Harden hmac_drbg and md against fault injection
-Add flow monitor, loop integrity check and variable doubling to
harden mbedtls_hmac_drbg_update_ret.
-Use a longer Hamming distance for nonce usage in hmac_drbg_reseed_core
-Return actual value instead of success in mbedtls_hmac_drbg_seed and
mbedtls_hmac_drbg_seed_buf
-Check illegal condition in hmac_drbg_reseed_core.
-Double buf/buf_len variables in mbedtls_hmac_drbg_random_with_add
-Add more Hamming distance to MBEDTLS_HMAC_DRBG_PR_ON/OFF
diff --git a/library/md.c b/library/md.c
index d9d6509..7644ac6 100644
--- a/library/md.c
+++ b/library/md.c
@@ -575,15 +575,28 @@
if( ( ret = mbedtls_md_info_starts( md_info, ctx->md_ctx ) ) != 0 )
goto cleanup;
+ i++; // Use i as flow control
+
if( ( ret = mbedtls_md_info_update( md_info, ctx->md_ctx, ipad,
mbedtls_md_info_block_size( md_info ) ) ) != 0 )
{
goto cleanup;
}
+ i++; // Use i as flow control now
+
cleanup:
mbedtls_platform_zeroize( sum, sizeof( sum ) );
+ if ( ret == 0 )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ /* Check possible fault injection */
+ if ( ( i - 2 ) == keylen ) {
+ ret = 0;
+ }
+ }
+
return( ret );
}
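Review bot: The fault check at `if ( ( i - 2 ) == keylen )` only works if `i` was left exactly equal to `keylen` by code before the hunk, and nothing in the hunk states that invariant; the function this lands in (presumably mbedtls_md_hmac_starts) starts outside the hunk, and the loop that sets `i` is not visible here. A comment at the check should spell out the dependency, e.g. `/* i must equal keylen on loop exit; the two increments above count the starts/update calls that must both have run */`, so that a later change to that loop (or to its bound) does not silently turn every HMAC start into MBEDTLS_ERR_PLATFORM_FAULT_DETECTED. Reusing the loop index as the flow counter also means a fault that corrupts `i` during the XOR loop and one that skips an md call are indistinguishable; a dedicated counter would make the intent clearer. On style, the two new `// Use i as flow control` comments are C99 line comments, which the mbedtls coding standard does not allow (C89 `/* */` only), and `if ( ret == 0 )` / `if ( ( i - 2 ) == keylen ) {` depart from the surrounding `if( ... )` spacing and brace-on-its-own-line layout seen at the top of the hunk.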
@@ -653,7 +666,7 @@
if( ( ret = mbedtls_md_info_finish( md_info, ctx->md_ctx, output ) ) != 0 )
return( ret );
- return( 0 );
+ return( ret );
}
int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx )
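Review bot: Replacing `return( 0 );` with `return( ret );` directly after `if( ( ret = ... ) != 0 ) return( ret );` makes the two statements semantically identical, so an optimizing compiler is free to fold them into a single `return ret`, which removes the redundancy this hardening relies on unless `ret` is declared volatile; its declaration is outside the hunk, so that should be confirmed. If the aim is to survive a skipped branch, a comment such as `/* Return ret (not 0) so a skipped error check still propagates the failure */` would at least record the intent for the next reader. The enclosing function (presumably mbedtls_md_hmac_finish) begins outside the hunk.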