Blame - library/bignum.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 22e22aa076490f6eb8af64b76a918664f2854b99 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* Multi-precision integer library
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Dave Rodgman	16799db	2023-11-02 19:47:20 +0000	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	6	*/
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	7
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	8	/*
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	9	* The following sources were referenced in the design of this Multi-precision
				10	* Integer library:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	11	*
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	12	* [1] Handbook of Applied Cryptography - 1997
				13	* Menezes, van Oorschot and Vanstone
				14	*
				15	* [2] Multi-Precision Math
				16	* Tom St Denis
				17	* https://github.com/libtom/libtommath/blob/develop/tommath.pdf
				18	*
				19	* [3] GNU Multi-Precision Arithmetic Library
				20	* https://gmplib.org/manual/index.html
				21	*
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	22	*/
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	23
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	24	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	25
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	26	#if defined(MBEDTLS_BIGNUM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	27
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	28	#include "mbedtls/bignum.h"
Janos Follath	4614b9a	2022-07-21 15:34:47 +0100	[diff] [blame]	29	#include "bignum_core.h"
Chris Jones	4c5819c	2021-03-03 17:45:34 +0000	[diff] [blame]	30	#include "bn_mul.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	31	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	32	#include "mbedtls/error.h"
Gabor Mezei	22c9a6f	2021-10-20 12:09:35 +0200	[diff] [blame]	33	#include "constant_time_internal.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	34
Dave Rodgman	351c71b	2021-12-06 17:50:53 +0000	[diff] [blame]	35	#include <limits.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	36	#include <string.h>
				37
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	38	#include "mbedtls/platform.h"
Paul Bakker	6e339b5	2013-07-03 13:37:05 +0200	[diff] [blame]	39
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	40
				41
				42	/*
				43	* Conditionally select an MPI sign in constant time.
				44	* (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid
				45	* values.)
				46	*/
				47	static inline unsigned short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond,
				48	unsigned short sign1, unsigned short sign2)
				49	{
				50	return (unsigned short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1;
				51	}
				52
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	53	/*
				54	* Compare signed values in constant time
				55	*/
				56	int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
				57	const mbedtls_mpi *Y,
				58	unsigned *ret)
				59	{
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	60	mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	61
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	62	if (X->n != Y->n) {
				63	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				64	}
				65
				66	/*
Dave Rodgman	b69239c	2023-08-09 14:53:18 +0100	[diff] [blame]	67	* Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0.
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	68	* We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
				69	*/
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	70	X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1);
				71	Y_is_negative = mbedtls_ct_bool((Y->s & 2) >> 1);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	72
				73	/*
				74	* If the signs are different, then the positive operand is the bigger.
				75	* That is if X is negative (X_is_negative == 1), then X < Y is true and it
				76	* is false if X is positive (X_is_negative == 0).
				77	*/
Dave Rodgman	1cfc43c	2023-09-19 16:18:59 +0100	[diff] [blame]	78	different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	79	result = mbedtls_ct_bool_and(different_sign, X_is_negative);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	80
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	81	/*
				82	* Assuming signs are the same, compare X and Y. We switch the comparison
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	83	* order if they are negative so that we get the right result, regardles of
				84	* sign.
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	85	*/
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	86
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	87	/* This array is used to conditionally swap the pointers in const time */
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	88	void * const p[2] = { X->p, Y->p };
Dave Rodgman	98ddc01	2023-08-10 12:11:31 +0100	[diff] [blame]	89	size_t i = mbedtls_ct_size_if_else_0(X_is_negative, 1);
Dave Rodgman	2c76484	2023-05-18 13:28:21 +0100	[diff] [blame]	90	mbedtls_ct_condition_t lt = mbedtls_mpi_core_lt_ct(p[i], p[i ^ 1], X->n);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	91
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	92	/*
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	93	* Store in result iff the signs are the same (i.e., iff different_sign == false). If
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	94	* the signs differ, result has already been set, so we don't change it.
				95	*/
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	96	result = mbedtls_ct_bool_or(result,
				97	mbedtls_ct_bool_and(mbedtls_ct_bool_not(different_sign), lt));
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	98
Dave Rodgman	98ddc01	2023-08-10 12:11:31 +0100	[diff] [blame]	99	*ret = mbedtls_ct_uint_if_else_0(result, 1);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	100
				101	return 0;
				102	}
				103
				104	/*
				105	* Conditionally assign X = Y, without leaking information
				106	* about whether the assignment was made or not.
				107	* (Leaking information about the respective sizes of X and Y is ok however.)
				108	*/
Dave Rodgman	0a48717	2023-09-15 11:52:06 +0100	[diff] [blame]	109	#if defined(_MSC_VER) && defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \
				110	(_MSC_FULL_VER < 193131103)
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	111	/*
				112	* MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:
				113	* https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989
				114	*/
				115	__declspec(noinline)
				116	#endif
				117	int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X,
				118	const mbedtls_mpi *Y,
				119	unsigned char assign)
				120	{
				121	int ret = 0;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	122
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	123	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
				124
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	125	{
				126	mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign);
Dave Rodgman	589ccb8	2023-05-17 13:55:01 +0100	[diff] [blame]	127
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	128	X->s = mbedtls_ct_mpi_sign_if(do_assign, Y->s, X->s);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	129
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	130	mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	131
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	132	mbedtls_ct_condition_t do_not_assign = mbedtls_ct_bool_not(do_assign);
				133	for (size_t i = Y->n; i < X->n; i++) {
				134	X->p[i] = mbedtls_ct_mpi_uint_if_else_0(do_not_assign, X->p[i]);
				135	}
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	136	}
				137
				138	cleanup:
				139	return ret;
				140	}
				141
				142	/*
				143	* Conditionally swap X and Y, without leaking information
				144	* about whether the swap was made or not.
				145	* Here it is not ok to simply swap the pointers, which would lead to
				146	* different memory access patterns when X and Y are used afterwards.
				147	*/
				148	int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X,
				149	mbedtls_mpi *Y,
				150	unsigned char swap)
				151	{
				152	int ret = 0;
				153	int s;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	154
				155	if (X == Y) {
				156	return 0;
				157	}
				158
Dave Rodgman	cd2e38b	2023-05-17 13:31:55 +0100	[diff] [blame]	159	mbedtls_ct_condition_t do_swap = mbedtls_ct_bool(swap);
				160
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	161	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
				162	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n));
				163
				164	s = X->s;
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	165	X->s = mbedtls_ct_mpi_sign_if(do_swap, Y->s, X->s);
				166	Y->s = mbedtls_ct_mpi_sign_if(do_swap, s, Y->s);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	167
Dave Rodgman	cd2e38b	2023-05-17 13:31:55 +0100	[diff] [blame]	168	mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	169
				170	cleanup:
				171	return ret;
				172	}
				173
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	174	/* Implementation that should never be optimized out by the compiler */
Tom Cosgrove	bc345e8	2023-07-25 15:17:39 +0100	[diff] [blame]	175	#define mbedtls_mpi_zeroize_and_free(v, n) mbedtls_zeroize_and_free(v, ciL * (n))
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	176
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	177	/*
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	178	* Initialize one MPI
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	179	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	180	void mbedtls_mpi_init(mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	181	{
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	182	X->s = 1;
				183	X->n = 0;
				184	X->p = NULL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	185	}
				186
				187	/*
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	188	* Unallocate one MPI
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	189	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	190	void mbedtls_mpi_free(mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	191	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	192	if (X == NULL) {
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	193	return;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	194	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	195
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	196	if (X->p != NULL) {
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	197	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	198	}
				199
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	200	X->s = 1;
				201	X->n = 0;
				202	X->p = NULL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	203	}
				204
				205	/*
				206	* Enlarge to the specified number of limbs
				207	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	208	int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	209	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	210	mbedtls_mpi_uint *p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	211
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	212	if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
				213	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				214	}
Paul Bakker	f968857	2011-05-05 10:00:45 +0000	[diff] [blame]	215
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	216	if (X->n < nblimbs) {
				217	if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {
				218	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				219	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	220
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	221	if (X->p != NULL) {
				222	memcpy(p, X->p, X->n * ciL);
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	223	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	224	}
				225
Gilles Peskine	053022f	2023-06-29 19:26:48 +0200	[diff] [blame]	226	/* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
				227	* fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
				228	X->n = (unsigned short) nblimbs;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	229	X->p = p;
				230	}
				231
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	232	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	233	}
				234
				235	/*
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	236	* Resize down as much as possible,
				237	* while keeping at least the specified number of limbs
				238	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	239	int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	240	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	241	mbedtls_mpi_uint *p;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	242	size_t i;
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	243
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	244	if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
				245	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				246	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	247
Gilles Peskine	e2f563e	2020-01-20 21:17:43 +0100	[diff] [blame]	248	/* Actually resize up if there are currently fewer than nblimbs limbs. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	249	if (X->n <= nblimbs) {
				250	return mbedtls_mpi_grow(X, nblimbs);
				251	}
Gilles Peskine	322752b	2020-01-21 13:59:51 +0100	[diff] [blame]	252	/* After this point, then X->n > nblimbs and in particular X->n > 0. */
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	253
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	254	for (i = X->n - 1; i > 0; i--) {
				255	if (X->p[i] != 0) {
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	256	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	257	}
				258	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	259	i++;
				260
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	261	if (i < nblimbs) {
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	262	i = nblimbs;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	263	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	264
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	265	if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {
				266	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				267	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	268
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	269	if (X->p != NULL) {
				270	memcpy(p, X->p, i * ciL);
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	271	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	272	}
				273
Gilles Peskine	053022f	2023-06-29 19:26:48 +0200	[diff] [blame]	274	/* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
				275	* fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
				276	X->n = (unsigned short) i;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	277	X->p = p;
				278
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	279	return 0;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	280	}
				281
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	282	/* Resize X to have exactly n limbs and set it to 0. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	283	static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	284	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	285	if (limbs == 0) {
				286	mbedtls_mpi_free(X);
				287	return 0;
				288	} else if (X->n == limbs) {
				289	memset(X->p, 0, limbs * ciL);
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	290	X->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	291	return 0;
				292	} else {
				293	mbedtls_mpi_free(X);
				294	return mbedtls_mpi_grow(X, limbs);
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	295	}
				296	}
				297
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	298	/*
Gilles Peskine	3da1a8f	2021-06-08 23:17:42 +0200	[diff] [blame]	299	* Copy the contents of Y into X.
