Merge remote-tracking branch 'public/pr/2960' into baremetal
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index fe9c594..ce348d9 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -110,6 +110,10 @@
#error "MBEDTLS_USE_TINYCRYPT defined, but it cannot be defined with MBEDTLS_NO_64BIT_MULTIPLICATION"
#endif
+#if defined(MBEDTLS_USE_TINYCRYPT) && !defined(MBEDTLS_SHA256_C)
+#error "MBEDTLS_USE_TINYCRYPT defined, but not MBEDTLS_SHA256_C"
+#endif
+
#if defined(MBEDTLS_USE_TINYCRYPT) && \
!( defined(MBEDTLS_SSL_CONF_SINGLE_EC) && \
MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID == 23 && \
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 87012da..dbb84b4 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2649,6 +2649,7 @@
* MBEDTLS_SSL_CONF_SINGLE_EC
* MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID == 23
* MBEDTLS_SSL_CONF_SINGLE_UECC_GRP_ID == MBEDTLS_UECC_DP_SECP256R1
+ * MBEDTLS_SHA256_C
*
* \see MBEDTLS_SSL_CONF_RNG
*
diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h
index ca06dc3..52cb6a0 100644
--- a/include/mbedtls/entropy.h
+++ b/include/mbedtls/entropy.h
@@ -83,8 +83,8 @@
#define MBEDTLS_ENTROPY_MAX_SEED_SIZE 1024 /**< Maximum size of seed we read from seed file */
#define MBEDTLS_ENTROPY_SOURCE_MANUAL MBEDTLS_ENTROPY_MAX_SOURCES
-#define MBEDTLS_ENTROPY_SOURCE_STRONG 1 /**< Entropy source is strong */
-#define MBEDTLS_ENTROPY_SOURCE_WEAK 0 /**< Entropy source is weak */
+#define MBEDTLS_ENTROPY_SOURCE_STRONG 0x7F /**< Entropy source is strong */
+#define MBEDTLS_ENTROPY_SOURCE_WEAK 0x0 /**< Entropy source is weak */
#ifdef __cplusplus
extern "C" {
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 8008b51..e14f58f 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -125,8 +125,13 @@
#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED -0x6A80 /**< DTLS client must retry for hello verification */
#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL -0x6A00 /**< A buffer is too small to receive or write a message */
#define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE -0x6980 /**< None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages). */
-#define MBEDTLS_ERR_SSL_WANT_READ -0x6900 /**< No data of requested type currently available on underlying transport. */
-#define MBEDTLS_ERR_SSL_WANT_WRITE -0x6880 /**< Connection requires a write call. */
+/*
+ * MBEDTLS_ERR_SSL_WANT_READ and MBEDTLS_ERR_SSL_WANT_WRITE are dismissable errors,
+ * therefore the hamming distance to other non-dismissable errors should be
+ * large to prevent bit-flipping a non-dismissable error to dismissable.
+ */
+#define MBEDTLS_ERR_SSL_WANT_READ -0xFF6900 /**< No data of requested type currently available on underlying transport. */
+#define MBEDTLS_ERR_SSL_WANT_WRITE -0xFF6880 /**< Connection requires a write call. */
#define MBEDTLS_ERR_SSL_TIMEOUT -0x6800 /**< The operation timed out. */
#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT -0x6780 /**< The client initiated a reconnect from the same port. */
#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD -0x6700 /**< Record header looks valid but is not expected. */
@@ -191,10 +196,10 @@
#define MBEDTLS_SSL_COMPRESS_NULL 0
#define MBEDTLS_SSL_COMPRESS_DEFLATE 1
-#define MBEDTLS_SSL_VERIFY_NONE 0
-#define MBEDTLS_SSL_VERIFY_OPTIONAL 1
-#define MBEDTLS_SSL_VERIFY_REQUIRED 2
-#define MBEDTLS_SSL_VERIFY_UNSET 3 /* Used only for sni_authmode */
+#define MBEDTLS_SSL_VERIFY_NONE 0x0
+#define MBEDTLS_SSL_VERIFY_OPTIONAL 0xf
+#define MBEDTLS_SSL_VERIFY_REQUIRED 0x33
+#define MBEDTLS_SSL_VERIFY_UNSET 0x3c /* Used only for sni_authmode */
#define MBEDTLS_SSL_LEGACY_RENEGOTIATION 0
#define MBEDTLS_SSL_SECURE_RENEGOTIATION 1
@@ -564,25 +569,26 @@
*/
typedef enum
{
- MBEDTLS_SSL_HELLO_REQUEST,
- MBEDTLS_SSL_CLIENT_HELLO,
- MBEDTLS_SSL_SERVER_HELLO,
- MBEDTLS_SSL_SERVER_CERTIFICATE,
- MBEDTLS_SSL_SERVER_KEY_EXCHANGE,
- MBEDTLS_SSL_CERTIFICATE_REQUEST,
- MBEDTLS_SSL_SERVER_HELLO_DONE,
- MBEDTLS_SSL_CLIENT_CERTIFICATE,
- MBEDTLS_SSL_CLIENT_KEY_EXCHANGE,
- MBEDTLS_SSL_CERTIFICATE_VERIFY,
- MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC,
- MBEDTLS_SSL_CLIENT_FINISHED,
- MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC,
- MBEDTLS_SSL_SERVER_FINISHED,
- MBEDTLS_SSL_FLUSH_BUFFERS,
- MBEDTLS_SSL_HANDSHAKE_WRAPUP,
- MBEDTLS_SSL_HANDSHAKE_OVER,
- MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET,
- MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
+ MBEDTLS_SSL_HELLO_REQUEST = 0x0,
+ MBEDTLS_SSL_CLIENT_HELLO = 0x0000FFFF,
+ MBEDTLS_SSL_SERVER_HELLO = 0x00FF00FF,
+ MBEDTLS_SSL_SERVER_CERTIFICATE = 0x00FFFF00,
+ MBEDTLS_SSL_SERVER_KEY_EXCHANGE = 0x0F0F0F0F,
+ MBEDTLS_SSL_CERTIFICATE_REQUEST = 0x0F0FF0F0,
+ MBEDTLS_SSL_SERVER_HELLO_DONE = 0x0FF00FF0,
+ MBEDTLS_SSL_CLIENT_CERTIFICATE = 0x0FF0F00F,
+ MBEDTLS_SSL_CLIENT_KEY_EXCHANGE = 0x33333333,
+ MBEDTLS_SSL_CERTIFICATE_VERIFY = 0x3333CCCC,
+ MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC = 0x33CC33CC,
+ MBEDTLS_SSL_CLIENT_FINISHED = 0x33CCCC33,
+ MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC = 0x3C3C3C3C,
+ MBEDTLS_SSL_SERVER_FINISHED = 0x3C3CC3C3,
+ MBEDTLS_SSL_FLUSH_BUFFERS = 0x3CC33CC3,
+ MBEDTLS_SSL_HANDSHAKE_WRAPUP = 0x3CC3C33C,
+ MBEDTLS_SSL_HANDSHAKE_OVER = 0x55555555,
+ MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET = 0x5555AAAA,
+ MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT = 0x55AA55AA,
+ MBEDTLS_SSL_INVALID = 0x55AAAA55
}
mbedtls_ssl_states;
@@ -1196,7 +1202,7 @@
#endif /* !MBEDTLS_SSL_CONF_ENDPOINT */
unsigned int transport : 1; /*!< stream (TLS) or datagram (DTLS) */
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
- unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */
+ unsigned int authmode : 6; /*!< MBEDTLS_SSL_VERIFY_XXX */
#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
/* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 4872f6f..19328d8 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -226,6 +226,9 @@
: ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
)
+#define MBEDTLS_SSL_FI_FLAG_UNSET 0x0
+#define MBEDTLS_SSL_FI_FLAG_SET 0x7F
+
/*
* Check that we obey the standard's message size bounds
*/
@@ -385,6 +388,10 @@
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
uint8_t got_peer_pubkey; /*!< Did we store the peer's public key from its certificate? */
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ volatile uint8_t peer_authenticated; /*!< Is the peer authenticated? */
+ volatile uint8_t hello_random_set; /*!< Has the hello random been set? */
+ volatile uint8_t key_derivation_done; /*!< Has the key derivation been done? */
+ volatile uint8_t premaster_generated; /*!< Has the PMS been generated? */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned char verify_cookie_len; /*!< Cli: cookie length
Srv: flag for sending a cookie */
@@ -506,7 +513,7 @@
#endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
- int resume; /*!< session resume indicator*/
+ volatile int resume; /*!< session resume indicator*/
#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
#if defined(MBEDTLS_SSL_SRV_C) && \
@@ -905,7 +912,7 @@
int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
-void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
diff --git a/include/tinycrypt/ecc.h b/include/tinycrypt/ecc.h
index df8f1df..6a85a55 100644
--- a/include/tinycrypt/ecc.h
+++ b/include/tinycrypt/ecc.h
@@ -87,7 +87,7 @@
* attacks flipping a low number of bits. */
#define UECC_SUCCESS 0
#define UECC_FAILURE 0x75555555
-#define UECC_ATTACK_DETECTED 0x7aaaaaaa
+#define UECC_FAULT_DETECTED 0x7aaaaaaa
/* Word size (4 bytes considering 32-bits architectures) */
#define uECC_WORD_SIZE 4
@@ -119,23 +119,6 @@
#define NUM_ECC_BYTES (uECC_WORD_SIZE*NUM_ECC_WORDS)
#define NUM_ECC_BITS 256
-/* structure that represents an elliptic curve (e.g. p256):*/
-struct uECC_Curve_t;
-typedef const struct uECC_Curve_t * uECC_Curve;
-struct uECC_Curve_t {
- wordcount_t num_words;
- wordcount_t num_bytes;
- bitcount_t num_n_bits;
- uECC_word_t p[NUM_ECC_WORDS];
- uECC_word_t n[NUM_ECC_WORDS];
- uECC_word_t G[NUM_ECC_WORDS * 2];
- uECC_word_t b[NUM_ECC_WORDS];
- void (*double_jacobian)(uECC_word_t * X1, uECC_word_t * Y1, uECC_word_t * Z1,
- uECC_Curve curve);
- void (*x_side)(uECC_word_t *result, const uECC_word_t *x, uECC_Curve curve);
- void (*mmod_fast)(uECC_word_t *result, uECC_word_t *product);
-};
-
/*
* @brief computes doubling of point ion jacobian coordinates, in place.
* @param X1 IN/OUT -- x coordinate
@@ -144,16 +127,7 @@
* @param curve IN -- elliptic curve
*/
void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1,
- uECC_word_t * Z1, uECC_Curve curve);
-
-/*
- * @brief Computes x^3 + ax + b. result must not overlap x.
- * @param result OUT -- x^3 + ax + b
- * @param x IN -- value of x
- * @param curve IN -- elliptic curve
- */
-void x_side_default(uECC_word_t *result, const uECC_word_t *x,
- uECC_Curve curve);
+ uECC_word_t * Z1);
/*
* @brief Computes result = product % curve_p
@@ -170,42 +144,10 @@
((num_bits + ((uECC_WORD_SIZE * 8) - 1)) / (uECC_WORD_SIZE * 8))
#define BITS_TO_BYTES(num_bits) ((num_bits + 7) / 8)
-/* definition of curve NIST p-256: */
-static const struct uECC_Curve_t curve_secp256r1 = {
- NUM_ECC_WORDS,
- NUM_ECC_BYTES,
- 256, /* num_n_bits */ {
- BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF),
- BYTES_TO_WORDS_8(FF, FF, FF, FF, 00, 00, 00, 00),
- BYTES_TO_WORDS_8(00, 00, 00, 00, 00, 00, 00, 00),
- BYTES_TO_WORDS_8(01, 00, 00, 00, FF, FF, FF, FF)
- }, {
- BYTES_TO_WORDS_8(51, 25, 63, FC, C2, CA, B9, F3),
- BYTES_TO_WORDS_8(84, 9E, 17, A7, AD, FA, E6, BC),
- BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF),
- BYTES_TO_WORDS_8(00, 00, 00, 00, FF, FF, FF, FF)
- }, {
- BYTES_TO_WORDS_8(96, C2, 98, D8, 45, 39, A1, F4),
- BYTES_TO_WORDS_8(A0, 33, EB, 2D, 81, 7D, 03, 77),
- BYTES_TO_WORDS_8(F2, 40, A4, 63, E5, E6, BC, F8),
- BYTES_TO_WORDS_8(47, 42, 2C, E1, F2, D1, 17, 6B),
-
- BYTES_TO_WORDS_8(F5, 51, BF, 37, 68, 40, B6, CB),
- BYTES_TO_WORDS_8(CE, 5E, 31, 6B, 57, 33, CE, 2B),
- BYTES_TO_WORDS_8(16, 9E, 0F, 7C, 4A, EB, E7, 8E),
- BYTES_TO_WORDS_8(9B, 7F, 1A, FE, E2, 42, E3, 4F)
- }, {
- BYTES_TO_WORDS_8(4B, 60, D2, 27, 3E, 3C, CE, 3B),
- BYTES_TO_WORDS_8(F6, B0, 53, CC, B0, 06, 1D, 65),
- BYTES_TO_WORDS_8(BC, 86, 98, 76, 55, BD, EB, B3),
- BYTES_TO_WORDS_8(E7, 93, 3A, AA, D8, 35, C6, 5A)
- },
- &double_jacobian_default,
- &x_side_default,
- &vli_mmod_fast_secp256r1
-};
-
-uECC_Curve uECC_secp256r1(void);
+extern const uECC_word_t curve_p[NUM_ECC_WORDS];
+extern const uECC_word_t curve_n[NUM_ECC_WORDS];
+extern const uECC_word_t curve_G[2 * NUM_ECC_WORDS];
+extern const uECC_word_t curve_b[NUM_ECC_WORDS];
/*
* @brief Generates a random integer in the range 0 < random < top.
@@ -260,24 +202,24 @@
* @param curve IN -- elliptic curve
* @return size of a private key for the curve in bytes.
*/
-int uECC_curve_private_key_size(uECC_Curve curve);
+int uECC_curve_private_key_size(void);
/*
* @brief computes the size of a public key for the curve in bytes.
* @param curve IN -- elliptic curve
* @return the size of a public key for the curve in bytes.
*/
-int uECC_curve_public_key_size(uECC_Curve curve);
+int uECC_curve_public_key_size(void);
/*
* @brief Compute the corresponding public key for a private key.
* @param private_key IN -- The private key to compute the public key for
* @param public_key OUT -- Will be filled in with the corresponding public key
* @param curve
- * @return Returns 1 if key was computed successfully, 0 if an error occurred.
+ * @return UECC_SUCCESS or UECC_FAILURE or UECC_FAULT_DETECTED
*/
int uECC_compute_public_key(const uint8_t *private_key,
- uint8_t *public_key, uECC_Curve curve);
+ uint8_t *public_key);
/*
* @brief Compute public-key.
@@ -285,9 +227,10 @@
* @param result OUT -- public-key
* @param private_key IN -- private-key
* @param curve IN -- elliptic curve
+ * @return UECC_SUCCESS or UECC_FAILURE or UECC_FAULT_DETECTED
*/
uECC_word_t EccPoint_compute_public_key(uECC_word_t *result,
- uECC_word_t *private_key, uECC_Curve curve);
+ uECC_word_t *private_key);
/*
* @brief Point multiplication algorithm using Montgomery's ladder with co-Z
@@ -298,10 +241,10 @@
* @param result OUT -- returns scalar*point
* @param point IN -- elliptic curve point
* @param scalar IN -- scalar
- * @param curve IN -- elliptic curve
+ * @return UECC_SUCCESS or UECC_FAILURE or UECC_FAULT_DETECTED
*/
int EccPoint_mult_safer(uECC_word_t * result, const uECC_word_t * point,
- const uECC_word_t * scalar, uECC_Curve curve);
+ const uECC_word_t * scalar);
/*
* @brief Constant-time comparison to zero - secure way to compare long integers
@@ -314,10 +257,9 @@
/*
* @brief Check if 'point' is the point at infinity
* @param point IN -- elliptic curve point
- * @param curve IN -- elliptic curve
* @return if 'point' is the point at infinity, 0 otherwise.
*/
-uECC_word_t EccPoint_isZero(const uECC_word_t *point, uECC_Curve curve);
+uECC_word_t EccPoint_isZero(const uECC_word_t *point);
/*
* @brief computes the sign of left - right, in constant time.
@@ -362,7 +304,7 @@
* @param curve IN -- elliptic curve
*/
void XYcZ_add(uECC_word_t * X1, uECC_word_t * Y1, uECC_word_t * X2,
- uECC_word_t * Y2, uECC_Curve curve);
+ uECC_word_t * Y2);
/*
* @brief Computes (x1 * z^2, y1 * z^3)
@@ -493,7 +435,7 @@
* @exception returns -2 if x or y is smaller than p,
* @exception returns -3 if y^2 != x^3 + ax + b.
*/
-int uECC_valid_point(const uECC_word_t *point, uECC_Curve curve);
+int uECC_valid_point(const uECC_word_t *point);
/*
* @brief Check if a public key is valid.
@@ -509,7 +451,7 @@
* time computing a shared secret or verifying a signature using an invalid
* public key.
*/
-int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve);
+int uECC_valid_public_key(const uint8_t *public_key);
/*
* @brief Converts an integer in uECC native format to big-endian bytes.
diff --git a/include/tinycrypt/ecc_dh.h b/include/tinycrypt/ecc_dh.h
index d87393d..c443f85 100644
--- a/include/tinycrypt/ecc_dh.h
+++ b/include/tinycrypt/ecc_dh.h
@@ -82,8 +82,7 @@
/**
* @brief Create a public/private key pair.
- * @return returns TC_CRYPTO_SUCCESS (1) if the key pair was generated successfully
- * returns TC_CRYPTO_FAIL (0) if error while generating key pair
+ * @return UECC_SUCCESS or UECC_FAILURE or UECC_FAULT_DETECTED
*
* @param p_public_key OUT -- Will be filled in with the public key. Must be at
* least 2 * the curve size (in bytes) long. For curve secp256r1, p_public_key
@@ -96,7 +95,7 @@
* @warning A cryptographically-secure PRNG function must be set (using
* uECC_set_rng()) before calling uECC_make_key().
*/
-int uECC_make_key(uint8_t *p_public_key, uint8_t *p_private_key, uECC_Curve curve);
+int uECC_make_key(uint8_t *p_public_key, uint8_t *p_private_key);
#ifdef ENABLE_TESTS
@@ -107,14 +106,13 @@
* uECC_make_key() function for real applications.
*/
int uECC_make_key_with_d(uint8_t *p_public_key, uint8_t *p_private_key,
- unsigned int *d, uECC_Curve curve);
+ unsigned int *d);
#endif
/**
* @brief Compute a shared secret given your secret key and someone else's
* public key.
- * @return returns TC_CRYPTO_SUCCESS (1) if the shared secret was computed successfully
- * returns TC_CRYPTO_FAIL (0) otherwise
+ * @return UECC_SUCCESS or UECC_FAILURE or UECC_FAULT_DETECTED
*
* @param p_secret OUT -- Will be filled in with the shared secret value. Must be
* the same size as the curve size (for curve secp256r1, secret must be 32 bytes
@@ -127,7 +125,7 @@
* order to produce a cryptographically secure symmetric key.
*/
int uECC_shared_secret(const uint8_t *p_public_key, const uint8_t *p_private_key,
- uint8_t *p_secret, uECC_Curve curve);
+ uint8_t *p_secret);
#ifdef __cplusplus
}
diff --git a/include/tinycrypt/ecc_dsa.h b/include/tinycrypt/ecc_dsa.h
index f744319..0001ecb 100644
--- a/include/tinycrypt/ecc_dsa.h
+++ b/include/tinycrypt/ecc_dsa.h
@@ -91,8 +91,7 @@
/**
* @brief Generate an ECDSA signature for a given hash value.
- * @return returns TC_CRYPTO_SUCCESS (1) if the signature generated successfully
- * returns TC_CRYPTO_FAIL (0) if an error occurred.
+ * @return UECC_SUCCESS or UECC_FAILURE or UECC_FAULT_DETECTED
*
* @param p_private_key IN -- Your private key.
* @param p_message_hash IN -- The hash of the message to sign.
@@ -108,7 +107,7 @@
* attack.
*/
int uECC_sign(const uint8_t *p_private_key, const uint8_t *p_message_hash,
- unsigned p_hash_size, uint8_t *p_signature, uECC_Curve curve);
+ unsigned p_hash_size, uint8_t *p_signature);
#ifdef ENABLE_TESTS
/*
@@ -116,8 +115,7 @@
* Refer to uECC_sign() function for real applications.
*/
int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash,
- unsigned int hash_size, uECC_word_t *k, uint8_t *signature,
- uECC_Curve curve);
+ unsigned int hash_size, uECC_word_t *k, uint8_t *signature)
#endif
/**
@@ -135,7 +133,7 @@
* the signature values (hash_size and signature).
*/
int uECC_verify(const uint8_t *p_public_key, const uint8_t *p_message_hash,
- unsigned int p_hash_size, const uint8_t *p_signature, uECC_Curve curve);
+ unsigned int p_hash_size, const uint8_t *p_signature);
#ifdef __cplusplus
}
diff --git a/library/entropy.c b/library/entropy.c
index 75421cf..b4d1f29 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -43,9 +43,7 @@
#include <stdio.h>
#endif
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
#include "mbedtls/platform.h"
-#endif
#if defined(MBEDTLS_SELF_TEST)
#if defined(MBEDTLS_PLATFORM_C)
@@ -258,7 +256,9 @@
*/
static int entropy_gather_internal( mbedtls_entropy_context *ctx )
{
- int ret, i, have_one_strong = 0;
+ int i;
+ volatile int ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
+ volatile int have_one_strong_fi = MBEDTLS_ENTROPY_SOURCE_WEAK;
unsigned char buf[MBEDTLS_ENTROPY_MAX_GATHER];
size_t olen;
@@ -270,8 +270,16 @@
*/
for( i = 0; i < ctx->source_count; i++ )
{
- if( ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG )
- have_one_strong = 1;
+ volatile int strong_fi = ctx->source[i].strong;
+ if( strong_fi == MBEDTLS_ENTROPY_SOURCE_STRONG )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+
+ if( strong_fi == MBEDTLS_ENTROPY_SOURCE_STRONG )
+ have_one_strong_fi = MBEDTLS_ENTROPY_SOURCE_STRONG;
+ else
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
olen = 0;
if( ( ret = ctx->source[i].f_source( ctx->source[i].p_source,
@@ -292,13 +300,24 @@
}
}
- if( have_one_strong == 0 )
- ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
-
cleanup:
mbedtls_platform_zeroize( buf, sizeof( buf ) );
- return( ret );
+ if( have_one_strong_fi == MBEDTLS_ENTROPY_SOURCE_STRONG )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( have_one_strong_fi == MBEDTLS_ENTROPY_SOURCE_STRONG )
+ {
+ return( ret );
+ }
+ else
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
+
+ }
+
+ return( MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE );
}
/*
diff --git a/library/pk.c b/library/pk.c
index 9eddb61..27276a8 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -580,7 +580,6 @@
volatile int ret_fi;
uint8_t signature[2*NUM_ECC_BYTES];
unsigned char *p;
- const struct uECC_Curve_t * uecc_curve = uECC_secp256r1();
const mbedtls_uecc_keypair *keypair = (const mbedtls_uecc_keypair *) ctx;
((void) md_alg);
@@ -591,9 +590,9 @@
return( ret );
ret_fi = uECC_verify( keypair->public_key, hash,
- (unsigned) hash_len, signature, uecc_curve );
+ (unsigned) hash_len, signature );
- if( ret_fi == UECC_ATTACK_DETECTED )
+ if( ret_fi == UECC_FAULT_DETECTED )
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
if( ret_fi == UECC_SUCCESS )
@@ -704,7 +703,6 @@
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
const mbedtls_uecc_keypair *keypair = (const mbedtls_uecc_keypair *) ctx;
- const struct uECC_Curve_t * uecc_curve = uECC_secp256r1();
int ret;
/*
@@ -724,9 +722,10 @@
*/
#define MAX_SECP256R1_ECDSA_SIG_LEN ( 3 + 2 * ( 3 + NUM_ECC_BYTES ) )
- ret = uECC_sign( keypair->private_key, hash, hash_len, sig, uecc_curve );
- /* TinyCrypt uses 0 to signal errors. */
- if( ret == 0 )
+ ret = uECC_sign( keypair->private_key, hash, hash_len, sig );
+ if( ret == UECC_FAULT_DETECTED )
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ if( ret != UECC_SUCCESS )
return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
*sig_len = 2 * NUM_ECC_BYTES;
@@ -1516,6 +1515,7 @@
const unsigned char *sig, size_t sig_len,
mbedtls_pk_restart_ctx *rs_ctx )
{
+ volatile int verify_ret = MBEDTLS_ERR_PK_HW_ACCEL_FAILED;
PK_VALIDATE_RET( ctx != NULL );
PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
hash != NULL );
@@ -1548,8 +1548,23 @@
(void) rs_ctx;
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
- return( pk_info_verify_func( MBEDTLS_PK_CTX_INFO( ctx ),
- ctx->pk_ctx, md_alg, hash, hash_len, sig, sig_len ) );
+ verify_ret = pk_info_verify_func( MBEDTLS_PK_CTX_INFO( ctx ),
+ ctx->pk_ctx, md_alg, hash, hash_len, sig, sig_len );
+
+ if( verify_ret == 0 )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( verify_ret == 0 )
+ {
+ return( verify_ret );
+ }
+ else
+ {
+ verify_ret = MBEDTLS_ERR_PK_HW_ACCEL_FAILED;
+ }
+ }
+
+ return( verify_ret );
}
/*
diff --git a/library/pkparse.c b/library/pkparse.c
index 4562f65..3f20225 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -986,9 +986,10 @@
if( !pubkey_done )
{
ret = uECC_compute_public_key( keypair->private_key,
- keypair->public_key,
- uECC_secp256r1() );
- if( ret == 0 )
+ keypair->public_key );
+ if( ret == UECC_FAULT_DETECTED )
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ if( ret != UECC_SUCCESS )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
}
diff --git a/library/platform_util.c b/library/platform_util.c
index 97dfe73..16867aa 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -142,10 +142,7 @@
uint32_t mbedtls_platform_random_in_range( size_t num )
{
- /* Temporary force the dummy version - drawing directly from the HRNG
- * seems to be causing issues, avoid doing that until we understood the
- * issue, and perhaps we'll need to draw from a DRBG instead. */
-#if 1 || !defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+#if !defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
(void) num;
return 0;
#else
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index f7d331f..479554d 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -687,7 +687,7 @@
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t t;
#endif
-
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
/*
* When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
*/
@@ -713,13 +713,19 @@
p += 4;
#endif /* MBEDTLS_HAVE_TIME */
- if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
- ( mbedtls_ssl_conf_get_prng( ssl->conf ), p, 28 ) ) != 0 )
+ ret = mbedtls_ssl_conf_get_frng( ssl->conf )
+ ( mbedtls_ssl_conf_get_prng( ssl->conf ), p, 28 );
+ if( ret == 0 )
{
- return( ret );
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+ return( 0 );
+ }
}
- return( 0 );
+ return( ret );
}
/**
@@ -862,7 +868,7 @@
* appropriate length. Otherwise make the length 0 (for now, see next code
* block for behaviour with tickets).
