Improve robustness and testing of mbedtls_mpi_copy #346
Conversation
Cover more cases: different signs, different zeronesses, repeated argument.
If Y was constructed through functions in this module, then Y->n == 0 iff Y->p == NULL. However we do not prevent filling mpi structures manually, and zero may be represented with n=0 and p a valid pointer. Most of the code can cope with such a representation, but for the source of mbedtls_mpi_copy, this would cause an integer underflow. Changing the test for zero from Y->p==NULL to Y->n==0 causes this case to work at no extra cost.
gilles-peskine-arm
added
enhancement
library/bignum.c
Outdated
| if( X->n <= nblimbs ) | ||
| return( mbedtls_mpi_grow( X, nblimbs ) ); | ||
| /* Now X->n > nblimbs >= 0. */ |
There was a problem hiding this comment.
Minor: While we're improving comments, I'd like to suggest replacing "Now" with "If we reach this point, we know that". Initially I missed that there there was a return on the line above, so I started commenting that we only know X->n >= nblimbs here before realizing my mistake. I think wording like the one I suggested would have helped draw my attention to the return above.
|
I checked the CI results, and the only failures are in Mbed OS testing, which is expected as Mbed OS needs updating, so it's as good as a pass. |
|
For some reason the CI had directly reported failure without actually running any test. I'm restarting it. |
tests/suites/test_suite_mpi.data
Outdated
| mbedtls_mpi_swap:0:1500 | ||
|
|
||
| Test mbedtls_mpi_shrink #1 | ||
| Shrink 2 in 2 to 4 |
There was a problem hiding this comment.
I am not sure I understand this description, could you please make it slightly more verbose?
tests/suites/test_suite_mpi.function
Outdated
| mbedtls_mpi X, Y, X0; | ||
| mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &X0 ); | ||
|
|
||
| TEST_ASSERT( mbedtls_mpi_read_binary_le( &X, input_X->x, input_X->len ) == 0 ); |
There was a problem hiding this comment.
Our existing tests are using big endian input and I think it would be less confusing to have consistency in this matter. Why do you prefer little endian by the way?
yanesca
added
needs: work
We normally represent bignums in big-endian order and there is no reason to deviate here.
gilles-peskine-arm
added
needs: review
|
Checked the CI and it only fails on Mbed OS with known issues that are unrelated to this PR. |
yanesca
removed
the
needs: review
mpg
added
ready for merge
|
The backport are now ready for merge, and so is this. |
* ARMmbed#352: Parse RSA parameters DP, DQ and QP from PKCS1 private keys * ARMmbed#263: Introduce ASN.1 SEQUENCE traversal API * ARMmbed#345: Fix possible error code mangling in psa_mac_verify_finish * ARMmbed#357: Update Mbed Crypto with latest Mbed TLS changes as of 2020-02-03 * ARMmbed#350: test_suite_asn1parse: improve testing of trailing garbage in parse_prefixes * ARMmbed#346: Improve robustness and testing of mbedtls_mpi_copy
Also improve testing of
mbedtls_mpi_swap.The robustness improvement could plausibly fix a bug in some applications, so this should be backported.