diff --git a/library/bignum_core.c b/library/bignum_core.c index 4231554b84..88582c2d38 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -747,8 +747,8 @@ static void exp_mod_precompute_window(const mbedtls_mpi_uint *A, } #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) -// Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET -int mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1; +void (*mbedtls_safe_codepath_hook)(void) = NULL; +void (*mbedtls_unsafe_codepath_hook)(void) = NULL; #endif /* @@ -781,7 +781,9 @@ static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint *E_bit_index = E_bits % biL; #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC; + if (mbedtls_unsafe_codepath_hook != NULL) { + mbedtls_unsafe_codepath_hook(); + } #endif } else { /* @@ -791,9 +793,8 @@ static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint *E_limb_index = E_limbs; *E_bit_index = 0; #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - // Only mark the codepath safe if there wasn't an unsafe codepath before - if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) { - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET; + if (mbedtls_safe_codepath_hook != NULL) { + mbedtls_safe_codepath_hook(); } #endif } @@ -813,7 +814,9 @@ static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselec if (window_public == MBEDTLS_MPI_IS_PUBLIC) { memcpy(Wselect, Wtable + window * AN_limbs, AN_limbs * ciL); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC; + if (mbedtls_unsafe_codepath_hook != NULL) { + mbedtls_unsafe_codepath_hook(); + } #endif } else { /* Select Wtable[window] without leaking window through @@ -821,9 +824,8 @@ static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselec mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable, AN_limbs, welem, window); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - // Only mark the codepath safe if there wasn't an unsafe codepath before - if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) { - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET; + if (mbedtls_safe_codepath_hook != NULL) { + mbedtls_safe_codepath_hook(); } #endif } @@ -857,8 +859,8 @@ static void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X, /* We'll process the bits of E from most significant * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant * (limb_index=0, E_bit_index=0). */ - size_t E_limb_index; - size_t E_bit_index; + size_t E_limb_index = E_limbs; + size_t E_bit_index = 0; exp_mod_calc_first_bit_optionally_safe(E, E_limbs, E_public, &E_limb_index, &E_bit_index); diff --git a/library/bignum_core.h b/library/bignum_core.h index cf6485a148..264ee63550 100644 --- a/library/bignum_core.h +++ b/library/bignum_core.h @@ -70,9 +70,7 @@ #include "common.h" -#if defined(MBEDTLS_BIGNUM_C) #include "mbedtls/bignum.h" -#endif #include "constant_time_internal.h" @@ -106,10 +104,17 @@ * } else { * // safe path * } - * not the other way round, in order to prevent misuse. (This is, if a value - * other than the two below is passed, default to the safe path.) */ + * not the other way round, in order to prevent misuse. (That is, if a value + * other than the two below is passed, default to the safe path.) + * + * The value of MBEDTLS_MPI_IS_PUBLIC is chosen in a way that is unlikely to happen by accident, but + * which can be used as an immediate value in a Thumb2 comparison (for code size). */ #define MBEDTLS_MPI_IS_PUBLIC 0x2a2a2a2a #define MBEDTLS_MPI_IS_SECRET 0 +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) +// Default value for testing that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET +#define MBEDTLS_MPI_IS_TEST 1 +#endif /** Count leading zero bits in a given integer. * @@ -817,17 +822,4 @@ void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X, mbedtls_mpi_uint mm, mbedtls_mpi_uint *T); -/* - * Can't define thread local variables with our abstraction layer: do nothing if threading is on. - */ -#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) -extern int mbedtls_mpi_optionally_safe_codepath; - -static inline void mbedtls_mpi_optionally_safe_codepath_reset(void) -{ - // Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1; -} -#endif - #endif /* MBEDTLS_BIGNUM_CORE_H */ diff --git a/library/bignum_core_invasive.h b/library/bignum_core_invasive.h new file mode 100644 index 0000000000..167099dc91 --- /dev/null +++ b/library/bignum_core_invasive.h @@ -0,0 +1,23 @@ +/** + * \file bignum_core_invasive.h + * + * \brief Function declarations for invasive functions of bignum core. + */ +/** + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#ifndef MBEDTLS_BIGNUM_CORE_INVASIVE_H +#define MBEDTLS_BIGNUM_CORE_INVASIVE_H + +#include "bignum_core.h" + +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + +extern void (*mbedtls_safe_codepath_hook)(void); +extern void (*mbedtls_unsafe_codepath_hook)(void); + +#endif /* MBEDTLS_TEST_HOOKS && !MBEDTLS_THREADING_C */ + +#endif /* MBEDTLS_BIGNUM_CORE_INVASIVE_H */ diff --git a/tests/include/test/bignum_codepath_check.h b/tests/include/test/bignum_codepath_check.h new file mode 100644 index 0000000000..3d72be1b2e --- /dev/null +++ b/tests/include/test/bignum_codepath_check.h @@ -0,0 +1,94 @@ +/** Support for path tracking in optionally safe bignum functions + * + * The functions are called when an optionally safe path is taken and logs it with a single + * variable. This variable is at any time in one of three states: + * - MBEDTLS_MPI_IS_TEST: No optionally safe path has been taken since the last reset + * - MBEDTLS_MPI_IS_SECRET: Only safe paths were teken since the last reset + * - MBEDTLS_MPI_IS_PUBLIC: At least one unsafe path has been taken since the last reset + * + * Use a simple global variable to track execution path. Making it work with multithreading + * isn't worth the effort as multithreaded tests add little to no value here. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#ifndef BIGNUM_CODEPATH_CHECK_H +#define BIGNUM_CODEPATH_CHECK_H + +#include "bignum_core.h" + +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + +extern int mbedtls_codepath_check; + +/** + * \brief Setup the codepath test hooks used by optionally safe bignum functions to signal + * the path taken. + */ +void mbedtls_codepath_test_hooks_setup(void); + +/** + * \brief Teardown the codepath test hooks used by optionally safe bignum functions to + * signal the path taken. + */ +void mbedtls_codepath_test_hooks_teardown(void); + +/** + * \brief Reset the state of the codepath to the initial state. + */ +static inline void mbedtls_codepath_reset(void) +{ + mbedtls_codepath_check = MBEDTLS_MPI_IS_TEST; +} + +/** Check the codepath taken and fail if it doesn't match. + * + * When a function returns with an error, it can do so before reaching any interesting codepath. The + * same can happen if a parameter to the function is zero. In these cases we need to allow + * the codepath tracking variable to still have its initial "not set" value. + * + * This macro expands to an instruction, not an expression. + * It may jump to the \c exit label. + * + * \param path The expected codepath. + * This expression may be evaluated multiple times. + * \param ret The expected return value. + * \param E The MPI parameter that can cause shortcuts. + */ +#define ASSERT_BIGNUM_CODEPATH(path, ret, E) \ + do { \ + if ((ret) != 0 || (E).n == 0) { \ + TEST_ASSERT(mbedtls_codepath_check == (path) || \ + mbedtls_codepath_check == MBEDTLS_MPI_IS_TEST); \ + } else { \ + TEST_EQUAL(mbedtls_codepath_check, (path)); \ + } \ + } while (0) + +/** Check the codepath taken and fail if it doesn't match. + * + * When a function returns with an error, it can do so before reaching any interesting codepath. In + * this case we need to allow the codepath tracking variable to still have its + * initial "not set" value. + * + * This macro expands to an instruction, not an expression. + * It may jump to the \c exit label. + * + * \param path The expected codepath. + * This expression may be evaluated multiple times. + * \param ret The expected return value. + */ +#define ASSERT_RSA_CODEPATH(path, ret) \ + do { \ + if ((ret) != 0) { \ + TEST_ASSERT(mbedtls_codepath_check == (path) || \ + mbedtls_codepath_check == MBEDTLS_MPI_IS_TEST); \ + } else { \ + TEST_EQUAL(mbedtls_codepath_check, (path)); \ + } \ + } while (0) +#endif /* MBEDTLS_TEST_HOOKS && !MBEDTLS_THREADING_C */ + +#endif /* BIGNUM_CODEPATH_CHECK_H */ diff --git a/tests/src/bignum_codepath_check.c b/tests/src/bignum_codepath_check.c new file mode 100644 index 0000000000..b752d13f82 --- /dev/null +++ b/tests/src/bignum_codepath_check.c @@ -0,0 +1,38 @@ +/** Support for path tracking in optionally safe bignum functions + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include "test/bignum_codepath_check.h" +#include "bignum_core_invasive.h" + +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) +int mbedtls_codepath_check = MBEDTLS_MPI_IS_TEST; + +void mbedtls_codepath_take_safe(void) +{ + if (mbedtls_codepath_check == MBEDTLS_MPI_IS_TEST) { + mbedtls_codepath_check = MBEDTLS_MPI_IS_SECRET; + } +} + +void mbedtls_codepath_take_unsafe(void) +{ + mbedtls_codepath_check = MBEDTLS_MPI_IS_PUBLIC; +} + +void mbedtls_codepath_test_hooks_setup(void) +{ + mbedtls_safe_codepath_hook = mbedtls_codepath_take_safe; + mbedtls_unsafe_codepath_hook = mbedtls_codepath_take_unsafe; +} + +void mbedtls_codepath_test_hooks_teardown(void) +{ + mbedtls_safe_codepath_hook = NULL; + mbedtls_unsafe_codepath_hook = NULL; +} + +#endif /* MBEDTLS_TEST_HOOKS && !MBEDTLS_THREADING_C */ diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 065d17d3e0..db50296e01 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -16,6 +16,9 @@ #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C) #include #endif +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) +#include +#endif #if defined(MBEDTLS_THREADING_C) #include "mbedtls/threading.h" #endif @@ -342,6 +345,11 @@ int mbedtls_test_platform_setup(void) mbedtls_mutex_init(&mbedtls_test_info_mutex); #endif /* MBEDTLS_THREADING_C */ + +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_test_hooks_setup(); +#endif /* MBEDTLS_TEST_HOOKS && !MBEDTLS_THREADING_C */ + return ret; } @@ -359,6 +367,10 @@ void mbedtls_test_platform_teardown(void) #if defined(MBEDTLS_PLATFORM_C) mbedtls_platform_teardown(&platform_ctx); #endif /* MBEDTLS_PLATFORM_C */ + +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_test_hooks_teardown(); +#endif /* MBEDTLS_TEST_HOOKS && !MBEDTLS_THREADING_C */ } int mbedtls_test_ascii2uc(const char c, unsigned char *uc) diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index 3ac4e10ea6..3d2b8a1240 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -5,6 +5,7 @@ #include "bignum_core.h" #include "bignum_internal.h" #include "test/constant_flow.h" +#include "test/bignum_codepath_check.h" #if MBEDTLS_MPI_MAX_BITS > 792 #define MPI_MAX_BITS_LARGER_THAN_792 @@ -989,7 +990,13 @@ void mpi_exp_mod_min_RR(char *input_A, char *input_E, * against a smaller RR. */ TEST_LE_U(RR.n, N.n - 1); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_reset(); +#endif res = mbedtls_mpi_exp_mod(&Z, &A, &E, &N, &RR); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + ASSERT_BIGNUM_CODEPATH(MBEDTLS_MPI_IS_SECRET, res, E); +#endif /* We know that exp_mod internally needs RR to be as large as N. * Validate that it is the case now, otherwise there was probably * a buffer overread. */ @@ -1022,7 +1029,26 @@ void mpi_exp_mod(char *input_A, char *input_E, TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0); TEST_ASSERT(mbedtls_test_read_mpi(&X, input_X) == 0); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_reset(); +#endif res = mbedtls_mpi_exp_mod(&Z, &A, &E, &N, NULL); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + ASSERT_BIGNUM_CODEPATH(MBEDTLS_MPI_IS_SECRET, res, E); +#endif + TEST_ASSERT(res == exp_result); + if (res == 0) { + TEST_ASSERT(sign_is_valid(&Z)); + TEST_ASSERT(mbedtls_mpi_cmp_mpi(&Z, &X) == 0); + } + +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_reset(); +#endif + res = mbedtls_mpi_exp_mod_unsafe(&Z, &A, &E, &N, NULL); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + ASSERT_BIGNUM_CODEPATH(MBEDTLS_MPI_IS_PUBLIC, res, E); +#endif TEST_ASSERT(res == exp_result); if (res == 0) { TEST_ASSERT(sign_is_valid(&Z)); @@ -1030,7 +1056,13 @@ void mpi_exp_mod(char *input_A, char *input_E, } /* Now test again with the speed-up parameter supplied as an output. */ +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_reset(); +#endif res = mbedtls_mpi_exp_mod(&Z, &A, &E, &N, &RR); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + ASSERT_BIGNUM_CODEPATH(MBEDTLS_MPI_IS_SECRET, res, E); +#endif TEST_ASSERT(res == exp_result); if (res == 0) { TEST_ASSERT(sign_is_valid(&Z)); @@ -1038,7 +1070,13 @@ void mpi_exp_mod(char *input_A, char *input_E, } /* Now test again with the speed-up parameter supplied in calculated form. */ +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_reset(); +#endif res = mbedtls_mpi_exp_mod(&Z, &A, &E, &N, &RR); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + ASSERT_BIGNUM_CODEPATH(MBEDTLS_MPI_IS_SECRET, res, E); +#endif TEST_ASSERT(res == exp_result); if (res == 0) { TEST_ASSERT(sign_is_valid(&Z)); @@ -1078,7 +1116,21 @@ void mpi_exp_mod_size(int A_bytes, int E_bytes, int N_bytes, TEST_ASSERT(mbedtls_test_read_mpi(&RR, input_RR) == 0); } +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_reset(); +#endif TEST_ASSERT(mbedtls_mpi_exp_mod(&Z, &A, &E, &N, &RR) == exp_result); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + ASSERT_BIGNUM_CODEPATH(MBEDTLS_MPI_IS_SECRET, exp_result, E); +#endif + +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_reset(); +#endif + TEST_ASSERT(mbedtls_mpi_exp_mod_unsafe(&Z, &A, &E, &N, &RR) == exp_result); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + ASSERT_BIGNUM_CODEPATH(MBEDTLS_MPI_IS_PUBLIC, exp_result, E); +#endif exit: mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function index 08dac2e279..c2b44bccdd 100644 --- a/tests/suites/test_suite_bignum_core.function +++ b/tests/suites/test_suite_bignum_core.function @@ -4,6 +4,7 @@ #include "bignum_core.h" #include "constant_time_internal.h" #include "test/constant_flow.h" +#include "test/bignum_codepath_check.h" /** Verifies mbedtls_mpi_core_add(). * @@ -1233,22 +1234,22 @@ void mpi_core_exp_mod(char *input_N, char *input_A, /* Test the safe variant */ #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - mbedtls_mpi_optionally_safe_codepath_reset(); + mbedtls_codepath_reset(); #endif mbedtls_mpi_core_exp_mod(Y, A, N, N_limbs, E, E_limbs, R2, T); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_SECRET); + TEST_EQUAL(mbedtls_codepath_check, MBEDTLS_MPI_IS_SECRET); #endif TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint))); /* Test the unsafe variant */ #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - mbedtls_mpi_optionally_safe_codepath_reset(); + mbedtls_codepath_reset(); #endif mbedtls_mpi_core_exp_mod_unsafe(Y, A, N, N_limbs, E, E_limbs, R2, T); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_PUBLIC); + TEST_EQUAL(mbedtls_codepath_check, MBEDTLS_MPI_IS_PUBLIC); #endif TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint))); @@ -1258,21 +1259,21 @@ void mpi_core_exp_mod(char *input_N, char *input_A, memcpy(A_copy, A, sizeof(*A_copy) * A_limbs); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - mbedtls_mpi_optionally_safe_codepath_reset(); + mbedtls_codepath_reset(); #endif mbedtls_mpi_core_exp_mod(A, A, N, N_limbs, E, E_limbs, R2, T); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_SECRET); + TEST_EQUAL(mbedtls_codepath_check, MBEDTLS_MPI_IS_SECRET); #endif TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint))); memcpy(A, A_copy, sizeof(*A) * A_limbs); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - mbedtls_mpi_optionally_safe_codepath_reset(); + mbedtls_codepath_reset(); #endif mbedtls_mpi_core_exp_mod_unsafe(A, A, N, N_limbs, E, E_limbs, R2, T); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_PUBLIC); + TEST_EQUAL(mbedtls_codepath_check, MBEDTLS_MPI_IS_PUBLIC); #endif TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint))); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index e82452927e..98ea9efb1c 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1,7 +1,9 @@ /* BEGIN_HEADER */ #include "mbedtls/rsa.h" +#include "bignum_core.h" #include "rsa_alt_helpers.h" #include "rsa_internal.h" +#include "test/bignum_codepath_check.h" /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -489,7 +491,13 @@ void mbedtls_rsa_public(data_t *message_str, int mod, TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_reset(); +#endif TEST_ASSERT(mbedtls_rsa_public(&ctx, message_str->x, output) == result); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + ASSERT_RSA_CODEPATH(MBEDTLS_MPI_IS_PUBLIC, result); +#endif if (result == 0) { TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x, @@ -554,9 +562,15 @@ void mbedtls_rsa_private(data_t *message_str, int mod, /* repeat three times to test updating of blinding values */ for (i = 0; i < 3; i++) { memset(output, 0x00, sizeof(output)); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_codepath_reset(); +#endif TEST_ASSERT(mbedtls_rsa_private(&ctx, mbedtls_test_rnd_pseudo_rand, &rnd_info, message_str->x, output) == result); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + ASSERT_RSA_CODEPATH(MBEDTLS_MPI_IS_SECRET, result); +#endif if (result == 0) { TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x,