*/
- if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ||
+ if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_UNSET ||
mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
ssl->session_negotiate->id_len < 16 ||
ssl->session_negotiate->id_len > 32 )
@@ -1116,7 +1122,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
@@ -1719,8 +1725,15 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
(unsigned long)mbedtls_platform_get_uint32_be( &buf[2] ) ) );
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
+
mbedtls_platform_memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
+ if( mbedtls_platform_memcmp( ssl->handshake->randbytes + 32, buf + 2, 32 ) == 0 )
+ {
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+
n = buf[34];
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
@@ -1819,11 +1832,11 @@
ssl->session_negotiate->id_len != n ||
mbedtls_platform_memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
{
- ssl->handshake->resume = 0;
+ ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_UNSET;
}
#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
- if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
+ if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_SET )
{
/* Resume a session */
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
@@ -1839,7 +1852,7 @@
else
{
/* Start a new session */
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_CERTIFICATE;
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time( NULL );
#endif
@@ -2329,7 +2342,7 @@
unsigned char* out,
unsigned add_length_tag )
{
- int ret;
+ volatile int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
/*
* Generate (part of) the pre-master secret as
@@ -2351,14 +2364,21 @@
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
ssl->conf->transport, out );
- if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
- ( mbedtls_ssl_conf_get_prng( ssl->conf ), out + 2, 46 ) ) != 0 )
+ ret = mbedtls_ssl_conf_get_frng( ssl->conf )
+ ( mbedtls_ssl_conf_get_prng( ssl->conf ), out + 2, 46 );
+
+ if( ret == 0 )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
- return( ret );
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ return( 0 );
+ }
}
- return( 0 );
+ MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
+ return( ret );
}
/*
@@ -2370,7 +2390,7 @@
unsigned char *out, size_t buflen,
size_t *olen )
{
- int ret;
+ volatile int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
size_t len_bytes = mbedtls_ssl_get_minor_ver( ssl ) ==
MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
mbedtls_pk_context *peer_pk = NULL;
@@ -2414,16 +2434,27 @@
goto cleanup;
}
- if( ( ret = mbedtls_pk_encrypt( peer_pk,
+ ret = mbedtls_pk_encrypt( peer_pk,
ppms, 48, out + len_bytes,
olen, buflen - len_bytes,
mbedtls_ssl_conf_get_frng( ssl->conf ),
- mbedtls_ssl_conf_get_prng( ssl->conf ) ) ) != 0 )
+ mbedtls_ssl_conf_get_prng( ssl->conf ) );
+
+ if( ret == 0 )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ }
+ else
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
goto cleanup;
}
+
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( len_bytes == 2 )
@@ -2731,7 +2762,11 @@
unsigned char *buf,
size_t buflen )
{
- int ret;
+ /*
+ * Initialising to an error value would need a significant
+ * structural change to provide default flow assumes failure
+ */
+ volatile int ret = 0;
unsigned char *p;
unsigned char *end;
@@ -3031,39 +3066,51 @@
rs_ctx = &ssl->handshake->ecrs_ctx.pk;
#endif
- if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
- md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
+ ret = mbedtls_pk_verify_restartable( peer_pk,
+ md_alg, hash, hashlen, p, sig_len, rs_ctx );
+
+ if( ret == 0 )
{
-#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
- if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
-#endif
+ mbedtls_platform_enforce_volatile_reads();
+
+ if( ret == 0 )
{
- mbedtls_ssl_pend_fatal_alert( ssl,
- MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ /* We don't need the peer's public key anymore. Free it,
+ * so that more RAM is available for upcoming expensive
+ * operations like ECDHE. */
+ mbedtls_pk_free( peer_pk );
+#else
+ mbedtls_x509_crt_pk_release(
+ ssl->session_negotiate->peer_cert );
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ return( ret );
}
+ else
+ {
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+ }
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+#endif
+ {
+ mbedtls_ssl_pend_fatal_alert( ssl,
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
+ }
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
- if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
- ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+ if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
#endif
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- return( ret );
- }
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- /* We don't need the peer's public key anymore. Free it,
- * so that more RAM is available for upcoming expensive
- * operations like ECDHE. */
- mbedtls_pk_free( peer_pk );
-#else
- mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
}
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
- return( 0 );
+ return( ret );
}
static int ssl_in_server_key_exchange_postprocess( mbedtls_ssl_context *ssl )
@@ -3143,7 +3190,7 @@
if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO_DONE;
return( 0 );
}
@@ -3165,7 +3212,7 @@
if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO_DONE;
return( 0 );
}
@@ -3183,7 +3230,7 @@
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO_DONE;
ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
@@ -3340,7 +3387,7 @@
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
}
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CERTIFICATE;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
@@ -3567,9 +3614,7 @@
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
{
- const struct uECC_Curve_t * uecc_curve = uECC_secp256r1();
((void) n);
- ((void) ret);
if( (size_t)( end - p ) < 2 * NUM_ECC_BYTES + 2 )
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
@@ -3577,11 +3622,11 @@
*p++ = 2 * NUM_ECC_BYTES + 1;
*p++ = 0x04; /* uncompressed point presentation */
- if( !uECC_make_key( p, ssl->handshake->ecdh_privkey,
- uecc_curve ) )
- {
+ ret = uECC_make_key( p, ssl->handshake->ecdh_privkey );
+ if( ret == UECC_FAULT_DETECTED )
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ if( ret != UECC_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
- }
p += 2 * NUM_ECC_BYTES;
}
else
@@ -3718,9 +3763,7 @@
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
{
#if defined(MBEDTLS_USE_TINYCRYPT)
- const struct uECC_Curve_t * uecc_curve = uECC_secp256r1();
((void) n);
- ((void) ret);
if( (size_t)( end - p ) < 2 * NUM_ECC_BYTES + 2 )
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
@@ -3728,11 +3771,11 @@
*p++ = 2 * NUM_ECC_BYTES + 1;
*p++ = 0x04; /* uncompressed point presentation */
- if( !uECC_make_key( p, ssl->handshake->ecdh_privkey,
- uecc_curve ) )
- {
+ ret = uECC_make_key( p, ssl->handshake->ecdh_privkey );
+ if( ret == UECC_FAULT_DETECTED )
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ if( ret != UECC_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
- }
p += 2 * NUM_ECC_BYTES;
#else /* MBEDTLS_USE_TINYCRYPT */
/*
@@ -3831,7 +3874,7 @@
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@@ -3870,14 +3913,14 @@
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@@ -4001,7 +4044,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
{
@@ -4255,9 +4298,10 @@
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
- mbedtls_ssl_handshake_wrapup( ssl );
+ ret = mbedtls_ssl_handshake_wrapup( ssl );
break;
+ case MBEDTLS_SSL_INVALID:
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index a9f983e..92d1da0 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -627,7 +627,7 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
- ssl->handshake->resume = 1;
+ ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_SET;
/* Don't send a new ticket after all, this one is OK */
ssl->handshake->new_session_ticket = 0;
@@ -1223,8 +1223,14 @@
mbedtls_platform_memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
p += sess_len;
+
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
memset( ssl->handshake->randbytes, 0, 64 );
mbedtls_platform_memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
+ if( mbedtls_platform_memcmp( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ) == 0 )
+ {
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+ }
/*
* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
@@ -1360,7 +1366,7 @@
}
ssl->in_left = 0;
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
@@ -1717,10 +1723,14 @@
/*
* Save client random (inc. Unix time)
*/
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
mbedtls_platform_memcpy( ssl->handshake->randbytes, buf + 2, 32 );
-
+ if( mbedtls_platform_memcmp( ssl->handshake->randbytes, buf + 2, 32 ) == 0 )
+ {
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+ }
/*
* Check the session ID length and save session ID
*/
@@ -2298,7 +2308,7 @@
mbedtls_ssl_get_ciphersuite_name(
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) ) ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
@@ -2814,8 +2824,12 @@
}
p += 28;
-
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
mbedtls_platform_memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
+ if( mbedtls_platform_memcmp( ssl->handshake->randbytes + 32, buf + 6, 32 ) == 0 )
+ {
+ ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+ }
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
@@ -2825,19 +2839,19 @@
* It may be already set to 1 by ssl_parse_session_ticket_ext().
* If not, try looking up session ID in our cache.
*/
- if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 &&
+ if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_UNSET &&
mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
ssl->session_negotiate->id_len != 0 &&
ssl->conf->f_get_cache != NULL &&
ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
- ssl->handshake->resume = 1;
+ ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_SET;
}
#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
- if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
+ if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_SET )
{
/*
* Resuming a session
@@ -2858,7 +2872,7 @@
* New session, create a new session id,
* unless we're about to issue a session ticket
*/
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_CERTIFICATE;
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time( NULL );
@@ -3008,7 +3022,7 @@
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO_DONE;
return( 0 );
}
@@ -3030,7 +3044,7 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO_DONE;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
@@ -3279,9 +3293,6 @@
unsigned char *dig_signed = NULL;
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
-#if defined(MBEDTLS_USE_TINYCRYPT)
- const struct uECC_Curve_t * uecc_curve = uECC_secp256r1();
-#endif
(void) ciphersuite_info; /* unused in some configurations */
#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
@@ -3413,6 +3424,7 @@
#if defined(MBEDTLS_USE_TINYCRYPT)
{
+ int ret;
static const unsigned char ecdh_param_hdr[] = {
MBEDTLS_SSL_EC_TLS_NAMED_CURVE,
0 /* high bits of secp256r1 TLS ID */,
@@ -3429,13 +3441,12 @@
ecdh_param_hdr, sizeof( ecdh_param_hdr ) );
ssl->out_msglen += sizeof( ecdh_param_hdr );
- if( !uECC_make_key( &ssl->out_msg[ ssl->out_msglen ],
- ssl->handshake->ecdh_privkey,
- uecc_curve ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Key creation failed" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
+ ret = uECC_make_key( &ssl->out_msg[ ssl->out_msglen ],
+ ssl->handshake->ecdh_privkey );
+ if( ret == UECC_FAULT_DETECTED )
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ if( ret != UECC_SUCCESS )
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
ssl->out_msglen += 2*NUM_ECC_BYTES;
}
@@ -3696,7 +3707,7 @@
/* Key exchanges not involving ephemeral keys don't use
* ServerKeyExchange, so end here. */
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CERTIFICATE_REQUEST;
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
@@ -3754,7 +3765,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CERTIFICATE_REQUEST;
if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
{
@@ -3776,7 +3787,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CERTIFICATE;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
@@ -3967,6 +3978,7 @@
unsigned char mask;
size_t i, peer_pmslen;
unsigned int diff;
+ volatile unsigned int pmscounter = 0;
/* In case of a failure in decryption, the decryption may write less than
* 2 bytes of output, but we always read the first two bytes. It doesn't
@@ -4045,7 +4057,19 @@
/* Set pms to either the true or the fake PMS, without
* data-dependent branches. */
for( i = 0; i < ssl->handshake->pmslen; i++ )
+ {
pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
+ pmscounter++;
+ }
+
+ if( pmscounter == ssl->handshake->pmslen )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( pmscounter == ssl->handshake->pmslen )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ }
return( 0 );
}
@@ -4425,7 +4449,7 @@
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@@ -4435,7 +4459,7 @@
#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
{
- int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ volatile int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
size_t i, sig_len;
unsigned char hash[48];
unsigned char *hash_start = hash;
@@ -4453,7 +4477,7 @@
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@@ -4481,7 +4505,7 @@
if( peer_pk == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@@ -4493,7 +4517,7 @@
goto exit;
}
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
/* Process the message contents */
if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
@@ -4621,17 +4645,25 @@
md_alg, ssl, hash, &dummy_hlen );
}
- if( ( ret = mbedtls_pk_verify( peer_pk,
- md_alg, hash_start, hashlen,
- ssl->in_msg + i, sig_len ) ) != 0 )
+ ret = mbedtls_pk_verify( peer_pk,
+ md_alg, hash_start, hashlen,
+ ssl->in_msg + i, sig_len );
+
+ if( ret == 0 )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
- goto exit;
+ mbedtls_platform_enforce_volatile_reads();
+
+ if( ret == 0 )
+ {
+ mbedtls_ssl_update_handshake_status( ssl );
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
+ goto exit;
+ }
+
}
- mbedtls_ssl_update_handshake_status( ssl );
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
exit:
@@ -4818,9 +4850,10 @@
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
- mbedtls_ssl_handshake_wrapup( ssl );
+ ret = mbedtls_ssl_handshake_wrapup( ssl );
break;
+ case MBEDTLS_SSL_INVALID:
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 988c593..19bdc90 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -48,6 +48,8 @@
#include "mbedtls/ssl_internal.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/version.h"
