diff --git a/library/bignum.c b/library/bignum.c index 42ec7ac31..0df325d43 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -280,7 +280,7 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y ) * * \return The selected sign value. */ -static int mpi_safe_cond_select_sign( int a, int b, unsigned char second ) +static int mbedtls_cf_cond_select_sign( int a, int b, unsigned char second ) { /* In order to avoid questions about what we can reasonnably assume about * the representations of signed integers, move everything to unsigned @@ -304,10 +304,10 @@ static int mpi_safe_cond_select_sign( int a, int b, unsigned char second ) * dest and src must be arrays of limbs of size n. * assign must be 0 or 1. */ -static void mpi_safe_cond_assign( size_t n, - mbedtls_mpi_uint *dest, - const mbedtls_mpi_uint *src, - unsigned char assign ) +void mbedtls_cf_mpi_uint_cond_assign( size_t n, + mbedtls_mpi_uint *dest, + const mbedtls_mpi_uint *src, + unsigned char assign ) { size_t i; @@ -360,9 +360,9 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); - X->s = mpi_safe_cond_select_sign( X->s, Y->s, assign ); + X->s = mbedtls_cf_cond_select_sign( X->s, Y->s, assign ); - mpi_safe_cond_assign( Y->n, X->p, Y->p, assign ); + mbedtls_cf_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign ); for( i = Y->n; i < X->n; i++ ) X->p[i] &= ~limb_mask; @@ -409,8 +409,8 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char sw MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) ); s = X->s; - X->s = mpi_safe_cond_select_sign( X->s, Y->s, swap ); - Y->s = mpi_safe_cond_select_sign( Y->s, s, swap ); + X->s = mbedtls_cf_cond_select_sign( X->s, Y->s, swap ); + Y->s = mbedtls_cf_cond_select_sign( Y->s, s, swap ); for( i = 0; i < X->n; i++ ) @@ -1253,7 +1253,7 @@ int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y ) * * \return 1 if \p x is less than \p y, 0 otherwise */ -static unsigned ct_lt_mpi_uint( const mbedtls_mpi_uint x, +static unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x, const mbedtls_mpi_uint y ) { mbedtls_mpi_uint ret; @@ -1328,7 +1328,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y, * Again even if we can make a decision, we just mark the result and * the fact that we are done and continue looping. */ - cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] ); + cond = mbedtls_cf_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] ); *ret |= cond & ( 1 - done ) & X_is_negative; done |= cond; @@ -1339,7 +1339,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y, * Again even if we can make a decision, we just mark the result and * the fact that we are done and continue looping. */ - cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] ); + cond = mbedtls_cf_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] ); *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative ); done |= cond; } @@ -2207,7 +2207,7 @@ static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi * so d[n] == 1 and we want to set A to the result of the subtraction * which is d - (2^biL)^n, i.e. the n least significant limbs of d. * This exactly corresponds to a conditional assignment. */ - mpi_safe_cond_assign( n, A->p, d, (unsigned char) d[n] ); + mbedtls_cf_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] ); } /* @@ -2238,7 +2238,7 @@ static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, * This function is implemented without using comparison operators, as those * might be translated to branches by some compilers on some platforms. */ -static size_t mbedtls_mpi_cf_bool_eq( size_t x, size_t y ) +static size_t mbedtls_cf_size_bool_eq( size_t x, size_t y ) { /* diff = 0 if x == y, non-zero otherwise */ const size_t diff = x ^ y; @@ -2285,7 +2285,7 @@ static int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size for( size_t i = 0; i < T_size; i++ ) { MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i], - (unsigned char) mbedtls_mpi_cf_bool_eq( i, idx ) ) ); + (unsigned char) mbedtls_cf_size_bool_eq( i, idx ) ) ); } cleanup: diff --git a/library/rsa.c b/library/rsa.c index e818e6dae..9c110378c 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1478,7 +1478,7 @@ cleanup: * \param value The value to analyze. * \return Zero if \p value is zero, otherwise all-bits-one. */ -static unsigned all_or_nothing_int( unsigned value ) +static unsigned mbedtls_cf_uint_mask( unsigned value ) { /* MSVC has a warning about unary minus on unsigned, but this is * well-defined and precisely what we want to do here */ @@ -1502,7 +1502,7 @@ static unsigned all_or_nothing_int( unsigned value ) * \return \c 0 if `size <= max`. * \return \c 1 if `size > max`. */ -static unsigned size_greater_than( size_t size, size_t max ) +static unsigned mbedtls_cf_size_gt( size_t size, size_t max ) { /* Return the sign bit (1 for negative) of (max - size). */ return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) ); @@ -1518,16 +1518,17 @@ static unsigned size_greater_than( size_t size, size_t max ) * \param if0 Value to use if \p cond is zero. * \return \c if1 if \p cond is nonzero, otherwise \c if0. */ -static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 ) +static unsigned mbedtls_cf_uint_if( unsigned cond, unsigned if1, unsigned if0 ) { - unsigned mask = all_or_nothing_int( cond ); + unsigned mask = mbedtls_cf_uint_mask( cond ); return( ( mask & if1 ) | (~mask & if0 ) ); } /** Shift some data towards the left inside a buffer without leaking * the length of the data through side channels. * - * `mem_move_to_left(start, total, offset)` is functionally equivalent to + * `mbedtls_cf_mem_move_to_left(start, total, offset)` is functionally + * equivalent to * ``` * memmove(start, start + offset, total - offset); * memset(start + offset, 0, total - offset); @@ -1540,9 +1541,9 @@ static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 ) * \param total Total size of the buffer. * \param offset Offset from which to copy \p total - \p offset bytes. */ -static void mem_move_to_left( void *start, - size_t total, - size_t offset ) +static void mbedtls_cf_mem_move_to_left( void *start, + size_t total, + size_t offset ) { volatile unsigned char *buf = start; size_t i, n; @@ -1550,7 +1551,7 @@ static void mem_move_to_left( void *start, return; for( i = 0; i < total; i++ ) { - unsigned no_op = size_greater_than( total - offset, i ); + unsigned no_op = mbedtls_cf_size_gt( total - offset, i ); /* The first `total - offset` passes are a no-op. The last * `offset` passes shift the data one byte to the left and * zero out the last byte. */ @@ -1558,9 +1559,9 @@ static void mem_move_to_left( void *start, { unsigned char current = buf[n]; unsigned char next = buf[n+1]; - buf[n] = if_int( no_op, current, next ); + buf[n] = mbedtls_cf_uint_if( no_op, current, next ); } - buf[total-1] = if_int( no_op, buf[total-1], 0 ); + buf[total-1] = mbedtls_cf_uint_if( no_op, buf[total-1], 0 ); } } @@ -1634,10 +1635,10 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, /* If pad_done is still zero, there's no data, only unfinished padding. */ - bad |= if_int( pad_done, 0, 1 ); + bad |= mbedtls_cf_uint_if( pad_done, 0, 1 ); /* There must be at least 8 bytes of padding. */ - bad |= size_greater_than( 8, pad_count ); + bad |= mbedtls_cf_size_gt( 8, pad_count ); /* If the padding is valid, set plaintext_size to the number of * remaining bytes after stripping the padding. If the padding @@ -1646,23 +1647,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, * buffer. Do it without branches to avoid leaking the padding * validity through timing. RSA keys are small enough that all the * size_t values involved fit in unsigned int. */ - plaintext_size = if_int( bad, - (unsigned) plaintext_max_size, - (unsigned) ( ilen - pad_count - 3 ) ); + plaintext_size = mbedtls_cf_uint_if( + bad, (unsigned) plaintext_max_size, + (unsigned) ( ilen - pad_count - 3 ) ); /* Set output_too_large to 0 if the plaintext fits in the output * buffer and to 1 otherwise. */ - output_too_large = size_greater_than( plaintext_size, - plaintext_max_size ); + output_too_large = mbedtls_cf_size_gt( plaintext_size, + plaintext_max_size ); /* Set ret without branches to avoid timing attacks. Return: * - INVALID_PADDING if the padding is bad (bad != 0). * - OUTPUT_TOO_LARGE if the padding is good but the decrypted * plaintext does not fit in the output buffer. * - 0 if the padding is correct. */ - ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, - if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, - 0 ) ); + ret = - (int) mbedtls_cf_uint_if( + bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, + mbedtls_cf_uint_if( output_too_large, + - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, + 0 ) ); /* If the padding is bad or the plaintext is too large, zero the * data that we're about to copy to the output buffer. @@ -1670,7 +1673,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, * from the same buffer whether the padding is good or not to * avoid leaking the padding validity through overall timing or * through memory or cache access patterns. */ - bad = all_or_nothing_int( bad | output_too_large ); + bad = mbedtls_cf_uint_mask( bad | output_too_large ); for( i = 11; i < ilen; i++ ) buf[i] &= ~bad; @@ -1678,9 +1681,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, * Copy anyway to avoid revealing the length through timing, because * revealing the length is as bad as revealing the padding validity * for a Bleichenbacher attack. */ - plaintext_size = if_int( output_too_large, - (unsigned) plaintext_max_size, - (unsigned) plaintext_size ); + plaintext_size = mbedtls_cf_uint_if( output_too_large, + (unsigned) plaintext_max_size, + (unsigned) plaintext_size ); /* Move the plaintext to the leftmost position where it can start in * the working buffer, i.e. make it start plaintext_max_size from @@ -1688,9 +1691,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, * does not depend on the plaintext