				300	*
				301	* This function is not constant-time. Leading zeros in Y may be removed.
				302	*
				303	* Ensure that X does not shrink. This is not guaranteed by the public API,
Janos Follath	c9faea0	2024-02-19 10:49:18 +0000	[diff] [blame]	304	* but some code in the bignum module might still rely on this property.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	305	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	306	int mbedtls_mpi_copy(mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	307	{
Gilles Peskine	4e4be7c	2018-03-21 16:29:03 +0100	[diff] [blame]	308	int ret = 0;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	309	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	310
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	311	if (X == Y) {
				312	return 0;
Manuel Pégourié-Gonnard	f499993	2013-08-12 17:02:59 +0200	[diff] [blame]	313	}
				314
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	315	if (Y->n == 0) {
				316	if (X->n != 0) {
				317	X->s = 1;
				318	memset(X->p, 0, X->n * ciL);
				319	}
				320	return 0;
				321	}
				322
				323	for (i = Y->n - 1; i > 0; i--) {
				324	if (Y->p[i] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	325	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	326	}
				327	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	328	i++;
				329
				330	X->s = Y->s;
				331
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	332	if (X->n < i) {
				333	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));
				334	} else {
				335	memset(X->p + i, 0, (X->n - i) * ciL);
Gilles Peskine	4e4be7c	2018-03-21 16:29:03 +0100	[diff] [blame]	336	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	337
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	338	memcpy(X->p, Y->p, i * ciL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	339
				340	cleanup:
				341
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	342	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	343	}
				344
				345	/*
				346	* Swap the contents of X and Y
				347	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	348	void mbedtls_mpi_swap(mbedtls_mpi X, mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	349	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	350	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	351
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	352	memcpy(&T, X, sizeof(mbedtls_mpi));
				353	memcpy(X, Y, sizeof(mbedtls_mpi));
				354	memcpy(Y, &T, sizeof(mbedtls_mpi));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	355	}
				356
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	357	static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	358	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	359	if (z >= 0) {
				360	return z;
				361	}
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	362	/* Take care to handle the most negative value (-2^(biL-1)) correctly.
				363	* A naive -z would have undefined behavior.
				364	* Write this in a way that makes popular compilers happy (GCC, Clang,
				365	* MSVC). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	366	return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	367	}
				368
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	369	/* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative.
				370	* This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */
Dave Rodgman	73d8591	2023-09-28 17:00:50 +0100	[diff] [blame]	371	#define TO_SIGN(x) ((mbedtls_mpi_sint) (((mbedtls_mpi_uint) x) >> (biL - 1)) * -2 + 1)
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	372
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	373	/*
				374	* Set value from integer
				375	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	376	int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	377	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	378	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	379
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	380	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
				381	memset(X->p, 0, X->n * ciL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	382
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	383	X->p[0] = mpi_sint_abs(z);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	384	X->s = TO_SIGN(z);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	385
				386	cleanup:
				387
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	388	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	389	}
				390
				391	/*
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	392	* Get a specific bit
				393	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	394	int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	395	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	396	if (X->n * biL <= pos) {
				397	return 0;
				398	}
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	399
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	400	return (X->p[pos / biL] >> (pos % biL)) & 0x01;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	401	}
				402
				403	/*
				404	* Set a bit to a specific value of 0 or 1
				405	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	406	int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	407	{
				408	int ret = 0;
				409	size_t off = pos / biL;
				410	size_t idx = pos % biL;
				411
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	412	if (val != 0 && val != 1) {
				413	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	414	}
				415
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	416	if (X->n * biL <= pos) {
				417	if (val == 0) {
				418	return 0;
				419	}
				420
				421	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));
				422	}
				423
				424	X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	425	X->p[off] \|= (mbedtls_mpi_uint) val << idx;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	426
				427	cleanup:
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	428
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	429	return ret;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	430	}
				431
				432	/*
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	433	* Return the number of less significant zero-bits
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	434	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	435	size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	436	{
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	437	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	438
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	439	#if defined(__has_builtin)
				440	#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz)
				441	#define mbedtls_mpi_uint_ctz __builtin_ctz
				442	#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_ctzl)
				443	#define mbedtls_mpi_uint_ctz __builtin_ctzl
				444	#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_ctzll)
				445	#define mbedtls_mpi_uint_ctz __builtin_ctzll
				446	#endif
				447	#endif
				448
				449	#if defined(mbedtls_mpi_uint_ctz)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	450	for (i = 0; i < X->n; i++) {
Dave Rodgman	960eca9	2023-08-09 20:43:18 +0100	[diff] [blame]	451	if (X->p[i] != 0) {
				452	return i * biL + mbedtls_mpi_uint_ctz(X->p[i]);
				453	}
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	454	}
				455	#else
				456	size_t count = 0;
				457	for (i = 0; i < X->n; i++) {
				458	for (size_t j = 0; j < biL; j++, count++) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	459	if (((X->p[i] >> j) & 1) != 0) {
				460	return count;
				461	}
				462	}
				463	}
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	464	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	465
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	466	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	467	}
				468
				469	/*
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	470	* Return the number of bits
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	471	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	472	size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	473	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	474	return mbedtls_mpi_core_bitlen(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	475	}
				476
				477	/*
				478	* Return the total size in bytes
				479	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	480	size_t mbedtls_mpi_size(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	481	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	482	return (mbedtls_mpi_bitlen(X) + 7) >> 3;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	483	}
				484
				485	/*
				486	* Convert an ASCII character to digit value
				487	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	488	static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	489	{
				490	*d = 255;
				491
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	492	if (c >= 0x30 && c <= 0x39) {
				493	*d = c - 0x30;
				494	}
				495	if (c >= 0x41 && c <= 0x46) {
				496	*d = c - 0x37;
				497	}
				498	if (c >= 0x61 && c <= 0x66) {
				499	*d = c - 0x57;
				500	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	501
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	502	if (*d >= (mbedtls_mpi_uint) radix) {
				503	return MBEDTLS_ERR_MPI_INVALID_CHARACTER;
				504	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	505
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	506	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	507	}
				508
				509	/*
				510	* Import from an ASCII string
				511	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	512	int mbedtls_mpi_read_string(mbedtls_mpi X, int radix, const char s)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	513	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	514	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	515	size_t i, j, slen, n;
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	516	int sign = 1;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	517	mbedtls_mpi_uint d;
				518	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	519
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	520	if (radix < 2 \|\| radix > 16) {
				521	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Gilles Peskine	7cba859	2021-06-08 18:32:34 +0200	[diff] [blame]	522	}
				523
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	524	mbedtls_mpi_init(&T);
				525
				526	if (s[0] == 0) {
				527	mbedtls_mpi_free(X);
				528	return 0;
				529	}
				530
				531	if (s[0] == '-') {
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	532	++s;
				533	sign = -1;
				534	}
				535
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	536	slen = strlen(s);
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	537
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	538	if (radix == 16) {
Dave Rodgman	68ef1d6	2023-05-18 20:49:03 +0100	[diff] [blame]	539	if (slen > SIZE_MAX >> 2) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	540	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	541	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	542
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	543	n = BITS_TO_LIMBS(slen << 2);
				544
				545	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));
				546	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
				547
				548	for (i = slen, j = 0; i > 0; i--, j++) {
				549	MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));
				550	X->p[j / (2 * ciL)] \|= d << ((j % (2 * ciL)) << 2);
				551	}
				552	} else {
				553	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
				554
				555	for (i = 0; i < slen; i++) {
				556	MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));
				557	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));
				558	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	559	}
				560	}
				561
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	562	if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	563	X->s = -1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	564	}
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	565
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	566	cleanup:
				567
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	568	mbedtls_mpi_free(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	569
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	570	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	571	}
				572
				573	/*
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	574	* Helper to write the digits high-order first.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	575	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	576	static int mpi_write_hlp(mbedtls_mpi *X, int radix,
				577	char **p, const size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	578	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	579	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	580	mbedtls_mpi_uint r;
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	581	size_t length = 0;
				582	char p_end = p + buflen;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	583
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	584	do {
				585	if (length >= buflen) {
				586	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	587	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	588
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	589	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
				590	MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	591	/*
				592	* Write the residue in the current position, as an ASCII character.
				593	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	594	if (r < 0xA) {
				595	*(--p_end) = (char) ('0' + r);
				596	} else {
				597	*(--p_end) = (char) ('A' + (r - 0xA));
				598	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	599
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	600	length++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	601	} while (mbedtls_mpi_cmp_int(X, 0) != 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	602
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	603	memmove(*p, p_end, length);
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	604	*p += length;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	605
				606	cleanup:
				607
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	608	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	609	}
				610
				611	/*
				612	* Export into an ASCII string
				613	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	614	int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
				615	char buf, size_t buflen, size_t olen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	616	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	617	int ret = 0;
				618	size_t n;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	619	char *p;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	620	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	621
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	622	if (radix < 2 \|\| radix > 16) {
				623	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				624	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	625
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	626	n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */
				627	if (radix >= 4) {
				628	n >>= 1; /* Number of 4-adic digits necessary to present
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	629	* `n`. If radix > 4, this might be a strict
				630	* overapproximation of the number of
				631	* radix-adic digits needed to present `n`. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	632	}
				633	if (radix >= 16) {
				634	n >>= 1; /* Number of hexadecimal digits necessary to
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	635	* present `n`. */
				636
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	637	}
Janos Follath	8047062	2019-03-06 13:43:02 +0000	[diff] [blame]	638	n += 1; /* Terminating null byte */
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	639	n += 1; /* Compensate for the divisions above, which round down `n`
				640	* in case it's not even. */
				641	n += 1; /* Potential '-'-sign. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	642	n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	643	* which always uses an even number of hex-digits. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	644
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	645	if (buflen < n) {
Manuel Pégourié-Gonnard	f79b425	2015-06-02 15:41:48 +0100	[diff] [blame]	646	*olen = n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	647	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	648	}
				649
Manuel Pégourié-Gonnard	f79b425	2015-06-02 15:41:48 +0100	[diff] [blame]	650	p = buf;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	651	mbedtls_mpi_init(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	652
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	653	if (X->s == -1) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	654	*p++ = '-';
Hanno Becker	c983c81	2019-02-01 16:41:30 +0000	[diff] [blame]	655	buflen--;
				656	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	657
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	658	if (radix == 16) {
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	659	int c;
				660	size_t i, j, k;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	661
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	662	for (i = X->n, k = 0; i > 0; i--) {
				663	for (j = ciL; j > 0; j--) {
				664	c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	665
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	666	if (c == 0 && k == 0 && (i + j) != 2) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	667	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	668	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	669
Paul Bakker	98fe5ea	2012-10-24 11:17:48 +0000	[diff] [blame]	670	*(p++) = "0123456789ABCDEF" [c / 16];
Paul Bakker	d2c167e	2012-10-30 07:49:19 +0000	[diff] [blame]	671	*(p++) = "0123456789ABCDEF" [c % 16];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	672	k = 1;
				673	}
				674	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	675	} else {
				676	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	677
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	678	if (T.s == -1) {
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	679	T.s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	680	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	681
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	682	MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	683	}
				684
				685	*p++ = '\0';
Dave Rodgman	e4a6f5a	2023-11-04 12:20:09 +0000	[diff] [blame]	686	*olen = (size_t) (p - buf);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	687
				688	cleanup:
				689
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	690	mbedtls_mpi_free(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	691
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	692	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	693	}
				694
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	695	#if defined(MBEDTLS_FS_IO)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	696	/*
				697	* Read X from an opened file
				698	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	699	int mbedtls_mpi_read_file(mbedtls_mpi X, int radix, FILE fin)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	700	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	701	mbedtls_mpi_uint d;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	702	size_t slen;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	703	char *p;
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	704	/*
Paul Bakker	cb37aa5	2011-11-30 16:00:20 +0000	[diff] [blame]	705	* Buffer should have space for (short) label and decimal formatted MPI,
				706	* newline characters and '\0'
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	707	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	708	char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	709
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	710	if (radix < 2 \|\| radix > 16) {
				711	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				712	}
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	713
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	714	memset(s, 0, sizeof(s));
				715	if (fgets(s, sizeof(s) - 1, fin) == NULL) {
				716	return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
				717	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	718
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	719	slen = strlen(s);
				720	if (slen == sizeof(s) - 2) {
				721	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
				722	}
Paul Bakker	cb37aa5	2011-11-30 16:00:20 +0000	[diff] [blame]	723
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	724	if (slen > 0 && s[slen - 1] == '\n') {
				725	slen--; s[slen] = '\0';
				726	}
				727	if (slen > 0 && s[slen - 1] == '\r') {
				728	slen--; s[slen] = '\0';
				729	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	730
				731	p = s + slen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	732	while (p-- > s) {
				733	if (mpi_get_digit(&d, radix, *p) != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	734	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	735	}
				736	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	737
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	738	return mbedtls_mpi_read_string(X, radix, p + 1);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	739	}
				740
				741	/*
				742	* Write X into an opened file (or stdout if fout == NULL)
				743	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	744	int mbedtls_mpi_write_file(const char p, const mbedtls_mpi X, int radix, FILE *fout)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	745	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	746	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	747	size_t n, slen, plen;
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	748	/*
Paul Bakker	5531c6d	2012-09-26 19:20:46 +0000	[diff] [blame]	749	* Buffer should have space for (short) label and decimal formatted MPI,
				750	* newline characters and '\0'
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	751	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	752	char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	753
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	754	if (radix < 2 \|\| radix > 16) {
				755	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				756	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	757
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	758	memset(s, 0, sizeof(s));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	759
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	760	MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	761
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	762	if (p == NULL) {
				763	p = "";
				764	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	765
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	766	plen = strlen(p);
				767	slen = strlen(s);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	768	s[slen++] = '\r';
				769	s[slen++] = '\n';
				770
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	771	if (fout != NULL) {
				772	if (fwrite(p, 1, plen, fout) != plen \|\|
				773	fwrite(s, 1, slen, fout) != slen) {
				774	return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
				775	}
				776	} else {
				777	mbedtls_printf("%s%s", p, s);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	778	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	779
				780	cleanup:
				781
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	782	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	783	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	784	#endif /* MBEDTLS_FS_IO */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	785
				786	/*
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	787	* Import X from unsigned binary data, little endian
Przemyslaw Stekiel	76960a7	2022-02-21 13:42:09 +0100	[diff] [blame]	788	*
				789	* This function is guaranteed to return an MPI with exactly the necessary
				790	* number of limbs (in particular, it does not skip 0s in the input).
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	791	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	792	int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
				793	const unsigned char *buf, size_t buflen)
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	794	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	795	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	796	const size_t limbs = CHARS_TO_LIMBS(buflen);
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	797
				798	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	799	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	800
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	801	MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen));
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	802
				803	cleanup:
				804
Janos Follath	171a7ef	2019-02-15 16:17:45 +0000	[diff] [blame]	805	/*
				806	* This function is also used to import keys. However, wiping the buffers
				807	* upon failure is not necessary because failure only can happen before any
				808	* input is copied.
				809	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	810	return ret;
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	811	}
				812
				813	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	814	* Import X from unsigned binary data, big endian
Przemyslaw Stekiel	76960a7	2022-02-21 13:42:09 +0100	[diff] [blame]	815	*
				816	* This function is guaranteed to return an MPI with exactly the necessary
				817	* number of limbs (in particular, it does not skip 0s in the input).
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	818	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	819	int mbedtls_mpi_read_binary(mbedtls_mpi X, const unsigned char buf, size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	820	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	821	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	822	const size_t limbs = CHARS_TO_LIMBS(buflen);
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	823
Hanno Becker	073c199	2017-10-17 15:17:27 +0100	[diff] [blame]	824	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	825	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	826
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	827	MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	828
				829	cleanup:
				830
Janos Follath	171a7ef	2019-02-15 16:17:45 +0000	[diff] [blame]	831	/*
				832	* This function is also used to import keys. However, wiping the buffers
				833	* upon failure is not necessary because failure only can happen before any
				834	* input is copied.
				835	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	836	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	837	}
				838
				839	/*
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	840	* Export X into unsigned binary data, little endian
				841	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	842	int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
				843	unsigned char *buf, size_t buflen)
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	844	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	845	return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen);
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	846	}
				847
				848	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	849	* Export X into unsigned binary data, big endian
				850	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	851	int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
				852	unsigned char *buf, size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	853	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	854	return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	855	}
				856
				857	/*
				858	* Left-shift: X <<= count
				859	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	860	int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	861	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	862	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Minos Galanakis	0144b35	2023-05-02 14:02:32 +0100	[diff] [blame]	863	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	864
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	865	i = mbedtls_mpi_bitlen(X) + count;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	866
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	867	if (X->n * biL < i) {
				868	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));
				869	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	870
				871	ret = 0;
				872
Minos Galanakis	0144b35	2023-05-02 14:02:32 +0100	[diff] [blame]	873	mbedtls_mpi_core_shift_l(X->p, X->n, count);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	874	cleanup:
				875
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	876	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	877	}
				878
				879	/*
				880	* Right-shift: X >>= count
				881	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	882	int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	883	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	884	if (X->n != 0) {
				885	mbedtls_mpi_core_shift_r(X->p, X->n, count);
				886	}
				887	return 0;
Gilles Peskine	6641420	2022-09-21 15:36:16 +0200	[diff] [blame]	888	}
				889
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	890	/*
				891	* Compare unsigned values
				892	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	893	int mbedtls_mpi_cmp_abs(const mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	894	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	895	size_t i, j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	896
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	897	for (i = X->n; i > 0; i--) {
				898	if (X->p[i - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	899	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	900	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	901	}
				902
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	903	for (j = Y->n; j > 0; j--) {
				904	if (Y->p[j - 1] != 0) {
				905	break;
				906	}
				907	}
				908
Dave Rodgman	ebcd785	2023-08-09 18:56:42 +0100	[diff] [blame]	909	/* If i == j == 0, i.e. abs(X) == abs(Y),
				910	* we end up returning 0 at the end of the function. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	911
				912	if (i > j) {
				913	return 1;
				914	}
				915	if (j > i) {
				916	return -1;
				917	}
				918
				919	for (; i > 0; i--) {
				920	if (X->p[i - 1] > Y->p[i - 1]) {
				921	return 1;
				922	}
				923	if (X->p[i - 1] < Y->p[i - 1]) {
				924	return -1;
				925	}
				926	}
				927
				928	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	929	}
				930
				931	/*
				932	* Compare signed values
				933	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	934	int mbedtls_mpi_cmp_mpi(const mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	935	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	936	size_t i, j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	937
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	938	for (i = X->n; i > 0; i--) {
				939	if (X->p[i - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	940	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	941	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	942	}
				943
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	944	for (j = Y->n; j > 0; j--) {
				945	if (Y->p[j - 1] != 0) {
				946	break;
				947	}
				948	}
				949
				950	if (i == 0 && j == 0) {
				951	return 0;
				952	}
				953
				954	if (i > j) {
				955	return X->s;
				956	}
				957	if (j > i) {
				958	return -Y->s;
				959	}
				960
				961	if (X->s > 0 && Y->s < 0) {
				962	return 1;
				963	}
				964	if (Y->s > 0 && X->s < 0) {
				965	return -1;
				966	}
				967
				968	for (; i > 0; i--) {
				969	if (X->p[i - 1] > Y->p[i - 1]) {
				970	return X->s;
				971	}
				972	if (X->p[i - 1] < Y->p[i - 1]) {
				973	return -X->s;
				974	}
				975	}
				976
				977	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	978	}
				979
Janos Follath	ee6abce	2019-09-05 14:47:19 +0100	[diff] [blame]	980	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	981	* Compare signed values
				982	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	983	int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	984	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	985	mbedtls_mpi Y;
				986	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	987
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	988	*p = mpi_sint_abs(z);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	989	Y.s = TO_SIGN(z);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	990	Y.n = 1;
				991	Y.p = p;
				992
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	993	return mbedtls_mpi_cmp_mpi(X, &Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	994	}
				995
				996	/*
				997	* Unsigned addition: X = \|A\| + \|B\| (HAC 14.7)
				998	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	999	int mbedtls_mpi_add_abs(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1000	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1001	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1002	size_t j;
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1003	mbedtls_mpi_uint *p;
				1004	mbedtls_mpi_uint c;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1005
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1006	if (X == B) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1007	const mbedtls_mpi *T = A; A = X; B = T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1008	}
				1009
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1010	if (X != A) {
				1011	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
				1012	}
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1013
Paul Bakker	f7ca7b9	2009-06-20 10:31:06 +0000	[diff] [blame]	1014	/*
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1015	* X must always be positive as a result of unsigned additions.
