Blame - library/bignum.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 358714839c7edee8a8edf34cee5a91ad6f315588 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* Multi-precision integer library
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Dave Rodgman	16799db	2023-11-02 19:47:20 +0000	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	6	*/
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	7
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	8	/*
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	9	* The following sources were referenced in the design of this Multi-precision
				10	* Integer library:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	11	*
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	12	* [1] Handbook of Applied Cryptography - 1997
				13	* Menezes, van Oorschot and Vanstone
				14	*
				15	* [2] Multi-Precision Math
				16	* Tom St Denis
				17	* https://github.com/libtom/libtommath/blob/develop/tommath.pdf
				18	*
				19	* [3] GNU Multi-Precision Arithmetic Library
				20	* https://gmplib.org/manual/index.html
				21	*
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	22	*/
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	23
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	24	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	25
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	26	#if defined(MBEDTLS_BIGNUM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	27
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	28	#include "mbedtls/bignum.h"
Janos Follath	4614b9a	2022-07-21 15:34:47 +0100	[diff] [blame]	29	#include "bignum_core.h"
Janos Follath	5f31697	2024-08-22 14:53:13 +0100	[diff] [blame]	30	#include "bignum_internal.h"
Chris Jones	4c5819c	2021-03-03 17:45:34 +0000	[diff] [blame]	31	#include "bn_mul.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	32	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	33	#include "mbedtls/error.h"
Gabor Mezei	22c9a6f	2021-10-20 12:09:35 +0200	[diff] [blame]	34	#include "constant_time_internal.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	35
Dave Rodgman	351c71b	2021-12-06 17:50:53 +0000	[diff] [blame]	36	#include <limits.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	37	#include <string.h>
				38
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	39	#include "mbedtls/platform.h"
Paul Bakker	6e339b5	2013-07-03 13:37:05 +0200	[diff] [blame]	40
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	41
				42
				43	/*
				44	* Conditionally select an MPI sign in constant time.
				45	* (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid
				46	* values.)
				47	*/
Janos Follath	b888bc0	2024-03-11 09:29:53 +0000	[diff] [blame]	48	static inline signed short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond,
				49	signed short sign1, signed short sign2)
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	50	{
Janos Follath	b888bc0	2024-03-11 09:29:53 +0000	[diff] [blame]	51	return (signed short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1;
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	52	}
				53
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	54	/*
				55	* Compare signed values in constant time
				56	*/
				57	int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
				58	const mbedtls_mpi *Y,
				59	unsigned *ret)
				60	{
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	61	mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	62
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	63	if (X->n != Y->n) {
				64	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				65	}
				66
				67	/*
Dave Rodgman	b69239c	2023-08-09 14:53:18 +0100	[diff] [blame]	68	* Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0.
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	69	* We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
				70	*/
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	71	X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1);
				72	Y_is_negative = mbedtls_ct_bool((Y->s & 2) >> 1);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	73
				74	/*
				75	* If the signs are different, then the positive operand is the bigger.
				76	* That is if X is negative (X_is_negative == 1), then X < Y is true and it
				77	* is false if X is positive (X_is_negative == 0).
				78	*/
Dave Rodgman	1cfc43c	2023-09-19 16:18:59 +0100	[diff] [blame]	79	different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	80	result = mbedtls_ct_bool_and(different_sign, X_is_negative);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	81
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	82	/*
				83	* Assuming signs are the same, compare X and Y. We switch the comparison
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	84	* order if they are negative so that we get the right result, regardles of
				85	* sign.
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	86	*/
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	87
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	88	/* This array is used to conditionally swap the pointers in const time */
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	89	void * const p[2] = { X->p, Y->p };
Dave Rodgman	98ddc01	2023-08-10 12:11:31 +0100	[diff] [blame]	90	size_t i = mbedtls_ct_size_if_else_0(X_is_negative, 1);
Dave Rodgman	2c76484	2023-05-18 13:28:21 +0100	[diff] [blame]	91	mbedtls_ct_condition_t lt = mbedtls_mpi_core_lt_ct(p[i], p[i ^ 1], X->n);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	92
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	93	/*
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	94	* Store in result iff the signs are the same (i.e., iff different_sign == false). If
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	95	* the signs differ, result has already been set, so we don't change it.
				96	*/
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	97	result = mbedtls_ct_bool_or(result,
				98	mbedtls_ct_bool_and(mbedtls_ct_bool_not(different_sign), lt));
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	99
Dave Rodgman	98ddc01	2023-08-10 12:11:31 +0100	[diff] [blame]	100	*ret = mbedtls_ct_uint_if_else_0(result, 1);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	101
				102	return 0;
				103	}
				104
				105	/*
				106	* Conditionally assign X = Y, without leaking information
				107	* about whether the assignment was made or not.
				108	* (Leaking information about the respective sizes of X and Y is ok however.)
				109	*/
Dave Rodgman	0a48717	2023-09-15 11:52:06 +0100	[diff] [blame]	110	#if defined(_MSC_VER) && defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \
				111	(_MSC_FULL_VER < 193131103)
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	112	/*
				113	* MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:
				114	* https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989
				115	*/
				116	__declspec(noinline)
				117	#endif
				118	int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X,
				119	const mbedtls_mpi *Y,
				120	unsigned char assign)
				121	{
				122	int ret = 0;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	123
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	124	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
				125
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	126	{
				127	mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign);
Dave Rodgman	589ccb8	2023-05-17 13:55:01 +0100	[diff] [blame]	128
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	129	X->s = mbedtls_ct_mpi_sign_if(do_assign, Y->s, X->s);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	130
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	131	mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	132
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	133	mbedtls_ct_condition_t do_not_assign = mbedtls_ct_bool_not(do_assign);
				134	for (size_t i = Y->n; i < X->n; i++) {
				135	X->p[i] = mbedtls_ct_mpi_uint_if_else_0(do_not_assign, X->p[i]);
				136	}
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	137	}
				138
				139	cleanup:
				140	return ret;
				141	}
				142
				143	/*
				144	* Conditionally swap X and Y, without leaking information
				145	* about whether the swap was made or not.
				146	* Here it is not ok to simply swap the pointers, which would lead to
				147	* different memory access patterns when X and Y are used afterwards.
				148	*/
				149	int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X,
				150	mbedtls_mpi *Y,
				151	unsigned char swap)
				152	{
				153	int ret = 0;
				154	int s;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	155
				156	if (X == Y) {
				157	return 0;
				158	}
				159
Dave Rodgman	cd2e38b	2023-05-17 13:31:55 +0100	[diff] [blame]	160	mbedtls_ct_condition_t do_swap = mbedtls_ct_bool(swap);
				161
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	162	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
				163	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n));
				164
				165	s = X->s;
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	166	X->s = mbedtls_ct_mpi_sign_if(do_swap, Y->s, X->s);
				167	Y->s = mbedtls_ct_mpi_sign_if(do_swap, s, Y->s);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	168
Dave Rodgman	cd2e38b	2023-05-17 13:31:55 +0100	[diff] [blame]	169	mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	170
				171	cleanup:
				172	return ret;
				173	}
				174
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	175	/* Implementation that should never be optimized out by the compiler */
Tom Cosgrove	bc345e8	2023-07-25 15:17:39 +0100	[diff] [blame]	176	#define mbedtls_mpi_zeroize_and_free(v, n) mbedtls_zeroize_and_free(v, ciL * (n))
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	177
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	178	/*
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	179	* Initialize one MPI
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	180	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	181	void mbedtls_mpi_init(mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	182	{
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	183	X->s = 1;
				184	X->n = 0;
				185	X->p = NULL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	186	}
				187
				188	/*
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	189	* Unallocate one MPI
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	190	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	191	void mbedtls_mpi_free(mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	192	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	193	if (X == NULL) {
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	194	return;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	195	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	196
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	197	if (X->p != NULL) {
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	198	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	199	}
				200
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	201	X->s = 1;
				202	X->n = 0;
				203	X->p = NULL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	204	}
				205
				206	/*
				207	* Enlarge to the specified number of limbs
				208	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	209	int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	210	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	211	mbedtls_mpi_uint *p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	212
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	213	if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
				214	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				215	}
Paul Bakker	f968857	2011-05-05 10:00:45 +0000	[diff] [blame]	216
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	217	if (X->n < nblimbs) {
				218	if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {
				219	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				220	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	221
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	222	if (X->p != NULL) {
				223	memcpy(p, X->p, X->n * ciL);
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	224	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	225	}
				226
Gilles Peskine	053022f	2023-06-29 19:26:48 +0200	[diff] [blame]	227	/* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
				228	* fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
				229	X->n = (unsigned short) nblimbs;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	230	X->p = p;
				231	}
				232
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	233	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	234	}
				235
				236	/*
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	237	* Resize down as much as possible,
				238	* while keeping at least the specified number of limbs
				239	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	240	int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	241	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	242	mbedtls_mpi_uint *p;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	243	size_t i;
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	244
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	245	if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
				246	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				247	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	248
Gilles Peskine	e2f563e	2020-01-20 21:17:43 +0100	[diff] [blame]	249	/* Actually resize up if there are currently fewer than nblimbs limbs. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	250	if (X->n <= nblimbs) {
				251	return mbedtls_mpi_grow(X, nblimbs);
				252	}
Gilles Peskine	322752b	2020-01-21 13:59:51 +0100	[diff] [blame]	253	/* After this point, then X->n > nblimbs and in particular X->n > 0. */
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	254
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	255	for (i = X->n - 1; i > 0; i--) {
				256	if (X->p[i] != 0) {
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	257	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	258	}
				259	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	260	i++;
				261
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	262	if (i < nblimbs) {
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	263	i = nblimbs;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	264	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	265
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	266	if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {
				267	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				268	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	269
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	270	if (X->p != NULL) {
				271	memcpy(p, X->p, i * ciL);
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	272	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	273	}
				274
Gilles Peskine	053022f	2023-06-29 19:26:48 +0200	[diff] [blame]	275	/* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
				276	* fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
				277	X->n = (unsigned short) i;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	278	X->p = p;
				279
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	280	return 0;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	281	}
				282
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	283	/* Resize X to have exactly n limbs and set it to 0. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	284	static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	285	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	286	if (limbs == 0) {
				287	mbedtls_mpi_free(X);
				288	return 0;
				289	} else if (X->n == limbs) {
				290	memset(X->p, 0, limbs * ciL);
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	291	X->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	292	return 0;
				293	} else {
				294	mbedtls_mpi_free(X);
				295	return mbedtls_mpi_grow(X, limbs);
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	296	}
				297	}
				298
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	299	/*
Gilles Peskine	3da1a8f	2021-06-08 23:17:42 +0200	[diff] [blame]	300	* Copy the contents of Y into X.