size. After this move, the * starting location of the plaintext is no longer sensitive * information. */ - mem_move_to_left( buf + ilen - plaintext_max_size, - plaintext_max_size, - plaintext_max_size - plaintext_size ); + mbedtls_cf_mem_move_to_left( buf + ilen - plaintext_max_size, + plaintext_max_size, + plaintext_max_size - plaintext_size ); /* Finally copy the decrypted plaintext plus trailing zeros into the output * buffer. If output_max_len is 0, then output may be an invalid pointer diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h index babbc2768..5cb29cb0a 100644 --- a/library/ssl_invasive.h +++ b/library/ssl_invasive.h @@ -65,7 +65,7 @@ * \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED * The hardware accelerator failed. */ -int mbedtls_ssl_cf_hmac( +int mbedtls_cf_hmac( mbedtls_md_context_t *ctx, const unsigned char *add_data, size_t add_data_len, const unsigned char *data, size_t data_len_secret, @@ -90,11 +90,11 @@ int mbedtls_ssl_cf_hmac( * \param offset_max The maximal value of \p offset_secret. * \param len The number of bytes to copy. */ -void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst, - const unsigned char *src_base, - size_t offset_secret, - size_t offset_min, size_t offset_max, - size_t len ); +void mbedtls_cf_memcpy_offset( unsigned char *dst, + const unsigned char *src_base, + size_t offset_secret, + size_t offset_min, size_t offset_max, + size_t len ); #endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ #endif /* MBEDTLS_SSL_INVASIVE_H */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 76cc2b17d..34b28b1cb 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -949,7 +949,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * This function is implemented without using comparison operators, as those * might be translated to branches by some compilers on some platforms. */ -static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit ) +static size_t mbedtls_cf_size_mask( size_t bit ) { /* MSVC has a warning about unary minus on unsigned integer types, * but this is well-defined and precisely what we want to do here. */ @@ -974,7 +974,7 @@ static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit ) * This function is implemented without using comparison operators, as those * might be translated to branches by some compilers on some platforms. */ -static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y ) +static size_t mbedtls_cf_size_mask_lt( size_t x, size_t y ) { /* This has the most significant bit set if and only if x < y */ const size_t sub = x - y; @@ -983,7 +983,7 @@ static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y ) const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 ); /* mask = (x < y) ? 0xff... : 0x00... */ - const size_t mask = mbedtls_ssl_cf_mask_from_bit( sub1 ); + const size_t mask = mbedtls_cf_size_mask( sub1 ); return( mask ); } @@ -999,9 +999,9 @@ static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y ) * This function is implemented without using comparison operators, as those * might be translated to branches by some compilers on some platforms. */ -static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y ) +static size_t mbedtls_cf_size_mask_ge( size_t x, size_t y ) { - return( ~mbedtls_ssl_cf_mask_lt( x, y ) ); + return( ~mbedtls_cf_size_mask_lt( x, y ) ); } /* @@ -1010,12 +1010,12 @@ static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y ) * * This function can be used to write constant-time code by replacing branches * with bit operations - it can be used in conjunction with - * mbedtls_ssl_cf_mask_from_bit(). + * mbedtls_cf_size_mask(). * * This function is implemented without using comparison operators, as those * might be translated to branches by some compilers on some platforms. */ -static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y ) +static size_t mbedtls_cf_size_bool_eq( size_t x, size_t y ) { /* diff = 0 if x == y, non-zero otherwise */ const size_t diff = x ^ y; @@ -1049,14 +1049,14 @@ static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y ) * This function is implemented without using comparison operators, as those * might be translated to branches by some compilers on some platforms. */ -static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst, - const unsigned char *src, - size_t len, - size_t c1, size_t c2 ) +static void mbedtls_cf_memcpy_if_eq( unsigned char *dst, + const unsigned char *src, + size_t len, + size_t c1, size_t c2 ) { /* mask = c1 == c2 ? 