We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.
If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources (RFC
7748 say we MAY reject 0 as a result) and recommended by some to reject
those points (either to ensure contributory behaviour, or to protect
against timing attack when the underlying field arithmetic is not
constant-time).
Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)
Signed-off-by: Janos Follath <janos.follath@arm.com>
Without this parameter, it would be hard for callers to know how many bytes
of output the function wrote into the output buffer. It would be possible,
since the cumulated output must have the same length as the cumulated input,
but it would be cumbersome for the caller to keep track.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used
as intended, for keys that cannot be modified through normal use of the API.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_psa_get_stats() was written back before lifetimes were
structured as persistence and location. Fix its classification of
volatile external keys and internal keys with a non-default
persistence.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Clang was complaining and check-names.sh too
This only duplicates macros, so no impact on code size. In 3.0 we can
probably avoid the duplication by using an internal header under
library/ but this won't work for 2.16.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.
If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources
(RFC 7748 say we MAY reject 0 as a result) and recommended by some to
reject those points (either to ensure contributory behaviour, or to
protect against timing attack when the underlying field arithmetic is
not constant-time).
Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
* development: (66 commits)
Document the return type change in the migration guide
Fix return type of example key export callbacks
Add change log
psa: mac: Add driver dispatch tests for psa_mac_verify
psa: mac: Add driver delegation support for psa_mac_verify()
psa: mac: Introduce psa_mac_compute_internal
psa: mac: Add driver dispatch tests for psa_mac_compute
psa: mac: Improve MAC finalization code
psa: mac: Add driver delegation support for psa_mac_compute()
psa: mac: Add MAC compute builtin implementation
psa: mac: Improve implementation of psa_mac_finalize_alg_and_key_validation()
psa: mac: Split psa_mac_setup()
psa: mac: Re-organize psa_mac_setup() internal function
Move export callback and context to the end of SSL context
Improve ChangeLog wording for key export
Remove return value from key export callback
Make key export callback and context connection-specific
Remove all occurrences of TLS < 1.2 PRF identifier
Remote key export identifier used for TLS < 1.2.
Add missing documentation for key export callback parameters
...
Ensure finish only called when encrypting and verify only called for
decrypting, and add tests to ensure this.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
I wrote a function to determine the base algorithm given a variant,
however this is already implemented by
PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Where hashlen was previously ignored when the hash length could be
inferred from an md_alg parameter, the two must now match.
Adapt the existing tests accordingly. Adapt the sample programs accordingly.
This commit does not add any negative testing.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The loop exits early iff there is a nonzero limb, so i==0 means that
all limbs are 0, whether the number of limbs is 0 or not.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix a bug introduced in "Fix multiplication producing a negative zero" that
caused the sign to be forced to +1 when A > 0, B < 0 and B's low-order limb
is 0.
Add a non-regression test. More generally, systematically test combinations
of leading zeros, trailing zeros and signs.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In mbedtls_mpi_read_string, if the string is empty, return an empty bignum
rather than a bignum with one limb with the value 0.
Both representations are correct, so this is not, in principle, a
user-visible change. The change does leak however through
mbedtls_mpi_write_string in base 16 (but not in other bases), as it writes a
bignum with 0 limbs as "" but a bignum with the value 0 and at least one
limb as "00".
This change makes it possible to construct an empty bignum through
mbedtls_mpi_read_string, which is especially useful to construct test
cases (a common use of mbedtls_mpi_read_string, as most formats use in
production encode numbers in binary, to be read with mbedtls_mpi_read_binary
or mbedtls_mpi_read_binary_le).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
