diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index 8d00eba9f..1f45b1c7d 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -161,8 +161,11 @@ MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t; * \param buf Buffer to be zeroized * \param len Length of the buffer in bytes * + * \return The value of \p buf if the operation was successful. + * \return NULL if a potential FI attack was detected or input parameters + * are not valid. */ -void mbedtls_platform_zeroize( void *buf, size_t len ); +void *mbedtls_platform_zeroize( void *buf, size_t len ); /** * \brief Secure memset @@ -176,7 +179,8 @@ void mbedtls_platform_zeroize( void *buf, size_t len ); * \param value Value to be used when setting the buffer. * \param num The length of the buffer in bytes. * - * \return The value of \p ptr. + * \return The value of \p ptr if the operation was successful. + * \return NULL if a potential FI attack was detected. */ void *mbedtls_platform_memset( void *ptr, int value, size_t num ); diff --git a/library/platform_util.c b/library/platform_util.c index 5e938f9c9..28790a4bd 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -95,30 +95,68 @@ void *mbedtls_platform_memset( void *, int, size_t ); static void * (* const volatile memset_func)( void *, int, size_t ) = mbedtls_platform_memset; -void mbedtls_platform_zeroize( void *buf, size_t len ) +void *mbedtls_platform_zeroize( void *buf, size_t len ) { - MBEDTLS_INTERNAL_VALIDATE( len == 0 || buf != NULL ); + volatile size_t vlen = len; - if( len > 0 ) - memset_func( buf, 0, len ); + MBEDTLS_INTERNAL_VALIDATE_RET( ( len == 0 || buf != NULL ), NULL ); + + if( vlen > 0 ) + { + return memset_func( buf, 0, vlen ); + } + else + { + mbedtls_platform_random_delay(); + if( vlen == 0 && vlen == len ) + { + return buf; + } + } + return NULL; } #endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */ void *mbedtls_platform_memset( void *ptr, int value, size_t num ) { - /* Randomize start offset. */ - size_t start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num ); - /* Randomize data */ - uint32_t data = mbedtls_platform_random_in_range( 256 ); + size_t i, start_offset; + volatile size_t flow_counter = 0; + volatile char *b = ptr; + char rnd_data; - /* Perform a pair of memset operations from random locations with - * random data */ - memset( (void *) ( (unsigned char *) ptr + start_offset ), data, - ( num - start_offset ) ); - memset( (void *) ptr, data, start_offset ); + start_offset = (size_t) mbedtls_platform_random_in_range( (uint32_t) num ); + rnd_data = (char) mbedtls_platform_random_in_range( 256 ); - /* Perform the original memset */ - return( memset( ptr, value, num ) ); + /* Start from a random location */ + for( i = start_offset; i < num; ++i ) + { + b[i] = value; + flow_counter++; + } + + /* Perform a memset operations with random data */ + for( i = 0; i < start_offset; ++i ) + { + b[i] = rnd_data; + } + + /* Finish a memset operations with correct data */ + for( i = 0; i < start_offset; ++i ) + { + b[i] = value; + flow_counter++; + } + + /* check the correct number of iterations */ + if( flow_counter == num ) + { + mbedtls_platform_random_delay(); + if( flow_counter == num ) + { + return ptr; + } + } + return NULL; } void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num )