yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-12-23 16:55:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'public/pr/2934' into baremetal

Browse source
This commit is contained in:
Simon Butcher 2019-12-05 14:32:44 +00:00
parent 5b45c6e1b3 ec37a89bf3
commit 501c466d01
3 changed files with 111 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
include/mbedtls/hmac_drbg.h
View file

@ -70,8 +70,8 @@
/* \} name SECTION: Module settings */ /* \} name SECTION: Module settings */
#define MBEDTLS_HMAC_DRBG_PR_OFF 0 /**< No prediction resistance */ #define MBEDTLS_HMAC_DRBG_PR_OFF 0x55555555 /**< No prediction resistance */
#define MBEDTLS_HMAC_DRBG_PR_ON 1 /**< Prediction resistance enabled */ #define MBEDTLS_HMAC_DRBG_PR_ON 0x2AAAAAAA /**< Prediction resistance enabled */
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
@ -202,7 +202,8 @@ void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
* \param add_len Length of additional data, or 0 * \param add_len Length of additional data, or 0
* *
* \return \c 0 on success, or an error from the underlying * \return \c 0 on success, or an error from the underlying
* hash calculation. * hash calculation or
* MBEDTLS_ERR_PLATFORM_FAULT_DETECTED.
* *
* \note Additional data is optional, pass NULL and 0 as second * \note Additional data is optional, pass NULL and 0 as second
* third argument if no additional data is being used. * third argument if no additional data is being used.
@ -237,7 +238,8 @@ int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
* \return 0 if successful, or * \return 0 if successful, or
* MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED, or * MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED, or
* MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG, or * MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG, or
* MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG. * MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG, or
* MBEDTLS_ERR_PLATFORM_FAULT_DETECTED.
*/ */
int mbedtls_hmac_drbg_random_with_add( void *p_rng, int mbedtls_hmac_drbg_random_with_add( void *p_rng,
unsigned char *output, size_t output_len, unsigned char *output, size_t output_len,
@ -255,7 +257,9 @@ int mbedtls_hmac_drbg_random_with_add( void *p_rng,
* *
* \return 0 if successful, or * \return 0 if successful, or
* MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED, or * MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED, or
* MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG * MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG,
* MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG, or
* MBEDTLS_ERR_PLATFORM_FAULT_DETECTED.
*/ */
int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len ); int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len );

