some additional sanity checks with harden build

2024-12-17 12:47:42 -07:00 · 2024-12-17 12:47:42 -07:00 · 87ae31b48f
parent f0f50f1837
commit 87ae31b48f
3 changed files with 22 additions and 1 deletions
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@ -9138,6 +9138,11 @@ static int ecc_verify_hash(mp_int *r, mp_int *s, const byte* hash,
   if (err == MP_OKAY) {
       if (mp_cmp(v, r) == MP_EQ)
           *res = 1;
+#ifdef WOLFSSL_CHECK_VER_FAULTS
+       /* redundant comparison as sanity check that first one happened */
+       if (*res == 1 && mp_cmp(r, v) != MP_EQ)
+           *res = 0;
+#endif
   }

   /* cleanup */
--- a/wolfcrypt/src/ed25519.c
+++ b/wolfcrypt/src/ed25519.c
@ -837,7 +837,16 @@ static int ed25519_verify_msg_final_with_sha(const byte* sig, word32 sigLen,
    ret = ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2);
    if (ret != 0) {
        ret = SIG_VERIFY_E;
-    } else {
+    }
+
+#ifdef WOLFSSL_CHECK_VER_FAULTS
+    /* redundant comparison as sanity check that first one happened */
+    if (ret == 0 && ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2) != 0) {
+        ret = SIG_VERIFY_E;
+    }
+#endif
+
+    if (ret == 0) {
        /* set the verification status */
        *res = 1;
    }
--- a/wolfcrypt/src/ge_operations.c
+++ b/wolfcrypt/src/ge_operations.c
@ -9467,6 +9467,13 @@ int ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a,
    ge_p1p1_to_p2(r,t);
  }

+#ifdef WOLFSSL_CHECK_VER_FAULTS
+  if (i != -1) {
+      /* did not go through whole loop */
+      return BAD_STATE_E;
+  }
+#endif
+
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC)
  out: