yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-20 18:40:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3613 from AndrzejKurek/fi-double-crypto-calls

Browse source 
Add double pk verification and double master secret calculation
This commit is contained in:
Andrzej Kurek 2020-10-07 16:03:23 +01:00 committed by GitHub
parent 2544cd3582 f4d2c7de31
commit ce62080a99
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
library/ssl_cli.c
View file

@ -2794,6 +2794,7 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl,
* structural change to provide default flow assumes failure * structural change to provide default flow assumes failure
*/ */
volatile int ret = 0; volatile int ret = 0;
volatile int ret_fi = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
unsigned char *p; unsigned char *p;
unsigned char *end; unsigned char *end;
@ -2931,6 +2932,7 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
{ {
((void) ret); ((void) ret);
((void) ret_fi);
((void) p); ((void) p);
((void) end); ((void) end);
((void) ciphersuite_info); ((void) ciphersuite_info);
@ -3100,7 +3102,16 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl,
{ {
mbedtls_platform_random_delay(); mbedtls_platform_random_delay();
if( ret == 0 ) if( rs_ctx == NULL )
{
ret_fi = mbedtls_pk_verify_restartable( peer_pk,
md_alg, hash, hashlen, p, sig_len, rs_ctx );
}
else
{
ret_fi = 0;
}
if( ret == 0 && ret_fi == 0 )
{ {
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it, /* We don't need the peer's public key anymore. Free it,

12
library/ssl_srv.c
View file

@ -4456,7 +4456,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
{ {
volatile int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
volatile int ret_fi = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
size_t i, sig_len; size_t i, sig_len;
unsigned char hash[48]; unsigned char hash[48];
unsigned char *hash_start = hash; unsigned char *hash_start = hash;
@ -4643,14 +4644,17 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
} }
ret = mbedtls_pk_verify( peer_pk, ret = mbedtls_pk_verify( peer_pk,
md_alg, hash_start, hashlen, md_alg, hash_start, hashlen,
ssl->in_msg + i, sig_len ); ssl->in_msg + i, sig_len );
if( ret == 0 ) if( ret == 0 )
{ {
mbedtls_platform_random_delay(); mbedtls_platform_random_delay();
if( ret == 0 ) ret_fi = mbedtls_pk_verify( peer_pk,
md_alg, hash_start, hashlen,
ssl->in_msg + i, sig_len );
if( ret == 0 && ret_fi == 0 )
{ {
mbedtls_ssl_update_handshake_status( ssl ); mbedtls_ssl_update_handshake_status( ssl );

21
library/ssl_tls.c
View file

@ -2601,6 +2601,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
size_t add_data_len; size_t add_data_len;
size_t post_avail; size_t post_avail;
int encryption_status = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
/* The SSL context is only used for debugging purposes! */ /* The SSL context is only used for debugging purposes! */
#if !defined(MBEDTLS_DEBUG_C) #if !defined(MBEDTLS_DEBUG_C)
@ -2770,7 +2771,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx, if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx,
transform->iv_enc, transform->ivlen, transform->iv_enc, transform->ivlen,
data, rec->data_len, data, rec->data_len,
data, &olen ) ) != 0 ) data, &olen ) ) != 0 )
@ -2779,7 +2780,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
#else #else
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
transform->iv_enc, transform->ivlen, transform->iv_enc, transform->ivlen,
data, rec->data_len, data, rec->data_len,
data, &olen ) ) != 0 ) data, &olen ) ) != 0 )
@ -2869,7 +2870,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx, if( ( ret = encryption_status = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx,
iv, transform->ivlen, iv, transform->ivlen,
add_data, add_data_len, /* add data */ add_data, add_data_len, /* add data */
data, rec->data_len, /* source */ data, rec->data_len, /* source */
@ -2880,7 +2881,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
#else #else
if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc, if( ( ret = encryption_status = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
iv, transform->ivlen, iv, transform->ivlen,
add_data, add_data_len, /* add data */ add_data, add_data_len, /* add data */
data, rec->data_len, /* source */ data, rec->data_len, /* source */
@ -2891,6 +2892,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
#endif #endif
MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
data + rec->data_len, transform->taglen ); data + rec->data_len, transform->taglen );
@ -2974,7 +2976,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx, if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx,
transform->iv_enc, transform->iv_enc,
transform->ivlen, transform->ivlen,
data, rec->data_len, data, rec->data_len,
@ -2984,7 +2986,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
#else #else
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
transform->iv_enc, transform->iv_enc,
transform->ivlen, transform->ivlen,
data, rec->data_len, data, rec->data_len,
@ -2994,6 +2996,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
#endif #endif
if( rec->data_len != olen ) if( rec->data_len != olen )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
@ -3082,7 +3085,11 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
return( 0 ); if( encryption_status == 0 )
{
return( 0 );
}
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
} }
int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,