1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-26 00:37:41 +03:00
Commit Graph

473 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
9e1c532847 RSA: use CT gcd-modinv in deduce_private_exponent()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:40:05 +02:00
Manuel Pégourié-Gonnard
630148e67f RSA: use constant-time modinv in deduce_crt()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:40:05 +02:00
Janos Follath
210f8bc4d7 Merge pull request #1408 from mpg/improve-gcd-3.6
[3.6] Make GCD (a lot) less leaky
2025-08-13 19:44:57 +01:00
Manuel Pégourié-Gonnard
30f0732369 bignum: gcd: improve comments
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:55 +02:00
Manuel Pégourié-Gonnard
87e77d6516 bignum: fix memory leak in GCD with 0 as an input
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:55 +02:00
Manuel Pégourié-Gonnard
381d4ba03b Make mbedtls_mpi_gcd() more consistent
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:45 +02:00
Manuel Pégourié-Gonnard
c6a9d84555 bignum: use CT gcd for mbedtls_mpi_gcd()
The overall function is still not constant-time, but it just got a lot
less leaky.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:45 +02:00
Manuel Pégourié-Gonnard
a08faf9070 bignum: follow customs for ret initialisation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-12 11:55:22 +02:00
Manuel Pégourié-Gonnard
7a5447ff65 Fix a few typos
Co-authored-by: Felix Conway <felix.conway@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-12 11:55:15 +02:00
Manuel Pégourié-Gonnard
65b8011f7e bignum: make mbedtls_mpi_lsb() less leaky
The path using builtin should be OK, as it should be using dedicated CPU
instructions which are constant time.

This fixes the no-builing path.

GCC gained support for __has_builtin in version 10. We're still testing
with older GCC on the CI, so the non-builtin path is tested on the CI.

https://gcc.gnu.org/gcc-10/changes.html

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:36:26 +02:00
Manuel Pégourié-Gonnard
40dfc811ef bignum: remove dead variable-time inv_mod code
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:35:28 +02:00
Manuel Pégourié-Gonnard
1ac0a1e071 bignum: use CT modinv when A is odd (any range)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:35:28 +02:00
Manuel Pégourié-Gonnard
e41709c17e bignum: use CT modinv when A is odd and in [2, N)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:35:28 +02:00
Manuel Pégourié-Gonnard
cdfd1c9c7d bignum: use CT modinv when N is odd
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:35:28 +02:00
Felix Conway
a1c95e378a Adjust mpi_gcd_modinv_odd() internals
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-06 09:54:11 +01:00
Felix Conway
eefdfe99a4 Change A=0 (null) handling in mpi_gcd_invmod_odd()
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-05 14:35:53 +01:00
Felix Conway
d9c4c9c441 Update mpi_gcd_invmod_odd() related comments/documentation
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-05 14:33:32 +01:00
Felix Conway
f4df43b6c4 Fix gcd_invmod_odd wrapper when A is 0 (null)
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-04 17:00:10 +01:00
Felix Conway
54a94c1598 Adjust mpi_gcd_modinv_odd docs and precondition checking
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-04 11:34:19 +01:00
Felix Conway
bd7ede3f33 bignum: add mpi wrapper for gcd_modinv
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-04 11:33:48 +01:00
Janos Follath
5f316972b2 Add header for mbedtls_mpi_exp_mod_unsafe()
To silence no previous prototype warnings. And this is the proper way to
do it anyway.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-08-22 15:00:09 +01:00
Janos Follath
a5fc8f342a Move _public parameters next to their target
It is easier to read if the parameter controlling constant timeness with
respect to a parameter is next to that parameter.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-08-13 07:41:05 +01:00
Janos Follath
38ff70e169 Make _optionally_safe functions internal
The complexity of having functions whose security properties depend on a
runtime argument can be dangerous. Limit misuse by making any such
functions local.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-08-12 20:03:06 +01:00
Manuel Pégourié-Gonnard
75ed58723e Add optionally unsafe variant of exp_mod for perf
Attempt to partially solve the performance regression in 3.6.0 without
adding too much code size.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-06-18 12:52:45 +02:00
Dave Rodgman
d282e264cd Fix IAR warning
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2024-03-11 15:28:48 +00:00
Janos Follath
b888bc0be6 Fix typo
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-03-11 09:29:53 +00:00
Janos Follath
16ef486c2c Improve style
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-03-08 17:25:57 +00:00
Janos Follath
4ec0fb5924 Avoid implementation defined behaviour
The conversion back to signed short is an issue: the uint cast results
in (-1 + UINT_MAX), which is OK. But then that can't be cast back to a
signed value: "if the new type is signed and the value cannot be
represented in it; either the result is implementation-defined or an
implementation-defined signal is raised."

