Blame - lib/libmbedtls/mbedtls/library/bignum.c - OP-TEE/optee_os

2018-05-22 13:49:31 +0200

[diff] [blame]

1

/*

2

* Multi-precision integer library

3

*

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

4

* Copyright The Mbed TLS Contributors

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

*/

/*

* The following sources were referenced in the design of this Multi-precision

10

* Integer library:

11

*

12

* [1] Handbook of Applied Cryptography - 1997

13

* Menezes, van Oorschot and Vanstone

14

*

15

* [2] Multi-Precision Math

16

* Tom St Denis

17

* https://github.com/libtom/libtommath/blob/develop/tommath.pdf

18

*

19

* [3] GNU Multi-Precision Arithmetic Library

20

* https://gmplib.org/manual/index.html

*

*/

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

24

#include "common.h"

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

25

26

#if defined(MBEDTLS_BIGNUM_C)

27

28

#include "mbedtls/bignum.h"

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

29

#include "bignum_core.h"

30

#include "bn_mul.h"

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

31

#include "mbedtls/platform_util.h"

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

32

#include "mbedtls/error.h"

Jerome Forissier

2022-08-09 17:10:15 +0200

[diff] [blame]

33

#include "constant_time_internal.h"

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

34

Jerome Forissier

2022-08-09 17:10:15 +0200

[diff] [blame]

35

#include <limits.h>

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

36

#include <string.h>

37

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

38

#include "mbedtls/platform.h"

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

39

Jens Wiklander

2018-11-08 11:18:22 +0100

[diff] [blame]

40

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

41

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

42

/*

43

* Conditionally select an MPI sign in constant time.

44

* (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid

45

* values.)

46

*/

47

static inline signed short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond,

48

signed short sign1, signed short sign2)

49

{

50

return (signed short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1;

51

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

52

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

53

/*

54

* Compare signed values in constant time

55

*/

56

int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,

57

const mbedtls_mpi *Y,

58

unsigned *ret)

59

{

60

mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result;

61

62

if (X->n != Y->n) {

63

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

}

/*

* Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0.

68

* We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.

69

*/

70

X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1);

71

Y_is_negative = mbedtls_ct_bool((Y->s & 2) >> 1);

72

73

/*

74

* If the signs are different, then the positive operand is the bigger.

75

* That is if X is negative (X_is_negative == 1), then X < Y is true and it

76

* is false if X is positive (X_is_negative == 0).

77

*/

78

different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign

79

result = mbedtls_ct_bool_and(different_sign, X_is_negative);

80

81

/*

82

* Assuming signs are the same, compare X and Y. We switch the comparison

83

* order if they are negative so that we get the right result, regardles of

* sign.

*/

/* This array is used to conditionally swap the pointers in const time */

88

void * const p[2] = { X->p, Y->p };

89

size_t i = mbedtls_ct_size_if_else_0(X_is_negative, 1);

90

mbedtls_ct_condition_t lt = mbedtls_mpi_core_lt_ct(p[i], p[i ^ 1], X->n);

91

92

/*

93

* Store in result iff the signs are the same (i.e., iff different_sign == false). If

94

* the signs differ, result has already been set, so we don't change it.

95

*/

96

result = mbedtls_ct_bool_or(result,

97

mbedtls_ct_bool_and(mbedtls_ct_bool_not(different_sign), lt));

98

99

*ret = mbedtls_ct_uint_if_else_0(result, 1);

return 0;

}

/*

* Conditionally assign X = Y, without leaking information

106

* about whether the assignment was made or not.

107

* (Leaking information about the respective sizes of X and Y is ok however.)

108

*/

109

#if defined(_MSC_VER) && defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \

110

(_MSC_FULL_VER < 193131103)

111

/*

112

* MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:

113

* https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989

*/

__declspec(noinline)

#endif

int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X,

118

const mbedtls_mpi *Y,

119

unsigned char assign)

{

int ret = 0;

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));

124

125

{

126

mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign);

127

128

X->s = mbedtls_ct_mpi_sign_if(do_assign, Y->s, X->s);

129

130

mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign);

131

132

mbedtls_ct_condition_t do_not_assign = mbedtls_ct_bool_not(do_assign);

133

for (size_t i = Y->n; i < X->n; i++) {

134

X->p[i] = mbedtls_ct_mpi_uint_if_else_0(do_not_assign, X->p[i]);

}

}

cleanup:

return ret;

}

/*

* Conditionally swap X and Y, without leaking information

144

* about whether the swap was made or not.

145

* Here it is not ok to simply swap the pointers, which would lead to

146

* different memory access patterns when X and Y are used afterwards.

147

*/

148

int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X,

mbedtls_mpi *Y,

unsigned char swap)

{

int ret = 0;

int s;

if (X == Y) {

return 0;

}

mbedtls_ct_condition_t do_swap = mbedtls_ct_bool(swap);

160

161

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));

162

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n));

163

164

s = X->s;

165

X->s = mbedtls_ct_mpi_sign_if(do_swap, Y->s, X->s);

166

Y->s = mbedtls_ct_mpi_sign_if(do_swap, s, Y->s);

167

168

mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap);

cleanup:

return ret;

}

Jens Wiklander

2018-11-08 11:18:22 +0100

[diff] [blame]

173

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

174

/* Implementation that should never be optimized out by the compiler */

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

175

#define mbedtls_mpi_zeroize_and_free(v, n) mbedtls_zeroize_and_free(v, ciL * (n))

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

176

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

177

/*

178

* Initialize one MPI

179

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

180

void mbedtls_mpi_init(mbedtls_mpi *X)

Jens Wiklander

2018-11-08 11:18:22 +0100

[diff] [blame]

181

{

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

182

X->s = 1;

183

X->n = 0;

184

X->p = NULL;

Jens Wiklander

2018-11-08 11:18:22 +0100

[diff] [blame]

185

}

186

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

187

/*

188

* Unallocate one MPI

189

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

190

void mbedtls_mpi_free(mbedtls_mpi *X)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

191

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

192

if (X == NULL) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

193

return;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

194

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

195

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

196

if (X->p != NULL) {

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

197

mbedtls_mpi_zeroize_and_free(X->p, X->n);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

X->s = 1;

X->n = 0;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

202

X->p = NULL;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Enlarge to the specified number of limbs

207

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

208

int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

{

mbedtls_mpi_uint *p;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

212

if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {

213

return MBEDTLS_ERR_MPI_ALLOC_FAILED;

214

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

215

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

216

if (X->n < nblimbs) {

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

217

if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {

218

return MBEDTLS_ERR_MPI_ALLOC_FAILED;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

219

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

220

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

221

if (X->p != NULL) {

222

memcpy(p, X->p, X->n * ciL);

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

223

mbedtls_mpi_zeroize_and_free(X->p, X->n);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

224

}

225

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

226

/* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS

227

* fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */

228

X->n = (unsigned short) nblimbs;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

229

X->p = p;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

230

}

231

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

232

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Resize down as much as possible,

237

* while keeping at least the specified number of limbs

238

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

239

int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

240

{

241

mbedtls_mpi_uint *p;

242

size_t i;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

243

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

244

if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {

245

return MBEDTLS_ERR_MPI_ALLOC_FAILED;

246

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

247

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

248

/* Actually resize up if there are currently fewer than nblimbs limbs. */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

249

if (X->n <= nblimbs) {

250

return mbedtls_mpi_grow(X, nblimbs);

251

}

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

252

/* After this point, then X->n > nblimbs and in particular X->n > 0. */

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

253

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

254

for (i = X->n - 1; i > 0; i--) {

255

if (X->p[i] != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

256

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

257

}

258

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

259

i++;

260

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

261

if (i < nblimbs) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

262

i = nblimbs;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

263

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

264

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

265

if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {

266

return MBEDTLS_ERR_MPI_ALLOC_FAILED;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

}

if (X->p != NULL) {

memcpy(p, X->p, i * ciL);

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

271

mbedtls_mpi_zeroize_and_free(X->p, X->n);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

272

}

273

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

274

/* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS

275

* fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */

276

X->n = (unsigned short) i;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

277

X->p = p;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

278

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

279

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

280

}

281

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

282

/* Resize X to have exactly n limbs and set it to 0. */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

283

static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

284

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

if (limbs == 0) {

mbedtls_mpi_free(X);

return 0;

} else if (X->n == limbs) {

289

memset(X->p, 0, limbs * ciL);

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

290

X->s = 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

return 0;

} else {

mbedtls_mpi_free(X);

return mbedtls_mpi_grow(X, limbs);

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

}

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

298

/*

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

299

* Copy the contents of Y into X.

