Merge branch 'bugfix/hardware_mpi_fallback_issue_v4.3' into 'release/v4.3'

mbedtls: fix hardware MPI (bignum) related regression (v4.3) See merge request espressif/esp-idf!16237
2021-12-21 03:49:11 +00:00
parent 6c38e7c5de 70936f4c92
commit 7dbfd01520
8 changed files with 86 additions and 45 deletions
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@@ -178,10 +178,6 @@ if(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
    endforeach()
 endif()

-if(CONFIG_MBEDTLS_HARDWARE_MPI)
-    target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_mpi_exp_mod")
-endif()
-
 set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls)

 # Link mbedtls libraries to component library
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -277,7 +277,7 @@ menu "mbedTLS"
            Enable hardware accelerated multiple precision integer operations.

            Hardware accelerated multiplication, modulo multiplication,
-            and modular exponentiation for up to 4096 bit results.
+            and modular exponentiation for up to SOC_RSA_MAX_BIT_LEN bit results.

            These operations are used by RSA.

--- a/components/mbedtls/component.mk
+++ b/components/mbedtls/component.mk
@@ -75,10 +75,6 @@ WRAP_FUNCTIONS = mbedtls_ssl_handshake_client_step \
 COMPONENT_SRCDIRS += port/dynamic
 endif

-ifdef CONFIG_MBEDTLS_HARDWARE_MPI
-WRAP_FUNCTIONS += mbedtls_mpi_exp_mod
-endif
-
 ifneq ($(origin WRAP_FUNCTIONS),undefined)
 WRAP_ARGUMENT := -Wl,--wrap=
 COMPONENT_ADD_LDFLAGS = -l$(COMPONENT_NAME) $(addprefix $(WRAP_ARGUMENT),$(WRAP_FUNCTIONS))
--- a/components/mbedtls/mbedtls
+++ b/components/mbedtls/mbedtls
--- a/components/mbedtls/port/esp_bignum.c
+++ b/components/mbedtls/port/esp_bignum.c
@@ -67,8 +67,7 @@ static inline size_t bits_to_words(size_t bits)
 /* Return the number of words actually used to represent an mpi
   number.
 */
-int __wrap_mbedtls_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M, mbedtls_mpi *_Rinv );
-extern int __real_mbedtls_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M, mbedtls_mpi *_Rinv );
+#if defined(MBEDTLS_MPI_EXP_MOD_ALT) || defined(MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK)

 static size_t mpi_words(const mbedtls_mpi *mpi)
 {
@@ -80,6 +79,7 @@ static size_t mpi_words(const mbedtls_mpi *mpi)
    return 0;
 }

+#endif //(MBEDTLS_MPI_EXP_MOD_ALT || MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK)

 /**
 *
@@ -182,6 +182,8 @@ cleanup:
    return ret;
 }

+#if defined(MBEDTLS_MPI_EXP_MOD_ALT) || defined(MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK)
+
 #ifdef ESP_MPI_USE_MONT_EXP
 /*
 * Return the most significant one-bit.
@@ -272,22 +274,26 @@ cleanup2:
 * (See RSA Accelerator section in Technical Reference for more about Mprime, Rinv)
 *
 */
-int __wrap_mbedtls_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M, mbedtls_mpi *_Rinv )
+static int esp_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M, mbedtls_mpi *_Rinv )
 {
    int ret = 0;
+
+    mbedtls_mpi Rinv_new; /* used if _Rinv == NULL */
+    mbedtls_mpi *Rinv;    /* points to _Rinv (if not NULL) othwerwise &RR_new */
+    mbedtls_mpi_uint Mprime;
+
    size_t x_words = mpi_words(X);
    size_t y_words = mpi_words(Y);
    size_t m_words = mpi_words(M);

-
    /* "all numbers must be the same length", so choose longest number
       as cardinal length of operation...
    */
    size_t num_words = esp_mpi_hardware_words(MAX(m_words, MAX(x_words, y_words)));

-    mbedtls_mpi Rinv_new; /* used if _Rinv == NULL */
-    mbedtls_mpi *Rinv;    /* points to _Rinv (if not NULL) othwerwise &RR_new */
-    mbedtls_mpi_uint Mprime;
+    if (num_words * 32 > SOC_RSA_MAX_BIT_LEN) {
+        return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+    }

    if (mbedtls_mpi_cmp_int(M, 0) <= 0 || (M->p[0] & 1) == 0) {
        return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
@@ -301,14 +307,6 @@ int __wrap_mbedtls_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbed
        return mbedtls_mpi_lset(Z, 1);
    }

-    if (num_words * 32 > SOC_RSA_MAX_BIT_LEN) {
-#ifdef CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI
-        return __real_mbedtls_mpi_exp_mod(Z, X, Y, M, _Rinv);
-#else
-        return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
-#endif
-    }
-
    /* Determine RR pointer, either _RR for cached value
       or local RR_new */
    if (_Rinv == NULL) {
@@ -355,6 +353,32 @@ cleanup:
    return ret;
 }

+#endif /* (MBEDTLS_MPI_EXP_MOD_ALT || MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK) */
+
+/*
+ * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
+ */
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *E, const mbedtls_mpi *N,
+                         mbedtls_mpi *_RR )
+{
+    int ret;
+#if defined(MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK)
+    /* Try hardware API first and then fallback to software */
+    ret = esp_mpi_exp_mod( X, A, E, N, _RR );
+    if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ) {
+        ret = mbedtls_mpi_exp_mod_soft( X, A, E, N, _RR );
+    }
+#else
+    /* Hardware approach */
+    ret = esp_mpi_exp_mod( X, A, E, N, _RR );
+#endif
+    /* Note: For software only approach, it gets handled in mbedTLS library.
+    This file is not part of build objects for that case */
+
+    return ret;
+}
+
 #if defined(MBEDTLS_MPI_MUL_MPI_ALT) /* MBEDTLS_MPI_MUL_MPI_ALT */

 static int mpi_mult_mpi_failover_mod_mult( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, size_t z_words);
--- a/components/mbedtls/port/include/mbedtls/bignum.h
+++ b/components/mbedtls/port/include/mbedtls/bignum.h
@@ -1,16 +1,8 @@
-// Copyright 2015-2020 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+ * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
 #pragma once

 #include_next "mbedtls/bignum.h"
@@ -77,4 +69,31 @@ void esp_mpi_release_hardware(void);
 */
 int esp_mpi_mul_mpi_mod(mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M);

+#if CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI
+
+/**
+ * @brief          Perform a sliding-window exponentiation: X = A^E mod N
+ *
+ * @param X        The destination MPI. This must point to an initialized MPI.
+ * @param A        The base of the exponentiation.
+ *                 This must point to an initialized MPI.
+ * @param E        The exponent MPI. This must point to an initialized MPI.
+ * @param N        The base for the modular reduction. This must point to an
+ *                 initialized MPI.
+ * @param _RR      A helper MPI depending solely on \p N which can be used to
+ *                 speed-up multiple modular exponentiations for the same value
+ *                 of \p N. This may be \c NULL. If it is not \c NULL, it must
+ *                 point to an initialized MPI.
+ *
+ * @return         \c 0 if successful.
+ * @return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * @return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
+ *                 even, or if \c E is negative.
+ * @return         Another negative error code on different kinds of failures.
+ *
+ */
+int mbedtls_mpi_exp_mod_soft(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR);
+
+#endif // CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI
+
 #endif // CONFIG_MBEDTLS_HARDWARE_MPI
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -153,15 +153,22 @@
 #undef MBEDTLS_MD5_ALT
 #endif

-/* The following MPI (bignum) functions have ESP32 hardware support.
-   For exponential mod, both software and hardware implementation
-   will be compiled. If CONFIG_MBEDTLS_HARDWARE_MPI is enabled, mod APIs
-   will be wrapped to use hardware implementation.
-*/
-#undef MBEDTLS_MPI_EXP_MOD_ALT
+/* The following MPI (bignum) functions have hardware support.
+ * Uncommenting these macros will use the hardware-accelerated
+ * implementations.
+ */
 #ifdef CONFIG_MBEDTLS_HARDWARE_MPI
+#ifdef CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI
+    /* Prefer hardware and fallback to software */
+    #define MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK
+#else
+    /* Hardware only mode */
+    #define MBEDTLS_MPI_EXP_MOD_ALT
+#endif
 #define MBEDTLS_MPI_MUL_MPI_ALT
 #else
+#undef MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK
+#undef MBEDTLS_MPI_EXP_MOD_ALT
 #undef MBEDTLS_MPI_MUL_MPI_ALT
 #endif

--- a/tools/ci/check_copyright_ignore.txt
+++ b/tools/ci/check_copyright_ignore.txt
@@ -1915,7 +1915,6 @@ components/mbedtls/port/include/esp_crypto_shared_gdma.h
 components/mbedtls/port/include/esp_ds/esp_rsa_sign_alt.h
 components/mbedtls/port/include/esp_mem.h
 components/mbedtls/port/include/gcm_alt.h
-components/mbedtls/port/include/mbedtls/bignum.h
 components/mbedtls/port/include/mbedtls/esp_config.h
 components/mbedtls/port/include/mbedtls/esp_debug.h
 components/mbedtls/port/include/md/esp_md.h