1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-23 01:52:40 +03:00
Commit Graph

459 Commits

Author SHA1 Message Date
Dave Rodgman
fa703e38a2 Use __builtin_ctz to count trailing zeros
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-09 18:56:07 +01:00
Dave Rodgman
f3df105b37 Generate smaller code for picking a sign value
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-09 18:55:41 +01:00
Dave Rodgman
c98f8d996a Merge branch 'development' into safer-ct5
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-07 11:47:35 +01:00
Dave Rodgman
1d4d944e19 Merge pull request #7933 from tom-cosgrove-arm/add-mbedtls_zeroize_and_free
Provide and use internal function mbedtls_zeroize_and_free()
2023-08-03 12:56:21 +00:00
Chien Wong
e2caf4161b Fix a few unchecked value issue
Signed-off-by: Chien Wong <m@xv97.com>
2023-08-01 22:41:17 +08:00
Dave Rodgman
1f39f037bf Improve variable name in mbedtls_mpi_lt_mpi_ct
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-01 09:19:16 +01:00
Dave Rodgman
32d726033b Improve comments in mbedtls_mpi_lt_mpi_ct
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-31 12:43:23 +01:00
Tom Cosgrove
bc345e8685 Protect macro parameter expansion with parentheses
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-07-25 15:17:39 +01:00
Tom Cosgrove
350226f636 Use a macro for mbedtls_mpi_zeroize_and_free()
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-07-25 15:10:14 +01:00
Dave Rodgman
8e8e6b9be3 Merge pull request #7934 from AgathiyanB/move-declarations-to-top
Move declarations to top of functions
2023-07-19 15:25:27 +01:00
Tom Cosgrove
46259f670f Internal function mbedtls_mpi_zeroize() can be mbedtls_mpi_zeroize_and_free()
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-07-18 16:44:14 +01:00
Agathiyan Bragadeesh
c99840ae1f Move declarations in mbedtls_mpi_add_abs to top
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-07-17 12:21:06 +01:00
Gilles Peskine
053022fe24 Reduce the size of mbedtls_mpi
Reduce the size of mbedtls_mpi from 3 words to 2 on most architectures.

This also reduces the code size significantly in bignum.o and ecp_curves.o,
with negligible variations in other modules.

This removes the ability to set MBEDTLS_MPI_MAX_LIMBS to a value >=65536,
but we don't support customizing this value anyway (it's always 10000).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-06-29 19:33:44 +02:00
Dave Rodgman
2c76484005 Fix non-opaque use of mbedtls_ct_condition_t
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-26 12:42:48 +01:00
Dave Rodgman
2b4486a014 Rename mbedtls_ct_uint_if_new to mbedtls_ct_uint_if
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-26 12:42:48 +01:00
Dave Rodgman
cf06acac32 Use new CT interface in mbedtls_mpi_safe_cond_swap
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-26 12:42:48 +01:00
Dave Rodgman
ee54faf1cd Update mpi_select to use new CT interface
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-26 12:42:48 +01:00
Dave Rodgman
1a7a5626ec Update mbedtls_mpi_lt_mpi_ct to new interface
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-26 12:42:48 +01:00
Dave Rodgman
589ccb8aaa Update mbedtls_mpi_safe_cond_(assign|swap) part 2
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-26 12:42:48 +01:00
Dave Rodgman
cd2e38b906 Update mbedtls_mpi_safe_cond_(assign|swap) to use new CT interface
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-26 12:42:48 +01:00
Dave Rodgman
7d4f019810 Move some bignum functions out of constant_time module
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-26 12:42:48 +01:00
Dave Rodgman
68ef1d6ee6 Remove DIY SIZE_MAX definitions
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-18 20:49:03 +01:00
Minos Galanakis
0144b35f7d bignum: Updated mbedtls_mpi_shift_l to use the core method.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2023-05-16 17:16:26 +01:00
Tom Cosgrove
6af26f3838 Tidy up, remove MPI_CORE(), apply the naming convention, and use the new mbedtls_mpi_core_mul()
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-03-31 16:16:00 +02:00
Paul Elliott
1748de160a Fix IAR Warnings
IAR was warning that conditional execution could bypass initialisation of
variables, although those same variables were not used uninitialised.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-13 15:35:35 +00:00
Aaron M. Ucko
af67d2c1cf mbedtls_mpi_sub_abs: Skip memcpy when redundant (#6701).
In some contexts, the output pointer may equal the first input
pointer, in which case copying is not only superfluous but results in
"Source and destination overlap in memcpy" errors from Valgrind (as I
observed in the context of ecp_double_jac) and a diagnostic message
from TrustInSoft Analyzer (as Pascal Cuoq reported in the context of
other ECP functions called by cert-app with a suitable certificate).

