Commit Graph

87 Commits

Author SHA1 Message Date
Shelly Liberman
8176022b22 Restore tinycrypt implementation of regularize_k()
The fix is required to prevent array overrun

Signed-off-by: Shelly Liberman <shelly.liberman@arm.com>
2020-10-26 17:35:49 +02:00
Andrzej Kurek
b04208151b
tinycrypt: make asm optimizations optional for baremetal
Disable asm optimizations for strict armcc baremetal builds.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-10-14 19:42:23 +02:00
Andrzej Kurek
db0e50ea70
Introduce MBEDTLS_OPTIMIZE_TINYCRYPT_ASM
Make the ASM optimizations in tinycrypt optional.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-10-14 14:32:50 +02:00
Andrzej Kurek
7e62c31097
Guard the tinycrypt code with MBEDTLS_USE_TINYCRYPT
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-10-14 12:02:40 +02:00
Kevin Bracey
8b2014bdb6 Add .syntax divided markers
Old GCC (pre-5?) natively use divided syntax, so we must put it back
after changing it.

More recent GCCs natively use unified syntax, and themselves are
surrounding our blocks with divided/unified directives for backwards
compatibility, so we don't need to restore for those.

Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-13 10:24:39 +03:00
Kevin Bracey
045e576e02 Adjust fixed-time arithmetic to not use boolean ops
Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-12 18:09:04 +03:00
Kevin Bracey
99c64e142e Use builtin CLZ
Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-12 18:09:04 +03:00
Kevin Bracey
3be252e252 vli_isZero and vli_clear assembly
Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-12 18:09:04 +03:00
Kevin Bracey
4aea62569b More GCC assembly
Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-12 18:09:04 +03:00
Kevin Bracey
06060330d8 Add GCC vli_rshift1 assembly
Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-12 18:09:04 +03:00
Kevin Bracey
0a1884bba4 Use GCC extended assembler
Naked functions and basic assembler don't seem to work reliably - basic
assembler is assumed to not change registers or memory, and there does
not appear to be any special handling of naked functions in this regard.

Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-12 18:09:04 +03:00
Kevin Bracey
e0f88d5140 Add GCC/Clang muladd assembly
Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-12 18:09:04 +03:00
Kevin Bracey
84f31d3eaa Optimise muladd more
Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-12 18:09:04 +03:00
Kevin Bracey
1959c18c69 tinycrypt: Add ARM assembler optimisations
For ARM Compiler 5 only, provide assembler versions of vli_add, vli_sub,
vli_rshift1 and muladd.

Signed-off-by: Kevin Bracey <kevin.bracey@arm.com>
2020-10-12 18:09:04 +03:00
Shelly Liberman
05beb9ac70 replace user rand by platform rand in ecc delays
Signed-off-by: Shelly Liberman <shelly.liberman@arm.com>
2020-09-16 18:58:50 +03:00
Andrzej Kurek
cf3e35cc58
Revert a part of sensitive information duplication from tinycrypt
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-15 22:32:30 -04:00
Andrzej Kurek
0919b142b6
Formatting changes
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-06 15:28:59 -04:00
Andrzej Kurek
74f7d0f03d
Duplicate sensitive buffer and buffer length information
Detect FI attacks on buffer pointers and buffer lengths.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-06 14:28:12 -04:00
Andrzej Kurek
3a0df03364
Increase the Hamming distance of uECC_generate_random_int returns
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-12 06:32:13 -04:00
Andrzej Kurek
090365fe60
Improve the usage of uECC_RNG_Function
Since the mbed TLS implementation of rng wrapper returns the size of random
data generated upon success - check for it explicitly.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-08 11:00:51 -04:00
Andrzej Kurek
478b05c34c
Merge pull request #3355 from AndrzejKurek/fi_error_codes
Change the default value of status variables to an error
2020-06-08 08:57:33 +01:00
Andrzej Kurek
fd56f409b3
Change the default value of status variables to an error
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-05 12:26:07 -04:00
Piotr Nowicki
f0ab6d62ac Added some descriptions of functions
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-27 15:35:44 +02:00
Piotr Nowicki
1a9d33e8c8 Start comparison from a random location in the uECC_vli_equal.
This increases security and increases resistance to the side channel leakage.

Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-27 15:34:49 +02:00
Arto Kinnunen
10a2ffde5d Merge remote-tracking branch 'upstream/pr/2945' into baremetal
* upstream/pr/2945:
  Rename macro MBEDTLS_MAX_RAND_DELAY
  Update signature of mbedtls_platform_random_delay
  Replace mbedtls_platform_enforce_volatile_reads 2
  Replace mbedtls_platform_enforce_volatile_reads
  Add more variation to random delay countermeasure
  Add random  delay to enforce_volatile_reads
  Update comments of mbedtls_platform_random_delay
  Follow Mbed TLS coding style
  Add random delay function to platform_utils
2020-01-17 11:21:16 +02:00
Arto Kinnunen
ac6d226939 Update signature of mbedtls_platform_random_delay
Skip parameter and return value from mbedtls_platform_random_delay
to make it more resistant for FI attacks.
2020-01-09 10:19:07 +02:00
Arto Kinnunen
e91f0dc905 Replace mbedtls_platform_enforce_volatile_reads
Replace function mbedtls_platform_enforce_volatile_reads() with
mbedtls_platform_random_delay().
2020-01-07 10:47:58 +02:00
Teppo Järvelin
0b1d7d946d Coverity fix: dead error condition removed from ecc.c 2020-01-05 12:02:04 +02:00
Simon Butcher
e76c638d6f Merge remote-tracking branch 'public/pr/2925' into baremetal 2019-12-13 14:51:29 +00:00
Manuel Pégourié-Gonnard
645896e0ea Fix undefined order of volatile access
Found by the IAR compiler.

While at it, make 'diff' non-volatile in uECC_check_curve_integrity(), as
there is no good reason to make it volatile, and making it volatile only
increases the code size and the burden of defining access ordering.
2019-12-05 16:02:17 +01:00
Simon Butcher
5b45c6e1b3 Merge remote-tracking branch 'public/pr/2932' into baremetal 2019-12-05 14:32:31 +00:00
Jarno Lamsa
83d7881cec Make VS compiler happy
It doesn't seem to like using unary - to unsigned values.
2019-12-04 14:40:57 +02:00
Manuel Pégourié-Gonnard
e1cb8846e7 Add loop integrity check to curve param check
Also make the reference result static const while at it.
2019-11-28 12:21:34 +01:00
Manuel Pégourié-Gonnard
5c3066a4f6 Add double-checking in some critical places 2019-11-27 13:01:10 +01:00
Manuel Pégourié-Gonnard
98e1fe0796 Add flow control in uECC_vli_equal loop 2019-11-27 12:52:54 +01:00
Manuel Pégourié-Gonnard
9d6a535ba1 Return and propagate UECC_FAULT_DETECTED
This commit first changes the return convention of EccPoint_mult_safer() so
that it properly reports when faults are detected. Then all functions that
call it need to be changed to (1) follow the same return convention and (2)
properly propagate UECC_FAULT_DETECTED when it occurs.

Here's the reverse call graph from EccPoint_mult_safer() to the rest of the
library (where return values are translated to the MBEDTLS_ERR_ space) and test
functions (where expected return values are asserted explicitly).

EccPoint_mult_safer()
    EccPoint_compute_public_key()
        uECC_compute_public_key()
            pkparse.c
            tests/suites/test_suite_pkparse.function
        uECC_make_key_with_d()
        uECC_make_key()
            ssl_cli.c
            ssl_srv.c
            tests/suites/test_suite_pk.function
            tests/suites/test_suite_tinycrypt.function
    uECC_shared_secret()
        ssl_tls.c
        tests/suites/test_suite_tinycrypt.function
    uECC_sign_with_k()
        uECC_sign()
            pk.c
            tests/suites/test_suite_tinycrypt.function

Note: in uECC_sign_with_k() a test for uECC_vli_isZero(p) is suppressed
because it is redundant with a more thorough test (point validity) done at the
end of EccPoint_mult_safer(). This redundancy was introduced in a previous
commit but not noticed earlier.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
2b90961b8d Add integrity check for curve parameters
We don't really need a secure hash for that, something like CRC32 would
probably be enough - but we have SHA-256 handy, not CRC32, so use that for the
sake of simplicity.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
1a5337179f Remove curve parameter from public functions 2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
be5f833c9c Remove curve parameter from (semi-)internal functions
By semi-internal I mean functions that are only public because they're used in
more than once compilation unit in the library (for example in ecc.c and
ecc_dsa.c) but should not really be part of the public-facing API.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
bc3f49011a Remove struct curve entirely 2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
ffd13996fd Move b from curve structure to its own constant
Same motivation as for the other parameters. This is the last one, making the
curve structure empty, so it's left with a dummy parameter for legal reasons.
2019-11-26 12:54:04 +01:00
Manuel Pégourié-Gonnard
a6115087a0 Move G from struct curve to its own constant 2019-11-26 12:53:13 +01:00
Manuel Pégourié-Gonnard
356d8594d7 Move n from struct curve to its own constant 2019-11-26 12:52:57 +01:00
Manuel Pégourié-Gonnard
4d8777cbb6 Move p from curve structure to its own constant
This removes an indirection, which both makes the code smaller and decreases
the number of glitching opportunities for an attacker.
2019-11-26 12:51:58 +01:00
Simon Butcher
35e535a74a Remove TinyCrypt config condition in source files
This commit removes from the TinyCrypt header and source code files, the
configuration condition on MBEDTLS_USE_TINYCRYPT to include the file
contents.

This is to allow use of the library by the Factory Tool without enabling
MBEDTLS_USE_TINYCRYPT, and also removes a modification we've made to make the
code closer to the upstream TinyCrypt making it easier to maintain.
2019-11-21 17:54:16 +00:00
Manuel Pégourié-Gonnard
30833f2a07 Remove num_n_bits member from curve structure 2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard
72c1764c00 Remove num_bytes member from curve structure
Reduces code size and size of the structure.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard
1765933ab2 Remove num_words member from curve structure
Saves code size, and makes the curve structure simpler.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard
1c6f7eae2d Remove function pointers from curve structure
They're not needed in practice, and removing them decreases the code size
slightly and provides less opportunities for an attacker.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard
e714332563 Add pre and post-validation to mult_safer()
Validating the input is always a good idea. Validating the output protects
against some fault injections that would make the result invalid.

Note: valid_point() implies that the point is not zero.

Adding validation to mult_safer() makes it redundant in
compute_shared_secret().
2019-11-21 15:37:22 +01:00