Merge pull request #3468 from piotr-now/fic_flow_monitor
Add flow monitor for memory block operations
diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h
index 8d00eba..c65c853 100644
--- a/include/mbedtls/platform_util.h
+++ b/include/mbedtls/platform_util.h
@@ -161,8 +161,11 @@
* \param buf Buffer to be zeroized
* \param len Length of the buffer in bytes
*
+ * \return The value of \p buf if the operation was successful.
+ * \return NULL if a potential FI attack was detected or input parameters
+ * are not valid.
*/
-void mbedtls_platform_zeroize( void *buf, size_t len );
+void *mbedtls_platform_zeroize( void *buf, size_t len );
/**
* \brief Secure memset
@@ -176,7 +179,8 @@
* \param value Value to be used when setting the buffer.
* \param num The length of the buffer in bytes.
*
- * \return The value of \p ptr.
+ * \return The value of \p ptr if the operation was successful.
+ * \return NULL if a potential FI attack was detected.
*/
void *mbedtls_platform_memset( void *ptr, int value, size_t num );
@@ -193,6 +197,7 @@
* \param num The length of the buffers in bytes.
*
* \return The value of \p dst.
+ * \return NULL if a potential FI attack was detected.
*/
void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num );
diff --git a/library/entropy.c b/library/entropy.c
index 8db3d94..2b1e7ef 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -462,9 +462,10 @@
for( i = 0; i < ctx->source_count; i++ )
ctx->source[i].size = 0;
- mbedtls_platform_memcpy( output, buf, len );
-
- ret = 0;
+ if( output == mbedtls_platform_memcpy( output, buf, len ) )
+ {
+ ret = 0;
+ }
exit:
mbedtls_platform_zeroize( buf, sizeof( buf ) );
diff --git a/library/pkparse.c b/library/pkparse.c
index f10a61e..83974f8 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -561,9 +561,13 @@
if( buf[0] != 0x04 )
return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
- mbedtls_platform_memcpy( uecc_keypair->public_key, buf + 1, 2 * NUM_ECC_BYTES );
+ if( mbedtls_platform_memcpy( uecc_keypair->public_key, buf + 1, 2 * NUM_ECC_BYTES ) ==
+ uecc_keypair->public_key )
+ {
+ return( 0 );
+ }
- return( 0 );
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
static int pk_get_ueccpubkey( unsigned char **p,
@@ -976,7 +980,11 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
- mbedtls_platform_memcpy( keypair->private_key, p, len );
+ if( mbedtls_platform_memcpy( keypair->private_key, p, len ) !=
+ keypair->private_key )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
p += len;
diff --git a/library/platform_util.c b/library/platform_util.c
index 5e938f9..3b098d2 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -95,61 +95,136 @@
void *mbedtls_platform_memset( void *, int, size_t );
static void * (* const volatile memset_func)( void *, int, size_t ) = mbedtls_platform_memset;
-void mbedtls_platform_zeroize( void *buf, size_t len )
+void *mbedtls_platform_zeroize( void *buf, size_t len )
{
- MBEDTLS_INTERNAL_VALIDATE( len == 0 || buf != NULL );
+ volatile size_t vlen = len;
- if( len > 0 )
- memset_func( buf, 0, len );
+ MBEDTLS_INTERNAL_VALIDATE_RET( ( len == 0 || buf != NULL ), NULL );
+
+ if( vlen > 0 )
+ {
+ return memset_func( buf, 0, vlen );
+ }
+ else
+ {
+ mbedtls_platform_random_delay();
+ if( vlen == 0 && vlen == len )
+ {
+ return buf;
+ }
+ }
+ return NULL;
}
#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
void *mbedtls_platform_memset( void *ptr, int value, size_t num )
{
- /* Randomize start offset. */
- size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num );
- /* Randomize data */
- uint32_t data = mbedtls_platform_random_in_range( 256 );
+ size_t i, start_offset;
+ volatile size_t flow_counter = 0;
+ volatile char *b = ptr;
+ char rnd_data;
- /* Perform a pair of memset operations from random locations with
- * random data */
- memset( (void *) ( (unsigned char *) ptr + start_offset ), data,
- ( num - start_offset ) );
- memset( (void *) ptr, data, start_offset );
+ start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num );
+ rnd_data = (char) mbedtls_platform_random_in_range( 256 );
- /* Perform the original memset */
- return( memset( ptr, value, num ) );
+ /* Perform a memset operations with random data and start from a random
+ * location */
+ for( i = start_offset; i < num; ++i )
+ {
+ b[i] = rnd_data;
+ flow_counter++;
+ }
+
+ /* Start from a random location with target data */