300

*

301

* This function is not constant-time. Leading zeros in Y may be removed.

302

*

303

* Ensure that X does not shrink. This is not guaranteed by the public API,

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

304

* but some code in the bignum module might still rely on this property.

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

305

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

306

int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

307

{

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

308

int ret = 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

309

size_t i;

310

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

311

if (X == Y) {

312

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

313

}

314

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

if (Y->n == 0) {

if (X->n != 0) {

X->s = 1;

memset(X->p, 0, X->n * ciL);

}

return 0;

}

for (i = Y->n - 1; i > 0; i--) {

324

if (Y->p[i] != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

325

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

326

}

327

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

i++;

X->s = Y->s;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

332

if (X->n < i) {

333

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));

334

} else {

335

memset(X->p + i, 0, (X->n - i) * ciL);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

336

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

337

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

338

memcpy(X->p, Y->p, i * ciL);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

342

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Swap the contents of X and Y

347

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

348

void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

{

mbedtls_mpi T;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

352

memcpy(&T, X, sizeof(mbedtls_mpi));

353

memcpy(X, Y, sizeof(mbedtls_mpi));

354

memcpy(Y, &T, sizeof(mbedtls_mpi));

355

}

356

357

static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)

{

if (z >= 0) {

return z;

}

/* Take care to handle the most negative value (-2^(biL-1)) correctly.

363

* A naive -z would have undefined behavior.

364

* Write this in a way that makes popular compilers happy (GCC, Clang,

365

* MSVC). */

366

return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

367

}

368

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

369

/* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative.

370

* This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */

371

#define TO_SIGN(x) ((mbedtls_mpi_sint) (((mbedtls_mpi_uint) x) >> (biL - 1)) * -2 + 1)

372

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

373

/*

374

* Set value from integer

375

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

376

int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

377

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

378

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

379

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

380

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));

381

memset(X->p, 0, X->n * ciL);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

382

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

383

X->p[0] = mpi_sint_abs(z);

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

384

X->s = TO_SIGN(z);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

388

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Get a specific bit

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

394

int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

395

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

396

if (X->n * biL <= pos) {

397

return 0;

398

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

399

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

400

return (X->p[pos / biL] >> (pos % biL)) & 0x01;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Set a bit to a specific value of 0 or 1

405

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

406

int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

407

{

408

int ret = 0;

409

size_t off = pos / biL;

410

size_t idx = pos % biL;

411

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

412

if (val != 0 && val != 1) {

413

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

414

}

415

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

416

if (X->n * biL <= pos) {

if (val == 0) {

return 0;

}

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));

422

}

423

424

X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

425

X->p[off] |= (mbedtls_mpi_uint) val << idx;

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

429

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Return the number of less significant zero-bits

434

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

435

size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

436

{

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

437

size_t i;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

438

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

439

#if defined(__has_builtin)

440

#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz)

441

#define mbedtls_mpi_uint_ctz __builtin_ctz

442

#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_ctzl)

443

#define mbedtls_mpi_uint_ctz __builtin_ctzl

444

#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_ctzll)

445

#define mbedtls_mpi_uint_ctz __builtin_ctzll

#endif

#endif

#if defined(mbedtls_mpi_uint_ctz)

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

450

for (i = 0; i < X->n; i++) {

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

451

if (X->p[i] != 0) {

452

return i * biL + mbedtls_mpi_uint_ctz(X->p[i]);

}

}

#else

size_t count = 0;

for (i = 0; i < X->n; i++) {

458

for (size_t j = 0; j < biL; j++, count++) {

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

459

if (((X->p[i] >> j) & 1) != 0) {

460

return count;

461

}

462

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

463

}

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

464

#endif

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

465

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

466

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Return the number of bits

471

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

472

size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

473

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

474

return mbedtls_mpi_core_bitlen(X->p, X->n);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Return the total size in bytes

479

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

480

size_t mbedtls_mpi_size(const mbedtls_mpi *X)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

481

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

482

return (mbedtls_mpi_bitlen(X) + 7) >> 3;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Convert an ASCII character to digit value

487

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

488

static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

{

*d = 255;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

492

if (c >= 0x30 && c <= 0x39) {

493

*d = c - 0x30;

494

}

495

if (c >= 0x41 && c <= 0x46) {

496

*d = c - 0x37;

497

}

498

if (c >= 0x61 && c <= 0x66) {

499

*d = c - 0x57;

500

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

501

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

502

if (*d >= (mbedtls_mpi_uint) radix) {

503

return MBEDTLS_ERR_MPI_INVALID_CHARACTER;

504

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

505

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

506

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Import from an ASCII string

511

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

512

int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

513

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

514

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

515

size_t i, j, slen, n;

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

516

int sign = 1;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

mbedtls_mpi_uint d;

mbedtls_mpi T;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

520

if (radix < 2 || radix > 16) {

521

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

522

}

523

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

524

mbedtls_mpi_init(&T);

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

if (s[0] == 0) {

mbedtls_mpi_free(X);

return 0;

}

if (s[0] == '-') {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

++s;

sign = -1;

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

536

slen = strlen(s);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

537

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

538

if (radix == 16) {

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

539

if (slen > SIZE_MAX >> 2) {

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

540

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

541

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

542

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

543

n = BITS_TO_LIMBS(slen << 2);

544

545

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));

546

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));

547

548

for (i = slen, j = 0; i > 0; i--, j++) {

549

MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));

550

X->p[j / (2 * ciL)] |= d << ((j % (2 * ciL)) << 2);

551

}

552

} else {

553

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));

554

555

for (i = 0; i < slen; i++) {

556

MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));

557

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));

558

MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

562

if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

563

X->s = -1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

564

}

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

565

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

566

cleanup:

567

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

568

mbedtls_mpi_free(&T);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

569

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

570

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

571

}

572

573

/*

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

574

* Helper to write the digits high-order first.

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

575

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

576

static int mpi_write_hlp(mbedtls_mpi *X, int radix,

577

char **p, const size_t buflen)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

578

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

579

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

580

mbedtls_mpi_uint r;

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

581

size_t length = 0;

582

char *p_end = *p + buflen;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

583

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

584

do {

585

if (length >= buflen) {

586

return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

587

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

588

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

589

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));

590

MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

591

/*

592

* Write the residue in the current position, as an ASCII character.

593

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

594

if (r < 0xA) {

595

*(--p_end) = (char) ('0' + r);

596

} else {

597

*(--p_end) = (char) ('A' + (r - 0xA));

598

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

599

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

600

length++;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

601

} while (mbedtls_mpi_cmp_int(X, 0) != 0);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

602

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

603

memmove(*p, p_end, length);

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

604

*p += length;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

608

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Export into an ASCII string

613

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

614

int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,

615

char *buf, size_t buflen, size_t *olen)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

{

int ret = 0;

size_t n;

char *p;

mbedtls_mpi T;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

622

if (radix < 2 || radix > 16) {

623

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

624

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

625

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

626

n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */

627

if (radix >= 4) {

628

n >>= 1; /* Number of 4-adic digits necessary to present

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

629

* `n`. If radix > 4, this might be a strict

630

* overapproximation of the number of

631

* radix-adic digits needed to present `n`. */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

632

}

633

if (radix >= 16) {

634

n >>= 1; /* Number of hexadecimal digits necessary to

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

635

* present `n`. */

636

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

637

}

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

638

n += 1; /* Terminating null byte */

639

n += 1; /* Compensate for the divisions above, which round down `n`

640

* in case it's not even. */

641

n += 1; /* Potential '-'-sign. */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

642

n += (n & 1); /* Make n even to have enough space for hexadecimal writing,

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

643

* which always uses an even number of hex-digits. */

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

644

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

645

if (buflen < n) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

646

*olen = n;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

647

return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

648

}

649

650

p = buf;

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

651

mbedtls_mpi_init(&T);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

652

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

653

if (X->s == -1) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

654

*p++ = '-';

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

655

buflen--;

656

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

657

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

658

if (radix == 16) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

int c;

size_t i, j, k;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

662

for (i = X->n, k = 0; i > 0; i--) {

663

for (j = ciL; j > 0; j--) {

664

c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

665

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

666

if (c == 0 && k == 0 && (i + j) != 2) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

667

continue;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

668

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

669

670

*(p++) = "0123456789ABCDEF" [c / 16];

671

*(p++) = "0123456789ABCDEF" [c % 16];

672

k = 1;

673

}

674

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

675

} else {

676

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

677

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

678

if (T.s == -1) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

679

T.s = 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

680

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

681

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

682

MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

683

}

684

685

*p++ = '\0';

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

686

*olen = (size_t) (p - buf);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

690

mbedtls_mpi_free(&T);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

691

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

692

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

693

}

694

695

#if defined(MBEDTLS_FS_IO)

696

/*

697

* Read X from an opened file

698

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

699

int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

{

mbedtls_mpi_uint d;

size_t slen;

char *p;

/*

* Buffer should have space for (short) label and decimal formatted MPI,

706

* newline characters and '\0'

707

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

708

char s[MBEDTLS_MPI_RW_BUFFER_SIZE];

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

709

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

710

if (radix < 2 || radix > 16) {

711

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

712

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

713

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

714

memset(s, 0, sizeof(s));

715

if (fgets(s, sizeof(s) - 1, fin) == NULL) {

716

return MBEDTLS_ERR_MPI_FILE_IO_ERROR;

717

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

718

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

719

slen = strlen(s);

720

if (slen == sizeof(s) - 2) {

721

return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;

722

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

723

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

724

if (slen > 0 && s[slen - 1] == '\n') {

725

slen--; s[slen] = '\0';

726

}

727

if (slen > 0 && s[slen - 1] == '\r') {

728

slen--; s[slen] = '\0';

729

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

730

731

p = s + slen;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

732

while (p-- > s) {

733

if (mpi_get_digit(&d, radix, *p) != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

734

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

735

}

736

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

737

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

738

return mbedtls_mpi_read_string(X, radix, p + 1);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Write X into an opened file (or stdout if fout == NULL)

743

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

744

int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

745

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

746

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

747

size_t n, slen, plen;

748

/*

749

* Buffer should have space for (short) label and decimal formatted MPI,

750

* newline characters and '\0'

751

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

752

char s[MBEDTLS_MPI_RW_BUFFER_SIZE];

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

753

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

754

if (radix < 2 || radix > 16) {

755

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

756

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

757

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

758

memset(s, 0, sizeof(s));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

759

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

760

MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

761

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

762

if (p == NULL) {

763

p = "";

764

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

765

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

766

plen = strlen(p);

767

slen = strlen(s);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

s[slen++] = '\r';

s[slen++] = '\n';

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

771

if (fout != NULL) {

772

if (fwrite(p, 1, plen, fout) != plen ||

773

fwrite(s, 1, slen, fout) != slen) {

774

return MBEDTLS_ERR_MPI_FILE_IO_ERROR;

775

}

776

} else {

777

mbedtls_printf("%s%s", p, s);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

778

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

782

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

783

}

784

#endif /* MBEDTLS_FS_IO */

785

786

/*

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

787

* Import X from unsigned binary data, little endian

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

788

*

789

* This function is guaranteed to return an MPI with exactly the necessary

790

* number of limbs (in particular, it does not skip 0s in the input).

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

791

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

792

int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,

793

const unsigned char *buf, size_t buflen)

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

794

{

795

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

796

const size_t limbs = CHARS_TO_LIMBS(buflen);

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

797

798

/* Ensure that target MPI has exactly the necessary number of limbs */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

799

MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

800

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

801

MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen));

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

cleanup:

/*

* This function is also used to import keys. However, wiping the buffers

807

* upon failure is not necessary because failure only can happen before any

808

* input is copied.

809

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

810

return ret;

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

811

}

812

813

/*

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

814

* Import X from unsigned binary data, big endian

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

815

*

816

* This function is guaranteed to return an MPI with exactly the necessary

817

* number of limbs (in particular, it does not skip 0s in the input).

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

818

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

819

int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

820

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

821

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

822

const size_t limbs = CHARS_TO_LIMBS(buflen);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

823

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

824

/* Ensure that target MPI has exactly the necessary number of limbs */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

825

MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));

Jens Wiklander

2976273

2019-04-17 12:28:43 +0200

[diff] [blame]

826

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

827

MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

831

/*

832

* This function is also used to import keys. However, wiping the buffers

833

* upon failure is not necessary because failure only can happen before any

834

* input is copied.

835

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

836

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

837

}

838

839

/*

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

840

* Export X into unsigned binary data, little endian

841

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

842

int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,

843

unsigned char *buf, size_t buflen)

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

844

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

845

return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen);

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

846

}

847

848

/*

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

849

* Export X into unsigned binary data, big endian

850

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

851

int mbedtls_mpi_write_binary(const mbedtls_mpi *X,

852

unsigned char *buf, size_t buflen)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

853

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

854

return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Left-shift: X <<= count

859

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

860

int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

861

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

862

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

863

size_t i;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

864

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

865

i = mbedtls_mpi_bitlen(X) + count;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

866

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

867

if (X->n * biL < i) {

868

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));

869

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

ret = 0;

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

873

mbedtls_mpi_core_shift_l(X->p, X->n, count);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

874

cleanup:

875

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

876

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Right-shift: X >>= count

881

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

882

int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

883

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

884

if (X->n != 0) {

885

mbedtls_mpi_core_shift_r(X->p, X->n, count);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

886

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

887

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Compare unsigned values

892

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

893

int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

{

size_t i, j;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

897

for (i = X->n; i > 0; i--) {

898

if (X->p[i - 1] != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

899

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

900

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

901

}

902

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

903

for (j = Y->n; j > 0; j--) {

904

if (Y->p[j - 1] != 0) {

break;

}

}

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

909

/* If i == j == 0, i.e. abs(X) == abs(Y),

910

* we end up returning 0 at the end of the function. */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

if (i > j) {

return 1;

}

if (j > i) {

return -1;

}

for (; i > 0; i--) {

if (X->p[i - 1] > Y->p[i - 1]) {

921

return 1;

922

}

923

if (X->p[i - 1] < Y->p[i - 1]) {

return -1;

}

}

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Compare signed values

933

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

934

int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

{

size_t i, j;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

938

for (i = X->n; i > 0; i--) {

939

if (X->p[i - 1] != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

940

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

941

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

942

}

943

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

944

for (j = Y->n; j > 0; j--) {

945

if (Y->p[j - 1] != 0) {

break;

}

}

if (i == 0 && j == 0) {

return 0;

}

if (i > j) {

return X->s;

}

if (j > i) {

return -Y->s;

}

if (X->s > 0 && Y->s < 0) {

962

return 1;

963

}

964

if (Y->s > 0 && X->s < 0) {

return -1;

}

for (; i > 0; i--) {

if (X->p[i - 1] > Y->p[i - 1]) {

970

return X->s;

971

}

972

if (X->p[i - 1] < Y->p[i - 1]) {

return -X->s;

}

}

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Compare signed values

982

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

983

int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

984

{

985

mbedtls_mpi Y;

986

mbedtls_mpi_uint p[1];

987

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

988

*p = mpi_sint_abs(z);

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

989

Y.s = TO_SIGN(z);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

Y.n = 1;

Y.p = p;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

993

return mbedtls_mpi_cmp_mpi(X, &Y);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Unsigned addition: X = |A| + |B| (HAC 14.7)

998

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

999

int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1000

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1001

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1002

size_t j;

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1003

mbedtls_mpi_uint *p;

1004

mbedtls_mpi_uint c;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1005

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1006

if (X == B) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1007

const mbedtls_mpi *T = A; A = X; B = T;

1008

}

1009

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1010

if (X != A) {

1011

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));

1012

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1013

1014

/*

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1015

* X must always be positive as a result of unsigned additions.

