TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 322752ba20246bd9df46437fce7fb235164a89ee / . / library / bignum.c
blob: 9af17aabd4eb2c31da2110a005b945acb4d82389 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * Multi-precision integer library
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]21
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]22/*
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]23 * The following sources were referenced in the design of this Multi-precision
24 * Integer library:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]25 *
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]26 * [1] Handbook of Applied Cryptography - 1997
27 * Menezes, van Oorschot and Vanstone
28 *
29 * [2] Multi-Precision Math
30 * Tom St Denis
31 * https://github.com/libtom/libtommath/blob/develop/tommath.pdf
32 *
33 * [3] GNU Multi-Precision Arithmetic Library
34 * https://gmplib.org/manual/index.html
35 *
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]36 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]38#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]39#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]40#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_BIGNUM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]46#include "mbedtls/bignum.h"
47#include "mbedtls/bn_mul.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]48#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]49#include "mbedtls/error.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#include <string.h>
52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]54#include "mbedtls/platform.h"
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]55#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]56#include <stdio.h>
57#include <stdlib.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58#define mbedtls_printf printf
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]59#define mbedtls_calloc calloc
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]60#define mbedtls_free free
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]61#endif
62
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]63#define MPI_VALIDATE_RET( cond ) \
64 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
65#define MPI_VALIDATE( cond ) \
66 MBEDTLS_INTERNAL_VALIDATE( cond )
67
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]68#define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]69#define biL (ciL << 3) /* bits in limb */
70#define biH (ciL << 2) /* half limb size */
71
Manuel Pégourié-Gonnard2d708342015-10-05 15:23:11 +0100[diff] [blame]72#define MPI_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
73
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]74/*
75 * Convert between bits/chars and number of limbs
Manuel Pégourié-Gonnard58fb4952015-09-28 13:48:04 +0200[diff] [blame]76 * Divide first in order to avoid potential overflows
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]77 */
Manuel Pégourié-Gonnard58fb4952015-09-28 13:48:04 +0200[diff] [blame]78#define BITS_TO_LIMBS(i) ( (i) / biL + ( (i) % biL != 0 ) )
79#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]81/* Implementation that should never be optimized out by the compiler */
Andres Amaya Garcia6698d2f2018-04-24 08:39:07 -0500[diff] [blame]82static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n )
83{
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]84 mbedtls_platform_zeroize( v, ciL * n );
85}
86
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]87/*
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]88 * Initialize one MPI
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]89 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]90void mbedtls_mpi_init( mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]91{
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]92 MPI_VALIDATE( X != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]93
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]94 X->s = 1;
95 X->n = 0;
96 X->p = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]97}
98
99/*
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]100 * Unallocate one MPI
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]101 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]102void mbedtls_mpi_free( mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]103{
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]104 if( X == NULL )
105 return;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]106
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]107 if( X->p != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]108 {
Alexey Skalozube17a8da2016-01-13 17:19:33 +0200[diff] [blame]109 mbedtls_mpi_zeroize( X->p, X->n );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]110 mbedtls_free( X->p );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]111 }
112
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]113 X->s = 1;
114 X->n = 0;
115 X->p = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]116}
117
118/*
119 * Enlarge to the specified number of limbs
120 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]121int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]122{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]123 mbedtls_mpi_uint *p;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]124 MPI_VALIDATE_RET( X != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]125
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]126 if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]127 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]128
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]129 if( X->n < nblimbs )
130 {
Simon Butcher29176892016-05-20 00:19:09 +0100[diff] [blame]131 if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]132 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]133
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]134 if( X->p != NULL )
135 {
136 memcpy( p, X->p, X->n * ciL );
