From 090365fe608b915643168df35ec5fb0a72244027 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 8 Jun 2020 11:00:51 -0400 Subject: [PATCH 1/3] Improve the usage of uECC_RNG_Function Since the mbed TLS implementation of rng wrapper returns the size of random data generated upon success - check for it explicitly. Signed-off-by: Andrzej Kurek --- include/tinycrypt/ecc.h | 10 +++++----- tinycrypt/ecc.c | 2 +- tinycrypt/ecc_dh.c | 2 +- tinycrypt/ecc_dsa.c | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/tinycrypt/ecc.h b/include/tinycrypt/ecc.h index 6a85a5578..b6fbc6906 100644 --- a/include/tinycrypt/ecc.h +++ b/include/tinycrypt/ecc.h @@ -163,9 +163,9 @@ int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, /* uECC_RNG_Function type * The RNG function should fill 'size' random bytes into 'dest'. It should - * return 1 if 'dest' was filled with random data, or 0 if the random data could - * not be generated. The filled-in values should be either truly random, or from - * a cryptographically-secure PRNG. + * return 'size' if 'dest' was filled with random data of 'size' length, or 0 + * if the random data could not be generated. The filled-in values should be + * either truly random, or from a cryptographically-secure PRNG. * * A correctly functioning RNG function must be set (using uECC_set_rng()) * before calling uECC_make_key() or uECC_sign(). @@ -181,8 +181,8 @@ typedef int(*uECC_RNG_Function)(uint8_t *dest, unsigned int size); /* * @brief Set the function that will be used to generate random bytes. The RNG - * function should return 1 if the random data was generated, or 0 if the random - * data could not be generated. + * function should return 'size' if the random data of length 'size' was + * generated, or 0 if the random data could not be generated. * * @note On platforms where there is no predefined RNG function, this must be * called before uECC_make_key() or uECC_sign() are used. diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c index b3e3ed327..57b3228dd 100644 --- a/tinycrypt/ecc.c +++ b/tinycrypt/ecc.c @@ -1169,7 +1169,7 @@ int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, } for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { - if (!g_rng_function((uint8_t *)random, num_words * uECC_WORD_SIZE)) { + if (g_rng_function((uint8_t *)random, num_words * uECC_WORD_SIZE) != num_words * uECC_WORD_SIZE) { return 0; } random[num_words - 1] &= diff --git a/tinycrypt/ecc_dh.c b/tinycrypt/ecc_dh.c index ceabb0005..a63c84bba 100644 --- a/tinycrypt/ecc_dh.c +++ b/tinycrypt/ecc_dh.c @@ -119,7 +119,7 @@ int uECC_make_key(uint8_t *public_key, uint8_t *private_key) /* Generating _private uniformly at random: */ uECC_RNG_Function rng_function = uECC_get_rng(); if (!rng_function || - !rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE)) { + rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) != 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) { return UECC_FAILURE; } diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c index 230f6890c..70f9c8bc6 100644 --- a/tinycrypt/ecc_dsa.c +++ b/tinycrypt/ecc_dsa.c @@ -151,7 +151,7 @@ int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash, /* Generating _random uniformly at random: */ uECC_RNG_Function rng_function = uECC_get_rng(); if (!rng_function || - !rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE)) { + rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE) != 2*NUM_ECC_WORDS*uECC_WORD_SIZE) { return UECC_FAILURE; } From 8f52a8a8c06ba767ce0be2cf8d1406b7b24878a2 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 8 Jun 2020 11:02:22 -0400 Subject: [PATCH 2/3] Improve the Hamming distance of ssl_hs_is_proper_fragment return values Signed-off-by: Andrzej Kurek --- library/ssl_tls.