94
library/hmac_drbg.c
View file

@ -34,6 +34,7 @@
#if defined(MBEDTLS_HMAC_DRBG_C) #if defined(MBEDTLS_HMAC_DRBG_C)
#include "mbedtls/hmac_drbg.h" #include "mbedtls/hmac_drbg.h"
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include <string.h> #include <string.h>
@ -51,6 +52,9 @@
#endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_SELF_TEST */
#endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_PLATFORM_C */
#define HMAC_NONCE_YES 0x4AAAAAAA
#define HMAC_NONCE_NO 0x75555555
/* /*
* HMAC_DRBG context initialization * HMAC_DRBG context initialization
*/ */
@ -74,42 +78,76 @@ int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
mbedtls_md_get_handle( &ctx->md_ctx ) ); mbedtls_md_get_handle( &ctx->md_ctx ) );
unsigned char rounds = ( additional != NULL && add_len != 0 ) ? 2 : 1; unsigned char rounds = ( additional != NULL && add_len != 0 ) ? 2 : 1;
unsigned char sep[1]; unsigned char sep[1];
volatile unsigned int flow_counter = 0;
unsigned char K[MBEDTLS_MD_MAX_SIZE]; unsigned char K[MBEDTLS_MD_MAX_SIZE];
int ret; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
for( sep[0] = 0; sep[0] < rounds; sep[0]++ ) for( sep[0] = 0; sep[0] < rounds; sep[0]++ )
{ {
/* Step 1 or 4 */ /* Step 1 or 4 */
flow_counter++;
if( ( ret = mbedtls_md_hmac_reset( &ctx->md_ctx ) ) != 0 ) if( ( ret = mbedtls_md_hmac_reset( &ctx->md_ctx ) ) != 0 )
goto exit; goto exit;
flow_counter++;
if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx, if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
ctx->V, md_len ) ) != 0 ) ctx->V, md_len ) ) != 0 )
goto exit; goto exit;
flow_counter++;
if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx, if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
sep, 1 ) ) != 0 ) sep, 1 ) ) != 0 )
goto exit; goto exit;
if( rounds == 2 ) if( rounds == 2 )
{ {
flow_counter++;
if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx, if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
additional, add_len ) ) != 0 ) additional, add_len ) ) != 0 )
goto exit; goto exit;
} }
flow_counter++;
if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, K ) ) != 0 ) if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, K ) ) != 0 )
goto exit; goto exit;
/* Step 2 or 5 */ /* Step 2 or 5 */
flow_counter++;
if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, K, md_len ) ) != 0 ) if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, K, md_len ) ) != 0 )
goto exit; goto exit;
flow_counter++;
if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx, if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
ctx->V, md_len ) ) != 0 ) ctx->V, md_len ) ) != 0 )
goto exit; goto exit;
flow_counter++;
if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V ) ) != 0 ) if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V ) ) != 0 )
goto exit; goto exit;
flow_counter++;
} }
exit: exit:
mbedtls_platform_zeroize( K, sizeof( K ) ); mbedtls_platform_zeroize( K, sizeof( K ) );
return( ret ); /* Check for possible attack.
* Counters needs to have correct values when returning success
*/
if ( ret != 0 )
return( ret ); // error case, return immediately
if ( ( ( flow_counter == 8 ) && ( sep[0] == 1 ) ) ||
( ( flow_counter == 18 ) && ( sep[0] == 2 ) ) )
{
flow_counter = flow_counter - sep[0];
// Double check flow_counter
if ( ( flow_counter == 7 ) || ( flow_counter == 16 ) )
{
return ret; // success, return 0 from ret
}
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
#if !defined(MBEDTLS_DEPRECATED_REMOVED) #if !defined(MBEDTLS_DEPRECATED_REMOVED)
@ -128,7 +166,7 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
mbedtls_md_handle_t md_info, mbedtls_md_handle_t md_info,
const unsigned char *data, size_t data_len ) const unsigned char *data, size_t data_len )
{ {
int ret; int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 ) if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
return( ret ); return( ret );
@ -146,7 +184,7 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, data, data_len ) ) != 0 ) if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, data, data_len ) ) != 0 )
return( ret ); return( ret );
return( 0 ); return( ret );
} }
/* /*
@ -160,12 +198,10 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
{ {
unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT]; unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
size_t seedlen = 0; size_t seedlen = 0;
size_t total_entropy_len;
int ret; int ret;
{ if( use_nonce == HMAC_NONCE_NO )
size_t total_entropy_len;
if( use_nonce == 0 )
total_entropy_len = ctx->entropy_len; total_entropy_len = ctx->entropy_len;
else else
total_entropy_len = ctx->entropy_len * 3 / 2; total_entropy_len = ctx->entropy_len * 3 / 2;
@ -176,7 +212,6 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
{ {
return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG ); return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
} }
}
memset( seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT ); memset( seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT );
@ -190,7 +225,7 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
/* For initial seeding, allow adding of nonce generated /* For initial seeding, allow adding of nonce generated
* from the entropy source. See Sect 8.6.7 in SP800-90A. */ * from the entropy source. See Sect 8.6.7 in SP800-90A. */
if( use_nonce ) if( use_nonce == HMAC_NONCE_YES )
{ {
/* Note: We don't merge the two calls to f_entropy() in order /* Note: We don't merge the two calls to f_entropy() in order
* to avoid requesting too much entropy from f_entropy() * to avoid requesting too much entropy from f_entropy()
@ -225,9 +260,20 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
ctx->reseed_counter = 1; ctx->reseed_counter = 1;
exit: exit:
/* 4. Done */ /* 4. Done */
mbedtls_platform_zeroize( seed, seedlen ); mbedtls_platform_zeroize( seed, seedlen );
return( ret );
if ( ret != 0 )
return ret;
if ( ret == 0 && ctx->reseed_counter == 1 )
{
/* All ok, return 0 from ret */
return ret;
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
/* /*
@ -236,8 +282,7 @@ exit:
int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx, int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
const unsigned char *additional, size_t len ) const unsigned char *additional, size_t len )
{ {
return( hmac_drbg_reseed_core( ctx, additional, len, return( hmac_drbg_reseed_core( ctx, additional, len, HMAC_NONCE_NO ) );
0 /* no nonce */ ) );
} }
/* /*
@ -286,13 +331,12 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */ md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
32; /* better (256+) -> 256 bits */ 32; /* better (256+) -> 256 bits */
if( ( ret = hmac_drbg_reseed_core( ctx, custom, len, if( ( ret = hmac_drbg_reseed_core( ctx, custom, len, HMAC_NONCE_YES ) ) != 0 )
1 /* add nonce */ ) ) != 0 )
{ {
return( ret ); return( ret );
} }
return( 0 ); return( ret );
} }
/* /*
@ -329,6 +373,8 @@ int mbedtls_hmac_drbg_random_with_add( void *p_rng,
const unsigned char *additional, size_t add_len ) const unsigned char *additional, size_t add_len )
{ {
int ret; int ret;
volatile unsigned char *output_fi = output;
volatile size_t out_len_fi = out_len;
mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng; mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
size_t md_len = mbedtls_md_get_size( size_t md_len = mbedtls_md_get_size(
mbedtls_md_get_handle( &ctx->md_ctx ) ); mbedtls_md_get_handle( &ctx->md_ctx ) );
@ -390,7 +436,21 @@ int mbedtls_hmac_drbg_random_with_add( void *p_rng,
exit: exit:
/* 8. Done */ /* 8. Done */
return( ret );
if ( ret != 0 )
return ret;
/*
* Check doubled variables and illegal conditions in case of possible
* attack.
*/
if ( ( out_len_fi == out_len ) && ( output_fi == output) &&
( left == 0 ) )
{
return ret; // Success, return 0
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
/* /*

