Merge pull request #3481 from AndrzejKurek/fi_duplicate_buffers_2
Duplicate sensitive buffer and buffer length information
diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c
index 54572ef..8c70a42 100644
--- a/library/cipher_wrap.c
+++ b/library/cipher_wrap.c
@@ -264,6 +264,7 @@
&aes_info
};
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const mbedtls_cipher_info_t aes_192_ecb_info = {
MBEDTLS_CIPHER_AES_192_ECB,
MBEDTLS_MODE_ECB,
@@ -285,6 +286,7 @@
16,
&aes_info
};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#if defined(MBEDTLS_CIPHER_MODE_CBC)
static const mbedtls_cipher_info_t aes_128_cbc_info = {
@@ -298,6 +300,7 @@
&aes_info
};
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const mbedtls_cipher_info_t aes_192_cbc_info = {
MBEDTLS_CIPHER_AES_192_CBC,
MBEDTLS_MODE_CBC,
@@ -319,6 +322,7 @@
16,
&aes_info
};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_CIPHER_MODE_CFB)
@@ -333,6 +337,7 @@
&aes_info
};
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const mbedtls_cipher_info_t aes_192_cfb128_info = {
MBEDTLS_CIPHER_AES_192_CFB128,
MBEDTLS_MODE_CFB,
@@ -354,6 +359,7 @@
16,
&aes_info
};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_CIPHER_MODE_CFB */
#if defined(MBEDTLS_CIPHER_MODE_OFB)
@@ -368,6 +374,7 @@
&aes_info
};
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const mbedtls_cipher_info_t aes_192_ofb_info = {
MBEDTLS_CIPHER_AES_192_OFB,
MBEDTLS_MODE_OFB,
@@ -389,6 +396,7 @@
16,
&aes_info
};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_CIPHER_MODE_OFB */
#if defined(MBEDTLS_CIPHER_MODE_CTR)
@@ -403,6 +411,7 @@
&aes_info
};
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const mbedtls_cipher_info_t aes_192_ctr_info = {
MBEDTLS_CIPHER_AES_192_CTR,
MBEDTLS_MODE_CTR,
@@ -424,6 +433,7 @@
16,
&aes_info
};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_CIPHER_MODE_CTR */
#if defined(MBEDTLS_CIPHER_MODE_XTS)
@@ -500,6 +510,7 @@
&xts_aes_info
};
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const mbedtls_cipher_info_t aes_256_xts_info = {
MBEDTLS_CIPHER_AES_256_XTS,
MBEDTLS_MODE_XTS,
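Review bot: The guard added before `aes_256_xts_info` leaves `aes_128_xts_info` available in a 128-bit-only build, and nothing here says that this is deliberate. AES-128-XTS takes a 256-bit combined key made of two 128-bit AES keys, so keeping it is consistent with the option, but a reader comparing key lengths could take it for an oversight. I would add a comment above the guard, for example `/* AES-128-XTS stays: its 256-bit key is two 128-bit AES keys. */`. The matching `#endif` is in the following hunk.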
@@ -510,6 +521,7 @@
16,
&xts_aes_info
};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_CIPHER_MODE_XTS */
#if defined(MBEDTLS_GCM_C)
@@ -558,6 +570,7 @@
&gcm_aes_info
};
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const mbedtls_cipher_info_t aes_192_gcm_info = {
MBEDTLS_CIPHER_AES_192_GCM,
MBEDTLS_MODE_GCM,
@@ -579,6 +592,7 @@
16,
&gcm_aes_info
};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_GCM_C */
#if defined(MBEDTLS_CCM_C)
@@ -627,6 +641,7 @@
&ccm_aes_info
};
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const mbedtls_cipher_info_t aes_192_ccm_info = {
MBEDTLS_CIPHER_AES_192_CCM,
MBEDTLS_MODE_CCM,
@@ -648,6 +663,7 @@
16,
&ccm_aes_info
};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_CCM_C */
#endif /* MBEDTLS_AES_C */
@@ -2123,42 +2139,65 @@
{
#if defined(MBEDTLS_AES_C)
{ MBEDTLS_CIPHER_AES_128_ECB, &aes_128_ecb_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ MBEDTLS_CIPHER_AES_192_ECB, &aes_192_ecb_info },
{ MBEDTLS_CIPHER_AES_256_ECB, &aes_256_ecb_info },
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#if defined(MBEDTLS_CIPHER_MODE_CBC)
{ MBEDTLS_CIPHER_AES_128_CBC, &aes_128_cbc_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ MBEDTLS_CIPHER_AES_192_CBC, &aes_192_cbc_info },
{ MBEDTLS_CIPHER_AES_256_CBC, &aes_256_cbc_info },
-#endif
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
#if defined(MBEDTLS_CIPHER_MODE_CFB)
{ MBEDTLS_CIPHER_AES_128_CFB128, &aes_128_cfb128_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ MBEDTLS_CIPHER_AES_192_CFB128, &aes_192_cfb128_info },
{ MBEDTLS_CIPHER_AES_256_CFB128, &aes_256_cfb128_info },
-#endif
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
#if defined(MBEDTLS_CIPHER_MODE_OFB)
{ MBEDTLS_CIPHER_AES_128_OFB, &aes_128_ofb_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ MBEDTLS_CIPHER_AES_192_OFB, &aes_192_ofb_info },
{ MBEDTLS_CIPHER_AES_256_OFB, &aes_256_ofb_info },
-#endif
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
#if defined(MBEDTLS_CIPHER_MODE_CTR)
{ MBEDTLS_CIPHER_AES_128_CTR, &aes_128_ctr_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ MBEDTLS_CIPHER_AES_192_CTR, &aes_192_ctr_info },
{ MBEDTLS_CIPHER_AES_256_CTR, &aes_256_ctr_info },
-#endif
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
#if defined(MBEDTLS_CIPHER_MODE_XTS)
{ MBEDTLS_CIPHER_AES_128_XTS, &aes_128_xts_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ MBEDTLS_CIPHER_AES_256_XTS, &aes_256_xts_info },
-#endif
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
#if defined(MBEDTLS_GCM_C)
{ MBEDTLS_CIPHER_AES_128_GCM, &aes_128_gcm_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ MBEDTLS_CIPHER_AES_192_GCM, &aes_192_gcm_info },
{ MBEDTLS_CIPHER_AES_256_GCM, &aes_256_gcm_info },
-#endif
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_GCM_C */
+
#if defined(MBEDTLS_CCM_C)
{ MBEDTLS_CIPHER_AES_128_CCM, &aes_128_ccm_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ MBEDTLS_CIPHER_AES_192_CCM, &aes_192_ccm_info },
{ MBEDTLS_CIPHER_AES_256_CCM, &aes_256_ccm_info },
-#endif
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_CCM_C */
+
#endif /* MBEDTLS_AES_C */
#if defined(MBEDTLS_ARC4_C)
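Review bot: With `MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH` defined, the AES-192 and AES-256 entries drop out of this table, so a caller that still asks for one of those cipher types will presumably get a not-found result at run time rather than a build error. Nothing visible in this file ties the option to the TLS ciphersuite selection or to other users of those types. A compile-time `#error` for configurations that enable an AES-256 or AES-192 user together with this option would surface the mismatch early. The guards here do mirror the ones placed on the `*_info` definitions in the earlier hunks, which keeps the table free of references to undefined symbols. The table's declaration starts outside the hunk.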
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e4db522..c16bd61 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7186,7 +7186,7 @@
static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
mbedtls_x509_crt *chain )
{
- int ret;
+ volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
int crt_cnt=0;
#endif
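Review bot: The new declaration `volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;` carries two intentions that are not written down. The initial value makes the function fail closed if an assignment to `ret` is skipped, and `volatile` forces the later re-reads of `ret` to hit memory instead of being folded by the compiler. Without a comment, a later cleanup could drop the qualifier or reset the default to 0 and silently remove the protection. I would add above it `/* Fail closed: stays FAULT_DETECTED until a result is stored; volatile keeps the re-checks of ret from being optimised out. */`. The function body continues outside the hunk.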
@@ -7298,10 +7298,25 @@
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
switch( ret )
{
- case 0: /*ok*/
+ case 0: /* ok */
+ mbedtls_platform_random_delay();
+ if( ret != 0 )
+ {
+ alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto crt_parse_der_failed;
+ }
+ break;
case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
/* Ignore certificate with an unknown algorithm: maybe a
- prior certificate was already trusted. */
+ * prior certificate was already trusted. */
+ mbedtls_platform_random_delay();
+ if( ret != MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND )
+ {
+ alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto crt_parse_der_failed;
+ }
break;
case MBEDTLS_ERR_X509_ALLOC_FAILED:
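Review bot: The `if( ret != 0 )` inside `case 0:` and the matching test in the unknown-algorithm case read as dead code. They only make sense once the reader knows that `ret` is `volatile` (declared in the previous hunk) and that the second read after `mbedtls_platform_random_delay()` is a fault-injection countermeasure. A short comment on each, such as `/* FI countermeasure: re-read ret after a random delay; a mismatch means the switch was glitched. */`, would keep a maintainer or a static-analysis cleanup from removing them. The two blocks differ only in the expected value, so a small local macro taking that value would keep them from drifting apart. The switch continues past the end of the hunk.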