Skip to content

Commit

Permalink
Merge pull request Mbed-TLS#6327 from yuhaoth/pr/tls13-psk-after-sess…
Browse files Browse the repository at this point in the history 
…ion-tickets
  • Loading branch information
@yuhaoth
yuhaoth committed Nov 27, 2022
2 parents bdce42a + 78317c8 commit a85c02a
Show file tree
Hide file tree
Showing 26 changed files with 15,776 additions and 1,169 deletions.
4 changes: 4 additions & 0 deletions include/mbedtls/ssl.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1481,10 +1481,12 @@ struct mbedtls_ssl_config
#endif

#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if defined(MBEDTLS_SSL_SRV_C)
/** Callback to retrieve PSK key from identity */
int (*MBEDTLS_PRIVATE(f_psk))(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
void *MBEDTLS_PRIVATE(p_psk); /*!< context for PSK callback */
#endif
#endif

#if (defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) || \
(defined(MBEDTLS_SSL_COOKIE_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3))) \
Expand Down Expand Up @@ -3677,6 +3679,7 @@ int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
mbedtls_svc_key_id_t psk );
#endif /* MBEDTLS_USE_PSA_CRYPTO */

#if defined(MBEDTLS_SSL_SRV_C)
/**
* \brief Set the PSK callback (server-side only).
*
Expand Down Expand Up @@ -3719,6 +3722,7 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
size_t),
void *p_psk );
#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */

#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Expand Down
2 changes: 1 addition & 1 deletion include/mbedtls/x509_crt.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -516,7 +516,7 @@ int mbedtls_x509_crt_parse_der_with_ext_cb( mbedtls_x509_crt *chain,
* mbedtls_x509_crt_init().
* \param buf The address of the readable buffer holding the DER encoded
* certificate to use. On success, this buffer must be
* retained and not be changed for the liftetime of the
* retained and not be changed for the lifetime of the
* CRT chain \p chain, that is, until \p chain is destroyed
* through a call to mbedtls_x509_crt_free().
* \param buflen The size in Bytes of \p buf.
Expand Down
143 changes: 9 additions & 134 deletions library/bignum.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@
#if defined(MBEDTLS_BIGNUM_C)

#include "mbedtls/bignum.h"
#include "bignum_internal.h"
#include "bignum_core.h"
#include "bn_mul.h"
#include "mbedtls/platform_util.h"
Expand Down Expand Up @@ -962,40 +961,6 @@ int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
return( ret );
}

/**
* Helper for mbedtls_mpi subtraction.
*
* Calculate l - r where l and r have the same size.
* This function operates modulo (2^ciL)^n and returns the carry
* (1 if there was a wraparound, i.e. if `l < r`, and 0 otherwise).
*
* d may be aliased to l or r.
*
* \param n Number of limbs of \p d, \p l and \p r.
* \param[out] d The result of the subtraction.
* \param[in] l The left operand.
* \param[in] r The right operand.
*
* \return 1 if `l < r`.
* 0 if `l >= r`.
*/
static mbedtls_mpi_uint mpi_sub_hlp( size_t n,
mbedtls_mpi_uint *d,
const mbedtls_mpi_uint *l,
const mbedtls_mpi_uint *r )
{
size_t i;
mbedtls_mpi_uint c = 0, t, z;

for( i = 0; i < n; i++ )
{
z = ( l[i] < c ); t = l[i] - c;
c = ( t < r[i] ) + z; d[i] = t - r[i];
}

return( c );
}

/*
* Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
*/
Expand Down Expand Up @@ -1028,7 +993,7 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
if( X->n > A->n )
memset( X->p + A->n, 0, ( X->n - A->n ) * ciL );

carry = mpi_sub_hlp( n, X->p, A->p, B->p );
carry = mbedtls_mpi_core_sub( X->p, A->p, B->p, n );
if( carry != 0 )
{
/* Propagate the carry to the first nonzero limb of X. */
Expand Down Expand Up @@ -1157,38 +1122,6 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint
return( mbedtls_mpi_sub_mpi( X, A, &B ) );
}

mbedtls_mpi_uint mbedtls_mpi_core_mla( mbedtls_mpi_uint *d, size_t d_len,
const mbedtls_mpi_uint *s, size_t s_len,
mbedtls_mpi_uint b )
{
mbedtls_mpi_uint c = 0; /* carry */
size_t excess_len = d_len - s_len;