+ for( i = start_offset; i < num; ++i )
+ {
+ b[i] = value;
+ flow_counter++;
+ }
+
+ /* Second memset operation with random data */
+ for( i = 0; i < start_offset; ++i )
+ {
+ b[i] = rnd_data;
+ flow_counter++;
+ }
+
+ /* Finish memset operation with correct data */
+ for( i = 0; i < start_offset; ++i )
+ {
+ b[i] = value;
+ flow_counter++;
+ }
+
+ /* check the correct number of iterations */
+ if( flow_counter == 2 * num )
+ {
+ mbedtls_platform_random_delay();
+ if( flow_counter == 2 * num )
+ {
+ return ptr;
+ }
+ }
+ return NULL;
}
void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num )
{
- /* Randomize start offset. */
- size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num );
- /* Randomize initial data to prevent leakage while copying */
- uint32_t data = mbedtls_platform_random_in_range( 256 );
+ size_t i;
+ volatile size_t flow_counter = 0;
- /* Use memset with random value at first to increase security - memset is
- not normally part of the memcpy function and here can be useed
- with regular, unsecured implementation */
- memset( (void *) dst, data, num );
- memcpy( (void *) ( (unsigned char *) dst + start_offset ),
- (void *) ( (unsigned char *) src + start_offset ),
- ( num - start_offset ) );
- return( memcpy( (void *) dst, (void *) src, start_offset ) );
+ if( num > 0 )
+ {
+ /* Randomize start offset. */
+ size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num );
+ /* Randomize initial data to prevent leakage while copying */
+ uint32_t data = mbedtls_platform_random_in_range( 256 );
+
+ /* Use memset with random value at first to increase security - memset is
+ not normally part of the memcpy function and here can be useed
+ with regular, unsecured implementation */
+ memset( (void *) dst, data, num );
+
+ /* Make a copy starting from a random location. */
+ i = start_offset;
+ do
+ {
+ ( (char*) dst )[i] = ( (char*) src )[i];
+ flow_counter++;
+ }
+ while( ( i = ( i + 1 ) % num ) != start_offset );
+ }
+
+ /* check the correct number of iterations */
+ if( flow_counter == num )
+ {
+ mbedtls_platform_random_delay();
+ if( flow_counter == num )
+ {
+ return dst;
+ }
+ }
+ return NULL;
}
int mbedtls_platform_memmove( void *dst, const void *src, size_t num )
{
+ void *ret1 = NULL;
+ void *ret2 = NULL;
/* The buffers can have a common part, so we cannot do a copy from a random
* location. By using a temporary buffer we can do so, but the cost of it
* is using more memory and longer transfer time. */
void *tmp = mbedtls_calloc( 1, num );
if( tmp != NULL )
{
- mbedtls_platform_memcpy( tmp, src, num );
- mbedtls_platform_memcpy( dst, tmp, num );
+ ret1 = mbedtls_platform_memcpy( tmp, src, num );
+ ret2 = mbedtls_platform_memcpy( dst, tmp, num );
mbedtls_free( tmp );
- return 0;
+ if( ret1 == tmp && ret2 == dst )
+ {
+ return 0;
+ }
+ return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
return MBEDTLS_ERR_PLATFORM_ALLOC_FAILED;
diff --git a/library/rsa.c b/library/rsa.c
index 67ebf84..83a4f38 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -60,9 +60,9 @@
#include <stdlib.h>
#endif
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
+
+#if !defined(MBEDTLS_PLATFORM_C)
#include <stdio.h>
#define mbedtls_printf printf
#define mbedtls_calloc calloc
@@ -1974,8 +1974,11 @@
/* Are we signing raw data? */
if( md_alg == MBEDTLS_MD_NONE )
{
- mbedtls_platform_memcpy( p, hash, hashlen );
- return( 0 );
+ if( mbedtls_platform_memcpy( p, hash, hashlen ) == p )
+ {
+ return( 0 );
+ }
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
/* Signing hashed data, add corresponding ASN.1 structure
@@ -2003,7 +2006,10 @@
*p++ = 0x00;
*p++ = MBEDTLS_ASN1_OCTET_STRING;
*p++ = (unsigned char) hashlen;
- mbedtls_platform_memcpy( p, hash, hashlen );
+ if( mbedtls_platform_memcpy( p, hash, hashlen ) != p )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
p += hashlen;
/* Just a sanity-check, should be automatic
@@ -2029,7 +2035,7 @@
const unsigned char *hash,
unsigned char *sig )
{
- int ret;
+ int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
unsigned char *sig_try = NULL, *verif = NULL;
RSA_VALIDATE_RET( ctx != NULL );
@@ -2087,7 +2093,10 @@
goto cleanup;
}
- mbedtls_platform_memcpy( sig, sig_try, ctx->len );
+ if( mbedtls_platform_memcpy( sig, sig_try, ctx->len ) != sig )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
cleanup:
mbedtls_free( sig_try );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 55ac133..4ebfb5c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -92,7 +92,11 @@
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
- mbedtls_platform_memcpy( ssl->handshake->ecdh_peerkey, *p + 2, 2 * NUM_ECC_BYTES );
+ if( mbedtls_platform_memcpy( ssl->handshake->ecdh_peerkey, *p + 2, 2 * NUM_ECC_BYTES ) !=
+ ssl->handshake->ecdh_peerkey )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
*p += secp256r1_uncompressed_point_length;
return( 0 );
@@ -1886,9 +1890,13 @@
return( ret );
}
- mbedtls_platform_zeroize( handshake->premaster,
- sizeof(handshake->premaster) );
- return( 0 );
+ if( handshake->premaster == mbedtls_platform_zeroize(
+ handshake->premaster, sizeof(handshake->premaster) ) )
+ {
+ return( 0 );
+ }
+
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
@@ -2289,7 +2297,10 @@
if( end < p || (size_t)( end - p ) < psk_len )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- mbedtls_platform_memcpy( p, psk, psk_len );
+ if( mbedtls_platform_memcpy( p, psk, psk_len ) != p )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
p += psk_len;
ssl->handshake->pmslen = p - ssl->handshake->premaster;
@@ -4491,8 +4502,16 @@
/* Handshake hashes are computed without fragmentation,
* so set frag_offset = 0 and frag_len = hs_len for now */
- mbedtls_platform_memset( ssl->out_msg + 6, 0x00, 3 );
- mbedtls_platform_memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
+ if( mbedtls_platform_memset( ssl->out_msg + 6, 0x00, 3 ) !=
+ ssl->out_msg + 6 )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
+ if( mbedtls_platform_memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ) !=
+ ssl->out_msg + 9 )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
@@ -6123,9 +6142,24 @@
/* Prepare final header: copy msg_type, length and message_seq,
* then add standardised fragment_offset and fragment_length */
- mbedtls_platform_memcpy( hs_buf->data, ssl->in_msg, 6 );
- mbedtls_platform_memset( hs_buf->data + 6, 0, 3 );
- mbedtls_platform_memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
+ if( mbedtls_platform_memcpy( hs_buf->data, ssl->in_msg, 6 ) !=
+ hs_buf->data )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto exit;
+ }
+ if( mbedtls_platform_memset( hs_buf->data + 6, 0, 3 ) !=
+ hs_buf->data + 6 )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto exit;
+ }
+ if( mbedtls_platform_memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 ) !=
+ hs_buf->data + 9 )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto exit;
+ }
hs_buf->is_valid = 1;
@@ -11175,11 +11209,19 @@
n = ( len < ssl->in_msglen )
? len : ssl->in_msglen;
- mbedtls_platform_memcpy( buf, ssl->in_offt, n );
+ if( mbedtls_platform_memcpy( buf, ssl->in_offt, n ) !=
+ buf )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
ssl->in_msglen -= n;
// clear incoming data after it's copied to buffer
- mbedtls_platform_memset(ssl->in_offt, 0, n);
+ if( mbedtls_platform_memset( ssl->in_offt, 0, n ) !=
+ ssl->in_offt )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
if( ssl->in_msglen == 0 )
{
@@ -11269,7 +11311,10 @@
*/
ssl->out_msglen = len;
ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
- mbedtls_platform_memcpy( ssl->out_msg, buf, len );
+ if( mbedtls_platform_memcpy( ssl->out_msg, buf, len ) != ssl->out_msg )
+ {
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ }
#if defined(MBEDTLS_FI_COUNTERMEASURES) && !defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
/*
diff --git a/tinycrypt/ecc_dh.c b/tinycrypt/ecc_dh.c
index 5a7a9e5..6285cf3 100644
--- a/tinycrypt/ecc_dh.c
+++ b/tinycrypt/ecc_dh.c
@@ -81,7 +81,10 @@
/* This function is designed for test purposes-only (such as validating NIST
* test vectors) as it uses a provided value for d instead of generating
* it uniformly at random. */
- mbedtls_platform_memcpy (_private, d, NUM_ECC_BYTES);
+ if( mbedtls_platform_memcpy (_private, d, NUM_ECC_BYTES) != _private )
+ {
+ goto exit;
+ }
/* Computing public-key from private: */
ret = EccPoint_compute_public_key(_public, _private);
@@ -186,7 +189,9 @@
uECC_vli_nativeToBytes(secret, num_bytes, _public);
/* erasing temporary buffer used to store secret: */
- mbedtls_platform_zeroize(_private, sizeof(_private));
+ if (_private == mbedtls_platform_zeroize(_private, sizeof(_private))) {
+ return r;
+ }
- return r;
+ return UECC_FAULT_DETECTED;
}