commit 34139ba9fc7f2d8c480bf7787238ad388121b6ff
author Arto Kinnunen <arto.kinnunen@arm.com> Tue Dec 03 15:43:27 2019 +0200
committer Arto Kinnunen <arto.kinnunen@arm.com> Tue Dec 10 14:54:43 2019 +0200
tree 4d7378c96a43c23d6eee475a82aa6435816f7101
parent be1bb06acd045d264dd94fdaf02b3405059611f9

Updates to AES countermeasures

-Update comments regarding flag MBEDTLS_AES_SCA_COUNTERMEASURES
-Remove MBEDTLS_AES_SCA_COUNTERMEASURES dependency check
-More comments and coding style changes

include/mbedtls/check_config.h

diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 40647d5..fe9c594 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -70,10 +70,6 @@
 #error "MBEDTLS_AESNI_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES) && !defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
-#error "MBEDTLS_AES_SCA_COUNTERMEASURES defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
 #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
 #endif

include/mbedtls/config.h

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 1a2de9a..20f1800 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -639,12 +639,12 @@
  *
  * Add countermeasures against possible side-channel-attack to AES calculation.
  *
- * Uncommenting this macro adds three additional calculation rounds to AES
+ * Uncommenting this macro adds additional calculation rounds to AES
  * calculation. Additional rounds are using random data and can occur in any
  * AES calculation round.
  *
- * Tradeoff: Uncommenting this increases ROM footprint by ~800 bytes.
- * The performance loss is 3/11= 27% with 128 bit AES.
+ * Tradeoff: Uncommenting this increases ROM footprint by ~100 bytes.
+ * The performance loss is ~50% with 128 bit AES.
  *
  * This option is dependent of \c MBEDTLS_ENTROPY_HARDWARE_ALT.
  *

library/aes.c

diff --git a/library/aes.c b/library/aes.c
index 909b4c5..0ddde52 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -90,7 +90,7 @@
  */
 typedef struct _aes_r_data_s {
     uint32_t *rk_ptr;       /* Round Key */
-    uint32_t xy_values[8];  /* X0, X1, X2, X3, Y0, U1, Y2, Y3 */
+    uint32_t xy_values[8];  /* X0, X1, X2, X3, Y0, Y1, Y2, Y3 */
 } aes_r_data_t;
 
 #if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
@@ -547,20 +547,20 @@
                 is_unique_number = 0;
                 tbl[num] = 0x10;
             }
-        } while ( is_unique_number == 1 );
+        } while( is_unique_number == 1 );
     }
 
     // Fill start/final round control data
     num = /* mbedtls_platform_random_in_range( tbl_len - 1 ) */rand() % 0xff;
     if( ( num % 2 ) == 0 )
     {
-        tbl[tbl_len - 2] = 0x10;
-        tbl[tbl_len - 1] = 0x0;
+        tbl[tbl_len - 2] = 0x10;    // fake data
+        tbl[tbl_len - 1] = 0x0;     // real data
     }
     else
     {
-        tbl[tbl_len - 2] = 0x00;
-        tbl[tbl_len - 1] = 0x10;
+        tbl[tbl_len - 2] = 0x00;    // real data
+        tbl[tbl_len - 1] = 0x10;    // fake data
     }
 #endif /* AES_SCA_CM_ROUNDS != 0 */
 
@@ -572,7 +572,7 @@
         {
             if( is_even_pos == 1 )
             {
-                tbl[i] = 0x04;  // real data, offset 0
+                tbl[i] = 0x04;  // real data, offset 4
                 is_even_pos = 0;
             }
             else