yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-23 03:55:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Rename function to have suitable name

Browse Source 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
This commit is contained in:
gabor-mezei-arm 2021-09-28 16:14:47 +02:00 committed by Gabor Mezei
parent 9055972227
commit e41e3e8a8b
5 changed files with 96 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
library/bignum.c
View File

@ -280,7 +280,7 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
* *
* \return The selected sign value. * \return The selected sign value.
*/ */
static int mpi_safe_cond_select_sign( int a, int b, unsigned char second ) static int mbedtls_cf_cond_select_sign( int a, int b, unsigned char second )
{ {
/* In order to avoid questions about what we can reasonnably assume about /* In order to avoid questions about what we can reasonnably assume about
* the representations of signed integers, move everything to unsigned * the representations of signed integers, move everything to unsigned
@ -304,10 +304,10 @@ static int mpi_safe_cond_select_sign( int a, int b, unsigned char second )
* dest and src must be arrays of limbs of size n. * dest and src must be arrays of limbs of size n.
* assign must be 0 or 1. * assign must be 0 or 1.
*/ */
static void mpi_safe_cond_assign( size_t n, void mbedtls_cf_mpi_uint_cond_assign( size_t n,
mbedtls_mpi_uint *dest, mbedtls_mpi_uint *dest,
const mbedtls_mpi_uint *src, const mbedtls_mpi_uint *src,
unsigned char assign ) unsigned char assign )
{ {
size_t i; size_t i;
@ -360,9 +360,9 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
X->s = mpi_safe_cond_select_sign( X->s, Y->s, assign ); X->s = mbedtls_cf_cond_select_sign( X->s, Y->s, assign );
mpi_safe_cond_assign( Y->n, X->p, Y->p, assign ); mbedtls_cf_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign );
for( i = Y->n; i < X->n; i++ ) for( i = Y->n; i < X->n; i++ )
X->p[i] &= ~limb_mask; X->p[i] &= ~limb_mask;
@ -409,8 +409,8 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char sw
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
s = X->s; s = X->s;
X->s = mpi_safe_cond_select_sign( X->s, Y->s, swap ); X->s = mbedtls_cf_cond_select_sign( X->s, Y->s, swap );
Y->s = mpi_safe_cond_select_sign( Y->s, s, swap ); Y->s = mbedtls_cf_cond_select_sign( Y->s, s, swap );
for( i = 0; i < X->n; i++ ) for( i = 0; i < X->n; i++ )
@ -1253,7 +1253,7 @@ int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
* *
* \return 1 if \p x is less than \p y, 0 otherwise * \return 1 if \p x is less than \p y, 0 otherwise
*/ */
static unsigned ct_lt_mpi_uint( const mbedtls_mpi_uint x, static unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x,
const mbedtls_mpi_uint y ) const mbedtls_mpi_uint y )
{ {
mbedtls_mpi_uint ret; mbedtls_mpi_uint ret;
@ -1328,7 +1328,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
* Again even if we can make a decision, we just mark the result and * Again even if we can make a decision, we just mark the result and
* the fact that we are done and continue looping. * the fact that we are done and continue looping.
*/ */
cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] ); cond = mbedtls_cf_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] );
*ret |= cond & ( 1 - done ) & X_is_negative; *ret |= cond & ( 1 - done ) & X_is_negative;
done |= cond; done |= cond;
@ -1339,7 +1339,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
* Again even if we can make a decision, we just mark the result and * Again even if we can make a decision, we just mark the result and
* the fact that we are done and continue looping. * the fact that we are done and continue looping.
*/ */
cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] ); cond = mbedtls_cf_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] );
*ret |= cond & ( 1 - done ) & ( 1 - X_is_negative ); *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
done |= cond; done |= cond;
} }
@ -2207,7 +2207,7 @@ static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi
* so d[n] == 1 and we want to set A to the result of the subtraction * so d[n] == 1 and we want to set A to the result of the subtraction
* which is d - (2^biL)^n, i.e. the n least significant limbs of d. * which is d - (2^biL)^n, i.e. the n least significant limbs of d.