Alexey Skalozube17a8da2016-01-13 17:19:33 +0200[diff] [blame]137 mbedtls_mpi_zeroize( X->p, X->n );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]138 mbedtls_free( X->p );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]139 }
140
141 X->n = nblimbs;
142 X->p = p;
143 }
144
145 return( 0 );
146}
147
148/*
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]149 * Resize down as much as possible,
150 * while keeping at least the specified number of limbs
151 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]152int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]153{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]154 mbedtls_mpi_uint *p;
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]155 size_t i;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]156 MPI_VALIDATE_RET( X != NULL );
157
158 if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
159 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]160
Gilles Peskinee2f563e2020-01-20 21:17:43 +0100[diff] [blame]161 /* Actually resize up if there are currently fewer than nblimbs limbs. */
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]162 if( X->n <= nblimbs )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]163 return( mbedtls_mpi_grow( X, nblimbs ) );
Gilles Peskine322752b2020-01-21 13:59:51 +0100[diff] [blame^]164 /* After this point, then X->n > nblimbs and in particular X->n > 0. */
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]165
166 for( i = X->n - 1; i > 0; i-- )
167 if( X->p[i] != 0 )
168 break;
169 i++;
170
171 if( i < nblimbs )
172 i = nblimbs;
173
Simon Butcher29176892016-05-20 00:19:09 +0100[diff] [blame]174 if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]175 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]176
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]177 if( X->p != NULL )
178 {
179 memcpy( p, X->p, i * ciL );
Alexey Skalozube17a8da2016-01-13 17:19:33 +0200[diff] [blame]180 mbedtls_mpi_zeroize( X->p, X->n );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]181 mbedtls_free( X->p );
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]182 }
183
184 X->n = i;
185 X->p = p;
186
187 return( 0 );
188}
189
190/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]191 * Copy the contents of Y into X
192 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]193int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]194{
Gilles Peskine4e4be7c2018-03-21 16:29:03 +0100[diff] [blame]195 int ret = 0;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]196 size_t i;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]197 MPI_VALIDATE_RET( X != NULL );
198 MPI_VALIDATE_RET( Y != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]199
200 if( X == Y )
201 return( 0 );
202
Gilles Peskinedb420622020-01-20 21:12:50 +0100[diff] [blame]203 if( Y->n == 0 )
Manuel Pégourié-Gonnardf4999932013-08-12 17:02:59 +0200[diff] [blame]204 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]205 mbedtls_mpi_free( X );
Manuel Pégourié-Gonnardf4999932013-08-12 17:02:59 +0200[diff] [blame]206 return( 0 );
207 }
208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209 for( i = Y->n - 1; i > 0; i-- )
210 if( Y->p[i] != 0 )
211 break;
212 i++;
213
214 X->s = Y->s;
215
Gilles Peskine4e4be7c2018-03-21 16:29:03 +0100[diff] [blame]216 if( X->n < i )
217 {
218 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i ) );
219 }
220 else
221 {
222 memset( X->p + i, 0, ( X->n - i ) * ciL );
223 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]225 memcpy( X->p, Y->p, i * ciL );
226
227cleanup:
228
229 return( ret );
230}
231
232/*
233 * Swap the contents of X and Y
234 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]235void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]237 mbedtls_mpi T;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]238 MPI_VALIDATE( X != NULL );
239 MPI_VALIDATE( Y != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]241 memcpy( &T, X, sizeof( mbedtls_mpi ) );
242 memcpy( X, Y, sizeof( mbedtls_mpi ) );
243 memcpy( Y, &T, sizeof( mbedtls_mpi ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244}
245
246/*
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]247 * Conditionally assign X = Y, without leaking information
Manuel Pégourié-Gonnard96c7a922013-11-25 18:28:53 +0100[diff] [blame]248 * about whether the assignment was made or not.
249 * (Leaking information about the respective sizes of X and Y is ok however.)
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]250 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]251int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign )
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]252{
253 int ret = 0;
254 size_t i;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]255 MPI_VALIDATE_RET( X != NULL );
256 MPI_VALIDATE_RET( Y != NULL );
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]257
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]258 /* make sure assign is 0 or 1 in a time-constant manner */
259 assign = (assign | (unsigned char)-assign) >> 7;
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]260
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]261 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]262
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]263 X->s = X->s * ( 1 - assign ) + Y->s * assign;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]264
Manuel Pégourié-Gonnard96c7a922013-11-25 18:28:53 +0100[diff] [blame]265 for( i = 0; i < Y->n; i++ )
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]266 X->p[i] = X->p[i] * ( 1 - assign ) + Y->p[i] * assign;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]267
Manuel Pégourié-Gonnard96c7a922013-11-25 18:28:53 +0100[diff] [blame]268 for( ; i < X->n; i++ )
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]269 X->p[i] *= ( 1 - assign );
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]270
271cleanup:
272 return( ret );
273}
274
275/*
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]276 * Conditionally swap X and Y, without leaking information
277 * about whether the swap was made or not.