0xff : 0x00 */ - const size_t equal = mbedtls_ssl_cf_bool_eq( c1, c2 ); - const unsigned char mask = (unsigned char) mbedtls_ssl_cf_mask_from_bit( equal ); + const size_t equal = mbedtls_cf_size_bool_eq( c1, c2 ); + const unsigned char mask = (unsigned char) mbedtls_cf_size_mask( equal ); /* dst[i] = c1 == c2 ? src[i] : dst[i] */ for( size_t i = 0; i < len; i++ ) @@ -1069,7 +1069,7 @@ static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst, * Only works with MD-5, SHA-1, SHA-256 and SHA-384. * (Otherwise, computation of block_size needs to be adapted.) */ -MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( +MBEDTLS_STATIC_TESTABLE int mbedtls_cf_hmac( mbedtls_md_context_t *ctx, const unsigned char *add_data, size_t add_data_len, const unsigned char *data, size_t data_len_secret, @@ -1125,8 +1125,8 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( MD_CHK( mbedtls_md_clone( &aux, ctx ) ); MD_CHK( mbedtls_md_finish( &aux, aux_out ) ); /* Keep only the correct inner_hash in the output buffer */ - mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size, - offset, data_len_secret ); + mbedtls_cf_memcpy_if_eq( output, aux_out, hash_size, + offset, data_len_secret ); if( offset < max_data_len ) MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); @@ -1156,7 +1156,7 @@ cleanup: * - functionally equivalent to memcpy(dst, src + offset_secret, len) * - but with execution flow independent from the value of offset_secret. */ -MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset( +MBEDTLS_STATIC_TESTABLE void mbedtls_cf_memcpy_offset( unsigned char *dst, const unsigned char *src_base, size_t offset_secret, @@ -1167,8 +1167,8 @@ MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset( for( offset = offset_min; offset <= offset_max; offset++ ) { - mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len, - offset, offset_secret ); + mbedtls_cf_memcpy_if_eq( dst, src_base + offset, len, + offset, offset_secret ); } } #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ @@ -1494,7 +1494,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, if( auth_done == 1 ) { - const size_t mask = mbedtls_ssl_cf_mask_ge( + const size_t mask = mbedtls_cf_size_mask_ge( rec->data_len, padlen + 1 ); correct &= mask; @@ -1514,7 +1514,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, } #endif - const size_t mask = mbedtls_ssl_cf_mask_ge( + const size_t mask = mbedtls_cf_size_mask_ge( rec->data_len, transform->maclen + padlen + 1 ); correct &= mask; @@ -1548,18 +1548,18 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, /* pad_count += (idx >= padding_idx) && * (check[idx] == padlen - 1); */ - const size_t mask = mbedtls_ssl_cf_mask_ge( idx, padding_idx ); - const size_t equal = mbedtls_ssl_cf_bool_eq( check[idx], - padlen - 1 ); + const size_t mask = mbedtls_cf_size_mask_ge( idx, padding_idx ); + const size_t equal = mbedtls_cf_size_bool_eq( check[idx], + padlen - 1 ); pad_count += mask & equal; } - correct &= mbedtls_ssl_cf_bool_eq( pad_count, padlen ); + correct &= mbedtls_cf_size_bool_eq( pad_count, padlen ); #if defined(MBEDTLS_SSL_DEBUG_ALL) if( padlen > 0 && correct == 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); #endif - padlen &= mbedtls_ssl_cf_mask_from_bit( correct ); + padlen &= mbedtls_cf_size_mask( correct ); #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ @@ -1622,20 +1622,20 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, const size_t max_len = rec->data_len + padlen; const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; - ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec, - add_data, add_data_len, - data, rec->data_len, min_len, max_len, - mac_expect ); + ret = mbedtls_cf_hmac( &transform->md_ctx_dec, + add_data, add_data_len, + data, rec->data_len, min_len, max_len, + mac_expect ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cf_hmac", ret ); return( ret ); } - mbedtls_ssl_cf_memcpy_offset( mac_peer, data, - rec->data_len, - min_len, max_len, - transform->maclen ); + mbedtls_cf_memcpy_offset( mac_peer, data, + rec->data_len, + min_len, max_len, + transform->maclen ); #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_DEBUG_ALL) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 72b0cdb8a..26b99a446 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4555,7 +4555,7 @@ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, void ssl_cf_hmac( int hash ) { /* - * Test the function mbedtls_ssl_cf_hmac() against a reference + * Test the function mbedtls_cf_hmac() against a reference * implementation. */ mbedtls_md_context_t ctx, ref_ctx; @@ -4614,10 +4614,10 @@ void ssl_cf_hmac( int hash ) /* Get the function's result */ TEST_CF_SECRET( &in_len, sizeof( in_len ) ); - TEST_EQUAL( 0, mbedtls_ssl_cf_hmac( &ctx, add_data, sizeof( add_data ), - data, in_len, - min_in_len, max_in_len, - out ) ); + TEST_EQUAL( 0, mbedtls_cf_hmac( &ctx, add_data, sizeof( add_data ), + data, in_len, + min_in_len, max_in_len, + out ) ); TEST_CF_PUBLIC( &in_len, sizeof( in_len ) ); TEST_CF_PUBLIC( out, out_len ); @@ -4664,8 +4664,8 @@ void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len ) mbedtls_test_set_step( (int) secret ); TEST_CF_SECRET( &secret, sizeof( secret ) ); - mbedtls_ssl_cf_memcpy_offset( dst, src, secret, - offset_min, offset_max, len ); + mbedtls_cf_memcpy_offset( dst, src, secret, + offset_min, offset_max, len ); TEST_CF_PUBLIC( &secret, sizeof( secret ) ); TEST_CF_PUBLIC( dst, len );