Merge pull request #3403 from piotr-now/sca_memmove
Add mbedtls_platform_memmove() as a secured memcmp()
diff --git a/library/pk.c b/library/pk.c
index cf4cfbb..b92eb14 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -46,10 +46,9 @@
#endif /* MBEDTLS_USE_TINYCRYPT */
#include "mbedtls/platform_util.h"
-
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
+
+#if !defined(MBEDTLS_PLATFORM_C)
#include <stdlib.h>
#define mbedtls_calloc calloc
#define mbedtls_free free
@@ -1569,7 +1568,7 @@
}
else
{
- verify_ret = MBEDTLS_ERR_PK_HW_ACCEL_FAILED;
+ verify_ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
}
diff --git a/library/platform_util.c b/library/platform_util.c
index 17913b4..de2fa2b 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -213,6 +213,9 @@
do
{
i++;
+ /* Dummy calculations to increase the time between iterations and
+ * make side channel attack more difficult by reducing predictability
+ * of its behaviour */
shift = rn_2 & 0x07;
if ( i % 2 )
rn_2 = (uint32_t)( rn_2 >> shift | rn_2 << ( 32 - shift ) );
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index eada831..5c74386 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -27,9 +27,9 @@
#if defined(MBEDTLS_SSL_CLI_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
+
+#if !defined(MBEDTLS_PLATFORM_C)
#include <stdlib.h>
#define mbedtls_calloc calloc
#define mbedtls_free free
@@ -724,6 +724,10 @@
ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
return( 0 );
}
+ else
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
}
return( ret );
@@ -2388,6 +2392,10 @@
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
return( 0 );
}
+ else
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
}
MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
@@ -2460,6 +2468,12 @@
{
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
}
+ else
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
+ goto cleanup;
+ }
}
else
{
@@ -3101,7 +3115,7 @@
}
else
{
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
}
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index fbad37b..2cd34b2 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -27,9 +27,9 @@
#if defined(MBEDTLS_SSL_SRV_C)
-#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
-#else
+
+#if !defined(MBEDTLS_PLATFORM_C)
#include <stdlib.h>
#define mbedtls_calloc calloc
#define mbedtls_free free
@@ -4659,6 +4659,10 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
goto exit;
}
+ else
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
}
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index c92ab7f..9851560 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2027,8 +2027,9 @@
}
else
{
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
- return( ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret",
+ MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
}
else
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 7f689ff..43bb977 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2936,7 +2936,7 @@
*
* Return value:
* - 0 on success
- * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
+ * - MBEDTLS_ERR_ECP_IN_PROGRESS or MBEDTLS_ERR_PLATFORM_FAULT_DETECTED otherwise
*/
static int x509_crt_find_parent_in(
mbedtls_x509_crt_sig_info const *child_sig,
@@ -3051,6 +3051,8 @@
mbedtls_platform_random_delay();
if( ret_fi == 0 )
signature_is_good = X509_SIGNATURE_IS_GOOD;
+ else
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
if( top && ! signature_is_good )
@@ -3869,6 +3871,8 @@
mbedtls_platform_random_delay();
if( flags_fi == 0 )
return( 0 );
+ else
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
/* Preserve the API by removing internal extra bits - from now on the