Paul Bakker	f7ca7b9	2009-06-20 10:31:06 +0000	[diff] [blame]	1016	*/
				1017	X->s = 1;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1018
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1019	for (j = B->n; j > 0; j--) {
				1020	if (B->p[j - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1021	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1022	}
				1023	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1024
Gilles Peskine	db14a9d	2022-11-15 22:59:00 +0100	[diff] [blame]	1025	/* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
				1026	* and B is 0 (of any size). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1027	if (j == 0) {
				1028	return 0;
				1029	}
Gilles Peskine	db14a9d	2022-11-15 22:59:00 +0100	[diff] [blame]	1030
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1031	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1032
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1033	/* j is the number of non-zero limbs of B. Add those to X. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1034
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1035	p = X->p;
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1036
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1037	c = mbedtls_mpi_core_add(p, p, B->p, j);
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1038
				1039	p += j;
				1040
				1041	/* Now propagate any carry */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1042
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1043	while (c != 0) {
				1044	if (j >= X->n) {
				1045	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1));
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1046	p = X->p + j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1047	}
				1048
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1049	p += c; c = (p < c); j++; p++;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1050	}
				1051
				1052	cleanup:
				1053
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1054	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1055	}
				1056
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1057	/*
Gilles Peskine	0e5faf6	2020-06-08 22:50:35 +0200	[diff] [blame]	1058	* Unsigned subtraction: X = \|A\| - \|B\| (HAC 14.9, 14.10)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1059	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1060	int mbedtls_mpi_sub_abs(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1061	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1062	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1063	size_t n;
Gilles Peskine	0e5faf6	2020-06-08 22:50:35 +0200	[diff] [blame]	1064	mbedtls_mpi_uint carry;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1065
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1066	for (n = B->n; n > 0; n--) {
				1067	if (B->p[n - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1068	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1069	}
				1070	}
				1071	if (n > A->n) {
Gilles Peskine	c8a9177	2021-01-27 22:30:43 +0100	[diff] [blame]	1072	/* B >= (2^ciL)^n > A */
				1073	ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1074	goto cleanup;
				1075	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1076
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1077	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1078
				1079	/* Set the high limbs of X to match A. Don't touch the lower limbs
				1080	* because X might be aliased to B, and we must not overwrite the
				1081	* significant digits of B. */
Aaron M. Ucko	af67d2c	2023-01-17 11:52:22 -0500	[diff] [blame]	1082	if (A->n > n && A != X) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1083	memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
				1084	}
				1085	if (X->n > A->n) {
				1086	memset(X->p + A->n, 0, (X->n - A->n) * ciL);
				1087	}
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1088
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1089	carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n);
				1090	if (carry != 0) {
Tom Cosgrove	452c99c	2022-08-25 10:07:07 +0100	[diff] [blame]	1091	/* Propagate the carry through the rest of X. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1092	carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n);
Tom Cosgrove	452c99c	2022-08-25 10:07:07 +0100	[diff] [blame]	1093
				1094	/* If we have further carry/borrow, the result is negative. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1095	if (carry != 0) {
Gilles Peskine	89b4130	2020-07-23 01:16:46 +0200	[diff] [blame]	1096	ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1097	goto cleanup;
				1098	}
Gilles Peskine	c097e9e	2020-06-08 21:58:22 +0200	[diff] [blame]	1099	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1100
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1101	/* X should always be positive as a result of unsigned subtractions. */
				1102	X->s = 1;
				1103
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1104	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1105	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1106	}
				1107
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1108	/* Common function for signed addition and subtraction.
				1109	* Calculate A + B * flip_B where flip_B is 1 or -1.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1110	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1111	static int add_sub_mpi(mbedtls_mpi *X,
				1112	const mbedtls_mpi A, const mbedtls_mpi B,
				1113	int flip_B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1114	{
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	1115	int ret, s;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1116
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	1117	s = A->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1118	if (A->s * B->s * flip_B < 0) {
				1119	int cmp = mbedtls_mpi_cmp_abs(A, B);
				1120	if (cmp >= 0) {
				1121	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
Gilles Peskine	4a768dd	2022-11-09 22:02:16 +0100	[diff] [blame]	1122	/* If \|A\| = \|B\|, the result is 0 and we must set the sign bit
				1123	* to +1 regardless of which of A or B was negative. Otherwise,
				1124	* since \|A\| > \|B\|, the sign is the sign of A. */
				1125	X->s = cmp == 0 ? 1 : s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1126	} else {
				1127	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));
Gilles Peskine	4a768dd	2022-11-09 22:02:16 +0100	[diff] [blame]	1128	/* Since \|A\| < \|B\|, the sign is the opposite of A. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1129	X->s = -s;
				1130	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1131	} else {
				1132	MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1133	X->s = s;
				1134	}
				1135
				1136	cleanup:
				1137
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1138	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1139	}
				1140
				1141	/*
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1142	* Signed addition: X = A + B
				1143	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1144	int mbedtls_mpi_add_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1145	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1146	return add_sub_mpi(X, A, B, 1);
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1147	}
				1148
				1149	/*
Paul Bakker	60b1d10	2013-10-29 10:02:51 +0100	[diff] [blame]	1150	* Signed subtraction: X = A - B
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1151	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1152	int mbedtls_mpi_sub_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1153	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1154	return add_sub_mpi(X, A, B, -1);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1155	}
				1156
				1157	/*
				1158	* Signed addition: X = A + b
				1159	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1160	int mbedtls_mpi_add_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1161	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1162	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1163	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1164
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1165	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1166	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1167	B.n = 1;
				1168	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1169
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1170	return mbedtls_mpi_add_mpi(X, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1171	}
				1172
				1173	/*
Paul Bakker	60b1d10	2013-10-29 10:02:51 +0100	[diff] [blame]	1174	* Signed subtraction: X = A - b
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1175	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1176	int mbedtls_mpi_sub_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1177	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1178	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1179	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1180
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1181	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1182	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1183	B.n = 1;
				1184	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1185
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1186	return mbedtls_mpi_sub_mpi(X, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1187	}
				1188
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1189	/*
				1190	* Baseline multiplication: X = A * B (HAC 14.12)
				1191	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1192	int mbedtls_mpi_mul_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1193	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1194	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	1772e05	2022-04-13 06:51:40 +0100	[diff] [blame]	1195	size_t i, j;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1196	mbedtls_mpi TA, TB;
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1197	int result_is_zero = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1198
Tom Cosgrove	6af26f3	2022-08-24 16:40:55 +0100	[diff] [blame]	1199	mbedtls_mpi_init(&TA);
				1200	mbedtls_mpi_init(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1201
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1202	if (X == A) {
				1203	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;
				1204	}
				1205	if (X == B) {
				1206	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;
				1207	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1208
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1209	for (i = A->n; i > 0; i--) {
				1210	if (A->p[i - 1] != 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1211	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1212	}
				1213	}
				1214	if (i == 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1215	result_is_zero = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1216	}
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1217
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1218	for (j = B->n; j > 0; j--) {
				1219	if (B->p[j - 1] != 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1220	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1221	}
				1222	}
				1223	if (j == 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1224	result_is_zero = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1225	}
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1226
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1227	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));
				1228	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1229
Tom Cosgrove	6af26f3	2022-08-24 16:40:55 +0100	[diff] [blame]	1230	mbedtls_mpi_core_mul(X->p, A->p, i, B->p, j);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1231
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1232	/* If the result is 0, we don't shortcut the operation, which reduces
				1233	* but does not eliminate side channels leaking the zero-ness. We do
				1234	* need to take care to set the sign bit properly since the library does
				1235	* not fully support an MPI object with a value of 0 and s == -1. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1236	if (result_is_zero) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1237	X->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1238	} else {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1239	X->s = A->s * B->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1240	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1241
				1242	cleanup:
				1243
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1244	mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1245
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1246	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1247	}
				1248
				1249	/*
				1250	* Baseline multiplication: X = A * b
				1251	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1252	int mbedtls_mpi_mul_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_uint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1253	{
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1254	size_t n = A->n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1255	while (n > 0 && A->p[n - 1] == 0) {
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1256	--n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1257	}
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1258
Hanno Becker	74a11a3	2022-04-06 06:27:00 +0100	[diff] [blame]	1259	/* The general method below doesn't work if b==0. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1260	if (b == 0 \|\| n == 0) {
				1261	return mbedtls_mpi_lset(X, 0);
				1262	}
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1263
Hanno Becker	aef9cc4	2022-04-11 06:36:29 +0100	[diff] [blame]	1264	/* Calculate Ab as A + A(b-1) to take advantage of mbedtls_mpi_core_mla */
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1265	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	cd0dbf3	2020-07-24 00:09:04 +0200	[diff] [blame]	1266	/* In general, A * b requires 1 limb more than b. If
				1267	* A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
				1268	* number of limbs as A and the call to grow() is not required since
Gilles Peskine	e1bba7c	2021-03-10 23:44:10 +0100	[diff] [blame]	1269	* copy() will take care of the growth if needed. However, experimentally,
				1270	* making the call to grow() unconditional causes slightly fewer
Gilles Peskine	cd0dbf3	2020-07-24 00:09:04 +0200	[diff] [blame]	1271	* calls to calloc() in ECP code, presumably because it reuses the
				1272	* same mpi for a while and this way the mpi is more likely to directly
Hanno Becker	9137b9c	2022-04-12 10:51:54 +0100	[diff] [blame]	1273	* grow to its final size.
