From 6a9fb932fbb0ecc804731c8f750d665807fb5f5f Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Wed, 16 Aug 2023 17:50:36 +0100
Subject: [PATCH 01/16] Use MBEDTLS_GET_UINT16_BE in mbedtls_ecp_tls_read_group_id
Signed-off-by: Dave Rodgman
---
 library/ecp.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/library/ecp.c b/library/ecp.c
index f9b6672e9..5f2a7b0c0 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -958,9 +958,8 @@ int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
 /*
 * Next two bytes are the namedcurve value
 */
- tls_id = *(*buf)++;
- tls_id <<= 8;
- tls_id |= *(*buf)++;
+ tls_id = MBEDTLS_GET_UINT16_BE(*buf, 0);
+ *buf += 2;
 if ((curve_info = mbedtls_ecp_curve_info_from_tls_id(tls_id)) == NULL) {
 return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
From 58c8b942d2b04fd4db58bd4b27b79cb23b960067 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Wed, 16 Aug 2023 17:51:04 +0100
Subject: [PATCH 02/16] Eliminate redundant version of mbedtls_ct_memcmp
Signed-off-by: Dave Rodgman
---
 library/psa_crypto_core.h | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 8bc1b647c..6d4476844 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -21,6 +21,8 @@
 #ifndef PSA_CRYPTO_CORE_H
 #define PSA_CRYPTO_CORE_H
+#include "mbedtls/constant_time.h"
+
 #include "mbedtls/build_info.h"
 #include "psa/crypto.h"
@@ -49,14 +51,7 @@ int psa_can_do_hash(psa_algorithm_t hash_alg);
 static inline int mbedtls_psa_safer_memcmp(
 const uint8_t *a, const uint8_t *b, size_t n)
 {
- size_t i;
- unsigned char diff = 0;
-
- for (i = 0; i < n; i++) {
- diff |= a[i] ^ b[i];
- }
-
- return diff;
+ return mbedtls_ct_memcmp(a, b, n);
 }
 /** The data structure representing a key slot, containing key material
From 164614af3d54543153c14bb512f81ef91ce77a85 Mon Sep 17 00:00:00 2001
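Review bot: `tls_id = MBEDTLS_GET_UINT16_BE(*buf, 0);` followed by `*buf += 2;` reads two bytes unconditionally, so it is only safe if the length check earlier in mbedtls_ecp_tls_read_group_id (the function begins before this hunk and is not visible here) still guarantees at least two remaining bytes at this point; please confirm that check is intact, since the old per-byte increments gave the same exposure but made the two reads explicit. A one-line comment above the read, worded to match the actual check, e.g. `/* Two bytes are available here: the remaining length was checked on entry */`, would make the dependency visible to the next reader. The value itself is unchanged: the removed shift-and-or sequence also assembled a big-endian 16-bit id.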
From: Dave Rodgman
Date: Wed, 16 Aug 2023 17:56:28 +0100
Subject: [PATCH 03/16] Reduce code-size to access key slots init flag
Signed-off-by: Dave Rodgman
---
 library/psa_crypto_slot_management.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index a10cb2b47..ef285acb1 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -38,7 +38,7 @@
 typedef struct {
 psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
- unsigned key_slots_initialized : 1;
+ uint8_t key_slots_initialized;
 } psa_global_data_t;
 static psa_global_data_t global_data;
From 864f594acc7c20315201ae6dde4b8e09b36d070b Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Wed, 16 Aug 2023 18:04:44 +0100
Subject: [PATCH 04/16] Adjust layout of some stucts
Signed-off-by: Dave Rodgman
---
 include/mbedtls/entropy.h | 2 +-
 library/psa_crypto.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h
index e17245efd..c2bba41d2 100644
--- a/include/mbedtls/entropy.h
+++ b/include/mbedtls/entropy.h
@@ -115,10 +115,10 @@ mbedtls_entropy_source_state;
 * \brief Entropy context structure
 */
 typedef struct mbedtls_entropy_context {
+ mbedtls_md_context_t MBEDTLS_PRIVATE(accumulator);
 int MBEDTLS_PRIVATE(accumulator_started); /* 0 after init.
 * 1 after the first update.
 * -1 after free. */
- mbedtls_md_context_t MBEDTLS_PRIVATE(accumulator);
 int MBEDTLS_PRIVATE(source_count); /* Number of entries used in source. */
 mbedtls_entropy_source_state MBEDTLS_PRIVATE(source)[MBEDTLS_ENTROPY_MAX_SOURCES];
 #if defined(MBEDTLS_THREADING_C)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 2b9eca8f2..0a5ecc857 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
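Review bot: Replacing `unsigned key_slots_initialized : 1` with `uint8_t key_slots_initialized` widens the field from one bit to eight, so it now keeps whatever value is stored rather than only the low bit; every write and test of this flag lives outside the hunk, so please confirm they all store 0 or 1 and test for zero/non-zero rather than `== 1`. The same applies to `initialized`, `rng_state` and `drivers_initialized` in the PATCH 04 hunk of library/psa_crypto.c at @@ -104,9, where the visible `#define RNG_SEEDED 2` at least shows the state values fit in a byte. A short comment on the new field, e.g. `uint8_t key_slots_initialized; /* 0 or 1; a byte is cheaper to access than a bit-field */`, would record why the bit-field was dropped and which values are valid.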
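Review bot: Moving `accumulator` ahead of `accumulator_started` changes the layout of `mbedtls_entropy_context`, which is defined in an installed public header, so code built against the previous header will disagree with the library about field offsets; if the project's ABI policy calls for it, this deserves a ChangeLog entry. The same holds for the `mbedtls_sha256_context` reorder in PATCH 07 and the `mbedtls_ccm_context` reorder, together with the widening of `q` and `mode` to `unsigned int`, in PATCH 08. The three-line comment attached to `accumulator_started` still describes that field correctly after the move.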
@@ -104,9 +104,9 @@ static int key_type_is_raw_bytes(psa_key_type_t type)
 #define RNG_SEEDED 2
 typedef struct {
- unsigned initialized : 1;
- unsigned rng_state : 2;
- unsigned drivers_initialized : 1;
+ uint8_t initialized;
+ uint8_t rng_state;
+ uint8_t drivers_initialized;
 mbedtls_psa_random_context_t rng;
 } psa_global_data_t;
From 6f6820345a8ceabfda3f3d57c4284c27f0500cfc Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Wed, 16 Aug 2023 18:44:32 +0100
Subject: [PATCH 05/16] add #ifdefs to reduce switch size
Signed-off-by: Dave Rodgman
---
 library/psa_crypto.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 0a5ecc857..c3b8335ae 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -392,45 +392,71 @@ psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
 size_t *bits)
 {
 switch (grpid) {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
 case MBEDTLS_ECP_DP_SECP192R1:
 *bits = 192;
 return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
 case MBEDTLS_ECP_DP_SECP224R1:
 *bits = 224;
 return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
 case MBEDTLS_ECP_DP_SECP256R1:
 *bits = 256;
 return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
 case MBEDTLS_ECP_DP_SECP384R1:
 *bits = 384;
 return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
 case MBEDTLS_ECP_DP_SECP521R1:
 *bits = 521;
 return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
 case MBEDTLS_ECP_DP_BP256R1:
 *bits = 256;
 return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
 case MBEDTLS_ECP_DP_BP384R1:
 *bits = 384;
 return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
 case MBEDTLS_ECP_DP_BP512R1:
 *bits = 512;
 return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
 case MBEDTLS_ECP_DP_CURVE25519:
 *bits = 255;
 return PSA_ECC_FAMILY_MONTGOMERY;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
 case MBEDTLS_ECP_DP_SECP192K1:
 *bits = 192;
 return PSA_ECC_FAMILY_SECP_K1;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
 case MBEDTLS_ECP_DP_SECP224K1:
 *bits = 224;
 return PSA_ECC_FAMILY_SECP_K1;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
 case MBEDTLS_ECP_DP_SECP256K1:
 *bits = 256;
 return PSA_ECC_FAMILY_SECP_K1;
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
 case MBEDTLS_ECP_DP_CURVE448:
 *bits = 448;
 return PSA_ECC_FAMILY_MONTGOMERY;
+#endif
 default:
 *bits = 0;
 return 0;
From 509b567911279915fda0d0400420871dc5a9d564 Mon Sep 17 00:00:00 2001
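Review bot: With the new `#if defined(MBEDTLS_ECP_DP_*_ENABLED)` guards, a group id for a curve that is compiled out now reaches `default` and yields `*bits = 0` and family 0, the same result as an unknown id; as far as I can tell the `MBEDTLS_ECP_DP_*` enumerators stay defined whatever the configuration, so callers can still pass such ids. That is a behaviour change for any caller that relied on getting the family and size of a disabled curve (for instance to report a more specific error), so please check the callers of mbedtls_ecc_group_to_psa and note the new contract in the function's doc comment, which sits outside this hunk, e.g. `Returns 0 and sets *bits to 0 both for unknown ids and for curves not enabled in this build.`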
From: Dave Rodgman
Date: Wed, 16 Aug 2023 19:26:23 +0100
Subject: [PATCH 06/16] add ifdefs to reduce size of mbedtls_to_psa_error
Signed-off-by: Dave Rodgman
---
 library/psa_crypto.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index c3b8335ae..94139afaa 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -152,9 +152,13 @@ psa_status_t mbedtls_to_psa_error(int ret)
 case 0:
 return PSA_SUCCESS;
+#if defined(PSA_WANT_KEY_TYPE_AES)
 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
 return PSA_ERROR_NOT_SUPPORTED;
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C)
 case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
 case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
 case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
@@ -165,26 +169,36 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_INSUFFICIENT_MEMORY;
 case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
 return PSA_ERROR_BUFFER_TOO_SMALL;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
 #if defined(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA)
 case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
 #endif
 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
 return PSA_ERROR_NOT_SUPPORTED;
+#endif
+#if defined(PSA_WANT_ALG_CCM)
 case MBEDTLS_ERR_CCM_BAD_INPUT:
 return PSA_ERROR_INVALID_ARGUMENT;
 case MBEDTLS_ERR_CCM_AUTH_FAILED:
 return PSA_ERROR_INVALID_SIGNATURE;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
 case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
 return PSA_ERROR_INVALID_ARGUMENT;
+#endif
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
 case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
 return PSA_ERROR_BAD_STATE;
 case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
 return PSA_ERROR_INVALID_SIGNATURE;
+#endif
+#if defined(MBEDTLS_CIPHER_C)
 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
 return PSA_ERROR_NOT_SUPPORTED;
 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
@@ -199,6 +213,7 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_INVALID_SIGNATURE;
 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
 return PSA_ERROR_CORRUPTION_DETECTED;
+#endif
 #if !(defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \
 defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE))
@@ -213,20 +228,24 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_INSUFFICIENT_ENTROPY;
 #endif
+#if defined(PSA_WANT_KEY_TYPE_DES)
 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
 return PSA_ERROR_NOT_SUPPORTED;
+#endif
 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
 return PSA_ERROR_INSUFFICIENT_ENTROPY;
+#if defined(PSA_WANT_ALG_GCM)
 case MBEDTLS_ERR_GCM_AUTH_FAILED:
 return PSA_ERROR_INVALID_SIGNATURE;
 case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL:
 return PSA_ERROR_BUFFER_TOO_SMALL;
 case MBEDTLS_ERR_GCM_BAD_INPUT:
 return PSA_ERROR_INVALID_ARGUMENT;
+#endif
 #if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
 defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
@@ -241,17 +260,24 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_INSUFFICIENT_ENTROPY;
 #endif
+#if defined(MBEDTLS_MD_C)
 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
 return PSA_ERROR_NOT_SUPPORTED;
 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
 return PSA_ERROR_INVALID_ARGUMENT;
 case MBEDTLS_ERR_MD_ALLOC_FAILED:
 return PSA_ERROR_INSUFFICIENT_MEMORY;
+#if defined(MBEDTLS_FS_IO)
 case MBEDTLS_ERR_MD_FILE_IO_ERROR:
 return PSA_ERROR_STORAGE_FAILURE;
+#endif
+#endif
+#if defined(MBEDTLS_BIGNUM_C)
+#if defined(MBEDTLS_FS_IO)
 case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
 return PSA_ERROR_STORAGE_FAILURE;
+#endif
 case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
 return PSA_ERROR_INVALID_ARGUMENT;
 case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
@@ -266,14 +292,19 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_INVALID_ARGUMENT;
 case MBEDTLS_ERR_MPI_ALLOC_FAILED:
 return PSA_ERROR_INSUFFICIENT_MEMORY;
+#endif
+#if defined(MBEDTLS_PK_C)
 case MBEDTLS_ERR_PK_ALLOC_FAILED:
 return PSA_ERROR_INSUFFICIENT_MEMORY;
 case MBEDTLS_ERR_PK_TYPE_MISMATCH:
 case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
 return PSA_ERROR_INVALID_ARGUMENT;
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_FS_IO) || \
+ defined(MBEDTLS_PSA_ITS_FILE_C)
 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
 return PSA_ERROR_STORAGE_FAILURE;
+#endif
 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
 return PSA_ERROR_INVALID_ARGUMENT;
@@ -292,12 +323,14 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_INVALID_SIGNATURE;
 case MBEDTLS_ERR_PK_BUFFER_TOO_SMALL:
 return PSA_ERROR_BUFFER_TOO_SMALL;
+#endif
 case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
 return PSA_ERROR_HARDWARE_FAILURE;
 case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
 return PSA_ERROR_NOT_SUPPORTED;
+#if defined(MBEDTLS_RSA_C)
 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
 return PSA_ERROR_INVALID_ARGUMENT;
 case MBEDTLS_ERR_RSA_INVALID_PADDING:
@@ -315,7 +348,9 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_BUFFER_TOO_SMALL;
 case MBEDTLS_ERR_RSA_RNG_FAILED:
 return PSA_ERROR_INSUFFICIENT_ENTROPY;
+#endif
+#if defined(MBEDTLS_ECP_C)
 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
 case MBEDTLS_ERR_ECP_INVALID_KEY:
 return PSA_ERROR_INVALID_ARGUMENT;
@@ -331,8 +366,11 @@ psa_status_t mbedtls_to_psa_error(int ret)
 case MBEDTLS_ERR_ECP_RANDOM_FAILED:
 return PSA_ERROR_INSUFFICIENT_ENTROPY;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
 case MBEDTLS_ERR_ECP_IN_PROGRESS:
 return PSA_OPERATION_INCOMPLETE;
+#endif
+#endif
 case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
 return PSA_ERROR_CORRUPTION_DETECTED;
From 2aaf888e0bb5e560c8d1770e14a3907d6ad7a08d Mon Sep 17 00:00:00 2001
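Review bot: The guard added around `MBEDTLS_ERR_PK_FILE_IO_ERROR` in the @@ -266,14 hunk, `MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_FS_IO || MBEDTLS_PSA_ITS_FILE_C`, is wider than the `#if defined(MBEDTLS_FS_IO)` used for the MD and MPI file-I/O errors in the preceding hunk; as far as I know the PK file-I/O error is only raised by the file-loading helpers that themselves require MBEDTLS_FS_IO, so `#if defined(MBEDTLS_FS_IO)` would be consistent and the two storage macros add nothing. More generally, every case compiled out by these guards now falls to the function's `default` branch, which lies outside the visible hunks, so a code that still reaches this function in a configuration where its guard is false will be reported as that default status rather than its specific PSA status. A comment at the top of the switch stating that each guard mirrors the module that can emit the codes beneath it would help future editors keep the two in sync.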
From: Dave Rodgman
Date: Wed, 16 Aug 2023 19:48:10 +0100
Subject: [PATCH 07/16] Adjust struct layout for small size win
Signed-off-by: Dave Rodgman
---
 include/mbedtls/sha256.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h
index 87e5cc61a..87e259f5b 100644
--- a/include/mbedtls/sha256.h
+++ b/include/mbedtls/sha256.h
@@ -50,9 +50,9 @@ extern "C" {
 * made in the call to mbedtls_sha256_starts().
 */
 typedef struct mbedtls_sha256_context {
+ unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< The data block being processed. */
 uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */
 uint32_t MBEDTLS_PRIVATE(state)[8]; /*!< The intermediate digest state. */
- unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< The data block being processed. */
 int MBEDTLS_PRIVATE(is224); /*!< Determines which function to use:
 0: Use SHA-256, or 1: Use SHA-224. */
 }
From f4efd19dd0d83326f2137daa2e79f9a5e6bf3c78 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Wed, 16 Aug 2023 19:54:41 +0100
Subject: [PATCH 08/16] Reduce code size in ccm
Signed-off-by: Dave Rodgman
---
 include/mbedtls/ccm.h | 11 +++++------
 library/ccm.c | 1 -
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h
index 6c2255281..a1f601ff6 100644
--- a/include/mbedtls/ccm.h
+++ b/include/mbedtls/ccm.h
@@ -77,7 +77,8 @@ extern "C" {
 typedef struct mbedtls_ccm_context {
 unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */
 unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */
- mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
+ int MBEDTLS_PRIVATE(state); /*!< Working value holding context's
+ state. Used for chunked data input */
 size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */
 size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */
 size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */
@@ -87,15 +88,13 @@ typedef struct mbedtls_ccm_context {
 and plaintext/ciphertext. This variable is set to zero after auth data input is finished. */
- unsigned char MBEDTLS_PRIVATE(q); /*!< The Q working value */
- unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform:
+ unsigned int MBEDTLS_PRIVATE(q); /*!< The Q working value */
+ unsigned int MBEDTLS_PRIVATE(mode); /*!< The operation to perform:
 #MBEDTLS_CCM_ENCRYPT or
 #MBEDTLS_CCM_DECRYPT or
 #MBEDTLS_CCM_STAR_ENCRYPT or
 #MBEDTLS_CCM_STAR_DECRYPT. */
- int MBEDTLS_PRIVATE(state); /*!< Working value holding context's
- state. Used for chunked data
- input */
+ mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
 } mbedtls_ccm_context;
diff --git a/library/ccm.c b/library/ccm.c
index cd689c806..bc613762d 100644
--- a/library/ccm.c
+++ b/library/ccm.c
@@ -400,7 +400,6 @@ int mbedtls_ccm_update(mbedtls_ccm_context *ctx,
 mbedtls_xor(ctx->y + offset, ctx->y + offset, local_output, use_len);
 memcpy(output, local_output, use_len);
- mbedtls_platform_zeroize(local_output, 16);
 if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
 if ((ret =
From 787011542bafd1c9cab2e95a0a04b0eee5eb2481 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Tue, 29 Aug 2023 14:20:18 +0100
Subject: [PATCH 09/16] Fully replace mbedtls_psa_safer_memcmp
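Review bot: Dropping `mbedtls_platform_zeroize(local_output, 16);` in the library/ccm.c hunk leaves the block just decrypted into `local_output` sitting in the stack frame after mbedtls_ccm_update returns, until something else overwrites it; the bytes are copied to the caller's `output` anyway, but the library's practice elsewhere is to wipe plaintext scratch buffers, so if the removal is kept it deserves a comment saying that this residue is accepted and why. If the motivation is code size, one wipe on the function's exit path, `mbedtls_platform_zeroize(local_output, sizeof(local_output));` placed just before the final return (the buffer's declaration and the exit label are outside this hunk), replaces the per-block call with a single one and keeps the previous behaviour.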
Signed-off-by: Dave Rodgman
---
 library/psa_crypto.c | 7 ++++---
 library/psa_crypto_core.h | 14 --------------
 library/psa_crypto_mac.c | 3 ++-
 .../psa_crypto_driver_wrappers.c.jinja | 3 ++-
 4 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 94139afaa..9582f1933 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -64,6 +64,7 @@
 #include "mbedtls/cipher.h"
 #include "mbedtls/ccm.h"
 #include "mbedtls/cmac.h"
+#include "mbedtls/constant_time.h"
 #include "mbedtls/des.h"
 #include "mbedtls/ecdh.h"
 #include "mbedtls/ecp.h"
@@ -2420,7 +2421,7 @@ psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
 goto exit;
 }
- if (mbedtls_psa_safer_memcmp(hash, actual_hash, actual_hash_length) != 0) {
+ if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
 status = PSA_ERROR_INVALID_SIGNATURE;
 }
@@ -2469,7 +2470,7 @@ psa_status_t psa_hash_compare(psa_algorithm_t alg,
 status = PSA_ERROR_INVALID_SIGNATURE;
 goto exit;
 }
- if (mbedtls_psa_safer_memcmp(hash, actual_hash, actual_hash_length) != 0) {
+ if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
 status = PSA_ERROR_INVALID_SIGNATURE;
 }
@@ -2851,7 +2852,7 @@ psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
 status = PSA_ERROR_INVALID_SIGNATURE;
 goto exit;
 }
- if (mbedtls_psa_safer_memcmp(mac, actual_mac, actual_mac_length) != 0) {
+ if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) {
 status = PSA_ERROR_INVALID_SIGNATURE;
 goto exit;
 }
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 6d4476844..4e28f3080 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -40,20 +40,6 @@
 */
 int psa_can_do_hash(psa_algorithm_t hash_alg);
-/** Constant-time buffer comparison
- *
- * \param[in] a Left-hand buffer for comparison.
- * \param[in] b Right-hand buffer for comparison.
- * \param n Amount of bytes to compare.
- *
- * \return 0 if the buffer contents are equal, non-zero otherwise
- */
-static inline int mbedtls_psa_safer_memcmp(
- const uint8_t *a, const uint8_t *b, size_t n)
-{
- return mbedtls_ct_memcmp(a, b, n);
-}
-
 /** The data structure representing a key slot, containing key material
 * and metadata for one key.
 */
diff --git a/library/psa_crypto_mac.c b/library/psa_crypto_mac.c
index 07f123ee0..2f2c51dce 100644
--- a/library/psa_crypto_mac.c
+++ b/library/psa_crypto_mac.c
@@ -29,6 +29,7 @@
 #include
 #include
+#include "mbedtls/constant_time.h"
 #include
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
@@ -453,7 +454,7 @@ psa_status_t mbedtls_psa_mac_verify_finish(
 goto cleanup;
 }
- if (mbedtls_psa_safer_memcmp(mac, actual_mac, mac_length) != 0) {
+ if (mbedtls_ct_memcmp(mac, actual_mac, mac_length) != 0) {
 status = PSA_ERROR_INVALID_SIGNATURE;
 }
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index 3ecd74d7c..1b5206625 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -32,6 +32,7 @@
 #include "psa_crypto_rsa.h"
 #include "mbedtls/platform.h"
+#include "mbedtls/constant_time.h"
 /* END-common headers */
 #if defined(MBEDTLS_PSA_CRYPTO_C)
@@ -2253,7 +2254,7 @@ psa_status_t psa_driver_wrapper_aead_verify(
 if( status == PSA_SUCCESS )
 {
 if( tag_length != check_tag_length ||
- mbedtls_psa_safer_memcmp( tag, check_tag, tag_length )
+ mbedtls_ct_memcmp( tag, check_tag, tag_length )
 != 0 )
 status = PSA_ERROR_INVALID_SIGNATURE;
 }
From 33e1f42307e8cc761c425126463ca8d117e9495e Mon Sep 17 00:00:00 2001
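Review bot: Deleting `mbedtls_psa_safer_memcmp` from library/psa_crypto_core.h removes a helper that was used outside library/ as well; the in-tree test driver needed the separate PATCH 10 to keep building, which suggests any out-of-tree driver that includes this header and calls the helper will break the same way. If driver authors are expected to consume psa_crypto_core.h, consider keeping a one-line deprecated forwarder for a release, `static inline int mbedtls_psa_safer_memcmp(const uint8_t *a, const uint8_t *b, size_t n) { return mbedtls_ct_memcmp(a, b, n); }` with the header it needs, or at least mention the removal in the migration notes. The replacement calls themselves are fine: the visible callers check the lengths for equality before comparing, so mbedtls_ct_memcmp is never asked to compare buffers of different sizes.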
From: Dave Rodgman
Date: Tue, 29 Aug 2023 18:17:29 +0100
Subject: [PATCH 10/16] Fix use of mbedtls_psa_safer_memcmp in test code
Signed-off-by: Dave Rodgman
---
 tests/src/drivers/test_driver_aead.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/src/drivers/test_driver_aead.c b/tests/src/drivers/test_driver_aead.c
index 8eb5547f4..6dadf5282 100644
--- a/tests/src/drivers/test_driver_aead.c
+++ b/tests/src/drivers/test_driver_aead.c
@@ -25,6 +25,8 @@
 #include "test/drivers/aead.h"
+#include "mbedtls/constant_time.h"
+
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
 #include "libtestdriver1/library/psa_crypto_aead.h"
 #endif
@@ -431,7 +433,7 @@ psa_status_t mbedtls_test_transparent_aead_verify(
 if (mbedtls_test_driver_aead_hooks.driver_status == PSA_SUCCESS) {
 if (tag_length != check_tag_length ||
- mbedtls_psa_safer_memcmp(tag, check_tag, tag_length)
+ mbedtls_ct_memcmp(tag, check_tag, tag_length)
 != 0) {
 mbedtls_test_driver_aead_hooks.driver_status =
 PSA_ERROR_INVALID_SIGNATURE;
From 68efcf56ed0c2f63ab41322a861dbf8aad51c85d Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Thu, 31 Aug 2023 10:09:05 +0100
Subject: [PATCH 11/16] Remove not-needed #include
Signed-off-by: Dave Rodgman
---
 library/psa_crypto_core.h | 2 --
 1 file changed, 2 deletions(-)
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 4e28f3080..2b4afd7e1 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -21,8 +21,6 @@
 #ifndef PSA_CRYPTO_CORE_H
 #define PSA_CRYPTO_CORE_H
-#include "mbedtls/constant_time.h"
-
 #include "mbedtls/build_info.h"
 #include "psa/crypto.h"
From 09a9e589c154c8e8f93d85c04040d15fea8f3498 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Thu, 31 Aug 2023 11:05:22 +0100
Subject: [PATCH 12/16] Add missing error conversion case
Signed-off-by: Dave Rodgman
---
 library/psa_crypto.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 9582f1933..028bdaaaf 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -157,6 +157,8 @@ psa_status_t mbedtls_to_psa_error(int ret)
 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
 return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_AES_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
 #endif
 #if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C)
From 8d706f6b59b6d987c0c3722b46c81401d1890a7b Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Thu, 31 Aug 2023 11:48:44 +0100
Subject: [PATCH 13/16] Simplify camellia error conversion macros
Signed-off-by: Dave Rodgman
---
 library/psa_crypto.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 028bdaaaf..2b6c8d42c 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -175,9 +175,7 @@ psa_status_t mbedtls_to_psa_error(int ret)
 #endif
 #if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
-#if defined(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA)
 case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
-#endif
 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
 return PSA_ERROR_NOT_SUPPORTED;
 #endif
From dea266f3f584ca06deda83c557074f7223c118f7 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Thu, 31 Aug 2023 11:52:43 +0100
Subject: [PATCH 14/16] Use MBEDTLS_MD_LIGHT instead of MBEDTLS_MD_C
Signed-off-by: Dave Rodgman
---
 library/psa_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 2b6c8d42c..959b94536 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -261,7 +261,7 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_INSUFFICIENT_ENTROPY;
 #endif
-#if defined(MBEDTLS_MD_C)
+#if defined(MBEDTLS_MD_LIGHT)
 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
 return PSA_ERROR_NOT_SUPPORTED;
 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
From 4f47f3dac8378f880e3a627563aca66f9de0dcdf Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Thu, 31 Aug 2023 12:10:00 +0100
Subject: [PATCH 15/16] Covert PSA guards to MBEDTLS
Signed-off-by: Dave Rodgman
---
 library/psa_crypto.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index fb19c14f9..9ef3f1e06 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -153,7 +153,7 @@ psa_status_t mbedtls_to_psa_error(int ret)
 case 0:
 return PSA_SUCCESS;
-#if defined(PSA_WANT_KEY_TYPE_AES)
+#if defined(MBEDTLS_AES_C)
 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
 return PSA_ERROR_NOT_SUPPORTED;
@@ -174,25 +174,25 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_BUFFER_TOO_SMALL;
 #endif
-#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
+#if defined(MBEDTLS_CAMELLIA_C)
 case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
 return PSA_ERROR_NOT_SUPPORTED;
 #endif
-#if defined(PSA_WANT_ALG_CCM)
+#if defined(MBEDTLS_CCM_C)
 case MBEDTLS_ERR_CCM_BAD_INPUT:
 return PSA_ERROR_INVALID_ARGUMENT;
 case MBEDTLS_ERR_CCM_AUTH_FAILED:
 return PSA_ERROR_INVALID_SIGNATURE;
 #endif
-#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+#if defined(MBEDTLS_CHACHA20_C)
 case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
 return PSA_ERROR_INVALID_ARGUMENT;
 #endif
-#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+#if defined(MBEDTLS_CHACHAPOLY_C)
 case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
 return PSA_ERROR_BAD_STATE;
 case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
@@ -229,7 +229,7 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_INSUFFICIENT_ENTROPY;
 #endif
-#if defined(PSA_WANT_KEY_TYPE_DES)
+#if defined(MBEDTLS_DES_C)
 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
 return PSA_ERROR_NOT_SUPPORTED;
 #endif
@@ -239,7 +239,7 @@ psa_status_t mbedtls_to_psa_error(int ret)
 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
 return PSA_ERROR_INSUFFICIENT_ENTROPY;
-#if defined(PSA_WANT_ALG_GCM)
+#if defined(MBEDTLS_GCM_C)
 case MBEDTLS_ERR_GCM_AUTH_FAILED:
 return PSA_ERROR_INVALID_SIGNATURE;
 case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL:
From 1dab44580435718dc2edbd27391c47c950f39e25 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 1 Sep 2023 09:59:51 +0100
Subject: [PATCH 16/16] Update guard for ecp
Signed-off-by: Dave Rodgman
---
 library/psa_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 9ef3f1e06..456d4e38f 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -351,7 +351,7 @@ psa_status_t mbedtls_to_psa_error(int ret)
 return PSA_ERROR_INSUFFICIENT_ENTROPY;
 #endif
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_LIGHT)
 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
 case MBEDTLS_ERR_ECP_INVALID_KEY:
 return PSA_ERROR_INVALID_ARGUMENT;