Manuel Pégourié-Gonnard
630148e67f
RSA: use constant-time modinv in deduce_crt()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:40:05 +02:00
Manuel Pégourié-Gonnard
7dcfd73731
RSA: use constant-time GCD in deduce_primes()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Manuel Pégourié-Gonnard
0d73de5ee0
ecdsa: use CT modinv
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Manuel Pégourié-Gonnard
f35d30799c
ECP: use CT modinv
A function that was previously called in multiple places is now called
only once, hence more susceptible to being inlined, hence the test fix.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Manuel Pégourié-Gonnard
c2d210ea0d
DHM: use CT modinv for blinding
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Manuel Pégourié-Gonnard
a56a05b015
RSA: use CT gcd-modinv in prepare_blinding()
While at it, draw the blinding value uniformly in the permissible range.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Janos Follath
210f8bc4d7
Merge pull request #1408 from mpg/improve-gcd-3.6
[3.6] Make GCD (a lot) less leaky
2025-08-13 19:44:57 +01:00
Manuel Pégourié-Gonnard
30f0732369
bignum: gcd: improve comments
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:55 +02:00
Manuel Pégourié-Gonnard
87e77d6516
bignum: fix memory leak in GCD with 0 as an input
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:55 +02:00
Manuel Pégourié-Gonnard
381d4ba03b
Make mbedtls_mpi_gcd() more consistent
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:45 +02:00
Manuel Pégourié-Gonnard
c6a9d84555
bignum: use CT gcd for mbedtls_mpi_gcd()
The overall function is still not constant-time, but it just got a lot
less leaky.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:45 +02:00
Manuel Pégourié-Gonnard
a08faf9070
bignum: follow customs for ret initialisation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-12 11:55:22 +02:00
Manuel Pégourié-Gonnard
7a5447ff65
Fix a few typos
Co-authored-by: Felix Conway <felix.conway@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-12 11:55:15 +02:00
Manuel Pégourié-Gonnard
65b8011f7e
bignum: make mbedtls_mpi_lsb() less leaky
The path using the builtin should be OK, as it should be using dedicated CPU
instructions which are constant time.
This fixes the non-builtin path.
GCC gained support for __has_builtin in version 10. We're still testing
with older GCC on the CI, so the non-builtin path is tested on the CI.
https://gcc.gnu.org/gcc-10/changes.html
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:36:26 +02:00
Manuel Pégourié-Gonnard
40dfc811ef
bignum: remove dead variable-time inv_mod code
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:35:28 +02:00
Manuel Pégourié-Gonnard
1ac0a1e071
bignum: use CT modinv when A is odd (any range)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:35:28 +02:00
Manuel Pégourié-Gonnard
e41709c17e
bignum: use CT modinv when A is odd and in [2, N)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:35:28 +02:00
Manuel Pégourié-Gonnard
cdfd1c9c7d
bignum: use CT modinv when N is odd
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-11 09:35:28 +02:00
Felix Conway
a1c95e378a
Adjust mpi_gcd_modinv_odd() internals
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-06 09:54:11 +01:00
Felix Conway
eefdfe99a4
Change A=0 (null) handling in mpi_gcd_invmod_odd()
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-05 14:35:53 +01:00
Felix Conway
d9c4c9c441
Update mpi_gcd_invmod_odd() related comments/documentation
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-05 14:33:32 +01:00
Felix Conway
f4df43b6c4
Fix gcd_invmod_odd wrapper when A is 0 (null)
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-04 17:00:10 +01:00
Felix Conway
54a94c1598
Adjust mpi_gcd_modinv_odd docs and precondition checking
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-04 11:34:19 +01:00
Felix Conway
bd7ede3f33
bignum: add mpi wrapper for gcd_modinv
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-08-04 11:33:48 +01:00
Manuel Pégourié-Gonnard
ec35382a51
Try again to clarify connection with the paper
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-24 12:22:16 +02:00
Manuel Pégourié-Gonnard
efd242a0e5
Gracefully handle A_limbs > N_limbs and test it
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-24 11:10:59 +02:00
Manuel Pégourié-Gonnard
9361550c45
Tune comment about paper vs our code again
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-23 13:21:07 +02:00
Manuel Pégourié-Gonnard
dbda872369
Expand comment about adaptations from the paper
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-22 09:21:53 +02:00
Manuel Pégourié-Gonnard
ed711e1420
Clarify preconditions and impact if not met
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-22 09:00:52 +02:00
Manuel Pégourié-Gonnard
5972096114
Forbid uninteresting edge cases
A == N (as pointers) will not happen in practice: in our context, it
would mean we know at compile time that A == N (as values), and we
wouldn't be calling this function if we knew that already.
N == 1 when I != NULL is also not going to happen: we don't care about
operations mod 1.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-18 09:40:14 +02:00
Manuel Pégourié-Gonnard
7fba466826
Unit-test mpi_core_div2_mod_odd()
This function has specific code to handle carries and it's not clear how
to exercise that code through the modinv function, so well, that's what
unit tests are for.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-18 09:40:14 +02:00
Manuel Pégourié-Gonnard
de5eeb5ce9
Relax and test aliasing rules
This is consistent with the general rules documented at the top of the
file:
- when computing GCD(A, N), there is no modular arithmetic, so the
  output can alias any of the inputs;
- when computing a modular inverse, N is the modulus, so it can't be
  aliased by any of the outputs (we'll use it for modular operations
  over the entire course of the function's execution).
But since this function has two modes of operation with different
aliasing rules (G can alias N only if I == NULL), I think it should
really be stated explicitly.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-18 09:40:14 +02:00
Manuel Pégourié-Gonnard
07a057756c
bignum_core: Add mbedtls_mpi_core_gcd_modinv_odd()
This is a direct translation of sict_mi2() from
https://github.com/mpg/cryptohack/blob/main/ct-pres.py
which was presented in the book club's special session.
This commit only includes two test cases, which is very little. Most of
the test cases will be generated by Python modules that belong to the
framework. However, we can't have the framework generate those before we
have the corresponding test function in the consuming branches. So,
extended tests are coming as a 2nd step, after the test function has
been merged.
(The test cases in .misc should stay, as they can be convenient when
working on the test function.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-18 09:40:14 +02:00
minosgalanakis
1a22f21b74
Merge pull request #1381 from Mbed-TLS/mbedtls-3.6.4-mergeback
Mbedtls 3.6.4 merge-back pr
2025-06-30 22:06:11 +01:00
Minos Galanakis
5b9c7c5204
Revert "Added generated files"
This reverts commit 59e8b3a6b0.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-30 18:33:00 +01:00
Minos Galanakis
59e8b3a6b0
Added generated files
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-25 14:18:23 +01:00
Minos Galanakis
5374262f3b
Version bump 3.6.4
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-25 14:07:55 +01:00
Minos Galanakis
f36277558a
Merge remote-tracking branch 'restricted/mbedtls-3.6-restricted' into mbedtls-3.6.4rc0-pr
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-23 18:52:17 +01:00
David Horstmann
5e1e5b3e53
Merge pull request #10241 from ariwo17/backport-typo-fixes-3.6
[BACKPORT] Fixed some minor typos in comments.
2025-06-23 16:33:41 +00:00
David Horstmann
54ceaf7a53
Merge pull request #10200 from aslze/mbedtls-3.6
[3.6] Fix build C++ apps with MSVC
2025-06-19 14:25:50 +00:00
Ari Weiler-Ofek
fb2460ae0b
Fixed some minor typos in comments.
Signed-off-by: Ari Weiler-Ofek <ari.weiler-ofek@arm.com>
2025-06-19 15:15:30 +01:00
Ronald Cron
7df899211a
fix: additional MSVC v142 build issue with tls1.3 configuration enabled.
Signed-off-by: Cesar Cruz <cesar.cruz@philips.com>
Signed-off-by: ccrugoPhilips <cesar.cruz@philips.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-06-18 10:13:54 +02:00
David Horstmann
a84be59757
Merge pull request #1366 from gilles-peskine-arm/base64-decode-clean-3.6
Backport 3.6: mbedtls_base64_decode: fix sloppiness
2025-06-17 14:55:39 +01:00
Gilles Peskine
3c9ad42719
Merge pull request #1367 from gilles-peskine-arm/aesni_has_support-volatile-3.6
Backport 3.6: Fix race condition in mbedtls_aesni_has_support
2025-06-13 23:20:28 +02:00
Gilles Peskine
853cfbdced
Add a note about processor memory reordering
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-12 18:30:45 +02:00
Felix Conway
766be1f8f4
Replace __attribute__((nonstring)) with macro MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
This macro applies __attribute__((nonstring)) when the compiler supports
it.
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-06-12 11:13:33 +01:00
Gilles Peskine
51dccfb2a6
Improve some explanations
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-11 18:47:31 +02:00
Felix Conway
2e1399f1e1
Add __attribute__ ((nonstring)) to remove unterminated-string-initialization warning
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-06-11 16:04:30 +01:00
Gilles Peskine
a79525239f
Merge pull request #1359 from Mbed-TLS/bugfix_1351_1352_1353_lms_drivers_3.6bp
[3.6 Backport] Bugfix: lms/lmots driver hardening.
2025-06-10 19:08:15 +02:00
Manuel Pégourié-Gonnard
7ed3653c57
Merge pull request #1363 from gilles-peskine-arm/3.6-restricted-merge-20250606
Merge mbedtls-3.6 into mbedtls-3.6-restricted
2025-06-10 11:01:11 +02:00