				1274	*
				1275	* Note that calculating Ab as 0 + Ab doesn't work as-is because
				1276	* A,X can be the same. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1277	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));
				1278	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
				1279	mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1);
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1280
				1281	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1282	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1283	}
				1284
				1285	/*
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1286	* Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
				1287	* mbedtls_mpi_uint divisor, d
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1288	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1289	static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
				1290	mbedtls_mpi_uint u0,
				1291	mbedtls_mpi_uint d,
				1292	mbedtls_mpi_uint *r)
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1293	{
Manuel Pégourié-Gonnard	1630888	2015-12-01 10:27:00 +0100	[diff] [blame]	1294	#if defined(MBEDTLS_HAVE_UDBL)
				1295	mbedtls_t_udbl dividend, quotient;
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1296	#else
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1297	const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1298	const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1299	mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
				1300	mbedtls_mpi_uint u0_msw, u0_lsw;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1301	size_t s;
Manuel Pégourié-Gonnard	1630888	2015-12-01 10:27:00 +0100	[diff] [blame]	1302	#endif
				1303
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1304	/*
				1305	* Check for overflow
				1306	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1307	if (0 == d \|\| u1 >= d) {
				1308	if (r != NULL) {
				1309	*r = ~(mbedtls_mpi_uint) 0u;
				1310	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1311
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1312	return ~(mbedtls_mpi_uint) 0u;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1313	}
				1314
				1315	#if defined(MBEDTLS_HAVE_UDBL)
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1316	dividend = (mbedtls_t_udbl) u1 << biL;
				1317	dividend \|= (mbedtls_t_udbl) u0;
				1318	quotient = dividend / d;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1319	if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {
				1320	quotient = ((mbedtls_t_udbl) 1 << biL) - 1;
				1321	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1322
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1323	if (r != NULL) {
				1324	r = (mbedtls_mpi_uint) (dividend - (quotient d));
				1325	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1326
				1327	return (mbedtls_mpi_uint) quotient;
				1328	#else
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1329
				1330	/*
				1331	* Algorithm D, Section 4.3.1 - The Art of Computer Programming
				1332	* Vol. 2 - Seminumerical Algorithms, Knuth
				1333	*/
				1334
				1335	/*
				1336	* Normalize the divisor, d, and dividend, u0, u1
				1337	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1338	s = mbedtls_mpi_core_clz(d);
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1339	d = d << s;
				1340
				1341	u1 = u1 << s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1342	u1 \|= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1343	u0 = u0 << s;
				1344
				1345	d1 = d >> biH;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1346	d0 = d & uint_halfword_mask;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1347
				1348	u0_msw = u0 >> biH;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1349	u0_lsw = u0 & uint_halfword_mask;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1350
				1351	/*
				1352	* Find the first quotient and remainder
				1353	*/
				1354	q1 = u1 / d1;
				1355	r0 = u1 - d1 * q1;
				1356
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1357	while (q1 >= radix \|\| (q1 * d0 > radix * r0 + u0_msw)) {
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1358	q1 -= 1;
				1359	r0 += d1;
				1360
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1361	if (r0 >= radix) {
				1362	break;
				1363	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1364	}
				1365
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1366	rAX = (u1 * radix) + (u0_msw - q1 * d);
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1367	q0 = rAX / d1;
				1368	r0 = rAX - q0 * d1;
				1369
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1370	while (q0 >= radix \|\| (q0 * d0 > radix * r0 + u0_lsw)) {
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1371	q0 -= 1;
				1372	r0 += d1;
				1373
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1374	if (r0 >= radix) {
				1375	break;
				1376	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1377	}
				1378
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1379	if (r != NULL) {
				1380	r = (rAX radix + u0_lsw - q0 * d) >> s;
				1381	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1382
				1383	quotient = q1 * radix + q0;
				1384
				1385	return quotient;
				1386	#endif
				1387	}
				1388
				1389	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1390	* Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1391	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1392	int mbedtls_mpi_div_mpi(mbedtls_mpi Q, mbedtls_mpi R, const mbedtls_mpi *A,
				1393	const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1394	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1395	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1396	size_t i, n, t, k;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1397	mbedtls_mpi X, Y, Z, T1, T2;
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1398	mbedtls_mpi_uint TP2[3];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1399
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1400	if (mbedtls_mpi_cmp_int(B, 0) == 0) {
				1401	return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
				1402	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1403
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1404	mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
				1405	mbedtls_mpi_init(&T1);
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1406	/*
				1407	* Avoid dynamic memory allocations for constant-size T2.
				1408	*
				1409	* T2 is used for comparison only and the 3 limbs are assigned explicitly,
				1410	* so nobody increase the size of the MPI and we're safe to use an on-stack
				1411	* buffer.
				1412	*/
Alexander K	35d6d46	2019-10-31 14:46:45 +0300	[diff] [blame]	1413	T2.s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1414	T2.n = sizeof(TP2) / sizeof(*TP2);
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1415	T2.p = TP2;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1416
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1417	if (mbedtls_mpi_cmp_abs(A, B) < 0) {
				1418	if (Q != NULL) {
				1419	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
				1420	}
				1421	if (R != NULL) {
				1422	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));
				1423	}
				1424	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1425	}
				1426
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1427	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));
				1428	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1429	X.s = Y.s = 1;
				1430
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1431	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
				1432	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));
				1433	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1434
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1435	k = mbedtls_mpi_bitlen(&Y) % biL;
				1436	if (k < biL - 1) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1437	k = biL - 1 - k;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1438	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));
				1439	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));
				1440	} else {
				1441	k = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1442	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1443
				1444	n = X.n - 1;
				1445	t = Y.n - 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1446	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1447
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1448	while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1449	Z.p[n - t]++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1450	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1451	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1452	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1453
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1454	for (i = n; i > t; i--) {
				1455	if (X.p[i] >= Y.p[t]) {
				1456	Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;
				1457	} else {
				1458	Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],
				1459	Y.p[t], NULL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1460	}
				1461
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1462	T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
				1463	T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
Alexander K	35d6d46	2019-10-31 14:46:45 +0300	[diff] [blame]	1464	T2.p[2] = X.p[i];
				1465
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1466	Z.p[i - t - 1]++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1467	do {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1468	Z.p[i - t - 1]--;
				1469
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1470	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));
				1471	T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1472	T1.p[1] = Y.p[t];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1473	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
				1474	} while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1475
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1476	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
				1477	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
				1478	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1479
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1480	if (mbedtls_mpi_cmp_int(&X, 0) < 0) {
				1481	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));
				1482	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
				1483	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1484	Z.p[i - t - 1]--;
				1485	}
				1486	}
				1487
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1488	if (Q != NULL) {
				1489	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1490	Q->s = A->s * B->s;
				1491	}
				1492
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1493	if (R != NULL) {
				1494	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));
Paul Bakker	f02c564	2012-11-13 10:25:21 +0000	[diff] [blame]	1495	X.s = A->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1496	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1497
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1498	if (mbedtls_mpi_cmp_int(R, 0) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1499	R->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1500	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1501	}
				1502
				1503	cleanup:
				1504
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1505	mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
				1506	mbedtls_mpi_free(&T1);
				1507	mbedtls_platform_zeroize(TP2, sizeof(TP2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1508
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1509	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1510	}
				1511
				1512	/*
				1513	* Division by int: A = Q * b + R
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1514	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1515	int mbedtls_mpi_div_int(mbedtls_mpi Q, mbedtls_mpi R,
				1516	const mbedtls_mpi *A,
				1517	mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1518	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1519	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1520	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1521
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1522	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1523	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1524	B.n = 1;
				1525	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1526
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1527	return mbedtls_mpi_div_mpi(Q, R, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1528	}
				1529
				1530	/*
				1531	* Modulo: R = A mod B
				1532	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1533	int mbedtls_mpi_mod_mpi(mbedtls_mpi R, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1534	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1535	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1536
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1537	if (mbedtls_mpi_cmp_int(B, 0) < 0) {
				1538	return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1539	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1540
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1541	MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1542
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1543	while (mbedtls_mpi_cmp_int(R, 0) < 0) {
				1544	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));
				1545	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1546
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1547	while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {
				1548	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));
				1549	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1550
				1551	cleanup:
				1552
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1553	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1554	}
				1555
				1556	/*
				1557	* Modulo: r = A mod b
				1558	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1559	int mbedtls_mpi_mod_int(mbedtls_mpi_uint r, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1560	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1561	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1562	mbedtls_mpi_uint x, y, z;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1563
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1564	if (b == 0) {
				1565	return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
				1566	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1567
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1568	if (b < 0) {
				1569	return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1570	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1571
				1572	/*
				1573	* handle trivial cases
				1574	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1575	if (b == 1 \|\| A->n == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1576	*r = 0;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1577	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1578	}
				1579
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1580	if (b == 2) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1581	*r = A->p[0] & 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1582	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1583	}
				1584
				1585	/*
				1586	* general case
				1587	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1588	for (i = A->n, y = 0; i > 0; i--) {
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1589	x = A->p[i - 1];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1590	y = (y << biH) \| (x >> biH);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1591	z = y / b;
				1592	y -= z * b;
				1593
				1594	x <<= biH;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1595	y = (y << biH) \| (x >> biH);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1596	z = y / b;
				1597	y -= z * b;
				1598	}
				1599
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1600	/*
				1601	* If A is negative, then the current y represents a negative value.
