Merge branch 'bugfix/hardware_mpi_fallback_issue' into 'master'

mbedtls: fix hardware MPI (bignum) related regression

See merge request espressif/esp-idf!15854

components/mbedtls/CMakeLists.txt

@@ -198,10 +198,6 @@ if(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
     endforeach()
 endif()
 
-if(CONFIG_MBEDTLS_HARDWARE_MPI)
-    target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_mpi_exp_mod")
-endif()
-
 set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls)
 set_property(TARGET mbedcrypto APPEND PROPERTY LINK_LIBRARIES idf::driver idf::${target})
 set_property(TARGET mbedcrypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES idf::driver idf::${target})

components/mbedtls/Kconfig

@@ -276,7 +276,7 @@ menu "mbedTLS"
             Enable hardware accelerated multiple precision integer operations.
 
             Hardware accelerated multiplication, modulo multiplication,
-            and modular exponentiation for up to 4096 bit results.
+            and modular exponentiation for up to SOC_RSA_MAX_BIT_LEN bit results.
 
             These operations are used by RSA.
 

components/mbedtls/mbedtls

@@ -1 +1 @@
-Subproject commit 6465247f67167518b8813ae2faaf422704e4b1a3
+Subproject commit 73cfa42bd39a704fa2706e3c1b1b532be5f19eed

components/mbedtls/port/esp_bignum.c

@@ -64,12 +64,10 @@ static inline size_t bits_to_words(size_t bits)
     return (bits + 31) / 32;
 }
 
-int __wrap_mbedtls_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M, mbedtls_mpi *_Rinv );
-extern int __real_mbedtls_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M, mbedtls_mpi *_Rinv );
-
 /* Return the number of words actually used to represent an mpi
    number.
 */
+#if defined(MBEDTLS_MPI_EXP_MOD_ALT) || defined(MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK)
 static size_t mpi_words(const mbedtls_mpi *mpi)
 {
     for (size_t i = mpi->n; i > 0; i--) {
@@ -80,6 +78,7 @@ static size_t mpi_words(const mbedtls_mpi *mpi)
     return 0;
 }
 
+#endif //(MBEDTLS_MPI_EXP_MOD_ALT || MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK)
 
 /**
  *
@@ -182,6 +181,8 @@ cleanup:
     return ret;
 }
 
+#if defined(MBEDTLS_MPI_EXP_MOD_ALT) || defined(MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK)
+
 #ifdef ESP_MPI_USE_MONT_EXP
 /*
  * Return the most significant one-bit.
@@ -272,22 +273,26 @@ cleanup2:
  * (See RSA Accelerator section in Technical Reference for more about Mprime, Rinv)
  *
  */
-int __wrap_mbedtls_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M, mbedtls_mpi *_Rinv )
+static int esp_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M, mbedtls_mpi *_Rinv )
 {
     int ret = 0;
+
+    mbedtls_mpi Rinv_new; /* used if _Rinv == NULL */
+    mbedtls_mpi *Rinv;    /* points to _Rinv (if not NULL) othwerwise &RR_new */
+    mbedtls_mpi_uint Mprime;
+
     size_t x_words = mpi_words(X);
     size_t y_words = mpi_words(Y);
     size_t m_words = mpi_words(M);
 
-
     /* "all numbers must be the same length", so choose longest number
        as cardinal length of operation...
     */
     size_t num_words = esp_mpi_hardware_words(MAX(m_words, MAX(x_words, y_words)));
 
-    mbedtls_mpi Rinv_new; /* used if _Rinv == NULL */
-    mbedtls_mpi *Rinv;    /* points to _Rinv (if not NULL) othwerwise &RR_new */
-    mbedtls_mpi_uint Mprime;
+    if (num_words * 32 > SOC_RSA_MAX_BIT_LEN) {
+        return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+    }
 
     if (mbedtls_mpi_cmp_int(M, 0) <= 0 || (M->p[0] & 1) == 0) {
         return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
@@ -301,14 +306,6 @@ int __wrap_mbedtls_mpi_exp_mod( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbed
         return mbedtls_mpi_lset(Z, 1);
     }
 
-    if (num_words * 32 > SOC_RSA_MAX_BIT_LEN) {
-#ifdef CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI
-        return __real_mbedtls_mpi_exp_mod(Z, X, Y, M, _Rinv);
-#else
-        return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
-#endif
-    }
-
     /* Determine RR pointer, either _RR for cached value
        or local RR_new */
     if (_Rinv == NULL) {
@@ -355,6 +352,32 @@ cleanup:
     return ret;
 }
 