18
library/md.c
View file

@ -32,6 +32,7 @@
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
#include "mbedtls/md.h" #include "mbedtls/md.h"
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#if defined(MBEDTLS_PLATFORM_C) #if defined(MBEDTLS_PLATFORM_C)
@ -525,7 +526,7 @@ int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key,
int ret; int ret;
unsigned char sum[MBEDTLS_MD_MAX_SIZE]; unsigned char sum[MBEDTLS_MD_MAX_SIZE];
unsigned char *ipad, *opad; unsigned char *ipad, *opad;
size_t i; size_t i = 0;
mbedtls_md_handle_t md_info; mbedtls_md_handle_t md_info;
@ -575,16 +576,27 @@ int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key,
if( ( ret = mbedtls_md_info_starts( md_info, ctx->md_ctx ) ) != 0 ) if( ( ret = mbedtls_md_info_starts( md_info, ctx->md_ctx ) ) != 0 )
goto cleanup; goto cleanup;
i++; // Use i as flow control
if( ( ret = mbedtls_md_info_update( md_info, ctx->md_ctx, ipad, if( ( ret = mbedtls_md_info_update( md_info, ctx->md_ctx, ipad,
mbedtls_md_info_block_size( md_info ) ) ) != 0 ) mbedtls_md_info_block_size( md_info ) ) ) != 0 )
{ {
goto cleanup; goto cleanup;
} }
i++; // Use i as flow control now
cleanup: cleanup:
mbedtls_platform_zeroize( sum, sizeof( sum ) ); mbedtls_platform_zeroize( sum, sizeof( sum ) );
return( ret ); if ( ret != 0 )
return ret;
/* Check possible fault injection */
if ( ( i - 2 ) == keylen )
return ret; // success, return 0 from ret
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx,
@ -653,7 +665,7 @@ int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output )
if( ( ret = mbedtls_md_info_finish( md_info, ctx->md_ctx, output ) ) != 0 ) if( ( ret = mbedtls_md_info_finish( md_info, ctx->md_ctx, output ) ) != 0 )
return( ret ); return( ret );
return( 0 ); return( ret );
} }
int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx ) int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx )