Merge pull request #3999 from AndrzejKurek/baremetal-fi-parse-certificate
[baremetal] Improved fi protection in ssl_parse_certificate
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 22eba11..b2e7329 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3028,9 +3028,11 @@
/**
* \def MBEDTLS_PLATFORM_FAULT_CALLBACKS
*
- * Uncomment to provide your own alternate implementation for mbedtls_platform_fault(),
- * used in library/platform_util.c to signal a fault injection in either
- * mbedtls_platform_memcpy, mbedtls_platform_memset or mbedtls_platform_random_buf.
+ * Uncomment to provide your own alternate implementation for
+ * mbedtls_platform_fault(), used in library/platform_util.c and
+ * tinycrypt/ecc.c to signal a fault injection in either
+ * mbedtls_platform_memcpy, mbedtls_platform_memset, mbedtls_platform_random_buf,
+ * or uECC_vli_mmod.
*
* You will need to provide a header "platform_fault.h" and an implementation at
* compile time.
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 2bf512c..ebd570f 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -7414,8 +7414,8 @@
requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
requires_config_enabled MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
run_test "DTLS client reconnect from same port: reference" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
+ "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=15000-25000" \
+ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=15000-25000" \
0 \
-C "resend" \
-S "The operation timed out" \
@@ -7425,7 +7425,7 @@
requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
requires_config_enabled MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
run_test "DTLS client reconnect from same port: reconnect" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
+ "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=15000-25000" \
"$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=15000-25000 reconnect_hard=1" \
0 \
-C "resend" \
diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index a6c8467..1a16438 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -70,6 +70,12 @@
#include <string.h>
#include "mbedtls/platform_util.h"
+#if defined(MBEDTLS_PLATFORM_FAULT_CALLBACKS)
+#include "platform_fault.h"
+#else
+static void mbedtls_platform_fault(){}
+#endif
+
#if defined MBEDTLS_OPTIMIZE_TINYCRYPT_ASM
#ifndef asm
#define asm __asm
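Review bot: The fallback `static void mbedtls_platform_fault(){}` uses an empty parameter list, which in C is an old-style declaration rather than a prototype. Writing it as `static void mbedtls_platform_fault( void ) {}` lets the compiler reject mismatched calls and keeps strict-prototype warnings quiet. The stub would also benefit from a one-line comment such as `/* No-op when MBEDTLS_PLATFORM_FAULT_CALLBACKS is unset: a detected fault is not acted upon. */`, because that behaviour is not visible at the call site added further down in this file.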
@@ -1167,6 +1173,12 @@
wordcount_t word_shift = shift / uECC_WORD_BITS;
wordcount_t bit_shift = shift % uECC_WORD_BITS;
uECC_word_t carry = 0;
+
+ if(word_shift > NUM_ECC_WORDS)
+ {
+ mbedtls_platform_fault();
+ }
+
uECC_vli_clear(mod_multiple);
if (bit_shift > 0) {
for(index = 0; index < (uECC_word_t)num_words; ++index) {
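Review bot: After `mbedtls_platform_fault()` is called, control falls through to `uECC_vli_clear(mod_multiple)` and the shift loop, so the out-of-range `word_shift` is still used unless the callback never returns. With the empty fallback stub added at the top of this file, the check has no effect in the default configuration. Consider leaving the function right after the call, for example `mbedtls_platform_fault(); return;` if it returns void, or its failure code otherwise; the signature and the rest of the body are outside this hunk. A short comment explaining why the bound is `> NUM_ECC_WORDS` rather than `>=` would also help, since it presumably depends on the size of `mod_multiple`, which is not shown here.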