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

*/

X->s = 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1019

for (j = B->n; j > 0; j--) {

1020

if (B->p[j - 1] != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1021

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1022

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1023

}

1024

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1025

/* Exit early to avoid undefined behavior on NULL+0 when X->n == 0

1026

* and B is 0 (of any size). */

if (j == 0) {

return 0;

}

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));

1032

1033

/* j is the number of non-zero limbs of B. Add those to X. */

1034

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1035

p = X->p;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1036

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1037

c = mbedtls_mpi_core_add(p, p, B->p, j);

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

p += j;

/* Now propagate any carry */

while (c != 0) {

if (j >= X->n) {

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1));

1046

p = X->p + j;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1047

}

1048

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1049

*p += c; c = (*p < c); j++; p++;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1054

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1055

}

1056

1057

/*

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1058

* Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1059

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1060

int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1061

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1062

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1063

size_t n;

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1064

mbedtls_mpi_uint carry;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1065

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1066

for (n = B->n; n > 0; n--) {

1067

if (B->p[n - 1] != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1068

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1069

}

1070

}

1071

if (n > A->n) {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1072

/* B >= (2^ciL)^n > A */

1073

ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;

1074

goto cleanup;

1075

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1076

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1077

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1078

1079

/* Set the high limbs of X to match A. Don't touch the lower limbs

1080

* because X might be aliased to B, and we must not overwrite the

1081

* significant digits of B. */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1082

if (A->n > n && A != X) {

1083

memcpy(X->p + n, A->p + n, (A->n - n) * ciL);

1084

}

1085

if (X->n > A->n) {

1086

memset(X->p + A->n, 0, (X->n - A->n) * ciL);

1087

}

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1088

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1089

carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n);

1090

if (carry != 0) {

1091

/* Propagate the carry through the rest of X. */

1092

carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n);

1093

1094

/* If we have further carry/borrow, the result is negative. */

1095

if (carry != 0) {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1096

ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;

1097

goto cleanup;

1098

}

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1099

}

1100

1101

/* X should always be positive as a result of unsigned subtractions. */

1102

X->s = 1;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1103

1104

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

return ret;

}

/* Common function for signed addition and subtraction.

1109

* Calculate A + B * flip_B where flip_B is 1 or -1.

1110

*/

1111

static int add_sub_mpi(mbedtls_mpi *X,

1112

const mbedtls_mpi *A, const mbedtls_mpi *B,

1113

int flip_B)

1114

{

1115

int ret, s;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1116

1117

s = A->s;

1118

if (A->s * B->s * flip_B < 0) {

1119

int cmp = mbedtls_mpi_cmp_abs(A, B);

1120

if (cmp >= 0) {

1121

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));

1122

/* If |A| = |B|, the result is 0 and we must set the sign bit

1123

* to +1 regardless of which of A or B was negative. Otherwise,

1124

* since |A| > |B|, the sign is the sign of A. */

1125

X->s = cmp == 0 ? 1 : s;

1126

} else {

1127

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));

1128

/* Since |A| < |B|, the sign is the opposite of A. */

X->s = -s;

}

} else {

MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));

X->s = s;

}

cleanup:

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Signed addition: X = A + B

1143

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1144

int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1145

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1146

return add_sub_mpi(X, A, B, 1);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Signed subtraction: X = A - B

1151

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1152

int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1153

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1154

return add_sub_mpi(X, A, B, -1);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Signed addition: X = A + b

1159

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1160

int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1161

{

Jerome Forissier

2022-08-09 17:10:15 +0200

[diff] [blame]

1162

mbedtls_mpi B;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1163

mbedtls_mpi_uint p[1];

1164

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1165

p[0] = mpi_sint_abs(b);

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1166

B.s = TO_SIGN(b);

Jerome Forissier

2022-08-09 17:10:15 +0200

[diff] [blame]

1167

B.n = 1;

1168

B.p = p;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1169

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1170

return mbedtls_mpi_add_mpi(X, A, &B);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Signed subtraction: X = A - b

1175

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1176

int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1177

{

Jerome Forissier

2022-08-09 17:10:15 +0200

[diff] [blame]

1178

mbedtls_mpi B;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1179

mbedtls_mpi_uint p[1];

1180

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1181

p[0] = mpi_sint_abs(b);

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1182

B.s = TO_SIGN(b);

Jerome Forissier

2022-08-09 17:10:15 +0200

[diff] [blame]

1183

B.n = 1;

1184

B.p = p;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1185

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1186

return mbedtls_mpi_sub_mpi(X, A, &B);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Baseline multiplication: X = A * B (HAC 14.12)

1191

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1192

int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1193

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1194

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1195

size_t i, j;

1196

mbedtls_mpi TA, TB;

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1197

int result_is_zero = 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1198

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1199

mbedtls_mpi_init(&TA);

1200

mbedtls_mpi_init(&TB);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1201

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1202

if (X == A) {

1203

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;

1204

}

1205

if (X == B) {

1206

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;

1207

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1208

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1209

for (i = A->n; i > 0; i--) {

1210

if (A->p[i - 1] != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1211

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1212

}

1213

}

1214

if (i == 0) {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1215

result_is_zero = 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1216

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1217

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1218

for (j = B->n; j > 0; j--) {

1219

if (B->p[j - 1] != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1220

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1221

}

1222

}

1223

if (j == 0) {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1224

result_is_zero = 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1225

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1226

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1227

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));

1228

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1229

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1230

mbedtls_mpi_core_mul(X->p, A->p, i, B->p, j);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1231

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1232

/* If the result is 0, we don't shortcut the operation, which reduces

1233

* but does not eliminate side channels leaking the zero-ness. We do

1234

* need to take care to set the sign bit properly since the library does

1235

* not fully support an MPI object with a value of 0 and s == -1. */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1236

if (result_is_zero) {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1237

X->s = 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1238

} else {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1239

X->s = A->s * B->s;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1240

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1244

mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1245

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1246

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Baseline multiplication: X = A * b

1251

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1252

int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1253

{

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1254

size_t n = A->n;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1255

while (n > 0 && A->p[n - 1] == 0) {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1256

--n;

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1257

}

1258

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1259

/* The general method below doesn't work if b==0. */

1260

if (b == 0 || n == 0) {

1261

return mbedtls_mpi_lset(X, 0);

1262

}

1263

1264

/* Calculate A*b as A + A*(b-1) to take advantage of mbedtls_mpi_core_mla */

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1265

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1266

/* In general, A * b requires 1 limb more than b. If

1267

* A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same

1268

* number of limbs as A and the call to grow() is not required since

1269

* copy() will take care of the growth if needed. However, experimentally,

1270

* making the call to grow() unconditional causes slightly fewer

1271

* calls to calloc() in ECP code, presumably because it reuses the

1272

* same mpi for a while and this way the mpi is more likely to directly

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1273

* grow to its final size.

1274

*

1275

* Note that calculating A*b as 0 + A*b doesn't work as-is because

1276

* A,X can be the same. */

1277

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));

1278

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));

1279

mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1);

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1280

1281

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1282

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and

1287

* mbedtls_mpi_uint divisor, d

1288

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1289

static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,

1290

mbedtls_mpi_uint u0,

1291

mbedtls_mpi_uint d,

1292

mbedtls_mpi_uint *r)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1293

{

1294

#if defined(MBEDTLS_HAVE_UDBL)

1295

mbedtls_t_udbl dividend, quotient;

1296

#else

1297

const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1298

const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1299

mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;

1300

mbedtls_mpi_uint u0_msw, u0_lsw;

size_t s;

#endif

/*

* Check for overflow

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1307

if (0 == d || u1 >= d) {

1308

if (r != NULL) {

1309

*r = ~(mbedtls_mpi_uint) 0u;

1310

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1311

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1312

return ~(mbedtls_mpi_uint) 0u;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1313

}

1314

1315

#if defined(MBEDTLS_HAVE_UDBL)

1316

dividend = (mbedtls_t_udbl) u1 << biL;

1317

dividend |= (mbedtls_t_udbl) u0;

1318

quotient = dividend / d;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1319

if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {

1320

quotient = ((mbedtls_t_udbl) 1 << biL) - 1;

