Update signature of mbedtls_platform_random_delay
Remove the parameter and return value from mbedtls_platform_random_delay
to make it more resistant to FI (fault injection) attacks.
diff --git a/library/entropy.c b/library/entropy.c
index 8d42dd7..6656ee8 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -273,7 +273,7 @@
volatile int strong_fi = ctx->source[i].strong;
if( strong_fi == MBEDTLS_ENTROPY_SOURCE_STRONG )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( strong_fi == MBEDTLS_ENTROPY_SOURCE_STRONG )
have_one_strong_fi = MBEDTLS_ENTROPY_SOURCE_STRONG;
@@ -305,7 +305,7 @@
if( have_one_strong_fi == MBEDTLS_ENTROPY_SOURCE_STRONG )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( have_one_strong_fi == MBEDTLS_ENTROPY_SOURCE_STRONG )
{
return( ret );
diff --git a/library/pk.c b/library/pk.c
index 252c789..caa5e17 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -597,7 +597,7 @@
if( ret_fi == UECC_SUCCESS )
{
- mbedtls_platform_random_delay( 50 );
+ mbedtls_platform_random_delay();
if( ret_fi == UECC_SUCCESS )
return( 0 );
else
@@ -1553,7 +1553,7 @@
if( verify_ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( verify_ret == 0 )
{
return( verify_ret );
diff --git a/library/platform_util.c b/library/platform_util.c
index 6c5bd3e..c615e34 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -45,6 +45,9 @@
#include <stddef.h>
#include <string.h>
+/* Max number of loops for mbedtls_platform_random_delay */
+#define MBEDTLS_MAX_RAND_DELAY 100
+
#if !defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
/*
* This implementation should never be optimized out by the compiler
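Review bot: The new `MBEDTLS_MAX_RAND_DELAY 100` doubles the bound that every call site in this commit used to pass (50), and the commit message does not say whether that is intended. If it is, the comment on the define should say so and state the unit, e.g. `/* Upper bound on busy-loop iterations (not time) for mbedtls_platform_random_delay; was 50 per call site */`. The macro also carries the public `MBEDTLS_` prefix but is private to this file and cannot be overridden; wrapping it as `#if !defined(MBEDTLS_MAX_RAND_DELAY)` / `#define MBEDTLS_MAX_RAND_DELAY 100` / `#endif` would let integrators trade handshake latency against delay jitter.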
@@ -165,21 +168,16 @@
#endif
}
-int mbedtls_platform_random_delay( size_t max_rand )
+void mbedtls_platform_random_delay( void )
{
#if !defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
- (void) max_rand;
- return -1;
+ return;
#else
size_t rn_1, rn_2, rn_3;
volatile size_t i = 0;
uint8_t shift;
- if( max_rand == 0 || max_rand > INT_MAX )
- {
- return( -1 );
- }
- rn_1 = mbedtls_platform_random_in_range( max_rand );
+ rn_1 = mbedtls_platform_random_in_range( MBEDTLS_MAX_RAND_DELAY );
rn_2 = mbedtls_platform_random_in_range( 0xffffffff ) + 1;
rn_3 = mbedtls_platform_random_in_range( 0xffffffff ) + 1;
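Review bot: When `MBEDTLS_ENTROPY_HARDWARE_ALT` is not defined, the function now returns silently where the old signature returned -1. Every double-check call site touched by this commit (entropy.c, pk.c, ssl_cli.c, ssl_srv.c, ssl_tls.c, x509_crt.c) then runs its two comparisons back-to-back, with no delay and no indication that the countermeasure is absent. If that is the intended behaviour for such builds, say so at the stub, e.g. `/* No hardware entropy source: no delay is inserted; FI double checks rely on re-evaluation only. */`, and repeat it in the function's header documentation. The function body continues past the end of this hunk, so the loop itself is not reviewed here.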
@@ -194,7 +192,7 @@
rn_2 ^= rn_3;
} while( i < rn_1 || rn_2 == 0 || rn_3 == 0 );
- return( (int)i );
+ return;
#endif /* !MBEDTLS_ENTROPY_HARDWARE_ALT */
}
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 88d609b..3c59923 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -717,7 +717,7 @@
( mbedtls_ssl_conf_get_prng( ssl->conf ), p, 28 );
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
@@ -2369,7 +2369,7 @@
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
@@ -2442,7 +2442,7 @@
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
@@ -3071,7 +3071,7 @@
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 2ba1c19..bab8f00 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -4064,7 +4064,7 @@
if( pmscounter == ssl->handshake->pmslen )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( pmscounter == ssl->handshake->pmslen )
{
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
@@ -4651,7 +4651,7 @@
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d86960e..03bfd11 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1929,7 +1929,7 @@
ssl );
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
ssl->handshake->key_derivation_done = MBEDTLS_SSL_FI_FLAG_SET;
@@ -2011,7 +2011,7 @@
mbedtls_ssl_conf_get_prng( ssl->conf ) );
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
@@ -2054,7 +2054,7 @@
mbedtls_ssl_conf_get_prng( ssl->conf ) );
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
@@ -2085,7 +2085,7 @@
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) );
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
@@ -2114,7 +2114,7 @@
mbedtls_ssl_conf_get_prng( ssl->conf ) );
if( ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ret == 0 )
{
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
@@ -7346,7 +7346,7 @@
if( verify_ret == 0 )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( verify_ret == 0 )
{
flow_counter++;
@@ -7436,7 +7436,7 @@
( verify_ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
verify_ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
( verify_ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
verify_ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
@@ -7502,7 +7502,7 @@
flow_counter == 4 )
#endif
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( verify_ret == 0 &&
#if defined(MBEDTLS_ECP_C) || defined(MBEDTLS_USE_TINYCRYPT)
flow_counter == 5 )
@@ -7989,7 +7989,7 @@
1 )
#endif
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( authmode == MBEDTLS_SSL_VERIFY_NONE ||
authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ||
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
@@ -8010,7 +8010,7 @@
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
/* When doing session resume, no premaster or peer authentication */
@@ -8027,7 +8027,7 @@
if( ssl->handshake->peer_authenticated == MBEDTLS_SSL_FI_FLAG_SET )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ssl->handshake->peer_authenticated == MBEDTLS_SSL_FI_FLAG_SET )
{
ret = 0;
@@ -8048,7 +8048,7 @@
ssl->handshake->key_derivation_done == MBEDTLS_SSL_FI_FLAG_SET &&
ssl->handshake->premaster_generated == MBEDTLS_SSL_FI_FLAG_SET )
{
- mbedtls_platform_random_delay(50);
+ mbedtls_platform_random_delay();
if( ssl->handshake->hello_random_set == MBEDTLS_SSL_FI_FLAG_SET &&
ssl->handshake->key_derivation_done == MBEDTLS_SSL_FI_FLAG_SET &&
ssl->handshake->premaster_generated == MBEDTLS_SSL_FI_FLAG_SET )
diff --git a/library/x509_crt.c b/library/x509_crt.c
index e624c6d..af8f1d6 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -3043,7 +3043,7 @@
if( ret_fi == 0 )
{
- mbedtls_platform_random_delay( 50 );
+ mbedtls_platform_random_delay();
if( ret_fi == 0 )
signature_is_good = X509_SIGNATURE_IS_GOOD;
}
@@ -3549,7 +3549,7 @@
if( signature_is_good_fi != X509_SIGNATURE_IS_GOOD )
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED | X509_BADCERT_FI_EXTRA;
- mbedtls_platform_random_delay( 50 );
+ mbedtls_platform_random_delay();
if( signature_is_good_fi != X509_SIGNATURE_IS_GOOD )
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED | X509_BADCERT_FI_EXTRA;
@@ -3861,7 +3861,7 @@
flags_fi = *flags;
if( flags_fi == 0 )
{
- mbedtls_platform_random_delay( 50 );
+ mbedtls_platform_random_delay();
if( flags_fi == 0 )
return( 0 );
}