				301	*
				302	* This function is not constant-time. Leading zeros in Y may be removed.
				303	*
				304	* Ensure that X does not shrink. This is not guaranteed by the public API,
Janos Follath	c9faea0	2024-02-19 10:49:18 +0000	[diff] [blame]	305	* but some code in the bignum module might still rely on this property.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	306	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	307	int mbedtls_mpi_copy(mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	308	{
Gilles Peskine	4e4be7c	2018-03-21 16:29:03 +0100	[diff] [blame]	309	int ret = 0;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	310	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	311
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	312	if (X == Y) {
				313	return 0;
Manuel Pégourié-Gonnard	f499993	2013-08-12 17:02:59 +0200	[diff] [blame]	314	}
				315
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	316	if (Y->n == 0) {
				317	if (X->n != 0) {
				318	X->s = 1;
				319	memset(X->p, 0, X->n * ciL);
				320	}
				321	return 0;
				322	}
				323
				324	for (i = Y->n - 1; i > 0; i--) {
				325	if (Y->p[i] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	326	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	327	}
				328	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	329	i++;
				330
				331	X->s = Y->s;
				332
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	333	if (X->n < i) {
				334	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));
				335	} else {
				336	memset(X->p + i, 0, (X->n - i) * ciL);
Gilles Peskine	4e4be7c	2018-03-21 16:29:03 +0100	[diff] [blame]	337	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	338
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	339	memcpy(X->p, Y->p, i * ciL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	340
				341	cleanup:
				342
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	343	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	344	}
				345
				346	/*
				347	* Swap the contents of X and Y
				348	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	349	void mbedtls_mpi_swap(mbedtls_mpi X, mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	350	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	351	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	352
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	353	memcpy(&T, X, sizeof(mbedtls_mpi));
				354	memcpy(X, Y, sizeof(mbedtls_mpi));
				355	memcpy(Y, &T, sizeof(mbedtls_mpi));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	356	}
				357
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	358	static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	359	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	360	if (z >= 0) {
				361	return z;
				362	}
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	363	/* Take care to handle the most negative value (-2^(biL-1)) correctly.
				364	* A naive -z would have undefined behavior.
				365	* Write this in a way that makes popular compilers happy (GCC, Clang,
				366	* MSVC). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	367	return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	368	}
				369
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	370	/* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative.
				371	* This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */
Dave Rodgman	73d8591	2023-09-28 17:00:50 +0100	[diff] [blame]	372	#define TO_SIGN(x) ((mbedtls_mpi_sint) (((mbedtls_mpi_uint) x) >> (biL - 1)) * -2 + 1)
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	373
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	374	/*
				375	* Set value from integer
				376	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	377	int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	378	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	379	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	380
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	381	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
				382	memset(X->p, 0, X->n * ciL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	383
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	384	X->p[0] = mpi_sint_abs(z);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	385	X->s = TO_SIGN(z);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	386
				387	cleanup:
				388
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	389	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	390	}
				391
				392	/*
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	393	* Get a specific bit
				394	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	395	int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	396	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	397	if (X->n * biL <= pos) {
				398	return 0;
				399	}
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	400
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	401	return (X->p[pos / biL] >> (pos % biL)) & 0x01;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	402	}
				403
				404	/*
				405	* Set a bit to a specific value of 0 or 1
				406	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	407	int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	408	{
				409	int ret = 0;
				410	size_t off = pos / biL;
				411	size_t idx = pos % biL;
				412
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	413	if (val != 0 && val != 1) {
				414	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	415	}
				416
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	417	if (X->n * biL <= pos) {
				418	if (val == 0) {
				419	return 0;
				420	}
				421
				422	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));
				423	}
				424
				425	X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	426	X->p[off] \|= (mbedtls_mpi_uint) val << idx;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	427
				428	cleanup:
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	429
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	430	return ret;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	431	}
				432
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	433	#if defined(__has_builtin)
				434	#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz)
				435	#define mbedtls_mpi_uint_ctz __builtin_ctz
				436	#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_ctzl)
				437	#define mbedtls_mpi_uint_ctz __builtin_ctzl
				438	#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_ctzll)
				439	#define mbedtls_mpi_uint_ctz __builtin_ctzll
				440	#endif
				441	#endif
				442
Manuel Pégourié-Gonnard	65b8011	2025-07-10 21:26:42 +0200	[diff] [blame]	443	#if !defined(mbedtls_mpi_uint_ctz)
				444	static size_t mbedtls_mpi_uint_ctz(mbedtls_mpi_uint x)
				445	{
				446	size_t count = 0;
				447	mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE;
				448
				449	for (size_t i = 0; i < biL; i++) {
				450	mbedtls_ct_condition_t non_zero = mbedtls_ct_bool((x >> i) & 1);
				451	done = mbedtls_ct_bool_or(done, non_zero);
				452	count = mbedtls_ct_size_if(done, count, i + 1);
				453	}
				454
				455	return count;
				456	}
				457	#endif
				458
				459	/*
				460	* Return the number of less significant zero-bits
				461	*/
				462	size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
				463	{
				464	size_t i;
				465
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	466	for (i = 0; i < X->n; i++) {
Dave Rodgman	960eca9	2023-08-09 20:43:18 +0100	[diff] [blame]	467	if (X->p[i] != 0) {
				468	return i * biL + mbedtls_mpi_uint_ctz(X->p[i]);
				469	}
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	470	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	471
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	472	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	473	}
				474
				475	/*
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	476	* Return the number of bits
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	477	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	478	size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	479	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	480	return mbedtls_mpi_core_bitlen(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	481	}
				482
				483	/*
				484	* Return the total size in bytes
				485	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	486	size_t mbedtls_mpi_size(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	487	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	488	return (mbedtls_mpi_bitlen(X) + 7) >> 3;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	489	}
				490
				491	/*
				492	* Convert an ASCII character to digit value
				493	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	494	static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	495	{
				496	*d = 255;
				497
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	498	if (c >= 0x30 && c <= 0x39) {
				499	*d = c - 0x30;
				500	}
				501	if (c >= 0x41 && c <= 0x46) {
				502	*d = c - 0x37;
				503	}
				504	if (c >= 0x61 && c <= 0x66) {
				505	*d = c - 0x57;
				506	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	507
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	508	if (*d >= (mbedtls_mpi_uint) radix) {
				509	return MBEDTLS_ERR_MPI_INVALID_CHARACTER;
				510	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	511
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	512	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	513	}
				514
				515	/*
				516	* Import from an ASCII string
				517	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	518	int mbedtls_mpi_read_string(mbedtls_mpi X, int radix, const char s)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	519	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	520	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	521	size_t i, j, slen, n;
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	522	int sign = 1;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	523	mbedtls_mpi_uint d;
				524	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	525
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	526	if (radix < 2 \|\| radix > 16) {
				527	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Gilles Peskine	7cba859	2021-06-08 18:32:34 +0200	[diff] [blame]	528	}
				529
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	530	mbedtls_mpi_init(&T);
				531
				532	if (s[0] == 0) {
				533	mbedtls_mpi_free(X);
				534	return 0;
				535	}
				536
				537	if (s[0] == '-') {
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	538	++s;
				539	sign = -1;
				540	}
				541
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	542	slen = strlen(s);
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	543
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	544	if (radix == 16) {
Dave Rodgman	68ef1d6	2023-05-18 20:49:03 +0100	[diff] [blame]	545	if (slen > SIZE_MAX >> 2) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	546	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	547	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	548
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	549	n = BITS_TO_LIMBS(slen << 2);
				550
				551	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));
				552	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
				553
				554	for (i = slen, j = 0; i > 0; i--, j++) {
				555	MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));
				556	X->p[j / (2 * ciL)] \|= d << ((j % (2 * ciL)) << 2);
				557	}
				558	} else {
				559	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
				560
				561	for (i = 0; i < slen; i++) {
				562	MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));
				563	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));
				564	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	565	}
				566	}
				567
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	568	if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	569	X->s = -1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	570	}
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	571
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	572	cleanup:
				573
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	574	mbedtls_mpi_free(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	575
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	576	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	577	}
				578
				579	/*
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	580	* Helper to write the digits high-order first.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	581	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	582	static int mpi_write_hlp(mbedtls_mpi *X, int radix,
				583	char **p, const size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	584	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	585	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	586	mbedtls_mpi_uint r;
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	587	size_t length = 0;
				588	char p_end = p + buflen;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	589
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	590	do {
				591	if (length >= buflen) {
				592	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	593	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	594
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	595	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
				596	MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	597	/*
				598	* Write the residue in the current position, as an ASCII character.
