Commit graph

40 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 1765933ab2 Remove num_words member from curve structure
Saves code size, and makes the curve structure simpler.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard 1c6f7eae2d Remove function pointers from curve structure
They're not needed in practice, and removing them decreases the code size
slightly and provides less opportunities for an attacker.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard e714332563 Add pre and post-validation to mult_safer()
Validating the input is always a good idea. Validating the output protects
against some fault injections that would make the result invalid.

Note: valid_point() implies that the point is not zero.

Adding validation to mult_safer() makes it redundant in
compute_shared_secret().
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard 41ab8cb6cb Centralize everything to EccPoint_mult_safer()
This will make easier to add future counter-measures in a single place.

In practice this change means that:

- compute_public_key() now uses projective coordinate randomisation, which it
  should as this is a protection against Template Attacks for example.
- mult_safer() now checks that the result is not the point at infinity, which
  it can as the result is indeed never expected to be that
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard 2b6312b7d9 Harden return value of uECC_vli_equal()
Previously it was returning 0 or 1, so flipping a single bit in the return
value reversed its meaning. Now it's returning the diff itself.

This is safe because in the two places it's used (signature verification and
point validation), invalid values will have a large number of bits differing
from the expected value, so diff will have a large Hamming weight.

An alternative would be to return for example -!(diff == 0), but the
comparison itself is prone to attacks (glitching the appropriate flag in the
CPU flags register, or the conditional branch if the comparison uses one). So
we'd need to protect the comparison, and it's simpler to just skip it and
return diff itself.
2019-11-21 15:12:44 +01:00
Manuel Pégourié-Gonnard c881486bb2 Fix off-by-one number of extra operations
This caused a performance issue.
2019-11-05 10:32:37 +01:00
Manuel Pégourié-Gonnard 913534837a Hardcode numwords in vli_modInv 2019-11-04 15:53:22 +01:00
Manuel Pégourié-Gonnard 3e20adf533 Hardcode numwords in vli_modMult 2019-11-04 15:53:20 +01:00
Manuel Pégourié-Gonnard 10349e4912 Hardcode numwords in vli_mmod 2019-11-04 15:53:19 +01:00
Manuel Pégourié-Gonnard 1b0875d863 Hardcode numwords in vli_modSub 2019-11-04 15:53:17 +01:00
Manuel Pégourié-Gonnard 0779be7f31 Hardcode numwords in vli_modAdd 2019-11-04 15:53:14 +01:00
Manuel Pégourié-Gonnard 5e3baf2303 Hardcode numwords in vli_rshift1 2019-11-04 15:53:12 +01:00
Manuel Pégourié-Gonnard 2cb3eea922 Hardcode numwords in vli_cmp 2019-11-04 15:53:10 +01:00
Manuel Pégourié-Gonnard 129b42ea2e Hardcode numwords in vli_sub 2019-11-04 15:53:09 +01:00
Manuel Pégourié-Gonnard 2eca3d367b Hardcode numwords in vli_equal 2019-11-04 15:53:07 +01:00
Manuel Pégourié-Gonnard a752191191 Hardcode numwords in vli_cpm_unsafe 2019-11-04 15:53:03 +01:00
Manuel Pégourié-Gonnard cbbb0f034b Hardcode numwords in vli_set() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard 2bf5a129cf Hardcode numwords in semi-internal vli_numBits() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard 94e48498ef Hardcode numwords in semi-internal vli_clear() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard f3899fc0ea hardcode numwords in semi-internal vli_isZero 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard 02d9d21fd6 Hardcode numwords in internal vli_add
Saves 40 bytes
2019-11-04 15:52:37 +01:00
Manuel Pégourié-Gonnard 78a7e351fe Use macros for number of bits and words 2019-11-04 12:31:37 +01:00
Manuel Pégourié-Gonnard c3ec14c87f Harcode curve in semi-internal modMult function
Saves 80 bytes of code size.
2019-11-04 12:23:11 +01:00
Manuel Pégourié-Gonnard 3645ac93f5 Start hardcoding curve in internal functions
Saves 68 byte of code size.
2019-11-04 12:20:22 +01:00
Manuel Pégourié-Gonnard 27926d63b7 Remove less-safe mult function from public API
This doesn't change code size, but makes it easier to remove unneeded
parameters later (less possible entry points).
2019-11-04 11:26:46 +01:00
Manuel Pégourié-Gonnard ef238283d5 Add ECCPoint_mult_safer() function
This avoids the need for each calling site to manually regularize the scalar
and randomize coordinates, which makes for simpler safe use and saves 50 bytes
of code size in the library.
2019-11-04 11:19:30 +01:00
Manuel Pégourié-Gonnard c78d86b499 Remove some internal functions that aren't needed
This saves 10 bytes of code size, and makes it a bit easier to remove unused
parameters later (fewer prototypes to change).
2019-11-04 10:18:42 +01:00
Manuel Pégourié-Gonnard 86c4f81408 Improve documentation of internal function 2019-10-31 13:07:58 +01:00
Manuel Pégourié-Gonnard d5e503ec33 Rename wait_state_t to ecc_wait_state_t
Even though this is type name is purely internal to a single C file, let's
reduce the potential for clashes with other wait state types which might be
added elsewhere in the library and become visible here (for example through
platform_util.h).
2019-10-31 13:07:58 +01:00
Manuel Pégourié-Gonnard d467116e59 Make wait_state smaller
Previous size was 3584 bytes which is not acceptable on constrained systems
(especially on the stack). This was a misguided attempt at minimizing the
number of calls to the RNG function in order to minimize impact on
performance, but clearly this does not justify using that much RAM and a
compromise had to be found.
2019-10-31 13:07:52 +01:00
Manuel Pégourié-Gonnard 938f53f1fb Actually use randomized mult when relevant
While at it, loose the 'curve' argument in internal randomized functions, for
the same reasons we lost 'num_words' in uECC_vli_mult_rnd(): we only have one
curve so we don't need this, and hardcoding it saves a bit of code size and
speed, which is welcome to slightly reduce the impact of the counter-measure
on both of them.
2019-10-31 13:07:52 +01:00
Manuel Pégourié-Gonnard 14ab9c2879 Add random delays to multi-precision multiplication
This is a counter-measure to make horizontal attacks harder. Horizontal
attacks work with a single trace by noticing when intermediate computations
within that trace happen on the same operands.