+#include "mbedtls/platform.h"
+
#include <string.h>
@@ -1825,7 +1827,7 @@
mbedtls_ssl_handshake_get_ciphersuite( handshake );
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
- if( handshake->resume != 0 )
+ if( handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
return( 0 );
@@ -1881,10 +1883,10 @@
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
{
- int ret;
+ volatile int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
-
+ ssl->handshake->key_derivation_done = MBEDTLS_SSL_FI_FLAG_UNSET;
/* Compute master secret if needed */
ret = ssl_compute_master( ssl->handshake,
ssl->session_negotiate->master,
@@ -1925,7 +1927,19 @@
mbedtls_ssl_get_minor_ver( ssl ),
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
ssl );
- if( ret != 0 )
+ if( ret == 0 )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->key_derivation_done = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ else
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
+ }
+ else
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret );
return( ret );
@@ -1958,11 +1972,10 @@
int mbedtls_ssl_build_pms( mbedtls_ssl_context *ssl )
{
- int ret;
+ volatile int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
-
#if defined(MBEDTLS_USE_TINYCRYPT)
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
@@ -1973,16 +1986,14 @@
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
{
- const struct uECC_Curve_t * uecc_curve = uECC_secp256r1();
- ((void) ret);
-
- if( !uECC_shared_secret( ssl->handshake->ecdh_peerkey,
- ssl->handshake->ecdh_privkey,
- ssl->handshake->premaster,
- uecc_curve ) )
- {
+ ret = uECC_shared_secret( ssl->handshake->ecdh_peerkey,
+ ssl->handshake->ecdh_privkey,
+ ssl->handshake->premaster );
+ if( ret == UECC_FAULT_DETECTED )
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ if( ret != UECC_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
- }
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
ssl->handshake->pmslen = NUM_ECC_BYTES;
}
@@ -1992,12 +2003,26 @@
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
== MBEDTLS_KEY_EXCHANGE_DHE_RSA )
{
- if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+ ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
MBEDTLS_PREMASTER_SIZE,
&ssl->handshake->pmslen,
mbedtls_ssl_conf_get_frng( ssl->conf ),
- mbedtls_ssl_conf_get_prng( ssl->conf ) ) ) != 0 )
+ mbedtls_ssl_conf_get_prng( ssl->conf ) );
+ if( ret == 0 )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+ return( ret );
+ }
+ }
+ else
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
return( ret );
@@ -2021,12 +2046,26 @@
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
{
- if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
+ ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
MBEDTLS_MPI_MAX_SIZE,
mbedtls_ssl_conf_get_frng( ssl->conf ),
- mbedtls_ssl_conf_get_prng( ssl->conf ) ) ) != 0 )
+ mbedtls_ssl_conf_get_prng( ssl->conf ) );
+ if( ret == 0 )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
+ }
+ else
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
return( ret );
@@ -2042,8 +2081,22 @@
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
{
- if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
- mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
+ ret = mbedtls_ssl_psk_derive_premaster( ssl,
+ mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) );
+ if( ret == 0 )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
+ }
+ else
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
return( ret );
@@ -2059,7 +2112,20 @@
ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
mbedtls_ssl_conf_get_frng( ssl->conf ),
mbedtls_ssl_conf_get_prng( ssl->conf ) );
- if( ret != 0 )
+ if( ret == 0 )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
+ }
+ else
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
return( ret );
@@ -2170,16 +2236,13 @@
size_t zlen;
#if defined(MBEDTLS_USE_TINYCRYPT)
- const struct uECC_Curve_t * uecc_curve = uECC_secp256r1();
- ((void) ret);
-
- if( !uECC_shared_secret( ssl->handshake->ecdh_peerkey,
- ssl->handshake->ecdh_privkey,
- p + 2,
- uecc_curve ) )
- {
+ ret = uECC_shared_secret( ssl->handshake->ecdh_peerkey,
+ ssl->handshake->ecdh_privkey,
+ p + 2 );
+ if( ret == UECC_FAULT_DETECTED )
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ if( ret != UECC_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
- }
zlen = NUM_ECC_BYTES;
#else /* MBEDTLS_USE_TINYCRYPT */
@@ -2220,6 +2283,8 @@
ssl->handshake->pmslen = p - ssl->handshake->premaster;
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
@@ -4496,6 +4561,7 @@
{
unsigned i;
size_t protected_record_size;
+ volatile int encrypted_fi = 0;
/* Skip writing the record content type to after the encryption,
* as it may change when using the CID extension. */
@@ -4550,6 +4616,13 @@
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
ssl->out_msglen = len = rec.data_len;
(void)mbedtls_platform_put_uint16_be( ssl->out_len, rec.data_len );
+ encrypted_fi = 1;
+ }
+
+ /* Double check to ensure the encryption has been done */
+ if( ssl->transform_out != NULL && encrypted_fi == 0 )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
@@ -6746,7 +6819,18 @@
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
- ssl->state++;
+ if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_CLIENT_KEY_EXCHANGE;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_KEY_EXCHANGE;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
return( 0 );
}
@@ -6764,7 +6848,18 @@
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
- ssl->state++;
+ if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_CLIENT_KEY_EXCHANGE;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_KEY_EXCHANGE;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
return( 0 );
}
@@ -6788,7 +6883,18 @@
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
- ssl->state++;
+ if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_CLIENT_KEY_EXCHANGE;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_KEY_EXCHANGE;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
return( 0 );
}
@@ -6799,7 +6905,18 @@
if( ssl->client_auth == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
- ssl->state++;
+ if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_CLIENT_KEY_EXCHANGE;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_KEY_EXCHANGE;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
return( 0 );
}
@@ -6873,7 +6990,18 @@
write_msg:
#endif
- ssl->state++;
+ if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_CLIENT_KEY_EXCHANGE;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_KEY_EXCHANGE;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
{
@@ -7135,7 +7263,7 @@
* indicating whether a Certificate message is expected or not.
*/
#define SSL_CERTIFICATE_EXPECTED 0
-#define SSL_CERTIFICATE_SKIP 1
+#define SSL_CERTIFICATE_SKIP 0xff
static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
int authmode )
{
@@ -7169,19 +7297,24 @@
}
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
- int authmode,
+ volatile int authmode,
mbedtls_x509_crt *chain,
void *rs_ctx )
{
- int verify_ret;
+ volatile int verify_ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+ volatile int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ volatile int flow_counter = 0;
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
+ {
return( 0 );
+ }
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL )
{
@@ -7211,9 +7344,22 @@
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
rs_ctx );
+ if( verify_ret == 0 )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( verify_ret == 0 )
+ {
+ flow_counter++;
+ }
+ else
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
+ }
if( verify_ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", verify_ret );
+ flow_counter++;
}
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
@@ -7227,7 +7373,6 @@
#if defined(MBEDTLS_ECP_C) || defined(MBEDTLS_USE_TINYCRYPT)
{
- int ret;
#if defined(MBEDTLS_USE_TINYCRYPT)
ret = mbedtls_ssl_check_curve_uecc( ssl, MBEDTLS_UECC_DP_SECP256R1 );
#else /* MBEDTLS_USE_TINYCRYPT */
@@ -7255,16 +7400,27 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
if( verify_ret == 0 )
verify_ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+ flow_counter++;
+ }
+ if( ret == 0 )
+ {
+ flow_counter++;
}
}
#endif /* MBEDTLS_ECP_C || MEDTLS_USE_TINYCRYPT */
- if( mbedtls_ssl_check_cert_usage( chain,
+ ret = mbedtls_ssl_check_cert_usage( chain,
ciphersuite_info,
( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT ),
- &ssl->session_negotiate->verify_result ) != 0 )
+ &ssl->session_negotiate->verify_result );
+ if( ret == 0 )
{
+ flow_counter++;
+ }
+ else
+ {
+ flow_counter++;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
if( verify_ret == 0 )
verify_ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
@@ -7280,13 +7436,31 @@
( verify_ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
verify_ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
{
- verify_ret = 0;
+ mbedtls_platform_enforce_volatile_reads();
+ if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
+ ( verify_ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+ verify_ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
+ {
+ verify_ret = 0;
+ flow_counter++;
+ }
+ else
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
+ } else {
+ flow_counter++;
}
if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
verify_ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
+ flow_counter++;
+ }
+ else
+ {
+ flow_counter++;
}
if( verify_ret != 0 )
@@ -7321,6 +7495,32 @@
mbedtls_ssl_pend_fatal_alert( ssl, alert );
}
+ if( verify_ret == 0 &&
+#if defined(MBEDTLS_ECP_C) || defined(MBEDTLS_USE_TINYCRYPT)
+ flow_counter == 5 )
+#else
+ flow_counter == 4 )
+#endif
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( verify_ret == 0 &&
+#if defined(MBEDTLS_ECP_C) || defined(MBEDTLS_USE_TINYCRYPT)
+ flow_counter == 5 )
+#else
+ flow_counter == 4 )
+#endif
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PEER AUTHENTICATED" ) );
+ ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ else
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PEER NOT AUTHENTICATED, %d", flow_counter));
+ }
+
#if defined(MBEDTLS_DEBUG_C)
if( ssl->session_negotiate->verify_result != 0 )
{
@@ -7529,7 +7729,20 @@
exit:
if( ret == 0 )
- ssl->state++;
+ {
+ if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_CLIENT_KEY_EXCHANGE;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_CERTIFICATE )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_KEY_EXCHANGE;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
+ }
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
@@ -7559,7 +7772,18 @@
ssl->out_msglen = 1;
ssl->out_msg[0] = 1;
- ssl->state++;
+ if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC )
+ {
+ ssl->state = MBEDTLS_SSL_CLIENT_FINISHED;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_FINISHED;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
{
@@ -7642,7 +7866,18 @@
}
#endif
- ssl->state++;
+ if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC )
+ {
+ ssl->state = MBEDTLS_SSL_CLIENT_FINISHED;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_FINISHED;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
@@ -7691,8 +7926,21 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
}
-void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
+int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
{
+ volatile int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ volatile const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+ ? ssl->handshake->sni_authmode
+ : mbedtls_ssl_conf_get_authmode( ssl->conf );
+#else
+ volatile const int authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ volatile int crt_expected = SSL_CERTIFICATE_EXPECTED;
+ crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
+#endif
MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
@@ -7726,13 +7974,102 @@
*/
if( ssl->conf->f_set_cache != NULL &&
ssl->session->id_len != 0 &&
- ssl->handshake->resume == 0 )
+ ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_UNSET )
{
if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
}
#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_NO_SESSION_CACHE */
+ if( authmode == MBEDTLS_SSL_VERIFY_NONE ||
+ authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ||
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ crt_expected == SSL_CERTIFICATE_SKIP )
+#else
+ 1 )
+#endif
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( authmode == MBEDTLS_SSL_VERIFY_NONE ||
+ authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ||
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ crt_expected == SSL_CERTIFICATE_SKIP )
+#else
+ 1 )
+#endif
+ {
+ ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ else
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto cleanup;
+ }
+ }
+
+#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
+ if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
+ {
+ /* When doing session resume, no premaster or peer authentication */
+ ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ else
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto cleanup;
+ }
+ }
+#endif
+
+ if( ssl->handshake->peer_authenticated == MBEDTLS_SSL_FI_FLAG_SET )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ssl->handshake->peer_authenticated == MBEDTLS_SSL_FI_FLAG_SET )
+ {
+ ret = 0;
+ }
+ else
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto cleanup;
+ }
+ }
+ else
+ {
+ ret = MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+ if( ssl->handshake->hello_random_set == MBEDTLS_SSL_FI_FLAG_SET &&
+ ssl->handshake->key_derivation_done == MBEDTLS_SSL_FI_FLAG_SET &&
+ ssl->handshake->premaster_generated == MBEDTLS_SSL_FI_FLAG_SET )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ssl->handshake->hello_random_set == MBEDTLS_SSL_FI_FLAG_SET &&
+ ssl->handshake->key_derivation_done == MBEDTLS_SSL_FI_FLAG_SET &&
+ ssl->handshake->premaster_generated == MBEDTLS_SSL_FI_FLAG_SET )
+ {
+ ret = 0;
+ }
+ else
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto cleanup;
+ }
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "hello random %d", ssl->handshake->hello_random_set ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "key_derivation_done %d", ssl->handshake->key_derivation_done ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "premaster_generated %d", ssl->handshake->premaster_generated ) );
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+cleanup:
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->handshake->flight != NULL )
@@ -7748,9 +8085,10 @@
#endif
ssl_handshake_wrapup_free_hs_transform( ssl );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
+ return ret;
}
int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
@@ -7791,7 +8129,7 @@
* In case of session resuming, invert the client and server
* ChangeCipherSpec messages order.