				599	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	600	if (r < 0xA) {
				601	*(--p_end) = (char) ('0' + r);
				602	} else {
				603	*(--p_end) = (char) ('A' + (r - 0xA));
				604	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	605
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	606	length++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	607	} while (mbedtls_mpi_cmp_int(X, 0) != 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	608
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	609	memmove(*p, p_end, length);
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	610	*p += length;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	611
				612	cleanup:
				613
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	614	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	615	}
				616
				617	/*
				618	* Export into an ASCII string
				619	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	620	int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
				621	char buf, size_t buflen, size_t olen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	622	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	623	int ret = 0;
				624	size_t n;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	625	char *p;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	626	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	627
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	628	if (radix < 2 \|\| radix > 16) {
				629	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				630	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	631
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	632	n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */
				633	if (radix >= 4) {
				634	n >>= 1; /* Number of 4-adic digits necessary to present
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	635	* `n`. If radix > 4, this might be a strict
				636	* overapproximation of the number of
				637	* radix-adic digits needed to present `n`. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	638	}
				639	if (radix >= 16) {
				640	n >>= 1; /* Number of hexadecimal digits necessary to
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	641	* present `n`. */
				642
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	643	}
Janos Follath	8047062	2019-03-06 13:43:02 +0000	[diff] [blame]	644	n += 1; /* Terminating null byte */
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	645	n += 1; /* Compensate for the divisions above, which round down `n`
				646	* in case it's not even. */
				647	n += 1; /* Potential '-'-sign. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	648	n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	649	* which always uses an even number of hex-digits. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	650
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	651	if (buflen < n) {
Manuel Pégourié-Gonnard	f79b425	2015-06-02 15:41:48 +0100	[diff] [blame]	652	*olen = n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	653	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	654	}
				655
Manuel Pégourié-Gonnard	f79b425	2015-06-02 15:41:48 +0100	[diff] [blame]	656	p = buf;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	657	mbedtls_mpi_init(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	658
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	659	if (X->s == -1) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	660	*p++ = '-';
Hanno Becker	c983c81	2019-02-01 16:41:30 +0000	[diff] [blame]	661	buflen--;
				662	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	663
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	664	if (radix == 16) {
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	665	int c;
				666	size_t i, j, k;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	667
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	668	for (i = X->n, k = 0; i > 0; i--) {
				669	for (j = ciL; j > 0; j--) {
				670	c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	671
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	672	if (c == 0 && k == 0 && (i + j) != 2) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	673	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	674	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	675
Paul Bakker	98fe5ea	2012-10-24 11:17:48 +0000	[diff] [blame]	676	*(p++) = "0123456789ABCDEF" [c / 16];
Paul Bakker	d2c167e	2012-10-30 07:49:19 +0000	[diff] [blame]	677	*(p++) = "0123456789ABCDEF" [c % 16];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	678	k = 1;
				679	}
				680	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	681	} else {
				682	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	683
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	684	if (T.s == -1) {
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	685	T.s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	686	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	687
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	688	MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	689	}
				690
				691	*p++ = '\0';
Dave Rodgman	e4a6f5a	2023-11-04 12:20:09 +0000	[diff] [blame]	692	*olen = (size_t) (p - buf);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	693
				694	cleanup:
				695
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	696	mbedtls_mpi_free(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	697
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	698	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	699	}
				700
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	701	#if defined(MBEDTLS_FS_IO)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	702	/*
				703	* Read X from an opened file
				704	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	705	int mbedtls_mpi_read_file(mbedtls_mpi X, int radix, FILE fin)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	706	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	707	mbedtls_mpi_uint d;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	708	size_t slen;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	709	char *p;
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	710	/*
Paul Bakker	cb37aa5	2011-11-30 16:00:20 +0000	[diff] [blame]	711	* Buffer should have space for (short) label and decimal formatted MPI,
				712	* newline characters and '\0'
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	713	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	714	char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	715
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	716	if (radix < 2 \|\| radix > 16) {
				717	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				718	}
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	719
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	720	memset(s, 0, sizeof(s));
				721	if (fgets(s, sizeof(s) - 1, fin) == NULL) {
				722	return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
				723	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	724
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	725	slen = strlen(s);
				726	if (slen == sizeof(s) - 2) {
				727	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
				728	}
Paul Bakker	cb37aa5	2011-11-30 16:00:20 +0000	[diff] [blame]	729
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	730	if (slen > 0 && s[slen - 1] == '\n') {
				731	slen--; s[slen] = '\0';
				732	}
				733	if (slen > 0 && s[slen - 1] == '\r') {
				734	slen--; s[slen] = '\0';
				735	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	736
				737	p = s + slen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	738	while (p-- > s) {
				739	if (mpi_get_digit(&d, radix, *p) != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	740	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	741	}
				742	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	743
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	744	return mbedtls_mpi_read_string(X, radix, p + 1);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	745	}
				746
				747	/*
				748	* Write X into an opened file (or stdout if fout == NULL)
				749	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	750	int mbedtls_mpi_write_file(const char p, const mbedtls_mpi X, int radix, FILE *fout)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	751	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	752	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	753	size_t n, slen, plen;
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	754	/*
Paul Bakker	5531c6d	2012-09-26 19:20:46 +0000	[diff] [blame]	755	* Buffer should have space for (short) label and decimal formatted MPI,
				756	* newline characters and '\0'
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	757	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	758	char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	759
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	760	if (radix < 2 \|\| radix > 16) {
				761	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				762	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	763
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	764	memset(s, 0, sizeof(s));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	765
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	766	MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	767
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	768	if (p == NULL) {
				769	p = "";
				770	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	771
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	772	plen = strlen(p);
				773	slen = strlen(s);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	774	s[slen++] = '\r';
				775	s[slen++] = '\n';
				776
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	777	if (fout != NULL) {
				778	if (fwrite(p, 1, plen, fout) != plen \|\|
				779	fwrite(s, 1, slen, fout) != slen) {
				780	return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
				781	}
				782	} else {
				783	mbedtls_printf("%s%s", p, s);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	784	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	785
				786	cleanup:
				787
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	788	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	789	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	790	#endif /* MBEDTLS_FS_IO */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	791
				792	/*
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	793	* Import X from unsigned binary data, little endian
Przemyslaw Stekiel	76960a7	2022-02-21 13:42:09 +0100	[diff] [blame]	794	*
				795	* This function is guaranteed to return an MPI with exactly the necessary
				796	* number of limbs (in particular, it does not skip 0s in the input).
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	797	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	798	int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
				799	const unsigned char *buf, size_t buflen)
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	800	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	801	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	802	const size_t limbs = CHARS_TO_LIMBS(buflen);
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	803
				804	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	805	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	806
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	807	MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen));
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	808
				809	cleanup:
				810
Janos Follath	171a7ef	2019-02-15 16:17:45 +0000	[diff] [blame]	811	/*
				812	* This function is also used to import keys. However, wiping the buffers
				813	* upon failure is not necessary because failure only can happen before any
				814	* input is copied.
				815	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	816	return ret;
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	817	}
				818
				819	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	820	* Import X from unsigned binary data, big endian
Przemyslaw Stekiel	76960a7	2022-02-21 13:42:09 +0100	[diff] [blame]	821	*
				822	* This function is guaranteed to return an MPI with exactly the necessary
				823	* number of limbs (in particular, it does not skip 0s in the input).
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	824	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	825	int mbedtls_mpi_read_binary(mbedtls_mpi X, const unsigned char buf, size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	826	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	827	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	828	const size_t limbs = CHARS_TO_LIMBS(buflen);
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	829
Hanno Becker	073c199	2017-10-17 15:17:27 +0100	[diff] [blame]	830	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	831	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	832
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	833	MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	834
				835	cleanup:
				836
Janos Follath	171a7ef	2019-02-15 16:17:45 +0000	[diff] [blame]	837	/*
				838	* This function is also used to import keys. However, wiping the buffers
				839	* upon failure is not necessary because failure only can happen before any
				840	* input is copied.
				841	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	842	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	843	}
				844
				845	/*
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	846	* Export X into unsigned binary data, little endian
				847	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	848	int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
				849	unsigned char *buf, size_t buflen)
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	850	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	851	return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen);
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	852	}
				853
				854	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	855	* Export X into unsigned binary data, big endian
				856	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	857	int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
				858	unsigned char *buf, size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	859	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	860	return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	861	}
				862
				863	/*
				864	* Left-shift: X <<= count
				865	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	866	int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	867	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	868	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Minos Galanakis	0144b35	2023-05-02 14:02:32 +0100	[diff] [blame]	869	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	870
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	871	i = mbedtls_mpi_bitlen(X) + count;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	872
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	873	if (X->n * biL < i) {
				874	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));
				875	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	876
				877	ret = 0;
				878
Minos Galanakis	0144b35	2023-05-02 14:02:32 +0100	[diff] [blame]	879	mbedtls_mpi_core_shift_l(X->p, X->n, count);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	880	cleanup:
				881
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	882	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	883	}
				884
				885	/*
				886	* Right-shift: X >>= count
				887	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	888	int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	889	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	890	if (X->n != 0) {
				891	mbedtls_mpi_core_shift_r(X->p, X->n, count);
				892	}
				893	return 0;
Gilles Peskine	6641420	2022-09-21 15:36:16 +0200	[diff] [blame]	894	}
				895
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	896	/*
				897	* Compare unsigned values
				898	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	899	int mbedtls_mpi_cmp_abs(const mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	900	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	901	size_t i, j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	902
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	903	for (i = X->n; i > 0; i--) {
				904	if (X->p[i - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	905	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	906	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	907	}
				908
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	909	for (j = Y->n; j > 0; j--) {
				910	if (Y->p[j - 1] != 0) {
				911	break;
				912	}
				913	}
				914
Dave Rodgman	ebcd785	2023-08-09 18:56:42 +0100	[diff] [blame]	915	/* If i == j == 0, i.e. abs(X) == abs(Y),
				916	* we end up returning 0 at the end of the function. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	917
				918	if (i > j) {
				919	return 1;
				920	}
				921	if (j > i) {
				922	return -1;
				923	}
				924
				925	for (; i > 0; i--) {
				926	if (X->p[i - 1] > Y->p[i - 1]) {
				927	return 1;
				928	}
				929	if (X->p[i - 1] < Y->p[i - 1]) {
				930	return -1;
				931	}
				932	}
				933
				934	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	935	}
				936
				937	/*
				938	* Compare signed values
				939	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	940	int mbedtls_mpi_cmp_mpi(const mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	941	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	942	size_t i, j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	943
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	944	for (i = X->n; i > 0; i--) {
				945	if (X->p[i - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	946	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	947	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	948	}
				949
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	950	for (j = Y->n; j > 0; j--) {
				951	if (Y->p[j - 1] != 0) {
				952	break;
				953	}
				954	}
				955
				956	if (i == 0 && j == 0) {
				957	return 0;
				958	}
				959
				960	if (i > j) {
				961	return X->s;
				962	}
				963	if (j > i) {
				964	return -Y->s;
				965	}
				966
				967	if (X->s > 0 && Y->s < 0) {
				968	return 1;
				969	}
				970	if (Y->s > 0 && X->s < 0) {
				971	return -1;
				972	}
				973
				974	for (; i > 0; i--) {
				975	if (X->p[i - 1] > Y->p[i - 1]) {
				976	return X->s;
				977	}
				978	if (X->p[i - 1] < Y->p[i - 1]) {
				979	return -X->s;
				980	}
				981	}
				982
				983	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	984	}
				985
Janos Follath	ee6abce	2019-09-05 14:47:19 +0100	[diff] [blame]	986	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	987	* Compare signed values
				988	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	989	int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	990	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	991	mbedtls_mpi Y;
				992	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	993
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	994	*p = mpi_sint_abs(z);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	995	Y.s = TO_SIGN(z);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	996	Y.n = 1;
				997	Y.p = p;
				998
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	999	return mbedtls_mpi_cmp_mpi(X, &Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1000	}
				1001
				1002	/*
				1003	* Unsigned addition: X = \|A\| + \|B\| (HAC 14.7)
				1004	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1005	int mbedtls_mpi_add_abs(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1006	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1007	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1008	size_t j;
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1009	mbedtls_mpi_uint *p;
				1010	mbedtls_mpi_uint c;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1011
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1012	if (X == B) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1013	const mbedtls_mpi *T = A; A = X; B = T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1014	}
				1015
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1016	if (X != A) {
				1017	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
				1018	}
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1019
Paul Bakker	f7ca7b9	2009-06-20 10:31:06 +0000	[diff] [blame]	1020	/*
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1021	* X must always be positive as a result of unsigned additions.
