eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add returning a FAULT_DETECTED error on suspected FI attacks

Browse source 
The change applies to the places where we prevent double synchronous
FI attacks with random delay, and where we do not respond to their
detection. The response to such an attack should be to return the
appropriate error code.

Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
This commit is contained in:
Piotr Nowicki 2020-06-05 17:59:28 +02:00
parent b06ec05dc0
commit e048b91d25
5 changed files with 34 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

20
library/ssl_cli.c
View file

@ -27,9 +27,9 @@
#if defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#if !defined(MBEDTLS_PLATFORM_C)
#include <stdlib.h>
#define mbedtls_calloc calloc
#define mbedtls_free free
@ -724,6 +724,10 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
return( 0 );
}
else
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
}
return( ret );
@ -2388,6 +2392,10 @@ static int ssl_rsa_generate_partial_pms( mbedtls_ssl_context *ssl,
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
return( 0 );
}
else
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
}
MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
@ -2460,6 +2468,12 @@ static int ssl_rsa_encrypt_partial_pms( mbedtls_ssl_context *ssl,
{
ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
}
else
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
goto cleanup;
}
}
else
{
@ -3101,7 +3115,7 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl,
}
else
{
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
}
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)