Merge branch 'mbedtls-2.16-restricted' into mbedtls-2.16.7r0

2020-06-25 09:19:21 +01:00 · 2020-06-25 09:19:21 +01:00 · f69b919844
commit f69b919844
parent eab4a7a05d 3a1944a187
12 changed files with 565 additions and 5 deletions
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -167,6 +167,16 @@
 #error "MBEDTLS_ECP_C defined, but not all prerequisites"
 #endif

+#if defined(MBEDTLS_ECP_C) && !(            \
+    defined(MBEDTLS_ECP_ALT) ||             \
+    defined(MBEDTLS_CTR_DRBG_C) ||          \
+    defined(MBEDTLS_HMAC_DRBG_C) ||         \
+    defined(MBEDTLS_SHA512_C) ||            \
+    defined(MBEDTLS_SHA256_C) ||            \
+    defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
+#error "MBEDTLS_ECP_C requires a DRBG or SHA-2 module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
+#endif
+
 #if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
 #error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
 #endif
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -807,6 +807,28 @@
 */
 #define MBEDTLS_ECP_NIST_OPTIM

+/**
+ * \def MBEDTLS_ECP_NO_INTERNAL_RNG
+ *
+ * When this option is disabled, mbedtls_ecp_mul() will make use of an
+ * internal RNG when called with a NULL \c f_rng argument, in order to protect
+ * against some side-channel attacks.
+ *
+ * This protection introduces a dependency of the ECP module on one of the
+ * DRBG or SHA modules (HMAC-DRBG, CTR-DRBG, SHA-512 or SHA-256.) For very
+ * constrained applications that don't require this protection (for example,
+ * because you're only doing signature verification, so not manipulating any
+ * secret, or because local/physical side-channel attacks are outside your
+ * threat model), it might be desirable to get rid of that dependency.
+ *
+ * \warning Enabling this option makes some uses of ECP vulnerable to some
+ * side-channel attacks. Only enable it if you know that's not a problem for
+ * your use case.
+ *
+ * Uncomment this macro to disable some counter-measures in ECP.
+ */
+//#define MBEDTLS_ECP_NO_INTERNAL_RNG
+
 /**
 * \def MBEDTLS_ECP_RESTARTABLE
 *
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@ -840,6 +840,9 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,
 *                  intermediate results to prevent potential timing attacks
 *                  targeting these results. We recommend always providing
 *                  a non-NULL \p f_rng. The overhead is negligible.
+ *                  Note: unless #MBEDTLS_ECP_NO_INTERNAL_RNG is defined, when
+ *                  \p f_rng is NULL, an internal RNG (seeded from the value
+ *                  of \p m) will be used instead.
 *
 * \param grp       The ECP group to use.
 *                  This must be initialized and have group parameters
--- a/include/mbedtls/md.h
+++ b/include/mbedtls/md.h
@ -125,6 +125,8 @@ typedef struct mbedtls_md_context_t
 * \brief           This function returns the list of digests supported by the
 *                  generic digest module.
 *
+ * \note            The list starts with the strongest available hashes.
+ *
 * \return          A statically allocated array of digests. Each element
 *                  in the returned list is an integer belonging to the
 *                  message-digest enumeration #mbedtls_md_type_t.