We'll try to make that harder for an attacker to achieve that by introducing
random delays based on extra computation and extra random accesses to input in
the multi-precision multiplication (which is the dominant operation and the target of
horizontal attacks known so far). This should make it hard for the attacker to
compare two multiplications.

This first commit introduces the new function for multiplication with random
delay - future commits will ensure it is used all the way up to the top-level
scalar multiplication routine.
2019-10-31 13:07:52 +01:00
Simon Butcher 92c3d1f4f4 Addition of copyright statements to tinycrypt files
Each of the tinycrypt files have had some very minor changes, so need a
copyright statement.
2019-09-09 17:37:08 +01:00
Simon Butcher cffedb548f Add SPDX lines to each imported TinyCrypt file
Out of the 6 tinycrypt files included in Mbed TLS, this commit adds SPDX lines
to each for the BSD 3 Clause licence.
2019-09-09 17:34:51 +01:00
Hanno Becker 36ae758798 Include Mbed TLS config in tinycrypt compilation units 2019-08-12 17:05:38 +01:00
Manuel Pégourié-Gonnard afdc1b5cbd Consistently use the name tinycrypt over uecc
We called in tinycrypt in the file names, but uecc in config.h, all.sh and
other places, which could be confusing. Just use tinycrypt everywhere because
that's the name of the project and repo where we took the files.

The changes were made using the following commands (with GNU sed and zsh):

sed -i 's/uecc/tinycrypt/g' **/*.[ch] tests/scripts/all.sh
sed -i 's/MBEDTLS_USE_UECC/MBEDTLS_USE_TINYCRYPT/g' **/*.[ch] tests/scripts/all.sh scripts/config.pl
2019-05-09 11:24:11 +02:00
Jarno Lamsa 46132207f8 Make compiler happy when MBEDTLS_USE_UECC disabled 2019-04-29 14:29:52 +03:00
Jarno Lamsa 55427964b1 Guard tinycrypt files with MBEDTLS_USE_UECC 2019-04-29 10:25:23 +03:00
Jarno Lamsa d50fd6b373 Remove unused headers from uecc sources 2019-04-24 16:19:50 +03:00
Jarno Lamsa 18987a420b Add micro-ecc based ecc-files to mbedtls
The files are from https://github.com/intel/tinycrypt
Using commit 6e0eb53fc8403988f97345e94081b0453f47231d as a base.
2019-04-24 15:40:43 +03:00