
ECP: use CT modinv

A function that was previously called in multiple places is now called
only once, hence more susceptible to being inlined, hence the test fix.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard
2025-07-10 21:54:38 +02:00
parent c2d210ea0d
commit f35d30799c
2 changed files with 4 additions and 29 deletions


@@ -68,6 +68,7 @@
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "bn_mul.h" #include "bn_mul.h"
#include "bignum_internal.h"
#include "ecp_invasive.h" #include "ecp_invasive.h"
#include <string.h> #include <string.h>
@@ -1173,7 +1174,7 @@ cleanup:
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int_mod(grp, X, A, c)) MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int_mod(grp, X, A, c))
#define MPI_ECP_INV(dst, src) \ #define MPI_ECP_INV(dst, src) \
MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod((dst), (src), &grp->P)) MBEDTLS_MPI_CHK(mbedtls_mpi_gcd_modinv_odd(NULL, (dst), (src), &grp->P))
#define MPI_ECP_MOV(X, A) \ #define MPI_ECP_MOV(X, A) \
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A)) MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A))
@@ -2201,21 +2202,6 @@ static int ecp_mul_comb_after_precomp(const mbedtls_ecp_group *grp,
final_norm: final_norm:
MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV); MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
#endif #endif
/*
* Knowledge of the jacobian coordinates may leak the last few bits of the
* scalar [1], and since our MPI implementation isn't constant-flow,
* inversion (used for coordinate normalization) may leak the full value
* of its input via side-channels [2].
*
* [1] https://eprint.iacr.org/2003/191
* [2] https://eprint.iacr.org/2020/055
*
* Avoid the leak by randomizing coordinates before we normalize them.
*/
if (f_rng != 0) {
MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, RR, f_rng, p_rng));
}
MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, RR)); MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, RR));
#if defined(MBEDTLS_ECP_RESTARTABLE) #if defined(MBEDTLS_ECP_RESTARTABLE)
@@ -2594,18 +2580,6 @@ static int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b); MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
} }
/*
* Knowledge of the projective coordinates may leak the last few bits of the
* scalar [1], and since our MPI implementation isn't constant-flow,
* inversion (used for coordinate normalization) may leak the full value
* of its input via side-channels [2].
*
* [1] https://eprint.iacr.org/2003/191
* [2] https://eprint.iacr.org/2020/055
*
* Avoid the leak by randomizing coordinates before we normalize them.
*/
MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, R, f_rng, p_rng));
MBEDTLS_MPI_CHK(ecp_normalize_mxz(grp, R)); MBEDTLS_MPI_CHK(ecp_normalize_mxz(grp, R));
cleanup: cleanup:
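Review bot: The two hunks that delete the randomize-before-normalize blocks (the one at `final_norm:` and the one before `ecp_normalize_mxz`) also delete the only in-code explanation of the coordinate-leak concern, and nothing on the new side records that the constant-flow `mbedtls_mpi_gcd_modinv_odd` is what makes the randomization unnecessary. A short comment above the `MPI_ECP_INV` redefinition would keep that rationale with the code, e.g. `/* Constant-flow inversion: coordinates no longer need randomizing before normalization (cf. https://eprint.iacr.org/2020/055). Requires an odd modulus, which grp->P is for a prime-field curve. */`. The `_odd` suffix suggests a precondition on the modulus that the macro does not check; it should hold for every prime-field group, but it is worth confirming that no group with a different `P` can reach this macro. The `MBEDTLS_ECP_OPS_INV` budget used just above `final_norm` was presumably calibrated against the old variable-time inversion and may want re-checking against the new one. The enclosing functions `ecp_mul_comb_after_precomp` and `ecp_mul_mxz` begin and end outside the hunks.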


@@ -1293,7 +1293,8 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
helper_libtestdriver1_make_main "$loc_accel_list" # For grep to work below we need less inlining in ecp.c
ASAN_CFLAGS="$ASAN_CFLAGS -O0" helper_libtestdriver1_make_main "$loc_accel_list"
# We expect ECDH to be re-enabled for the missing curves # We expect ECDH to be re-enabled for the missing curves
grep mbedtls_ecdh_ library/ecdh.o grep mbedtls_ecdh_ library/ecdh.o
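Review bot: `ASAN_CFLAGS="$ASAN_CFLAGS -O0" helper_libtestdriver1_make_main "$loc_accel_list"` uses a temporary-assignment prefix on a shell function call, whose scope is shell-dependent: bash in its default mode restores `ASAN_CFLAGS` after the call, but in POSIX mode (or under plain sh) the assignment persists, so any later build in this component would also be compiled at -O0. If the script is only ever run under bash this is fine, but the comment on the line above could say so, e.g. `# (bash restores ASAN_CFLAGS after the call; do not rely on this under sh/posix mode)`, or the call could be wrapped in a subshell `( ... )` so the override is scoped regardless of shell. The override also relies on the last `-O` option winning, which gcc and clang honour, but since the existing contents of `ASAN_CFLAGS` are not visible here that assumption deserves a word in the comment too. The enclosing function `common_test_psa_crypto_config_accel_ecc_some_curves` begins outside the hunk, so whether later steps run test suites against this unoptimised build cannot be checked from here.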