cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-09-07 22:27:01 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #978 from Mbed-TLS/mbedtls-2.28.2rc0-pr

Browse Source 
Mbedtls 2.28.2rc0 pr [DO NOT MERGE]
This commit is contained in:
Dave Rodgman 2022-12-12 15:17:36 +00:00 committed by GitHub
commit 89f040a5c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 185 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
BRANCHES.md
View File

@ -70,6 +70,7 @@ The following branches are currently maintained:
- [master](https://github.com/Mbed-TLS/mbedtls/tree/master) - [master](https://github.com/Mbed-TLS/mbedtls/tree/master)
- [`development`](https://github.com/Mbed-TLS/mbedtls/) - [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28) - [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024. maintained until at least the end of 2024, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2>.
Users are urged to always use the latest version of a maintained branch. Users are urged to always use the latest version of a maintained branch.

69
ChangeLog
View File

@ -1,5 +1,74 @@
Mbed TLS ChangeLog (Sorted per branch, date) Mbed TLS ChangeLog (Sorted per branch, date)
= Mbed TLS 2.28.2 branch released 2022-12-14
Security
* Fix potential heap buffer overread and overwrite in DTLS if
MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
* An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) could recover an RSA private key after observing the victim
performing a single private-key operation if the window size used for the
exponentiation was 3 or smaller. Found and reported by Zili KOU,
Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
and Test in Europe 2023.
Bugfix
* Fix a long-standing build failure when building x86 PIC code with old
gcc (4.x). The code will be slower, but will compile. We do however
recommend upgrading to a more recent compiler instead. Fixes #1910.
* Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
Contributed by Kazuyuki Kimura to fix #2020.
* Use double quotes to include private header file psa_crypto_cipher.h.
Fixes 'file not found with <angled> include' error
when building with Xcode.
* Fix handling of broken symlinks when loading certificates using
mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
broken link is encountered, skip the broken link and continue parsing
other certificate files. Contributed by Eduardo Silva in #2602.
* Fix a compilation error when using CMake with an IAR toolchain.
Fixes #5964.
* Fix bugs and missing dependencies when building and testing
configurations with only one encryption type enabled in TLS 1.2.
* Provide the missing definition of mbedtls_setbuf() in some configurations
with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
* Fix compilation errors when trying to build with
PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
* Fix memory leak in ssl_parse_certificate_request() caused by
mbedtls_x509_get_name() not freeing allocated objects in case of error.
Change mbedtls_x509_get_name() to clean up allocated objects on error.
* Fix checks on PK in check_config.h for builds with PSA and RSA. This does
not change which builds actually work, only moving a link-time error to
an early check.
* Fix ECDSA verification, where it was not always validating the
public key. This bug meant that it was possible to verify a
signature with an invalid public key, in some cases. Reported by
Guido Vranken using Cryptofuzz in #4420.
* Fix a possible null pointer dereference if a memory allocation fails
in TLS PRF code. Reported by Michael Madsen in #6516.
* Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
bytes when parsing certificates containing a binary RFC 4108
HardwareModuleName as a Subject Alternative Name extension. Hardware
serial numbers are now rendered in hex format. Fixes #6262.
* Fix bug in error reporting in dh_genprime.c where upon failure,
the error code returned by mbedtls_mpi_write_file() is overwritten
and therefore not printed.
* In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
with A > 0 created an unintended representation of the value 0 which was
not processed correctly by some bignum operations. Fix this. This had no
consequence on cryptography code, but might affect applications that call
bignum directly and use negative numbers.
* Fix undefined behavior (typically harmless in practice) of
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
when both operands are 0 and the left operand is represented with 0 limbs.
* Fix undefined behavior (typically harmless in practice) when some bignum
functions receive the most negative value of mbedtls_mpi_sint. Credit
to OSS-Fuzz. Fixes #6597.
* Fix undefined behavior (typically harmless in practice) in PSA ECB
encryption and decryption.
= Mbed TLS 2.28.1 branch released 2022-07-11 = Mbed TLS 2.28.1 branch released 2022-07-11
Default behavior changes Default behavior changes

4
ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix a long-standing build failure when building x86 PIC code with old
gcc (4.x). The code will be slower, but will compile. We do however
recommend upgrading to a more recent compiler instead. Fixes #1910.

5
ChangeLog.d/ecdsa-verify-fixes.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix ECDSA verification, where it was not always validating the
public key. This bug meant that it was possible to verify a
signature with an invalid public key, in some cases. Reported by
Guido Vranken using Cryptofuzz in #4420.

3
ChangeLog.d/fix_aead_psa_driver_build.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix compilation errors when trying to build with
PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).

3
ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix bugs and missing dependencies when building and testing
configurations with only one encryption type enabled in TLS 1.2.

