Add FI countermeasures to the ssl module
This commit mainly adds buffer pointer and length duplication and checks,
but also some Hamming distance and return value checking improvements.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 24c73b5..5b47c0a 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -3587,7 +3587,10 @@
{
int ret;
unsigned char *p, *end;
+ volatile unsigned char *buf_dup = buf;
+ volatile size_t buflen_dup = buflen;
size_t n;
+
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
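Review bot: `volatile unsigned char *buf_dup = buf;` declares a pointer to volatile data, not a volatile pointer, so the saved copy of the pointer itself is an ordinary local. The compiler is then free to treat `buf_dup == buf` in the closing check of this function (the next hunk) as always true and drop that half of the countermeasure, whereas `buflen_dup` is genuinely volatile. If the intent is that the duplicate is re-read from its own storage, the qualifier belongs after the star: `unsigned char * volatile buf_dup = buf;`. The function's signature and most of its body are outside this hunk, so this is worth confirming against the generated code at the optimisation level used for release builds.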
@@ -3870,7 +3873,12 @@
}
*olen = p - buf;
- return( 0 );
+ /* Secure against buffer substitution */
+ if( buf_dup == buf && buflen_dup == buflen )
+ {
+ return( 0 );
+ }
+ return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
static int ssl_out_client_key_exchange_postprocess( mbedtls_ssl_context *ssl )
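Review bot: `*olen = p - buf;` is stored before the substitution check, so when the check fails the caller still receives a length computed from a `buf` that is no longer trusted, alongside `MBEDTLS_ERR_PLATFORM_FAULT_DETECTED`. Moving the assignment into the success branch, `if( buf_dup == buf && buflen_dup == buflen ) { *olen = p - buf; return( 0 ); }`, leaves the output parameter untouched on the fault path. Callers presumably ignore `olen` on error, but that is not visible here, and the message bytes already written to the buffer are also left in place. The function body starts outside this hunk.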