Duplicate sensitive buffer and buffer length information
Detect FI attacks on buffer pointers and buffer lengths.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
diff --git a/library/aes.c b/library/aes.c
index 5746987..8cfb4ba 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -686,6 +686,8 @@
unsigned int flow_ctrl = 0;
volatile unsigned int i = 0;
volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ volatile const unsigned char *key_dup = key;
+ volatile unsigned int keybits_dup = keybits;
uint32_t *RK;
uint32_t offset = 0;
@@ -814,7 +816,10 @@
#endif
) )
{
- return ret;
+ if( keybits_dup == keybits && key_dup == key )
+ {
+ return ret;
+ }
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
@@ -1063,6 +1068,8 @@
aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
int round_ctrl_table_len = ctx->nr + 2 + AES_SCA_CM_ROUNDS;
volatile int flow_control;
+ volatile const unsigned char *input_dup = input;
+ volatile unsigned char *output_dup = output;
// control bytes for AES calculation rounds,
// reserve based on max rounds + dummy rounds + 2 (for initial key addition)
uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )];
@@ -1163,7 +1170,10 @@
if( flow_control == tindex + dummy_rounds + 8 )
{
/* Validate control path due possible fault injection */
- return 0;
+ if( output_dup == output && input_dup == input )
+ {
+ return 0;
+ }
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
@@ -1342,6 +1352,8 @@
aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
int round_ctrl_table_len = ctx->nr + 2 + AES_SCA_CM_ROUNDS;
volatile int flow_control;
+ volatile const unsigned char *input_dup = input;
+ volatile unsigned char *output_dup = output;
// control bytes for AES calculation rounds,
// reserve based on max rounds + dummy rounds + 2 (for initial key addition)
uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )];
@@ -1442,7 +1454,10 @@
if( flow_control == tindex + dummy_rounds + 8 )
{
/* Validate control path due possible fault injection */
- return 0;
+ if( output_dup == output && input_dup == input )
+ {
+ return 0;
+ }
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
diff --git a/library/ccm.c b/library/ccm.c
index 750ec9e..ab0540b 100644
--- a/library/ccm.c
+++ b/library/ccm.c
@@ -77,6 +77,8 @@
{
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
const mbedtls_cipher_info_t *cipher_info;
+ volatile const unsigned char *key_dup = key;
+ volatile unsigned int keybits_dup = keybits;
CCM_VALIDATE_RET( ctx != NULL );
CCM_VALIDATE_RET( key != NULL );
@@ -99,6 +101,11 @@
return( ret );
}
+ if( keybits_dup != keybits || key_dup != key )
+ {
+ return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
+
return( ret );
}
@@ -165,6 +172,15 @@
unsigned char ctr[16];
const unsigned char *src;
unsigned char *dst;
+ volatile size_t length_dup = length;
+ volatile const unsigned char *iv_dup = iv;
+ volatile size_t iv_len_dup = iv_len;
+ volatile const unsigned char *add_dup = add;
+ volatile size_t add_len_dup = add_len;
+ volatile const unsigned char *input_dup = input;
+ volatile unsigned char *output_dup = output;
+ volatile unsigned char *tag_dup = tag;
+ volatile size_t tag_len_dup = tag_len;
/*
* Check length requirements: SP800-38C A.1
@@ -316,6 +332,13 @@
CTR_CRYPT( y, y, 16 );
mbedtls_platform_memcpy( tag, y, tag_len );
+ if( length_dup != length || iv_dup != iv || iv_len_dup != iv_len ||
+ add_dup != add || add_len_dup != add_len || input_dup != input ||
+ output_dup != output || tag_dup != tag || tag_len_dup != tag_len)
+ {
+ return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
+
return( ret );
}
@@ -370,6 +393,15 @@
unsigned char check_tag[16];
unsigned char i;
int diff;
+ volatile size_t length_dup = length;
+ volatile const unsigned char *iv_dup = iv;
+ volatile size_t iv_len_dup = iv_len;
+ volatile const unsigned char *add_dup = add;
+ volatile size_t add_len_dup = add_len;
+ volatile const unsigned char *input_dup = input;
+ volatile unsigned char *output_dup = output;
+ volatile const unsigned char *tag_dup = tag;
+ volatile size_t tag_len_dup = tag_len;