278 * Here it is not ok to simply swap the pointers, which whould lead to
279 * different memory access patterns when X and Y are used afterwards.
280 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]281int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap )
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]282{
283 int ret, s;
284 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]285 mbedtls_mpi_uint tmp;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]286 MPI_VALIDATE_RET( X != NULL );
287 MPI_VALIDATE_RET( Y != NULL );
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]288
289 if( X == Y )
290 return( 0 );
291
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]292 /* make sure swap is 0 or 1 in a time-constant manner */
293 swap = (swap | (unsigned char)-swap) >> 7;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]294
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]295 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
296 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]297
298 s = X->s;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]299 X->s = X->s * ( 1 - swap ) + Y->s * swap;
300 Y->s = Y->s * ( 1 - swap ) + s * swap;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]301
302
303 for( i = 0; i < X->n; i++ )
304 {
305 tmp = X->p[i];
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]306 X->p[i] = X->p[i] * ( 1 - swap ) + Y->p[i] * swap;
307 Y->p[i] = Y->p[i] * ( 1 - swap ) + tmp * swap;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]308 }
309
310cleanup:
311 return( ret );
312}
313
314/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315 * Set value from integer
316 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]317int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]319 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]320 MPI_VALIDATE_RET( X != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]322 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323 memset( X->p, 0, X->n * ciL );
324
325 X->p[0] = ( z < 0 ) ? -z : z;
326 X->s = ( z < 0 ) ? -1 : 1;
327
328cleanup:
329
330 return( ret );
331}
332
333/*
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]334 * Get a specific bit
335 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]336int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos )
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]337{
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]338 MPI_VALIDATE_RET( X != NULL );
339
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]340 if( X->n * biL <= pos )
341 return( 0 );
342
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]343 return( ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01 );
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]344}
345
Gilles Peskine11cdb052018-11-20 16:47:47 +0100[diff] [blame]346/* Get a specific byte, without range checks. */
347#define GET_BYTE( X, i ) \
348 ( ( ( X )->p[( i ) / ciL] >> ( ( ( i ) % ciL ) * 8 ) ) & 0xff )
349
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]350/*
351 * Set a bit to a specific value of 0 or 1
352 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]353int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val )
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]354{
355 int ret = 0;
356 size_t off = pos / biL;
357 size_t idx = pos % biL;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]358 MPI_VALIDATE_RET( X != NULL );
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]359
360 if( val != 0 && val != 1 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]361 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]362
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]363 if( X->n * biL <= pos )
364 {
365 if( val == 0 )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]366 return( 0 );
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]367
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]368 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, off + 1 ) );
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]369 }
370
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]371 X->p[off] &= ~( (mbedtls_mpi_uint) 0x01 << idx );
372 X->p[off] |= (mbedtls_mpi_uint) val << idx;
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]373
374cleanup:
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]375
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]376 return( ret );
377}
378
379/*
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]380 * Return the number of less significant zero-bits
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]381 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]382size_t mbedtls_mpi_lsb( const mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]383{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]384 size_t i, j, count = 0;
Hanno Beckerf25ee7f2018-12-19 16:51:02 +0000[diff] [blame]385 MBEDTLS_INTERNAL_VALIDATE_RET( X != NULL, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387 for( i = 0; i < X->n; i++ )
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]388 for( j = 0; j < biL; j++, count++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
390 return( count );
391
392 return( 0 );
393}
394
395/*
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]396 * Count leading zero bits in a given integer
397 */
398static size_t mbedtls_clz( const mbedtls_mpi_uint x )
399{
400 size_t j;
Manuel Pégourié-Gonnarde3e8edf2015-12-01 09:31:52 +0100[diff] [blame]401 mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]402
403 for( j = 0; j < biL; j++ )
404 {
405 if( x & mask ) break;
406
407 mask >>= 1;
408 }
409
410 return j;
411}
412
413/*
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]414 * Return the number of bits
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415 */
