core: ltc: add fault mitigation in crypto_acipher_rsassa_verify()

Adds fault mitigations in crypto_acipher_rsassa_verify() and dependent functions in libTomCrypt in order to include the critical final memcompare. This fault mitigation is only enabled with the calling function enabled fault mitigations and CFG_CORE_FAULT_MITIGATION is 'y'. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
jenswi-linaro · Apr 24, 2024 · 43363af · 43363af
1 parent d3040d8
commit 43363af
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/core/lib/libtomcrypt/src/pk/pkcs1/pkcs_1_pss_decode.c b/core/lib/libtomcrypt/src/pk/pkcs1/pkcs_1_pss_decode.c
@@ -1,5 +1,6 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
 /* SPDX-License-Identifier: Unlicense */
+#include <fault_mitigation.h>
 #include "tomcrypt_private.h"
 
 /**
@@ -142,7 +143,7 @@ int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
    }
 
    /* mask == hash means valid signature */
-   if (XMEM_NEQ(mask, hash, hLen) == 0) {
+   if (FTMN_CALLEE_DONE_MEMCMP(XMEM_NEQ, mask, hash, hLen) == 0) {
       *res = 1;
    }
 

diff --git a/core/lib/libtomcrypt/src/pk/rsa/rsa_verify_hash.c b/core/lib/libtomcrypt/src/pk/rsa/rsa_verify_hash.c
@@ -1,5 +1,6 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
 /* SPDX-License-Identifier: Unlicense */
+#include <fault_mitigation.h>
 #include "tomcrypt_private.h"
 
 /**
@@ -30,7 +31,9 @@ int rsa_verify_hash_ex(const unsigned char *sig,            unsigned long  sigle
 {
   unsigned long modulus_bitlen, modulus_bytelen, x;
   int           err;
+  unsigned int  inc1 = 0;
   unsigned char *tmpbuf;
+  struct ftmn   ftmn = { };
 
   LTC_ARGCHK(hash  != NULL);
   LTC_ARGCHK(sig   != NULL);
@@ -39,6 +42,7 @@ int rsa_verify_hash_ex(const unsigned char *sig,            unsigned long  sigle
 
   /* default to invalid */
   *stat = 0;
+  FTMN_SET_CHECK_RES(&ftmn, FTMN_INCR0, 1);
 
   /* valid padding? */
 
@@ -86,12 +90,18 @@ int rsa_verify_hash_ex(const unsigned char *sig,            unsigned long  sigle
   if (padding == LTC_PKCS_1_PSS) {
     /* PSS decode and verify it */
 
+    FTMN_PUSH_LINKED_CALL(&ftmn, FTMN_FUNC_HASH("pkcs_1_pss_decode"));
     if(modulus_bitlen%8 == 1){
       err = pkcs_1_pss_decode(hash, hashlen, tmpbuf+1, x-1, saltlen, hash_idx, modulus_bitlen, stat);
     }
     else{
       err = pkcs_1_pss_decode(hash, hashlen, tmpbuf, x, saltlen, hash_idx, modulus_bitlen, stat);
     }
+    if (*stat) {
+      FTMN_SET_CHECK_RES_FROM_CALL(&ftmn, FTMN_INCR1, 0);
+      inc1 = 1;
+    }
+    FTMN_POP_LINKED_CALL(&ftmn);
 
   } else {
     /* PKCS #1 v1.5 decode it */
@@ -155,15 +165,19 @@ int rsa_verify_hash_ex(const unsigned char *sig,            unsigned long  sigle
           (digestinfo[0].size == hash_descriptor[hash_idx]->OIDlen) &&
         (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx]->OID, sizeof(unsigned long) * hash_descriptor[hash_idx]->OIDlen) == 0) &&
           (siginfo[1].size == hashlen) &&
-        (XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) {
+        (ftmn_set_check_res_memcmp(&ftmn, FTMN_INCR1, XMEMCMP,
+				   siginfo[1].data, hash, hashlen) == 0)) {
          *stat = 1;
       }
+      inc1 = 1;
     } else {
       /* only check if the hash is equal */
       if ((hashlen == outlen) &&
-          (XMEMCMP(out, hash, hashlen) == 0)) {
+          (ftmn_set_check_res_memcmp(&ftmn, FTMN_INCR1, XMEMCMP,
+				     out, hash, hashlen) == 0)) {
         *stat = 1;
       }
+      inc1 = 1;
     }
 
 #ifdef LTC_CLEAN_STACK
@@ -177,6 +191,7 @@ int rsa_verify_hash_ex(const unsigned char *sig,            unsigned long  sigle
   zeromem(tmpbuf, siglen);
 #endif
   XFREE(tmpbuf);
+  FTMN_CALLEE_DONE_CHECK(&ftmn, FTMN_INCR0, FTMN_STEP_COUNT(1, inc1), !*stat);
   return err;
 }