Merge remote-tracking branch 'restricted/pr/523' into mbedtls-2.7-restricted-proposed
This commit is contained in:
commit
02d3b1cfbb
13
ChangeLog
13
ChangeLog
|
@ -48,6 +48,19 @@ Changes
|
||||||
* Improve documentation of mbedtls_ssl_get_verify_result().
|
* Improve documentation of mbedtls_ssl_get_verify_result().
|
||||||
Fixes #517 reported by github-monoculture.
|
Fixes #517 reported by github-monoculture.
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
|
||||||
|
previous settings for the number of rounds made it practical for an
|
||||||
|
adversary to construct non-primes that would be erroneously accepted as
|
||||||
|
primes with high probability. This does not have an impact on the
|
||||||
|
security of TLS, but can matter in other contexts with potentially
|
||||||
|
adversarially-chosen numbers that should be prime and can be validated.
|
||||||
|
For example, the number of rounds was enough to securely generate RSA key
|
||||||
|
pairs or Diffie-Hellman parameters, but was insufficient to validate
|
||||||
|
Diffie-Hellman parameters properly.
|
||||||
|
See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
|
||||||
|
Kenneth G. Paterson and Juraj Somorovsky.
|
||||||
|
|
||||||
= mbed TLS 2.7.6 branch released 2018-08-31
|
= mbed TLS 2.7.6 branch released 2018-08-31
|
||||||
|
|
||||||
Security
|
Security
|
||||||
|
|
|
@ -2053,12 +2053,12 @@ cleanup:
|
||||||
/*
|
/*
|
||||||
* Miller-Rabin pseudo-primality test (HAC 4.24)
|
* Miller-Rabin pseudo-primality test (HAC 4.24)
|
||||||
*/
|
*/
|
||||||
static int mpi_miller_rabin( const mbedtls_mpi *X,
|
static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
|
||||||
int (*f_rng)(void *, unsigned char *, size_t),
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
void *p_rng )
|
void *p_rng )
|
||||||
{
|
{
|
||||||
int ret, count;
|
int ret, count;
|
||||||
size_t i, j, k, n, s;
|
size_t i, j, k, s;
|
||||||
mbedtls_mpi W, R, T, A, RR;
|
mbedtls_mpi W, R, T, A, RR;
|
||||||
|
|
||||||
mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
|
mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
|
||||||
|
@ -2074,27 +2074,12 @@ static int mpi_miller_rabin( const mbedtls_mpi *X,
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
|
||||||
|
|
||||||
i = mbedtls_mpi_bitlen( X );
|
i = mbedtls_mpi_bitlen( X );
|
||||||
/*
|
|
||||||
* HAC, table 4.4
|
|
||||||
*/
|
|
||||||
n = ( ( i >= 1300 ) ? 2 : ( i >= 850 ) ? 3 :
|
|
||||||
( i >= 650 ) ? 4 : ( i >= 350 ) ? 8 :
|
|
||||||
( i >= 250 ) ? 12 : ( i >= 150 ) ? 18 : 27 );
|
|
||||||
|
|
||||||
for( i = 0; i < n; i++ )
|
for( i = 0; i < rounds; i++ )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* pick a random A, 1 < A < |X| - 1
|
* pick a random A, 1 < A < |X| - 1
|
||||||
*/
|
*/
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
|
|
||||||
|
|
||||||
if( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 )
|
|
||||||
{
|
|
||||||
j = mbedtls_mpi_bitlen( &A ) - mbedtls_mpi_bitlen( &W );
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &A, j + 1 ) );
|
|
||||||
}
|
|
||||||
A.p[0] |= 3;
|
|
||||||
|
|
||||||
count = 0;
|
count = 0;
|
||||||
do {
|
do {
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
|
||||||
|
@ -2102,7 +2087,7 @@ static int mpi_miller_rabin( const mbedtls_mpi *X,
|
||||||
j = mbedtls_mpi_bitlen( &A );
|
j = mbedtls_mpi_bitlen( &A );
|
||||||
k = mbedtls_mpi_bitlen( &W );
|
k = mbedtls_mpi_bitlen( &W );
|
||||||
if (j > k) {
|
if (j > k) {
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &A, j - k ) );
|
A.p[A.n - 1] &= ( (mbedtls_mpi_uint) 1 << ( k - ( A.n - 1 ) * biL - 1 ) ) - 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (count++ > 30) {
|
if (count++ > 30) {
|
||||||
|
@ -2157,7 +2142,7 @@ cleanup:
|
||||||
/*
|
/*
|
||||||
* Pseudo-primality test: small factors, then Miller-Rabin
|
* Pseudo-primality test: small factors, then Miller-Rabin
|
||||||
*/
|
*/
|
||||||
int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
|
static int mpi_is_prime_internal( const mbedtls_mpi *X, int rounds,
|
||||||
int (*f_rng)(void *, unsigned char *, size_t),
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
void *p_rng )
|
void *p_rng )
|
||||||
{
|
{
|
||||||
|
@ -2183,7 +2168,17 @@ int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
return( mpi_miller_rabin( &XX, f_rng, p_rng ) );
|
return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Pseudo-primality test, error probability 2^-80
|
||||||
|
*/
|
||||||
|
int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng )
|
||||||
|
{
|
||||||
|
return mpi_is_prime_internal( X, 40, f_rng, p_rng );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -2195,6 +2190,7 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
size_t k, n;
|
size_t k, n;
|
||||||
|
int rounds;
|
||||||
mbedtls_mpi_uint r;
|
mbedtls_mpi_uint r;
|
||||||
mbedtls_mpi Y;
|
mbedtls_mpi Y;
|
||||||
|
|
||||||
|
@ -2205,6 +2201,13 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
|
||||||
|
|
||||||
n = BITS_TO_LIMBS( nbits );
|
n = BITS_TO_LIMBS( nbits );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* 2^-80 error probability, number of rounds chosen per HAC, table 4.4
|
||||||
|
*/
|
||||||
|
rounds = ( ( nbits >= 1300 ) ? 2 : ( nbits >= 850 ) ? 3 :
|
||||||
|
( nbits >= 650 ) ? 4 : ( nbits >= 350 ) ? 8 :
|
||||||
|
( nbits >= 250 ) ? 12 : ( nbits >= 150 ) ? 18 : 27 );
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
|
||||||
|
|
||||||
k = mbedtls_mpi_bitlen( X );
|
k = mbedtls_mpi_bitlen( X );
|
||||||
|
@ -2216,7 +2219,7 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
|
||||||
|
|
||||||
if( dh_flag == 0 )
|
if( dh_flag == 0 )
|
||||||
{
|
{
|
||||||
while( ( ret = mbedtls_mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
|
while( ( ret = mpi_is_prime_internal( X, rounds, f_rng, p_rng ) ) != 0 )
|
||||||
{
|
{
|
||||||
if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
|
if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
@ -2252,8 +2255,10 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
|
||||||
*/
|
*/
|
||||||
if( ( ret = mpi_check_small_factors( X ) ) == 0 &&
|
if( ( ret = mpi_check_small_factors( X ) ) == 0 &&
|
||||||
( ret = mpi_check_small_factors( &Y ) ) == 0 &&
|
( ret = mpi_check_small_factors( &Y ) ) == 0 &&
|
||||||
( ret = mpi_miller_rabin( X, f_rng, p_rng ) ) == 0 &&
|
( ret = mpi_miller_rabin( X, rounds, f_rng, p_rng ) )
|
||||||
( ret = mpi_miller_rabin( &Y, f_rng, p_rng ) ) == 0 )
|
== 0 &&
|
||||||
|
( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng ) )
|
||||||
|
== 0 )
|
||||||
{
|
{
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
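Review bot: The new mask in hunk @-2102, `A.p[A.n - 1] &= ( (mbedtls_mpi_uint) 1 << ( k - ( A.n - 1 ) * biL - 1 ) ) - 1;`, only works when bit k-1 of W sits in A's top limb; A is filled with `X->n * ciL` bytes, so if the caller's X carries leading zero limbs beyond its bit-length, `k - ( A.n - 1 ) * biL - 1` wraps as size_t and the shift count exceeds the limb width, which is undefined behaviour — either assert in the caller that X has no excess limbs, or mask relative to the limb that actually holds bit k-1, as below. In hunk @-2074 the surviving `i = mbedtls_mpi_bitlen( X );` is now a dead store, because `i` is reassigned by the `for` that follows and `n` was removed from the declarations; it can be dropped. The round count is `size_t` in mpi_miller_rabin but `int` in mpi_is_prime_internal and mbedtls_mpi_gen_prime (hunks @-2157 and @-2195), so a negative value would convert to a huge number of rounds; declaring it `size_t` throughout, or rejecting `rounds <= 0` in mpi_is_prime_internal, keeps the two in step. mpi_miller_rabin and mpi_is_prime_internal both extend beyond the hunks shown, so the lower bound on W (hence k >= 1) is assumed from the callers' range checks rather than visible here.
```c
            if (j > k) {
                /* Limb that holds bit k-1 of W: zero every limb above it and
                 * mask that limb, so that A < 2^(k-1) <= W holds no matter
                 * how many leading limbs A (sized from X->n) carries. */
                size_t top = ( k - 1 ) / biL;
                memset( A.p + top + 1, 0, ( A.n - top - 1 ) * ciL );
                A.p[top] &= ( (mbedtls_mpi_uint) 1 << ( ( k - 1 ) % biL ) ) - 1;
            }
            /* … unchanged: count check and loop condition … */
```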
@ -680,6 +680,14 @@ Test mbedtls_mpi_is_prime #20
|
||||||
depends_on:MBEDTLS_GENPRIME
|
depends_on:MBEDTLS_GENPRIME
|
||||||
mbedtls_mpi_is_prime:10:"49979687":0
|
mbedtls_mpi_is_prime:10:"49979687":0
|
||||||
|
|
||||||
|
Test mbedtls_mpi_is_prime_det (4 non-witnesses)
|
||||||
|
depends_on:MBEDTLS_GENPRIME
|
||||||
|
mbedtls_mpi_is_prime_det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
|
||||||
|
|
||||||
|
Test mbedtls_mpi_is_prime_det (39 non-witnesses)
|
||||||
|
depends_on:MBEDTLS_GENPRIME
|
||||||
|
mbedtls_mpi_is_prime_det
|
||||||
|
|
||||||
Test mbedtls_mpi_gen_prime (Too small)
|
Test mbedtls_mpi_gen_prime (Too small)
|
||||||
depends_on:MBEDTLS_GENPRIME
|
depends_on:MBEDTLS_GENPRIME
|
||||||
mbedtls_mpi_gen_prime:2:0:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
|
mbedtls_mpi_gen_prime:2:0:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
|
||||||
|
|
|
@ -1,5 +1,49 @@
|
||||||
/* BEGIN_HEADER */
|
/* BEGIN_HEADER */
|
||||||
#include "mbedtls/bignum.h"
|
#include "mbedtls/bignum.h"
|
||||||
|
|
||||||
|
typedef struct mbedtls_test_mpi_random
|
||||||
|
{
|
||||||
|
uint8_t *data;
|
||||||
|
uint32_t data_len;
|
||||||
|
size_t pos;
|
||||||
|
size_t chunk_len;
|
||||||
|
} mbedtls_test_mpi_random;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This function is called by the Miller-Rabin primality test each time it
|
||||||
|
* chooses a random witness. The witnesses (or non-witnesses as provided by the
|
||||||
|
* test) are stored in the data member of the state structure. Each number is in
|
||||||
|
* the format that mbedtls_mpi_read_string understands and is chunk_len long.
|
||||||
|
*/
|
||||||
|
int mbedtls_test_mpi_miller_rabin_determinizer( void* state,
|
||||||
|
unsigned char* buf,
|
||||||
|
size_t len )
|
||||||
|
{
|
||||||
|
mbedtls_test_mpi_random *random = (mbedtls_test_mpi_random*) state;
|
||||||
|
|
||||||
|
if( random == NULL || random->data == NULL || buf == NULL )
|
||||||
|
return( -1 );
|
||||||
|
|
||||||
|
if( random->pos + random->chunk_len > random->data_len
|
||||||
|
|| random->chunk_len > len )
|
||||||
|
{
|
||||||
|
return( -1 );
|
||||||
|
}
|
||||||
|
|
||||||
|
memset( buf, 0, len );
|
||||||
|
|
||||||
|
/* The witness is written to the end of the buffer, since the buffer is
|
||||||
|
* used as big endian, unsigned binary data in mbedtls_mpi_read_binary.
|
||||||
|
* Writing the witness to the start of the buffer would result in the
|
||||||
|
* buffer being 'witness 000...000', which would be treated as
|
||||||
|
* witness * 2^n for some n. */
|
||||||
|
memcpy( buf + len - random->chunk_len, &random->data[random->pos],
|
||||||
|
random->chunk_len );
|
||||||
|
|
||||||
|
random->pos += random->chunk_len;
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
/* BEGIN_DEPENDENCIES
|
/* BEGIN_DEPENDENCIES
|
||||||
|
@ -809,6 +853,39 @@ exit:
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
|
/* BEGIN_CASE depends_on:MBEDTLS_GENPRIME */
|
||||||
|
void mbedtls_mpi_is_prime_det( char *input_X, char *witnesses,
|
||||||
|
int chunk_len, int div_result )
|
||||||
|
{
|
||||||
|
mbedtls_mpi X;
|
||||||
|
int res;
|
||||||
|
mbedtls_test_mpi_random rand;
|
||||||
|
uint8_t *witness_buf = NULL;
|
||||||
|
uint8_t *input_buf = NULL;
|
||||||
|
size_t witness_len;
|
||||||
|
size_t input_len;
|
||||||
|
|
||||||
|
witness_buf = unhexify_alloc( witnesses, &witness_len );
|
||||||
|
input_buf = unhexify_alloc( input_X, &input_len );
|
||||||
|
|
||||||
|
mbedtls_mpi_init( &X );
|
||||||
|
rand.data = witness_buf;
|
||||||
|
rand.data_len = witness_len;
|
||||||
|
rand.pos = 0;
|
||||||
|
rand.chunk_len = chunk_len;
|
||||||
|
|
||||||
|
TEST_ASSERT( mbedtls_mpi_read_binary( &X, input_buf, input_len ) == 0 );
|
||||||
|
res = mbedtls_mpi_is_prime( &X, mbedtls_test_mpi_miller_rabin_determinizer,
|
||||||
|
&rand );
|
||||||
|
TEST_ASSERT( res == div_result );
|
||||||
|
|
||||||
|
exit:
|
||||||
|
mbedtls_mpi_free( &X );
|
||||||
|
mbedtls_free( witness_buf );
|
||||||
|
mbedtls_free( input_buf );
|
||||||
|
}
|
||||||
|
/* END_CASE */
|
||||||
|
|
||||||
/* BEGIN_CASE depends_on:MBEDTLS_GENPRIME */
|
/* BEGIN_CASE depends_on:MBEDTLS_GENPRIME */
|
||||||
void mbedtls_mpi_gen_prime( int bits, int safe, int ref_ret )
|
void mbedtls_mpi_gen_prime( int bits, int safe, int ref_ret )
|
||||||
{
|
{
|
||||||
|
|
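Review bot: The header comment on mbedtls_test_mpi_miller_rabin_determinizer in hunk @-1 says each witness "is in the format that mbedtls_mpi_read_string understands", but the function copies `chunk_len` raw bytes into the RNG buffer and the comment just below it correctly explains that the buffer is consumed as big-endian binary by mbedtls_mpi_read_binary; the first comment should read `* test) are stored in the data member of the state structure. Each witness is chunk_len raw big-endian bytes, the layout mbedtls_mpi_read_binary expects.` In hunk @-809, `witness_buf` and `input_buf` from unhexify_alloc are used without a check, so an allocation failure would surface as a confusing `res == div_result` mismatch rather than at the cause; adding `TEST_ASSERT( witness_buf != NULL && input_buf != NULL );` right after the two calls localises it. The state struct also mixes widths — `data_len` is `uint32_t` while `pos` and `chunk_len` are `size_t` and `witness_len` is `size_t` — so `rand.data_len = witness_len;` narrows silently; declaring `data_len` as `size_t` removes the conversion, and since `chunk_len` arrives as `int`, a guard such as `TEST_ASSERT( chunk_len > 0 );` before `rand.chunk_len = chunk_len;` documents the expectation the determinizer's bounds check otherwise relies on.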