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]416size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]417{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]418 size_t i, j;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419
Manuel Pégourié-Gonnard770b5e12015-04-29 17:02:01 +0200[diff] [blame]420 if( X->n == 0 )
421 return( 0 );
422
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423 for( i = X->n - 1; i > 0; i-- )
424 if( X->p[i] != 0 )
425 break;
426
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]427 j = biL - mbedtls_clz( X->p[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]429 return( ( i * biL ) + j );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]430}
431
432/*
433 * Return the total size in bytes
434 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]435size_t mbedtls_mpi_size( const mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436{
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]437 return( ( mbedtls_mpi_bitlen( X ) + 7 ) >> 3 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438}
439
440/*
441 * Convert an ASCII character to digit value
442 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]443static int mpi_get_digit( mbedtls_mpi_uint *d, int radix, char c )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]444{
445 *d = 255;
446
447 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
448 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
449 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]451 if( *d >= (mbedtls_mpi_uint) radix )
452 return( MBEDTLS_ERR_MPI_INVALID_CHARACTER );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453
454 return( 0 );
455}
456
457/*
458 * Import from an ASCII string
459 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]460int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]462 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]463 size_t i, j, slen, n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]464 mbedtls_mpi_uint d;
465 mbedtls_mpi T;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]466 MPI_VALIDATE_RET( X != NULL );
467 MPI_VALIDATE_RET( s != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469 if( radix < 2 || radix > 16 )
Hanno Becker54c91dd2018-12-12 13:37:06 +0000[diff] [blame]470 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]472 mbedtls_mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]473
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]474 slen = strlen( s );
475
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 if( radix == 16 )
477 {
Manuel Pégourié-Gonnard2d708342015-10-05 15:23:11 +0100[diff] [blame]478 if( slen > MPI_SIZE_T_MAX >> 2 )
Manuel Pégourié-Gonnard58fb4952015-09-28 13:48:04 +0200[diff] [blame]479 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
480
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]481 n = BITS_TO_LIMBS( slen << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]483 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );
484 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]486 for( i = slen, j = 0; i > 0; i--, j++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]488 if( i == 1 && s[i - 1] == '-' )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 {
490 X->s = -1;
491 break;
492 }
493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]494 MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]495 X->p[j / ( 2 * ciL )] |= d << ( ( j % ( 2 * ciL ) ) << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]496 }
497 }
498 else
499 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]500 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]502 for( i = 0; i < slen; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]503 {
504 if( i == 0 && s[i] == '-' )
505 {
506 X->s = -1;
507 continue;
508 }
509
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]510 MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
511 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T, X, radix ) );
Paul Bakker05feca62009-06-20 08:22:43 +0000[diff] [blame]512
513 if( X->s == 1 )
514 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]515 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, &T, d ) );
Paul Bakker05feca62009-06-20 08:22:43 +0000[diff] [blame]516 }
517 else
518 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]519 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( X, &T, d ) );
Paul Bakker05feca62009-06-20 08:22:43 +0000[diff] [blame]520 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]521 }
522 }
523
524cleanup:
525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]526 mbedtls_mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]527
528 return( ret );
529}
530
531/*
Ron Eldora16fa292018-11-20 14:07:01 +0200[diff] [blame]532 * Helper to write the digits high-order first.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]533 */
Ron Eldora16fa292018-11-20 14:07:01 +0200[diff] [blame]534static int mpi_write_hlp( mbedtls_mpi *X, int radix,
535 char **p, const size_t buflen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]536{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]537 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]538 mbedtls_mpi_uint r;
Ron Eldora16fa292018-11-20 14:07:01 +0200[diff] [blame]539 size_t length = 0;
540 char *p_end = *p + buflen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541
Ron Eldora16fa292018-11-20 14:07:01 +0200[diff] [blame]542 do
543 {
544 if( length >= buflen )
545 {
546 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
547 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548
Ron Eldora16fa292018-11-20 14:07:01 +0200[diff] [blame]549 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
550 MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
551 /*
552 * Write the residue in the current position, as an ASCII character.