Paul Bakker	f7ca7b9	2009-06-20 10:31:06 +0000	[diff] [blame]	1022	*/
				1023	X->s = 1;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1024
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1025	for (j = B->n; j > 0; j--) {
				1026	if (B->p[j - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1027	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1028	}
				1029	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1030
Gilles Peskine	db14a9d	2022-11-15 22:59:00 +0100	[diff] [blame]	1031	/* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
				1032	* and B is 0 (of any size). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1033	if (j == 0) {
				1034	return 0;
				1035	}
Gilles Peskine	db14a9d	2022-11-15 22:59:00 +0100	[diff] [blame]	1036
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1037	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1038
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1039	/* j is the number of non-zero limbs of B. Add those to X. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1040
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1041	p = X->p;
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1042
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1043	c = mbedtls_mpi_core_add(p, p, B->p, j);
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1044
				1045	p += j;
				1046
				1047	/* Now propagate any carry */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1048
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1049	while (c != 0) {
				1050	if (j >= X->n) {
				1051	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1));
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1052	p = X->p + j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1053	}
				1054
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1055	p += c; c = (p < c); j++; p++;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1056	}
				1057
				1058	cleanup:
				1059
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1060	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1061	}
				1062
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1063	/*
Gilles Peskine	0e5faf6	2020-06-08 22:50:35 +0200	[diff] [blame]	1064	* Unsigned subtraction: X = \|A\| - \|B\| (HAC 14.9, 14.10)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1065	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1066	int mbedtls_mpi_sub_abs(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1067	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1068	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1069	size_t n;
Gilles Peskine	0e5faf6	2020-06-08 22:50:35 +0200	[diff] [blame]	1070	mbedtls_mpi_uint carry;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1071
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1072	for (n = B->n; n > 0; n--) {
				1073	if (B->p[n - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1074	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1075	}
				1076	}
				1077	if (n > A->n) {
Gilles Peskine	c8a9177	2021-01-27 22:30:43 +0100	[diff] [blame]	1078	/* B >= (2^ciL)^n > A */
				1079	ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1080	goto cleanup;
				1081	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1082
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1083	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1084
				1085	/* Set the high limbs of X to match A. Don't touch the lower limbs
				1086	* because X might be aliased to B, and we must not overwrite the
				1087	* significant digits of B. */
Aaron M. Ucko	af67d2c	2023-01-17 11:52:22 -0500	[diff] [blame]	1088	if (A->n > n && A != X) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1089	memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
				1090	}
				1091	if (X->n > A->n) {
				1092	memset(X->p + A->n, 0, (X->n - A->n) * ciL);
				1093	}
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1094
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1095	carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n);
				1096	if (carry != 0) {
Tom Cosgrove	452c99c	2022-08-25 10:07:07 +0100	[diff] [blame]	1097	/* Propagate the carry through the rest of X. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1098	carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n);
Tom Cosgrove	452c99c	2022-08-25 10:07:07 +0100	[diff] [blame]	1099
				1100	/* If we have further carry/borrow, the result is negative. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1101	if (carry != 0) {
Gilles Peskine	89b4130	2020-07-23 01:16:46 +0200	[diff] [blame]	1102	ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1103	goto cleanup;
				1104	}
Gilles Peskine	c097e9e	2020-06-08 21:58:22 +0200	[diff] [blame]	1105	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1106
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1107	/* X should always be positive as a result of unsigned subtractions. */
				1108	X->s = 1;
				1109
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1110	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1111	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1112	}
				1113
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1114	/* Common function for signed addition and subtraction.
				1115	* Calculate A + B * flip_B where flip_B is 1 or -1.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1116	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1117	static int add_sub_mpi(mbedtls_mpi *X,
				1118	const mbedtls_mpi A, const mbedtls_mpi B,
				1119	int flip_B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1120	{
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	1121	int ret, s;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1122
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	1123	s = A->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1124	if (A->s * B->s * flip_B < 0) {
				1125	int cmp = mbedtls_mpi_cmp_abs(A, B);
				1126	if (cmp >= 0) {
				1127	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
Gilles Peskine	4a768dd	2022-11-09 22:02:16 +0100	[diff] [blame]	1128	/* If \|A\| = \|B\|, the result is 0 and we must set the sign bit
				1129	* to +1 regardless of which of A or B was negative. Otherwise,
				1130	* since \|A\| > \|B\|, the sign is the sign of A. */
				1131	X->s = cmp == 0 ? 1 : s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1132	} else {
				1133	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));
Gilles Peskine	4a768dd	2022-11-09 22:02:16 +0100	[diff] [blame]	1134	/* Since \|A\| < \|B\|, the sign is the opposite of A. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1135	X->s = -s;
				1136	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1137	} else {
				1138	MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1139	X->s = s;
				1140	}
				1141
				1142	cleanup:
				1143
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1144	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1145	}
				1146
				1147	/*
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1148	* Signed addition: X = A + B
				1149	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1150	int mbedtls_mpi_add_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1151	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1152	return add_sub_mpi(X, A, B, 1);
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1153	}
				1154
				1155	/*
Paul Bakker	60b1d10	2013-10-29 10:02:51 +0100	[diff] [blame]	1156	* Signed subtraction: X = A - B
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1157	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1158	int mbedtls_mpi_sub_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1159	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1160	return add_sub_mpi(X, A, B, -1);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1161	}
				1162
				1163	/*
				1164	* Signed addition: X = A + b
				1165	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1166	int mbedtls_mpi_add_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1167	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1168	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1169	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1170
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1171	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1172	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1173	B.n = 1;
				1174	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1175
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1176	return mbedtls_mpi_add_mpi(X, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1177	}
				1178
				1179	/*
Paul Bakker	60b1d10	2013-10-29 10:02:51 +0100	[diff] [blame]	1180	* Signed subtraction: X = A - b
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1181	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1182	int mbedtls_mpi_sub_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1183	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1184	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1185	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1186
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1187	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1188	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1189	B.n = 1;
				1190	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1191
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1192	return mbedtls_mpi_sub_mpi(X, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1193	}
				1194
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1195	/*
				1196	* Baseline multiplication: X = A * B (HAC 14.12)
				1197	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1198	int mbedtls_mpi_mul_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1199	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1200	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	1772e05	2022-04-13 06:51:40 +0100	[diff] [blame]	1201	size_t i, j;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1202	mbedtls_mpi TA, TB;
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1203	int result_is_zero = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1204
Tom Cosgrove	6af26f3	2022-08-24 16:40:55 +0100	[diff] [blame]	1205	mbedtls_mpi_init(&TA);
				1206	mbedtls_mpi_init(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1207
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1208	if (X == A) {
				1209	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;
				1210	}
				1211	if (X == B) {
				1212	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;
				1213	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1214
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1215	for (i = A->n; i > 0; i--) {
				1216	if (A->p[i - 1] != 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1217	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1218	}
				1219	}
				1220	if (i == 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1221	result_is_zero = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1222	}
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1223
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1224	for (j = B->n; j > 0; j--) {
				1225	if (B->p[j - 1] != 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1226	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1227	}
				1228	}
				1229	if (j == 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1230	result_is_zero = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1231	}
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1232
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1233	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));
				1234	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1235
Tom Cosgrove	6af26f3	2022-08-24 16:40:55 +0100	[diff] [blame]	1236	mbedtls_mpi_core_mul(X->p, A->p, i, B->p, j);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1237
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1238	/* If the result is 0, we don't shortcut the operation, which reduces
				1239	* but does not eliminate side channels leaking the zero-ness. We do
				1240	* need to take care to set the sign bit properly since the library does
				1241	* not fully support an MPI object with a value of 0 and s == -1. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1242	if (result_is_zero) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1243	X->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1244	} else {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1245	X->s = A->s * B->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1246	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1247
				1248	cleanup:
				1249
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1250	mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1251
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1252	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1253	}
				1254
				1255	/*
				1256	* Baseline multiplication: X = A * b
				1257	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1258	int mbedtls_mpi_mul_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_uint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1259	{
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1260	size_t n = A->n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1261	while (n > 0 && A->p[n - 1] == 0) {
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1262	--n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1263	}
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1264
Hanno Becker	74a11a3	2022-04-06 06:27:00 +0100	[diff] [blame]	1265	/* The general method below doesn't work if b==0. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1266	if (b == 0 \|\| n == 0) {
				1267	return mbedtls_mpi_lset(X, 0);
				1268	}
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1269
Hanno Becker	aef9cc4	2022-04-11 06:36:29 +0100	[diff] [blame]	1270	/* Calculate Ab as A + A(b-1) to take advantage of mbedtls_mpi_core_mla */
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1271	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	cd0dbf3	2020-07-24 00:09:04 +0200	[diff] [blame]	1272	/* In general, A * b requires 1 limb more than b. If
				1273	* A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
				1274	* number of limbs as A and the call to grow() is not required since
Gilles Peskine	e1bba7c	2021-03-10 23:44:10 +0100	[diff] [blame]	1275	* copy() will take care of the growth if needed. However, experimentally,
				1276	* making the call to grow() unconditional causes slightly fewer
Gilles Peskine	cd0dbf3	2020-07-24 00:09:04 +0200	[diff] [blame]	1277	* calls to calloc() in ECP code, presumably because it reuses the
				1278	* same mpi for a while and this way the mpi is more likely to directly
Hanno Becker	9137b9c	2022-04-12 10:51:54 +0100	[diff] [blame]	1279	* grow to its final size.
				1280	*
				1281	* Note that calculating Ab as 0 + Ab doesn't work as-is because
				1282	* A,X can be the same. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1283	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));
				1284	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
				1285	mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1);
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1286
				1287	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1288	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1289	}
				1290
				1291	/*
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1292	* Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
				1293	* mbedtls_mpi_uint divisor, d
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1294	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1295	static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
				1296	mbedtls_mpi_uint u0,
				1297	mbedtls_mpi_uint d,
				1298	mbedtls_mpi_uint *r)
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1299	{
Manuel Pégourié-Gonnard	1630888	2015-12-01 10:27:00 +0100	[diff] [blame]	1300	#if defined(MBEDTLS_HAVE_UDBL)
				1301	mbedtls_t_udbl dividend, quotient;
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1302	#else
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1303	const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1304	const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1305	mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
				1306	mbedtls_mpi_uint u0_msw, u0_lsw;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1307	size_t s;
Manuel Pégourié-Gonnard	1630888	2015-12-01 10:27:00 +0100	[diff] [blame]	1308	#endif
				1309
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1310	/*
				1311	* Check for overflow
				1312	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1313	if (0 == d \|\| u1 >= d) {
				1314	if (r != NULL) {
				1315	*r = ~(mbedtls_mpi_uint) 0u;
				1316	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1317
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1318	return ~(mbedtls_mpi_uint) 0u;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1319	}
				1320
				1321	#if defined(MBEDTLS_HAVE_UDBL)
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1322	dividend = (mbedtls_t_udbl) u1 << biL;
				1323	dividend \|= (mbedtls_t_udbl) u0;
				1324	quotient = dividend / d;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1325	if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {
				1326	quotient = ((mbedtls_t_udbl) 1 << biL) - 1;
				1327	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1328
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1329	if (r != NULL) {
				1330	r = (mbedtls_mpi_uint) (dividend - (quotient d));
				1331	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1332
				1333	return (mbedtls_mpi_uint) quotient;
				1334	#else
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1335
				1336	/*
				1337	* Algorithm D, Section 4.3.1 - The Art of Computer Programming
				1338	* Vol. 2 - Seminumerical Algorithms, Knuth
				1339	*/
				1340
				1341	/*
				1342	* Normalize the divisor, d, and dividend, u0, u1
				1343	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1344	s = mbedtls_mpi_core_clz(d);
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1345	d = d << s;
				1346
				1347	u1 = u1 << s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1348	u1 \|= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1349	u0 = u0 << s;
				1350
				1351	d1 = d >> biH;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1352	d0 = d & uint_halfword_mask;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1353
				1354	u0_msw = u0 >> biH;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1355	u0_lsw = u0 & uint_halfword_mask;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1356
				1357	/*
				1358	* Find the first quotient and remainder
				1359	*/
				1360	q1 = u1 / d1;
				1361	r0 = u1 - d1 * q1;
				1362
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1363	while (q1 >= radix \|\| (q1 * d0 > radix * r0 + u0_msw)) {
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1364	q1 -= 1;
				1365	r0 += d1;
				1366
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1367	if (r0 >= radix) {
				1368	break;
				1369	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1370	}
				1371
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1372	rAX = (u1 * radix) + (u0_msw - q1 * d);
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1373	q0 = rAX / d1;
				1374	r0 = rAX - q0 * d1;
				1375
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1376	while (q0 >= radix \|\| (q0 * d0 > radix * r0 + u0_lsw)) {
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1377	q0 -= 1;
				1378	r0 += d1;
				1379
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1380	if (r0 >= radix) {
				1381	break;
				1382	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1383	}
				1384
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1385	if (r != NULL) {
				1386	r = (rAX radix + u0_lsw - q0 * d) >> s;
				1387	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1388
				1389	quotient = q1 * radix + q0;
				1390
				1391	return quotient;
				1392	#endif
				1393	}
				1394
				1395	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1396	* Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1397	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1398	int mbedtls_mpi_div_mpi(mbedtls_mpi Q, mbedtls_mpi R, const mbedtls_mpi *A,
				1399	const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1400	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1401	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1402	size_t i, n, t, k;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1403	mbedtls_mpi X, Y, Z, T1, T2;
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1404	mbedtls_mpi_uint TP2[3];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1405
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1406	if (mbedtls_mpi_cmp_int(B, 0) == 0) {
				1407	return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
				1408	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1409
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1410	mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
				1411	mbedtls_mpi_init(&T1);
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1412	/*
				1413	* Avoid dynamic memory allocations for constant-size T2.
				1414	*
				1415	* T2 is used for comparison only and the 3 limbs are assigned explicitly,
				1416	* so nobody increase the size of the MPI and we're safe to use an on-stack
				1417	* buffer.
				1418	*/
Alexander K	35d6d46	2019-10-31 14:46:45 +0300	[diff] [blame]	1419	T2.s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1420	T2.n = sizeof(TP2) / sizeof(*TP2);
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1421	T2.p = TP2;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1422
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1423	if (mbedtls_mpi_cmp_abs(A, B) < 0) {
				1424	if (Q != NULL) {
				1425	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
				1426	}
				1427	if (R != NULL) {
				1428	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));
				1429	}
				1430	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1431	}
				1432
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1433	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));
				1434	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1435	X.s = Y.s = 1;
				1436
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1437	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
				1438	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));
				1439	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1440
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1441	k = mbedtls_mpi_bitlen(&Y) % biL;
				1442	if (k < biL - 1) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1443	k = biL - 1 - k;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1444	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));
				1445	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));
				1446	} else {
				1447	k = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1448	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1449
				1450	n = X.n - 1;
				1451	t = Y.n - 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1452	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1453
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1454	while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1455	Z.p[n - t]++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1456	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1457	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1458	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1459
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1460	for (i = n; i > t; i--) {
				1461	if (X.p[i] >= Y.p[t]) {
				1462	Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;
				1463	} else {
				1464	Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],
				1465	Y.p[t], NULL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1466	}
				1467
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1468	T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
				1469	T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
Alexander K	35d6d46	2019-10-31 14:46:45 +0300	[diff] [blame]	1470	T2.p[2] = X.p[i];
				1471
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1472	Z.p[i - t - 1]++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1473	do {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1474	Z.p[i - t - 1]--;
				1475
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1476	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));
				1477	T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1478	T1.p[1] = Y.p[t];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1479	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
				1480	} while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1481
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1482	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
				1483	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
				1484	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1485
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1486	if (mbedtls_mpi_cmp_int(&X, 0) < 0) {
				1487	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));
				1488	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
				1489	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1490	Z.p[i - t - 1]--;
				1491	}
				1492	}
				1493
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1494	if (Q != NULL) {
				1495	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1496	Q->s = A->s * B->s;
				1497	}
				1498
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1499	if (R != NULL) {
				1500	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));
Paul Bakker	f02c564	2012-11-13 10:25:21 +0000	[diff] [blame]	1501	X.s = A->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1502	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1503
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1504	if (mbedtls_mpi_cmp_int(R, 0) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1505	R->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1506	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1507	}
				1508
				1509	cleanup:
				1510
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1511	mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
				1512	mbedtls_mpi_free(&T1);
				1513	mbedtls_platform_zeroize(TP2, sizeof(TP2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1514
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1515	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1516	}
				1517
				1518	/*
				1519	* Division by int: A = Q * b + R
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1520	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1521	int mbedtls_mpi_div_int(mbedtls_mpi Q, mbedtls_mpi R,
				1522	const mbedtls_mpi *A,
				1523	mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1524	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1525	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1526	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1527
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1528	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1529	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1530	B.n = 1;
				1531	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1532
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1533	return mbedtls_mpi_div_mpi(Q, R, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1534	}
				1535
				1536	/*
				1537	* Modulo: R = A mod B
				1538	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1539	int mbedtls_mpi_mod_mpi(mbedtls_mpi R, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1540	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1541	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1542
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1543	if (mbedtls_mpi_cmp_int(B, 0) < 0) {
				1544	return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1545	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1546
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1547	MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1548
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1549	while (mbedtls_mpi_cmp_int(R, 0) < 0) {
				1550	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));
				1551	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1552
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1553	while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {
				1554	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));
				1555	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1556
				1557	cleanup:
				1558
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1559	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1560	}
				1561
				1562	/*
				1563	* Modulo: r = A mod b
				1564	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1565	int mbedtls_mpi_mod_int(mbedtls_mpi_uint r, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1566	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1567	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1568	mbedtls_mpi_uint x, y, z;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1569
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1570	if (b == 0) {
				1571	return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
				1572	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1573
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1574	if (b < 0) {
				1575	return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1576	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1577
				1578	/*
				1579	* handle trivial cases
				1580	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1581	if (b == 1 \|\| A->n == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1582	*r = 0;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1583	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1584	}
				1585
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1586	if (b == 2) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1587	*r = A->p[0] & 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1588	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1589	}
				1590
				1591	/*
				1592	* general case
				1593	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1594	for (i = A->n, y = 0; i > 0; i--) {
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1595	x = A->p[i - 1];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1596	y = (y << biH) \| (x >> biH);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1597	z = y / b;
				1598	y -= z * b;
				1599
				1600	x <<= biH;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1601	y = (y << biH) \| (x >> biH);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1602	z = y / b;
				1603	y -= z * b;
				1604	}
				1605
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1606	/*
				1607	* If A is negative, then the current y represents a negative value.
				1608	* Flipping it to the positive side.
				1609	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1610	if (A->s < 0 && y != 0) {
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1611	y = b - y;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1612	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1613
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1614	*r = y;
				1615
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1616	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1617	}
				1618
Janos Follath	38ff70e	2024-08-12 18:20:59 +0100	[diff] [blame]	1619	/*
				1620	* Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
				1621	* this function is not constant time with respect to the exponent (parameter E).
				1622	*/
				1623	static int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi X, const mbedtls_mpi A,
Janos Follath	a5fc8f3	2024-08-12 20:11:06 +0100	[diff] [blame]	1624	const mbedtls_mpi *E, int E_public,
				1625	const mbedtls_mpi N, mbedtls_mpi prec_RR)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1626	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1627	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1628
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1629	if (mbedtls_mpi_cmp_int(N, 0) <= 0 \|\| (N->p[0] & 1) == 0) {
				1630	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1631	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1632
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1633	if (mbedtls_mpi_cmp_int(E, 0) < 0) {
				1634	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1635	}
Paul Bakker	f6198c1	2012-05-16 08:02:29 +0000	[diff] [blame]	1636
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1637	if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS \|\|
				1638	mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {
				1639	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1640	}
Chris Jones	9246d04	2020-11-25 15:12:39 +0000	[diff] [blame]	1641
Janos Follath	583f047	2024-02-19 11:16:44 +0000	[diff] [blame]	1642	/*
				1643	* Ensure that the exponent that we are passing to the core is not NULL.
				1644	*/
				1645	if (E->n == 0) {
				1646	ret = mbedtls_mpi_lset(X, 1);
				1647	return ret;
				1648	}
				1649
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1650	/*
				1651	* Allocate working memory for mbedtls_mpi_core_exp_mod()
				1652	*/
				1653	size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n);
Janos Follath	0902572	2024-02-21 11:50:25 +0000	[diff] [blame]	1654	mbedtls_mpi_uint T = (mbedtls_mpi_uint ) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint));
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1655	if (T == NULL) {
				1656	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				1657	}
				1658
Janos Follath	701ae1d	2024-02-19 10:56:54 +0000	[diff] [blame]	1659	mbedtls_mpi RR;
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1660	mbedtls_mpi_init(&RR);
Paul Bakker	5054692	2012-05-19 08:40:49 +0000	[diff] [blame]	1661
				1662	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1663	* If 1st call, pre-compute R^2 mod N
				1664	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1665	if (prec_RR == NULL \|\| prec_RR->p == NULL) {
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1666	MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1667
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1668	if (prec_RR != NULL) {
Janos Follath	576087d	2024-02-19 11:05:01 +0000	[diff] [blame]	1669	*prec_RR = RR;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1670	}
				1671	} else {
Janos Follath	0512d17	2024-02-20 14:30:46 +0000	[diff] [blame]	1672	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(prec_RR, N->n));
Janos Follath	576087d	2024-02-19 11:05:01 +0000	[diff] [blame]	1673	RR = *prec_RR;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1674	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1675
				1676	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1677	* To preserve constness we need to make a copy of A. Using X for this to
				1678	* save memory.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1679	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1680	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1681
				1682	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1683	* Compensate for negative A (and correct at the end).
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1684	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1685	X->s = 1;
Paul Bakker	f6198c1	2012-05-16 08:02:29 +0000	[diff] [blame]	1686
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1687	/*
Janos Follath	467a549	2024-02-19 11:27:38 +0000	[diff] [blame]	1688	* Make sure that X is in a form that is safe for consumption by
				1689	* the core functions.
				1690	*
				1691	* - The core functions will not touch the limbs of X above N->n. The
				1692	* result will be correct if those limbs are 0, which the mod call
				1693	* ensures.
				1694	* - Also, X must have at least as many limbs as N for the calls to the
				1695	* core functions.
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1696	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1697	if (mbedtls_mpi_cmp_mpi(X, N) >= 0) {
				1698	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
				1699	}
				1700	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n));
				1701
				1702	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1703	* Convert to and from Montgomery around mbedtls_mpi_core_exp_mod().
				1704	*/
Dave Rodgman	d282e26	2024-03-11 15:28:48 +0000	[diff] [blame]	1705	{
				1706	mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
				1707	mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);
Janos Follath	38ff70e	2024-08-12 18:20:59 +0100	[diff] [blame]	1708	if (E_public == MBEDTLS_MPI_IS_PUBLIC) {
				1709	mbedtls_mpi_core_exp_mod_unsafe(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
				1710	} else {
				1711	mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
				1712	}
Dave Rodgman	d282e26	2024-03-11 15:28:48 +0000	[diff] [blame]	1713	mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);
				1714	}
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1715
				1716	/*
				1717	* Correct for negative A.
				1718	*/
Janos Follath	583f047	2024-02-19 11:16:44 +0000	[diff] [blame]	1719	if (A->s == -1 && (E->p[0] & 1) != 0) {
Janos Follath	86258f5	2024-02-21 11:25:41 +0000	[diff] [blame]	1720	mbedtls_ct_condition_t is_x_non_zero = mbedtls_mpi_core_check_zero_ct(X->p, X->n);
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	1721	X->s = mbedtls_ct_mpi_sign_if(is_x_non_zero, -1, 1);
Janos Follath	86258f5	2024-02-21 11:25:41 +0000	[diff] [blame]	1722
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1723	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X));
				1724	}
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1725
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1726	cleanup:
				1727
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1728	mbedtls_mpi_zeroize_and_free(T, T_limbs);
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	1729
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1730	if (prec_RR == NULL \|\| prec_RR->p == NULL) {
				1731	mbedtls_mpi_free(&RR);
				1732	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1733
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1734	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1735	}
				1736
Manuel Pégourié-Gonnard	75ed587	2024-06-18 12:52:45 +0200	[diff] [blame]	1737	int mbedtls_mpi_exp_mod(mbedtls_mpi X, const mbedtls_mpi A,
				1738	const mbedtls_mpi E, const mbedtls_mpi N,
				1739	mbedtls_mpi *prec_RR)
				1740	{
Janos Follath	a5fc8f3	2024-08-12 20:11:06 +0100	[diff] [blame]	1741	return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_SECRET, N, prec_RR);
Manuel Pégourié-Gonnard	75ed587	2024-06-18 12:52:45 +0200	[diff] [blame]	1742	}
				1743
Janos Follath	38ff70e	2024-08-12 18:20:59 +0100	[diff] [blame]	1744	int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi X, const mbedtls_mpi A,
				1745	const mbedtls_mpi E, const mbedtls_mpi N,
				1746	mbedtls_mpi *prec_RR)
				1747	{
Janos Follath	a5fc8f3	2024-08-12 20:11:06 +0100	[diff] [blame]	1748	return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_PUBLIC, N, prec_RR);
Janos Follath	38ff70e	2024-08-12 18:20:59 +0100	[diff] [blame]	1749	}
				1750
Felix Conway	bd7ede3	2025-08-04 11:33:48 +0100	[diff] [blame]	1751	/* Constant-time GCD and/or modinv with odd modulus and A <= N */
				1752	int mbedtls_mpi_gcd_modinv_odd(mbedtls_mpi *G,
				1753	mbedtls_mpi *I,
				1754	const mbedtls_mpi *A,
				1755	const mbedtls_mpi *N)
				1756	{
				1757	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				1758	mbedtls_mpi local_g;
				1759	mbedtls_mpi_uint *T = NULL;
				1760	const size_t T_factor = I != NULL ? 5 : 4;
Felix Conway	eefdfe9	2025-08-05 14:35:53 +0100	[diff] [blame]	1761	const mbedtls_mpi_uint zero = 0;
Felix Conway	bd7ede3	2025-08-04 11:33:48 +0100	[diff] [blame]	1762
				1763	/* Check requirements on A and N */
				1764	if (mbedtls_mpi_cmp_int(A, 0) < 0 \|\|
				1765	mbedtls_mpi_cmp_mpi(A, N) > 0 \|\|
				1766	mbedtls_mpi_get_bit(N, 0) != 1 \|\|
				1767	(I != NULL && mbedtls_mpi_cmp_int(N, 1) == 0)) {
				1768	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1769	}
				1770
				1771	/* Check aliasing requirements */
Felix Conway	d9c4c9c	2025-08-05 14:33:32 +0100	[diff] [blame]	1772	if (A == N \|\| (I != NULL && (I == N \|\| G == N))) {
Felix Conway	bd7ede3	2025-08-04 11:33:48 +0100	[diff] [blame]	1773	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1774	}
				1775
				1776	mbedtls_mpi_init(&local_g);
				1777
				1778	if (G == NULL) {
				1779	G = &local_g;
				1780	}
				1781
Felix Conway	a1c95e3	2025-08-06 09:54:11 +0100	[diff] [blame]	1782	/* We can't modify the values of G or I before use in the main function,
				1783	* as they could be aliased to A or N. */
Felix Conway	bd7ede3	2025-08-04 11:33:48 +0100	[diff] [blame]	1784	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(G, N->n));
Felix Conway	bd7ede3	2025-08-04 11:33:48 +0100	[diff] [blame]	1785	if (I != NULL) {
				1786	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(I, N->n));
Felix Conway	bd7ede3	2025-08-04 11:33:48 +0100	[diff] [blame]	1787	}
				1788
				1789	T = mbedtls_calloc(sizeof(mbedtls_mpi_uint) * N->n, T_factor);
				1790	if (T == NULL) {
				1791	ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
				1792	goto cleanup;
				1793	}
				1794
				1795	mbedtls_mpi_uint *Ip = I != NULL ? I->p : NULL;
Felix Conway	a1c95e3	2025-08-06 09:54:11 +0100	[diff] [blame]	1796	/* If A is 0 (null), then A->p would be null, and A->n would be 0,
				1797	* which would be an issue if A->p and A->n were passed to
				1798	* mbedtls_mpi_core_gcd_modinv_odd below. */
Felix Conway	eefdfe9	2025-08-05 14:35:53 +0100	[diff] [blame]	1799	const mbedtls_mpi_uint *Ap = A->p != NULL ? A->p : &zero;
Felix Conway	a1c95e3	2025-08-06 09:54:11 +0100	[diff] [blame]	1800	size_t An = A->n >= N->n ? N->n : A->p != NULL ? A->n : 1;
Felix Conway	eefdfe9	2025-08-05 14:35:53 +0100	[diff] [blame]	1801	mbedtls_mpi_core_gcd_modinv_odd(G->p, Ip, Ap, An, N->p, N->n, T);
Felix Conway	bd7ede3	2025-08-04 11:33:48 +0100	[diff] [blame]	1802
Felix Conway	a1c95e3	2025-08-06 09:54:11 +0100	[diff] [blame]	1803	G->s = 1;
				1804	if (I != NULL) {
				1805	I->s = 1;
				1806	}
				1807
Felix Conway	bd7ede3	2025-08-04 11:33:48 +0100	[diff] [blame]	1808	if (G->n > N->n) {
				1809	memset(G->p + N->n, 0, ciL * (G->n - N->n));
				1810	}
				1811	if (I != NULL && I->n > N->n) {
				1812	memset(I->p + N->n, 0, ciL * (I->n - N->n));
				1813	}
				1814
				1815	cleanup:
				1816	mbedtls_mpi_free(&local_g);
				1817	mbedtls_free(T);
				1818	return ret;
				1819	}
				1820
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1821	/*
Manuel Pégourié-Gonnard	c6a9d84	2025-07-10 23:28:50 +0200	[diff] [blame]	1822	* Greatest common divisor: G = gcd(A, B)
				1823	* Wrapper around mbedtls_mpi_gcd_modinv() that removes its restrictions.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1824	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1825	int mbedtls_mpi_gcd(mbedtls_mpi G, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1826	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1827	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Alexander K	e8ad49f	2019-08-16 16:16:07 +0300	[diff] [blame]	1828	mbedtls_mpi TA, TB;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1829
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1830	mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1831
Manuel Pégourié-Gonnard	c6a9d84	2025-07-10 23:28:50 +0200	[diff] [blame]	1832	/* Make copies and take absolute values */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1833	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
				1834	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1835	TA.s = TB.s = 1;
				1836
Manuel Pégourié-Gonnard	381d4ba	2025-08-04 10:57:13 +0200	[diff] [blame]	1837	/* Make the two values the same (non-zero) number of limbs.
				1838	* This is needed to use mbedtls_mpi_core functions below. */
Manuel Pégourié-Gonnard	c6a9d84	2025-07-10 23:28:50 +0200	[diff] [blame]	1839	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&TA, TB.n != 0 ? TB.n : 1));
				1840	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&TB, TA.n)); // non-zero from above
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1841
Manuel Pégourié-Gonnard	381d4ba	2025-08-04 10:57:13 +0200	[diff] [blame]	1842	/* Handle special cases (that don't happen in crypto usage) */
				1843	if (mbedtls_mpi_core_check_zero_ct(TA.p, TA.n) == MBEDTLS_CT_FALSE) {
Manuel Pégourié-Gonnard	87e77d6	2025-08-11 10:45:41 +0200	[diff] [blame^]	1844	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB)); // GCD(0, B) = abs(B)
				1845	goto cleanup;
Manuel Pégourié-Gonnard	381d4ba	2025-08-04 10:57:13 +0200	[diff] [blame]	1846	}
				1847	if (mbedtls_mpi_core_check_zero_ct(TB.p, TB.n) == MBEDTLS_CT_FALSE) {
Manuel Pégourié-Gonnard	87e77d6	2025-08-11 10:45:41 +0200	[diff] [blame^]	1848	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TA)); // GCD(A, 0) = abs(A)
				1849	goto cleanup;
Manuel Pégourié-Gonnard	381d4ba	2025-08-04 10:57:13 +0200	[diff] [blame]	1850	}
				1851
Manuel Pégourié-Gonnard	c6a9d84	2025-07-10 23:28:50 +0200	[diff] [blame]	1852	const size_t za = mbedtls_mpi_lsb(&TA);
				1853	const size_t zb = mbedtls_mpi_lsb(&TB);
				1854
				1855	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, za));
				1856	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, zb));
				1857
				1858	/* Ensure A <= B: if B < A, swap them */
				1859	mbedtls_ct_condition_t swap = mbedtls_mpi_core_lt_ct(TB.p, TA.p, TA.n);
				1860	mbedtls_mpi_core_cond_swap(TA.p, TB.p, TA.n, swap);
				1861
				1862	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd_modinv_odd(G, NULL, &TA, &TB));
				1863
				1864	size_t zg = za > zb ? zb : za; // zg = min(za, zb)
				1865	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(G, zg));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1866
				1867	cleanup:
				1868
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1869	mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1870
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1871	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1872	}
				1873
Paul Bakker	33dc46b	2014-04-30 16:11:39 +0200	[diff] [blame]	1874	/*
				1875	* Fill X with size bytes of random.
Gilles Peskine	22cdd0c	2022-10-27 20:15:13 +0200	[diff] [blame]	1876	* The bytes returned from the RNG are used in a specific order which
				1877	* is suitable for deterministic ECDSA (see the specification of
				1878	* mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()).
Paul Bakker	33dc46b	2014-04-30 16:11:39 +0200	[diff] [blame]	1879	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1880	int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
				1881	int (f_rng)(void , unsigned char *, size_t),
				1882	void *p_rng)
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1883	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1884	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1885	const size_t limbs = CHARS_TO_LIMBS(size);
Hanno Becker	da1655a	2017-10-18 14:21:44 +0100	[diff] [blame]	1886
Hanno Becker	da1655a	2017-10-18 14:21:44 +0100	[diff] [blame]	1887	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1888	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
				1889	if (size == 0) {
				1890	return 0;
				1891	}
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1892
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1893	ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng);
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1894
				1895	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1896	return ret;
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1897	}
				1898
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1899	int mbedtls_mpi_random(mbedtls_mpi *X,
				1900	mbedtls_mpi_sint min,
				1901	const mbedtls_mpi *N,
				1902	int (f_rng)(void , unsigned char *, size_t),
				1903	void *p_rng)
Gilles Peskine	02ac93a	2021-03-29 22:02:55 +0200	[diff] [blame]	1904	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1905	if (min < 0) {
				1906	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1907	}
				1908	if (mbedtls_mpi_cmp_int(N, min) <= 0) {
				1909	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1910	}
Gilles Peskine	1e918f4	2021-03-29 22:14:51 +0200	[diff] [blame]	1911
Gilles Peskine	1a7df4e	2021-04-01 15:57:18 +0200	[diff] [blame]	1912	/* Ensure that target MPI has exactly the same number of limbs
				1913	* as the upper bound, even if the upper bound has leading zeros.
Gilles Peskine	6b7ce96	2022-12-15 15:04:33 +0100	[diff] [blame]	1914	* This is necessary for mbedtls_mpi_core_random. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1915	int ret = mbedtls_mpi_resize_clear(X, N->n);
				1916	if (ret != 0) {
				1917	return ret;
				1918	}
Gilles Peskine	1a7df4e	2021-04-01 15:57:18 +0200	[diff] [blame]	1919
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1920	return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng);
Gilles Peskine	02ac93a	2021-03-29 22:02:55 +0200	[diff] [blame]	1921	}
				1922
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1923	/*
				1924	* Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
				1925	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1926	int mbedtls_mpi_inv_mod(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *N)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1927	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1928	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1929	mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1930
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1931	if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
				1932	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1933	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1934
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1935	mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);
				1936	mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);
				1937	mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1938
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1939	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1940
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1941	if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1942	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1943	goto cleanup;
				1944	}
				1945
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1946	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));
				1947	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));
				1948	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));
				1949	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1950
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1951	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));
				1952	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));
				1953	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));
				1954	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1955
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1956	do {
				1957	while ((TU.p[0] & 1) == 0) {
				1958	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1959
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1960	if ((U1.p[0] & 1) != 0 \|\| (U2.p[0] & 1) != 0) {
				1961	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));
				1962	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1963	}
				1964
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1965	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));
				1966	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1967	}
				1968
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1969	while ((TV.p[0] & 1) == 0) {
				1970	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1971
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1972	if ((V1.p[0] & 1) != 0 \|\| (V2.p[0] & 1) != 0) {
				1973	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));
				1974	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1975	}
				1976
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1977	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));
				1978	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1979	}
				1980
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1981	if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {
				1982	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));
				1983	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));
				1984	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));
				1985	} else {
				1986	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));
				1987	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));
				1988	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1989	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1990	} while (mbedtls_mpi_cmp_int(&TU, 0) != 0);
				1991
				1992	while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {
				1993	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1994	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1995
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1996	while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {
				1997	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));
				1998	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1999
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2000	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2001
				2002	cleanup:
				2003
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2004	mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);
				2005	mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);
				2006	mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2007
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2008	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2009	}
				2010
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2011	#if defined(MBEDTLS_GENPRIME)
Paul Bakker	d9374b0	2012-11-02 11:02:58 +0000	[diff] [blame]	2012
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2013	/* Gaps between primes, starting at 3. https://oeis.org/A001223 */
				2014	static const unsigned char small_prime_gaps[] = {
				2015	2, 2, 4, 2, 4, 2, 4, 6,
				2016	2, 6, 4, 2, 4, 6, 6, 2,
				2017	6, 4, 2, 6, 4, 6, 8, 4,
				2018	2, 4, 2, 4, 14, 4, 6, 2,
				2019	10, 2, 6, 6, 4, 6, 6, 2,
				2020	10, 2, 4, 2, 12, 12, 4, 2,
				2021	4, 6, 2, 10, 6, 6, 6, 2,
				2022	6, 4, 2, 10, 14, 4, 2, 4,
				2023	14, 6, 10, 2, 4, 6, 8, 6,
				2024	6, 4, 6, 8, 4, 8, 10, 2,
				2025	10, 2, 6, 4, 6, 8, 4, 2,
				2026	4, 12, 8, 4, 8, 4, 6, 12,
				2027	2, 18, 6, 10, 6, 6, 2, 6,
				2028	10, 6, 6, 2, 6, 6, 4, 2,
				2029	12, 10, 2, 4, 6, 6, 2, 12,
				2030	4, 6, 8, 10, 8, 10, 8, 6,
				2031	6, 4, 8, 6, 4, 8, 4, 14,
				2032	10, 12, 2, 10, 2, 4, 2, 10,
				2033	14, 4, 2, 4, 14, 4, 2, 4,
				2034	20, 4, 8, 10, 8, 4, 6, 6,
				2035	14, 4, 6, 6, 8, 6, /reaches 997/
Gilles Peskine	30b0378	2023-08-22 11:06:47 +0200	[diff] [blame]	2036	0 /* the last entry is effectively unused */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2037	};
				2038
				2039	/*
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2040	* Small divisors test (X must be positive)
				2041	*
				2042	* Return values:
				2043	* 0: no small factor (possible prime, more tests needed)
				2044	* 1: certain prime
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2045	* MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2046	* other negative: error
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2047	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2048	static int mpi_check_small_factors(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2049	{
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2050	int ret = 0;
				2051	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2052	mbedtls_mpi_uint r;
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2053	unsigned p = 3; /* The first odd prime */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2054
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2055	if ((X->p[0] & 1) == 0) {
				2056	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2057	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2058
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2059	for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) {
				2060	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p));
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2061	if (r == 0) {
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2062	if (mbedtls_mpi_cmp_int(X, p) == 0) {
				2063	return 1;
				2064	} else {
				2065	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2066	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2067	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2068	}
				2069
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2070	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2071	return ret;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2072	}
				2073
				2074	/*
				2075	* Miller-Rabin pseudo-primality test (HAC 4.24)
				2076	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2077	static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
				2078	int (f_rng)(void , unsigned char *, size_t),
				2079	void *p_rng)
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2080	{
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2081	int ret, count;
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2082	size_t i, j, k, s;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2083	mbedtls_mpi W, R, T, A, RR;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2084
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2085	mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
				2086	mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
				2087	mbedtls_mpi_init(&RR);
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2088
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2089	/*
				2090	* W = \|X\| - 1
				2091	* R = W >> lsb( W )
				2092	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2093	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));
				2094	s = mbedtls_mpi_lsb(&W);
				2095	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
				2096	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2097
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2098	for (i = 0; i < rounds; i++) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2099	/*
				2100	* pick a random A, 1 < A < \|X\| - 1
				2101	*/
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2102	count = 0;
				2103	do {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2104	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2105
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2106	j = mbedtls_mpi_bitlen(&A);
				2107	k = mbedtls_mpi_bitlen(&W);
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2108	if (j > k) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2109	A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2110	}
				2111
				2112	if (count++ > 30) {
Jens Wiklander	f08aa3e	2019-01-17 13:30:57 +0100	[diff] [blame]	2113	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2114	goto cleanup;
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2115	}
				2116
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2117	} while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 \|\|
				2118	mbedtls_mpi_cmp_int(&A, 1) <= 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2119
				2120	/*
				2121	* A = A^R mod \|X\|
				2122	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2123	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2124
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2125	if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 \|\|
				2126	mbedtls_mpi_cmp_int(&A, 1) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2127	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2128	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2129
				2130	j = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2131	while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2132	/*
				2133	* A = A * A mod \|X\|
				2134	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2135	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));
				2136	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2137
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2138	if (mbedtls_mpi_cmp_int(&A, 1) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2139	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2140	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2141
				2142	j++;
				2143	}
				2144
				2145	/*
				2146	* not prime if A != \|X\| - 1 or A == 1
				2147	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2148	if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 \|\|
				2149	mbedtls_mpi_cmp_int(&A, 1) == 0) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2150	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2151	break;
				2152	}
				2153	}
				2154
				2155	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2156	mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);
				2157	mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);
				2158	mbedtls_mpi_free(&RR);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2159
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2160	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2161	}
				2162
				2163	/*
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2164	* Pseudo-primality test: small factors, then Miller-Rabin
				2165	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2166	int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
				2167	int (f_rng)(void , unsigned char *, size_t),
				2168	void *p_rng)
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2169	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	2170	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2171	mbedtls_mpi XX;
Manuel Pégourié-Gonnard	7f4ed67	2014-10-14 20:56:02 +0200	[diff] [blame]	2172
				2173	XX.s = 1;
				2174	XX.n = X->n;
				2175	XX.p = X->p;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2176
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2177	if (mbedtls_mpi_cmp_int(&XX, 0) == 0 \|\|
				2178	mbedtls_mpi_cmp_int(&XX, 1) == 0) {
				2179	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2180	}
				2181
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2182	if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {
				2183	return 0;
				2184	}
				2185
				2186	if ((ret = mpi_check_small_factors(&XX)) != 0) {
				2187	if (ret == 1) {
				2188	return 0;
				2189	}
				2190
				2191	return ret;
				2192	}
				2193
				2194	return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);
Janos Follath	f301d23	2018-08-14 13:34:01 +0100	[diff] [blame]	2195	}
				2196
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2197	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2198	* Prime number generation
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2199	*
Janos Follath	f301d23	2018-08-14 13:34:01 +0100	[diff] [blame]	2200	* To generate an RSA key in a way recommended by FIPS 186-4, both primes must
				2201	* be either 1024 bits or 1536 bits long, and flags must contain
				2202	* MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2203	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2204	int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
				2205	int (f_rng)(void , unsigned char *, size_t),
				2206	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2207	{
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2208	#ifdef MBEDTLS_HAVE_INT64
				2209	// ceil(2^63.5)
				2210	#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
				2211	#else
				2212	// ceil(2^31.5)
				2213	#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
				2214	#endif
				2215	int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2216	size_t k, n;
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2217	int rounds;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2218	mbedtls_mpi_uint r;
				2219	mbedtls_mpi Y;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2220
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2221	if (nbits < 3 \|\| nbits > MBEDTLS_MPI_MAX_BITS) {
				2222	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				2223	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2224
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2225	mbedtls_mpi_init(&Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2226
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2227	n = BITS_TO_LIMBS(nbits);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2228
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2229	if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2230	/*
				2231	* 2^-80 error probability, number of rounds chosen per HAC, table 4.4
				2232	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2233	rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :
				2234	(nbits >= 650) ? 4 : (nbits >= 350) ? 8 :
				2235	(nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);
				2236	} else {
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2237	/*
				2238	* 2^-100 error probability, number of rounds computed based on HAC,
				2239	* fact 4.48
				2240	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2241	rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :
				2242	(nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :
				2243	(nbits >= 750) ? 8 : (nbits >= 500) ? 13 :
				2244	(nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2245	}
				2246
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2247	while (1) {
				2248	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2249	/* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2250	if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {
				2251	continue;
				2252	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2253
				2254	k = n * biL;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2255	if (k > nbits) {
				2256	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
				2257	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2258	X->p[0] \|= 1;
				2259
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2260	if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
				2261	ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2262
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2263	if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2264	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2265	}
				2266	} else {
Manuel Pégourié-Gonnard	ddf7615	2013-11-22 19:58:22 +0100	[diff] [blame]	2267	/*
Tom Cosgrove	ce7f18c	2022-07-28 05:50:56 +0100	[diff] [blame]	2268	* A necessary condition for Y and X = 2Y + 1 to be prime
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2269	* is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
				2270	* Make sure it is satisfied, while keeping X = 3 mod 4
Manuel Pégourié-Gonnard	ddf7615	2013-11-22 19:58:22 +0100	[diff] [blame]	2271	*/
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2272
				2273	X->p[0] \|= 2;
				2274
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2275	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));
				2276	if (r == 0) {
				2277	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));
				2278	} else if (r == 1) {
				2279	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));
				2280	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2281
				2282	/* Set Y = (X-1) / 2, which is X / 2 because X is odd */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2283	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));
				2284	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2285
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2286	while (1) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2287	/*
				2288	* First, check small factors for X and Y
				2289	* before doing Miller-Rabin on any of them
				2290	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2291	if ((ret = mpi_check_small_factors(X)) == 0 &&
				2292	(ret = mpi_check_small_factors(&Y)) == 0 &&
				2293	(ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
				2294	== 0 &&
				2295	(ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
				2296	== 0) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2297	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2298	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2299
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2300	if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2301	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2302	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2303
				2304	/*
				2305	* Next candidates. We want to preserve Y = (X-1) / 2 and
				2306	* Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
				2307	* so up Y by 6 and X by 12.
				2308	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2309	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));
				2310	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2311	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2312	}
				2313	}
				2314
				2315	cleanup:
				2316
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2317	mbedtls_mpi_free(&Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2318
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2319	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2320	}
				2321
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2322	#endif /* MBEDTLS_GENPRIME */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2323
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2324	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2325
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2326	#define GCD_PAIR_COUNT 3
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2327
				2328	static const int gcd_pairs[GCD_PAIR_COUNT][3] =
				2329	{
				2330	{ 693, 609, 21 },
				2331	{ 1764, 868, 28 },
				2332	{ 768454923, 542167814, 1 }
				2333	};
				2334
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2335	/*
				2336	* Checkup routine
				2337	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2338	int mbedtls_mpi_self_test(int verbose)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2339	{
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2340	int ret, i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2341	mbedtls_mpi A, E, N, X, Y, U, V;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2342
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2343	mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);
				2344	mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2345
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2346	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,
				2347	"EFE021C2645FD1DC586E69184AF4A31E" \
				2348	"D5F53E93B5F123FA41680867BA110131" \
				2349	"944FE7952E2517337780CB0DB80E61AA" \
				2350	"E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2351
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2352	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,
				2353	"B2E7EFD37075B9F03FF989C7C5051C20" \
				2354	"34D2A323810251127E7BF8625A4F49A5" \
				2355	"F3E27F4DA8BD59C47D6DAABA4C8127BD" \
				2356	"5B5C25763222FEFCCFC38B832366C29E"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2357
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2358	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,
				2359	"0066A198186C18C10B2F5ED9B522752A" \
				2360	"9830B69916E535C8F047518A889A43A5" \
				2361	"94B6BED27A168D31D4A52F88925AA8F5"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2362
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2363	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2364
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2365	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2366	"602AB7ECA597A3D6B56FF9829A5E8B85" \
				2367	"9E857EA95A03512E2BAE7391688D264A" \
				2368	"A5663B0341DB9CCFD2C4C5F421FEC814" \
				2369	"8001B72E848A38CAE1C65F78E56ABDEF" \
				2370	"E12D3C039B8A02D6BE593F0BBBDA56F1" \
				2371	"ECF677152EF804370C1A305CAF3B5BF1" \
				2372	"30879B56C61DE584A0F53A2447A51E"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2373
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2374	if (verbose != 0) {
				2375	mbedtls_printf(" MPI test #1 (mul_mpi): ");
				2376	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2377
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2378	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2379	if (verbose != 0) {
				2380	mbedtls_printf("failed\n");
				2381	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2382
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2383	ret = 1;
				2384	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2385	}
				2386
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2387	if (verbose != 0) {
				2388	mbedtls_printf("passed\n");
				2389	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2390
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2391	MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2392
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2393	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2394	"256567336059E52CAE22925474705F39A94"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2395
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2396	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,
				2397	"6613F26162223DF488E9CD48CC132C7A" \
				2398	"0AC93C701B001B092E4E5B9F73BCD27B" \
				2399	"9EE50D0657C77F374E903CDFA4C642"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2400
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2401	if (verbose != 0) {
				2402	mbedtls_printf(" MPI test #2 (div_mpi): ");
				2403	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2404
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2405	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 \|\|
				2406	mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {
				2407	if (verbose != 0) {
				2408	mbedtls_printf("failed\n");
				2409	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2410
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2411	ret = 1;
				2412	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2413	}
				2414
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2415	if (verbose != 0) {
				2416	mbedtls_printf("passed\n");
				2417	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2418
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2419	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2420
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2421	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2422	"36E139AEA55215609D2816998ED020BB" \
				2423	"BD96C37890F65171D948E9BC7CBAA4D9" \
				2424	"325D24D6A3C12710F10A09FA08AB87"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2425
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2426	if (verbose != 0) {
				2427	mbedtls_printf(" MPI test #3 (exp_mod): ");
				2428	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2429
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2430	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2431	if (verbose != 0) {
				2432	mbedtls_printf("failed\n");
				2433	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2434
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2435	ret = 1;
				2436	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2437	}
				2438
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2439	if (verbose != 0) {
				2440	mbedtls_printf("passed\n");
				2441	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2442
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2443	MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2444
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2445	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2446	"003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
				2447	"C3DBA76456363A10869622EAC2DD84EC" \
				2448	"C5B8A74DAC4D09E03B5E0BE779F2DF61"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2449
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2450	if (verbose != 0) {
				2451	mbedtls_printf(" MPI test #4 (inv_mod): ");
				2452	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2453
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2454	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2455	if (verbose != 0) {
				2456	mbedtls_printf("failed\n");
				2457	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2458
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2459	ret = 1;
				2460	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2461	}
				2462
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2463	if (verbose != 0) {
				2464	mbedtls_printf("passed\n");
				2465	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2466
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2467	if (verbose != 0) {
				2468	mbedtls_printf(" MPI test #5 (simple gcd): ");
				2469	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2470
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2471	for (i = 0; i < GCD_PAIR_COUNT; i++) {
				2472	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));
				2473	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2474
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2475	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2476
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2477	if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {
				2478	if (verbose != 0) {
				2479	mbedtls_printf("failed at %d\n", i);
				2480	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2481
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2482	ret = 1;
				2483	goto cleanup;
				2484	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2485	}
				2486
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2487	if (verbose != 0) {
				2488	mbedtls_printf("passed\n");
				2489	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2490
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2491	cleanup:
				2492
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2493	if (ret != 0 && verbose != 0) {
				2494	mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
				2495	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2496
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2497	mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);
				2498	mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2499
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2500	if (verbose != 0) {
				2501	mbedtls_printf("\n");
				2502	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2503
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2504	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2505	}
				2506
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2507	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2508
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2509	#endif /* MBEDTLS_BIGNUM_C */