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-03-08 17:22:40 +00:00
Janos Follath
0902572aa4 Fix style
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-21 11:50:25 +00:00
Janos Follath
86258f51b5 Exp mod: handle negative zero
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-21 11:25:41 +00:00
Janos Follath
424c2655b9 Exp mod: tidy up temporary storage allocation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-21 09:26:36 +00:00
Janos Follath
0512d178e0 Exp mod: Make sure RR has enough limbs
When generated by exp_mod, RR has enough limbs to be passed as a
parameter to core functions. If it is received from the caller, it might
be of any length.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-20 14:30:46 +00:00
Janos Follath
518b5b60c6 Improve style
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-19 11:30:24 +00:00
Janos Follath
467a5499a5 Exp mod: clarify preprocessing
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-19 11:27:38 +00:00
Janos Follath
583f047c9f Exp mod: simplify 0 exponent handling
Removing E_core and returning early achieves the same and is simpler
(easier to read and maintain).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-19 11:16:44 +00:00
Janos Follath
576087d836 Exp mod: use assignment instead memcpy
memcpy() has the advantage of making the reader stop and arguably signal
that the shallow copy here is intentional. But that hinges on having the
right amount of & and the right size. An assignment is clearer and less
risky.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-19 11:05:01 +00:00
Janos Follath
701ae1d3d9 Exp mod: move declarations before use
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-19 10:56:54 +00:00
Janos Follath
c9faea0f70 Bignum: Remove/update obsolete comments
- We have moved to fixed window exponentiation and the algorithm used is
properly documented and referenced in core already, no need for
duplication.
- A comment on mbedtls_mpi_copy states that mbedtls_mpi_exp_mod relies
on it not to shrink X. This is not the case anymore, however we
should probably still state that some functions might rely on this
property as we don't know it for sure and it is safer to keep it that
way.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-19 10:52:03 +00:00
Janos Follath
4b5edfa0bb Bignum: remove unused functions
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-15 10:47:56 +00:00
Janos Follath
1ba40585f9 Use mpi_core_exp_mod in bignum.
The two algorithms are not equivalent. The original bignum
exponentiation was a sliding window algorithm. The one in
mpi_core_exp_mod uses a fixed window approach. This change is
intentional. We don't want to maintain two algorithms and decided to
keep the fixed window algorithm.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-02-15 10:47:56 +00:00
Valerio Setti
4e048f1749 bignum: removing usage of MPI_VALIDATE_RET()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-29 12:00:21 +01:00
Valerio Setti
a45a399a6b lib: remove NULL pointer checks performed with MBEDTLS_INTERNAL_VALIDATE[_RET]
Symbols defined starting from MBEDTLS_INTERNAL_VALIDATE[_RET]
are removed as well.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-29 12:00:15 +01:00
Dave Rodgman
59059ec503 Merge remote-tracking branch 'origin/development' into msft-aarch64
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-30 09:34:41 +00:00
Dave Rodgman
e4a6f5a7ec Use size_t cast for pointer subtractions
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-21 17:09:46 +00:00
Dave Rodgman
16799db69a update headers
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-02 19:47:20 +00:00
Dave Rodgman
0a48717b83 Simplify Windows-on-Arm macros
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-10-16 09:25:59 +01:00
Minos Galanakis
1a3ad265cc Merge branch 'development-restricted' into mbedtls-3.5.0rc0-pr
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2023-10-03 21:57:51 +01:00
Dave Rodgman
7e9af05409 Fix IAR control bypasses initialisation warning
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-28 17:08:49 +01:00
Dave Rodgman
73d8591f7f Fix IAR change of sign warning
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-28 17:00:50 +01:00
Gilles Peskine
ca1e605b9c Merge remote-tracking branch 'upstream-public/development' into development-restricted-merge-20230925
Conflicts:
* `include/mbedtls/build_info.h`: a new fragment to auto-enable
  `MBEDTLS_CIPHER_PADDING_PKCS7` was added in
  c9f4040f7f in `development-restricted`.
  In `development`, this section of the file has moved to
  `include/mbedtls/config_adjust_legacy_crypto.h`.
* `library/bignum.c`: function name change in `development-restricted` vs
  comment change in development. The comment change in `development` is not
  really relevant, so just take the line from `development-restricted`.
2023-09-25 16:16:26 +02:00