1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-05 19:01:12 +03:00
Commit Graph

331 Commits

Author SHA1 Message Date
1a9a69778e Fix 'missing prototype' warnings
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-01-22 15:58:57 +00:00
8cdb6064de Align Montgomery init with development
The signature and naming of the Montgomrey initialisation function in
development and in the LTS was different. Align them for easier
readability and maintenance.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-01-22 15:58:57 +00:00
4fe396f1e1 Move some bignum functions to internal header
We will need a couple of low level functions to implement safe
unblinding in RSA.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-01-22 15:58:57 +00:00
42175031ca Move calculating RR into a separate function
So far we needed it only locally here, but we will need calculating RR
for safe unblinding in RSA as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-01-22 15:58:57 +00:00
0f2971a968 Update headers
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-03 12:54:54 +00:00
2bda812130 Merge pull request #8085 from gilles-peskine-arm/mpi_exp_mod-remove_initial_copy-2.28
Backport 2.28: mbedtls_mpi_exp_mod: remove spurious copy of the output variable
2023-08-21 15:50:30 +00:00
0118a1d712 Fix a few unchecked return values
Signed-off-by: Chien Wong <m@xv97.com>
2023-08-17 22:13:11 +08:00
20d54e3115 mbedtls_mpi_exp_mod: remove spurious copy of the output variable
Clear some confusion between `X` as the output variable and "X" as a name
given to the accumulator. Previous iterations of the code used the variable
`X` as the accumulator, but now that the accumulator is `W[x_index]`, some
of the comments didn't make sense.

Remove the copy of the initial value of `X` into `W[x_index]`, which was
meaningless: the initial value of an output variable should not, and did
not, matter. `W[x_index]` is later overridden unconditionally to take the
value `RR`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-17 14:39:25 +02:00
d784833a1b Silence a warning from Clang >=15 about an unused local variable
The assembly code uses t only on some architectures. Fixes #7166.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-24 12:08:57 +01:00
fc820d96e0 Fix IAR warnings
IAR was warning that conditional execution could bypass initialisation of
variables, although those same variables were not used uninitialised. Fix
this along with some other IAR warnings.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-13 15:07:44 +00:00
78b823ab0e mbedtls_mpi_sub_abs: Skip memcpy when redundant (#6701).
In some contexts, the output pointer may equal the first input
pointer, in which case copying is not only superfluous but results in
"Source and destination overlap in memcpy" errors from Valgrind (as I
observed in the context of ecp_double_jac) and a diagnostic message
from TrustInSoft Analyzer (as Pascal Cuoq reported in the context of
other ECP functions called by cert-app with a suitable certificate).

Signed-off-by: Aaron M. Ucko <ucko@ncbi.nlm.nih.gov>
2023-01-31 15:45:44 -05:00
1b6c09a62e Switch to the new code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:52:35 +01:00
b6466c88df Fix IAR warning
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-01-06 11:31:54 +00:00
f0090d85e5 Merge remote-tracking branch 'origin/mbedtls-2.28' into merge-2.28 2022-12-05 11:04:05 +00:00
b118d54ff6 mpi_exp_mod: use x_index consistently
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:00:46 +00:00
6c5b5adb46 mpi_exp_mod: reduce the table size by one
The first half of the table is not used, let's reuse index 0 for the
result instead of appending it in the end.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 10:47:10 +00:00
6fa7a766cc mpi_exp_mod: fix out of bounds access
The table size was set before the configured window size bound was
applied which lead to out of bounds access when the configured window
size bound is less.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 10:21:52 +00:00
2b72690e14 mpi_mod_exp: be pedantic about right shift
The window size starts giving diminishing returns around 6 on most
platforms and highly unlikely to be more than 31 in practical use cases.
Still, compilers and static analysers might complain about this and
better to be pedantic.

Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 10:21:03 +00:00
b358e46c8e Merge pull request #6618 from gilles-peskine-arm/mpi_sint-min-ub-2.28
Backport 2.28: Fix undefined behavior in bignum: NULL+0 and -most-negative-sint
2022-11-21 19:52:03 +01:00
6e2d8e3e28 mpi_exp_mod: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-21 16:14:54 +00:00
d88e21941c mpi_exp_mod: remove the 'one' variable
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-21 15:54:20 +00:00
a92f9155a5 mpi_exp_mod: simplify freeing loop
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-21 15:05:31 +00:00
aadbadbf42 mpi_exp_mod: move X next to the precomputed values
With small exponents (for example, when doing RSA-1024 with CRT, each
prime is 512 bits and we'll use wsize = 5 which may be smaller that the
maximum - or even worse when doing public RSA operations which typically
have a 16-bit exponent so we'll use wsize = 1) the usage of W will have
pre-computed values, then empty space, then the accumulator at the very
end.