CCM_VALIDATE_RET( ctx != NULL );
CCM_VALIDATE_RET( iv != NULL );
@@ -395,6 +427,13 @@
return( MBEDTLS_ERR_CCM_AUTH_FAILED );
}
+ if( length_dup != length || iv_dup != iv || iv_len_dup != iv_len ||
+ add_dup != add || add_len_dup != add_len || input_dup != input ||
+ output_dup != output || tag_dup != tag || tag_len_dup != tag_len)
+ {
+ return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
+
return( ret );
}
diff --git a/library/entropy.c b/library/entropy.c
index f5d7d40..8db3d94 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -143,6 +143,10 @@
size_t threshold, int strong )
{
int idx, ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ volatile mbedtls_entropy_f_source_ptr f_source_dup = f_source;
+ volatile void *p_source_dup = p_source;
+ volatile size_t threshold_dup = threshold;
+ volatile int strong_dup = strong;
#if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
@@ -170,6 +174,11 @@
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
#endif
+ if( f_source_dup != f_source || p_source_dup != p_source ||
+ threshold_dup != threshold || strong_dup != strong )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
return( ret );
}
@@ -184,7 +193,8 @@
size_t use_len = len;
const unsigned char *p = data;
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
-
+ volatile const unsigned char *data_dup = data;
+ volatile size_t len_dup = len;
if( use_len > MBEDTLS_ENTROPY_BLOCK_SIZE )
{
#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
@@ -229,6 +239,10 @@
cleanup:
mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+ if( len_dup != len || data_dup != data )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
return( ret );
}
@@ -349,6 +363,9 @@
int count = 0, i, done;
mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data;
unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+ volatile void *data_dup = data;
+ volatile unsigned char *output_dup = output;
+ volatile size_t len_dup = len;
if( len > MBEDTLS_ENTROPY_BLOCK_SIZE )
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
@@ -456,7 +473,10 @@
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
#endif
-
+ if( data_dup != data || len_dup != len || output_dup != output )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
return( ret );
}
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index d197f24..ecca880 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
@@ -81,6 +81,8 @@
volatile unsigned int flow_counter = 0;
unsigned char K[MBEDTLS_MD_MAX_SIZE];
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ volatile const unsigned char *additional_dup = additional;
+ volatile size_t add_len_dup = add_len;
for( sep[0] = 0; sep[0] < rounds; sep[0]++ )
{
@@ -143,7 +145,10 @@
// Double check flow_counter
if ( ( flow_counter == 7 ) || ( flow_counter == 16 ) )
{
- return ret; // success, return 0 from ret
+ if( additional_dup == additional && add_len_dup == add_len )
+ {
+ return ret; // success, return 0 from ret
+ }
}
}
@@ -167,6 +172,8 @@
const unsigned char *data, size_t data_len )
{
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ volatile const unsigned char *data_dup = data;
+ volatile size_t data_len_dup = data_len;
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
return( ret );
@@ -183,7 +190,10 @@
if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, data, data_len ) ) != 0 )
return( ret );
-
+ if( data_dup != data || data_len_dup != data_len )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
return( ret );
}
@@ -200,6 +210,8 @@
size_t seedlen = 0;
size_t total_entropy_len;
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ volatile const unsigned char *additional_dup = additional;
+ volatile size_t len_dup = len;
if( use_nonce == HMAC_NONCE_NO )
total_entropy_len = ctx->entropy_len;
@@ -264,6 +276,11 @@
/* 4. Done */
mbedtls_platform_zeroize( seed, seedlen );
+ if( additional_dup != additional || len_dup != len )
+ {
+ return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
+
if ( ret != 0 )
return ret;
@@ -299,6 +316,11 @@
size_t len )
{