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c92ab7f39..c79fe7d86 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -56,6 +56,8 @@ #include "mbedtls/oid.h" #endif +#define PROPER_HS_FRAGMENT 0x75555555 + #if defined(MBEDTLS_USE_TINYCRYPT) static int uecc_rng_wrapper( uint8_t *dest, unsigned int size ) { @@ -4735,7 +4737,7 @@ static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl ) mbedtls_platform_memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || mbedtls_platform_memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 ) { - return( 1 ); + return( PROPER_HS_FRAGMENT ); } return( 0 ); } @@ -4928,7 +4930,7 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) * messages; the commonality is that both handshake fragments and * future messages cannot be forwarded immediately to the * handshake logic layer. */ - if( ssl_hs_is_proper_fragment( ssl ) == 1 ) + if( ssl_hs_is_proper_fragment( ssl ) == PROPER_HS_FRAGMENT ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); @@ -6052,7 +6054,7 @@ static int ssl_buffer_message( mbedtls_ssl_context *ssl ) size_t reassembly_buf_sz; hs_buf->is_fragmented = - ( ssl_hs_is_proper_fragment( ssl ) == 1 ); + ( ssl_hs_is_proper_fragment( ssl ) == PROPER_HS_FRAGMENT ); /* We copy the message back into the input buffer * after reassembly, so check that it's not too large. From 3a0df033643261d3872f8176568814a32103c2f8 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 12 Jun 2020 06:32:13 -0400 Subject: [PATCH 3/3] Increase the Hamming distance of uECC_generate_random_int returns Signed-off-by: Andrzej Kurek --- include/tinycrypt/ecc.h | 3 ++- tinycrypt/ecc.c | 10 +++++----- tinycrypt/ecc_dsa.c | 2 +- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/include/tinycrypt/ecc.h b/include/tinycrypt/ecc.h index b6fbc6906..57aa5087d 100644 --- a/include/tinycrypt/ecc.h +++ b/include/tinycrypt/ecc.h @@ -155,7 +155,8 @@ extern const uECC_word_t curve_b[NUM_ECC_WORDS]; * @param random OUT -- random integer in the range 0 < random < top * @param top IN -- upper limit * @param num_words IN -- number of words - * @return a random integer in the range 0 < random < top + * @return UECC_SUCCESS in case of success + * @return UECC_FAILURE upon failure */ int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, wordcount_t num_words); diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c index 57b3228dd..ca91e12f4 100644 --- a/tinycrypt/ecc.c +++ b/tinycrypt/ecc.c @@ -1080,7 +1080,7 @@ int EccPoint_mult_safer(uECC_word_t * result, const uECC_word_t * point, /* If an RNG function was specified, get a random initial Z value to * protect against side-channel attacks such as Template SPA */ if (g_rng_function) { - if (!uECC_generate_random_int(k2[carry], curve_p, num_words)) { + if (uECC_generate_random_int(k2[carry], curve_p, num_words) != UECC_SUCCESS) { r = UECC_FAILURE; goto clear_and_out; } @@ -1165,21 +1165,21 @@ int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, bitcount_t num_bits = uECC_vli_numBits(top); if (!g_rng_function) { - return 0; + return UECC_FAILURE; } for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { if (g_rng_function((uint8_t *)random, num_words * uECC_WORD_SIZE) != num_words * uECC_WORD_SIZE) { - return 0; + return UECC_FAILURE; } random[num_words - 1] &= mask >> ((bitcount_t)(num_words * uECC_WORD_SIZE * 8 - num_bits)); if (!uECC_vli_isZero(random) && uECC_vli_cmp(top, random) == 1) { - return 1; + return UECC_SUCCESS; } } - return 0; + return UECC_FAILURE; } diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c index 70f9c8bc6..bb3ed813b 100644 --- a/tinycrypt/ecc_dsa.c +++ b/tinycrypt/ecc_dsa.c @@ -109,7 +109,7 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, uECC_vli_clear(tmp); tmp[0] = 1; } - else if (!uECC_generate_random_int(tmp, curve_n, num_n_words)) { + else if (uECC_generate_random_int(tmp, curve_n, num_n_words) != UECC_SUCCESS) { return UECC_FAILURE; }