3
ChangeLog.d/fix_cmake_using_iar_toolchain.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a compilation error when using CMake with an IAR toolchain.
Fixes #5964.

4
ChangeLog.d/fix_dh_genprime_error_reporting.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix bug in error reporting in dh_genprime.c where upon failure,
the error code returned by mbedtls_mpi_write_file() is overwritten
and therefore not printed.

4
ChangeLog.d/fix_psa_crypto_cipher_h_include.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Use double quotes to include private header file psa_crypto_cipher.h.
Fixes 'file not found with <angled> include' error
when building with Xcode.

4
ChangeLog.d/fix_x509_get_name_mem_leak.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix memory leak in ssl_parse_certificate_request() caused by
mbedtls_x509_get_name() not freeing allocated objects in case of error.
Change mbedtls_x509_get_name() to clean up allocated objects on error.

5
ChangeLog.d/fix_x509_info_hwmodulename.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
bytes when parsing certificates containing a binary RFC 4108
HardwareModuleName as a Subject Alternative Name extension. Hardware
serial numbers are now rendered in hex format. Fixes #6262.

3
ChangeLog.d/fix_zeroization.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a possible null pointer dereference if a memory allocation fails
in TLS PRF code. Reported by Michael Madsen in #6516.

4
ChangeLog.d/mpi-add-0-ub.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix undefined behavior (typically harmless in practice) of
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
when both operands are 0 and the left operand is represented with 0 limbs.

4
ChangeLog.d/mpi-most-negative-sint.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix undefined behavior (typically harmless in practice) when some bignum
functions receive the most negative value of mbedtls_mpi_sint. Credit
to OSS-Fuzz. Fixes #6597.

3
ChangeLog.d/muladdc_microblaze.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
Contributed by Kazuyuki Kimura to fix #2020.

6
ChangeLog.d/negative-zero-from-add.txt
View File

@ -1,6 +0,0 @@
Bugfix
* In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
with A > 0 created an unintended representation of the value 0 which was
not processed correctly by some bignum operations. Fix this. This had no
consequence on cryptography code, but might affect applications that call
bignum directly and use negative numbers.

3
ChangeLog.d/platform-setbuf.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Provide the missing definition of mbedtls_setbuf() in some configurations
with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.

3
ChangeLog.d/psa-ecb-ub.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix undefined behavior (typically harmless in practice) in PSA ECB
encryption and decryption.

4
ChangeLog.d/psa_rsa_needs_pk.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix checks on PK in check_config.h for builds with PSA and RSA. This does
not change which builds actually work, only moving a link-time error to
an early check.

5
ChangeLog.d/x509-broken-symlink-handling.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix handling of broken symlinks when loading certificates using
mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
broken link is encountered, skip the broken link and continue parsing
other certificate files. Contributed by Eduardo Silva in #2602.

2
doxygen/input/doc_mainpage.h
View File

@ -22,7 +22,7 @@
*/ */
/** /**
* @mainpage mbed TLS v2.28.1 source code documentation * @mainpage mbed TLS v2.28.2 source code documentation
* *
* This documentation describes the internal structure of mbed TLS. It was * This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in * automatically generated from specially formatted comment blocks in

2
doxygen/mbedtls.doxyfile
View File

@ -1,4 +1,4 @@
PROJECT_NAME = "mbed TLS v2.28.1" PROJECT_NAME = "mbed TLS v2.28.2"
OUTPUT_DIRECTORY = ../apidoc/ OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES OPTIMIZE_OUTPUT_FOR_C = YES

2
include/mbedtls/ssl_internal.h
View File

@ -782,7 +782,7 @@ struct mbedtls_ssl_transform
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
uint8_t in_cid_len; uint8_t in_cid_len;
uint8_t out_cid_len; uint8_t out_cid_len;
unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; unsigned char in_cid [ MBEDTLS_SSL_CID_IN_LEN_MAX ];
unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */

8
include/mbedtls/version.h
View File

@ -38,16 +38,16 @@
*/ */
#define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 28 #define MBEDTLS_VERSION_MINOR 28
#define MBEDTLS_VERSION_PATCH 1 #define MBEDTLS_VERSION_PATCH 2
/** /**
* The single version number has the following structure: * The single version number has the following structure:
* MMNNPP00 * MMNNPP00
* Major version | Minor version | Patch version * Major version | Minor version | Patch version
*/ */
#define MBEDTLS_VERSION_NUMBER 0x021C0100 #define MBEDTLS_VERSION_NUMBER 0x021C0200
#define MBEDTLS_VERSION_STRING "2.28.1" #define MBEDTLS_VERSION_STRING "2.28.2"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.28.1" #define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.28.2"
#if defined(MBEDTLS_VERSION_C) #if defined(MBEDTLS_VERSION_C)