size_t steps_x8 = s_len / 8;
size_t steps_x1 = s_len & 7;

while( steps_x8-- )
{
MULADDC_X8_INIT
MULADDC_X8_CORE
MULADDC_X8_STOP
}

while( steps_x1-- )
{
MULADDC_X1_INIT
MULADDC_X1_CORE
MULADDC_X1_STOP
}

while( excess_len-- )
{
*d += c; c = ( *d < c ); d++;
}

return( c );
}

/*
* Baseline multiplication: X = A * B (HAC 14.12)
*/
Expand Down Expand Up @@ -1612,21 +1545,9 @@ int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_
return( 0 );
}

/*
* Fast Montgomery initialization (thanks to Tom St Denis)
*/
static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
{
mbedtls_mpi_uint x, m0 = N->p[0];
unsigned int i;

x = m0;
x += ( ( m0 + 2 ) & 4 ) << 1;

for( i = biL; i >= 8; i /= 2 )
x *= ( 2 - ( m0 * x ) );

*mm = ~x + 1;
*mm = mbedtls_mpi_core_montmul_init( N->p );
}

/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
Expand All @@ -1640,67 +1561,21 @@ static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
* \param[in] B One of the numbers to multiply.
* It must be nonzero and must not have more limbs than N
* (B->n <= N->n).
* \param[in] N The modulo. N must be odd.
* \param[in] N The modulus. \p N must be odd.
* \param mm The value calculated by `mpi_montg_init(&mm, N)`.
* This is -N^-1 mod 2^ciL.
* \param[in,out] T A bignum for temporary storage.
* It must be at least twice the limb size of N plus 1
* (T->n >= 2 * N->n + 1).
* Its initial content is unused and
* its final content is indeterminate.
* Note that unlike the usual convention in the library
* for `const mbedtls_mpi*`, the content of T can change.
* It does not get reallocated.
*/
static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
const mbedtls_mpi *T )
static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B,
const mbedtls_mpi *N, mbedtls_mpi_uint mm,
mbedtls_mpi *T )
{
size_t n, m;
mbedtls_mpi_uint *d;

memset( T->p, 0, T->n * ciL );

d = T->p;
n = N->n;
m = ( B->n < n ) ? B->n : n;

for( size_t i = 0; i < n; i++ )
{
mbedtls_mpi_uint u0, u1;

/*
* T = (T + u0*B + u1*N) / 2^biL
*/
u0 = A->p[i];
u1 = ( d[0] + u0 * B->p[0] ) * mm;

(void) mbedtls_mpi_core_mla( d, n + 2,
B->p, m,
u0 );
(void) mbedtls_mpi_core_mla( d, n + 2,
N->p, n,
u1 );
d++;
}

/* At this point, d is either the desired result or the desired result
* plus N. We now potentially subtract N, avoiding leaking whether the
* subtraction is performed through side channels. */

/* Copy the n least significant limbs of d to A, so that
* A = d if d < N (recall that N has n limbs). */
memcpy( A->p, d, n * ciL );
/* If d >= N then we want to set A to d - N. To prevent timing attacks,
* do the calculation without using conditional tests. */
/* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
d[n] += 1;
d[n] -= mpi_sub_hlp( n, d, d, N->p );
/* If d0 < N then d < (2^biL)^n
* so d[n] == 0 and we want to keep A as it is.
* If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
* so d[n] == 1 and we want to set A to the result of the subtraction
* which is d - (2^biL)^n, i.e. the n least significant limbs of d.
* This exactly corresponds to a conditional assignment. */
mbedtls_ct_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] );
mbedtls_mpi_core_montmul( A->p, A->p, B->p, B->n, N->p, N->n, mm, T->p );
}

/*
Expand All @@ -1709,7 +1584,7 @@ static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi
* See mpi_montmul() regarding constraints and guarantees on the parameters.
*/
static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
mbedtls_mpi_uint mm, const mbedtls_mpi *T )
mbedtls_mpi_uint mm, mbedtls_mpi *T )
{
mbedtls_mpi_uint z = 1;
mbedtls_mpi U;
Expand Down
Loading

0 comments on commit a85c02a

Please sign in to comment.