The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).
These are higher level concepts and are out of scope for Bignum and for
the modulus structure.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).
These are higher level concepts and are out of scope for Bignum and for
the modulus structure.
Passing endianness as a parameter is a step towards removing it from the
modulus structure.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).
These are higher level concepts and are out of scope for Bignum and for
the modulus structure.
Passing endianness as a parameter is a step towards removing it from the
modulus structure.
Signed-off-by: Janos Follath <janos.follath@arm.com>
In theory we could allow residues to have more allocated limbs than the
modulus, but we might or might not need it in the end.
Go for the simpler option for now and we can extend it later if we
really need it.
Signed-off-by: Janos Follath <janos.follath@arm.com>
We want to make sure that the value has at least as many limbs allocated
as the modulus as we need this to be able to do any operations in
constant time.
An invariant of the API is that the residue values are canonical, make
sure that the residue is compared to the entire modulus.
Signed-off-by: Janos Follath <janos.follath@arm.com>
This patch adjusts the I/O methods and the tests.
Documentation has also been updated to be more clear.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch adjusts the logic of the size checking of the method,
and refactors the tests. Documentation has also been updated.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch is inverting the input type checking logic in the method,
in order to ensure that residue < modulus.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch adds input and ouput fucntions in the `bignum_mod` layer.
The data will be automatically converted between Cannonical and
Montgomery representation if required.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
When legacy CID is enabled at compile time, but not used at runtime, we
would incorrectly skip the sequence number at the beginning of the AAD.
There was already two "else" branches for writing the sequence number
but none of them was taken in that particular case.
Simplify the structure of the code: with TLS 1.2 (we're already in that
branch), we always write the sequence number, unless we're using
standard CID.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
psa_cipher_encrypt() and psa_cipher_decrypt() sometimes add a zero offset to
a null pointer when the cipher does not use an IV. This is undefined
behavior, although it works as naively expected on most platforms. This
can cause a crash with modern Clang+ASan (depending on compiler optimizations).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The loop ends when there are no more bits to process, with one twist: when
that happens, we need to clear the window one last time. Since the window
does not start empty (E_limbs==0 is not supported), the loop always starts
with a non-empty window and some bits to process. So it's correct to move
the window clearing logic to the end of the loop. This lets us exit the loop
when the end of the exponent is reached.
It would be clearer not to do the final window clearing inside the loop, so
we wouldn't need to repeat the loop termination condition (end of exponent
reached) inside the loop. However, this requires duplicating the code to
clear the window. Empirically, this causes a significant code size increase,
even if the window clearing code is placed into a function.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We are looking at the exponent at limb granularity and therefore
exponent bits can't go below 32.
The `mpi_` prefix is also removed as it is better not to have prefix at
all than to have just a partial. (Full prefix would be overly long and
would hurt readability.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
Now that we have a function that calls
mbedtls_mpi_core_ct_uint_table_lookup(), the compiler won't complain if
we make it static.
Signed-off-by: Janos Follath <janos.follath@arm.com>
On platforms with size_t different from int, mismatch between size_t and
mpi_uint can cause incorrect results or complaints from the compiler.
Signed-off-by: Janos Follath <janos.follath@arm.com>
mpi_core_exp_mod: Cast local variable explicitly
Signed-off-by: Janos Follath <janos.follath@arm.com>
In this way, in case of error, it is not possible to continue using
the same psa_pake_operation_t without reinitializing it.
This should make the PSA pake's behavior closer to what expected by
the specification
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
The first half of the table is not used, let's reuse index 0 for the
result instead of appending it in the end.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The table size was set before the configured window size bound was
applied which lead to out of bounds access when the configured window
size bound is less.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The window size starts giving diminishing returns around 6 on most
platforms and highly unlikely to be more than 31 in practical use cases.
Still, compilers and static analysers might complain about this and
better to be pedantic.
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
With small exponents (for example, when doing RSA-1024 with CRT, each
prime is 512 bits and we'll use wsize = 5 which may be smaller that the
maximum - or even worse when doing public RSA operations which typically
have a 16-bit exponent so we'll use wsize = 1) the usage of W will have
pre-computed values, then empty space, then the accumulator at the very
end.
Move X next to the precomputed values to make accesses more efficient
and intuitive.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Elements of W didn't all have the same owner: all were owned by this
function, except W[x_index]. It is more robust if we make a proper copy
of X.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Out of window zeroes were doing squaring on the output variable
directly. This leaks the position of windows and the out of window
zeroes.
Loading the output variable from the table in constant time removes this
leakage.
Signed-off-by: Janos Follath <janos.follath@arm.com>
It might happen that the psa_pake_output() function returns
elements which are not exactly 32 or 65 bytes as expected, but
1 bytes less.
As a consequence, insted of hardcoding the expected value for
the length in the output buffer, we write the correct one as
obtained from psa_pake_output()
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
NEW_SESSION_TICKETS* are processed in handshake_step.
Change the stop condition from `mbedtls_ssl_is_handshake_over`
to directly check.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