+#endif /* (MBEDTLS_MPI_EXP_MOD_ALT || MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK) */
+
+/*
+ * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
+ */
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *E, const mbedtls_mpi *N,
+                         mbedtls_mpi *_RR )
+{
+    int ret;
+#if defined(MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK)
+    /* Try hardware API first and then fallback to software */
+    ret = esp_mpi_exp_mod( X, A, E, N, _RR );
+    if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ) {
+        ret = mbedtls_mpi_exp_mod_soft( X, A, E, N, _RR );
+    }
+#else
+    /* Hardware approach */
+    ret = esp_mpi_exp_mod( X, A, E, N, _RR );
+#endif
+    /* Note: For software only approach, it gets handled in mbedTLS library.
+    This file is not part of build objects for that case */
+
+    return ret;
+}
+
 #if defined(MBEDTLS_MPI_MUL_MPI_ALT) /* MBEDTLS_MPI_MUL_MPI_ALT */
 
 static int mpi_mult_mpi_failover_mod_mult( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, size_t z_words);

components/mbedtls/port/include/mbedtls/bignum.h

@@ -1,16 +1,8 @@
-// Copyright 2015-2020 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+ * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
 #pragma once
 
 #include_next "mbedtls/bignum.h"
@@ -77,4 +69,31 @@ void esp_mpi_release_hardware(void);
  */
 int esp_mpi_mul_mpi_mod(mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y, const mbedtls_mpi *M);
 
+#if CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI
+
+/**
+ * @brief          Perform a sliding-window exponentiation: X = A^E mod N
+ *
+ * @param X        The destination MPI. This must point to an initialized MPI.
+ * @param A        The base of the exponentiation.
+ *                 This must point to an initialized MPI.
+ * @param E        The exponent MPI. This must point to an initialized MPI.
+ * @param N        The base for the modular reduction. This must point to an
+ *                 initialized MPI.
+ * @param _RR      A helper MPI depending solely on \p N which can be used to
+ *                 speed-up multiple modular exponentiations for the same value
+ *                 of \p N. This may be \c NULL. If it is not \c NULL, it must
+ *                 point to an initialized MPI.
+ *
+ * @return         \c 0 if successful.
+ * @return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * @return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
+ *                 even, or if \c E is negative.
+ * @return         Another negative error code on different kinds of failures.
+ *
+ */
+int mbedtls_mpi_exp_mod_soft(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR);
+
+#endif // CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI
+
 #endif // CONFIG_MBEDTLS_HARDWARE_MPI

components/mbedtls/port/include/mbedtls/esp_config.h

@@ -153,15 +153,22 @@
 #undef MBEDTLS_MD5_ALT
 #endif
 
-/* The following MPI (bignum) functions have ESP32 hardware support.
-   For exponential mod, both software and hardware implementation
-   will be compiled. If CONFIG_MBEDTLS_HARDWARE_MPI is enabled, mod APIs
-   will be wrapped to use hardware implementation.
-*/
-#undef MBEDTLS_MPI_EXP_MOD_ALT
+/* The following MPI (bignum) functions have hardware support.
+ * Uncommenting these macros will use the hardware-accelerated
+ * implementations.
+ */
 #ifdef CONFIG_MBEDTLS_HARDWARE_MPI
+#ifdef CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI
+    /* Prefer hardware and fallback to software */
+    #define MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK
+#else
+    /* Hardware only mode */
+    #define MBEDTLS_MPI_EXP_MOD_ALT
+#endif
 #define MBEDTLS_MPI_MUL_MPI_ALT
 #else
+#undef MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK
+#undef MBEDTLS_MPI_EXP_MOD_ALT
 #undef MBEDTLS_MPI_MUL_MPI_ALT
 #endif
 

tools/ci/check_copyright_ignore.txt

@@ -1484,7 +1484,6 @@ components/mbedtls/port/include/esp_crypto_shared_gdma.h
 components/mbedtls/port/include/esp_ds/esp_rsa_sign_alt.h
 components/mbedtls/port/include/esp_mem.h
 components/mbedtls/port/include/gcm_alt.h
-components/mbedtls/port/include/mbedtls/bignum.h
 components/mbedtls/port/include/mbedtls/esp_config.h
 components/mbedtls/port/include/mbedtls/esp_debug.h
 components/mbedtls/port/include/md/esp_md.h