Refactor mpi_write_hlp to not be recursive

[RonEld]

Description

Refactor mpi_write_hlp() to not be recursive, to fix stack overflows.
Iterate over the mbedtls_mpi division of the radix requested,
until it is zero. Each iteration, put the residue in the next LSB
of the output buffer. Fixes #2190

Status

READY

Requires Backporting

Yes
Which branch?
mbedtls-2.1
mbedtls-2.7

Migrations

NO

Additional comments

Tested on Linux machine, K64F, NRF52840_DK

Todos

• Tests
• Documentation
• Changelog updated
• Backported

Steps to test or reproduce

Run the test_suite_mpi on embedded platforms.

[hanno-becker]

That's a too detailed ChangeLog entry, the first line suffices.

[RonEld]

Yeah, I thought about it

[andresag01]

I personally like a bit of information regarding the reasoning of a change, but I would phrase it differently. For example:

Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190.

[hanno-becker]

I like that.

[hanno-becker]

Consider failing if buflen == 0 to avoid an underflow.

[RonEld]

I considered it, but since the calling function checks the buffer length here, I thought I shouldn't

[hanno-becker]

Yes, for a static function that should be enough. Could you add a comment instead?

[hanno-becker]

Minor: Double white space

[hanno-becker]

This is pre-existing, but what is this line supposed to do?

[RonEld]

As I wrote in the comment( It took me a while to understand as well):
"Write the residue in the current position, as an ASCII character."
Digits start from 0x30, and A start from 0x41. So, 0x37 + A is 0x41

[hanno-becker]

No need to repeat a comment here. Anyway, what you wrote afterwards clarifies things, thanks.

[hanno-becker]

Minor improvement: Consider setting p_end = p + buflen in the beginning, and using *--p_end = ... in the loop. This allows to use p_end instead of p_end + 1 here.

[RonEld]

I like this approach better

[hanno-becker]

Blocker: If length > buflen, we'll leave the loop but nonetheless call memmove() with length as the length parameter.

We should fail if length > buflen.

[RonEld]

Same answer as #2214 (comment)
I'll add a comment

[hanno-becker]

No, length is dynamic.

[RonEld]

But it starts from 0, and dependent on buflen.
buflen cannot be shorter than n, as checked in https://github.com/ARMmbed/mbedtls/blob/development/library/bignum.c#L552
n should be at most length

[hanno-becker]

In that case, one shouldn't check for length <= buflen. It is highly unintuitive and error-prone to have a buffer length parameter and nonetheless omit bounds checks because one assumes it's large enough. There is technical justification here because of the memmove(), but nonetheless it's dangerous.

Please remove the check length <= buflen from the loop condition and instead check for length < buflen at the beginning of the loop body. This also removes the need for the precondition buflen > 0.

[RonEld]

I thought about not adding it at all, but then again, it's always better not to increase the size.
I'll make the change

[hanno-becker]

Yes, very true - if we can, we should be keep the code size down, and if it wasn't for the memmove() I'd be fine with using the fact that we have sufficient space as a precondition. But with the buffer length parameter in place, I think it's misleading to make this assumption.

[hanno-becker]

Thanks @RonEld, overall the approach looks good to me. I requested some changes, the most relevant ones being a shortening of the ChangeLog entry, and the removal of a potential buffer overflow.

[RonEld]

@hanno-arm I addressed your comments

[hanno-becker]

Thanks for the changes, @RonEld, looks fine apart from the bounds check which should be streamlined as indicated in the comment. This also makes the precondition (and hence the comment) on buflen redundant.

[RonEld]

@hanno-arm I fixed according to your comment

[hanno-becker]

There's an infinite loop if length ever gets to buflen. Suggestion: Check for length >= buflen in the beginning of the loop body and return MBEDTLS_ERR_MPI_BUFFER_TO_SMALL in this case.

[RonEld]

@hanno-arm I addressed your comment, but honestly I think it is adding dead code, as in this static function, length will always be smaller than buflen (or equal at the last iteration)

[hanno-becker]

Minor: It would be more readable to write

if( length >= buflen )
   return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );

and then do the rest.

[RonEld]

ok

[hanno-becker]

Could you fix this, and then we leave the other optimizations for another issue?

[hanno-becker]

@RonEld Thanks. I agree that it should never happen, but apart from the reason for including the check I've already given, is it really that obvious that length will never exceed buflen? The caller checks buflen against a shifted version of mbedtls_mpi_get_bitlen(), while the evolution of length in this function depends on iterated calls to mbedtls_mpi_div_int() and mbedtls_mpi_cmp_int(). We rely on all of these functions to work properly if we want to reason that we don't risk an overflow. In my opinion, that's too much risk compared to adding the check. I fully agree that we should reduce code-size whenever we can, but it must not come at the cost of too complex reasoning about the safety of the resulting code.

[hanno-becker]

Let's save some bytes and RAM here instead, by not using T. Suggestion: Document that mpi_write_hlp() ignores the sign and just pass X instead of the local copy T.

[hanno-becker]

That's actually wrong, because we need a copy in order to successively divide T by the radix.

[RonEld]

Probably, but maybe it's better to define T in mpi_write_hlp() instead?

[andresag01]

I like @RonEld suggestion

[hanno-becker]

Also, if we want to save code, I think we should call mpi_write_hlp() even for radix 16 and get rid of the radix == 16 branch - it might not be as fast as the hand-coded version, but mbedtls_mpi_write_string() is not time-critical anyway.

[andresag01]

We could do that, but I have no strong opinions about it, so this is not a blocker for my approval...

[hanno-becker]

Requested two code and RAM saving optimizations in the caller mbedtls_write_mpi() that are worth doing along the way. If you insist, @RonEld, that's of course a pre-existing issue and need not be addressed in this PR, but I'd be happy if you could spare the time nonetheless.

[RonEld]

@hanno-arm I don't mind doing these changes, I just think they should be tracked in a different github issue

[hanno-becker]

Looks good to me!

[RonEld]

@hanno-arm Thanks for the review!
I created #2216 to track the other two optimization suggestions

[hanno-becker]

Minor: This line is too long.

[hanno-becker]

I only now noticed that there's an overly long line introduced in the PR. Please break it.

[hanno-becker]

This is easier to read if we write (char)( 'a' + ( r - 10 ) ).

[RonEld]

I think it will be more readable if we change 10 to 0xA

[hanno-becker]

This is slightly easier to read if we write (char)( '0' + r ).

[hanno-becker]

Minor: I think usually we are explicit about the != 0. Could you add it?

[RonEld]

yes, it's a typo from my previous modification

[RonEld]

@Hanno I modified according to your comments

[RonEld]

@andresag01 If you haven't started reviewing yet, I will squash the code commits tomorrow, to a single commit, and update the ChangeLog as you requested

[andresag01]

The changes look good to me, just made a few minor suggestions.

[andresag01]

I like @RonEld suggestion

[andresag01]

I think this code is a bit pointless. This function is only a helper called within this compilation module and the caller (i.e. mbedtls_mpi_write_string()) already has the same check, so I think this is effectively dead code.

[RonEld]

OK. I guess the original intent of this check was if this helper function would be called from a different function in the future, to check this function's preconditions

[andresag01]

We could do that, but I have no strong opinions about it, so this is not a blocker for my approval...

[andresag01]

@andresag01 If you haven't started reviewing yet, I will squash the code commits tomorrow, to a single commit, and update the ChangeLog as you requested

Sorry, I had already started reviewing by the time you posted the message...

[RonEld]

@andresag01 I have addressed your comments.
Note that #2214 (comment) will be addressed as part of hanno's work on #2216

[hanno-becker]

LGTM

[RonEld]

@andresag01 @hanno-arm I have squashed the PR into two commits. A refernce branch for comparison before the commit is in https://github.com/RonEld/mbedtls/tree/2627_reference
Please review

[RonEld]

A backport to mbedtls-2.7 is in #2234

[hanno-becker]

Looks good to me! Sorry for the long delay.

[hanno-becker]

Ping @Patater for gatekeeping.

[simonbutcher]

CI is failing on DTLS fragmentations issues:

DTLS proxy: 3d, min handshake, client-initiated renego
DTLS proxy: 3d, FS, ticket
DTLS proxy: 3d, min handshake, server-initiated renego, nbio

The issue appears to be due to timeouts, therefore re-running the CI.