Signed-off-by: Aaron M. Ucko <ucko@ncbi.nlm.nih.gov>
2023-01-17 11:52:22 -05:00
Gilles Peskine
449bd8303e Switch to the new code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:50:10 +01:00
Glenn Strauss
14db51224e Fix IAR warning
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-01-06 14:20:14 +00:00
Manuel Pégourié-Gonnard
5bf8629b2c Merge pull request #6303 from gilles-peskine-arm/bignum-core-random
Bignum: Implement mbedtls_mpi_core_random
2022-12-16 09:58:07 +01:00
Gilles Peskine
6b7ce968d2 Clarify some comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-15 15:04:33 +01:00
Dave Rodgman
acbb6dc364 Merge remote-tracking branch 'origin/development' into merge-dev 2022-12-05 10:59:23 +00:00
Gilles Peskine
70375b2028 Move mbedtls_mpi_core_random to the proper source file
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:46:26 +01:00
Gilles Peskine
78cf3bbf22 Bignum core: break mbedtls_mpi_core_random out of mbedtls_mpi_random
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:45:45 +01:00
Gilles Peskine
26be89b3f6 Bignum core: random: prepare to break out the core function
Shuffle things around a bit inside mbedtls_mpi_random() in preparation for
breaking out mbedtls_mpi_core_random().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:06:43 +01:00
Gilles Peskine
8a32a75aa2 mbedtls_mpi_random: avoid local allocation
Rewrite the minimum bound comparison to avoid a local allocation. This costs
a bit of code size, but saves RAM. This is in preparation for moving the
bulk of the function to the bignum_core module where allocation is not
permitted.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:06:43 +01:00
Manuel Pégourié-Gonnard
660b396e41 Merge pull request #975 from yanesca/issue-946
Fix RSA side channel
2022-11-23 10:30:35 +01:00
Janos Follath
3165f063b5 mpi_exp_mod: use x_index consistently
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:11 +00:00
Janos Follath
c8d66d50d0 mpi_exp_mod: reduce the table size by one
The first half of the table is not used, let's reuse index 0 for the
result instead of appending it in the end.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:11 +00:00
Janos Follath
060009518b mpi_exp_mod: fix out of bounds access
The table size was set before the configured window size bound was
applied which lead to out of bounds access when the configured window
size bound is less.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:11 +00:00
Janos Follath
9c09326572 mpi_mod_exp: be pedantic about right shift
The window size starts giving diminishing returns around 6 on most
platforms and highly unlikely to be more than 31 in practical use cases.
Still, compilers and static analysers might complain about this and
better to be pedantic.

Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:11 +00:00
Janos Follath
be54ca77e2 mpi_exp_mod: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
74601209fa mpi_exp_mod: remove the 'one' variable
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
b2c2fca974 mpi_exp_mod: simplify freeing loop
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
3646ff02ad mpi_exp_mod: move X next to the precomputed values
With small exponents (for example, when doing RSA-1024 with CRT, each
prime is 512 bits and we'll use wsize = 5 which may be smaller that the
maximum - or even worse when doing public RSA operations which typically
have a 16-bit exponent so we'll use wsize = 1) the usage of W will have
pre-computed values, then empty space, then the accumulator at the very
end.

Move X next to the precomputed values to make accesses more efficient
and intuitive.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
7fa11b88f3 mpi_exp_mod: rename local variables
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
844614814e mpi_exp_mod: remove memory ownership confusion
Elements of W didn't all have the same owner: all were owned by this
function, except W[x_index]. It is more robust if we make a proper copy
of X.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
f08b40eaab mpi_exp_mod: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
b764ee1603 mpi_exp_mod: protect out of window zeroes
Out of window zeroes were doing squaring on the output variable
directly. This leaks the position of windows and the out of window
zeroes.

Loading the output variable from the table in constant time removes this
leakage.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
8e7d6a0386 mpi_exp_mod: load the output variable to the table
This is done in preparation for constant time loading that will be added
in a later commit.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Tom Cosgrove
452c99c173 Use mbedtls_mpi_core_sub_int() in mbedtls_mpi_sub_abs()
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-11-22 14:58:15 +00:00