				1602	* Flipping it to the positive side.
				1603	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1604	if (A->s < 0 && y != 0) {
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1605	y = b - y;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1606	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1607
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1608	*r = y;
				1609
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1610	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1611	}
				1612
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1613	int mbedtls_mpi_exp_mod(mbedtls_mpi X, const mbedtls_mpi A,
				1614	const mbedtls_mpi E, const mbedtls_mpi N,
				1615	mbedtls_mpi *prec_RR)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1616	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1617	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1618
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1619	if (mbedtls_mpi_cmp_int(N, 0) <= 0 \|\| (N->p[0] & 1) == 0) {
				1620	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1621	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1622
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1623	if (mbedtls_mpi_cmp_int(E, 0) < 0) {
				1624	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1625	}
Paul Bakker	f6198c1	2012-05-16 08:02:29 +0000	[diff] [blame]	1626
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1627	if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS \|\|
				1628	mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {
				1629	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1630	}
Chris Jones	9246d04	2020-11-25 15:12:39 +0000	[diff] [blame]	1631
Janos Follath	583f047	2024-02-19 11:16:44 +0000	[diff] [blame]	1632	/*
				1633	* Ensure that the exponent that we are passing to the core is not NULL.
				1634	*/
				1635	if (E->n == 0) {
				1636	ret = mbedtls_mpi_lset(X, 1);
				1637	return ret;
				1638	}
				1639
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1640	/*
				1641	* Allocate working memory for mbedtls_mpi_core_exp_mod()
				1642	*/
				1643	size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n);
Janos Follath	0902572	2024-02-21 11:50:25 +0000	[diff] [blame]	1644	mbedtls_mpi_uint T = (mbedtls_mpi_uint ) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint));
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1645	if (T == NULL) {
				1646	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				1647	}
				1648
Janos Follath	701ae1d	2024-02-19 10:56:54 +0000	[diff] [blame]	1649	mbedtls_mpi RR;
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1650	mbedtls_mpi_init(&RR);
Paul Bakker	5054692	2012-05-19 08:40:49 +0000	[diff] [blame]	1651
				1652	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1653	* If 1st call, pre-compute R^2 mod N
				1654	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1655	if (prec_RR == NULL \|\| prec_RR->p == NULL) {
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1656	MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1657
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1658	if (prec_RR != NULL) {
Janos Follath	576087d	2024-02-19 11:05:01 +0000	[diff] [blame]	1659	*prec_RR = RR;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1660	}
				1661	} else {
Janos Follath	0512d17	2024-02-20 14:30:46 +0000	[diff] [blame]	1662	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(prec_RR, N->n));
Janos Follath	576087d	2024-02-19 11:05:01 +0000	[diff] [blame]	1663	RR = *prec_RR;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1664	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1665
				1666	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1667	* To preserve constness we need to make a copy of A. Using X for this to
				1668	* save memory.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1669	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1670	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1671
				1672	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1673	* Compensate for negative A (and correct at the end).
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1674	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1675	X->s = 1;
Paul Bakker	f6198c1	2012-05-16 08:02:29 +0000	[diff] [blame]	1676
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1677	/*
Janos Follath	467a549	2024-02-19 11:27:38 +0000	[diff] [blame]	1678	* Make sure that X is in a form that is safe for consumption by
				1679	* the core functions.
				1680	*
				1681	* - The core functions will not touch the limbs of X above N->n. The
				1682	* result will be correct if those limbs are 0, which the mod call
				1683	* ensures.
				1684	* - Also, X must have at least as many limbs as N for the calls to the
				1685	* core functions.
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1686	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1687	if (mbedtls_mpi_cmp_mpi(X, N) >= 0) {
				1688	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
				1689	}
				1690	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n));
				1691
				1692	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1693	* Convert to and from Montgomery around mbedtls_mpi_core_exp_mod().
				1694	*/
				1695	mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1696	mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);
Janos Follath	16ef486	2024-03-08 17:25:57 +0000	[diff] [blame^]	1697	mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1698	mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1699
				1700	/*
				1701	* Correct for negative A.
				1702	*/
Janos Follath	583f047	2024-02-19 11:16:44 +0000	[diff] [blame]	1703	if (A->s == -1 && (E->p[0] & 1) != 0) {
Janos Follath	86258f5	2024-02-21 11:25:41 +0000	[diff] [blame]	1704	mbedtls_ct_condition_t is_x_non_zero = mbedtls_mpi_core_check_zero_ct(X->p, X->n);
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	1705	X->s = mbedtls_ct_mpi_sign_if(is_x_non_zero, -1, 1);
Janos Follath	86258f5	2024-02-21 11:25:41 +0000	[diff] [blame]	1706
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1707	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X));
				1708	}
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1709
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1710	cleanup:
				1711
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1712	mbedtls_mpi_zeroize_and_free(T, T_limbs);
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	1713
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1714	if (prec_RR == NULL \|\| prec_RR->p == NULL) {
				1715	mbedtls_mpi_free(&RR);
				1716	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1717
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1718	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1719	}
				1720
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1721	/*
				1722	* Greatest common divisor: G = gcd(A, B) (HAC 14.54)
				1723	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1724	int mbedtls_mpi_gcd(mbedtls_mpi G, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1725	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1726	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1727	size_t lz, lzt;
Alexander K	e8ad49f	2019-08-16 16:16:07 +0300	[diff] [blame]	1728	mbedtls_mpi TA, TB;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1729
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1730	mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1731
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1732	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
				1733	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1734
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1735	lz = mbedtls_mpi_lsb(&TA);
				1736	lzt = mbedtls_mpi_lsb(&TB);
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	1737
Gilles Peskine	27253bc	2021-06-09 13:26:43 +0200	[diff] [blame]	1738	/* The loop below gives the correct result when A==0 but not when B==0.
				1739	* So have a special case for B==0. Leverage the fact that we just
				1740	* calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
				1741	* slightly more efficient than cmp_int(). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1742	if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) {
				1743	ret = mbedtls_mpi_copy(G, A);
Gilles Peskine	27253bc	2021-06-09 13:26:43 +0200	[diff] [blame]	1744	goto cleanup;
				1745	}
				1746
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1747	if (lzt < lz) {
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	1748	lz = lzt;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1749	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	1750
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1751	TA.s = TB.s = 1;
				1752
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1753	/* We mostly follow the procedure described in HAC 14.54, but with some
				1754	* minor differences:
				1755	* - Sequences of multiplications or divisions by 2 are grouped into a
				1756	* single shift operation.
Gilles Peskine	b09c7ee	2021-06-21 18:58:39 +0200	[diff] [blame]	1757	* - The procedure in HAC assumes that 0 < TB <= TA.
				1758	* - The condition TB <= TA is not actually necessary for correctness.
				1759	* TA and TB have symmetric roles except for the loop termination
				1760	* condition, and the shifts at the beginning of the loop body
				1761	* remove any significance from the ordering of TA vs TB before
				1762	* the shifts.
				1763	* - If TA = 0, the loop goes through 0 iterations and the result is
				1764	* correctly TB.
				1765	* - The case TB = 0 was short-circuited above.
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1766	*
				1767	* For the correctness proof below, decompose the original values of
				1768	* A and B as
				1769	* A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
				1770	* B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
				1771	* Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
				1772	* and gcd(A',B') is odd or 0.
				1773	*
				1774	* At the beginning, we have TA = \|A\| and TB = \|B\| so gcd(A,B) = gcd(TA,TB).
				1775	* The code maintains the following invariant:
				1776	* gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
Gilles Peskine	4df3f1f	2021-06-15 22:09:39 +0200	[diff] [blame]	1777	*/
				1778
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1779	/* Proof that the loop terminates:
				1780	* At each iteration, either the right-shift by 1 is made on a nonzero
				1781	* value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
				1782	* by at least 1, or the right-shift by 1 is made on zero and then
				1783	* TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
				1784	* since in that case TB is calculated from TB-TA with the condition TB>TA).
				1785	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1786	while (mbedtls_mpi_cmp_int(&TA, 0) != 0) {
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1787	/* Divisions by 2 preserve the invariant (I). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1788	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA)));
				1789	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1790
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1791	/* Set either TA or TB to \|TA-TB\|/2. Since TA and TB are both odd,
				1792	* TA-TB is even so the division by 2 has an integer result.
				1793	* Invariant (I) is preserved since any odd divisor of both TA and TB
				1794	* also divides \|TA-TB\|/2, and any odd divisor of both TA and \|TA-TB\|/2
Shaun Case	8b0ecbc	2021-12-20 21:14:10 -0800	[diff] [blame]	1795	* also divides TB, and any odd divisor of both TB and \|TA-TB\|/2 also
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1796	* divides TA.
				1797	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1798	if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) {
				1799	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB));
				1800	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1));
				1801	} else {
				1802	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA));
				1803	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1804	}
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1805	/* Note that one of TA or TB is still odd. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1806	}
				1807
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1808	/* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
				1809	* At the loop exit, TA = 0, so gcd(TA,TB) = TB.
				1810	* - If there was at least one loop iteration, then one of TA or TB is odd,
				1811	* and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
				1812	* lz = min(a,b) so gcd(A,B) = 2^lz * TB.