*/
- if( ssl->handshake->resume != 0 )
+ if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
#if defined(MBEDTLS_SSL_CLI_C)
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
@@ -7810,7 +8148,20 @@
}
else
#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
- ssl->state++;
+ {
+ if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
+ {
+ ssl->state = MBEDTLS_SSL_FLUSH_BUFFERS;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
+ }
/*
* Switch to our negotiated transform and session parameters for outbound
@@ -7957,7 +8308,7 @@
#endif
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
- if( ssl->handshake->resume != 0 )
+ if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
#if defined(MBEDTLS_SSL_CLI_C)
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
@@ -7970,7 +8321,20 @@
}
else
#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
- ssl->state++;
+ {
+ if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED )
+ {
+ ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+ }
+ else if( ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
+ {
+ ssl->state = MBEDTLS_SSL_FLUSH_BUFFERS;
+ }
+ else
+ {
+ ssl->state = MBEDTLS_SSL_INVALID;
+ }
+ }
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
@@ -8673,7 +9037,7 @@
session ) ) != 0 )
return( ret );
- ssl->handshake->resume = 1;
+ ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_SET;
return( 0 );
}
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 2fd48c2..61bf95c 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -35,9 +35,8 @@
int ret;
ret = uECC_make_key( mbedtls_pk_uecc( *pk )->public_key,
- mbedtls_pk_uecc( *pk )->private_key,
- uECC_secp256r1() );
- if( ret == 0 )
+ mbedtls_pk_uecc( *pk )->private_key );
+ if( ret != UECC_SUCCESS )
return( -1 );
return( 0 );
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index a4d9466..54fa7af 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -93,8 +93,7 @@
TEST_ASSERT( mbedtls_ecp_check_pubkey( &eckey->grp, &eckey->Q ) == 0 );
#else
uecckey = mbedtls_pk_uecc( ctx );
- TEST_ASSERT( uECC_valid_public_key( uecckey->public_key,
- uECC_secp256r1() ) == 0 );
+ TEST_ASSERT( uECC_valid_public_key( uecckey->public_key ) == 0 );
#endif /* MBEDTLS_USE_TINYCRYPT */
}
@@ -136,11 +135,9 @@
TEST_ASSERT( mbedtls_ecp_check_privkey( &eckey->grp, &eckey->d ) == 0 );
#else
uecckey = mbedtls_pk_uecc( ctx );
- TEST_ASSERT( uECC_valid_public_key( uecckey->public_key,
- uECC_secp256r1() ) == 0 );
+ TEST_ASSERT( uECC_valid_public_key( uecckey->public_key ) == 0 );
TEST_ASSERT( uECC_compute_public_key( uecckey->private_key,
- tmp_pubkey,
- uECC_secp256r1() ) != 0 );
+ tmp_pubkey ) == UECC_SUCCESS );
TEST_ASSERT( memcmp( tmp_pubkey, uecckey->public_key,
sizeof( tmp_pubkey ) ) == 0 );
#endif /* MBEDTLS_USE_TINYCRYPT */
diff --git a/tests/suites/test_suite_tinycrypt.function b/tests/suites/test_suite_tinycrypt.function
index 664cd08..3247e05 100644
--- a/tests/suites/test_suite_tinycrypt.function
+++ b/tests/suites/test_suite_tinycrypt.function
@@ -21,17 +21,15 @@
uint8_t secret1[NUM_ECC_BYTES] = {0};
uint8_t secret2[NUM_ECC_BYTES] = {0};
- const struct uECC_Curve_t * curve = uECC_secp256r1();
-
uECC_set_rng( &uecc_rng_wrapper );
- TEST_ASSERT( uECC_make_key( public1, private1, curve ) != 0 );
+ TEST_ASSERT( uECC_make_key( public1, private1 ) == UECC_SUCCESS );
- TEST_ASSERT( uECC_make_key( public2, private2, curve ) != 0 );
+ TEST_ASSERT( uECC_make_key( public2, private2 ) == UECC_SUCCESS );
- TEST_ASSERT( uECC_shared_secret( public2, private1, secret1, curve ) != 0 );
+ TEST_ASSERT( uECC_shared_secret( public2, private1, secret1 ) == UECC_SUCCESS );
- TEST_ASSERT( uECC_shared_secret( public1, private2, secret2, curve ) != 0 );
+ TEST_ASSERT( uECC_shared_secret( public1, private2, secret2 ) == UECC_SUCCESS );
TEST_ASSERT( memcmp( secret1, secret2, sizeof( secret1 ) ) == 0 );
}
@@ -45,17 +43,15 @@
uint8_t hash[NUM_ECC_BYTES] = {0};
uint8_t sig[2*NUM_ECC_BYTES] = {0};
- const struct uECC_Curve_t * curve = uECC_secp256r1();
-
uECC_set_rng( &uecc_rng_wrapper );
TEST_ASSERT( rnd_std_rand( NULL, hash, NUM_ECC_BYTES ) == 0 );
- TEST_ASSERT( uECC_make_key( public, private, curve ) != 0 );
+ TEST_ASSERT( uECC_make_key( public, private ) == UECC_SUCCESS );
- TEST_ASSERT( uECC_sign( private, hash, sizeof( hash ), sig, curve ) != 0 );
+ TEST_ASSERT( uECC_sign( private, hash, sizeof( hash ), sig ) == UECC_SUCCESS );
- TEST_ASSERT( uECC_verify( public, hash, sizeof( hash ), sig, curve ) == UECC_SUCCESS );
+ TEST_ASSERT( uECC_verify( public, hash, sizeof( hash ), sig ) == UECC_SUCCESS );
}
/* END_CASE */
@@ -64,7 +60,6 @@
data_t * yA_str, data_t * private2,
data_t * xB_str, data_t * yB_str, data_t * z_str )
{
- const struct uECC_Curve_t * curve = uECC_secp256r1();
uint8_t public1[2*NUM_ECC_BYTES] = {0};
uint8_t public2[2*NUM_ECC_BYTES] = {0};
uint8_t secret1[NUM_ECC_BYTES] = {0};
@@ -76,9 +71,9 @@
memcpy( public2 + NUM_ECC_BYTES, yB_str->x, yB_str->len );
// Compute shared secrets and compare to test vector secret
- TEST_ASSERT( uECC_shared_secret( public2, private1->x, secret1, curve ) != 0 );
+ TEST_ASSERT( uECC_shared_secret( public2, private1->x, secret1 ) == UECC_SUCCESS );
- TEST_ASSERT( uECC_shared_secret( public1, private2->x, secret2, curve ) != 0 );
+ TEST_ASSERT( uECC_shared_secret( public1, private2->x, secret2 ) == UECC_SUCCESS );
TEST_ASSERT( memcmp( secret1, secret2, sizeof( secret1 ) ) == 0 );
TEST_ASSERT( memcmp( secret1, z_str->x, sizeof( secret1 ) ) == 0 );
@@ -90,7 +85,6 @@
void ecdsa_primitive_testvec( data_t * xQ_str, data_t * yQ_str,
data_t * hash, data_t * r_str, data_t * s_str )
{
- const struct uECC_Curve_t * curve = uECC_secp256r1();
uint8_t pub_bytes[2*NUM_ECC_BYTES] = {0};
uint8_t sig_bytes[2*NUM_ECC_BYTES] = {0};
@@ -100,7 +94,7 @@
memcpy( sig_bytes + NUM_ECC_BYTES, s_str->x, r_str->len );
TEST_ASSERT( uECC_verify( pub_bytes, hash->x, hash->len,
- sig_bytes, curve ) == UECC_SUCCESS );
+ sig_bytes ) == UECC_SUCCESS );
// Alter the signature and check the verification fails
for( int i = 0; i < 2*NUM_ECC_BYTES; i++ )
@@ -108,7 +102,7 @@
uint8_t temp = sig_bytes[i];
sig_bytes[i] = ( sig_bytes[i] + 1 ) % 256;
TEST_ASSERT( uECC_verify( pub_bytes, hash->x, hash->len,
- sig_bytes, curve ) == UECC_FAILURE );
+ sig_bytes ) == UECC_FAILURE );
sig_bytes[i] = temp;
}
diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index 38b11d9..a0333b0 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -65,8 +65,115 @@
#include <tinycrypt/ecc.h>
#include "mbedtls/platform_util.h"
+#include "mbedtls/sha256.h"
#include <string.h>
+/* Parameters for curve NIST P-256 aka secp256r1 */
+const uECC_word_t curve_p[NUM_ECC_WORDS] = {
+ BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF),
+ BYTES_TO_WORDS_8(FF, FF, FF, FF, 00, 00, 00, 00),
+ BYTES_TO_WORDS_8(00, 00, 00, 00, 00, 00, 00, 00),
+ BYTES_TO_WORDS_8(01, 00, 00, 00, FF, FF, FF, FF)
+};
+const uECC_word_t curve_n[NUM_ECC_WORDS] = {
+ BYTES_TO_WORDS_8(51, 25, 63, FC, C2, CA, B9, F3),
+ BYTES_TO_WORDS_8(84, 9E, 17, A7, AD, FA, E6, BC),
+ BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF),
+ BYTES_TO_WORDS_8(00, 00, 00, 00, FF, FF, FF, FF)
+};
+const uECC_word_t curve_G[2 * NUM_ECC_WORDS] = {
+ BYTES_TO_WORDS_8(96, C2, 98, D8, 45, 39, A1, F4),
+ BYTES_TO_WORDS_8(A0, 33, EB, 2D, 81, 7D, 03, 77),
+ BYTES_TO_WORDS_8(F2, 40, A4, 63, E5, E6, BC, F8),
+ BYTES_TO_WORDS_8(47, 42, 2C, E1, F2, D1, 17, 6B),
+ BYTES_TO_WORDS_8(F5, 51, BF, 37, 68, 40, B6, CB),
+ BYTES_TO_WORDS_8(CE, 5E, 31, 6B, 57, 33, CE, 2B),
+ BYTES_TO_WORDS_8(16, 9E, 0F, 7C, 4A, EB, E7, 8E),
+ BYTES_TO_WORDS_8(9B, 7F, 1A, FE, E2, 42, E3, 4F)
+};
+const uECC_word_t curve_b[NUM_ECC_WORDS] = {
+ BYTES_TO_WORDS_8(4B, 60, D2, 27, 3E, 3C, CE, 3B),
+ BYTES_TO_WORDS_8(F6, B0, 53, CC, B0, 06, 1D, 65),
+ BYTES_TO_WORDS_8(BC, 86, 98, 76, 55, BD, EB, B3),
+ BYTES_TO_WORDS_8(E7, 93, 3A, AA, D8, 35, C6, 5A)
+};
+
+static int uECC_update_param_sha256(mbedtls_sha256_context *ctx,
+ const uECC_word_t val[NUM_ECC_WORDS])
+{
+ uint8_t bytes[NUM_ECC_BYTES];
+
+ uECC_vli_nativeToBytes(bytes, NUM_ECC_BYTES, val);
+ return mbedtls_sha256_update_ret(ctx, bytes, NUM_ECC_BYTES);
+}
+
+static int uECC_compute_param_sha256(unsigned char output[32])
+{
+ int ret = UECC_FAILURE;
+ mbedtls_sha256_context ctx;
+
+ mbedtls_sha256_init( &ctx );
+
+ if (mbedtls_sha256_starts_ret(&ctx, 0) != 0) {
+ goto exit;
+ }
+
+ if (uECC_update_param_sha256(&ctx, curve_p) != 0 ||
+ uECC_update_param_sha256(&ctx, curve_n) != 0 ||
+ uECC_update_param_sha256(&ctx, curve_G) != 0 ||
+ uECC_update_param_sha256(&ctx, curve_G + NUM_ECC_WORDS) != 0 ||
+ uECC_update_param_sha256(&ctx, curve_b) != 0)
+ {
+ goto exit;
+ }
+
+ if (mbedtls_sha256_finish_ret(&ctx, output) != 0) {
+ goto exit;
+ }
+
+ ret = UECC_SUCCESS;
+
+exit:
+ mbedtls_sha256_free( &ctx );
+
+ return ret;
+}
+
+/*
+ * Check integrity of curve parameters.
+ * Return 0 if everything's OK, non-zero otherwise.