1321

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1322

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1323

if (r != NULL) {

1324

*r = (mbedtls_mpi_uint) (dividend - (quotient * d));

1325

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1326

1327

return (mbedtls_mpi_uint) quotient;

#else

/*

* Algorithm D, Section 4.3.1 - The Art of Computer Programming

1332

* Vol. 2 - Seminumerical Algorithms, Knuth

*/

/*

* Normalize the divisor, d, and dividend, u0, u1

1337

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1338

s = mbedtls_mpi_core_clz(d);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1339

d = d << s;

1340

1341

u1 = u1 << s;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1342

u1 |= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

u0 = u0 << s;

d1 = d >> biH;

d0 = d & uint_halfword_mask;

1347

1348

u0_msw = u0 >> biH;

1349

u0_lsw = u0 & uint_halfword_mask;

1350

1351

/*

1352

* Find the first quotient and remainder

*/

q1 = u1 / d1;

r0 = u1 - d1 * q1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1357

while (q1 >= radix || (q1 * d0 > radix * r0 + u0_msw)) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

q1 -= 1;

r0 += d1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1361

if (r0 >= radix) {

1362

break;

1363

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1364

}

1365

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1366

rAX = (u1 * radix) + (u0_msw - q1 * d);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

q0 = rAX / d1;

r0 = rAX - q0 * d1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1370

while (q0 >= radix || (q0 * d0 > radix * r0 + u0_lsw)) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

q0 -= 1;

r0 += d1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1374

if (r0 >= radix) {

1375

break;

1376

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1377

}

1378

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1379

if (r != NULL) {

1380

*r = (rAX * radix + u0_lsw - q0 * d) >> s;

1381

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1382

1383

quotient = q1 * radix + q0;

return quotient;

#endif

}

/*

* Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)

1391

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1392

int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,

1393

const mbedtls_mpi *B)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1394

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1395

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1396

size_t i, n, t, k;

1397

mbedtls_mpi X, Y, Z, T1, T2;

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1398

mbedtls_mpi_uint TP2[3];

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1399

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1400

if (mbedtls_mpi_cmp_int(B, 0) == 0) {

1401

return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;

1402

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1403

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1404

mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);

1405

mbedtls_mpi_init(&T1);

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1406

/*

1407

* Avoid dynamic memory allocations for constant-size T2.

1408

*

1409

* T2 is used for comparison only and the 3 limbs are assigned explicitly,

1410

* so nobody increase the size of the MPI and we're safe to use an on-stack

1411

* buffer.

1412

*/

1413

T2.s = 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1414

T2.n = sizeof(TP2) / sizeof(*TP2);

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1415

T2.p = TP2;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1416

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1417

if (mbedtls_mpi_cmp_abs(A, B) < 0) {

1418

if (Q != NULL) {

1419

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));

1420

}

1421

if (R != NULL) {

1422

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));

1423

}

1424

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1425

}

1426

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1427

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));

1428

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1429

X.s = Y.s = 1;

1430

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1431

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));

1432

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));

1433

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1434

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1435

k = mbedtls_mpi_bitlen(&Y) % biL;

1436

if (k < biL - 1) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1437

k = biL - 1 - k;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1438

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));

1439

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));

1440

} else {

1441

k = 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1442

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1443

1444

n = X.n - 1;

1445

t = Y.n - 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1446

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1447

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1448

while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1449

Z.p[n - t]++;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1450

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1451

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1452

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1453

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1454

for (i = n; i > t; i--) {

1455

if (X.p[i] >= Y.p[t]) {

1456

Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;

1457

} else {

1458

Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],

1459

Y.p[t], NULL);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1460

}

1461

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1462

T2.p[0] = (i < 2) ? 0 : X.p[i - 2];

1463

T2.p[1] = (i < 1) ? 0 : X.p[i - 1];

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1464

T2.p[2] = X.p[i];

1465

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1466

Z.p[i - t - 1]++;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1467

do {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1468

Z.p[i - t - 1]--;

1469

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1470

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));

1471

T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1472

T1.p[1] = Y.p[t];

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1473

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));

1474

} while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1475

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1476

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));

1477

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));

1478

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1479

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1480

if (mbedtls_mpi_cmp_int(&X, 0) < 0) {

1481

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));

1482

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));

1483

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

Z.p[i - t - 1]--;

}

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1488

if (Q != NULL) {

1489

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

Q->s = A->s * B->s;

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1493

if (R != NULL) {

1494

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1495

X.s = A->s;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1496

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1497

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1498

if (mbedtls_mpi_cmp_int(R, 0) == 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1499

R->s = 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1500

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1505

mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);

1506

mbedtls_mpi_free(&T1);

1507

mbedtls_platform_zeroize(TP2, sizeof(TP2));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1508

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1509

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Division by int: A = Q * b + R

1514

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1515

int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R,

1516

const mbedtls_mpi *A,

1517

mbedtls_mpi_sint b)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1518

{

Jerome Forissier

2022-08-09 17:10:15 +0200

[diff] [blame]

1519

mbedtls_mpi B;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1520

mbedtls_mpi_uint p[1];

1521

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1522

p[0] = mpi_sint_abs(b);

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1523

B.s = TO_SIGN(b);

Jerome Forissier

2022-08-09 17:10:15 +0200

[diff] [blame]

1524

B.n = 1;

1525

B.p = p;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1526

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1527

return mbedtls_mpi_div_mpi(Q, R, A, &B);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Modulo: R = A mod B

1532

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1533

int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1534

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1535

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1536

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1537

if (mbedtls_mpi_cmp_int(B, 0) < 0) {

1538

return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;

1539

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1540

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1541

MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1542

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1543

while (mbedtls_mpi_cmp_int(R, 0) < 0) {

1544

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));

1545

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1546

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1547

while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {

1548

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));

1549

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1553

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Modulo: r = A mod b

1558

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1559

int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1560

{

1561

size_t i;

1562

mbedtls_mpi_uint x, y, z;

1563

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1564

if (b == 0) {

1565

return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;

1566

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1567

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1568

if (b < 0) {

1569

return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;

1570

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1571

1572

/*

1573

* handle trivial cases

1574

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1575

if (b == 1 || A->n == 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1576

*r = 0;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1577

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1578

}

1579

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1580

if (b == 2) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1581

*r = A->p[0] & 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1582

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* general case

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1588

for (i = A->n, y = 0; i > 0; i--) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1589

x = A->p[i - 1];

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1590

y = (y << biH) | (x >> biH);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

z = y / b;

y -= z * b;

x <<= biH;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1595

y = (y << biH) | (x >> biH);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

z = y / b;

y -= z * b;

}

/*

* If A is negative, then the current y represents a negative value.

1602

* Flipping it to the positive side.

1603

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1604

if (A->s < 0 && y != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1605

y = b - y;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1606

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

*r = y;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1610

return 0;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1611

}

1612

Jens Wiklander

12e83fc

2018-11-07 08:11:29 +0100

[diff] [blame^]

1613

/**

1614

* \remark Replaced by our own because the original has been removed since

1615

* mbedtls v3.6.0.

1616

*/

1617

void mbedtls_mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N)

1618

{

1619

*mm = mbedtls_mpi_core_montmul_init(N->p);

1620

}

1621

1622

/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)

1623

*

1624

* \param[in,out] A One of the numbers to multiply.

1625

* It must have at least as many limbs as N

1626

* (A->n >= N->n), and any limbs beyond n are ignored.

1627

* On successful completion, A contains the result of

1628

* the multiplication A * B * R^-1 mod N where

1629

* R = (2^ciL)^n.

1630

* \param[in] B One of the numbers to multiply.

1631

* It must be nonzero and must not have more limbs than N

1632

* (B->n <= N->n).

1633

* \param[in] N The modulus. \p N must be odd.

1634

* \param mm The value calculated by `mpi_montg_init(&mm, N)`.

1635

* This is -N^-1 mod 2^ciL.

1636

* \param[in,out] T A bignum for temporary storage.

1637

* It must be at least twice the limb size of N plus 1

1638

* (T->n >= 2 * N->n + 1).

1639

* Its initial content is unused and

1640

* its final content is indeterminate.

1641

* It does not get reallocated.

1642

* \remark Replaced by our own because the original has been removed since

1643

* mbedtls v3.6.0.

1644

*/

1645

void mbedtls_mpi_montmul(mbedtls_mpi *A, const mbedtls_mpi *B,

1646

const mbedtls_mpi *N, mbedtls_mpi_uint mm,

1647

mbedtls_mpi *T)

1648

{

1649

mbedtls_mpi_core_montmul(A->p, A->p, B->p, B->n, N->p, N->n, mm, T->p);

}

/**

* Montgomery reduction: A = A * R^-1 mod N

1654

*

1655

* See mbedtls_mpi_montmul() regarding constraints and guarantees on the parameters.

1656

*

1657

* \remark Replaced by our own because the original has been removed since

1658

* mbedtls v3.6.0.

1659

*/

1660

void mbedtls_mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N,

1661

mbedtls_mpi_uint mm, mbedtls_mpi *T)

1662

{

1663

mbedtls_mpi_uint z = 1;

mbedtls_mpi U;

U.n = U.s = (int) z;

U.p = &z;

mbedtls_mpi_montmul(A, &U, N, mm, T);

}

/*

* Sliding-window exponentiation: X = A^E mod N (HAC 14.85)

1674

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1675

int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,

1676

const mbedtls_mpi *E, const mbedtls_mpi *N,

1677

mbedtls_mpi *prec_RR)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1678

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1679

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

1680

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1681

if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) {

1682

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1683

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1684

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1685

if (mbedtls_mpi_cmp_int(E, 0) < 0) {

1686

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1687

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1688

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1689

if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS ||

1690

mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {

1691

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1692

}

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1693

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1694

/*

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1695

* Ensure that the exponent that we are passing to the core is not NULL.

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1696

*/

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1697

if (E->n == 0) {

1698

ret = mbedtls_mpi_lset(X, 1);

1699

return ret;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1700

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1701

1702

/*

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1703

* Allocate working memory for mbedtls_mpi_core_exp_mod()

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1704

*/

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1705

size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n);

1706

mbedtls_mpi_uint *T = (mbedtls_mpi_uint *) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint));

1707

if (T == NULL) {

1708

return MBEDTLS_ERR_MPI_ALLOC_FAILED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1709

}

1710

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1711

mbedtls_mpi RR;

1712

mbedtls_mpi_init(&RR);

1713

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1714

/*

1715

* If 1st call, pre-compute R^2 mod N

1716

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1717

if (prec_RR == NULL || prec_RR->p == NULL) {

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1718

MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1719

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1720

if (prec_RR != NULL) {

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1721

*prec_RR = RR;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1722

}

1723

} else {

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1724

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(prec_RR, N->n));

1725

RR = *prec_RR;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1726

}

1727

1728

/*

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1729

* To preserve constness we need to make a copy of A. Using X for this to

1730

* save memory.

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1731

*/

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1732

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1733

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1734

/*

1735

* Compensate for negative A (and correct at the end).

1736

*/

1737

X->s = 1;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1738

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1739

/*

1740

* Make sure that X is in a form that is safe for consumption by

1741

* the core functions.

1742

*

1743

* - The core functions will not touch the limbs of X above N->n. The

1744

* result will be correct if those limbs are 0, which the mod call

1745

* ensures.

1746

* - Also, X must have at least as many limbs as N for the calls to the

1747

* core functions.

1748

*/

1749

if (mbedtls_mpi_cmp_mpi(X, N) >= 0) {

1750

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));

1751

}

1752

MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n));

1753

1754

/*

1755

* Convert to and from Montgomery around mbedtls_mpi_core_exp_mod().

1756

*/

1757

{

1758

mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);

1759

mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);

1760

mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);

1761

mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1762

}

1763

1764

/*

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1765

* Correct for negative A.

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1766

*/

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1767

if (A->s == -1 && (E->p[0] & 1) != 0) {

1768

mbedtls_ct_condition_t is_x_non_zero = mbedtls_mpi_core_check_zero_ct(X->p, X->n);

1769

X->s = mbedtls_ct_mpi_sign_if(is_x_non_zero, -1, 1);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1770

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1771

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

cleanup:

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1776

mbedtls_mpi_zeroize_and_free(T, T_limbs);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1777

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1778

if (prec_RR == NULL || prec_RR->p == NULL) {

1779

mbedtls_mpi_free(&RR);

1780

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1781

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1782

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Greatest common divisor: G = gcd(A, B) (HAC 14.54)

1787

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1788

int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1789

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1790

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1791

size_t lz, lzt;

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1792

mbedtls_mpi TA, TB;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1793

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1794

mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1795

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1796

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));

1797

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1798

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1799

lz = mbedtls_mpi_lsb(&TA);

1800

lzt = mbedtls_mpi_lsb(&TB);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1801

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1802

/* The loop below gives the correct result when A==0 but not when B==0.

1803

* So have a special case for B==0. Leverage the fact that we just

1804

* calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test

1805

* slightly more efficient than cmp_int(). */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1806

if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) {

1807

ret = mbedtls_mpi_copy(G, A);

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

goto cleanup;

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1811

if (lzt < lz) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1812

lz = lzt;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1813

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1814

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1815

TA.s = TB.s = 1;

1816

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1817

/* We mostly follow the procedure described in HAC 14.54, but with some

1818

* minor differences:

1819

* - Sequences of multiplications or divisions by 2 are grouped into a

1820

* single shift operation.

1821

* - The procedure in HAC assumes that 0 < TB <= TA.

1822

* - The condition TB <= TA is not actually necessary for correctness.

1823

* TA and TB have symmetric roles except for the loop termination

1824

* condition, and the shifts at the beginning of the loop body

1825

* remove any significance from the ordering of TA vs TB before

1826

* the shifts.

1827

* - If TA = 0, the loop goes through 0 iterations and the result is

1828

* correctly TB.

1829

* - The case TB = 0 was short-circuited above.

1830

*

1831

* For the correctness proof below, decompose the original values of

1832

* A and B as

1833

* A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1

1834

* B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1

1835

* Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),

1836

* and gcd(A',B') is odd or 0.

1837

*

1838

* At the beginning, we have TA = |A| and TB = |B| so gcd(A,B) = gcd(TA,TB).

1839

* The code maintains the following invariant:

1840

* gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)

1841

*/

1842

1843

/* Proof that the loop terminates:

1844

* At each iteration, either the right-shift by 1 is made on a nonzero

1845

* value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases

1846

* by at least 1, or the right-shift by 1 is made on zero and then

1847

* TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted

1848

* since in that case TB is calculated from TB-TA with the condition TB>TA).

1849

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1850

while (mbedtls_mpi_cmp_int(&TA, 0) != 0) {

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1851

/* Divisions by 2 preserve the invariant (I). */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1852

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA)));

1853

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB)));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1854

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1855

/* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd,

1856

* TA-TB is even so the division by 2 has an integer result.

1857

* Invariant (I) is preserved since any odd divisor of both TA and TB

1858

* also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2

Jerome Forissier

2022-08-09 17:10:15 +0200

[diff] [blame]

1859

* also divides TB, and any odd divisor of both TB and |TA-TB|/2 also

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1860

* divides TA.

1861

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1862

if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) {

1863

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB));

1864

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1));

1865

} else {

1866

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA));

1867

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1868

}

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1869

/* Note that one of TA or TB is still odd. */

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1870

}

1871

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1872

/* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.

1873

* At the loop exit, TA = 0, so gcd(TA,TB) = TB.

1874

* - If there was at least one loop iteration, then one of TA or TB is odd,

1875

* and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,

1876

* lz = min(a,b) so gcd(A,B) = 2^lz * TB.

1877

* - If there was no loop iteration, then A was 0, and gcd(A,B) = B.

1878

* In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.

1879

*/

1880

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1881

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz));

1882

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1886

mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1887

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1888

return ret;

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1889

}

1890

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1891

/*

1892

* Fill X with size bytes of random.

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1893

* The bytes returned from the RNG are used in a specific order which

1894

* is suitable for deterministic ECDSA (see the specification of

1895

* mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()).

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1896

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1897

int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,

1898

int (*f_rng)(void *, unsigned char *, size_t),

1899

void *p_rng)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1900

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1901

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1902

const size_t limbs = CHARS_TO_LIMBS(size);

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

1903

Jerome Forissier

2020-04-07 11:18:49 +0200

[diff] [blame]

1904

/* Ensure that target MPI has exactly the necessary number of limbs */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1905

MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));

1906

if (size == 0) {

1907

return 0;

1908

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1909

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1910

ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1911

1912

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1913

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1914

}

1915

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1916

int mbedtls_mpi_random(mbedtls_mpi *X,

1917

mbedtls_mpi_sint min,

1918

const mbedtls_mpi *N,

1919

int (*f_rng)(void *, unsigned char *, size_t),

1920

void *p_rng)

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1921

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1922

if (min < 0) {

1923

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1924

}

1925

if (mbedtls_mpi_cmp_int(N, min) <= 0) {

1926

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1927

}

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1928

1929

/* Ensure that target MPI has exactly the same number of limbs

1930

* as the upper bound, even if the upper bound has leading zeros.

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1931

* This is necessary for mbedtls_mpi_core_random. */

1932

int ret = mbedtls_mpi_resize_clear(X, N->n);

1933

if (ret != 0) {

1934

return ret;

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1935

}

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1936

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1937

return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng);

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

1938

}

1939

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1940

/*

1941

* Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)

1942

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1943

int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1944

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

1945

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1946

mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;

1947

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1948

if (mbedtls_mpi_cmp_int(N, 1) <= 0) {

1949

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1950

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1951

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

1952

mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);

1953

mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);

1954

mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1955

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1956

MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1957

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1958

if (mbedtls_mpi_cmp_int(&G, 1) != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1959

ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;

goto cleanup;

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1963

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));

1964

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));

1965

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));

1966

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1967

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1968

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));

1969

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));

1970

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));

1971

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1972

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1973

do {

1974

while ((TU.p[0] & 1) == 0) {

1975

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1976

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1977

if ((U1.p[0] & 1) != 0 || (U2.p[0] & 1) != 0) {

1978

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));

1979

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1980

}

1981

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1982

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));

1983

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1984

}

1985

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1986

while ((TV.p[0] & 1) == 0) {

1987

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1988

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1989

if ((V1.p[0] & 1) != 0 || (V2.p[0] & 1) != 0) {

1990

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));

1991

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1992

}

1993

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1994

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));

1995

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

1996

}

1997

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

1998

if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {

1999

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));

2000

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));

2001

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));

2002

} else {

2003

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));

2004

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));

2005

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2006

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2007

} while (mbedtls_mpi_cmp_int(&TU, 0) != 0);

2008

2009

while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {

2010

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2011

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2012

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2013

while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {

2014

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));

2015

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2016

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2017

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2021

mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);

2022

mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);

2023

mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2024

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2025

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2026

}

2027

2028

#if defined(MBEDTLS_GENPRIME)

2029

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

2030

/* Gaps between primes, starting at 3. https://oeis.org/A001223 */

2031

static const unsigned char small_prime_gaps[] = {

2032

2, 2, 4, 2, 4, 2, 4, 6,

2033

2, 6, 4, 2, 4, 6, 6, 2,

2034

6, 4, 2, 6, 4, 6, 8, 4,

2035

2, 4, 2, 4, 14, 4, 6, 2,

2036

10, 2, 6, 6, 4, 6, 6, 2,

2037

10, 2, 4, 2, 12, 12, 4, 2,

2038

4, 6, 2, 10, 6, 6, 6, 2,

2039

6, 4, 2, 10, 14, 4, 2, 4,

2040

14, 6, 10, 2, 4, 6, 8, 6,

2041

6, 4, 6, 8, 4, 8, 10, 2,

2042

10, 2, 6, 4, 6, 8, 4, 2,

2043

4, 12, 8, 4, 8, 4, 6, 12,

2044

2, 18, 6, 10, 6, 6, 2, 6,

2045

10, 6, 6, 2, 6, 6, 4, 2,

2046

12, 10, 2, 4, 6, 6, 2, 12,

2047

4, 6, 8, 10, 8, 10, 8, 6,

2048

6, 4, 8, 6, 4, 8, 4, 14,

2049

10, 12, 2, 10, 2, 4, 2, 10,

2050

14, 4, 2, 4, 14, 4, 2, 4,

2051

20, 4, 8, 10, 8, 4, 6, 6,

2052

14, 4, 6, 6, 8, 6, /*reaches 997*/

2053

0 /* the last entry is effectively unused */

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

};

/*

* Small divisors test (X must be positive)

2058

*

2059

* Return values:

2060

* 0: no small factor (possible prime, more tests needed)

2061

* 1: certain prime

2062

* MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime

2063

* other negative: error

2064

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2065

static int mpi_check_small_factors(const mbedtls_mpi *X)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

{

int ret = 0;

size_t i;

mbedtls_mpi_uint r;

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

2070

unsigned p = 3; /* The first odd prime */

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2071

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2072

if ((X->p[0] & 1) == 0) {

2073

return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;

2074

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2075

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

2076

for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) {

2077

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p));

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2078

if (r == 0) {

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

2079

if (mbedtls_mpi_cmp_int(X, p) == 0) {

2080

return 1;

2081

} else {

2082

return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;

2083

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2084

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2085

}

2086

2087

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2088

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Miller-Rabin pseudo-primality test (HAC 4.24)

2093

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2094

static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,

2095

int (*f_rng)(void *, unsigned char *, size_t),

2096

void *p_rng)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2097

{

2098

int ret, count;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2099

size_t i, j, k, s;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2100

mbedtls_mpi W, R, T, A, RR;

2101

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

2102

mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);

2103

mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);

2104

mbedtls_mpi_init(&RR);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

/*

* W = |X| - 1

* R = W >> lsb( W )

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2110

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));

2111

s = mbedtls_mpi_lsb(&W);

2112

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));

2113

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2114

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2115

for (i = 0; i < rounds; i++) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2116

/*

2117

* pick a random A, 1 < A < |X| - 1

2118

*/

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2119

count = 0;

2120

do {

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2121

MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2122

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2123

j = mbedtls_mpi_bitlen(&A);

2124

k = mbedtls_mpi_bitlen(&W);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2125

if (j > k) {

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2126

A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2127

}

2128

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

2129

if (count++ > 30) {

Jens Wiklander

336e329

2019-01-17 11:14:38 +0100

[diff] [blame]

2130

ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;

2131

goto cleanup;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2132

}

2133

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2134

} while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 ||

2135

mbedtls_mpi_cmp_int(&A, 1) <= 0);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

/*

* A = A^R mod |X|

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2140

MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2141

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2142

if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 ||

2143

mbedtls_mpi_cmp_int(&A, 1) == 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2144

continue;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2145

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2146

2147

j = 1;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2148

while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2149

/*

2150

* A = A * A mod |X|

2151

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2152

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));

2153

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2154

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2155

if (mbedtls_mpi_cmp_int(&A, 1) == 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2156

break;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2157

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

j++;

}

/*

* not prime if A != |X| - 1 or A == 1

2164

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2165

if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 ||

2166

mbedtls_mpi_cmp_int(&A, 1) == 0) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2167

ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;

break;

}

}

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2173

mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);

2174

mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);

2175

mbedtls_mpi_free(&RR);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2176

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2177

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

/*

* Pseudo-primality test: small factors, then Miller-Rabin

2182

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2183

int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,

2184

int (*f_rng)(void *, unsigned char *, size_t),

2185

void *p_rng)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2186

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

2187

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

mbedtls_mpi XX;

XX.s = 1;

XX.n = X->n;

XX.p = X->p;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2194

if (mbedtls_mpi_cmp_int(&XX, 0) == 0 ||

2195

mbedtls_mpi_cmp_int(&XX, 1) == 0) {

2196

return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2197

}

2198

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2199

if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {

2200

return 0;

2201

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2202

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2203

if ((ret = mpi_check_small_factors(&XX)) != 0) {

2204

if (ret == 1) {

2205

return 0;

2206

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2207

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

return ret;

}

return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2212

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2213

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2214

/*

2215

* Prime number generation

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2216

*

2217

* To generate an RSA key in a way recommended by FIPS 186-4, both primes must

2218

* be either 1024 bits or 1536 bits long, and flags must contain

2219

* MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2220

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2221

int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,

2222

int (*f_rng)(void *, unsigned char *, size_t),

2223

void *p_rng)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2224

{

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2225

#ifdef MBEDTLS_HAVE_INT64

2226

// ceil(2^63.5)

2227

#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL

2228

#else

2229

// ceil(2^31.5)

2230

#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U

2231

#endif

2232

int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2233

size_t k, n;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2234

int rounds;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

mbedtls_mpi_uint r;

mbedtls_mpi Y;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2238

if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS) {

2239

return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

2240

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2241

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

2242

mbedtls_mpi_init(&Y);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2243

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2244

n = BITS_TO_LIMBS(nbits);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2245

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2246

if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2247

/*

2248

* 2^-80 error probability, number of rounds chosen per HAC, table 4.4

2249

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2250

rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :

2251

(nbits >= 650) ? 4 : (nbits >= 350) ? 8 :

2252

(nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);

2253

} else {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2254

/*

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2255

* 2^-100 error probability, number of rounds computed based on HAC,

2256

* fact 4.48

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2257

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2258

rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :

2259

(nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :

2260

(nbits >= 750) ? 8 : (nbits >= 500) ? 13 :

2261

(nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2262

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2263

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2264

while (1) {

2265

MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2266

/* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2267

if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {

2268

continue;

2269

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2270

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2271

k = n * biL;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2272

if (k > nbits) {

2273

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));

2274

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2275

X->p[0] |= 1;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2276

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2277

if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {

2278

ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2279

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2280

if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2281

goto cleanup;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2282

}

2283

} else {

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2284

/*

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2285

* A necessary condition for Y and X = 2Y + 1 to be prime

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2286

* is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).

2287

* Make sure it is satisfied, while keeping X = 3 mod 4

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2288

*/

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

X->p[0] |= 2;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2292

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));

2293

if (r == 0) {

2294

MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));

2295

} else if (r == 1) {

2296

MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));

2297

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2298

2299

/* Set Y = (X-1) / 2, which is X / 2 because X is odd */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2300

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));

2301

MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2302

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2303

while (1) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2304

/*

2305

* First, check small factors for X and Y

2306

* before doing Miller-Rabin on any of them

2307

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2308

if ((ret = mpi_check_small_factors(X)) == 0 &&

2309

(ret = mpi_check_small_factors(&Y)) == 0 &&

2310

(ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))

2311

== 0 &&

2312

(ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))

2313

== 0) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2314

goto cleanup;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2315

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2316

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2317

if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2318

goto cleanup;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2319

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2320

2321

/*

2322

* Next candidates. We want to preserve Y = (X-1) / 2 and

2323

* Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)

2324

* so up Y by 6 and X by 12.

2325

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2326

MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));

2327

MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

2328

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

}

}

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2334

mbedtls_mpi_free(&Y);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2335

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2336

return ret;

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2337

}

2338

2339

#endif /* MBEDTLS_GENPRIME */

2340

2341

#if defined(MBEDTLS_SELF_TEST)

2342

2343

#define GCD_PAIR_COUNT 3

2344

2345

static const int gcd_pairs[GCD_PAIR_COUNT][3] =

{

{ 693, 609, 21 },

{ 1764, 868, 28 },

{ 768454923, 542167814, 1 }

};

/*

* Checkup routine

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2355

int mbedtls_mpi_self_test(int verbose)

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2356

{

2357

int ret, i;

2358

mbedtls_mpi A, E, N, X, Y, U, V;

2359

Tom Van Eyck

2024-04-09 18:44:13 +0200

[diff] [blame]

2360

mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);

2361

mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2362

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2363

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,

2364

"EFE021C2645FD1DC586E69184AF4A31E" \

2365

"D5F53E93B5F123FA41680867BA110131" \

2366

"944FE7952E2517337780CB0DB80E61AA" \

2367

"E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2368

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2369

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,

2370

"B2E7EFD37075B9F03FF989C7C5051C20" \

2371

"34D2A323810251127E7BF8625A4F49A5" \

2372

"F3E27F4DA8BD59C47D6DAABA4C8127BD" \

2373

"5B5C25763222FEFCCFC38B832366C29E"));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2374

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2375

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,

2376

"0066A198186C18C10B2F5ED9B522752A" \

2377

"9830B69916E535C8F047518A889A43A5" \

2378

"94B6BED27A168D31D4A52F88925AA8F5"));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2379

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2380

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2381

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2382

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,

2383

"602AB7ECA597A3D6B56FF9829A5E8B85" \

2384

"9E857EA95A03512E2BAE7391688D264A" \

2385

"A5663B0341DB9CCFD2C4C5F421FEC814" \

2386

"8001B72E848A38CAE1C65F78E56ABDEF" \

2387

"E12D3C039B8A02D6BE593F0BBBDA56F1" \

2388

"ECF677152EF804370C1A305CAF3B5BF1" \

2389

"30879B56C61DE584A0F53A2447A51E"));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2390

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2391

if (verbose != 0) {

2392

mbedtls_printf(" MPI test #1 (mul_mpi): ");

2393

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2394

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2395

if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {

2396

if (verbose != 0) {

2397

mbedtls_printf("failed\n");

2398

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

ret = 1;

goto cleanup;

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2404

if (verbose != 0) {

2405

mbedtls_printf("passed\n");

2406

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2407

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2408

MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2409

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2410

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,

2411

"256567336059E52CAE22925474705F39A94"));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2412

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2413

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,

2414

"6613F26162223DF488E9CD48CC132C7A" \

2415

"0AC93C701B001B092E4E5B9F73BCD27B" \

2416

"9EE50D0657C77F374E903CDFA4C642"));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2417

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2418

if (verbose != 0) {

2419

mbedtls_printf(" MPI test #2 (div_mpi): ");

2420

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2421

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2422

if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 ||

2423

mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {

2424

if (verbose != 0) {

2425

mbedtls_printf("failed\n");

2426

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

ret = 1;

goto cleanup;

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2432

if (verbose != 0) {

2433

mbedtls_printf("passed\n");

2434

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2435

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2436

MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2437

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2438

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,

2439

"36E139AEA55215609D2816998ED020BB" \

2440

"BD96C37890F65171D948E9BC7CBAA4D9" \

2441

"325D24D6A3C12710F10A09FA08AB87"));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2442

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2443

if (verbose != 0) {

2444

mbedtls_printf(" MPI test #3 (exp_mod): ");

2445

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2446

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2447

if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {

2448

if (verbose != 0) {

2449

mbedtls_printf("failed\n");

2450

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

ret = 1;

goto cleanup;

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2456

if (verbose != 0) {

2457

mbedtls_printf("passed\n");

2458

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2459

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2460

MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2461

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2462

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,

2463

"003A0AAEDD7E784FC07D8F9EC6E3BFD5" \

2464

"C3DBA76456363A10869622EAC2DD84EC" \

2465

"C5B8A74DAC4D09E03B5E0BE779F2DF61"));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2466

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2467

if (verbose != 0) {

2468

mbedtls_printf(" MPI test #4 (inv_mod): ");

2469

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2470

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2471

if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {

2472

if (verbose != 0) {

2473

mbedtls_printf("failed\n");

2474

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

ret = 1;

goto cleanup;

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2480

if (verbose != 0) {

2481

mbedtls_printf("passed\n");

2482

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2483

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2484

if (verbose != 0) {

2485

mbedtls_printf(" MPI test #5 (simple gcd): ");

2486

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2487

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2488

for (i = 0; i < GCD_PAIR_COUNT; i++) {

2489

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));

2490

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2491

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2492

MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2493

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2494

if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {

2495

if (verbose != 0) {

2496

mbedtls_printf("failed at %d\n", i);

2497

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

ret = 1;

goto cleanup;

}

}

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2504

if (verbose != 0) {

2505

mbedtls_printf("passed\n");

2506

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2510

if (ret != 0 && verbose != 0) {

2511

mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);

2512

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2513

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2514

mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);

2515

mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2516

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2517

if (verbose != 0) {

2518

mbedtls_printf("\n");

2519

}

Jens Wiklander

2018-05-22 13:49:31 +0200

[diff] [blame]

2520

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

2521

return ret;

Jens Wiklander