Added sanity check on TLS encrypt to trap against glitching.

2022-06-10 12:52:34 -07:00 · 2022-06-10 12:52:34 -07:00 · 2f4864cab2
parent afc63a3bfa
commit 2f4864cab2
4 changed files with 49 additions and 1 deletions
--- a/configure.ac
+++ b/configure.ac
@ -7468,7 +7468,7 @@ then
 fi

 AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes"],
-      [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAX_STRENGTH"])
+      [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAX_STRENGTH -DWOLFSSL_CIPHER_TEXT_CHECK"])

 AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
       test "x$ENABLED_OLD_TLS" = "xyes"],
--- a/src/internal.c
+++ b/src/internal.c
@ -15823,6 +15823,13 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
                return ENCRYPT_ERROR;
            }

+        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
+                XMEMCPY(ssl->encrypt.sanityCheck, input,
+                    min(sz, sizeof(ssl->encrypt.sanityCheck)));
+            }
+        #endif
+
        #ifdef HAVE_FUZZER
            if (ssl->fuzzerCb)
                ssl->fuzzerCb(ssl, input, sz, FUZZ_ENCRYPT, ssl->fuzzerCtx);
@ -15870,6 +15877,18 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,

        case CIPHER_STATE_END:
        {
+        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
+                XMEMCMP(out, ssl->encrypt.sanityCheck,
+                    min(sz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
+
+                WOLFSSL_MSG("Encrypt sanity check failed! Glitch?");
+                return ENCRYPT_ERROR;
+            }
+            ForceZero(ssl->encrypt.sanityCheck,
+                sizeof(ssl->encrypt.sanityCheck));
+        #endif
+
        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
            if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
--- a/src/tls13.c
+++ b/src/tls13.c
@ -1855,6 +1855,13 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
            WOLFSSL_BUFFER(aad, aadSz);
        #endif

+        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
+                XMEMCPY(ssl->encrypt.sanityCheck, input,
+                    min(dataSz, sizeof(ssl->encrypt.sanityCheck)));
+            }
+        #endif
+
        #ifdef CIPHER_NONCE
            if (ssl->encrypt.nonce == NULL)
                ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
@ -1980,6 +1987,18 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
                WOLFSSL_BUFFER(output + dataSz, macSz);
        #endif

+        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
+                XMEMCMP(output, ssl->encrypt.sanityCheck,
+                    min(dataSz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
+
+                WOLFSSL_MSG("EncryptTls13 sanity check failed! Glitch?");
+                return ENCRYPT_ERROR;
+            }
+            ForceZero(ssl->encrypt.sanityCheck,
+                sizeof(ssl->encrypt.sanityCheck));
+        #endif
+
        #ifdef CIPHER_NONCE
            ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ);
        #endif
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -3256,6 +3256,13 @@ enum CipherSrc {
 };
 #endif

+#ifdef WOLFSSL_CIPHER_TEXT_CHECK
+    #ifndef WOLFSSL_CIPHER_CHECK_SZ
+        /* 64-bits to confirm encrypt operation worked */
+        #define WOLFSSL_CIPHER_CHECK_SZ 8
+    #endif
+#endif
+
 /* cipher for now */
 typedef struct Ciphers {
 #ifdef BUILD_ARC4
@ -3282,6 +3289,9 @@ typedef struct Ciphers {
 #endif
 #if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER)
    Hmac* hmac;
+#endif
+#ifdef WOLFSSL_CIPHER_TEXT_CHECK
+    word32 sanityCheck[WOLFSSL_CIPHER_CHECK_SZ/sizeof(word32)];
 #endif
    byte    state;
    byte    setup;       /* have we set it up flag for detection */