+ */
+static int uECC_check_curve_integrity(void)
+{
+ unsigned char computed[32];
+ static const unsigned char reference[32] = {
+ 0x2d, 0xa1, 0xa4, 0x64, 0x45, 0x28, 0x0d, 0xe1,
+ 0x93, 0xf9, 0x29, 0x2f, 0xac, 0x3e, 0xe2, 0x92,
+ 0x76, 0x0a, 0xe2, 0xbc, 0xce, 0x2a, 0xa2, 0xc6,
+ 0x38, 0xf2, 0x19, 0x1d, 0x76, 0x72, 0x93, 0x49,
+ };
+ unsigned char diff = 0;
+ unsigned char tmp1, tmp2;
+ volatile unsigned i;
+
+ if (uECC_compute_param_sha256(computed) != UECC_SUCCESS) {
+ return UECC_FAILURE;
+ }
+
+ for (i = 0; i < 32; i++) {
+ /* make sure the order of volatile accesses is well-defined */
+ tmp1 = computed[i];
+ tmp2 = reference[i];
+ diff |= tmp1 ^ tmp2;
+ }
+
+ /* i should be 32 */
+ mbedtls_platform_enforce_volatile_reads();
+ diff |= (unsigned char) i ^ 32;
+
+ return diff;
+}
+
/* IMPORTANT: Make sure a cryptographically-secure PRNG is set and the platform
* has access to enough entropy in order to feed the PRNG regularly. */
#if default_RNG_defined
@@ -85,14 +192,14 @@
return g_rng_function;
}
-int uECC_curve_private_key_size(uECC_Curve curve)
+int uECC_curve_private_key_size(void)
{
- return BITS_TO_BYTES(curve->num_n_bits);
+ return BITS_TO_BYTES(NUM_ECC_BITS);
}
-int uECC_curve_public_key_size(uECC_Curve curve)
+int uECC_curve_public_key_size(void)
{
- return 2 * curve->num_bytes;
+ return 2 * NUM_ECC_BYTES;
}
void uECC_vli_clear(uECC_word_t *vli)
@@ -179,11 +286,19 @@
{
uECC_word_t diff = 0;
- wordcount_t i;
+ uECC_word_t tmp1, tmp2;
+ volatile int i;
for (i = NUM_ECC_WORDS - 1; i >= 0; --i) {
- diff |= (left[i] ^ right[i]);
+ tmp1 = left[i];
+ tmp2 = right[i];
+ diff |= (tmp1 ^ tmp2);
}
+
+ /* i should be -1 now */
+ mbedtls_platform_enforce_volatile_reads();
+ diff |= i ^ -1;
+
return diff;
}
@@ -575,12 +690,12 @@
/* ------ Point operations ------ */
void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1,
- uECC_word_t * Z1, uECC_Curve curve)
+ uECC_word_t * Z1)
{
/* t1 = X, t2 = Y, t3 = Z */
uECC_word_t t4[NUM_ECC_WORDS];
uECC_word_t t5[NUM_ECC_WORDS];
- wordcount_t num_words = curve->num_words;
+ wordcount_t num_words = NUM_ECC_WORDS;
if (uECC_vli_isZero(Z1)) {
return;
@@ -592,15 +707,15 @@
uECC_vli_modMult_fast(Y1, Y1, Z1); /* t2 = y1*z1 = z3 */
uECC_vli_modMult_fast(Z1, Z1, Z1); /* t3 = z1^2 */
- uECC_vli_modAdd(X1, X1, Z1, curve->p); /* t1 = x1 + z1^2 */
- uECC_vli_modAdd(Z1, Z1, Z1, curve->p); /* t3 = 2*z1^2 */
- uECC_vli_modSub(Z1, X1, Z1, curve->p); /* t3 = x1 - z1^2 */
+ uECC_vli_modAdd(X1, X1, Z1, curve_p); /* t1 = x1 + z1^2 */
+ uECC_vli_modAdd(Z1, Z1, Z1, curve_p); /* t3 = 2*z1^2 */
+ uECC_vli_modSub(Z1, X1, Z1, curve_p); /* t3 = x1 - z1^2 */
uECC_vli_modMult_fast(X1, X1, Z1); /* t1 = x1^2 - z1^4 */
- uECC_vli_modAdd(Z1, X1, X1, curve->p); /* t3 = 2*(x1^2 - z1^4) */
- uECC_vli_modAdd(X1, X1, Z1, curve->p); /* t1 = 3*(x1^2 - z1^4) */
+ uECC_vli_modAdd(Z1, X1, X1, curve_p); /* t3 = 2*(x1^2 - z1^4) */
+ uECC_vli_modAdd(X1, X1, Z1, curve_p); /* t1 = 3*(x1^2 - z1^4) */
if (uECC_vli_testBit(X1, 0)) {
- uECC_word_t l_carry = uECC_vli_add(X1, X1, curve->p);
+ uECC_word_t l_carry = uECC_vli_add(X1, X1, curve_p);
uECC_vli_rshift1(X1);
X1[num_words - 1] |= l_carry << (uECC_WORD_BITS - 1);
} else {
@@ -609,34 +724,34 @@
/* t1 = 3/2*(x1^2 - z1^4) = B */
uECC_vli_modMult_fast(Z1, X1, X1); /* t3 = B^2 */
- uECC_vli_modSub(Z1, Z1, t5, curve->p); /* t3 = B^2 - A */
- uECC_vli_modSub(Z1, Z1, t5, curve->p); /* t3 = B^2 - 2A = x3 */
- uECC_vli_modSub(t5, t5, Z1, curve->p); /* t5 = A - x3 */
+ uECC_vli_modSub(Z1, Z1, t5, curve_p); /* t3 = B^2 - A */
+ uECC_vli_modSub(Z1, Z1, t5, curve_p); /* t3 = B^2 - 2A = x3 */
+ uECC_vli_modSub(t5, t5, Z1, curve_p); /* t5 = A - x3 */
uECC_vli_modMult_fast(X1, X1, t5); /* t1 = B * (A - x3) */
/* t4 = B * (A - x3) - y1^4 = y3: */
- uECC_vli_modSub(t4, X1, t4, curve->p);
+ uECC_vli_modSub(t4, X1, t4, curve_p);
uECC_vli_set(X1, Z1);
uECC_vli_set(Z1, Y1);
uECC_vli_set(Y1, t4);
}
-void x_side_default(uECC_word_t *result,
- const uECC_word_t *x,
- uECC_Curve curve)
+/*
+ * @brief Computes x^3 + ax + b. result must not overlap x.
+ * @param result OUT -- x^3 + ax + b
+ * @param x IN -- value of x
+ * @param curve IN -- elliptic curve
+ */
+static void x_side_default(uECC_word_t *result,
+ const uECC_word_t *x)
{
uECC_word_t _3[NUM_ECC_WORDS] = {3}; /* -a = 3 */
uECC_vli_modMult_fast(result, x, x); /* r = x^2 */
- uECC_vli_modSub(result, result, _3, curve->p); /* r = x^2 - 3 */
+ uECC_vli_modSub(result, result, _3, curve_p); /* r = x^2 - 3 */
uECC_vli_modMult_fast(result, result, x); /* r = x^3 - 3x */
/* r = x^3 - 3x + b: */
- uECC_vli_modAdd(result, result, curve->b, curve->p);
-}
-
-uECC_Curve uECC_secp256r1(void)
-{
- return &curve_secp256r1;
+ uECC_vli_modAdd(result, result, curve_b, curve_p);
}
void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int*product)
@@ -729,20 +844,19 @@
if (carry < 0) {
do {
- carry += uECC_vli_add(result, result, curve_secp256r1.p);
+ carry += uECC_vli_add(result, result, curve_p);
}
while (carry < 0);
} else {
while (carry ||
- uECC_vli_cmp_unsafe(curve_secp256r1.p, result) != 1) {
- carry -= uECC_vli_sub(result, result, curve_secp256r1.p);
+ uECC_vli_cmp_unsafe(curve_p, result) != 1) {
+ carry -= uECC_vli_sub(result, result, curve_p);
}
}
}
-uECC_word_t EccPoint_isZero(const uECC_word_t *point, uECC_Curve curve)
+uECC_word_t EccPoint_isZero(const uECC_word_t *point)
{
- (void) curve;
return uECC_vli_isZero(point);
}
@@ -759,8 +873,7 @@
/* P = (x1, y1) => 2P, (x2, y2) => P' */
static void XYcZ_initial_double(uECC_word_t * X1, uECC_word_t * Y1,
uECC_word_t * X2, uECC_word_t * Y2,
- const uECC_word_t * const initial_Z,
- uECC_Curve curve)
+ const uECC_word_t * const initial_Z)
{
uECC_word_t z[NUM_ECC_WORDS];
if (initial_Z) {
@@ -774,7 +887,7 @@
uECC_vli_set(Y2, Y1);
apply_z(X1, Y1, z);
- curve->double_jacobian(X1, Y1, z, curve);
+ double_jacobian_default(X1, Y1, z);
apply_z(X2, Y2, z);
}
@@ -784,31 +897,28 @@
{
/* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */
uECC_word_t t5[NUM_ECC_WORDS];
- const uECC_Curve curve = &curve_secp256r1;
- uECC_vli_modSub(t5, X2, X1, curve->p); /* t5 = x2 - x1 */
+ uECC_vli_modSub(t5, X2, X1, curve_p); /* t5 = x2 - x1 */
uECC_vli_modMult_rnd(t5, t5, t5, s); /* t5 = (x2 - x1)^2 = A */
uECC_vli_modMult_rnd(X1, X1, t5, s); /* t1 = x1*A = B */
uECC_vli_modMult_rnd(X2, X2, t5, s); /* t3 = x2*A = C */
- uECC_vli_modSub(Y2, Y2, Y1, curve->p); /* t4 = y2 - y1 */
+ uECC_vli_modSub(Y2, Y2, Y1, curve_p); /* t4 = y2 - y1 */
uECC_vli_modMult_rnd(t5, Y2, Y2, s); /* t5 = (y2 - y1)^2 = D */
- uECC_vli_modSub(t5, t5, X1, curve->p); /* t5 = D - B */
- uECC_vli_modSub(t5, t5, X2, curve->p); /* t5 = D - B - C = x3 */
- uECC_vli_modSub(X2, X2, X1, curve->p); /* t3 = C - B */
+ uECC_vli_modSub(t5, t5, X1, curve_p); /* t5 = D - B */
+ uECC_vli_modSub(t5, t5, X2, curve_p); /* t5 = D - B - C = x3 */
+ uECC_vli_modSub(X2, X2, X1, curve_p); /* t3 = C - B */
uECC_vli_modMult_rnd(Y1, Y1, X2, s); /* t2 = y1*(C - B) */
- uECC_vli_modSub(X2, X1, t5, curve->p); /* t3 = B - x3 */
+ uECC_vli_modSub(X2, X1, t5, curve_p); /* t3 = B - x3 */
uECC_vli_modMult_rnd(Y2, Y2, X2, s); /* t4 = (y2 - y1)*(B - x3) */
- uECC_vli_modSub(Y2, Y2, Y1, curve->p); /* t4 = y3 */
+ uECC_vli_modSub(Y2, Y2, Y1, curve_p); /* t4 = y3 */
uECC_vli_set(X2, t5);
}
void XYcZ_add(uECC_word_t * X1, uECC_word_t * Y1,
- uECC_word_t * X2, uECC_word_t * Y2,
- uECC_Curve curve)
+ uECC_word_t * X2, uECC_word_t * Y2)
{
- (void) curve;
XYcZ_add_rnd(X1, Y1, X2, Y2, NULL);
}
@@ -824,32 +934,31 @@
uECC_word_t t5[NUM_ECC_WORDS];
uECC_word_t t6[NUM_ECC_WORDS];
uECC_word_t t7[NUM_ECC_WORDS];
- const uECC_Curve curve = &curve_secp256r1;
- uECC_vli_modSub(t5, X2, X1, curve->p); /* t5 = x2 - x1 */
+ uECC_vli_modSub(t5, X2, X1, curve_p); /* t5 = x2 - x1 */
uECC_vli_modMult_rnd(t5, t5, t5, s); /* t5 = (x2 - x1)^2 = A */
uECC_vli_modMult_rnd(X1, X1, t5, s); /* t1 = x1*A = B */
uECC_vli_modMult_rnd(X2, X2, t5, s); /* t3 = x2*A = C */
- uECC_vli_modAdd(t5, Y2, Y1, curve->p); /* t5 = y2 + y1 */
- uECC_vli_modSub(Y2, Y2, Y1, curve->p); /* t4 = y2 - y1 */
+ uECC_vli_modAdd(t5, Y2, Y1, curve_p); /* t5 = y2 + y1 */
+ uECC_vli_modSub(Y2, Y2, Y1, curve_p); /* t4 = y2 - y1 */
- uECC_vli_modSub(t6, X2, X1, curve->p); /* t6 = C - B */
+ uECC_vli_modSub(t6, X2, X1, curve_p); /* t6 = C - B */
uECC_vli_modMult_rnd(Y1, Y1, t6, s); /* t2 = y1 * (C - B) = E */
- uECC_vli_modAdd(t6, X1, X2, curve->p); /* t6 = B + C */
+ uECC_vli_modAdd(t6, X1, X2, curve_p); /* t6 = B + C */
uECC_vli_modMult_rnd(X2, Y2, Y2, s); /* t3 = (y2 - y1)^2 = D */
- uECC_vli_modSub(X2, X2, t6, curve->p); /* t3 = D - (B + C) = x3 */
+ uECC_vli_modSub(X2, X2, t6, curve_p); /* t3 = D - (B + C) = x3 */
- uECC_vli_modSub(t7, X1, X2, curve->p); /* t7 = B - x3 */
+ uECC_vli_modSub(t7, X1, X2, curve_p); /* t7 = B - x3 */
uECC_vli_modMult_rnd(Y2, Y2, t7, s); /* t4 = (y2 - y1)*(B - x3) */
/* t4 = (y2 - y1)*(B - x3) - E = y3: */
- uECC_vli_modSub(Y2, Y2, Y1, curve->p);
+ uECC_vli_modSub(Y2, Y2, Y1, curve_p);
uECC_vli_modMult_rnd(t7, t5, t5, s); /* t7 = (y2 + y1)^2 = F */
- uECC_vli_modSub(t7, t7, t6, curve->p); /* t7 = F - (B + C) = x3' */
- uECC_vli_modSub(t6, t7, X1, curve->p); /* t6 = x3' - B */
+ uECC_vli_modSub(t7, t7, t6, curve_p); /* t7 = F - (B + C) = x3' */
+ uECC_vli_modSub(t6, t7, X1, curve_p); /* t6 = x3' - B */
uECC_vli_modMult_rnd(t6, t6, t5, s); /* t6 = (y2+y1)*(x3' - B) */
/* t2 = (y2+y1)*(x3' - B) - E = y3': */
- uECC_vli_modSub(Y1, t6, Y1, curve->p);
+ uECC_vli_modSub(Y1, t6, Y1, curve_p);
uECC_vli_set(X1, t7);
}
@@ -866,14 +975,13 @@
uECC_word_t nb;
const wordcount_t num_words = NUM_ECC_WORDS;
const bitcount_t num_bits = NUM_ECC_BITS + 1; /* from regularize_k */
- const uECC_Curve curve = uECC_secp256r1();
ecc_wait_state_t wait_state;
ecc_wait_state_t * const ws = g_rng_function ? &wait_state : NULL;
uECC_vli_set(Rx[1], point);
uECC_vli_set(Ry[1], point + num_words);
- XYcZ_initial_double(Rx[1], Ry[1], Rx[0], Ry[0], initial_Z, curve);
+ XYcZ_initial_double(Rx[1], Ry[1], Rx[0], Ry[0], initial_Z);
for (i = num_bits - 2; i > 0; --i) {
ecc_wait_state_reset(ws);
@@ -887,10 +995,10 @@
XYcZ_addC_rnd(Rx[1 - nb], Ry[1 - nb], Rx[nb], Ry[nb], ws);
/* Find final 1/Z value. */
