feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #5498 from SparkiDev/tls_ecc_sig_fault

Browse Source 
Check ECC signature in TLS
This commit is contained in:
David Garske
2022-08-24 09:59:06 -07:00
committed by GitHub
parent 124cff60f1 2571f65e85
commit 53b74e2d32
2 changed files with 81 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
src/internal.c
View File

@ -65,7 +65,7 @@
* may be received by a client. To support detecting this, peek will * may be received by a client. To support detecting this, peek will
* return WOLFSSL_ERROR_WANT_READ. * return WOLFSSL_ERROR_WANT_READ.
* This define turns off this behaviour. * This define turns off this behaviour.
* WOLFSSL_DTLS_NO_HVR_ON_RESUME * WOLFSSL_DTLS_NO_HVR_ON_RESUME
* If defined, a DTLS server will not do a cookie exchange on successful * If defined, a DTLS server will not do a cookie exchange on successful
* client resumption: the resumption will be faster (one RTT less) and * client resumption: the resumption will be faster (one RTT less) and
* will consume less bandwidth (one ClientHello and one HelloVerifyRequest * will consume less bandwidth (one ClientHello and one HelloVerifyRequest
@ -76,6 +76,10 @@
* Verify hostname/ip address using alternate name (SAN) only and do not * Verify hostname/ip address using alternate name (SAN) only and do not
* use the common name. Forces use of the alternate name, so certificates * use the common name. Forces use of the alternate name, so certificates
* missing SAN will be rejected during the handshake * missing SAN will be rejected during the handshake
* WOLFSSL_CHECK_SIG_FAULTS
* Verifies the ECC signature after signing in case of faults in the
* calculation of the signature. Useful when signature fault injection is a
* possible attack.
*/ */
@ -29369,23 +29373,46 @@ int SendCertificateVerify(WOLFSSL* ssl)
args->verify = &args->output[args->idx]; args->verify = &args->output[args->idx];
switch (ssl->hsType) { switch (ssl->hsType) {
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
#ifdef HAVE_ECC #ifdef HAVE_ECC
case DYNAMIC_TYPE_ECC: case DYNAMIC_TYPE_ECC:
#endif #ifdef WOLFSSL_CHECK_SIG_FAULTS
#ifdef HAVE_ED25519 {
ecc_key* key = (ecc_key*)ssl->hsKey;
ret = EccVerify(ssl,
ssl->buffers.sig.buffer, ssl->buffers.sig.length,
ssl->buffers.digest.buffer, ssl->buffers.digest.length,
key,
#ifdef HAVE_PK_CALLBACKS
ssl->buffers.key
#else
NULL
#endif
);
if (ret != 0) {
WOLFSSL_MSG("Failed to verify ECC signature");
goto exit_scv;
}
}
#if defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
FALL_THROUGH;
#endif
#endif /* WOLFSSL_CHECK_SIG_FAULTS */
#endif /* HAVE_ECC */
#ifdef HAVE_ED25519
case DYNAMIC_TYPE_ED25519: case DYNAMIC_TYPE_ED25519:
#endif #endif
#ifdef HAVE_ED448 #ifdef HAVE_ED448
case DYNAMIC_TYPE_ED448: case DYNAMIC_TYPE_ED448:
#endif #endif
args->length = (word16)ssl->buffers.sig.length; args->length = (word16)ssl->buffers.sig.length;
/* prepend hdr */ /* prepend hdr */
c16toa(args->length, args->verify + args->extraSz); c16toa(args->length, args->verify + args->extraSz);
XMEMCPY(args->verify + args->extraSz + VERIFY_HEADER, XMEMCPY(args->verify + args->extraSz + VERIFY_HEADER,
ssl->buffers.sig.buffer, ssl->buffers.sig.length); ssl->buffers.sig.buffer, ssl->buffers.sig.length);
break; break;
#endif #endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
#ifndef NO_RSA #ifndef NO_RSA
case DYNAMIC_TYPE_RSA: case DYNAMIC_TYPE_RSA:
{ {
@ -31415,6 +31442,33 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
} }
#endif #endif
case ecc_dsa_sa_algo: case ecc_dsa_sa_algo:
#ifdef WOLFSSL_CHECK_SIG_FAULTS
{
ecc_key* key = (ecc_key*)ssl->hsKey;
ret = EccVerify(ssl,
args->output + LENGTH_SZ + args->idx,
args->sigSz,
ssl->buffers.digest.buffer,
ssl->buffers.digest.length,
key,
#ifdef HAVE_PK_CALLBACKS
ssl->buffers.key
#else
NULL
#endif
);
if (ret != 0) {
WOLFSSL_MSG(
"Failed to verify ECC signature");
goto exit_sske;
}
}
#if defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448)
FALL_THROUGH;
#endif
#endif /* WOLFSSL_CHECK_SIG_FAULTS */
#ifdef HAVE_ED25519 #ifdef HAVE_ED25519
case ed25519_sa_algo: case ed25519_sa_algo:
#endif #endif

19
src/tls13.c
View File

@ -77,6 +77,10 @@
* When multiple PSK identities are available for the same cipher suite. * When multiple PSK identities are available for the same cipher suite.
* Sets the first byte of the client identity to the count of identites * Sets the first byte of the client identity to the count of identites
* that have been seen so far for the cipher suite. * that have been seen so far for the cipher suite.
* WOLFSSL_CHECK_SIG_FAULTS
* Verifies the ECC signature after signing in case of faults in the
* calculation of the signature. Useful when signature fault injection is a
* possible attack.
*/ */
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
@ -7326,7 +7330,6 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
{ {
#ifdef HAVE_ECC #ifdef HAVE_ECC
if (ssl->hsType == DYNAMIC_TYPE_ECC) { if (ssl->hsType == DYNAMIC_TYPE_ECC) {
ret = EccSign(ssl, args->sigData, args->sigDataSz, ret = EccSign(ssl, args->sigData, args->sigDataSz,
args->verify + HASH_SIG_SIZE + VERIFY_HEADER, args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
(word32*)&sig->length, (ecc_key*)ssl->hsKey, (word32*)&sig->length, (ecc_key*)ssl->hsKey,
@ -7430,6 +7433,20 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
); );
} }
#endif /* !NO_RSA */ #endif /* !NO_RSA */
#if defined(HAVE_ECC) && defined(WOLFSSL_CHECK_SIG_FAULTS)
if (ssl->hsType == DYNAMIC_TYPE_ECC) {
ret = EccVerify(ssl,
args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
sig->length, args->sigData, args->sigDataSz,
(ecc_key*)ssl->hsKey,
#ifdef HAVE_PK_CALLBACKS
ssl->buffers.key
#else
NULL
#endif
);
}
#endif
/* Check for error */ /* Check for error */
if (ret != 0) { if (ret != 0) {