As for ecjpake_setup(), now the test function can handle:
- "external" errors, through parameters set by the data file
- "internal" ones, through enums which inject ad-hoc failures
Similarly also ecjpake_rounds() can handle both type of errors,
but right now there's no erroneous case in the associated ".data"
file.
In both cases, after an error the current test is terminated.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
In this way, in case of error, it is not possible to continue using
the same psa_pake_operation_t without reinitializing it.
This should make the PSA pake's behavior closer to what expected by
the specification
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
The first half of the table is not used, let's reuse index 0 for the
result instead of appending it in the end.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The table size was set before the configured window size bound was
applied which lead to out of bounds access when the configured window
size bound is less.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The window size starts giving diminishing returns around 6 on most
platforms and highly unlikely to be more than 31 in practical use cases.
Still, compilers and static analysers might complain about this and
better to be pedantic.
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
With small exponents (for example, when doing RSA-1024 with CRT, each
prime is 512 bits and we'll use wsize = 5 which may be smaller that the
maximum - or even worse when doing public RSA operations which typically
have a 16-bit exponent so we'll use wsize = 1) the usage of W will have
pre-computed values, then empty space, then the accumulator at the very
end.
Move X next to the precomputed values to make accesses more efficient
and intuitive.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Elements of W didn't all have the same owner: all were owned by this
function, except W[x_index]. It is more robust if we make a proper copy
of X.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Out of window zeroes were doing squaring on the output variable
directly. This leaks the position of windows and the out of window
zeroes.
Loading the output variable from the table in constant time removes this
leakage.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Eventually we want it to be enabled by default
when TLS 1.3 is enabled but currently the
feature is on development thus it should not be
enabled by default.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