- uECC_vli_modSub(z, Rx[1], Rx[0], curve->p); /* X1 - X0 */
+ uECC_vli_modSub(z, Rx[1], Rx[0], curve_p); /* X1 - X0 */
uECC_vli_modMult_fast(z, z, Ry[1 - nb]); /* Yb * (X1 - X0) */
uECC_vli_modMult_fast(z, z, point); /* xP * Yb * (X1 - X0) */
- uECC_vli_modInv(z, z, curve->p); /* 1 / (xP * Yb * (X1 - X0))*/
+ uECC_vli_modInv(z, z, curve_p); /* 1 / (xP * Yb * (X1 - X0))*/
/* yP / (xP * Yb * (X1 - X0)) */
uECC_vli_modMult_fast(z, z, point + num_words);
/* Xb * yP / (xP * Yb * (X1 - X0)) */
@@ -910,19 +1018,18 @@
wordcount_t num_n_words = NUM_ECC_WORDS;
bitcount_t num_n_bits = NUM_ECC_BITS;
- const uECC_Curve curve = uECC_secp256r1();
- uECC_word_t carry = uECC_vli_add(k0, k, curve->n) ||
+ uECC_word_t carry = uECC_vli_add(k0, k, curve_n) ||
(num_n_bits < ((bitcount_t)num_n_words * uECC_WORD_SIZE * 8) &&
uECC_vli_testBit(k0, num_n_bits));
- uECC_vli_add(k1, k0, curve->n);
+ uECC_vli_add(k1, k0, curve_n);
return carry;
}
int EccPoint_mult_safer(uECC_word_t * result, const uECC_word_t * point,
- const uECC_word_t * scalar, uECC_Curve curve)
+ const uECC_word_t * scalar)
{
uECC_word_t tmp[NUM_ECC_WORDS];
uECC_word_t s[NUM_ECC_WORDS];
@@ -930,10 +1037,32 @@
wordcount_t num_words = NUM_ECC_WORDS;
uECC_word_t carry;
uECC_word_t *initial_Z = 0;
- int r;
+ int r = UECC_FAULT_DETECTED;
+ volatile int problem;
- if (curve != uECC_secp256r1())
- return 0;
+ /* Protect against faults modifying curve paremeters in flash */
+ problem = -1;
+ problem = uECC_check_curve_integrity();
+ if (problem != 0) {
+ return UECC_FAULT_DETECTED;
+ }
+ mbedtls_platform_enforce_volatile_reads();
+ if (problem != 0) {
+ return UECC_FAULT_DETECTED;
+ }
+
+ /* Protects against invalid curve attacks */
+ problem = -1;
+ problem = uECC_valid_point(point);
+ if (problem != 0) {
+ /* invalid input, can happen without fault */
+ return UECC_FAILURE;
+ }
+ mbedtls_platform_enforce_volatile_reads();
+ if (problem != 0) {
+ /* failure on second check means fault, though */
+ return UECC_FAULT_DETECTED;
+ }
/* Regularize the bitcount for the private key so that attackers cannot use a
* side channel attack to learn the number of leading zeros. */
@@ -942,15 +1071,43 @@
/* If an RNG function was specified, get a random initial Z value to
* protect against side-channel attacks such as Template SPA */
if (g_rng_function) {
- if (!uECC_generate_random_int(k2[carry], curve->p, num_words)) {
- r = 0;
+ if (!uECC_generate_random_int(k2[carry], curve_p, num_words)) {
+ r = UECC_FAILURE;
goto clear_and_out;
}
initial_Z = k2[carry];
}
EccPoint_mult(result, point, k2[!carry], initial_Z);
- r = 1;
+
+ /* Protect against fault injections that would make the resulting
+ * point not lie on the intended curve */
+ problem = -1;
+ problem = uECC_valid_point(result);
+ if (problem != 0) {
+ r = UECC_FAULT_DETECTED;
+ goto clear_and_out;
+ }
+ mbedtls_platform_enforce_volatile_reads();
+ if (problem != 0) {
+ r = UECC_FAULT_DETECTED;
+ goto clear_and_out;
+ }
+
+ /* Protect against faults modifying curve paremeters in flash */
+ problem = -1;
+ problem = uECC_check_curve_integrity();
+ if (problem != 0) {
+ r = UECC_FAULT_DETECTED;
+ goto clear_and_out;
+ }
+ mbedtls_platform_enforce_volatile_reads();
+ if (problem != 0) {
+ r = UECC_FAULT_DETECTED;
+ goto clear_and_out;
+ }
+
+ r = UECC_SUCCESS;
clear_and_out:
/* erasing temporary buffer used to store secret: */
@@ -962,28 +1119,9 @@
}
uECC_word_t EccPoint_compute_public_key(uECC_word_t *result,
- uECC_word_t *private_key,
- uECC_Curve curve)
+ uECC_word_t *private_key)
{
-
- uECC_word_t tmp1[NUM_ECC_WORDS];
- uECC_word_t tmp2[NUM_ECC_WORDS];
- uECC_word_t *p2[2] = {tmp1, tmp2};
- uECC_word_t carry;
-
- if (curve != uECC_secp256r1())
- return 0;
-
- /* Regularize the bitcount for the private key so that attackers cannot
- * use a side channel attack to learn the number of leading zeros. */
- carry = regularize_k(private_key, tmp1, tmp2);
-
- EccPoint_mult(result, curve->G, p2[!carry], 0);
-
- if (EccPoint_isZero(result, curve)) {
- return 0;
- }
- return 1;
+ return EccPoint_mult_safer(result, curve_G, private_key);
}
/* Converts an integer in uECC native format to big-endian bytes. */
@@ -1036,81 +1174,87 @@
}
-int uECC_valid_point(const uECC_word_t *point, uECC_Curve curve)
+int uECC_valid_point(const uECC_word_t *point)
{
uECC_word_t tmp1[NUM_ECC_WORDS];
uECC_word_t tmp2[NUM_ECC_WORDS];
- wordcount_t num_words = curve->num_words;
+ wordcount_t num_words = NUM_ECC_WORDS;
+ volatile uECC_word_t diff = 0xffffffff;
/* The point at infinity is invalid. */
- if (EccPoint_isZero(point, curve)) {
+ if (EccPoint_isZero(point)) {
return -1;
}
/* x and y must be smaller than p. */
- if (uECC_vli_cmp_unsafe(curve->p, point) != 1 ||
- uECC_vli_cmp_unsafe(curve->p, point + num_words) != 1) {
+ if (uECC_vli_cmp_unsafe(curve_p, point) != 1 ||
+ uECC_vli_cmp_unsafe(curve_p, point + num_words) != 1) {
return -2;
}
uECC_vli_modMult_fast(tmp1, point + num_words, point + num_words);
- curve->x_side(tmp2, point, curve); /* tmp2 = x^3 + ax + b */
+ x_side_default(tmp2, point); /* tmp2 = x^3 + ax + b */
/* Make sure that y^2 == x^3 + ax + b */
- if (uECC_vli_equal(tmp1, tmp2) != 0)
- return -3;
+ diff = uECC_vli_equal(tmp1, tmp2);
+ if (diff == 0) {
+ mbedtls_platform_enforce_volatile_reads();
+ if (diff == 0) {
+ return 0;
+ }
+ }
- return 0;
+ return -3;
}
-int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve)
+int uECC_valid_public_key(const uint8_t *public_key)
{
uECC_word_t _public[NUM_ECC_WORDS * 2];
- uECC_vli_bytesToNative(_public, public_key, curve->num_bytes);
+ uECC_vli_bytesToNative(_public, public_key, NUM_ECC_BYTES);
uECC_vli_bytesToNative(
- _public + curve->num_words,
- public_key + curve->num_bytes,
- curve->num_bytes);
+ _public + NUM_ECC_WORDS,
+ public_key + NUM_ECC_BYTES,
+ NUM_ECC_BYTES);
- if (memcmp(_public, curve->G, NUM_ECC_WORDS * 2) == 0) {
+ if (memcmp(_public, curve_G, NUM_ECC_WORDS * 2) == 0) {
return -4;
}
- return uECC_valid_point(_public, curve);
+ return uECC_valid_point(_public);
}
-int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key,
- uECC_Curve curve)
+int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key)
{
-
+ int ret;
uECC_word_t _private[NUM_ECC_WORDS];
uECC_word_t _public[NUM_ECC_WORDS * 2];
uECC_vli_bytesToNative(
_private,
private_key,
- BITS_TO_BYTES(curve->num_n_bits));
+ BITS_TO_BYTES(NUM_ECC_BITS));
/* Make sure the private key is in the range [1, n-1]. */
if (uECC_vli_isZero(_private)) {
- return 0;
+ return UECC_FAILURE;
}
- if (uECC_vli_cmp(curve->n, _private) != 1) {
- return 0;
+ if (uECC_vli_cmp(curve_n, _private) != 1) {
+ return UECC_FAILURE;
}
/* Compute public key. */
- if (!EccPoint_compute_public_key(_public, _private, curve)) {
- return 0;
+ ret = EccPoint_compute_public_key(_public, _private);
+ if (ret != UECC_SUCCESS) {
+ return ret;
}
- uECC_vli_nativeToBytes(public_key, curve->num_bytes, _public);
+ uECC_vli_nativeToBytes(public_key, NUM_ECC_BYTES, _public);
uECC_vli_nativeToBytes(
public_key +
- curve->num_bytes, curve->num_bytes, _public + curve->num_words);
- return 1;
+ NUM_ECC_BYTES, NUM_ECC_BYTES, _public + NUM_ECC_WORDS);
+ return UECC_SUCCESS;
}
diff --git a/tinycrypt/ecc_dh.c b/tinycrypt/ecc_dh.c
index 3ab7b15..1b1ff3f 100644
--- a/tinycrypt/ecc_dh.c
+++ b/tinycrypt/ecc_dh.c
@@ -72,9 +72,9 @@
#include "mbedtls/platform_util.h"
int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key,
- unsigned int *d, uECC_Curve curve)
+ unsigned int *d)
{
-
+ int ret;
uECC_word_t _private[NUM_ECC_WORDS];
uECC_word_t _public[NUM_ECC_WORDS * 2];
@@ -84,30 +84,32 @@
mbedtls_platform_memcpy (_private, d, NUM_ECC_BYTES);
/* Computing public-key from private: */
- if (EccPoint_compute_public_key(_public, _private, curve)) {
-
- /* Converting buffers to correct bit order: */
- uECC_vli_nativeToBytes(private_key,
- BITS_TO_BYTES(curve->num_n_bits),
- _private);
- uECC_vli_nativeToBytes(public_key,
- curve->num_bytes,
- _public);
- uECC_vli_nativeToBytes(public_key + curve->num_bytes,
- curve->num_bytes,
- _public + curve->num_words);
-
- /* erasing temporary buffer used to store secret: */
- mbedtls_platform_memset(_private, 0, NUM_ECC_BYTES);
-
- return 1;
+ ret = EccPoint_compute_public_key(_public, _private);
+ if (ret != UECC_SUCCESS) {
+ goto exit;
}
- return 0;
+
+ /* Converting buffers to correct bit order: */
+ uECC_vli_nativeToBytes(private_key,
+ BITS_TO_BYTES(NUM_ECC_BITS),
+ _private);
+ uECC_vli_nativeToBytes(public_key,
+ NUM_ECC_BYTES,
+ _public);
+ uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES,
+ NUM_ECC_BYTES,
+ _public + NUM_ECC_WORDS);
+
+exit:
+ /* erasing temporary buffer used to store secret: */
+ mbedtls_platform_memset(_private, 0, NUM_ECC_BYTES);
+
+ return ret;
}
-int uECC_make_key(uint8_t *public_key, uint8_t *private_key, uECC_Curve curve)
+int uECC_make_key(uint8_t *public_key, uint8_t *private_key)
{
-
+ int ret;
uECC_word_t _random[NUM_ECC_WORDS * 2];
uECC_word_t _private[NUM_ECC_WORDS];
uECC_word_t _public[NUM_ECC_WORDS * 2];
@@ -118,55 +120,54 @@
uECC_RNG_Function rng_function = uECC_get_rng();
if (!rng_function ||
!rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE)) {
- return 0;
+ return UECC_FAILURE;
}
/* computing modular reduction of _random (see FIPS 186.4 B.4.1): */
- uECC_vli_mmod(_private, _random, curve->n);
+ uECC_vli_mmod(_private, _random, curve_n);
/* Computing public-key from private: */
- if (EccPoint_compute_public_key(_public, _private, curve)) {
+ ret = EccPoint_compute_public_key(_public, _private);
+ /* don't try again if a fault was detected */
+ if (ret == UECC_FAULT_DETECTED) {
+ return ret;
+ }
+ if (ret == UECC_SUCCESS) {
/* Converting buffers to correct bit order: */
uECC_vli_nativeToBytes(private_key,
- BITS_TO_BYTES(curve->num_n_bits),
+ BITS_TO_BYTES(NUM_ECC_BITS),
_private);
uECC_vli_nativeToBytes(public_key,
- curve->num_bytes,
+ NUM_ECC_BYTES,
_public);
- uECC_vli_nativeToBytes(public_key + curve->num_bytes,
- curve->num_bytes,
- _public + curve->num_words);
+ uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES,
+ NUM_ECC_BYTES,
+ _public + NUM_ECC_WORDS);
/* erasing temporary buffer that stored secret: */
mbedtls_platform_memset(_private, 0, NUM_ECC_BYTES);
- return 1;
+ return UECC_SUCCESS;
}
}
- return 0;
+ return UECC_FAILURE;
}
int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key,
- uint8_t *secret, uECC_Curve curve)
+ uint8_t *secret)
{
uECC_word_t _public[NUM_ECC_WORDS * 2];
uECC_word_t _private[NUM_ECC_WORDS];
- wordcount_t num_words = curve->num_words;
- wordcount_t num_bytes = curve->num_bytes;
+ wordcount_t num_words = NUM_ECC_WORDS;
+ wordcount_t num_bytes = NUM_ECC_BYTES;
int r;
- /* Protect against invalid curve attacks */
- if (uECC_valid_public_key(public_key, curve) != 0) {
- r = 0;
- goto clear_and_out;
- }
-
/* Converting buffers to correct bit order: */
uECC_vli_bytesToNative(_private,
private_key,
- BITS_TO_BYTES(curve->num_n_bits));
+ BITS_TO_BYTES(NUM_ECC_BITS));
uECC_vli_bytesToNative(_public,
public_key,
num_bytes);
@@ -174,14 +175,9 @@
public_key + num_bytes,
num_bytes);
- r = EccPoint_mult_safer(_public, _public, _private, curve);
- if (r == 0)
- goto clear_and_out;
-
+ r = EccPoint_mult_safer(_public, _public, _private);
uECC_vli_nativeToBytes(secret, num_bytes, _public);
- r = !EccPoint_isZero(_public, curve);
-clear_and_out:
/* erasing temporary buffer used to store secret: */
mbedtls_platform_zeroize(_private, sizeof(_private));
diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c
index f1620d0..ca071f8 100644
--- a/tinycrypt/ecc_dsa.c
+++ b/tinycrypt/ecc_dsa.c
@@ -69,10 +69,10 @@
#include "mbedtls/platform_util.h"
static void bits2int(uECC_word_t *native, const uint8_t *bits,
- unsigned bits_size, uECC_Curve curve)
+ unsigned bits_size)
{
- unsigned num_n_bytes = BITS_TO_BYTES(curve->num_n_bits);
- unsigned num_n_words = BITS_TO_WORDS(curve->num_n_bits);
+ unsigned num_n_bytes = BITS_TO_BYTES(NUM_ECC_BITS);
+ unsigned num_n_words = BITS_TO_WORDS(NUM_ECC_BITS);
int shift;
uECC_word_t carry;
uECC_word_t *ptr;
@@ -83,10 +83,10 @@
uECC_vli_clear(native);
uECC_vli_bytesToNative(native, bits, bits_size);
- if (bits_size * 8 <= (unsigned)curve->num_n_bits) {
+ if (bits_size * 8 <= (unsigned)NUM_ECC_BITS) {
return;
}
- shift = bits_size * 8 - curve->num_n_bits;
+ shift = bits_size * 8 - NUM_ECC_BITS;
carry = 0;
ptr = native + num_n_words;
while (ptr-- > native) {
@@ -96,32 +96,31 @@
}
/* Reduce mod curve_n */
- if (uECC_vli_cmp_unsafe(curve->n, native) != 1) {
- uECC_vli_sub(native, native, curve->n);
+ if (uECC_vli_cmp_unsafe(curve_n, native) != 1) {
+ uECC_vli_sub(native, native, curve_n);
}
}
int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash,
- unsigned hash_size, uECC_word_t *k, uint8_t *signature,
- uECC_Curve curve)
+ unsigned hash_size, uECC_word_t *k, uint8_t *signature)
{
uECC_word_t tmp[NUM_ECC_WORDS];
uECC_word_t s[NUM_ECC_WORDS];
uECC_word_t p[NUM_ECC_WORDS * 2];
- wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits);
+ wordcount_t num_n_words = BITS_TO_WORDS(NUM_ECC_BITS);
int r;
/* Make sure 0 < k < curve_n */
if (uECC_vli_isZero(k) ||
- uECC_vli_cmp(curve->n, k) != 1) {
- return 0;
+ uECC_vli_cmp(curve_n, k) != 1) {
+ return UECC_FAILURE;
}
- r = EccPoint_mult_safer(p, curve->G, k, curve);
- if (r == 0 || uECC_vli_isZero(p)) {
- return 0;
+ r = EccPoint_mult_safer(p, curve_G, k);
+ if (r != UECC_SUCCESS) {
+ return r;
}
/* If an RNG function was specified, get a random number
@@ -130,60 +129,66 @@
uECC_vli_clear(tmp);
tmp[0] = 1;
}
- else if (!uECC_generate_random_int(tmp, curve->n, num_n_words)) {
- return 0;
+ else if (!uECC_generate_random_int(tmp, curve_n, num_n_words)) {
+ return UECC_FAILURE;
}
/* Prevent side channel analysis of uECC_vli_modInv() to determine
bits of k / the private key by premultiplying by a random number */
- uECC_vli_modMult(k, k, tmp, curve->n); /* k' = rand * k */
- uECC_vli_modInv(k, k, curve->n); /* k = 1 / k' */
- uECC_vli_modMult(k, k, tmp, curve->n); /* k = 1 / k */
+ uECC_vli_modMult(k, k, tmp, curve_n); /* k' = rand * k */
+ uECC_vli_modInv(k, k, curve_n); /* k = 1 / k' */
+ uECC_vli_modMult(k, k, tmp, curve_n); /* k = 1 / k */
- uECC_vli_nativeToBytes(signature, curve->num_bytes, p); /* store r */
+ uECC_vli_nativeToBytes(signature, NUM_ECC_BYTES, p); /* store r */
/* tmp = d: */
- uECC_vli_bytesToNative(tmp, private_key, BITS_TO_BYTES(curve->num_n_bits));
+ uECC_vli_bytesToNative(tmp, private_key, BITS_TO_BYTES(NUM_ECC_BITS));
s[num_n_words - 1] = 0;
uECC_vli_set(s, p);
- uECC_vli_modMult(s, tmp, s, curve->n); /* s = r*d */
+ uECC_vli_modMult(s, tmp, s, curve_n); /* s = r*d */
- bits2int(tmp, message_hash, hash_size, curve);
- uECC_vli_modAdd(s, tmp, s, curve->n); /* s = e + r*d */
- uECC_vli_modMult(s, s, k, curve->n); /* s = (e + r*d) / k */
- if (uECC_vli_numBits(s) > (bitcount_t)curve->num_bytes * 8) {
- return 0;
+ bits2int(tmp, message_hash, hash_size);
+ uECC_vli_modAdd(s, tmp, s, curve_n); /* s = e + r*d */
+ uECC_vli_modMult(s, s, k, curve_n); /* s = (e + r*d) / k */
+ if (uECC_vli_numBits(s) > (bitcount_t)NUM_ECC_BYTES * 8) {
+ return UECC_FAILURE;
}
- uECC_vli_nativeToBytes(signature + curve->num_bytes, curve->num_bytes, s);
- return 1;
+ uECC_vli_nativeToBytes(signature + NUM_ECC_BYTES, NUM_ECC_BYTES, s);
+ return UECC_SUCCESS;
}
int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash,
- unsigned hash_size, uint8_t *signature, uECC_Curve curve)
+ unsigned hash_size, uint8_t *signature)
{
- uECC_word_t _random[2*NUM_ECC_WORDS];
- uECC_word_t k[NUM_ECC_WORDS];
- uECC_word_t tries;
+ int r;
+ uECC_word_t _random[2*NUM_ECC_WORDS];
+ uECC_word_t k[NUM_ECC_WORDS];
+ uECC_word_t tries;
for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) {
/* Generating _random uniformly at random: */
uECC_RNG_Function rng_function = uECC_get_rng();
if (!rng_function ||
!rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE)) {
- return 0;
+ return UECC_FAILURE;
}
// computing k as modular reduction of _random (see FIPS 186.4 B.5.1):
- uECC_vli_mmod(k, _random, curve->n);
+ uECC_vli_mmod(k, _random, curve_n);
- if (uECC_sign_with_k(private_key, message_hash, hash_size, k, signature,
- curve)) {
- return 1;
+ r = uECC_sign_with_k(private_key, message_hash, hash_size, k, signature);
+ /* don't keep trying if a fault was detected */
+ if (r == UECC_FAULT_DETECTED) {
+ return r;
}
+ if (r == UECC_SUCCESS) {
+ return UECC_SUCCESS;
+ }
+ /* else keep trying */
}
- return 0;
+ return UECC_FAILURE;
}
static bitcount_t smax(bitcount_t a, bitcount_t b)
@@ -192,8 +197,7 @@
}
int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash,
- unsigned hash_size, const uint8_t *signature,
- uECC_Curve curve)
+ unsigned hash_size, const uint8_t *signature)
{
uECC_word_t u1[NUM_ECC_WORDS], u2[NUM_ECC_WORDS];
@@ -212,21 +216,18 @@
uECC_word_t _public[NUM_ECC_WORDS * 2];
uECC_word_t r[NUM_ECC_WORDS], s[NUM_ECC_WORDS];
- wordcount_t num_words = curve->num_words;
- wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits);
-
- if (curve != uECC_secp256r1())
- return 0;
+ wordcount_t num_words = NUM_ECC_WORDS;
+ wordcount_t num_n_words = BITS_TO_WORDS(NUM_ECC_BITS);
rx[num_n_words - 1] = 0;
r[num_n_words - 1] = 0;
s[num_n_words - 1] = 0;
- uECC_vli_bytesToNative(_public, public_key, curve->num_bytes);
- uECC_vli_bytesToNative(_public + num_words, public_key + curve->num_bytes,
- curve->num_bytes);
- uECC_vli_bytesToNative(r, signature, curve->num_bytes);
- uECC_vli_bytesToNative(s, signature + curve->num_bytes, curve->num_bytes);
+ uECC_vli_bytesToNative(_public, public_key, NUM_ECC_BYTES);
+ uECC_vli_bytesToNative(_public + num_words, public_key + NUM_ECC_BYTES,
+ NUM_ECC_BYTES);
+ uECC_vli_bytesToNative(r, signature, NUM_ECC_BYTES);
+ uECC_vli_bytesToNative(s, signature + NUM_ECC_BYTES, NUM_ECC_BYTES);
/* r, s must not be 0. */
if (uECC_vli_isZero(r) || uECC_vli_isZero(s)) {
@@ -234,31 +235,31 @@
}
/* r, s must be < n. */
- if (uECC_vli_cmp_unsafe(curve->n, r) != 1 ||
- uECC_vli_cmp_unsafe(curve->n, s) != 1) {
+ if (uECC_vli_cmp_unsafe(curve_n, r) != 1 ||
+ uECC_vli_cmp_unsafe(curve_n, s) != 1) {
return UECC_FAILURE;
}
/* Calculate u1 and u2. */
- uECC_vli_modInv(z, s, curve->n); /* z = 1/s */
+ uECC_vli_modInv(z, s, curve_n); /* z = 1/s */
u1[num_n_words - 1] = 0;
- bits2int(u1, message_hash, hash_size, curve);
- uECC_vli_modMult(u1, u1, z, curve->n); /* u1 = e/s */
- uECC_vli_modMult(u2, r, z, curve->n); /* u2 = r/s */
+ bits2int(u1, message_hash, hash_size);
+ uECC_vli_modMult(u1, u1, z, curve_n); /* u1 = e/s */
+ uECC_vli_modMult(u2, r, z, curve_n); /* u2 = r/s */
/* Calculate sum = G + Q. */
uECC_vli_set(sum, _public);
uECC_vli_set(sum + num_words, _public + num_words);
- uECC_vli_set(tx, curve->G);
- uECC_vli_set(ty, curve->G + num_words);
- uECC_vli_modSub(z, sum, tx, curve->p); /* z = x2 - x1 */
- XYcZ_add(tx, ty, sum, sum + num_words, curve);
- uECC_vli_modInv(z, z, curve->p); /* z = 1/z */
+ uECC_vli_set(tx, curve_G);
+ uECC_vli_set(ty, curve_G + num_words);
+ uECC_vli_modSub(z, sum, tx, curve_p); /* z = x2 - x1 */
+ XYcZ_add(tx, ty, sum, sum + num_words);
+ uECC_vli_modInv(z, z, curve_p); /* z = 1/z */
apply_z(sum, sum + num_words, z);
/* Use Shamir's trick to calculate u1*G + u2*Q */
points[0] = 0;
- points[1] = curve->G;
+ points[1] = curve_G;
points[2] = _public;
points[3] = sum;
num_bits = smax(uECC_vli_numBits(u1),
@@ -273,7 +274,7 @@
for (i = num_bits - 2; i >= 0; --i) {
uECC_word_t index;
- curve->double_jacobian(rx, ry, z, curve);
+ double_jacobian_default(rx, ry, z);
index = (!!uECC_vli_testBit(u1, i)) | ((!!uECC_vli_testBit(u2, i)) << 1);
point = points[index];
@@ -281,18 +282,18 @@
uECC_vli_set(tx, point);
uECC_vli_set(ty, point + num_words);
apply_z(tx, ty, z);
- uECC_vli_modSub(tz, rx, tx, curve->p); /* Z = x2 - x1 */
- XYcZ_add(tx, ty, rx, ry, curve);
+ uECC_vli_modSub(tz, rx, tx, curve_p); /* Z = x2 - x1 */
+ XYcZ_add(tx, ty, rx, ry);
uECC_vli_modMult_fast(z, z, tz);
}
}
- uECC_vli_modInv(z, z, curve->p); /* Z = 1/Z */
+ uECC_vli_modInv(z, z, curve_p); /* Z = 1/Z */
apply_z(rx, ry, z);
/* v = x1 (mod n) */
- if (uECC_vli_cmp_unsafe(curve->n, rx) != 1) {
- uECC_vli_sub(rx, rx, curve->n);
+ if (uECC_vli_cmp_unsafe(curve_n, rx) != 1) {
+ uECC_vli_sub(rx, rx, curve_n);
}
/* Accept only if v == r. */
@@ -303,7 +304,7 @@
return UECC_SUCCESS;
}
else {
- return UECC_ATTACK_DETECTED;
+ return UECC_FAULT_DETECTED;
}
}