1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-24 13:32:59 +03:00
Commit Graph

289 Commits

Author SHA1 Message Date
Gilles Peskine
2536aa709b mbedtls_mpi_div_mpi: directly grow T1 to its useful size
T1 is set to a 2-limb value. The first operation that takes it as
input is mbedtls_mpi_mul_int, which makes it grow to 3 limbs. Later it
is shifted left, which causes it to grow again. Set its size to the
final size from the start. This saves two calls to calloc(), at the
expense of a slowdown in some operations involving T1 as input since
it now has more leading zeros.

Setting T1 to 3 limbs initially instead of 2 saves about 6% of the
calloc() calls in test_suite_ecp and does not incur a performance
penalty. Setting T1 to A->n + 2 limbs instead of 2 saves about 20% of
the calloc calls and does not cause a measurable performance
difference on my Linux PC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 22:51:25 +01:00
Gilles Peskine
cd0dbf36b6 mbedtls_mpi_mul_hlp: no microoptimization
Note a possible microoptimization in mbedtls_mpi_mul_hlp that I tried
in the hope of reducing the number of allocations, but turned out to
be counterproductive.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 22:51:25 +01:00
Gilles Peskine
8e464c407a mpi_mul_hlp: microoptimization
If c == 0, no need to add it to *d.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 22:51:25 +01:00
Gilles Peskine
8fd95c6757 Perform mbedtls_mpi_mul_int in place if possible
Rewrite mbedtls_mpi_mul_int to call mpi_mul_hlp directly rather than
create a temporary mpi object. This has the benefit of not performing
an allocation when the multiplication is in place (mpi operand aliased
with the result) and the result mpi is large enough.

This saves about 40% of the calloc() calls in test_suite_ecp. There is
no measurable performance difference on my Linux PC.

The cost is a few bytes in bignum.o.

When there is no aliasing, or when there is aliasing but the mpi
object needs to be enlarged, the performance difference is negligible.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 22:51:25 +01:00
Gilles Peskine
a5d8d89cca Document mpi_mul_hlp
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 22:51:25 +01:00
Gilles Peskine
1acf7cb76c Avoid reallocating during subtraction
mbedtls_mpi_sub_abs systematically allocated a new mpi when the result
was aliased with the right operand (i.e. X = A - X). This aliasing
very commonly happens during ECP operations. Rewrite the function to
allocate only if the result might not fit otherwise.

This costs a few bytes of code size in bignum.o, and might make
mbedtls_mpi_sub_abs very very slightly slower when no reallocation is
done. However, there is a substantial performance gain in ECP
operations with Montgomery curves (10-20% on my PC).

test_suite_ecp drops from 1422794 to 1271506 calls to calloc().

This commit also fixes a bug whereby mbedtls_mpi_sub_abs would leak
memory when X == B (so TB was in use) and the result was negative.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 22:51:25 +01:00
Janos Follath
7973e2b358 Merge pull request #772 from chris-jones-arm/development-restricted
Fix Diffie-Hellman large key size DoS
2020-12-07 09:28:55 +00:00
Gilles Peskine
89b4130098 Fix memory leak in mbedtls_mpi_sub_abs
Fix a memory leak in mbedtls_mpi_sub_abs when the output parameter is
aliased to the second operand (X = A - X) and the result is negative.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
Manuel Pégourié-Gonnard
489c058b52 Merge branch 'development' into development-restricted
* development: (488 commits)
  Fix removal of deprecated PSA constants
  Use GitHub-compatible table formatting
  Remove psa header files in uninstall part
  Change function casting in `ssl_calc_finished_tls_sha384`
  Fix GCC warning in `ssl_calc_finished_tls_sha384`
  Add changelog entry file to `ChangeLog.d`
  Fix GCC warning in `ssl_calc_finished_tls_sha384`
  Fix GCC warning about `test_snprintf`
  Fix mismatched function parameters (prototype/definition)
  Fix build failure on gcc-11
  Copyediting
  Clarifications around key import
  Fix copypasta
  A variable is unused in some configurations
  Rename test_driver_keygen to test_driver_key_management
  Move "internal use" sentence attached to the wrong function
  Added changelog
  Plug in the entry point for public key export through driver
  tests: psa: Reset key attributes where needed
  Improve/fix documentation
  ...
2020-12-03 09:59:42 +01:00
Chris Jones
9246d04150 Fix potential DoS by limiting number sizes in exponentiation
Check that the exponent and modulus is below `MBEDTLS_MPI_MAX_BITS` before
performing a time expensive operation (modular exponentiation). This prevents
a potential DoS from Diffie-Hellman computations with extremely
large key sizes.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-02 15:25:27 +00:00
Gilles Peskine
436400eec3 Handle random generator failure in mbedtls_mpi_fill_random()
Discuss the impact in a changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-25 17:30:46 +01:00
Daniel Otte
388f9b2d0f adjusting size of sliding window array to correct size.
Probably the `W[2 << MBEDTLS_MPI_WINDOW_SIZE]` notation is based on a transcription of 2**MBEDTLS_MPI_WINDOW_SIZE.

