Use large Hamming distance for signature validity
If signature_is_good is 0 (invalid) of 1 (valid), then it's all too easy for
an active physical attacker to turn invalid into valid by flipping a single
bit in RAM, on the bus or in a CPU register.
Use a special value to represent "valid" that can't easily be reached by
flipping a few bits.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index e1e98df..d75e304 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2884,6 +2884,10 @@
return( 0 );
}
+/* This value is different enough from 0 that it's hard for an active physical
+ * attacker to reach it just by flipping a few bits. */
+#define X509_SIGNATURE_IS_GOOD 0x7f5a5a5a
+
/*
* Find a suitable parent for child in candidates, or return NULL.
*
@@ -2915,7 +2919,8 @@
* - [in] child: certificate for which we're looking for a parent
* - [in] candidates: chained list of potential parents
* - [out] r_parent: parent found (or NULL)
- * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
+ * - [out] r_signature_is_good: set to X509_SIGNATURE_IS_GOOD if
+ * child signature by parent is valid, or to 0
* - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
* of the chain, 0 otherwise
* - [in] path_cnt: number of intermediates seen so far
@@ -3040,7 +3045,7 @@
{
mbedtls_platform_enforce_volatile_reads();
if( ret_fi == 0 )
- signature_is_good = 1;
+ signature_is_good = X509_SIGNATURE_IS_GOOD;
}
if( top && ! signature_is_good )
@@ -3522,7 +3527,7 @@
}
/* signature was checked while searching parent */
- if( ! signature_is_good )
+ if( signature_is_good != X509_SIGNATURE_IS_GOOD )
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
{