Merge branch 'mbedtls-1.3' into development
* commit 'ce60fbe': Fix potential timing difference with RSA PMS Update Changelog for recent merge Added more constant-time code and removed biases in the prime number generation routines. Conflicts: library/bignum.c library/ssl_srv.c
53c76c07de
|
@ -114,6 +114,9 @@ Bugfix
|
||||||
curve picked by the server was actually allowed.
|
curve picked by the server was actually allowed.
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
|
* Remove bias in mpi_gen_prime (contributed by Pascal Junod).
|
||||||
|
* Remove potential sources of timing variations (some contributed by Pascal
|
||||||
|
Junod).
|
||||||
* Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
|
* Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
|
||||||
* Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
|
* Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
|
||||||
* compat-1.2.h and openssl.h are deprecated.
|
* compat-1.2.h and openssl.h are deprecated.
|
||||||
|
|
|
@ -223,8 +223,8 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
/* make sure assign is 0 or 1 */
|
/* make sure assign is 0 or 1 in a time-constant manner */
|
||||||
assign = ( assign != 0 );
|
assign = (assign | (unsigned char)-assign) >> 7;
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
||||||
|
|
||||||
|
@ -255,8 +255,8 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char sw
|
||||||
if( X == Y )
|
if( X == Y )
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
|
||||||
/* make sure swap is 0 or 1 */
|
/* make sure swap is 0 or 1 in a time-constant manner */
|
||||||
swap = ( swap != 0 );
|
swap = (swap | (unsigned char)-swap) >> 7;
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
|
||||||
|
@ -1958,8 +1958,8 @@ static int mpi_miller_rabin( const mbedtls_mpi *X,
|
||||||
int (*f_rng)(void *, unsigned char *, size_t),
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
void *p_rng )
|
void *p_rng )
|
||||||
{
|
{
|
||||||
int ret;
|
int ret, count;
|
||||||
size_t i, j, n, s;
|
size_t i, j, k, n, s;
|
||||||
mbedtls_mpi W, R, T, A, RR;
|
mbedtls_mpi W, R, T, A, RR;
|
||||||
|
|
||||||
mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
|
mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
|
||||||
|
@ -1996,6 +1996,23 @@ static int mpi_miller_rabin( const mbedtls_mpi *X,
|
||||||
}
|
}
|
||||||
A.p[0] |= 3;
|
A.p[0] |= 3;
|
||||||
|
|
||||||
|
count = 0;
|
||||||
|
do {
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
|
||||||
|
|
||||||
|
j = mbedtls_mpi_msb( &A );
|
||||||
|
k = mbedtls_mpi_msb( &W );
|
||||||
|
if (j > k) {
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &A, j - k ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
if (count++ > 30) {
|
||||||
|
return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
|
||||||
|
}
|
||||||
|
|
||||||
|
} while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 ||
|
||||||
|
mbedtls_mpi_cmp_int( &A, 1 ) <= 0 );
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* A = A^R mod |X|
|
* A = A^R mod |X|
|
||||||
*/
|
*/
|
||||||
|
@ -2092,10 +2109,11 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
|
||||||
|
|
||||||
k = mbedtls_mpi_msb( X );
|
k = mbedtls_mpi_msb( X );
|
||||||
if( k < nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( X, nbits - k ) );
|
if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits + 1 ) );
|
||||||
if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits ) );
|
|
||||||
|
|
||||||
X->p[0] |= 3;
|
mbedtls_mpi_set_bit( X, nbits-1, 1 );
|
||||||
|
|
||||||
|
X->p[0] |= 1;
|
||||||
|
|
||||||
if( dh_flag == 0 )
|
if( dh_flag == 0 )
|
||||||
{
|
{
|
||||||
|
@ -2114,6 +2132,9 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
|
||||||
* is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
|
* is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
|
||||||
* Make sure it is satisfied, while keeping X = 3 mod 4
|
* Make sure it is satisfied, while keeping X = 3 mod 4
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
X->p[0] |= 2;
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
|
||||||
if( r == 0 )
|
if( r == 0 )
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
|
||||||
|
|
|
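Review bot: The new `return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;` inside the `do { … } while` retry loop of mpi_miller_rabin leaves the function through a bare return, while every other exit in the hunk goes through `MBEDTLS_MPI_CHK`; W, R, T and A are initialised at the top of the function (RR is presumably initialised on the line that follows), so a bare return skips whatever the function's `cleanup:` label frees (the label itself is outside the hunk) and the limbs allocated by `mbedtls_mpi_fill_random` appear to be leaked on that path. It should follow the file's convention: `ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; goto cleanup;`. The context line `A.p[0] |= 3;` just above the loop now only touches a value that the first `mbedtls_mpi_fill_random` inside the loop overwrites, so it no longer has any effect on the A that is tested; if forcing the low bits was intentional it belongs inside the loop, otherwise the line can be dropped. The bound `30` would also benefit from a one-line comment saying why that many retries is enough before treating the RNG as unusable. mpi_miller_rabin begins and ends outside these hunks.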
@ -773,7 +773,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
|
||||||
for( i = 0; i < ilen - 2 * hlen - 2; i++ )
|
for( i = 0; i < ilen - 2 * hlen - 2; i++ )
|
||||||
{
|
{
|
||||||
pad_done |= p[i];
|
pad_done |= p[i];
|
||||||
pad_len += ( pad_done == 0 );
|
pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
p += pad_len;
|
p += pad_len;
|
||||||
|
@ -847,8 +847,8 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
||||||
* (minus one, for the 00 byte) */
|
* (minus one, for the 00 byte) */
|
||||||
for( i = 0; i < ilen - 3; i++ )
|
for( i = 0; i < ilen - 3; i++ )
|
||||||
{
|
{
|
||||||
pad_done |= ( p[i] == 0 );
|
pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
|
||||||
pad_count += ( pad_done == 0 );
|
pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
p += pad_count;
|
p += pad_count;
|
||||||
|
|
|
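Review bot: The branch-free `((x | (unsigned char)-x) >> 7) ^ 1` idiom now appears three times across the two padding-stripping loops with no comment, and it is only correct when `x` is an `unsigned char` on a platform with 8-bit bytes; `pad_done`, `pad_count` and `p` are declared outside the hunk, so that precondition is invisible where the trick is used. A one-line comment on each loop, e.g. `/* branch-free: ((x | -x) >> 7) ^ 1 is 1 iff x == 0, requires 8-bit unsigned char */`, or better a single file-local `static` helper that both loops call (the same expressions are hand-expanded again in bignum.c's safe_cond_assign and safe_cond_swap), would pin the intent and the type requirement in one place. Note that `-p[i]` promotes to `int` before the cast, so a signed `char` buffer would silently break the test. Both decrypt functions extend beyond their hunks.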
@ -3235,7 +3235,7 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
|
||||||
unsigned char ver[2];
|
unsigned char ver[2];
|
||||||
unsigned char fake_pms[48], peer_pms[48];
|
unsigned char fake_pms[48], peer_pms[48];
|
||||||
unsigned char mask;
|
unsigned char mask;
|
||||||
size_t i;
|
size_t i, diff, peer_pmslen;
|
||||||
|
|
||||||
if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
|
if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
|
||||||
{
|
{
|
||||||
|
@ -3280,16 +3280,17 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
|
||||||
return( ret );
|
return( ret );
|
||||||
|
|
||||||
ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
|
ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
|
||||||
peer_pms, &ssl->handshake->pmslen,
|
peer_pms, &peer_pmslen,
|
||||||
sizeof( peer_pms ),
|
sizeof( peer_pms ),
|
||||||
ssl->f_rng, ssl->p_rng );
|
ssl->f_rng, ssl->p_rng );
|
||||||
|
|
||||||
ret |= ssl->handshake->pmslen - 48;
|
diff = (size_t) ret;
|
||||||
ret |= peer_pms[0] - ver[0];
|
diff |= peer_pmslen ^ 48;
|
||||||
ret |= peer_pms[1] - ver[1];
|
diff |= peer_pms[0] ^ ssl->handshake->max_major_ver;
|
||||||
|
diff |= peer_pms[1] ^ ssl->handshake->max_minor_ver;
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_DEBUG_ALL)
|
#if defined(POLARSSL_SSL_DEBUG_ALL)
|
||||||
if( ret != 0 )
|
if( diff != 0 )
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -3301,7 +3302,8 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
|
||||||
}
|
}
|
||||||
ssl->handshake->pmslen = 48;
|
ssl->handshake->pmslen = 48;
|
||||||
|
|
||||||
mask = (unsigned char)( - ( ret != 0 ) ); /* ret ? 0xff : 0x00 */
|
mask = ( diff | - diff ) >> ( sizeof( size_t ) * 8 - 1 );
|
||||||
|
mask = (unsigned char)( - ( ret != 0 ) ); /* mask = diff ? 0xff : 0x00 */
|
||||||
for( i = 0; i < ssl->handshake->pmslen; i++ )
|
for( i = 0; i < ssl->handshake->pmslen; i++ )
|
||||||
pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
|
pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
|
||||||
|
|
||||||
|
|
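Review bot: On the new side of the last hunk, `mask = ( diff | - diff ) >> ( sizeof( size_t ) * 8 - 1 );` is immediately overwritten by `mask = (unsigned char)( - ( ret != 0 ) ); /* mask = diff ? 0xff : 0x00 */`, so the length and version-byte mismatches folded into `diff` a few lines earlier never select `fake_pms`, the comment contradicts the code, and only the `mbedtls_pk_decrypt` return value decides which premaster secret is used; this looks like a merge-conflict artefact. The second line should be `mask = (unsigned char)( - mask ); /* mask = diff ? 0xff : 0x00 */` so the 0/1 produced by the shift becomes 0x00/0xff. Separately, the previous hunk changes the debug guard to `#if defined(POLARSSL_SSL_DEBUG_ALL)` while the message inside it still uses `MBEDTLS_SSL_DEBUG_MSG` and every other macro in the hunk carries the `MBEDTLS_` prefix, so that block is presumably never compiled in; it should read `#if defined(MBEDTLS_SSL_DEBUG_ALL)`. ssl_parse_encrypted_pms begins and ends outside these hunks.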