6
library/CMakeLists.txt
View File

@ -204,15 +204,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR}) set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto}) add_library(${mbedcrypto_target} SHARED ${src_crypto})
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.1 SOVERSION 7) set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.2 SOVERSION 7)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs}) target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
add_library(${mbedx509_target} SHARED ${src_x509}) add_library(${mbedx509_target} SHARED ${src_x509})
set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.1 SOVERSION 1) set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.2 SOVERSION 1)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target}) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls}) add_library(${mbedtls_target} SHARED ${src_tls})
set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.1 SOVERSION 14) set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.2 SOVERSION 14)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY) endif(USE_SHARED_MBEDTLS_LIBRARY)

138
library/bignum.c
View File

@ -2005,11 +2005,11 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
mbedtls_mpi *prec_RR ) mbedtls_mpi *prec_RR )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t wbits, wsize, one = 1; size_t window_bitsize;
size_t i, j, nblimbs; size_t i, j, nblimbs;
size_t bufsize, nbits; size_t bufsize, nbits;
mbedtls_mpi_uint ei, mm, state; mbedtls_mpi_uint ei, mm, state;
mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos; mbedtls_mpi RR, T, W[ (size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos;
int neg; int neg;
MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( X != NULL );
@ -2038,21 +2038,59 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
i = mbedtls_mpi_bitlen( E ); i = mbedtls_mpi_bitlen( E );
wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 : window_bitsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1; ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
#if( MBEDTLS_MPI_WINDOW_SIZE < 6 ) #if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
if( wsize > MBEDTLS_MPI_WINDOW_SIZE ) if( window_bitsize > MBEDTLS_MPI_WINDOW_SIZE )
wsize = MBEDTLS_MPI_WINDOW_SIZE; window_bitsize = MBEDTLS_MPI_WINDOW_SIZE;
#endif #endif
const size_t w_table_used_size = (size_t) 1 << window_bitsize;
/*
* This function is not constant-trace: its memory accesses depend on the
* exponent value. To defend against timing attacks, callers (such as RSA
* and DHM) should use exponent blinding. However this is not enough if the
* adversary can find the exponent in a single trace, so this function
* takes extra precautions against adversaries who can observe memory
* access patterns.
*
* This function performs a series of multiplications by table elements and
* squarings, and we want the prevent the adversary from finding out which
* table element was used, and from distinguishing between multiplications
* and squarings. Firstly, when multiplying by an element of the window
* W[i], we do a constant-trace table lookup to obfuscate i. This leaves
* squarings as having a different memory access patterns from other
* multiplications. So secondly, we put the accumulator X in the table as
* well, and also do a constant-trace table lookup to multiply by X.
*
* This way, all multiplications take the form of a lookup-and-multiply.
* The number of lookup-and-multiply operations inside each iteration of
* the main loop still depends on the bits of the exponent, but since the
* other operations in the loop don't have an easily recognizable memory
* trace, an adversary is unlikely to be able to observe the exact
* patterns.
*
* An adversary may still be able to recover the exponent if they can
* observe both memory accesses and branches. However, branch prediction
* exploitation typically requires many traces of execution over the same
* data, which is defeated by randomized blinding.
*
* To achieve this, we make a copy of X and we use the table entry in each
* calculation from this point on.
*/
const size_t x_index = 0;
mbedtls_mpi_init( &W[x_index] );
mbedtls_mpi_copy( &W[x_index], X );
j = N->n + 1; j = N->n + 1;
/* All W[i] and X must have at least N->n limbs for the mpi_montmul() /* All W[i] and X must have at least N->n limbs for the mpi_montmul()
* and mpi_montred() calls later. Here we ensure that W[1] and X are * and mpi_montred() calls later. Here we ensure that W[1] and X are
* large enough, and later we'll grow other W[i] to the same length. * large enough, and later we'll grow other W[i] to the same length.
* They must not be shrunk midway through this function! * They must not be shrunk midway through this function!
*/ */
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[x_index], j ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