Signed-off-by: Daniel Otte <d.otte@wut.de>
2020-08-21 12:57:08 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Gilles Peskine
db09ef6d22 Include common.h instead of config.h in library source files
In library source files, include "common.h", which takes care of
including "mbedtls/config.h" (or the alternative MBEDTLS_CONFIG_FILE)
and other things that are used throughout the library.

FROM=$'#if !defined(MBEDTLS_CONFIG_FILE)\n#include "mbedtls/config.h"\n#else\n#include MBEDTLS_CONFIG_FILE\n#endif' perl -i -0777 -pe 's~\Q$ENV{FROM}~#include "common.h"~' library/*.c 3rdparty/*/library/*.c scripts/data_files/error.fmt scripts/data_files/version_features.fmt

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:26:57 +02:00
Gilles Peskine
09ec10a32e Clean up some comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-09 10:39:38 +02:00
Gilles Peskine
0e5faf6407 mbedtls_mpi_sub_abs: check the range of the result when it happens
The function mbedtls_mpi_sub_abs first checked that A >= B and then
performed the subtraction, relying on the fact that A >= B to
guarantee that the carry propagation would stop, and not taking
advantage of the fact that the carry when subtracting two numbers can
only be 0 or 1. This made the carry propagation code a little hard to
follow.

Write an ad hoc loop for the carry propagation, checking the size of
the result. This makes termination obvious.

The initial check that A >= B is no longer needed, since the function
now checks that the carry propagation terminates, which is equivalent.
This is a slight performance gain.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-08 22:50:35 +02:00
Gilles Peskine
221626f2d3 Simplify the final reduction in mpi_montmul
There was some confusion during review about when A->p[n] could be
nonzero. In fact, there is no need to set A->p[n]: only the
intermediate result d might need to extend to n+1 limbs, not the final
result A. So never access A->p[n]. Rework the explanation of the
calculation in a way that should be easier to follow.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-08 22:37:50 +02:00
Gilles Peskine
c097e9ea45 Move carry propagation out of mpi_sub_hlp
The function mpi_sub_hlp had confusing semantics: although it took a
size parameter, it accessed the limb array d beyond this size, to
propagate the carry. This made the function difficult to understand
and analyze, with a potential buffer overflow if misused (not enough
room to propagate the carry).

Change the function so that it only performs the subtraction within
the specified number of limbs, and returns the carry.

Move the carry propagation out of mpi_sub_hlp and into its caller
mbedtls_mpi_sub_abs. This makes the code of subtraction very slightly
less neat, but not significantly different.

In the one other place where mpi_sub_hlp is used, namely mpi_montmul,
this is a net win because the carry is potentially sensitive data and
the function carefully arranges to not have to propagate it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-08 22:08:21 +02:00
Gilles Peskine
37ecc61836 More logical parameter order for mpi_sub_hlp
mpi_sub_hlp performs a subtraction A - B, but took parameters in the
order (B, A). Swap the parameters so that they match the usual
mathematical syntax.

This has the additional benefit of putting the output parameter (A)
first, which is the normal convention in this module.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-08 22:05:13 +02:00
Gilles Peskine
026f555df3 Explicitly cast down from mbedtls_mpi_uint to unsigned char
Let code analyzers know that this is deliberate. For example MSVC
warns about the conversion if it's implicit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-05 10:48:25 +02:00
Gilles Peskine
132c0976e9 Remove a secret-dependent branch in Montgomery multiplication
In mpi_montmul, an auxiliary function for modular
exponentiation (mbedtls_mpi_mod_exp) that performs Montgomery
multiplication, the last step is a conditional subtraction to force
the result into the correct range. The current implementation uses a
branch and therefore may leak information about secret data to an
adversary who can observe what branch is taken through a side channel.

Avoid this potential leak by always doing the same subtraction and
doing a contant-trace conditional assignment to set the result.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 21:55:23 +02:00
Gilles Peskine
f04d11e8b2 Separate out low-level mpi_safe_cond_assign
Separate out a version of mpi_safe_cond_assign that works on
equal-sized limb arrays, without worrying about allocation sizes or
signs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 21:55:23 +02:00
Gilles Peskine
2a82f72703 Document some internal bignum functions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 21:55:23 +02:00
Gilles Peskine
4e91d473c3 Revert "Shut up a clang-analyzer warning"
This reverts commit 2cc69fffcf.

A check was added in mpi_montmul because clang-analyzer warned about a
possibly null pointer. However this was a false positive. Recent
versions of clang-analyzer no longer emit a warning (3.6 does, 6
doesn't).

Incidentally, the size check was wrong: mpi_montmul needs
T->n >= 2 * (N->n + 1), not just T->n >= N->n + 1.

Given that this is an internal function which is only used from one
public function and in a tightly controlled way, remove both the null
check (which is of low value to begin with) and the size check (which
would be slightly more valuable, but was wrong anyway). This allows
the function not to need to return an error, which makes the source
code a little easier to read and makes the object code a little
smaller.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 21:55:17 +02:00
Gilles Peskine
742f1a4528 Add a const annotation to the non-changing argument of mpi_sub_mul
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 20:53:57 +02:00
Kenneth Soerensen
518d435e7b Fix GCC format-signedness warnings
Signed-off-by: Kenneth Soerensen <knnthsrnsn@gmail.com>
2020-04-22 16:01:48 +02:00
Manuel Pégourié-Gonnard
4d8c836cdc Merge pull request #346 from gilles-peskine-arm/mpi_copy_shrink
Improve robustness and testing of mbedtls_mpi_copy
2020-02-06 09:52:01 +01:00
Gilles Peskine
322752ba20 Minor comment improvement 2020-01-21 13:59:51 +01:00
Gilles Peskine
e2f563e22e Improve comments in mpi_shrink 2020-01-20 21:17:43 +01:00
Gilles Peskine
db42062cb9 mpi_copy: make the 0 case slightly more robust
If Y was constructed through functions in this module, then Y->n == 0
iff Y->p == NULL. However we do not prevent filling mpi structures
manually, and zero may be represented with n=0 and p a valid pointer.
Most of the code can cope with such a representation, but for the
source of mbedtls_mpi_copy, this would cause an integer underflow.
Changing the test for zero from Y->p==NULL to Y->n==0 causes this case
to work at no extra cost.
2020-01-20 21:12:50 +01:00
Janos Follath
d27a88438f Merge branch 'development' into development-restricted 2020-01-15 15:55:11 +00:00
Janos Follath
24eed8d2d2 Initialise return values to an error
Initialising the return values to and error is best practice and makes
the library more robust.
2019-12-03 16:07:18 +00:00
Gilles Peskine
87ef0c24af Merge branch 'development' into development-restricted 2019-11-20 20:09:34 +01:00
Janos Follath
307024207a mpi_lt_mpi_ct: fix condition handling
The code previously only set the done flag if the return value was one.
This led to overriding the correct return value later on.
2019-11-05 15:13:00 +00:00
Janos Follath
67ce647ff0 ct_lt_mpi_uint: cast the return value explicitely
The return value is always either one or zero and therefore there is no
risk of losing precision. Some compilers can't deduce this and complain.
2019-11-04 10:39:20 +00:00
Janos Follath
c50e6d5edb mbedtls_mpi_lt_mpi_ct: simplify condition
In the case of *ret we might need to preserve a 0 value throughout the
loop and therefore we need an extra condition to protect it from being
overwritten.

