From f47b66eca59104aeec2a99ed423056814cc68b39 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 4 Jun 2024 18:15:44 +0100 Subject: [PATCH 1/5] Remove MBEDTLS_RSA_ALT Signed-off-by: Thomas Daubney --- include/mbedtls/mbedtls_config.h | 1 - library/constant_time.c | 8 ++++---- library/constant_time_internal.h | 4 ++-- library/pk_wrap.c | 6 ------ library/rsa.c | 10 +++------- tests/include/alt-dummy/rsa_alt.h | 16 ---------------- tests/suites/test_suite_constant_time.function | 4 ++-- tests/suites/test_suite_pkcs1_v15.function | 3 +-- .../drivers/builtin/include/mbedtls/rsa.h | 8 -------- 9 files changed, 12 insertions(+), 48 deletions(-) delete mode 100644 tests/include/alt-dummy/rsa_alt.h diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 2e98c3aae5..2d1c9c14e4 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -390,7 +390,6 @@ //#define MBEDTLS_MD5_ALT //#define MBEDTLS_POLY1305_ALT //#define MBEDTLS_RIPEMD160_ALT -//#define MBEDTLS_RSA_ALT //#define MBEDTLS_SHA1_ALT //#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA512_ALT diff --git a/library/constant_time.c b/library/constant_time.c index d212ddfd81..95b81221f4 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -146,7 +146,7 @@ int mbedtls_ct_memcmp_partial(const void *a, #endif -#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) +#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset) { @@ -165,7 +165,7 @@ void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset) } } -#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ +#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */ void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition, unsigned char *dest, 
@@ -227,7 +227,7 @@ void mbedtls_ct_memcpy_offset(unsigned char *dest, } } -#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) +#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len) { @@ -245,4 +245,4 @@ void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t l } } -#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) */ +#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) */ diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h index 61a5c6d4e9..26f66066fa 100644 --- a/library/constant_time_internal.h +++ b/library/constant_time_internal.h @@ -433,7 +433,7 @@ static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, i * Block memory operations */ -#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) +#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) /** Conditionally set a block of memory to zero. * @@ -466,7 +466,7 @@ void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset); -#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) */ +#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) */ /** Conditional memcpy. * diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 19196b559a..8710889bbb 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -470,11 +470,6 @@ static void rsa_free_wrap(void *ctx) static void rsa_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items) { -#if defined(MBEDTLS_RSA_ALT) - /* Not supported */ - (void) pk; - (void) items; -#else mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx; items->type = MBEDTLS_PK_DEBUG_MPI; 
@@ -486,7 +481,6 @@ static void rsa_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items) items->type = MBEDTLS_PK_DEBUG_MPI; items->name = "rsa.E"; items->value = &(rsa->E); -#endif } const mbedtls_pk_info_t mbedtls_rsa_info = { diff --git a/library/rsa.c b/library/rsa.c index 7eb4a259ea..8a4c3d0485 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -155,7 +155,7 @@ int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, si goto cleanup; } -#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) +#if !defined(MBEDTLS_RSA_NO_CRT) /* * The RSA CRT parameters DP, DQ and QP are nominally redundant, in * that they can be easily recomputed from D, P and Q. However by @@ -411,7 +411,7 @@ end_of_export: return (int) len; } -#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) +#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) /** This function performs the unpadding part of a PKCS#1 v1.5 decryption * operation (EME-PKCS1-v1_5 decoding). @@ -564,9 +564,7 @@ static int mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char *input, return ret; } -#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ - -#if !defined(MBEDTLS_RSA_ALT) +#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */ int mbedtls_rsa_import(mbedtls_rsa_context *ctx, const mbedtls_mpi *N, @@ -2841,8 +2839,6 @@ void mbedtls_rsa_free(mbedtls_rsa_context *ctx) #endif } -#endif /* !MBEDTLS_RSA_ALT */ - #if defined(MBEDTLS_SELF_TEST) diff --git a/tests/include/alt-dummy/rsa_alt.h b/tests/include/alt-dummy/rsa_alt.h deleted file mode 100644 index eabc26da10..0000000000 --- a/tests/include/alt-dummy/rsa_alt.h +++ /dev/null 
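Review bot: In the guard changed at `@@ -411,7 +411,7 @@`, `defined(MBEDTLS_RSA_C)` looks redundant now that the MBEDTLS_RSA_ALT term is gone, assuming rsa.c as a whole is already compiled only under MBEDTLS_RSA_C (the file-level guard is outside this hunk, so confirm). If so, `#if defined(MBEDTLS_PKCS1_V15)` with a matching `#endif /* MBEDTLS_PKCS1_V15 */` at `@@ -564,9 +564,7 @@` is enough. The two-term form is still needed in constant_time.c, where functions outside the guard are built regardless of RSA.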
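Review bot: Dropping `#if !defined(MBEDTLS_RSA_ALT)` ahead of `mbedtls_rsa_import` (hunk `@@ -564,9 +564,7 @@`) means the built-in RSA code is compiled whether or not a configuration still defines MBEDTLS_RSA_ALT, and nothing in the visible patches rejects that stale define. Where the alternative existed to keep private-key operations inside a hardware or hardened implementation, the build may end up on the software path without a diagnostic that names the option. I would fail such a configuration explicitly in check_config.h: `#if defined(MBEDTLS_RSA_ALT)`, `#error "MBEDTLS_RSA_ALT is no longer supported"`, `#endif`. The same gap applies to MBEDTLS_DHM_ALT, MBEDTLS_ECJPAKE_ALT, MBEDTLS_ECP_ALT, MBEDTLS_ECP_INTERNAL_ALT and MBEDTLS_ECP_NO_FALLBACK, removed in library/dhm.c, library/ecjpake.c and library/ecp.c later in this series.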
@@ -1,16 +0,0 @@ -/* rsa_alt.h with dummy types for MBEDTLS_RSA_ALT */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#ifndef RSA_ALT_H -#define RSA_ALT_H - -typedef struct mbedtls_rsa_context { - int dummy; -} -mbedtls_rsa_context; - - -#endif /* rsa_alt.h */ diff --git a/tests/suites/test_suite_constant_time.function b/tests/suites/test_suite_constant_time.function index 31273652d5..ba8439756f 100644 --- a/tests/suites/test_suite_constant_time.function +++ b/tests/suites/test_suite_constant_time.function @@ -171,7 +171,7 @@ void mbedtls_ct_if(char *c_str, char *t_str, char *f_str) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:!MBEDTLS_RSA_ALT */ +/* BEGIN_CASE depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ void mbedtls_ct_zeroize_if(char *c_str, int len) { uint8_t *buf = NULL; @@ -431,7 +431,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:!MBEDTLS_RSA_ALT */ +/* BEGIN_CASE depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ void mbedtls_ct_memmove_left(int len, int offset) { size_t l = (size_t) len; diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index 7113274550..ed9f4f4085 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -235,7 +235,6 @@ void pkcs1_v15_decode(data_t *input, size_t i; size_t count = 0; -#if !defined(MBEDTLS_RSA_ALT) /* Check that the output in invalid cases is what the default * implementation currently does. Alternative implementations * may produce different output, so we only perform these precise 
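Review bot: The comment kept in `pkcs1_v15_decode` at `@@ -235,7 +235,6 @@` still says alternative implementations may produce different output and that the precise checks are limited for that reason, but with the `#if !defined(MBEDTLS_RSA_ALT)` guard removed the zero-output check shown in the next hunk (`TEST_ASSERT(final[i] == 0)`) always runs. The comment in that next hunk (`@@ -244,7 +243,7 @@`) opens with "Even in alternative implementations" and is stale in the same way, as is the 'reference handshake' comment left in `mbedtls_ecjpake_self_test` in library/ecjpake.c. I would shorten the first to `/* Check that the output in invalid cases is all-zero. */` and start the second with `/* The outputs must have changed, otherwise it indicates ...`. The timing rationale in the second comment is worth keeping as is; the function body continues outside both hunks.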
@@ -244,7 +243,7 @@ void pkcs1_v15_decode(data_t *input, for (i = 0; i < max_payload_length; i++) { TEST_ASSERT(final[i] == 0); } -#endif + /* Even in alternative implementations, the outputs must have * changed, otherwise it indicates at least a timing vulnerability * because no write to the outputs is performed in the bad case. */ diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/rsa.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/rsa.h index c1e76b3927..cc839f2198 100644 --- a/tf-psa-crypto/drivers/builtin/include/mbedtls/rsa.h +++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/rsa.h @@ -69,10 +69,6 @@ extern "C" { #endif -#if !defined(MBEDTLS_RSA_ALT) -// Regular implementation -// - #if !defined(MBEDTLS_RSA_GEN_KEY_MIN_BITS) #define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 #elif MBEDTLS_RSA_GEN_KEY_MIN_BITS < 128 @@ -122,10 +118,6 @@ typedef struct mbedtls_rsa_context { } mbedtls_rsa_context; -#else /* MBEDTLS_RSA_ALT */ -#include "rsa_alt.h" -#endif /* MBEDTLS_RSA_ALT */ - /** * \brief This function initializes an RSA context. * From 5edad7f89f21915895b2aa0bcd6931cd5ec84ac1 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 5 Jun 2024 10:33:16 +0100 Subject: [PATCH 2/5] Remove MBEDTLS_DHM_ALT Signed-off-by: Thomas Daubney --- include/mbedtls/mbedtls_config.h | 1 - library/dhm.c | 3 --- tests/include/alt-dummy/dhm_alt.h | 16 ---------------- tests/scripts/all.sh | 12 ------------ .../drivers/builtin/include/mbedtls/dhm.h | 6 ------ 5 files changed, 38 deletions(-) delete mode 100644 tests/include/alt-dummy/dhm_alt.h diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 2d1c9c14e4..25ef0ca4ac 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -383,7 +383,6 @@ //#define MBEDTLS_CHACHAPOLY_ALT //#define MBEDTLS_CMAC_ALT //#define MBEDTLS_DES_ALT -//#define MBEDTLS_DHM_ALT //#define MBEDTLS_ECJPAKE_ALT //#define MBEDTLS_GCM_ALT //#define MBEDTLS_NIST_KW_ALT 
diff --git a/library/dhm.c b/library/dhm.c index bcc07f5441..75af8b7910 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -33,8 +33,6 @@ #include "mbedtls/platform.h" -#if !defined(MBEDTLS_DHM_ALT) - /* * helper to validate the mbedtls_mpi size and import it */ @@ -642,7 +640,6 @@ int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context *dhm, const char *path) } #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ -#endif /* MBEDTLS_DHM_ALT */ #if defined(MBEDTLS_SELF_TEST) diff --git a/tests/include/alt-dummy/dhm_alt.h b/tests/include/alt-dummy/dhm_alt.h deleted file mode 100644 index 3cb51d2ed4..0000000000 --- a/tests/include/alt-dummy/dhm_alt.h +++ /dev/null @@ -1,16 +0,0 @@ -/* dhm_alt.h with dummy types for MBEDTLS_DHM_ALT */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#ifndef DHM_ALT_H -#define DHM_ALT_H - -typedef struct mbedtls_dhm_context { - int dummy; -} -mbedtls_dhm_context; - - -#endif /* dhm_alt.h */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index de74f97b6b..6b439aa8b8 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2451,24 +2451,12 @@ component_build_module_alt () { # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable # MBEDTLS_XXX_YYY_ALT which are for single functions. scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT' - scripts/config.py unset MBEDTLS_DHM_ALT #incompatible with MBEDTLS_DEBUG_C # We can only compile, not link, since we don't have any implementations # suitable for testing with the dummy alt headers. make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib } -component_build_dhm_alt () { - msg "build: MBEDTLS_DHM_ALT" # ~30s - scripts/config.py full - scripts/config.py set MBEDTLS_DHM_ALT - # debug.c currently references mbedtls_dhm_context fields directly. - scripts/config.py unset MBEDTLS_DEBUG_C - # We can only compile, not link, since we don't have any implementations - # suitable for testing with the dummy alt headers. - make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib -} - component_test_no_psa_crypto_full_cmake_asan() { # full minus MBEDTLS_PSA_CRYPTO_C: run the same set of tests as basic-build-test.sh msg "build: cmake, full config minus PSA crypto, ASan" diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/dhm.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/dhm.h index fcba3d2af0..01434052ea 100644 --- a/tf-psa-crypto/drivers/builtin/include/mbedtls/dhm.h +++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/dhm.h @@ -93,8 +93,6 @@ typedef enum { extern "C" { #endif -#if !defined(MBEDTLS_DHM_ALT) - /** * \brief The DHM context structure. */ @@ -112,10 +110,6 @@ typedef struct mbedtls_dhm_context { } mbedtls_dhm_context; -#else /* MBEDTLS_DHM_ALT */ -#include "dhm_alt.h" -#endif /* MBEDTLS_DHM_ALT */ - /** * \brief This function initializes the DHM context. * From e647d8f77a0889df3a793627c83673e2608016d6 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 5 Jun 2024 14:56:29 +0100 Subject: [PATCH 3/5] Remove MBEDTLS_ECJPAKE_ALT 
Signed-off-by: Thomas Daubney --- include/mbedtls/mbedtls_config.h | 1 - library/ecjpake.c | 10 ---------- tests/include/alt-dummy/ecjpake_alt.h | 15 --------------- .../drivers/builtin/include/mbedtls/ecjpake.h | 5 ----- 4 files changed, 31 deletions(-) delete mode 100644 tests/include/alt-dummy/ecjpake_alt.h diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 25ef0ca4ac..2c82ca369e 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -383,7 +383,6 @@ //#define MBEDTLS_CHACHAPOLY_ALT //#define MBEDTLS_CMAC_ALT //#define MBEDTLS_DES_ALT -//#define MBEDTLS_ECJPAKE_ALT //#define MBEDTLS_GCM_ALT //#define MBEDTLS_NIST_KW_ALT //#define MBEDTLS_MD5_ALT diff --git a/library/ecjpake.c b/library/ecjpake.c index cdf5d7ea46..628fb65a59 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -20,8 +20,6 @@ #include -#if !defined(MBEDTLS_ECJPAKE_ALT) - /* * Convert a mbedtls_ecjpake_role to identifier string */ @@ -820,8 +818,6 @@ cleanup: #undef ID_MINE #undef ID_PEER -#endif /* ! MBEDTLS_ECJPAKE_ALT */ - #if defined(MBEDTLS_SELF_TEST) #include "mbedtls/platform.h" @@ -840,8 +836,6 @@ static const unsigned char ecjpake_test_password[] = { 0x65, 0x73, 0x74 }; -#if !defined(MBEDTLS_ECJPAKE_ALT) - static const unsigned char ecjpake_test_x1[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, @@ -1016,8 +1010,6 @@ cleanup: return ret; } -#endif /* ! MBEDTLS_ECJPAKE_ALT */ - /* For tests we don't need a secure RNG; * use the LGC from Numerical Recipes for simplicity */ static int ecjpake_lgc(void *p, unsigned char *out, size_t len) 
@@ -1116,7 +1108,6 @@ int mbedtls_ecjpake_self_test(int verbose) mbedtls_printf("passed\n"); } -#if !defined(MBEDTLS_ECJPAKE_ALT) /* 'reference handshake' tests can only be run against implementations * for which we have 100% control over how the random ephemeral keys * are generated. This is only the case for the internal Mbed TLS @@ -1186,7 +1177,6 @@ int mbedtls_ecjpake_self_test(int verbose) if (verbose != 0) { mbedtls_printf("passed\n"); } -#endif /* ! MBEDTLS_ECJPAKE_ALT */ cleanup: mbedtls_ecjpake_free(&cli); diff --git a/tests/include/alt-dummy/ecjpake_alt.h b/tests/include/alt-dummy/ecjpake_alt.h deleted file mode 100644 index 4d7524860c..0000000000 --- a/tests/include/alt-dummy/ecjpake_alt.h +++ /dev/null @@ -1,15 +0,0 @@ -/* ecjpake_alt.h with dummy types for MBEDTLS_ECJPAKE_ALT */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#ifndef ECJPAKE_ALT_H -#define ECJPAKE_ALT_H - -typedef struct mbedtls_ecjpake_context { - int dummy; -} mbedtls_ecjpake_context; - - -#endif /* ecjpake_alt.h */ diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecjpake.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecjpake.h index c2148a2bd1..a75a8ec8f8 100644 --- a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecjpake.h +++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecjpake.h @@ -45,7 +45,6 @@ typedef enum { MBEDTLS_ECJPAKE_NONE, /**< Undefined */ } mbedtls_ecjpake_role; -#if !defined(MBEDTLS_ECJPAKE_ALT) /** * EC J-PAKE context structure. * @@ -75,10 +74,6 @@ typedef struct mbedtls_ecjpake_context { mbedtls_mpi MBEDTLS_PRIVATE(s); /**< Pre-shared secret (passphrase) */ } mbedtls_ecjpake_context; -#else /* MBEDTLS_ECJPAKE_ALT */ -#include "ecjpake_alt.h" -#endif /* MBEDTLS_ECJPAKE_ALT */ - /** * \brief Initialize an ECJPAKE context. * From 9da176923766c5aed990567562ed0767d659eea8 Mon Sep 17 00:00:00 2001 
From: Thomas Daubney Date: Thu, 6 Jun 2024 14:04:49 +0100 Subject: [PATCH 4/5] Remove MBEDTLS_ECP_ALT and associated options Also removed are all options of the form MBEDTLS_ECP_XXX_ALT as well as MBEDTLS_ECP_NO_FALLBACK. Signed-off-by: Thomas Daubney --- include/mbedtls/check_config.h | 40 +-- include/mbedtls/mbedtls_config.h | 78 +---- library/ecp.c | 145 --------- library/ecp_curves.c | 4 - library/ecp_curves_new.c | 3 - library/ecp_internal_alt.h | 287 ------------------ scripts/config.py | 1 - tests/include/alt-dummy/ecp_alt.h | 22 -- .../drivers/builtin/include/mbedtls/ecp.h | 13 - 9 files changed, 2 insertions(+), 591 deletions(-) delete mode 100644 library/ecp_internal_alt.h delete mode 100644 tests/include/alt-dummy/ecp_alt.h diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 67a05f83b8..178bd39f28 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -189,9 +189,7 @@ defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT) || \ defined(MBEDTLS_ECDSA_SIGN_ALT) || \ defined(MBEDTLS_ECDSA_VERIFY_ALT) || \ - defined(MBEDTLS_ECDSA_GENKEY_ALT) || \ - defined(MBEDTLS_ECP_INTERNAL_ALT) || \ - defined(MBEDTLS_ECP_ALT) ) + defined(MBEDTLS_ECDSA_GENKEY_ALT) ) #error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation" #endif 
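Review bot: The `#error` text kept under the shortened condition still speaks of "an alternative ECP implementation", but the options left in the visible part of the condition are the ECDH and ECDSA function alternatives. I would align it with the note this patch updates in mbedtls_config.h, e.g. `#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECDH or ECDSA implementation"`. The condition starts above the hunk, so check the terms that are not shown before changing the wording.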
@@ -269,42 +267,6 @@ #error "MBEDTLS_CHACHAPOLY_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_RANDOMIZE_JAC_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_ADD_MIXED_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_DOUBLE_JAC_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_NORMALIZE_JAC_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled" -#endif - #if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C) #error "MBEDTLS_HKDF_C defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 2c82ca369e..618d10e5bd 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -392,17 +392,6 @@ //#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA512_ALT -/* - * When replacing the elliptic curve module, please consider, that it is - * implemented with two .c files: - * - ecp.c - * - ecp_curves.c - * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT - * macros as described above. The only difference is that you have to make sure - * that you provide functionality for both .c files. - */ -//#define MBEDTLS_ECP_ALT - /** * \def MBEDTLS_SHA256_PROCESS_ALT * 
@@ -458,71 +447,6 @@ //#define MBEDTLS_ECDSA_SIGN_ALT //#define MBEDTLS_ECDSA_GENKEY_ALT -/** - * \def MBEDTLS_ECP_INTERNAL_ALT - * - * Expose a part of the internal interface of the Elliptic Curve Point module. - * - * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let Mbed TLS use your - * alternative core implementation of elliptic curve arithmetic. Keep in mind - * that function prototypes should remain the same. - * - * This partially replaces one function. The header file from Mbed TLS is still - * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation - * is still present and it is used for group structures not supported by the - * alternative. - * - * The original implementation can in addition be removed by setting the - * MBEDTLS_ECP_NO_FALLBACK option, in which case any function for which the - * corresponding MBEDTLS_ECP__FUNCTION_NAME__ALT macro is defined will not be - * able to fallback to curves not supported by the alternative implementation. - * - * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT - * and implementing the following functions: - * unsigned char mbedtls_internal_ecp_grp_capable( - * const mbedtls_ecp_group *grp ) - * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) - * void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp ) - * The mbedtls_internal_ecp_grp_capable function should return 1 if the - * replacement functions implement arithmetic for the given group and 0 - * otherwise. - * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are - * called before and after each point operation and provide an opportunity to - * implement optimized set up and tear down instructions. 
- * - * Example: In case you set MBEDTLS_ECP_INTERNAL_ALT and - * MBEDTLS_ECP_DOUBLE_JAC_ALT, Mbed TLS will still provide the ecp_double_jac() - * function, but will use your mbedtls_internal_ecp_double_jac() if the group - * for the operation is supported by your implementation (i.e. your - * mbedtls_internal_ecp_grp_capable() function returns 1 for this group). If the - * group is not supported by your implementation, then the original Mbed TLS - * implementation of ecp_double_jac() is used instead, unless this fallback - * behaviour is disabled by setting MBEDTLS_ECP_NO_FALLBACK (in which case - * ecp_double_jac() will return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE). - * - * The function prototypes and the definition of mbedtls_ecp_group and - * mbedtls_ecp_point will not change based on MBEDTLS_ECP_INTERNAL_ALT, so your - * implementation of mbedtls_internal_ecp__function_name__ must be compatible - * with their definitions. - * - * Uncomment a macro to enable alternate implementation of the corresponding - * function. - */ -/* Required for all the functions in this section */ -//#define MBEDTLS_ECP_INTERNAL_ALT -/* Turn off software fallback for curves not supported in hardware */ -//#define MBEDTLS_ECP_NO_FALLBACK -/* Support for Weierstrass curves with Jacobi representation */ -//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT -//#define MBEDTLS_ECP_ADD_MIXED_ALT -//#define MBEDTLS_ECP_DOUBLE_JAC_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT -/* Support for curves with Montgomery arithmetic */ -//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT -//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT -//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT - /** * \def MBEDTLS_ENTROPY_HARDWARE_ALT * 
@@ -825,7 +749,7 @@ * * \note This option only works with the default software implementation of * elliptic curve functionality. It is incompatible with - * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT. + * MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT. * * Requires: MBEDTLS_ECP_C * diff --git a/library/ecp.c b/library/ecp.c index 427059bb53..1e6b69b982 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -31,35 +31,6 @@ #include "common.h" -/** - * \brief Function level alternative implementation. - * - * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to - * replace certain functions in this module. The alternative implementations are - * typically hardware accelerators and need to activate the hardware before the - * computation starts and deactivate it after it finishes. The - * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve - * this purpose. - * - * To preserve the correct functionality the following conditions must hold: - * - * - The alternative implementation must be activated by - * mbedtls_internal_ecp_init() before any of the replaceable functions is - * called. - * - mbedtls_internal_ecp_free() must \b only be called when the alternative - * implementation is activated. - * - mbedtls_internal_ecp_init() must \b not be called when the alternative - * implementation is activated. - * - Public functions must not return while the alternative implementation is - * activated. - * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and - * before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) ) - * \endcode ensures that the alternative implementation supports the current - * group. - */ -#if defined(MBEDTLS_ECP_INTERNAL_ALT) -#endif - #if defined(MBEDTLS_ECP_LIGHT) #include "mbedtls/ecp.h" 
@@ -72,12 +43,8 @@ #include -#if !defined(MBEDTLS_ECP_ALT) - #include "mbedtls/platform.h" -#include "ecp_internal_alt.h" - #if defined(MBEDTLS_SELF_TEST) /* * Counts of point addition and doubling, and field multiplications. @@ -1317,15 +1284,6 @@ static int ecp_normalize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt return 0; } -#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) - if (mbedtls_internal_ecp_grp_capable(grp)) { - return mbedtls_internal_ecp_normalize_jac(grp, pt); - } -#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */ - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) - return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi T; mbedtls_mpi_init(&T); @@ -1343,7 +1301,6 @@ cleanup: mbedtls_mpi_free(&T); return ret; -#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) */ } /* @@ -1364,15 +1321,6 @@ static int ecp_normalize_jac_many(const mbedtls_ecp_group *grp, return ecp_normalize_jac(grp, *T); } -#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) - if (mbedtls_internal_ecp_grp_capable(grp)) { - return mbedtls_internal_ecp_normalize_jac_many(grp, T, T_size); - } -#endif - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) - return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t i; mbedtls_mpi *c, t; @@ -1447,7 +1395,6 @@ cleanup: mbedtls_free(c); return ret; -#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) */ } /* 
@@ -1491,15 +1438,6 @@ static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R, dbl_count++; #endif -#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) - if (mbedtls_internal_ecp_grp_capable(grp)) { - return mbedtls_internal_ecp_double_jac(grp, R, P); - } -#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */ - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) - return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* Special case for A = -3 */ @@ -1557,7 +1495,6 @@ static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R, cleanup: return ret; -#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) */ } /* @@ -1588,15 +1525,6 @@ static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R, add_count++; #endif -#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) - if (mbedtls_internal_ecp_grp_capable(grp)) { - return mbedtls_internal_ecp_add_mixed(grp, R, P, Q); - } -#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */ - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_ADD_MIXED_ALT) - return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* NOTE: Aliasing between input and output is allowed, so one has to make @@ -1668,7 +1596,6 @@ static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R, cleanup: return ret; -#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_ADD_MIXED_ALT) */ } /* 
@@ -1681,15 +1608,6 @@ cleanup: static int ecp_randomize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { -#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) - if (mbedtls_internal_ecp_grp_capable(grp)) { - return mbedtls_internal_ecp_randomize_jac(grp, pt, f_rng, p_rng); - } -#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */ - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) - return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi l; @@ -1718,7 +1636,6 @@ cleanup: ret = MBEDTLS_ERR_ECP_RANDOM_FAILED; } return ret; -#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) */ } /* @@ -2422,15 +2339,6 @@ cleanup: */ static int ecp_normalize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P) { -#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) - if (mbedtls_internal_ecp_grp_capable(grp)) { - return mbedtls_internal_ecp_normalize_mxz(grp, P); - } -#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */ - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) - return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; MPI_ECP_INV(&P->Z, &P->Z); MPI_ECP_MUL(&P->X, &P->X, &P->Z); @@ -2438,7 +2346,6 @@ static int ecp_normalize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P) cleanup: return ret; -#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) */ } /* 
@@ -2452,15 +2359,6 @@ cleanup: static int ecp_randomize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { -#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) - if (mbedtls_internal_ecp_grp_capable(grp)) { - return mbedtls_internal_ecp_randomize_mxz(grp, P, f_rng, p_rng); - } -#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */ - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) - return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi l; mbedtls_mpi_init(&l); @@ -2478,7 +2376,6 @@ cleanup: ret = MBEDTLS_ERR_ECP_RANDOM_FAILED; } return ret; -#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) */ } /* @@ -2502,15 +2399,6 @@ static int ecp_double_add_mxz(const mbedtls_ecp_group *grp, const mbedtls_mpi *d, mbedtls_mpi T[4]) { -#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) - if (mbedtls_internal_ecp_grp_capable(grp)) { - return mbedtls_internal_ecp_double_add_mxz(grp, R, S, P, Q, d); - } -#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */ - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) - return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; MPI_ECP_ADD(&T[0], &P->X, &P->Z); /* Pp := PX + PZ */ @@ -2535,7 +2423,6 @@ static int ecp_double_add_mxz(const mbedtls_ecp_group *grp, cleanup: return ret; -#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) */ } /* @@ -2629,9 +2516,6 @@ static int ecp_mul_restartable_internal(mbedtls_ecp_group *grp, mbedtls_ecp_poin mbedtls_ecp_restart_ctx *rs_ctx) { int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; -#if defined(MBEDTLS_ECP_INTERNAL_ALT) - char is_grp_capable = 0; -#endif #if defined(MBEDTLS_ECP_RESTARTABLE) /* reset ops count for this call if top-level */ 
@@ -2642,12 +2526,6 @@ static int ecp_mul_restartable_internal(mbedtls_ecp_group *grp, mbedtls_ecp_poin (void) rs_ctx; #endif -#if defined(MBEDTLS_ECP_INTERNAL_ALT) - if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) { - MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp)); - } -#endif /* MBEDTLS_ECP_INTERNAL_ALT */ - int restarting = 0; #if defined(MBEDTLS_ECP_RESTARTABLE) restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL); @@ -2676,12 +2554,6 @@ static int ecp_mul_restartable_internal(mbedtls_ecp_group *grp, mbedtls_ecp_poin cleanup: -#if defined(MBEDTLS_ECP_INTERNAL_ALT) - if (is_grp_capable) { - mbedtls_internal_ecp_free(grp); - } -#endif /* MBEDTLS_ECP_INTERNAL_ALT */ - #if defined(MBEDTLS_ECP_RESTARTABLE) if (rs_ctx != NULL) { rs_ctx->depth--; @@ -2808,9 +2680,6 @@ int mbedtls_ecp_muladd_restartable( mbedtls_ecp_point *pmP = &mP; mbedtls_ecp_point *pR = R; mbedtls_mpi tmp[4]; -#if defined(MBEDTLS_ECP_INTERNAL_ALT) - char is_grp_capable = 0; -#endif if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) { return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; } @@ -2849,12 +2718,6 @@ mul2: #endif MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pR, n, Q, rs_ctx)); -#if defined(MBEDTLS_ECP_INTERNAL_ALT) - if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) { - MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp)); - } -#endif /* MBEDTLS_ECP_INTERNAL_ALT */ - #if defined(MBEDTLS_ECP_RESTARTABLE) if (rs_ctx != NULL && rs_ctx->ma != NULL) { rs_ctx->ma->state = ecp_rsma_add; @@ -2884,12 +2747,6 @@ cleanup: mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi)); -#if defined(MBEDTLS_ECP_INTERNAL_ALT) - if (is_grp_capable) { - mbedtls_internal_ecp_free(grp); - } -#endif /* MBEDTLS_ECP_INTERNAL_ALT */ - mbedtls_ecp_point_free(&mP); ECP_RS_LEAVE(ma); @@ -3698,6 +3555,4 @@ cleanup: #endif /* MBEDTLS_SELF_TEST */ -#endif /* !MBEDTLS_ECP_ALT */ - #endif /* MBEDTLS_ECP_LIGHT */ 
diff --git a/library/ecp_curves.c b/library/ecp_curves.c index c3cd33f47a..97636a7298 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -21,8 +21,6 @@ #include -#if !defined(MBEDTLS_ECP_ALT) - #define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) } #define ECP_MPI_INIT_ARRAY(x) \ @@ -5454,7 +5452,5 @@ mbedtls_ecp_variant mbedtls_ecp_get_variant(void) #endif /* MBEDTLS_TEST_HOOKS */ -#endif /* !MBEDTLS_ECP_ALT */ - #endif /* MBEDTLS_ECP_LIGHT */ #endif /* MBEDTLS_ECP_WITH_MPI_UINT */ diff --git a/library/ecp_curves_new.c b/library/ecp_curves_new.c index 035b23a1b4..169247f3bf 100644 --- a/library/ecp_curves_new.c +++ b/library/ecp_curves_new.c @@ -26,8 +26,6 @@ #include -#if !defined(MBEDTLS_ECP_ALT) - #define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) } #define ECP_MPI_INIT_ARRAY(x) \ @@ -6031,6 +6029,5 @@ mbedtls_ecp_variant mbedtls_ecp_get_variant(void) #endif /* MBEDTLS_TEST_HOOKS */ -#endif /* !MBEDTLS_ECP_ALT */ #endif /* MBEDTLS_ECP_LIGHT */ #endif /* MBEDTLS_ECP_WITH_MPI_UINT */ diff --git a/library/ecp_internal_alt.h b/library/ecp_internal_alt.h deleted file mode 100644 index 668edc74c9..0000000000 --- a/library/ecp_internal_alt.h +++ /dev/null 
@@ -1,287 +0,0 @@ -/** - * \file ecp_internal_alt.h - * - * \brief Function declarations for alternative implementation of elliptic curve - * point arithmetic. - */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -/* - * References: - * - * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records. - * - * - * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis - * for elliptic curve cryptosystems. In : Cryptographic Hardware and - * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302. - * - * - * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to - * render ECC resistant against Side Channel Attacks. IACR Cryptology - * ePrint Archive, 2004, vol. 2004, p. 342. - * - * - * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters. - * - * - * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic - * Curve Cryptography. - * - * [6] Digital Signature Standard (DSS), FIPS 186-4. - * - * - * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer - * Security (TLS), RFC 4492. - * - * - * [8] - * - * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory. - * Springer Science & Business Media, 1 Aug 2000 - */ - -#ifndef MBEDTLS_ECP_INTERNAL_H -#define MBEDTLS_ECP_INTERNAL_H - -#include "mbedtls/build_info.h" - -#if defined(MBEDTLS_ECP_INTERNAL_ALT) - -/** - * \brief Indicate if the Elliptic Curve Point module extension can - * handle the group. - * - * \param grp The pointer to the elliptic curve group that will be the - * basis of the cryptographic computations. - * - * \return Non-zero if successful. - */ -unsigned char mbedtls_internal_ecp_grp_capable(const mbedtls_ecp_group *grp); - -/** - * \brief Initialise the Elliptic Curve Point module extension. 
- * - * If mbedtls_internal_ecp_grp_capable returns true for a - * group, this function has to be able to initialise the - * module for it. - * - * This module can be a driver to a crypto hardware - * accelerator, for which this could be an initialise function. - * - * \param grp The pointer to the group the module needs to be - * initialised for. - * - * \return 0 if successful. - */ -int mbedtls_internal_ecp_init(const mbedtls_ecp_group *grp); - -/** - * \brief Frees and deallocates the Elliptic Curve Point module - * extension. - * - * \param grp The pointer to the group the module was initialised for. - */ -void mbedtls_internal_ecp_free(const mbedtls_ecp_group *grp); - -#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) - -#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) -/** - * \brief Randomize jacobian coordinates: - * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l. - * - * \param grp Pointer to the group representing the curve. - * - * \param pt The point on the curve to be randomised, given with Jacobian - * coordinates. - * - * \param f_rng A function pointer to the random number generator. - * - * \param p_rng A pointer to the random number generator state. - * - * \return 0 if successful. - */ -int mbedtls_internal_ecp_randomize_jac(const mbedtls_ecp_group *grp, - mbedtls_ecp_point *pt, int (*f_rng)(void *, - unsigned char *, - size_t), - void *p_rng); -#endif - -#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) -/** - * \brief Addition: R = P + Q, mixed affine-Jacobian coordinates. - * - * The coordinates of Q must be normalized (= affine), - * but those of P don't need to. R is not normalized. - * - * This function is used only as a subrutine of - * ecp_mul_comb(). - * - * Special cases: (1) P or Q is zero, (2) R is zero, - * (3) P == Q. 
- * None of these cases can happen as intermediate step in - * ecp_mul_comb(): - * - at each step, P, Q and R are multiples of the base - * point, the factor being less than its order, so none of - * them is zero; - * - Q is an odd multiple of the base point, P an even - * multiple, due to the choice of precomputed points in the - * modified comb method. - * So branches for these cases do not leak secret information. - * - * We accept Q->Z being unset (saving memory in tables) as - * meaning 1. - * - * Cost in field operations if done by [5] 3.22: - * 1A := 8M + 3S - * - * \param grp Pointer to the group representing the curve. - * - * \param R Pointer to a point structure to hold the result. - * - * \param P Pointer to the first summand, given with Jacobian - * coordinates - * - * \param Q Pointer to the second summand, given with affine - * coordinates. - * - * \return 0 if successful. - */ -int mbedtls_internal_ecp_add_mixed(const mbedtls_ecp_group *grp, - mbedtls_ecp_point *R, const mbedtls_ecp_point *P, - const mbedtls_ecp_point *Q); -#endif - -/** - * \brief Point doubling R = 2 P, Jacobian coordinates. - * - * Cost: 1D := 3M + 4S (A == 0) - * 4M + 4S (A == -3) - * 3M + 6S + 1a otherwise - * when the implementation is based on the "dbl-1998-cmo-2" - * doubling formulas in [8] and standard optimizations are - * applied when curve parameter A is one of { 0, -3 }. - * - * \param grp Pointer to the group representing the curve. - * - * \param R Pointer to a point structure to hold the result. - * - * \param P Pointer to the point that has to be doubled, given with - * Jacobian coordinates. - * - * \return 0 if successful. - */ -#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) -int mbedtls_internal_ecp_double_jac(const mbedtls_ecp_group *grp, - mbedtls_ecp_point *R, const mbedtls_ecp_point *P); -#endif - -/** - * \brief Normalize jacobian coordinates of an array of (pointers to) - * points. 
- * - * Using Montgomery's trick to perform only one inversion mod P - * the cost is: - * 1N(t) := 1I + (6t - 3)M + 1S - * (See for example Algorithm 10.3.4. in [9]) - * - * This function is used only as a subrutine of - * ecp_mul_comb(). - * - * Warning: fails (returning an error) if one of the points is - * zero! - * This should never happen, see choice of w in ecp_mul_comb(). - * - * \param grp Pointer to the group representing the curve. - * - * \param T Array of pointers to the points to normalise. - * - * \param t_len Number of elements in the array. - * - * \return 0 if successful, - * an error if one of the points is zero. - */ -#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) -int mbedtls_internal_ecp_normalize_jac_many(const mbedtls_ecp_group *grp, - mbedtls_ecp_point *T[], size_t t_len); -#endif - -/** - * \brief Normalize jacobian coordinates so that Z == 0 || Z == 1. - * - * Cost in field operations if done by [5] 3.2.1: - * 1N := 1I + 3M + 1S - * - * \param grp Pointer to the group representing the curve. - * - * \param pt pointer to the point to be normalised. This is an - * input/output parameter. - * - * \return 0 if successful. - */ -#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) -int mbedtls_internal_ecp_normalize_jac(const mbedtls_ecp_group *grp, - mbedtls_ecp_point *pt); -#endif - -#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ - -#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) - -#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) -int mbedtls_internal_ecp_double_add_mxz(const mbedtls_ecp_group *grp, - mbedtls_ecp_point *R, - mbedtls_ecp_point *S, - const mbedtls_ecp_point *P, - const mbedtls_ecp_point *Q, - const mbedtls_mpi *d); -#endif - -/** - * \brief Randomize projective x/z coordinates: - * (X, Z) -> (l X, l Z) for random l - * - * \param grp pointer to the group representing the curve - * - * \param P the point on the curve to be randomised given with - * projective coordinates. This is an input/output parameter. 
- * - * \param f_rng a function pointer to the random number generator - * - * \param p_rng a pointer to the random number generator state - * - * \return 0 if successful - */ -#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) -int mbedtls_internal_ecp_randomize_mxz(const mbedtls_ecp_group *grp, - mbedtls_ecp_point *P, int (*f_rng)(void *, - unsigned char *, - size_t), - void *p_rng); -#endif - -/** - * \brief Normalize Montgomery x/z coordinates: X = X/Z, Z = 1. - * - * \param grp pointer to the group representing the curve - * - * \param P pointer to the point to be normalised. This is an - * input/output parameter. - * - * \return 0 if successful - */ -#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) -int mbedtls_internal_ecp_normalize_mxz(const mbedtls_ecp_group *grp, - mbedtls_ecp_point *P); -#endif - -#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */ - -#endif /* MBEDTLS_ECP_INTERNAL_ALT */ - -#endif /* ecp_internal_alt.h */ diff --git a/scripts/config.py b/scripts/config.py index 8704bdb51e..7c32db18dd 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -185,7 +185,6 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options 'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options 'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED', # influences the use of ECDH in TLS - 'MBEDTLS_ECP_NO_FALLBACK', # removes internal ECP implementation 'MBEDTLS_ECP_WITH_MPI_UINT', # disables the default ECP and is experimental 'MBEDTLS_ENTROPY_FORCE_SHA256', # interacts with CTR_DRBG_128_BIT_KEY 'MBEDTLS_HAVE_SSE2', # hardware dependency diff --git a/tests/include/alt-dummy/ecp_alt.h b/tests/include/alt-dummy/ecp_alt.h deleted file mode 100644 index d204b18d0e..0000000000 --- a/tests/include/alt-dummy/ecp_alt.h +++ /dev/null 
@@ -1,22 +0,0 @@ -/* ecp_alt.h with dummy types for MBEDTLS_ECP_ALT */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#ifndef ECP_ALT_H -#define ECP_ALT_H - -typedef struct mbedtls_ecp_group { - const mbedtls_ecp_group_id id; - const mbedtls_mpi P; - const mbedtls_mpi A; - const mbedtls_mpi B; - const mbedtls_ecp_point G; - const mbedtls_mpi N; - const size_t pbits; - const size_t nbits; -} -mbedtls_ecp_group; - -#endif /* ecp_alt.h */ diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h index d8f73ae965..d7a3c665f2 100644 --- a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h +++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h @@ -162,15 +162,6 @@ typedef struct mbedtls_ecp_point { } mbedtls_ecp_point; -#if !defined(MBEDTLS_ECP_ALT) -/* - * default Mbed TLS elliptic curve arithmetic implementation - * - * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an - * alternative implementation for the whole module and it will replace this - * one.) - */ - /** * \brief The ECP group structure. * @@ -309,10 +300,6 @@ mbedtls_ecp_group; /** \} name SECTION: Module settings */ -#else /* MBEDTLS_ECP_ALT */ -#include "ecp_alt.h" -#endif /* MBEDTLS_ECP_ALT */ - /** * The maximum size of the groups, that is, of \c N and \c P. */ From 3507d767c9964f2b882937ef02d5ae18d2e01dd0 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Mon, 1 Jul 2024 15:29:37 +0100 Subject: [PATCH 5/5] Modify rsa_alt_helpers.h docs Signed-off-by: Thomas Daubney --- library/rsa_alt_helpers.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/rsa_alt_helpers.h b/library/rsa_alt_helpers.h index 052b02491e..f234036e61 100644 --- a/library/rsa_alt_helpers.h +++ b/library/rsa_alt_helpers.h 
@@ -3,6 +3,12 @@ * * \brief Context-independent RSA helper functions * + * Please note: The below explanation is historical and is no longer relevant + * due to there being no compelling reason to keep these functions separate + * since the RSA alt interface was removed. A future refactoring will address + * this which is tracked by the following issue: + * https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/105. + * * This module declares some RSA-related helper functions useful when * implementing the RSA interface. These functions are provided in a separate * compilation unit in order to make it easy for designers of alternative RSA
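Review bot: The note added at the top of the file comment in `rsa_alt_helpers.h` is hard to parse, because it chains "due to ... since ..." and calls the text below "no longer relevant" while leaving that text in place. I would state the cause first and use the Doxygen note tag, for example `* \note Historical: the RSA alt interface has been removed, so the rationale below no longer applies.` followed by `* Merging these helpers back is tracked in https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/105.` The paragraph kept as context still addresses "designers of alternative RSA" implementations, so readers who skip the note will assume that extension point still exists. The comment block continues past the end of the hunk, so later sentences may need the same treatment.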