From ca60937cf9dd6961242a3c0c9a4aca6f9a7dcb0d Mon Sep 17 00:00:00 2001
From: Andrzej Kurek
Date: Wed, 8 Jul 2020 03:19:02 -0400
Subject: [PATCH] Add buffer and context clearing upon suspected FI

Signed-off-by: Andrzej Kurek
---
 library/aes.c | 5 +++++
 library/ccm.c | 11 ++++++++---
 library/hmac_drbg.c | 9 +++++++++
 library/sha256.c | 9 ++++++++-
 tinycrypt/ecc_dh.c | 4 ++++
 tinycrypt/ecc_dsa.c | 2 ++
 6 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/library/aes.c b/library/aes.c
index 8cfb4ba2f..e49f74f76 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -822,6 +822,7 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
         }
     }
 
+    mbedtls_platform_memset( RK, 0, ( keybits >> 5 ) * 4 );
     return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
@@ -1176,6 +1177,8 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
         }
     }
 
+    // Clear the output in case of a FI
+    mbedtls_platform_memset( output, 0, 16 );
     return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 
@@ -1460,6 +1463,8 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
         }
     }
 
+    // Clear the output in case of a FI
+    mbedtls_platform_memset( output, 0, 16 );
     return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 
diff --git a/library/ccm.c b/library/ccm.c
index ab0540b57..54d051e34 100644
--- a/library/ccm.c
+++ b/library/ccm.c
@@ -101,12 +101,14 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
         return( ret );
     }
 
-    if( keybits_dup != keybits || key_dup != key )
+    if( keybits_dup == keybits && key_dup == key )
     {
-        return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+        return( ret );
     }
 
-    return( ret );
+    // In case of a FI - clear the context
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 
 /*
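Review bot: The wipe on the fault path of `mbedtls_aes_setkey_enc` clears only `( keybits >> 5 ) * 4` bytes of `RK`, which is the size of the input key (16/24/32 bytes), not of the expanded schedule the loop above it wrote (44/52/60 words), so most round keys stay in the context after a detected fault, and `keybits` is itself a value the fault check has just cast doubt on. Wiping the whole schedule storage is the safer remedy; upstream mbedtls keeps it in `ctx->buf`, so something like `mbedtls_platform_zeroize( ctx->buf, sizeof( ctx->buf ) ); ctx->nr = 0;` would also keep a later ECB call from running with a partially cleared schedule — confirm the field names in this branch. The body of `mbedtls_aes_setkey_enc` begins outside the hunk.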
@@ -336,6 +338,9 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
         add_dup != add || add_len_dup != add_len ||
         input_dup != input || output_dup != output ||
         tag_dup != tag || tag_len_dup != tag_len)
     {
+
+        // In case of a FI - clear the output
+        mbedtls_platform_memset( output, 0, length );
         return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
     }
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index ecca88034..58750c8b7 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
@@ -212,6 +212,7 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
     int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
     volatile const unsigned char *additional_dup = additional;
     volatile size_t len_dup = len;
+    int reseed_counter_backup = -1;
 
     if( use_nonce == HMAC_NONCE_NO )
         total_entropy_len = ctx->entropy_len;
@@ -269,6 +270,7 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
         goto exit;
 
     /* 3. Reset reseed_counter */
+    reseed_counter_backup = ctx->reseed_counter;
     ctx->reseed_counter = 1;
 
 exit:
@@ -278,6 +280,10 @@ exit:
 
     if( additional_dup != additional || len_dup != len )
     {
+        /* Rollback the reseed_counter in case of FI */
+        if( reseed_counter_backup != -1 )
+            ctx->reseed_counter = reseed_counter_backup;
+
         return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
     }
 
@@ -290,6 +296,9 @@ exit:
         return ret;
     }
 
+    /* Rollback the reseed_counter in case of FI */
+    if( reseed_counter_backup != -1 )
+        ctx->reseed_counter = reseed_counter_backup;
     return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 
diff --git a/library/sha256.c b/library/sha256.c
index bf52eaea0..493e88ed5 100644
--- a/library/sha256.c
+++ b/library/sha256.c
@@ -287,7 +287,8 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
     {
         return( 0 );
     }
-
+    /* Free the ctx upon suspected FI */
+    mbedtls_sha256_free( ctx );
     return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 
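Review bot: The added `mbedtls_platform_memset( output, 0, length )` in `ccm_auth_crypt` writes through `output` for `length` bytes immediately after the comparison found one of the shadowed parameters inconsistent with its copy, and `output_dup != output` is among the conditions, so when the corrupted value is the pointer or the length itself the remediation becomes a write to an address or for a size the function no longer trusts. Limiting the wipe to the case where those two values are intact, e.g. `if( output_dup == output && length_dup == length ) mbedtls_platform_memset( output, 0, length );` (assuming `length` has a `length_dup` shadow like the other parameters — the start of the condition is outside the hunk), keeps the cleanup from becoming a second hazard. The same pattern recurs in `mbedtls_sha256_finish_ret` (`output`), `uECC_make_key` and `uECC_shared_secret` (`public_key`, `secret`) and `uECC_sign` (`signature`). In encrypt mode the tag written to `tag` is left in place while `output` is cleared; if that is intended it is worth a comment.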
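Review bot: The rollback block added under `exit:` in `hmac_drbg_reseed_core` is repeated almost verbatim in the next hunk before the fall-through `return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED )`, and both restore `ctx->reseed_counter` after the update step (outside the hunk, presumably `mbedtls_hmac_drbg_update_ret`) has already mixed the new seed into the DRBG state, so the context ends up with post-reseed state but a pre-reseed counter. If that is the intent — force another reseed on the next generate rather than trust a possibly faulted one — a comment next to the backup should say so, e.g. `/* Restore the old counter so the next generate triggers a fresh reseed; K/V may already hold the new seed */`. The `-1` sentinel plus two copies of the `if` could be replaced by one rollback performed before both fault returns, removing the duplication. The enclosing function starts and ends outside these hunks.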
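Review bot: `mbedtls_sha256_free( ctx )` on the fault path of `mbedtls_internal_sha256_process` zeroizes a context the caller owns, from a function whose job is to process one block, so a caller that inspects or reuses `ctx` after the non-zero return now sees an all-zero but still valid-looking context. A comment at the call making the ownership change explicit, e.g. `/* Suspected fault: wipe the whole state so a caller cannot finish with a corrupted digest */`, would tell maintainers this is deliberate and that the context must be re-started; the same applies to the `mbedtls_sha256_free( ctx )` calls added in `mbedtls_sha256_update_ret` and `mbedtls_sha256_finish_ret` in the following hunks. The enclosing function begins outside the hunk.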
@@ -362,6 +363,8 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
             return( 0 );
         }
     }
+    /* Free the ctx upon suspected FI */
+    mbedtls_sha256_free( ctx );
     return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 
@@ -458,6 +461,9 @@ int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
     {
         return( 0 );
     }
+    /* Free the ctx and clear output upon suspected FI */
+    mbedtls_sha256_free( ctx );
+    mbedtls_platform_memset( output, 0, 32 );
     return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 
@@ -506,6 +512,7 @@ exit:
     {
         return( ret );
     }
+    mbedtls_platform_memset( output, 0, 32 );
     return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 
diff --git a/tinycrypt/ecc_dh.c b/tinycrypt/ecc_dh.c
index 197a61a10..bf3a80343 100644
--- a/tinycrypt/ecc_dh.c
+++ b/tinycrypt/ecc_dh.c
@@ -153,6 +153,8 @@ int uECC_make_key(uint8_t *public_key, uint8_t *private_key)
 			if (private_key == private_key_dup && public_key == public_key_dup) {
 				return UECC_SUCCESS;
 			}
+			/* Erase key in case of FI */
+			mbedtls_platform_memset(public_key, 0, 2*NUM_ECC_BYTES);
 			return UECC_FAULT_DETECTED;
 		}
 	}
@@ -189,6 +191,8 @@ int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key,
 	/* erasing temporary buffer used to store secret: */
 	mbedtls_platform_zeroize(_private, sizeof(_private));
 
 	if (public_key_dup != public_key || private_key_dup != private_key || secret_dup != secret) {
+		/* Erase secret in case of FI */
+		mbedtls_platform_memset(secret, 0, NUM_ECC_BYTES);
 		return UECC_FAULT_DETECTED;
 	}
diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c
index 2b06d44fa..15098e8ff 100644
--- a/tinycrypt/ecc_dsa.c
+++ b/tinycrypt/ecc_dsa.c
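Review bot: `mbedtls_platform_memset( output, 0, 32 )` in `mbedtls_sha256_finish_ret` (and again in the `exit:` hunk of the one-shot function below) clears 32 bytes even when the context is in SHA-224 mode and only 28 bytes of digest would have been written; this is safe only because the mbedtls API documents `output` as a 32-byte buffer for both variants, and that dependency deserves a comment, e.g. `/* 32 bytes even for SHA-224: the API requires a 32-byte output buffer */`. A named constant for the digest size in place of the repeated literal `32` (and `16` in aes.c) would keep the wipe length tied to what was written. The enclosing functions begin outside these hunks.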
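Review bot: The fault path of `uECC_make_key` erases `public_key` but leaves `private_key`, the buffer the function exists to fill and the sensitive half of the pair, so a caller that ignores `UECC_FAULT_DETECTED` keeps a private key generated under a suspected fault. Adding `mbedtls_platform_memset(private_key, 0, NUM_ECC_BYTES);` next to the public-key wipe makes the existing comment "Erase key in case of FI" match what is done. The retry loop and the function continue outside the hunk.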
@@ -165,11 +165,13 @@ int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash,
 		r = uECC_sign_with_k(private_key, message_hash, hash_size, k, signature);
 		/* don't keep trying if a fault was detected */
 		if (r == UECC_FAULT_DETECTED) {
+			mbedtls_platform_memset(signature, 0, 2*NUM_ECC_BYTES);
 			return r;
 		}
 		if (r == UECC_SUCCESS) {
 			if (private_key_dup != private_key || message_hash_dup != message_hash ||
 			    hash_size_dup != hash_size || signature_dup != signature) {
+				mbedtls_platform_memset(signature, 0, 2*NUM_ECC_BYTES);
 				return UECC_FAULT_DETECTED;
 			}
 			return UECC_SUCCESS;
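Review bot: The two new `mbedtls_platform_memset(signature, 0, 2*NUM_ECC_BYTES)` lines in `uECC_sign` are identical and sit on two fault exits a few lines apart; computing one fault flag and wiping once before a shared return would remove the duplication, and the second wipe goes through `signature` right after `signature_dup != signature` may be what tripped the check. Whether the nonce `k` is erased on the early `return r` path cannot be seen from the hunk — if the erase happens only on the normal exit (outside this hunk), the fault path now leaves `k` behind, and placing `mbedtls_platform_zeroize(k, sizeof(k));` next to the signature wipe would close that gap. The retry loop and `uECC_sign` continue outside the hunk.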