Note a possible microoptimization in mbedtls_mpi_mul_hlp that I tried
in the hope of reducing the number of allocations, but turned out to
be counterproductive.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Rewrite mbedtls_mpi_mul_int to call mpi_mul_hlp directly rather than
create a temporary mpi object. This has the benefit of not performing
an allocation when the multiplication is in place (mpi operand aliased
with the result) and the result mpi is large enough.
This saves about 40% of the calloc() calls in test_suite_ecp. There is
no measurable performance difference on my Linux PC.
The cost is a few bytes in bignum.o.
When there is no aliasing, or when there is aliasing but the mpi
object needs to be enlarged, the performance difference is negligible.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_mpi_sub_abs systematically allocated a new mpi when the result
was aliased with the right operand (i.e. X = A - X). This aliasing
very commonly happens during ECP operations. Rewrite the function to
allocate only if the result might not fit otherwise.
This costs a few bytes of code size in bignum.o, and might make
mbedtls_mpi_sub_abs very very slightly slower when no reallocation is
done. However, there is a substantial performance gain in ECP
operations with Montgomery curves (10-20% on my PC).
test_suite_ecp drops from 1422794 to 1271506 calls to calloc().
This commit also fixes a bug whereby mbedtls_mpi_sub_abs would leak
memory when X == B (so TB was in use) and the result was negative.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Reduce the code size, stack consumption and heap consumption in
fix_negative by encoding the special-case subtraction manually.
* Code size: ecp_curves.o goes down from 7837B down to 7769 in a
sample Cortex-M0 build with all curves enabled. The savings come
from not having to set up C in INIT (which is used many times) and
from not having to catch errors in fix_negative.
* Stack consumption: get rid of C on the stack.
* Heap: mbedtls_mpi_sub_abs with destination == second operand would
make a heap allocation. The new code doesn't do any heap allocation.
* Performance: no measurable difference.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If you pass a curve name to the benchmark program, the ECDH and ECDSA
benchmarks will only run for that particular curve. By default, all
curves are benchmarked.
To simplify the implementation, if you pass multiple curves, only the
last one will be benchmarked.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
fix_negative allocates memory for its result. The calling site didn't
check the return value, so an out-of-memory error could lead to an
incorrect calculation. Fix this.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix a memory leak in mbedtls_mpi_sub_abs when the output parameter is
aliased to the second operand (X = A - X) and the result is negative.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Run all the addition and subtraction tests with the result aliased to
the first operand and with the result aliased to the second operand.
Before, only some of the aliasing possibilities were tested, for only
some of the functions, with only some inputs.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The previous revision of guards around SHA_224 and SHA_384 were not
correct. This set of changes ensures the proper code is available
when SHA_224 and SHA_384 are enabled for use.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Removed unecessary checks on the ALG_SHA_224 and ALG_SHA_384 since
those are handled in config_psa.h by ensuring the correct _C is
included. Reformatted config_psa.h to be alphabetical and made the
assignments line up correctly for consistency. Fixed the guards
for ALG_SHA_224 and ALG_SHA_384 to be correct in the crypto library
source.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Due to a misplaced #endif, the (non-functional) macro definitions were
not properly removed from crypto_compat.h if MBEDTLS_DEPRECATED_REMOVED
was declared.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
New tests have been added for all the hash algorithms to
confirm they compile correctly when using PSA_WANT and
accelerator guards.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
This set of changes converts all the previous MBEDTLS_*_C guards in
the crypto library to use the new MBEDTLS_PSA_BUILTIN_ guards for
hash algorithms.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
With the addition of hash algorithms to crypto config there
are new dependencies for SHA224 and SHA384 that need to be confirmed
for those hashes to be used.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
When MBEDTLS_PSA_CRYPTO_CONFIG is disabled, if an Mbed TLS crypto
feature is enabled, declare the corresponding PSA feature as enabled,
in addition to enabling its software implementation. This is necessary
for code that uses PSA APIs and relies on PSA_WANT_xxx symbols to know
which features are enabled (application code, our library code using
MBEDTLS_USE_PSA_CRYPTO, our test dependencies, etc.).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_ctr_drbg_set_reseed_interval() and
mbedtls_hmac_drbg_set_reseed_interval() can now be called before
their seed functions and the reseed_interval value will persist.
Previously it would be overwritten with the default value.
*_drbg_reseed_interval is now set in init() and free().
mbedtls_ctr_drbg_free() and mbedtls_hmac_drbg_free() now
reset the drbg context to the state immediately after init().
Tests:
- Added test to check that DRBG reseeds when reseed_counter
reaches reseed_interval, if reseed_interval set before seed
and reseed_interval is less than MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
Signed-off-by: gacquroff <gavina352@gmail.com>
`finish_sha384_t` was made more generic by using `unsigned char*`
instead of `unsigned char[48]` as the second parameter.
This change tries to make the function casting more robust against
future improvements of gcc analysis.
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
This commit fixes the same warning fixed by baeedbf9, but without
wasting RAM. By casting `mbedtls_sha512_finish_ret()`, `padbuf`
could be kept 48 bytes long without triggering any warnings.
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
GCC 11 generated a warning because `padbuf` was too small to be
used as an argument for `mbedtls_sha512_finish_ret`. The `output`
parameter of `mbedtls_sha512_finish_ret` has the type
`unsigned char[64]`, but `padbuf` was only 48 bytes long.
Even though `ssl_calc_finished_tls_sha384` uses only 48 bytes for
the hash output, the size of `padbuf` was increased to 64 bytes.
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
GCC 11 generated the warnings because the parameter `ret_buf`
was declared as `const char[10]`, but some of the arguments
provided in `run_test_snprintf` are shorter literals, like "".
Now the type of `ret_buf` is `const char *`.
Both implementations of `test_snprintf` were fixed.
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
In GCC 11, parameters declared as arrays in function prototypes
cannot be declared as pointers in the function definition. The
same is true for the other way around.
The definition of `mbedtls_aes_cmac_prf_128` was changed to match
its public prototype in `cmac.h`. The type `output` was
`unsigned char *`, now is `unsigned char [16]`.
In `ssl_tls.c`, all the `ssl_calc_verify_*` variants now use pointers
for the output `hash` parameter. The array parameters were removed
because those functions must be compatible with the function pointer
`calc_verify` (defined in `ssl_internal.h`).
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
Rework the section describing key import, in particular to clarify key
size determination and checking. There is no intended semantic change.
Note an open question around support for implementation-specific
import formats.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>