@ -2101,28 +2139,36 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
mpi_montmul( &W[1], &RR, N, mm, &T ); mpi_montmul( &W[1], &RR, N, mm, &T );
/* /*
* X = R^2 * R^-1 mod N = R mod N * W[x_index] = R^2 * R^-1 mod N = R mod N
*/ */
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[x_index], &RR ) );
mpi_montred( X, N, mm, &T ); mpi_montred( &W[x_index], N, mm, &T );
if( wsize > 1 )
if( window_bitsize > 1 )
{ {
/* /*
* W[1 << (wsize - 1)] = W[1] ^ (wsize - 1) * W[i] = W[1] ^ i
*
* The first bit of the sliding window is always 1 and therefore we
* only need to store the second half of the table.
*
* (There are two special elements in the table: W[0] for the
* accumulator/result and W[1] for A in Montgomery form. Both of these
* are already set at this point.)
*/ */
j = one << ( wsize - 1 ); j = w_table_used_size / 2;
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) );
for( i = 0; i < wsize - 1; i++ ) for( i = 0; i < window_bitsize - 1; i++ )
mpi_montmul( &W[j], &W[j], N, mm, &T ); mpi_montmul( &W[j], &W[j], N, mm, &T );
/* /*
* W[i] = W[i - 1] * W[1] * W[i] = W[i - 1] * W[1]
*/ */
for( i = j + 1; i < ( one << wsize ); i++ ) for( i = j + 1; i < w_table_used_size; i++ )
{ {
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
@ -2134,7 +2180,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
nblimbs = E->n; nblimbs = E->n;
bufsize = 0; bufsize = 0;
nbits = 0; nbits = 0;
wbits = 0; size_t exponent_bits_in_window = 0;
state = 0; state = 0;
while( 1 ) while( 1 )
@ -2162,9 +2208,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
if( ei == 0 && state == 1 ) if( ei == 0 && state == 1 )
{ {
/* /*
* out of window, square X * out of window, square W[x_index]
*/ */
mpi_montmul( X, X, N, mm, &T ); MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
continue; continue;
} }
@ -2174,25 +2221,30 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
state = 2; state = 2;
nbits++; nbits++;
wbits |= ( ei << ( wsize - nbits ) ); exponent_bits_in_window |= ( ei << ( window_bitsize - nbits ) );
if( nbits == wsize ) if( nbits == window_bitsize )
{ {
/* /*
* X = X^wsize R^-1 mod N * W[x_index] = W[x_index]^window_bitsize R^-1 mod N
*/ */
for( i = 0; i < wsize; i++ ) for( i = 0; i < window_bitsize; i++ )
mpi_montmul( X, X, N, mm, &T ); {
MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size,
x_index ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
}
/* /*
* X = X * W[wbits] R^-1 mod N * W[x_index] = W[x_index] * W[exponent_bits_in_window] R^-1 mod N
*/ */
MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) ); MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size,
mpi_montmul( X, &WW, N, mm, &T ); exponent_bits_in_window ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
state--; state--;
nbits = 0; nbits = 0;
wbits = 0; exponent_bits_in_window = 0;
} }
} }
@ -2201,31 +2253,45 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
*/ */
for( i = 0; i < nbits; i++ ) for( i = 0; i < nbits; i++ )
{ {
mpi_montmul( X, X, N, mm, &T ); MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
wbits <<= 1; exponent_bits_in_window <<= 1;
if( ( wbits & ( one << wsize ) ) != 0 ) if( ( exponent_bits_in_window & ( (size_t) 1 << window_bitsize ) ) != 0 )
mpi_montmul( X, &W[1], N, mm, &T ); {
MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, 1 ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
}
} }
/* /*
* X = A^E * R * R^-1 mod N = A^E mod N * W[x_index] = A^E * R * R^-1 mod N = A^E mod N
*/ */
mpi_montred( X, N, mm, &T ); mpi_montred( &W[x_index], N, mm, &T );
if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 ) if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
{ {
X->s = -1; W[x_index].s = -1;
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &W[x_index], N, &W[x_index] ) );
} }
/*
* Load the result in the output variable.
*/
mbedtls_mpi_copy( X, &W[x_index] );
cleanup: cleanup:
for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ ) /* The first bit of the sliding window is always 1 and therefore the first
* half of the table was unused. */
for( i = w_table_used_size/2; i < w_table_used_size; i++ )
mbedtls_mpi_free( &W[i] ); mbedtls_mpi_free( &W[i] );
mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos ); mbedtls_mpi_free( &W[x_index] );
mbedtls_mpi_free( &W[1] );
mbedtls_mpi_free( &T );
mbedtls_mpi_free( &Apos );
mbedtls_mpi_free( &WW ); mbedtls_mpi_free( &WW );
if( prec_RR == NULL || prec_RR->p == NULL ) if( prec_RR == NULL || prec_RR->p == NULL )

4
tests/suites/test_suite_version.data
View File

@ -1,8 +1,8 @@
Check compile time library version Check compile time library version
check_compiletime_version:"2.28.1" check_compiletime_version:"2.28.2"
Check runtime library version Check runtime library version
check_runtime_version:"2.28.1" check_runtime_version:"2.28.2"
Check for MBEDTLS_VERSION_C Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0 check_feature:"MBEDTLS_VERSION_C":0