Backport 2.x: Fix non-uniform random generation in a range #4276
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gilles-peskine-arm
added
bug
mbed TLS team
needs-review
This was referenced Mar 31, 2021
gilles-peskine-arm
force-pushed
the
random-range-uniformity
branch
2 times, most recently
from
50fe56a to
f8b66e3
Compare
gilles-peskine-arm
force-pushed
the
random-range-uniformity
branch
from
f8b66e3 to
79d0b53
Compare
gilles-peskine-arm
added
the
needs-preceding-pr
gilles-peskine-arm
force-pushed
the
random-range-uniformity
branch
from
79d0b53 to
5201c52
Compare
|
I have rebased this pull request due to add/add conflicts with #4297. |
|
The prerequisite PR #4297 has now been merged, removing the label and changing the base branche twice in order to force-refresh github's cache. |
mpg
requested changes
Apr 13, 2021
There was a problem hiding this comment.
This looks very good overall but I have a number of comments, mainly about readability / internal documentation, plus what looks like to typos in test data.
Thank you very much for cleanly isolating "moving code" in specific commits that do just that, it makes those commits so much easier to review with git show --color-moved --color-moved-ws=allow-indentation-change <commit> (tip for the other reviewer).
gilles-peskine-arm
force-pushed
the
random-range-uniformity
branch
from
71ea745 to
78c8e2b
Compare
gilles-peskine-arm
force-pushed
the
random-range-uniformity
branch
from
78c8e2b to
b9bbd14
Compare
gilles-peskine-arm
force-pushed
the
random-range-uniformity
branch
from
1893e5b to
ee340d9
Compare
The idiom "resize an mpi to a given size" appeared 4 times. Unify it in a single function. Guarantee that the value is set to 0, which is required by some of the callers and not a significant expense where not required. Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
force-pushed
the
random-range-uniformity
branch
from
ee340d9 to
3130ce2
Compare
mpg
previously approved these changes
Jun 3, 2021
Signed-off-by: Gilles Peskine <[email protected]>
Signed-off-by: Gilles Peskine <[email protected]>
ronald-cron-arm
approved these changes
Jun 3, 2021
This was referenced Jun 3, 2021
mpg
removed
the
needs-review
mpg
added
approved
gilles-peskine-arm
added a commit
to gilles-peskine-arm/mbedtls
that referenced
this pull request
Jun 11, 2021
mbedtls_mpi_read_binary{,_le} (in Mbed-TLS#4276)
and mbedtls_mpi_read_string (in Mbed-TLS#4644)
changed their behavior on an empty input from constructing an MPI object with
one limb to not allocating a limb. In principle, this change should be
transparent to applications, however it caused a bug in the library and it does
affect the value when writing back out, so list the change in the changelog.
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
added a commit
to gilles-peskine-arm/mbedtls
that referenced
this pull request
Jun 11, 2021
mbedtls_mpi_read_binary{,_le} (in Mbed-TLS#4276)
and mbedtls_mpi_read_string (in Mbed-TLS#4644)
changed their behavior on an empty input from constructing an MPI object with
one limb to not allocating a limb. In principle, this change should be
transparent to applications, however it caused a bug in the library and it does
affect the value when writing back out, so list the change in the changelog.
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
added a commit
to gilles-peskine-arm/mbedtls
that referenced
this pull request
Jun 11, 2021
mbedtls_mpi_read_binary{,_le} (in Mbed-TLS#4276)
and mbedtls_mpi_read_string (in Mbed-TLS#4644)
changed their behavior on an empty input from constructing an MPI object with
one limb to not allocating a limb. In principle, this change should be
transparent to applications, however it caused a bug in the library and it does
affect the value when writing back out, so list the change in the changelog.
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
added a commit
to gilles-peskine-arm/mbedtls
that referenced
this pull request
Jun 22, 2021
mbedtls_mpi_read_binary{,_le} (in Mbed-TLS#4276)
and mbedtls_mpi_read_string (in Mbed-TLS#4644)
changed their behavior on an empty input from constructing an MPI object with
one limb to not allocating a limb. In principle, this change should be
transparent to applications, however it caused a bug in the library and it does
affect the value when writing back out, so list the change in the changelog.
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
added a commit
to gilles-peskine-arm/mbedtls
that referenced
this pull request
Jun 22, 2021
mbedtls_mpi_read_binary{,_le} (in Mbed-TLS#4276)
and mbedtls_mpi_read_string (in Mbed-TLS#4644)
changed their behavior on an empty input from constructing an MPI object with
one limb to not allocating a limb. In principle, this change should be
transparent to applications, however it caused a bug in the library and it does
affect the value when writing back out, so list the change in the changelog.
Signed-off-by: Gilles Peskine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
mbedtls_ecp_gen_privkeyand extract the part that generates a random number uniformly in a range [2, P-1].mbedtls_mpi_randomto generate a random number uniformly in a range [m, P-1] with m small.dhm.c.mbedtls_mpi_randomin places where a random number was generated in a non-uniform way (key generation and blinding in both ECP and DHM). Fix [BUG] Bias in private key generation in Diffie-Hellman #4245.Needs backports: yes, the non-uniform generation should be fixed in 2.16. However, the refactorings in this pull request are far too invasive for an LTS branch, so we need to figure out a more targeted fix in 2.16.
Given the complexity of this PR, I'll make the 3.0 forward-port once it has two approvals.
There is a conflict with #4297 because both introduce
library/ecp_invasive.h. Since #4297 fixes newly-introduced bugs, it should go in first, then this PR should be rebased. The conflict is trivial so this PR can be reviewed even before the rebase.