame]