Move some bignum functions to internal header
We will need a couple of low level functions to implement safe
unblinding in RSA.
Signed-off-by: Janos Follath <janos.follath@arm.com>
diff --git a/library/bignum.c b/library/bignum.c
index 551fd81..50da6b3 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1907,7 +1907,7 @@
/*
* Fast Montgomery initialization (thanks to Tom St Denis)
*/
-static void mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N)
+void mbedtls_mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N)
{
mbedtls_mpi_uint x, m0 = N->p[0];
unsigned int i;
@@ -1922,33 +1922,11 @@
*mm = ~x + 1;
}
-/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
- *
- * \param[in,out] A One of the numbers to multiply.
- * It must have at least as many limbs as N
- * (A->n >= N->n), and any limbs beyond n are ignored.
- * On successful completion, A contains the result of
- * the multiplication A * B * R^-1 mod N where
- * R = (2^ciL)^n.
- * \param[in] B One of the numbers to multiply.
- * It must be nonzero and must not have more limbs than N
- * (B->n <= N->n).
- * \param[in] N The modulo. N must be odd.
- * \param mm The value calculated by `mpi_montg_init(&mm, N)`.
- * This is -N^-1 mod 2^ciL.
- * \param[in,out] T A bignum for temporary storage.
- * It must be at least twice the limb size of N plus 2
- * (T->n >= 2 * (N->n + 1)).
- * Its initial content is unused and
- * its final content is indeterminate.
- * Note that unlike the usual convention in the library
- * for `const mbedtls_mpi*`, the content of T can change.
- */
-static void mpi_montmul(mbedtls_mpi *A,
- const mbedtls_mpi *B,
- const mbedtls_mpi *N,
- mbedtls_mpi_uint mm,
- const mbedtls_mpi *T)
+void mbedtls_mpi_montmul(mbedtls_mpi *A,
+ const mbedtls_mpi *B,
+ const mbedtls_mpi *N,
+ mbedtls_mpi_uint mm,
+ const mbedtls_mpi *T)
{
size_t i, n, m;
mbedtls_mpi_uint u0, u1, *d;
@@ -1996,7 +1974,8 @@
/*
* Montgomery reduction: A = A * R^-1 mod N
*
- * See mpi_montmul() regarding constraints and guarantees on the parameters.
+ * See mbedtls_mpi_montmul() regarding constraints and guarantees on the
+ * parameters.
*/
static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N,
mbedtls_mpi_uint mm, const mbedtls_mpi *T)
@@ -2007,7 +1986,7 @@
U.n = U.s = (int) z;
U.p = &z;
- mpi_montmul(A, &U, N, mm, T);
+ mbedtls_mpi_montmul(A, &U, N, mm, T);
}
/**
@@ -2090,7 +2069,7 @@
/*
* Init temps and window size
*/
- mpi_montg_init(&mm, N);
+ mbedtls_mpi_montg_init(&mm, N);
mbedtls_mpi_init(&RR); mbedtls_mpi_init(&T);
mbedtls_mpi_init(&Apos);
mbedtls_mpi_init(&WW);
@@ -2144,10 +2123,10 @@
j = N->n + 1;
/* All W[i] including the accumulator must have at least N->n limbs for
- * the mpi_montmul() and mpi_montred() calls later. Here we ensure that
- * W[1] and the accumulator W[x_index] are large enough. later we'll grow
- * other W[i] to the same length. They must not be shrunk midway through
- * this function!
+ * the mbedtls_mpi_montmul() and mpi_montred() calls later. Here we ensure
+ * that W[1] and the accumulator W[x_index] are large enough. later we'll
+ * grow other W[i] to the same length. They must not be shrunk midway
+ * through this function!
*/
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j));
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j));
@@ -2183,7 +2162,7 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&W[1], A, N));
/* This should be a no-op because W[1] is already that large before
* mbedtls_mpi_mod_mpi(), but it's necessary to avoid an overflow
- * in mpi_montmul() below, so let's make sure. */
+ * in mbedtls_mpi_montmul() below, so let's make sure. */
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], N->n + 1));
} else {
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[1], A));
@@ -2191,7 +2170,7 @@
/* Note that this is safe because W[1] always has at least N->n limbs
* (it grew above and was preserved by mbedtls_mpi_copy()). */
- mpi_montmul(&W[1], &RR, N, mm, &T);
+ mbedtls_mpi_montmul(&W[1], &RR, N, mm, &T);
/*
* W[x_index] = R^2 * R^-1 mod N = R mod N
@@ -2217,7 +2196,7 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[j], &W[1]));
for (i = 0; i < window_bitsize - 1; i++) {
- mpi_montmul(&W[j], &W[j], N, mm, &T);
+ mbedtls_mpi_montmul(&W[j], &W[j], N, mm, &T);
}
/*
@@ -2227,7 +2206,7 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[i], N->n + 1));
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[i], &W[i - 1]));
- mpi_montmul(&W[i], &W[1], N, mm, &T);
+ mbedtls_mpi_montmul(&W[i], &W[1], N, mm, &T);
}
}
@@ -2263,7 +2242,7 @@
* out of window, square W[x_index]
*/
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
+ mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
continue;
}
@@ -2282,7 +2261,7 @@
for (i = 0; i < window_bitsize; i++) {
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
x_index));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
+ mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
}
/*
@@ -2290,7 +2269,7 @@
*/
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
exponent_bits_in_window));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
+ mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
state--;
nbits = 0;
@@ -2303,13 +2282,13 @@
*/
for (i = 0; i < nbits; i++) {
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
+ mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
exponent_bits_in_window <<= 1;
if ((exponent_bits_in_window & ((size_t) 1 << window_bitsize)) != 0) {
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, 1));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
+ mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
}
}