The value of done is always 1 after *ret has been set and does not need
to be protected from overwriting. Therefore in this case the extra
condition can be removed.
2019-11-04 10:39:20 +00:00
Janos Follath
5e614cef15 Rename variable for better readability 2019-11-04 10:39:20 +00:00
Janos Follath
bb5147f165 mbedtls_mpi_lt_mpi_ct: Improve documentation 2019-11-04 10:39:20 +00:00
Janos Follath
73ba9ec9a6 Make mbedtls_mpi_lt_mpi_ct more portable
The code relied on the assumptions that CHAR_BIT is 8 and that unsigned
does not have padding bits.

In the Bignum module we already assume that the sign of an MPI is either
-1 or 1. Using this, we eliminate the above mentioned dependency.
2019-11-04 10:39:20 +00:00
Janos Follath
3f6f0e44eb Document ct_lt_mpi_uint 2019-11-04 10:39:20 +00:00
Janos Follath
4abc172360 mpi_lt_mpi_ct: make use of unsigned consistent 2019-11-04 10:39:20 +00:00
Janos Follath
a0f732ba06 ct_lt_mpi_uint: make use of biL 2019-11-04 10:39:20 +00:00
Janos Follath
0e5532d6cf Change mbedtls_mpi_cmp_mpi_ct to check less than
The signature of mbedtls_mpi_cmp_mpi_ct() meant to support using it in
place of mbedtls_mpi_cmp_mpi(). This meant full comparison functionality
and a signed result.

To make the function more universal and friendly to constant time
coding, we change the result type to unsigned. Theoretically, we could
encode the comparison result in an unsigned value, but it would be less
intuitive.

Therefore we won't be able to represent the result as unsigned anymore
and the functionality will be constrained to checking if the first
operand is less than the second. This is sufficient to support the
current use case and to check any relationship between MPIs.

The only drawback is that we need to call the function twice when
checking for equality, but this can be optimised later if an when it is
needed.
2019-11-04 10:39:20 +00:00
Janos Follath
1fc97594da mbedtls_mpi_cmp_mpi_ct: remove multiplications
Multiplication is known to have measurable timing variations based on
the operands. For example it typically is much faster if one of the
operands is zero. Remove them from constant time code.
2019-11-04 10:39:20 +00:00
Janos Follath
b2590790f2 Remove declaration after statement
Visual Studio 2013 does not like it for some reason.
2019-11-04 10:39:20 +00:00
Janos Follath
ee6abcedfd Add new, constant time mpi comparison 2019-11-04 10:39:20 +00:00
Alexander K
d19a193738 Fix code review comments:
1. variable name accoriding to the Mbed TLS coding style;
2. add a comment explaining safety of the optimization;
3. safer T2 initialization and memory zeroing on the function exit;
2019-11-01 18:20:42 +03:00
Alexander K
35d6d46169 Small performance improvement of mbedtls_mpi_div_mpi():
1. don't use dynamic allocator for fixed size T2;
2. move T2 initialization out of the inner loop.
2019-10-31 14:46:45 +03:00
Jaeden Amero
826907736f Merge remote-tracking branch 'origin/pr/2623' into development
* origin/pr/2623:
  Adapt ChangeLog
  Fix mpi_bigendian_to_host() on bigendian systems
2019-09-05 14:43:46 +01:00
Jaeden Amero
3d7005f851 Merge remote-tracking branch 'tls/pr/2363' into development
* origin/pr/2363:
  Add ChangeLog entry
  fix memory leak in mpi_miller_rabin()
2019-09-03 19:32:45 +01:00