				1813	* - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
Gilles Peskine	4d3fd36	2021-06-21 11:40:38 +0200	[diff] [blame]	1814	* In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1815	*/
				1816
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1817	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz));
				1818	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1819
				1820	cleanup:
				1821
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1822	mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1823
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1824	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1825	}
				1826
Paul Bakker	33dc46b	2014-04-30 16:11:39 +0200	[diff] [blame]	1827	/*
				1828	* Fill X with size bytes of random.
Gilles Peskine	22cdd0c	2022-10-27 20:15:13 +0200	[diff] [blame]	1829	* The bytes returned from the RNG are used in a specific order which
				1830	* is suitable for deterministic ECDSA (see the specification of
				1831	* mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()).
Paul Bakker	33dc46b	2014-04-30 16:11:39 +0200	[diff] [blame]	1832	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1833	int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
				1834	int (f_rng)(void , unsigned char *, size_t),
				1835	void *p_rng)
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1836	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1837	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1838	const size_t limbs = CHARS_TO_LIMBS(size);
Hanno Becker	da1655a	2017-10-18 14:21:44 +0100	[diff] [blame]	1839
Hanno Becker	da1655a	2017-10-18 14:21:44 +0100	[diff] [blame]	1840	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1841	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
				1842	if (size == 0) {
				1843	return 0;
				1844	}
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1845
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1846	ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng);
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1847
				1848	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1849	return ret;
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1850	}
				1851
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1852	int mbedtls_mpi_random(mbedtls_mpi *X,
				1853	mbedtls_mpi_sint min,
				1854	const mbedtls_mpi *N,
				1855	int (f_rng)(void , unsigned char *, size_t),
				1856	void *p_rng)
Gilles Peskine	02ac93a	2021-03-29 22:02:55 +0200	[diff] [blame]	1857	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1858	if (min < 0) {
				1859	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1860	}
				1861	if (mbedtls_mpi_cmp_int(N, min) <= 0) {
				1862	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1863	}
Gilles Peskine	1e918f4	2021-03-29 22:14:51 +0200	[diff] [blame]	1864
Gilles Peskine	1a7df4e	2021-04-01 15:57:18 +0200	[diff] [blame]	1865	/* Ensure that target MPI has exactly the same number of limbs
				1866	* as the upper bound, even if the upper bound has leading zeros.
Gilles Peskine	6b7ce96	2022-12-15 15:04:33 +0100	[diff] [blame]	1867	* This is necessary for mbedtls_mpi_core_random. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1868	int ret = mbedtls_mpi_resize_clear(X, N->n);
				1869	if (ret != 0) {
				1870	return ret;
				1871	}
Gilles Peskine	1a7df4e	2021-04-01 15:57:18 +0200	[diff] [blame]	1872
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1873	return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng);
Gilles Peskine	02ac93a	2021-03-29 22:02:55 +0200	[diff] [blame]	1874	}
				1875
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1876	/*
				1877	* Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
				1878	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1879	int mbedtls_mpi_inv_mod(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *N)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1880	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1881	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1882	mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1883
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1884	if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
				1885	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1886	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1887
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1888	mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);
				1889	mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);
				1890	mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1891
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1892	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1893
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1894	if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1895	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1896	goto cleanup;
				1897	}
				1898
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1899	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));
				1900	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));
				1901	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));
				1902	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1903
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1904	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));
				1905	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));
				1906	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));
				1907	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1908
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1909	do {
				1910	while ((TU.p[0] & 1) == 0) {
				1911	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1912
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1913	if ((U1.p[0] & 1) != 0 \|\| (U2.p[0] & 1) != 0) {
				1914	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));
				1915	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1916	}
				1917
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1918	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));
				1919	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1920	}
				1921
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1922	while ((TV.p[0] & 1) == 0) {
				1923	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1924
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1925	if ((V1.p[0] & 1) != 0 \|\| (V2.p[0] & 1) != 0) {
				1926	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));
				1927	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1928	}
				1929
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1930	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));
				1931	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1932	}
				1933
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1934	if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {
				1935	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));
				1936	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));
				1937	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));
				1938	} else {
				1939	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));
				1940	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));
				1941	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1942	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1943	} while (mbedtls_mpi_cmp_int(&TU, 0) != 0);
				1944
				1945	while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {
				1946	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1947	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1948
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1949	while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {
				1950	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));
				1951	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1952
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1953	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1954
				1955	cleanup:
				1956
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1957	mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);
				1958	mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);
				1959	mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1960
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1961	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1962	}
				1963
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1964	#if defined(MBEDTLS_GENPRIME)
Paul Bakker	d9374b0	2012-11-02 11:02:58 +0000	[diff] [blame]	1965
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	1966	/* Gaps between primes, starting at 3. https://oeis.org/A001223 */
				1967	static const unsigned char small_prime_gaps[] = {
				1968	2, 2, 4, 2, 4, 2, 4, 6,
				1969	2, 6, 4, 2, 4, 6, 6, 2,
				1970	6, 4, 2, 6, 4, 6, 8, 4,
				1971	2, 4, 2, 4, 14, 4, 6, 2,
				1972	10, 2, 6, 6, 4, 6, 6, 2,
				1973	10, 2, 4, 2, 12, 12, 4, 2,
				1974	4, 6, 2, 10, 6, 6, 6, 2,
				1975	6, 4, 2, 10, 14, 4, 2, 4,
				1976	14, 6, 10, 2, 4, 6, 8, 6,
				1977	6, 4, 6, 8, 4, 8, 10, 2,
				1978	10, 2, 6, 4, 6, 8, 4, 2,
				1979	4, 12, 8, 4, 8, 4, 6, 12,
				1980	2, 18, 6, 10, 6, 6, 2, 6,
				1981	10, 6, 6, 2, 6, 6, 4, 2,
				1982	12, 10, 2, 4, 6, 6, 2, 12,
				1983	4, 6, 8, 10, 8, 10, 8, 6,
				1984	6, 4, 8, 6, 4, 8, 4, 14,
				1985	10, 12, 2, 10, 2, 4, 2, 10,
				1986	14, 4, 2, 4, 14, 4, 2, 4,
				1987	20, 4, 8, 10, 8, 4, 6, 6,
				1988	14, 4, 6, 6, 8, 6, /reaches 997/
Gilles Peskine	30b0378	2023-08-22 11:06:47 +0200	[diff] [blame]	1989	0 /* the last entry is effectively unused */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1990	};
				1991
				1992	/*
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	1993	* Small divisors test (X must be positive)
				1994	*
				1995	* Return values:
				1996	* 0: no small factor (possible prime, more tests needed)
				1997	* 1: certain prime
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1998	* MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	1999	* other negative: error
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2000	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2001	static int mpi_check_small_factors(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2002	{
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2003	int ret = 0;
				2004	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2005	mbedtls_mpi_uint r;
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2006	unsigned p = 3; /* The first odd prime */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2007
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2008	if ((X->p[0] & 1) == 0) {
				2009	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2010	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2011
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2012	for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) {
				2013	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p));
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2014	if (r == 0) {
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2015	if (mbedtls_mpi_cmp_int(X, p) == 0) {
				2016	return 1;
				2017	} else {
				2018	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2019	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2020	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2021	}
				2022
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2023	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2024	return ret;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2025	}
				2026
				2027	/*
				2028	* Miller-Rabin pseudo-primality test (HAC 4.24)
				2029	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2030	static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
				2031	int (f_rng)(void , unsigned char *, size_t),
				2032	void *p_rng)
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2033	{
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2034	int ret, count;
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2035	size_t i, j, k, s;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2036	mbedtls_mpi W, R, T, A, RR;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2037
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2038	mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
				2039	mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
				2040	mbedtls_mpi_init(&RR);
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2041
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2042	/*
				2043	* W = \|X\| - 1
				2044	* R = W >> lsb( W )
				2045	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2046	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));
				2047	s = mbedtls_mpi_lsb(&W);
				2048	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
				2049	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2050
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2051	for (i = 0; i < rounds; i++) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2052	/*
				2053	* pick a random A, 1 < A < \|X\| - 1
				2054	*/
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2055	count = 0;
				2056	do {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2057	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2058
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2059	j = mbedtls_mpi_bitlen(&A);
				2060	k = mbedtls_mpi_bitlen(&W);
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2061	if (j > k) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2062	A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2063	}
				2064
				2065	if (count++ > 30) {
Jens Wiklander	f08aa3e	2019-01-17 13:30:57 +0100	[diff] [blame]	2066	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2067	goto cleanup;
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2068	}
				2069
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2070	} while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 \|\|
				2071	mbedtls_mpi_cmp_int(&A, 1) <= 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2072
				2073	/*
				2074	* A = A^R mod \|X\|
				2075	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2076	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2077
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2078	if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 \|\|
				2079	mbedtls_mpi_cmp_int(&A, 1) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2080	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2081	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2082
				2083	j = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2084	while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2085	/*
				2086	* A = A * A mod \|X\|
				2087	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2088	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));
				2089	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2090
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2091	if (mbedtls_mpi_cmp_int(&A, 1) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2092	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2093	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2094
				2095	j++;
				2096	}
				2097
				2098	/*
				2099	* not prime if A != \|X\| - 1 or A == 1
				2100	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2101	if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 \|\|
				2102	mbedtls_mpi_cmp_int(&A, 1) == 0) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2103	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2104	break;
				2105	}
				2106	}
				2107
				2108	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2109	mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);
				2110	mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);
				2111	mbedtls_mpi_free(&RR);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2112
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2113	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2114	}
				2115
				2116	/*
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2117	* Pseudo-primality test: small factors, then Miller-Rabin
				2118	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2119	int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
				2120	int (f_rng)(void , unsigned char *, size_t),
				2121	void *p_rng)
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2122	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	2123	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2124	mbedtls_mpi XX;
Manuel Pégourié-Gonnard	7f4ed67	2014-10-14 20:56:02 +0200	[diff] [blame]	2125
				2126	XX.s = 1;
				2127	XX.n = X->n;
				2128	XX.p = X->p;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2129
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2130	if (mbedtls_mpi_cmp_int(&XX, 0) == 0 \|\|
				2131	mbedtls_mpi_cmp_int(&XX, 1) == 0) {
				2132	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2133	}
				2134
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2135	if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {
				2136	return 0;
				2137	}
				2138
				2139	if ((ret = mpi_check_small_factors(&XX)) != 0) {
				2140	if (ret == 1) {
				2141	return 0;
				2142	}
				2143
				2144	return ret;
				2145	}
				2146
				2147	return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);
Janos Follath	f301d23	2018-08-14 13:34:01 +0100	[diff] [blame]	2148	}
				2149
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2150	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2151	* Prime number generation
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2152	*
Janos Follath	f301d23	2018-08-14 13:34:01 +0100	[diff] [blame]	2153	* To generate an RSA key in a way recommended by FIPS 186-4, both primes must
				2154	* be either 1024 bits or 1536 bits long, and flags must contain
				2155	* MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2156	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2157	int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
				2158	int (f_rng)(void , unsigned char *, size_t),
				2159	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2160	{
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2161	#ifdef MBEDTLS_HAVE_INT64
				2162	// ceil(2^63.5)
				2163	#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
				2164	#else
				2165	// ceil(2^31.5)
				2166	#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
				2167	#endif
				2168	int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2169	size_t k, n;
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2170	int rounds;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2171	mbedtls_mpi_uint r;
				2172	mbedtls_mpi Y;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2173
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2174	if (nbits < 3 \|\| nbits > MBEDTLS_MPI_MAX_BITS) {
				2175	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				2176	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2177
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2178	mbedtls_mpi_init(&Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2179
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2180	n = BITS_TO_LIMBS(nbits);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2181
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2182	if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2183	/*
				2184	* 2^-80 error probability, number of rounds chosen per HAC, table 4.4
				2185	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2186	rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :
				2187	(nbits >= 650) ? 4 : (nbits >= 350) ? 8 :
				2188	(nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);
				2189	} else {
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2190	/*
				2191	* 2^-100 error probability, number of rounds computed based on HAC,
				2192	* fact 4.48
				2193	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2194	rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :
				2195	(nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :
				2196	(nbits >= 750) ? 8 : (nbits >= 500) ? 13 :
				2197	(nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2198	}
				2199
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2200	while (1) {
				2201	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2202	/* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2203	if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {
				2204	continue;
				2205	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2206
				2207	k = n * biL;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2208	if (k > nbits) {
				2209	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
				2210	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2211	X->p[0] \|= 1;
				2212
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2213	if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
				2214	ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2215
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2216	if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2217	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2218	}
				2219	} else {
Manuel Pégourié-Gonnard	ddf7615	2013-11-22 19:58:22 +0100	[diff] [blame]	2220	/*
Tom Cosgrove	ce7f18c	2022-07-28 05:50:56 +0100	[diff] [blame]	2221	* A necessary condition for Y and X = 2Y + 1 to be prime
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2222	* is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
				2223	* Make sure it is satisfied, while keeping X = 3 mod 4
Manuel Pégourié-Gonnard	ddf7615	2013-11-22 19:58:22 +0100	[diff] [blame]	2224	*/
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2225
				2226	X->p[0] \|= 2;
				2227
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2228	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));
				2229	if (r == 0) {
				2230	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));
				2231	} else if (r == 1) {
				2232	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));
				2233	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2234
				2235	/* Set Y = (X-1) / 2, which is X / 2 because X is odd */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2236	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));
				2237	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2238
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2239	while (1) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2240	/*
				2241	* First, check small factors for X and Y
				2242	* before doing Miller-Rabin on any of them
				2243	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2244	if ((ret = mpi_check_small_factors(X)) == 0 &&
				2245	(ret = mpi_check_small_factors(&Y)) == 0 &&
				2246	(ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
				2247	== 0 &&
				2248	(ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
				2249	== 0) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2250	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2251	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2252
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2253	if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2254	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2255	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2256
				2257	/*
				2258	* Next candidates. We want to preserve Y = (X-1) / 2 and
				2259	* Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
				2260	* so up Y by 6 and X by 12.
				2261	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2262	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));
				2263	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2264	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2265	}
				2266	}
				2267
				2268	cleanup:
				2269
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2270	mbedtls_mpi_free(&Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2271
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2272	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2273	}
				2274
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2275	#endif /* MBEDTLS_GENPRIME */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2276
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2277	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2278
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2279	#define GCD_PAIR_COUNT 3
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2280
				2281	static const int gcd_pairs[GCD_PAIR_COUNT][3] =
				2282	{
				2283	{ 693, 609, 21 },
				2284	{ 1764, 868, 28 },
				2285	{ 768454923, 542167814, 1 }
				2286	};
				2287
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2288	/*
				2289	* Checkup routine
				2290	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2291	int mbedtls_mpi_self_test(int verbose)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2292	{
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2293	int ret, i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2294	mbedtls_mpi A, E, N, X, Y, U, V;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2295
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2296	mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);
				2297	mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2298
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2299	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,
				2300	"EFE021C2645FD1DC586E69184AF4A31E" \
				2301	"D5F53E93B5F123FA41680867BA110131" \
				2302	"944FE7952E2517337780CB0DB80E61AA" \
				2303	"E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2304
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2305	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,
				2306	"B2E7EFD37075B9F03FF989C7C5051C20" \
				2307	"34D2A323810251127E7BF8625A4F49A5" \
				2308	"F3E27F4DA8BD59C47D6DAABA4C8127BD" \
				2309	"5B5C25763222FEFCCFC38B832366C29E"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2310
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2311	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,
				2312	"0066A198186C18C10B2F5ED9B522752A" \
				2313	"9830B69916E535C8F047518A889A43A5" \
				2314	"94B6BED27A168D31D4A52F88925AA8F5"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2315
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2316	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2317
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2318	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2319	"602AB7ECA597A3D6B56FF9829A5E8B85" \
				2320	"9E857EA95A03512E2BAE7391688D264A" \
				2321	"A5663B0341DB9CCFD2C4C5F421FEC814" \
				2322	"8001B72E848A38CAE1C65F78E56ABDEF" \
				2323	"E12D3C039B8A02D6BE593F0BBBDA56F1" \
				2324	"ECF677152EF804370C1A305CAF3B5BF1" \
				2325	"30879B56C61DE584A0F53A2447A51E"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2326
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2327	if (verbose != 0) {
				2328	mbedtls_printf(" MPI test #1 (mul_mpi): ");
				2329	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2330
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2331	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2332	if (verbose != 0) {
				2333	mbedtls_printf("failed\n");
				2334	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2335
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2336	ret = 1;
				2337	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2338	}
				2339
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2340	if (verbose != 0) {
				2341	mbedtls_printf("passed\n");
				2342	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2343
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2344	MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2345
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2346	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2347	"256567336059E52CAE22925474705F39A94"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2348
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2349	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,
				2350	"6613F26162223DF488E9CD48CC132C7A" \
				2351	"0AC93C701B001B092E4E5B9F73BCD27B" \
				2352	"9EE50D0657C77F374E903CDFA4C642"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2353
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2354	if (verbose != 0) {
				2355	mbedtls_printf(" MPI test #2 (div_mpi): ");
				2356	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2357
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2358	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 \|\|
				2359	mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {
				2360	if (verbose != 0) {
				2361	mbedtls_printf("failed\n");
				2362	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2363
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2364	ret = 1;
				2365	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2366	}
				2367
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2368	if (verbose != 0) {
				2369	mbedtls_printf("passed\n");
				2370	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2371
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2372	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2373
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2374	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2375	"36E139AEA55215609D2816998ED020BB" \
				2376	"BD96C37890F65171D948E9BC7CBAA4D9" \
				2377	"325D24D6A3C12710F10A09FA08AB87"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2378
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2379	if (verbose != 0) {
				2380	mbedtls_printf(" MPI test #3 (exp_mod): ");
				2381	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2382
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2383	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2384	if (verbose != 0) {
				2385	mbedtls_printf("failed\n");
				2386	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2387
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2388	ret = 1;
				2389	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2390	}
				2391
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2392	if (verbose != 0) {
				2393	mbedtls_printf("passed\n");
				2394	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2395
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2396	MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2397
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2398	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2399	"003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
				2400	"C3DBA76456363A10869622EAC2DD84EC" \
				2401	"C5B8A74DAC4D09E03B5E0BE779F2DF61"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2402
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2403	if (verbose != 0) {
				2404	mbedtls_printf(" MPI test #4 (inv_mod): ");
				2405	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2406
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2407	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2408	if (verbose != 0) {
				2409	mbedtls_printf("failed\n");
				2410	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2411
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2412	ret = 1;
				2413	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2414	}
				2415
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2416	if (verbose != 0) {
				2417	mbedtls_printf("passed\n");
				2418	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2419
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2420	if (verbose != 0) {
				2421	mbedtls_printf(" MPI test #5 (simple gcd): ");
				2422	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2423
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2424	for (i = 0; i < GCD_PAIR_COUNT; i++) {
				2425	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));
				2426	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2427
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2428	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2429
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2430	if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {
				2431	if (verbose != 0) {
				2432	mbedtls_printf("failed at %d\n", i);
				2433	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2434
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2435	ret = 1;
				2436	goto cleanup;
				2437	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2438	}
				2439
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2440	if (verbose != 0) {
				2441	mbedtls_printf("passed\n");
				2442	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2443
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2444	cleanup:
				2445
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2446	if (ret != 0 && verbose != 0) {
				2447	mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
				2448	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2449
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2450	mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);
				2451	mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2452
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2453	if (verbose != 0) {
				2454	mbedtls_printf("\n");
				2455	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2456
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2457	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2458	}
				2459
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2460	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2461
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2462	#endif /* MBEDTLS_BIGNUM_C */