* This exactly corresponds to a conditional assignment. */ * This exactly corresponds to a conditional assignment. */
mpi_safe_cond_assign( n, A->p, d, (unsigned char) d[n] ); mbedtls_cf_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] );
} }
/* /*
@ -2238,7 +2238,7 @@ static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
* This function is implemented without using comparison operators, as those * This function is implemented without using comparison operators, as those
* might be translated to branches by some compilers on some platforms. * might be translated to branches by some compilers on some platforms.
*/ */
static size_t mbedtls_mpi_cf_bool_eq( size_t x, size_t y ) static size_t mbedtls_cf_size_bool_eq( size_t x, size_t y )
{ {
/* diff = 0 if x == y, non-zero otherwise */ /* diff = 0 if x == y, non-zero otherwise */
const size_t diff = x ^ y; const size_t diff = x ^ y;
@ -2285,7 +2285,7 @@ static int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size
for( size_t i = 0; i < T_size; i++ ) for( size_t i = 0; i < T_size; i++ )
{ {
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i], MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i],
(unsigned char) mbedtls_mpi_cf_bool_eq( i, idx ) ) ); (unsigned char) mbedtls_cf_size_bool_eq( i, idx ) ) );
} }
cleanup: cleanup:

65
library/rsa.c
View File

@ -1499,7 +1499,7 @@ cleanup:
* \param value The value to analyze. * \param value The value to analyze.
* \return Zero if \p value is zero, otherwise all-bits-one. * \return Zero if \p value is zero, otherwise all-bits-one.
*/ */
static unsigned all_or_nothing_int( unsigned value ) static unsigned mbedtls_cf_uint_mask( unsigned value )
{ {
/* MSVC has a warning about unary minus on unsigned, but this is /* MSVC has a warning about unary minus on unsigned, but this is
* well-defined and precisely what we want to do here */ * well-defined and precisely what we want to do here */
@ -1523,7 +1523,7 @@ static unsigned all_or_nothing_int( unsigned value )
* \return \c 0 if `size <= max`. * \return \c 0 if `size <= max`.
* \return \c 1 if `size > max`. * \return \c 1 if `size > max`.
*/ */
static unsigned size_greater_than( size_t size, size_t max ) static unsigned mbedtls_cf_size_gt( size_t size, size_t max )
{ {
/* Return the sign bit (1 for negative) of (max - size). */ /* Return the sign bit (1 for negative) of (max - size). */
return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) ); return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) );
@ -1539,16 +1539,17 @@ static unsigned size_greater_than( size_t size, size_t max )
* \param if0 Value to use if \p cond is zero. * \param if0 Value to use if \p cond is zero.
* \return \c if1 if \p cond is nonzero, otherwise \c if0. * \return \c if1 if \p cond is nonzero, otherwise \c if0.
*/ */
static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 ) static unsigned mbedtls_cf_uint_if( unsigned cond, unsigned if1, unsigned if0 )
{ {
unsigned mask = all_or_nothing_int( cond ); unsigned mask = mbedtls_cf_uint_mask( cond );
return( ( mask & if1 ) | (~mask & if0 ) ); return( ( mask & if1 ) | (~mask & if0 ) );
} }
/** Shift some data towards the left inside a buffer without leaking /** Shift some data towards the left inside a buffer without leaking
* the length of the data through side channels. * the length of the data through side channels.
* *
* `mem_move_to_left(start, total, offset)` is functionally equivalent to * `mbedtls_cf_mem_move_to_left(start, total, offset)` is functionally
* equivalent to
* ``` * ```
* memmove(start, start + offset, total - offset); * memmove(start, start + offset, total - offset);
* memset(start + offset, 0, total - offset); * memset(start + offset, 0, total - offset);
@ -1561,9 +1562,9 @@ static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 )
* \param total Total size of the buffer. * \param total Total size of the buffer.
* \param offset Offset from which to copy \p total - \p offset bytes. * \param offset Offset from which to copy \p total - \p offset bytes.
*/ */
static void mem_move_to_left( void *start, static void mbedtls_cf_mem_move_to_left( void *start,
size_t total, size_t total,
size_t offset ) size_t offset )
{ {
volatile unsigned char *buf = start; volatile unsigned char *buf = start;
size_t i, n; size_t i, n;
@ -1571,7 +1572,7 @@ static void mem_move_to_left( void *start,
return; return;
for( i = 0; i < total; i++ ) for( i = 0; i < total; i++ )
{ {
unsigned no_op = size_greater_than( total - offset, i ); unsigned no_op = mbedtls_cf_size_gt( total - offset, i );
/* The first `total - offset` passes are a no-op. The last /* The first `total - offset` passes are a no-op. The last
* `offset` passes shift the data one byte to the left and * `offset` passes shift the data one byte to the left and
* zero out the last byte. */ * zero out the last byte. */
@ -1579,9 +1580,9 @@ static void mem_move_to_left( void *start,
{ {
unsigned char current = buf[n]; unsigned char current = buf[n];
unsigned char next = buf[n+1]; unsigned char next = buf[n+1];
buf[n] = if_int( no_op, current, next ); buf[n] = mbedtls_cf_uint_if( no_op, current, next );
} }
buf[total-1] = if_int( no_op, buf[total-1], 0 ); buf[total-1] = mbedtls_cf_uint_if( no_op, buf[total-1], 0 );
} }
} }
@ -1669,17 +1670,17 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
* If there's a non-0xff byte in the padding, the padding is bad. */ * If there's a non-0xff byte in the padding, the padding is bad. */
for( i = 2; i < ilen; i++ ) for( i = 2; i < ilen; i++ )
{ {
pad_done |= if_int( buf[i], 0, 1 ); pad_done |= mbedtls_cf_uint_if( buf[i], 0, 1 );
pad_count += if_int( pad_done, 0, 1 ); pad_count += mbedtls_cf_uint_if( pad_done, 0, 1 );
bad |= if_int( pad_done, 0, buf[i] ^ 0xFF ); bad |= mbedtls_cf_uint_if( pad_done, 0, buf[i] ^ 0xFF );
} }
} }
/* If pad_done is still zero, there's no data, only unfinished padding. */ /* If pad_done is still zero, there's no data, only unfinished padding. */
bad |= if_int( pad_done, 0, 1 ); bad |= mbedtls_cf_uint_if( pad_done, 0, 1 );
/* There must be at least 8 bytes of padding. */ /* There must be at least 8 bytes of padding. */
bad |= size_greater_than( 8, pad_count ); bad |= mbedtls_cf_size_gt( 8, pad_count );
/* If the padding is valid, set plaintext_size to the number of /* If the padding is valid, set plaintext_size to the number of
* remaining bytes after stripping the padding. If the padding * remaining bytes after stripping the padding. If the padding
@ -1688,23 +1689,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
* buffer. Do it without branches to avoid leaking the padding * buffer. Do it without branches to avoid leaking the padding
* validity through timing. RSA keys are small enough that all the * validity through timing. RSA keys are small enough that all the
* size_t values involved fit in unsigned int. */ * size_t values involved fit in unsigned int. */
plaintext_size = if_int( bad, plaintext_size = mbedtls_cf_uint_if(
(unsigned) plaintext_max_size, bad, (unsigned) plaintext_max_size,
(unsigned) ( ilen - pad_count - 3 ) ); (unsigned) ( ilen - pad_count - 3 ) );
/* Set output_too_large to 0 if the plaintext fits in the output /* Set output_too_large to 0 if the plaintext fits in the output
* buffer and to 1 otherwise. */ * buffer and to 1 otherwise. */
output_too_large = size_greater_than( plaintext_size, output_too_large = mbedtls_cf_size_gt( plaintext_size,
plaintext_max_size ); plaintext_max_size );
/* Set ret without branches to avoid timing attacks. Return: /* Set ret without branches to avoid timing attacks. Return:
* - INVALID_PADDING if the padding is bad (bad != 0). * - INVALID_PADDING if the padding is bad (bad != 0).
* - OUTPUT_TOO_LARGE if the padding is good but the decrypted * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
* plaintext does not fit in the output buffer. * plaintext does not fit in the output buffer.
* - 0 if the padding is correct. */ * - 0 if the padding is correct. */
ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, ret = - (int) mbedtls_cf_uint_if(
if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
0 ) ); mbedtls_cf_uint_if( output_too_large,
- MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
0 ) );
/* If the padding is bad or the plaintext is too large, zero the /* If the padding is bad or the plaintext is too large, zero the
* data that we're about to copy to the output buffer. * data that we're about to copy to the output buffer.
@ -1712,7 +1715,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
* from the same buffer whether the padding is good or not to * from the same buffer whether the padding is good or not to
* avoid leaking the padding validity through overall timing or * avoid leaking the padding validity through overall timing or
* through memory or cache access patterns. */ * through memory or cache access patterns. */
bad = all_or_nothing_int( bad | output_too_large ); bad = mbedtls_cf_uint_mask( bad | output_too_large );
for( i = 11; i < ilen; i++ ) for( i = 11; i < ilen; i++ )
buf[i] &= ~bad; buf[i] &= ~bad;
@ -1720,9 +1723,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
* Copy anyway to avoid revealing the length through timing, because * Copy anyway to avoid revealing the length through timing, because
* revealing the length is as bad as revealing the padding validity * revealing the length is as bad as revealing the padding validity
* for a Bleichenbacher attack. */ * for a Bleichenbacher attack. */
plaintext_size = if_int( output_too_large, plaintext_size = mbedtls_cf_uint_if( output_too_large,
(unsigned) plaintext_max_size, (unsigned) plaintext_max_size,
(unsigned) plaintext_size ); (unsigned) plaintext_size );
/* Move the plaintext to the leftmost position where it can start in /* Move the plaintext to the leftmost position where it can start in
* the working buffer, i.e. make it start plaintext_max_size from * the working buffer, i.e. make it start plaintext_max_size from
@ -1730,9 +1733,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
* does not depend on the plaintext size. After this move, the * does not depend on the plaintext size. After this move, the
* starting location of the plaintext is no longer sensitive * starting location of the plaintext is no longer sensitive
* information. */ * information. */
mem_move_to_left( buf + ilen - plaintext_max_size, mbedtls_cf_mem_move_to_left( buf + ilen - plaintext_max_size,
plaintext_max_size, plaintext_max_size,
plaintext_max_size - plaintext_size ); plaintext_max_size - plaintext_size );
/* Finally copy the decrypted plaintext plus trailing zeros into the output /* Finally copy the decrypted plaintext plus trailing zeros into the output
* buffer. If output_max_len is 0, then output may be an invalid pointer * buffer. If output_max_len is 0, then output may be an invalid pointer

12
library/ssl_invasive.h
View File

@ -65,7 +65,7 @@
* \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED * \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
* The hardware accelerator failed. * The hardware accelerator failed.
*/ */
int mbedtls_ssl_cf_hmac( int mbedtls_cf_hmac(
mbedtls_md_context_t *ctx, mbedtls_md_context_t *ctx,
const unsigned char *add_data, size_t add_data_len, const unsigned char *add_data, size_t add_data_len,
const unsigned char *data, size_t data_len_secret, const unsigned char *data, size_t data_len_secret,
@ -90,11 +90,11 @@ int mbedtls_ssl_cf_hmac(
* \param offset_max The maximal value of \p offset_secret. * \param offset_max The maximal value of \p offset_secret.
* \param len The number of bytes to copy. * \param len The number of bytes to copy.
*/ */
void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst, void mbedtls_cf_memcpy_offset( unsigned char *dst,
const unsigned char *src_base, const unsigned char *src_base,
size_t offset_secret, size_t offset_secret,
size_t offset_min, size_t offset_max, size_t offset_min, size_t offset_max,
size_t len ); size_t len );
#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ #endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
#endif /* MBEDTLS_SSL_INVASIVE_H */ #endif /* MBEDTLS_SSL_INVASIVE_H */

68
library/ssl_msg.c
View File

@ -1055,7 +1055,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
* This function is implemented without using comparison operators, as those * This function is implemented without using comparison operators, as those
* might be translated to branches by some compilers on some platforms. * might be translated to branches by some compilers on some platforms.
*/ */
static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit ) static size_t mbedtls_cf_size_mask( size_t bit )
{ {
/* MSVC has a warning about unary minus on unsigned integer types, /* MSVC has a warning about unary minus on unsigned integer types,
* but this is well-defined and precisely what we want to do here. */ * but this is well-defined and precisely what we want to do here. */
@ -1080,7 +1080,7 @@ static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit )
* This function is implemented without using comparison operators, as those * This function is implemented without using comparison operators, as those
* might be translated to branches by some compilers on some platforms. * might be translated to branches by some compilers on some platforms.
*/ */
static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y ) static size_t mbedtls_cf_size_mask_lt( size_t x, size_t y )
{ {
/* This has the most significant bit set if and only if x < y */ /* This has the most significant bit set if and only if x < y */
const size_t sub = x - y; const size_t sub = x - y;
@ -1089,7 +1089,7 @@ static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y )
const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 ); const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 );
/* mask = (x < y) ? 0xff... : 0x00... */ /* mask = (x < y) ? 0xff... : 0x00... */
const size_t mask = mbedtls_ssl_cf_mask_from_bit( sub1 ); const size_t mask = mbedtls_cf_size_mask( sub1 );
return( mask ); return( mask );
} }
@ -1105,9 +1105,9 @@ static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y )
* This function is implemented without using comparison operators, as those * This function is implemented without using comparison operators, as those
* might be translated to branches by some compilers on some platforms. * might be translated to branches by some compilers on some platforms.
*/ */
static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y ) static size_t mbedtls_cf_size_mask_ge( size_t x, size_t y )
{ {
return( ~mbedtls_ssl_cf_mask_lt( x, y ) ); return( ~mbedtls_cf_size_mask_lt( x, y ) );
} }
/* /*
@ -1116,12 +1116,12 @@ static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y )
* *
* This function can be used to write constant-time code by replacing branches * This function can be used to write constant-time code by replacing branches
* with bit operations - it can be used in conjunction with * with bit operations - it can be used in conjunction with
* mbedtls_ssl_cf_mask_from_bit(). * mbedtls_cf_size_mask().
* *
* This function is implemented without using comparison operators, as those * This function is implemented without using comparison operators, as those
* might be translated to branches by some compilers on some platforms. * might be translated to branches by some compilers on some platforms.
*/ */
static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y ) static size_t mbedtls_cf_size_bool_eq( size_t x, size_t y )
{ {
/* diff = 0 if x == y, non-zero otherwise */ /* diff = 0 if x == y, non-zero otherwise */
const size_t diff = x ^ y; const size_t diff = x ^ y;
@ -1155,14 +1155,14 @@ static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y )
* This function is implemented without using comparison operators, as those * This function is implemented without using comparison operators, as those
* might be translated to branches by some compilers on some platforms. * might be translated to branches by some compilers on some platforms.
*/ */
static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst, static void mbedtls_cf_memcpy_if_eq( unsigned char *dst,
const unsigned char *src, const unsigned char *src,
size_t len, size_t len,
size_t c1, size_t c2 ) size_t c1, size_t c2 )
{ {
/* mask = c1 == c2 ? 0xff : 0x00 */ /* mask = c1 == c2 ? 0xff : 0x00 */
const size_t equal = mbedtls_ssl_cf_bool_eq( c1, c2 ); const size_t equal = mbedtls_cf_size_bool_eq( c1, c2 );
const unsigned char mask = (unsigned char) mbedtls_ssl_cf_mask_from_bit( equal ); const unsigned char mask = (unsigned char) mbedtls_cf_size_mask( equal );
/* dst[i] = c1 == c2 ? src[i] : dst[i] */ /* dst[i] = c1 == c2 ? src[i] : dst[i] */
for( size_t i = 0; i < len; i++ ) for( size_t i = 0; i < len; i++ )
@ -1175,7 +1175,7 @@ static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst,
* Only works with MD-5, SHA-1, SHA-256 and SHA-384. * Only works with MD-5, SHA-1, SHA-256 and SHA-384.
* (Otherwise, computation of block_size needs to be adapted.) * (Otherwise, computation of block_size needs to be adapted.)
*/ */
MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( MBEDTLS_STATIC_TESTABLE int mbedtls_cf_hmac(
mbedtls_md_context_t *ctx, mbedtls_md_context_t *ctx,
const unsigned char *add_data, size_t add_data_len, const unsigned char *add_data, size_t add_data_len,
const unsigned char *data, size_t data_len_secret, const unsigned char *data, size_t data_len_secret,
@ -1231,8 +1231,8 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac(
MD_CHK( mbedtls_md_clone( &aux, ctx ) ); MD_CHK( mbedtls_md_clone( &aux, ctx ) );
MD_CHK( mbedtls_md_finish( &aux, aux_out ) ); MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
/* Keep only the correct inner_hash in the output buffer */ /* Keep only the correct inner_hash in the output buffer */
mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size, mbedtls_cf_memcpy_if_eq( output, aux_out, hash_size,
offset, data_len_secret ); offset, data_len_secret );
if( offset < max_data_len ) if( offset < max_data_len )
MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
@ -1262,7 +1262,7 @@ cleanup:
* - functionally equivalent to memcpy(dst, src + offset_secret, len) * - functionally equivalent to memcpy(dst, src + offset_secret, len)
* - but with execution flow independent from the value of offset_secret. * - but with execution flow independent from the value of offset_secret.
*/ */
MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset( MBEDTLS_STATIC_TESTABLE void mbedtls_cf_memcpy_offset(
unsigned char *dst, unsigned char *dst,
const unsigned char *src_base, const unsigned char *src_base,
size_t offset_secret, size_t offset_secret,
@ -1273,8 +1273,8 @@ MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset(
for( offset = offset_min; offset <= offset_max; offset++ ) for( offset = offset_min; offset <= offset_max; offset++ )
{ {
mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len, mbedtls_cf_memcpy_if_eq( dst, src_base + offset, len,
offset, offset_secret ); offset, offset_secret );
} }
} }
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
@ -1620,7 +1620,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
if( auth_done == 1 ) if( auth_done == 1 )
{ {
const size_t mask = mbedtls_ssl_cf_mask_ge( const size_t mask = mbedtls_cf_size_mask_ge(
rec->data_len, rec->data_len,
padlen + 1 ); padlen + 1 );
correct &= mask; correct &= mask;
@ -1640,7 +1640,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
} }
#endif #endif
const size_t mask = mbedtls_ssl_cf_mask_ge( const size_t mask = mbedtls_cf_size_mask_ge(
rec->data_len, rec->data_len,
transform->maclen + padlen + 1 ); transform->maclen + padlen + 1 );
correct &= mask; correct &= mask;
@ -1696,18 +1696,18 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
/* pad_count += (idx >= padding_idx) && /* pad_count += (idx >= padding_idx) &&
* (check[idx] == padlen - 1); * (check[idx] == padlen - 1);
*/ */
const size_t mask = mbedtls_ssl_cf_mask_ge( idx, padding_idx ); const size_t mask = mbedtls_cf_size_mask_ge( idx, padding_idx );
const size_t equal = mbedtls_ssl_cf_bool_eq( check[idx], const size_t equal = mbedtls_cf_size_bool_eq( check[idx],
padlen - 1 ); padlen - 1 );
pad_count += mask & equal; pad_count += mask & equal;
} }
correct &= mbedtls_ssl_cf_bool_eq( pad_count, padlen ); correct &= mbedtls_cf_size_bool_eq( pad_count, padlen );
#if defined(MBEDTLS_SSL_DEBUG_ALL) #if defined(MBEDTLS_SSL_DEBUG_ALL)
if( padlen > 0 && correct == 0 ) if( padlen > 0 && correct == 0 )
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
#endif #endif
padlen &= mbedtls_ssl_cf_mask_from_bit( correct ); padlen &= mbedtls_cf_size_mask( correct );
} }
else else
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
@ -1791,20 +1791,20 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
const size_t max_len = rec->data_len + padlen; const size_t max_len = rec->data_len + padlen;
const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec, ret = mbedtls_cf_hmac( &transform->md_ctx_dec,
add_data, add_data_len, add_data, add_data_len,
data, rec->data_len, min_len, max_len, data, rec->data_len, min_len, max_len,
mac_expect ); mac_expect );
if( ret != 0 ) if( ret != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret );
return( ret ); return( ret );
} }
mbedtls_ssl_cf_memcpy_offset( mac_peer, data, mbedtls_cf_memcpy_offset( mac_peer, data,
rec->data_len, rec->data_len,
min_len, max_len, min_len, max_len,
transform->maclen ); transform->maclen );
} }
else else
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \

14
tests/suites/test_suite_ssl.function
View File

@ -4428,7 +4428,7 @@ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation,
void ssl_cf_hmac( int hash ) void ssl_cf_hmac( int hash )
{ {
/* /*
* Test the function mbedtls_ssl_cf_hmac() against a reference * Test the function mbedtls_cf_hmac() against a reference
* implementation. * implementation.
*/ */
mbedtls_md_context_t ctx, ref_ctx; mbedtls_md_context_t ctx, ref_ctx;
@ -4487,10 +4487,10 @@ void ssl_cf_hmac( int hash )
/* Get the function's result */ /* Get the function's result */
TEST_CF_SECRET( &in_len, sizeof( in_len ) ); TEST_CF_SECRET( &in_len, sizeof( in_len ) );
TEST_EQUAL( 0, mbedtls_ssl_cf_hmac( &ctx, add_data, sizeof( add_data ), TEST_EQUAL( 0, mbedtls_cf_hmac( &ctx, add_data, sizeof( add_data ),
data, in_len, data, in_len,
min_in_len, max_in_len, min_in_len, max_in_len,
out ) ); out ) );
TEST_CF_PUBLIC( &in_len, sizeof( in_len ) ); TEST_CF_PUBLIC( &in_len, sizeof( in_len ) );
TEST_CF_PUBLIC( out, out_len ); TEST_CF_PUBLIC( out, out_len );
@ -4537,8 +4537,8 @@ void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len )
mbedtls_test_set_step( (int) secret ); mbedtls_test_set_step( (int) secret );
TEST_CF_SECRET( &secret, sizeof( secret ) ); TEST_CF_SECRET( &secret, sizeof( secret ) );
mbedtls_ssl_cf_memcpy_offset( dst, src, secret, mbedtls_cf_memcpy_offset( dst, src, secret,
offset_min, offset_max, len ); offset_min, offset_max, len );
TEST_CF_PUBLIC( &secret, sizeof( secret ) ); TEST_CF_PUBLIC( &secret, sizeof( secret ) );
TEST_CF_PUBLIC( dst, len ); TEST_CF_PUBLIC( dst, len );