Move X next to the precomputed values to make accesses more efficient
and intuitive.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-21 14:55:05 +00:00
6632383993 mpi_exp_mod: rename local variables
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-21 14:48:02 +00:00
f0ceb1cae1 mpi_exp_mod: remove memory ownership confusion
Elements of W didn't all have the same owner: all were owned by this
function, except W[x_index]. It is more robust if we make a proper copy
of X.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-21 14:31:22 +00:00
ae7cbd7576 Express abs(z) in a way that satisfies GCC and MSVC
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-17 11:03:46 +01:00
de1629aff9 Fix undefined behavior with the most negative mbedtls_mpi_sint
When x is the most negative value of a two's complement type,
`(unsigned_type)(-x)` has undefined behavior, whereas `-(unsigned_type)x`
has well-defined behavior and does what was intended.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-17 11:03:46 +01:00
103cf59e46 Fix NULL+0 in addition 0 + 0
Fix undefined behavior (typically harmless in practice) of
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() when
both operands are 0 and the left operand is represented with 0 limbs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-17 11:03:46 +01:00
3a3c50ca0a mpi_exp_mod: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-11 15:56:38 +00:00
581c460161 Fix negative zero created by (-A) + (+A) or (-A) - (-A)
In mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi(), and by extention
mbedtls_mpi_add_int() and mbedtls_mpi_sub_int(), when the resulting value
was zero, the sign bit of the result was incorrectly set to -1 when the
left-hand operand was negative. This is not a valid mbedtls_mpi
representation. Fix this: always set the sign to +1 when the result is 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-10 15:15:25 +01:00
4e47bdc2fa Unify mbedtls_mpi_add_mpi and mbedtls_mpi_sub_mpi
mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() have the same logic, just
with one bit to flip in the sign calculation. Move the shared logic to a new
auxiliary function. This slightly reduces the code size (if the compiler
doesn't inline) and reduces the maintenance burden.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-10 15:15:25 +01:00
95655a2ba0 mpi_exp_mod: protect out of window zeroes
Out of window zeroes were doing squaring on the output variable
directly. This leaks the position of windows and the out of window
zeroes.

Loading the output variable from the table in constant time removes this
leakage.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-08 09:09:14 +00:00
91c0286917 mpi_exp_mod: load the output variable to the table
This is done in preparation for constant time loading that will be added
in a later commit.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-08 09:09:14 +00:00
36f19b97e2 Include platform.h unconditionally: automatic part
We used to include platform.h only when MBEDTLS_PLATFORM_C was enabled, and
to define ad hoc replacements for mbedtls_xxx functions on a case-by-case
basis when MBEDTLS_PLATFORM_C was disabled. The only reason for this
complication was to allow building individual source modules without copying
platform.h. This is not something we support or recommend anymore, so get
rid of the complication: include platform.h unconditionally.

There should be no change in behavior since just including the header should
not change the behavior of a program.

This commit replaces most occurrences of conditional inclusion of
platform.h, using the following code:

```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-10-05 11:26:07 +02:00
5205c976da Fix a/an typos in doxygen and other comments
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-07-28 06:12:08 +01:00
c9529f9649 Fix null pointer dereference in mpi_mod_int(0, 2)
Fix a null pointer dereference when performing some operations on zero
represented with 0 limbs: mbedtls_mpi_mod_int() dividing by 2, or
mbedtls_mpi_write_string() in base 2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-27 14:48:44 +02:00
0e7791ff07 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-28 18:22:20 +01:00
582f2398d4 Merge pull request #5167 from tom-cosgrove-arm/fix-builds-with-only-mbedtls_bignum_c-defined
Backport 2.x: Fix builds when config.h only defines MBEDTLS_BIGNUM_C
2021-12-07 12:38:04 +01:00
58efe6184e Fix builds when config.h only defines MBEDTLS_BIGNUM_C
Fixes #4929

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2021-11-15 09:59:53 +00:00
c0ae1cf45a Rename internal header constant_time.h to constant_time_internal.h
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:33:19 +01:00
18a44949d0 Rename constant-time functions to have mbedtls_ct prefix
Rename functions to better suite with the module name.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:32:01 +01:00
b10301d2fc Move mbedtls_mpi_lt_mpi_ct function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:02:38 +01:00
58fc8a65ab Move mbedtls_mpi_safe_cond_swap function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:01:08 +01:00
b8caeeed5c Move mbedtls_mpi_safe_cond_assign function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:00:14 +01:00
043192d209 Move mbedtls_cf_mpi_uint_cond_assign function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 10:55:56 +01:00
5cec8b44a8 Move mbedtls_cf_cond_select_sign function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 10:54:20 +01:00
097d4f555e Move mbedtls_cf_mpi_uint_lt function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 10:52:01 +01:00
17da4f2a4e Remove module dependency
Elinimate macros defined by modules locally in the functions that are
moving to the new constant-time module.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 10:04:59 +01:00
96584ddd4b Move mbedtls_cf_size_bool_eq function to the constant-time module
There were multiple functions called mbedtls_cf_size_bool_eq. They had exactly
the same behavior, so move the one in bignum.c and remove the other.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 10:03:55 +01:00
e41e3e8a8b Rename function to have suitable name
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 09:57:28 +01:00