Make _optionally_safe functions internal

The complexity of having functions whose security properties depend on a runtime argument can be dangerous. Limit misuse by making any such functions local. Signed-off-by: Janos Follath <janos.follath@arm.com>
2025-03-18 10:20:50 +00:00 · 2024-08-12 18:20:59 +01:00 · 2024-08-12 18:20:59 +01:00 · 9a8b1f4a4c
commit 9a8b1f4a4c
parent 91537eb09d
4 changed files with 62 additions and 34 deletions
--- a/tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h
@ -903,6 +903,8 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A,
 /**
 * \brief          Perform a modular exponentiation: X = A^E mod N
 *
+ * \warning        This function is not constant time with respect to \p E (the exponent).
+ *
 * \param X        The destination MPI. This must point to an initialized MPI.
 *                 This must not alias E or N.
 * \param A        The base of the exponentiation.
@ -927,9 +929,9 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A,
 * \return         Another negative error code on different kinds of failures.
 *
 */
-int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi *X, const mbedtls_mpi *A,
-                                        const mbedtls_mpi *E, const mbedtls_mpi *N,
-                                        mbedtls_mpi *prec_RR, int E_public);
+int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A,
+                               const mbedtls_mpi *E, const mbedtls_mpi *N,
+                               mbedtls_mpi *prec_RR);

 /**
 * \brief          Perform a modular exponentiation: X = A^E mod N
--- a/tf-psa-crypto/drivers/builtin/src/bignum.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum.c
@ -1610,9 +1610,13 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_s
    return 0;
 }

-int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi *X, const mbedtls_mpi *A,
-                                        const mbedtls_mpi *E, const mbedtls_mpi *N,
-                                        mbedtls_mpi *prec_RR, int E_public)
+/*
+ * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
+ * this function is not constant time with respect to the exponent (parameter E).
+ */
+static int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi *X, const mbedtls_mpi *A,
+                                               const mbedtls_mpi *E, const mbedtls_mpi *N,
+                                               mbedtls_mpi *prec_RR, int E_public)
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

@ -1695,15 +1699,11 @@ int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi *X, const mbedtls_mpi *A,
    {
        mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
        mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);
-        mbedtls_mpi_core_exp_mod_optionally_safe(X->p,
-                                                 X->p,
-                                                 N->p,
-                                                 N->n,
-                                                 E->p,
-                                                 E->n,
-                                                 RR.p,
-                                                 T,
-                                                 E_public);
+        if (E_public == MBEDTLS_MPI_IS_PUBLIC) {
+            mbedtls_mpi_core_exp_mod_unsafe(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
+        } else {
+            mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
+        }
        mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);
    }

@ -1735,6 +1735,13 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
    return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, N, prec_RR, MBEDTLS_MPI_IS_SECRET);
 }

+int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A,
+                               const mbedtls_mpi *E, const mbedtls_mpi *N,
+                               mbedtls_mpi *prec_RR)
+{
+    return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, N, prec_RR, MBEDTLS_MPI_IS_PUBLIC);
+}
+
 /*
 * Greatest common divisor: G = gcd(A, B)  (HAC 14.54)
 */
--- a/tf-psa-crypto/drivers/builtin/src/bignum_core.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.c
@ -748,6 +748,9 @@ static void exp_mod_precompute_window(const mbedtls_mpi_uint *A,
 }

 /* Exponentiation: X := A^E mod N.
+ *
+ * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
+ * this function is not constant time with respect to the exponent (parameter E).
 *
 * A must already be in Montgomery form.
 *
@ -759,15 +762,15 @@ static void exp_mod_precompute_window(const mbedtls_mpi_uint *A,
 * (The difference is that the body in our loop processes a single bit instead
 * of a full window.)
 */
-void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X,
-                                              const mbedtls_mpi_uint *A,
-                                              const mbedtls_mpi_uint *N,
-                                              size_t AN_limbs,
-                                              const mbedtls_mpi_uint *E,
-                                              size_t E_limbs,
-                                              const mbedtls_mpi_uint *RR,
-                                              mbedtls_mpi_uint *T,
-                                              int E_public)
+static void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X,
+                                                     const mbedtls_mpi_uint *A,
+                                                     const mbedtls_mpi_uint *N,
+                                                     size_t AN_limbs,
+                                                     const mbedtls_mpi_uint *E,
+                                                     size_t E_limbs,
+                                                     const mbedtls_mpi_uint *RR,
+                                                     mbedtls_mpi_uint *T,
+                                                     int E_public)
 {
    const size_t wsize = exp_mod_get_window_size(E_limbs * biL);
    const size_t welem = ((size_t) 1) << wsize;
@ -873,6 +876,24 @@ void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
                                             MBEDTLS_MPI_IS_SECRET);
 }

+void mbedtls_mpi_core_exp_mod_unsafe(mbedtls_mpi_uint *X,
+                                     const mbedtls_mpi_uint *A,
+                                     const mbedtls_mpi_uint *N, size_t AN_limbs,
+                                     const mbedtls_mpi_uint *E, size_t E_limbs,
+                                     const mbedtls_mpi_uint *RR,
+                                     mbedtls_mpi_uint *T)
+{
+    mbedtls_mpi_core_exp_mod_optionally_safe(X,
+                                             A,
+                                             N,
+                                             AN_limbs,
+                                             E,
+                                             E_limbs,
+                                             RR,
+                                             T,
+                                             MBEDTLS_MPI_IS_PUBLIC);
+}
+
 mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X,
                                          const mbedtls_mpi_uint *A,
                                          mbedtls_mpi_uint c,  /* doubles as carry */
--- a/tf-psa-crypto/drivers/builtin/src/bignum_core.h
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.h
@ -618,6 +618,8 @@ size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs);
 * \brief            Perform a modular exponentiation with public or secret exponent:
 *                   X = A^E mod N, where \p A is already in Montgomery form.
 *
+ * \warning          This function is not constant time with respect to \p E (the exponent).
+ *
 * \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs ==
 * \p AN_limbs.
 *
@ -640,17 +642,13 @@ size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs);
 *                   It is up to the caller to zeroize \p T when it is no
 *                   longer needed, and before freeing it if it was dynamically
 *                   allocated.
- * \param[in] E_public Set to MBEDTLS_MPI_IS_PUBLIC to gain some performance
- *                   when the value of E is public.
- *                   Set to MBEDTLS_MPI_IS_SECRET when the value of E is secret.
 */
-void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X,
-                                              const mbedtls_mpi_uint *A,
-                                              const mbedtls_mpi_uint *N, size_t AN_limbs,
-                                              const mbedtls_mpi_uint *E, size_t E_limbs,
-                                              const mbedtls_mpi_uint *RR,
-                                              mbedtls_mpi_uint *T,
-                                              int E_public);
+void mbedtls_mpi_core_exp_mod_unsafe(mbedtls_mpi_uint *X,
+                                     const mbedtls_mpi_uint *A,
+                                     const mbedtls_mpi_uint *N, size_t AN_limbs,
+                                     const mbedtls_mpi_uint *E, size_t E_limbs,
+                                     const mbedtls_mpi_uint *RR,
+                                     mbedtls_mpi_uint *T);

 /**
 * \brief            Perform a modular exponentiation with secret exponent: