masked-aes CI problems fixes
Signed-off-by: Shelly Liberman <shelly.liberman@arm.com>
diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index 18c50bb..0a02642 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -84,9 +84,9 @@
* \brief The AES context-type definition.
*/
-//#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-#define AES_128_EXPANDED_KEY_SIZE_IN_WORDS 44
-//#endif
+#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+#define MBEDTLS_AES_128_EXPANDED_KEY_SIZE_IN_WORDS 44
+#endif
typedef struct mbedtls_aes_context
{
int nr; /*!< The number of rounds. */
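Review bot: `MBEDTLS_AES_128_EXPANDED_KEY_SIZE_IN_WORDS` is now only defined when `MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH` is set, yet library/aes.c consumes it under `MBEDTLS_AES_128_BIT_MASKED` (the `rk_masked` declaration and the `mbedtls_platform_memcpy` in the masking init), so a configuration that enables the masked path without the 128-bit-only option no longer compiles, and the config.h text for the masked option only lists `MBEDTLS_AES_SCA_COUNTERMEASURES` as a requirement. Either widen the guard here to `#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) || defined(MBEDTLS_AES_128_BIT_MASKED)` or, if the intent is that masking genuinely requires 128-bit-only keys (the copy is sized for 44 words), enforce that with a `#error` in check_config.h unless that file, which is not in this diff, already does so. The `mbedtls_aes_context` struct begun on the last line continues past the hunk.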
@@ -98,7 +98,7 @@
uint32_t hash; /*!< hash of the set key */
#endif
#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) && !defined(MBEDTLS_PADLOCK_C)
- uint32_t buf[AES_128_EXPANDED_KEY_SIZE_IN_WORDS]; /*!< Unaligned data buffer for expanded key only */
+ uint32_t buf[MBEDTLS_AES_128_EXPANDED_KEY_SIZE_IN_WORDS]; /*!< Unaligned data buffer for expanded key only */
#else /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
uint32_t buf[68]; /*!< Unaligned data buffer. This buffer can
hold 32 extra Bytes, which can be used for
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index e9a1526..1ac2c81 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -658,14 +658,14 @@
* \def MBEDTLS_AES_128_BIT_MASKED
*
* Requires MBEDTLS_AES_SCA_COUNTERMEASURES
- *
+ *
* Add boolean masking against possible combined side-channel-attack fault injection attacks.
*
* Uncommenting this macro adds data, key and Sbox masking additionally to dummy rounds
*
* Tradeoff:
* Uncommenting this macro does not increase codesize in MBEDTLS_AES_ROM_TABLES configuration.
- * Uncommenting this macro increases codesize in AES RAM tables configuration by ~1k.
+ * Uncommenting this macro increases codesize in AES RAM tables configuration by ~600 byte.
* The performance loss is ~50% with 128 bit AES encrypt.
*
* This option is dependent of \c MBEDTLS_ENTROPY_HARDWARE_ALT.
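Review bot: The requirements paragraph for `MBEDTLS_AES_128_BIT_MASKED` still lists only `MBEDTLS_AES_SCA_COUNTERMEASURES`, but the masked code path is sized by `MBEDTLS_AES_128_EXPANDED_KEY_SIZE_IN_WORDS`, which aes.h now defines only under `MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH`; I would add ` * Requires MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH (the masked key schedule is sized for a 128-bit key only)` directly under the existing Requires line so the dependency is visible where users enable the option. While touching this block, the last visible sentence reads better as ` * This option depends on \c MBEDTLS_ENTROPY_HARDWARE_ALT.`, and the new size estimate would be clearer as `~600 bytes`.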
diff --git a/library/aes.c b/library/aes.c
index 53c6146..f01c738 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -790,7 +790,7 @@
GET_UINT32_LE( RK[j], key, j << 2 );
flow_ctrl++;
}
-
+
switch( ctx->nr )
{
case 10:
@@ -805,7 +805,7 @@
RK[5] = RK[1] ^ RK[4];
RK[6] = RK[2] ^ RK[5];
RK[7] = RK[3] ^ RK[6];
- }
+ }
break;
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
case 12:
@@ -1068,9 +1068,9 @@
static int sub_bytes_masked(uint32_t *data, uint8_t sbox_masked[256])
{
- volatile unsigned int i;
+ volatile unsigned int i;
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 4; i++) {
data[i] = ( (uint32_t) sbox_masked[ ( data[i] ) & 0xFF ] ) ^
( (uint32_t) sbox_masked[ ( data[i] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) sbox_masked[ ( data[i] >> 16 ) & 0xFF ] << 16 ) ^
@@ -1148,7 +1148,7 @@
#define mul_03(num) ( mul_02(num) ^ num )
static void calcMixColmask(uint32_t mask[10])
-{
+{
mask[6] = mul_02(mask[0]) ^ mul_03(mask[1]) ^ mask[2] ^ mask[3];
mask[7] = mask[0] ^ mul_02(mask[1]) ^ mul_03(mask[2]) ^ mask[3];
mask[8] = mask[0] ^ mask[1] ^ mul_02(mask[2]) ^ mul_03(mask[3]);
@@ -1175,7 +1175,7 @@
{
volatile unsigned int i = 0;
-
+
for ( i = 0; i < 4; i++)
{
data[i] = data[i] ^ ( (m1^m5) );
@@ -1197,7 +1197,7 @@
volatile int flow_control = 0;
unsigned int i = 0;
- mbedtls_platform_memcpy(rk_masked, rk, AES_128_EXPANDED_KEY_SIZE_IN_WORDS*4);
+ mbedtls_platform_memcpy(rk_masked, rk, MBEDTLS_AES_128_EXPANDED_KEY_SIZE_IN_WORDS*4);
//Randomly generate the masks: m1 m2 m3 m4 m m'
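Review bot: The byte count on the `mbedtls_platform_memcpy` line hard-codes the word size as `*4` next to a macro whose name says it counts words; spelling it `MBEDTLS_AES_128_EXPANDED_KEY_SIZE_IN_WORDS * sizeof( uint32_t )` keeps the unit explicit and matches the `sizeof(rk_masked)` used for the clears later in the file. Note also that nothing here ties the copied length to `ctx->nr`, so the function is only correct for a 10-round schedule, which is fine as long as the build-time gating guarantees 128-bit keys. `init_masking_encrypt` starts before this hunk.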
@@ -1213,15 +1213,14 @@
//Calculate the masked Sbox
if (calcSboxMasked(mask, sbox_masked) == 0){
- flow_control++;
+ flow_control++;
}
-
+
#define MASK_INIT_CONTROL 19
//Init masked key
if (remask( (uint32_t *)&rk_masked[(Nr * Nb * 4)], 0, 0, 0, 0, mask[5], mask[5], mask[5], mask[5]) == 0) {
flow_control++;
}
-
// Mask change from M1',M2',M3',M4' to M
for (i = 0; i < Nr; i++)
@@ -1229,14 +1228,14 @@
if ( remask( (uint32_t *)&rk_masked[( i * Nb * 4 )], mask[6], mask[7], mask[8], mask[9], mask[4], mask[4], mask[4], mask[4]) == 0 )
flow_control++;
}
-
+
if( flow_control == MASK_INIT_CONTROL ) {
mbedtls_platform_random_delay();
if( flow_control == MASK_INIT_CONTROL ) {
return MASK_INIT_CONTROL;
- }
+ }
}
-
+
return MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
@@ -1283,7 +1282,7 @@
// Masks change from M1',M2',M3',M4' to M
if ( add_rk_masked(round,data, key) == 0 )
flow_control++;
-
+
if ( flow_control == 4 )
return 0;
@@ -1296,14 +1295,14 @@
if ( sub_bytes_masked(data, sbox_masked) == 0 )
flow_control++;
-
- shift_rows((uint8_t *)data);
+
+ shift_rows((uint8_t *)data);
// Mask are removed by the last addroundkey
// From M' to 0
if( add_rk_masked(Nr, data, key) == 0)
flow_control++;
-
+
if ( flow_control == 2 )
return 0;
@@ -1370,14 +1369,14 @@
}
#endif // MBEDTLS_AES_128_BIT_MASKED
-
+
int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
const unsigned char input[16],
unsigned char output[16] )
{
int i, tindex, offset, stop_mark, dummy_rounds;
- aes_r_data_t aes_data_real = {0}; // real data
- aes_r_data_t aes_data_fake = {0}; // fake data
+ aes_r_data_t aes_data_real; // real data
+ aes_r_data_t aes_data_fake; // fake data
aes_r_data_t *aes_data_ptr; // pointer to real or fake data
aes_r_data_t *aes_data_table[2] = {0}; // pointers to real and fake data
int round_ctrl_table_len = ctx->nr + 2 + AES_SCA_CM_ROUNDS;
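Review bot: Dropping the `= {0}` initializers on `aes_data_real` and `aes_data_fake` leaves both structs holding stale stack contents until something writes them, so every field the real and dummy rounds read must now be assigned first; from this hunk I cannot confirm that all of `aes_r_data_t` is (the `xy_values` loading loop and the `rk_ptr` assignments are further down), and reading an unwritten field would be undefined behaviour in a routine whose fault-detection logic relies on deterministic state. If CI rejected `{0}` because of a nested-aggregate warning, `aes_r_data_t aes_data_real = {{0}};` (if the first member is an array) or an explicit `mbedtls_platform_memset( &aes_data_real, 0, sizeof( aes_data_real ) );` after the declarations keeps the zeroed start state without the warning; the same applies to `aes_data_fake`. `mbedtls_internal_aes_encrypt` continues past the end of the hunk.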
@@ -1387,7 +1386,7 @@
uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )];
#if defined MBEDTLS_AES_128_BIT_MASKED
- uint32_t rk_masked[AES_128_EXPANDED_KEY_SIZE_IN_WORDS] = {0};
+ uint32_t rk_masked[MBEDTLS_AES_128_EXPANDED_KEY_SIZE_IN_WORDS] = {0};
static uint8_t sbox_masked[256] = {0};
uint32_t mask[10] = {0};
#endif
@@ -1408,13 +1407,13 @@
#endif
#if defined (MBEDTLS_AES_128_BIT_MASKED)
- //Flow control should be MASK_INIT_CONTROL and it will be checked as a part last flow control verification
+ //Flow control should be MASK_INIT_CONTROL and it will be checked as a part last flow control verification
flow_control = init_masking_encrypt((uint8_t*)ctx->rk, (uint8_t*)rk_masked, mask, sbox_masked);
aes_data_real.rk_ptr = &rk_masked[0];
#else
- aes_data_real.rk_ptr = ctx->rk;
-#endif
-
+ aes_data_real.rk_ptr = ctx->rk;
+#endif
+
aes_data_fake.rk_ptr = ctx->frk;
aes_data_table[0] = &aes_data_real;
@@ -1440,14 +1439,13 @@
flow_control++;
} while( ( i = ( i + 1 ) % 4 ) != offset );
-#if defined (MBEDTLS_AES_128_BIT_MASKED)
+#if defined (MBEDTLS_AES_128_BIT_MASKED)
//Plain text masked with m1',m2',m3',m4'
if (remask( &aes_data_real.xy_values[0], mask[6], mask[7], mask[8], mask[9], 0, 0, 0, 0) == 0)
flow_control++;
if (remask( &aes_data_fake.xy_values[0], mask[6], mask[7], mask[8], mask[9], 0, 0, 0, 0) == 0)
- flow_control++;
-
+ flow_control++;
#endif
tindex = 0;
@@ -1456,7 +1454,7 @@
// Get pointer to the real or fake data
aes_data_ptr = aes_data_table[round_ctrl_table[tindex] >> 4];
stop_mark = round_ctrl_table[tindex] & 0x03;
-
+
// initial round key addition
#if defined (MBEDTLS_AES_128_BIT_MASKED)
if ( add_rk_masked(0, &aes_data_ptr->xy_values[0], aes_data_ptr->rk_ptr) == 0)
@@ -1472,7 +1470,7 @@
tindex++;
} while( stop_mark == 0 );
-
+
// Calculate AES rounds (9, 11 or 13 rounds) + dummy rounds
do
@@ -1497,9 +1495,9 @@
aes_data_ptr->xy_values[6 - offset],
aes_data_ptr->xy_values[7 - offset] );
flow_control++;
-#endif
+#endif
tindex++;
-
+
} while( stop_mark == 0 );
// Calculate final AES round + dummy rounds
@@ -1511,8 +1509,8 @@
if ( aes_masked_round_final( &aes_data_ptr->xy_values[0],
aes_data_ptr->rk_ptr, sbox_masked ) == 0)
flow_control++;
- //Cleanup the masked key
- mbedtls_platform_memset(rk_masked, 0, sizeof(rk_masked));
+ //Cleanup the masked key
+ mbedtls_platform_memset(rk_masked, 0, sizeof(rk_masked));
#else
aes_fround_final( aes_data_ptr->rk_ptr,
&aes_data_ptr->xy_values[0],
@@ -1542,9 +1540,9 @@
flow_control++;
} while( ( i = ( i + 1 ) % 4 ) != offset );
-#if defined (MBEDTLS_AES_128_BIT_MASKED)
+#if defined (MBEDTLS_AES_128_BIT_MASKED)
mbedtls_platform_memset(rk_masked, 0, sizeof(rk_masked));
-#endif
+#endif
/* Double negation is used to silence an "extraneous parentheses" warning */
if( ! ( flow_control != tindex + dummy_rounds + MASKING_FLOW_CONTORL + 8 )
#if defined(MBEDTLS_VALIDATE_AES_KEYS_INTEGRITY)
@@ -1560,10 +1558,10 @@
return 0;
}
}
-
+
// Clear the output in case of a FI
mbedtls_platform_memset( output, 0, 16 );
- mbedtls_platform_memset( aes_data_real.xy_values, 0, 16 );
+ mbedtls_platform_memset( (uint8_t*)&aes_data_real, 0, sizeof(aes_data_real) );
mbedtls_platform_memset (aes_data_table, 0, sizeof(aes_data_table));
#if defined (MBEDTLS_AES_128_BIT_MASKED)
//Clear masked key, masked sbox and mask in case of a FI
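Review bot: The fault-path clear now wipes all of `aes_data_real`, but `aes_data_fake`, which went through the same rounds and carries the same kind of state, is left untouched, so the two buffers are handled asymmetrically on the very path where a fault was just detected; adding `mbedtls_platform_memset( &aes_data_fake, 0, sizeof( aes_data_fake ) );` next to it keeps both in the same state. The `(uint8_t*)` cast on the new line is unnecessary if `mbedtls_platform_memset` takes a `void *` destination like `memset`, so `mbedtls_platform_memset( &aes_data_real, 0, sizeof( aes_data_real ) );` reads cleaner. The enclosing `mbedtls_internal_aes_encrypt` begins before this hunk.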
@@ -1685,7 +1683,7 @@
#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
-static uint32_t *aes_fround( uint32_t *R,
+static uint32_t *aes_rround( uint32_t *R,
uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
{
diff --git a/library/version_features.c b/library/version_features.c
index d7e6581..beccd3f 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -273,12 +273,12 @@
#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
"MBEDTLS_AES_SCA_COUNTERMEASURES",
#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
-#if defined(MBEDTLS_FI_COUNTERMEASURES)
- "MBEDTLS_FI_COUNTERMEASURES",
-#endif /* MBEDTLS_FI_COUNTERMEASURES */
#if defined(MBEDTLS_AES_128_BIT_MASKED)
"MBEDTLS_AES_128_BIT_MASKED",
#endif /* MBEDTLS_AES_128_BIT_MASKED */
+#if defined(MBEDTLS_FI_COUNTERMEASURES)
+ "MBEDTLS_FI_COUNTERMEASURES",
+#endif /* MBEDTLS_FI_COUNTERMEASURES */
#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
"MBEDTLS_CAMELLIA_SMALL_MEMORY",
#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */