From 4aaa34c03fa03124830460995bd61e976da28b7d Mon Sep 17 00:00:00 2001
From: Piotr Nowicki
Date: Wed, 20 May 2020 13:57:38 +0200
Subject: [PATCH 1/3] Add flow monitor protection to mbedtls_platform_memcmp()

Signed-off-by: Piotr Nowicki
---
 library/platform_util.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/library/platform_util.c b/library/platform_util.c
index 2c22b3c64..2b8eb5672 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -125,22 +125,25 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num )
 volatile unsigned char diff = 0;
 size_t i = num;
-
+ size_t flow_counter = 0;
 size_t start_offset = (size_t) mbedtls_platform_random_in_range( num );
 for( i = start_offset; i < num; i++ )
 {
 unsigned char x = A[i], y = B[i];
+ flow_counter++;
 diff |= x ^ y;
 }
 for( i = 0; i < start_offset; i++ )
 {
 unsigned char x = A[i], y = B[i];
+ flow_counter++;
 diff |= x ^ y;
 }
- return( diff );
+ /* Return 0 only when diff is 0 and flow_counter is equal to num */
+ return( (int) diff | (int) ( flow_counter ^ num ) );
 }
 uint32_t mbedtls_platform_random_in_range( size_t num )

From 1a9d33e8c89aaf9016dc0a16e122cafbe8027d1d Mon Sep 17 00:00:00 2001
From: Piotr Nowicki
Date: Wed, 20 May 2020 22:10:14 +0200
Subject: [PATCH 2/3] Start comparison from a random location in the uECC_vli_equal.

This increases security and increases resistance to the side channel leakage.

Signed-off-by: Piotr Nowicki
---
 tinycrypt/ecc.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index c6c722a95..8f2cf0e55 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
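Review bot: `flow_counter` and `i` are ordinary `size_t` locals, so the optimizer is free to derive that the two loops execute `(num - start_offset) + start_offset` iterations in total and fold `flow_counter ^ num` to 0, which silently removes the fault-injection check this patch adds; declaring it `volatile size_t flow_counter = 0;` (the qualifier `diff` already carries) keeps the comparison in the emitted code. The same applies to the re-declaration `size_t i, flow_counter = 0;` in the third patch's mbedtls_platform_memcmp hunk. A lesser point: `(int) ( flow_counter ^ num )` narrows a `size_t` to `int`, so on LP64 targets a mismatch confined to the upper 32 bits would be lost — unlikely for a loop counter, but worth a comment if that narrowing is accepted deliberately. The start of mbedtls_platform_memcmp lies outside the hunk.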
@@ -286,20 +286,30 @@ uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right)
 {
 uECC_word_t diff = 0;
+ uECC_word_t flow_monitor = 0;
 uECC_word_t tmp1, tmp2;
 volatile int i;
- for (i = NUM_ECC_WORDS - 1; i >= 0; --i) {
+ int start_offset = mbedtls_platform_random_in_range(NUM_ECC_WORDS);
+
+ for (i = start_offset; i < NUM_ECC_WORDS; ++i) {
 tmp1 = left[i];
 tmp2 = right[i];
+ flow_monitor++;
 diff |= (tmp1 ^ tmp2);
 }
- /* i should be -1 now */
- mbedtls_platform_random_delay();
- diff |= i ^ -1;
+ for (i = 0; i < start_offset; ++i) {
+ tmp1 = left[i];
+ tmp2 = right[i];
+ flow_monitor++;
+ diff |= (tmp1 ^ tmp2);
+ }
- return diff;
+ mbedtls_platform_random_delay();
+
+ /* Return 0 only when diff is 0 and flow_counter is equal to NUM_ECC_WORDS */
+ return (diff | (flow_monitor ^ NUM_ECC_WORDS));
 }
 uECC_word_t cond_set(uECC_word_t p_true, uECC_word_t p_false, unsigned int cond)
@@ -848,7 +858,7 @@ void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int*product)
 } while (carry < 0);
 } else {
- while (carry ||
+ while (carry ||
 uECC_vli_cmp_unsafe(curve_p, result) != 1) {
 carry -= uECC_vli_sub(result, result, curve_p);
 }

From f0ab6d62ac64e193d44a6e0276c75797add3f04b Mon Sep 17 00:00:00 2001
From: Piotr Nowicki
Date: Mon, 25 May 2020 12:48:30 +0200
Subject: [PATCH 3/3] Added some descriptions of functions

Signed-off-by: Piotr Nowicki
---
 library/platform_util.c | 7 +++++--
 tinycrypt/ecc.c | 2 ++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/library/platform_util.c b/library/platform_util.c
index 2b8eb5672..3869f30a5 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
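Review bot: The closing comment `/* Return 0 only when diff is 0 and flow_counter is equal to NUM_ECC_WORDS */` names a variable this function does not have — the counter introduced here is `flow_monitor` — so it should read `/* Return 0 only when diff is 0 and flow_monitor is equal to NUM_ECC_WORDS */` to match the expression on the next line; the third patch touches this function again but leaves the mismatch in place. Also `int start_offset = mbedtls_platform_random_in_range(NUM_ECC_WORDS);` stores a `uint32_t` result (per the prototype visible in the first patch) in a plain `int` without a cast; harmless for NUM_ECC_WORDS, but an explicit `(int)` cast, as the first patch does with `(size_t)`, would make the narrowing intentional. Unlike the removed `diff |= i ^ -1;`, which read the volatile `i`, the new completion check reads the non-volatile `flow_monitor`; because the loop bounds still depend on volatile `i` the optimizer presumably cannot fold it away, but making `flow_monitor` volatile as well would not rely on that reasoning.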
@@ -111,6 +111,9 @@ void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num )
 /* Randomize initial data to prevent leakage while copying */
 uint32_t data = mbedtls_platform_random_in_range( 256 );
+ /* Use memset with random value at first to increase security - memset is
+ not normally part of the memcpy function and here can be useed
+ with regular, unsecured implementation */
 memset( (void *) dst, data, num );
 memcpy( (void *) ( (unsigned char *) dst + start_offset ),
 (void *) ( (unsigned char *) src + start_offset ),
@@ -124,8 +127,8 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num )
 volatile const unsigned char *B = (volatile const unsigned char *) buf2;
 volatile unsigned char diff = 0;
- size_t i = num;
- size_t flow_counter = 0;
+ /* Start from a random location and check the correct number of iterations */
+ size_t i, flow_counter = 0;
 size_t start_offset = (size_t) mbedtls_platform_random_in_range( num );
 for( i = start_offset; i < num; i++ )
diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index 8f2cf0e55..ba3626719 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -290,6 +290,7 @@ uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right)
 uECC_word_t tmp1, tmp2;
 volatile int i;
+ /* Start from a random location and check the correct number of iterations */
 int start_offset = mbedtls_platform_random_in_range(NUM_ECC_WORDS);
 for (i = start_offset; i < NUM_ECC_WORDS; ++i) {
@@ -306,6 +307,7 @@ uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right)
 diff |= (tmp1 ^ tmp2);
 }
+ /* Random delay to increase security */
 mbedtls_platform_random_delay();
 /* Return 0 only when diff is 0 and flow_counter is equal to NUM_ECC_WORDS */
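Review bot: The comment added above `memset( (void *) dst, data, num );` contains a typo (`useed`) and its second half is hard to parse; it could read `/* Fill dst with a random byte first to limit leakage; memset is not part of the protected copy itself, so the regular, unhardened implementation is acceptable here */`, which keeps the meaning of the existing "Randomize initial data to prevent leakage while copying" note above it. Both the start and the end of mbedtls_platform_memcpy lie outside this hunk.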