Fix double-check for bad signature

In the previous version, it was enough for the attacker to glitch the
top-level 'if' to skip the entire block. We want two independent blocks here,
so that an attacker can only succeed with two successive glitches.
Manuel Pégourié-Gonnard 2019-11-14 09:19:08 +01:00
parent 4c9b556e38
commit 18761926a8


@ -3547,13 +3547,11 @@ find_parent:
/* signature was checked while searching parent */
signature_is_good_fi = signature_is_good;
if( signature_is_good_fi != X509_SIGNATURE_IS_GOOD )
{
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED | X509_BADCERT_FI_EXTRA;
mbedtls_platform_enforce_volatile_reads();
if( signature_is_good_fi != X509_SIGNATURE_IS_GOOD )
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED | X509_BADCERT_FI_EXTRA;
}
mbedtls_platform_enforce_volatile_reads();
if( signature_is_good_fi != X509_SIGNATURE_IS_GOOD )
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED | X509_BADCERT_FI_EXTRA;
{
mbedtls_pk_context *parent_pk;
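Review bot: The two identical `if( signature_is_good_fi != X509_SIGNATURE_IS_GOOD )` statements carry no comment saying the repetition is deliberate, so a later cleanup or a static-analysis "duplicate condition" fix could merge or re-nest them and silently restore the single-glitch weakness the commit message describes. I would add a comment above the first check such as `/* Fault-injection hardening: tested twice in two independent statements; do not merge or nest. */`. The duplication also only survives optimisation if `signature_is_good_fi` is volatile-qualified. The `mbedtls_platform_enforce_volatile_reads()` call suggests it is, but the declaration is outside this hunk, so that is worth confirming. The enclosing function starts before the hunk and continues past it.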