Similar to the previous commit, this commit removes
the word 'multi-part' from the encrypt setup tests.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
After other changes had taken place the call to
PSA_ASSERT( psa_get_key_attributes( key, &attributes ) )
was no longer needed.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Having such implementation might cause issues for those that
expect to have a working implementation.
Having a compile-time error is better in such case.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Don't depend on the default sizes in the test programs: pass explicit
request and buffer sizes.
Don't depend on MAX_CONTENT_LEN (other than it not being extremely small:
this commit assumes that it will never be less than 101).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The added null byte was accounted for twice, once by taking
opt.buffer_size+1 when allocating the buffer and once by taking opt.buffer-1
when filling the buffer. Make opt.buffer_size the size that is actually
read, it's less confusing that way.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Make sure that buf always has enough room for what it will contain. Before,
this was not the case if the buffer was smaller than the default response,
leading to memory corruption in ssl_server2.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For weistrass curves the pair is encoded as 0x04 || x || y.
Flipping one of the bits in the first byte should be a sure failure.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Force a bitflip in server key to make the raw key
agreement fail, and then verify that no key slots
are left open at the end. Use a Weierstrass curve
to have a high chance of failure upon encountering
such bitflip.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
This commit alters an ASSERT_COMPARE statement
at the end of the aead_encrypt_setup test. This is to
correct a mistake introduced by the preceding PR.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
This commit adds the required changes that arose from
the first round of reviewing. The total_input_data argument
has been removed and so the .data file needed to be edited
also.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Adds test data for the test case where the insufficient
memory error is forced on the driver status.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit adds test data for the case where the
algorithm is not supported by the driver but
the fallback option is available in the library.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
A previous commit has changed the signature of mpi_mul_hlp, making the length
of the output explicit. This commit adjusts mpi_montmul() accordingly.
It also fixes a comment on the required size of the temporary value
passed to mpi_montmul() (but does not change the call-sites).
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
A previous commit has changed the signature of mpi_mul_hlp(), making
the length of the output explicit.
This commit adjusts mbedtls_mpi_mul_int() to this change.
Along the way, we make the code simpler and more secure by not calculating
the minimal limb-size of A. A previous comment indicated that this was
functionally necessary because of the implementation of mpi_mul_hlp() --
if it ever was, it isn't anymore.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The previous commit has changed the signature of mpi_mul_hlp(),
making the length of the output explicit.
This commit adjusts the call-site in mbedtls_mpi_mul_mpi() to
this new signature.
A notable change to the multiplication strategy had to be made:
mbedtls_mpi_mul_mpi() performs a simple row-wise schoolbook
multiplication, which however was so far computed iterating
rows from top to bottom. This leads to the undesirable consequence
that as lower rows are calculated and added to the temporary
result, carry chains can grow. It is simpler and faster to
iterate from bottom to top instead, as it is guaranteed that
there will be no carry when adding the next row to the previous
temporary result: The length of the output in each iteration
can be fixed to len(B)+1.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The helper `mpi_mul_hlp()` performs a multiply-accumulate
operation `d += s * b`, where `d,b` are MPIs and `b` is a scalar.
Previously, only the length of `s` was specified, while `d` was
assumed to be 0-terminated of unspecified length.
This was leveraged at the end of the core multiplication steps
computingg the first `limb(s)` limbs of `d + s*b`: Namely, the
routine would keep on adding the current carry to `d` until none
was left. This can, in theory, run for an arbitrarily long time
if `d` has a tail of `0xFF`s, and hence the assumption of
`0`-termination.
This solution is both fragile and insecure -- the latter because
the carry-loop depends on the result of the multiplication.
This commit changes the signature of `mpi_mul_hlp()` to receive
the length of the output buffer, which must be greater or equal
to the length of the input buffer.
It is _not_ assumed that the output buffer is strictly larger
than the input buffer -- instead, the routine will simply return
any carry that's left. This will be useful in some applications
of this function. It is the responsibility of the caller to either
size the output appropriately so that no carry will be left, or
to handle the carry.
NOTE: The commit leaves the library in a state where it cannot
be compiled since the call-sites of mpi_mul_hlp() have
not yet been adjusted. This will be done in the subsequent
commits.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