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ int (* volatile f_entropy_dup)(void *, unsigned char *, size_t) = f_entropy;
+ volatile void *p_entropy_dup = p_entropy;
+ volatile const unsigned char *custom_dup = custom;
+ volatile size_t len_dup = len;
+
size_t md_size;
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
@@ -339,6 +361,11 @@
return( ret );
}
+ if( f_entropy != f_entropy_dup || p_entropy != p_entropy_dup ||
+ custom_dup != custom || len_dup != len )
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
return( ret );
}
diff --git a/library/sha256.c b/library/sha256.c
index 07b899d..bf52eae 100644
--- a/library/sha256.c
+++ b/library/sha256.c
@@ -310,7 +310,9 @@
int ret;
size_t fill;
uint32_t left;
-
+ volatile const unsigned char *input_dup = input;
+ volatile size_t ilen_dup = ilen;
+ size_t ilen_change;
SHA256_VALIDATE_RET( ctx != NULL );
SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
@@ -353,7 +355,12 @@
/* Re-check ilen to protect from a FI attack */
if( ilen < 64 )
{
- return( 0 );
+ /* Re-check that the calculated offsets are correct */
+ ilen_change = ilen_dup - ilen;
+ if( ( input_dup + ilen_change ) == input )
+ {
+ return( 0 );
+ }
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
@@ -472,8 +479,10 @@
unsigned char output[32],
int is224 )
{
- int ret;
+ int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
mbedtls_sha256_context ctx;
+ volatile const unsigned char *input_dup = input;
+ volatile size_t ilen_dup = ilen;
SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
@@ -493,7 +502,11 @@
exit:
mbedtls_sha256_free( &ctx );
- return( ret );
+ if( input_dup == input && ilen_dup == ilen )
+ {
+ return( ret );
+ }
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 5c74386..24c73b5 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2796,10 +2796,14 @@
volatile int ret = 0;
unsigned char *p;
unsigned char *end;
+ volatile unsigned char *buf_dup = buf;
+ volatile size_t buflen_dup = buflen;
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
+ ((void) buf_dup);
+ ((void) buflen_dup);
p = buf + mbedtls_ssl_hs_hdr_len( ssl );
end = buf + buflen;
@@ -3100,7 +3104,7 @@
{
mbedtls_platform_random_delay();
- if( ret == 0 )
+ if( ret == 0 && buf_dup == buf && buflen_dup == buflen )
{
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it,
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 2cd34b2..d560d35 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3286,6 +3286,7 @@
static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
size_t *signature_len )
{
+ volatile size_t *signature_len_dup = signature_len;
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
@@ -3673,7 +3674,11 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
- return( 0 );
+ if( signature_len_dup == signature_len )
+ {
+ return( 0 );
+ }
+ return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
/* Prepare the ServerKeyExchange message and send it. For ciphersuites
@@ -4218,6 +4223,8 @@
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
unsigned char *p, *end;
+ volatile unsigned char *buf_dup = buf;
+ volatile size_t buflen_dup = buflen;
p = buf + mbedtls_ssl_hs_hdr_len( ssl );
end = buf + buflen;
@@ -4412,8 +4419,11 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
-
- return( ret );
+ if( buf_dup == buf && buflen_dup == buflen )
+ {
+ return( ret );
+ }
+ return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
/* Update the handshake state */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4f41ac9..ad2dc98 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -177,6 +177,8 @@
size_t buflen )
{
int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ volatile unsigned char *buf_dup = buf;
+ volatile size_t buflen_dup = buflen;
mbedtls_record rec;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
@@ -228,6 +230,10 @@
ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
}
+ if( buf_dup != buf || buflen_dup != buflen )
+ {
+ return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ }
MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
return( ret );
}