553 */
554 if( r < 0xA )
555 *(--p_end) = (char)( '0' + r );
556 else
557 *(--p_end) = (char)( 'A' + ( r - 0xA ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558
Ron Eldora16fa292018-11-20 14:07:01 +0200[diff] [blame]559 length++;
560 } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Ron Eldora16fa292018-11-20 14:07:01 +0200[diff] [blame]562 memmove( *p, p_end, length );
563 *p += length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
565cleanup:
566
567 return( ret );
568}
569
570/*
571 * Export into an ASCII string
572 */
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]573int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
574 char *buf, size_t buflen, size_t *olen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]576 int ret = 0;
577 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]578 char *p;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]579 mbedtls_mpi T;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]580 MPI_VALIDATE_RET( X != NULL );
581 MPI_VALIDATE_RET( olen != NULL );
582 MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583
584 if( radix < 2 || radix > 16 )
Hanno Becker54c91dd2018-12-12 13:37:06 +0000[diff] [blame]585 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586
Hanno Becker23cfea02019-02-04 09:45:07 +0000[diff] [blame]587 n = mbedtls_mpi_bitlen( X ); /* Number of bits necessary to present `n`. */
588 if( radix >= 4 ) n >>= 1; /* Number of 4-adic digits necessary to present
589 * `n`. If radix > 4, this might be a strict
590 * overapproximation of the number of
591 * radix-adic digits needed to present `n`. */
592 if( radix >= 16 ) n >>= 1; /* Number of hexadecimal digits necessary to
593 * present `n`. */
594
Janos Follath80470622019-03-06 13:43:02 +0000[diff] [blame]595 n += 1; /* Terminating null byte */
Hanno Becker23cfea02019-02-04 09:45:07 +0000[diff] [blame]596 n += 1; /* Compensate for the divisions above, which round down `n`
597 * in case it's not even. */
598 n += 1; /* Potential '-'-sign. */
599 n += ( n & 1 ); /* Make n even to have enough space for hexadecimal writing,
600 * which always uses an even number of hex-digits. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]601
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]602 if( buflen < n )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]603 {
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]604 *olen = n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]605 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]606 }
607
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]608 p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]609 mbedtls_mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]610
611 if( X->s == -1 )
Hanno Beckerc983c812019-02-01 16:41:30 +0000[diff] [blame]612 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613 *p++ = '-';
Hanno Beckerc983c812019-02-01 16:41:30 +0000[diff] [blame]614 buflen--;
615 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]616
617 if( radix == 16 )
618 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]619 int c;
620 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]621
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]622 for( i = X->n, k = 0; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]624 for( j = ciL; j > 0; j-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]625 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]626 c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627
Paul Bakker6c343d72014-07-10 14:36:19 +0200[diff] [blame]628 if( c == 0 && k == 0 && ( i + j ) != 2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629 continue;
630
Paul Bakker98fe5ea2012-10-24 11:17:48 +0000[diff] [blame]631 *(p++) = "0123456789ABCDEF" [c / 16];
Paul Bakkerd2c167e2012-10-30 07:49:19 +0000[diff] [blame]632 *(p++) = "0123456789ABCDEF" [c % 16];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633 k = 1;
634 }
635 }
636 }
637 else
638 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]639 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T, X ) );
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]640
641 if( T.s == -1 )
642 T.s = 1;
643
Ron Eldora16fa292018-11-20 14:07:01 +0200[diff] [blame]644 MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]645 }
646
647 *p++ = '\0';
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]648 *olen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]649
650cleanup:
651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]652 mbedtls_mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654 return( ret );
655}
656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657#if defined(MBEDTLS_FS_IO)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658/*
659 * Read X from an opened file
660 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]661int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]663 mbedtls_mpi_uint d;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]664 size_t slen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665 char *p;
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]666 /*
Paul Bakkercb37aa52011-11-30 16:00:20 +0000[diff] [blame]667 * Buffer should have space for (short) label and decimal formatted MPI,
668 * newline characters and '\0'
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]669 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]670 char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]672 MPI_VALIDATE_RET( X != NULL );
673 MPI_VALIDATE_RET( fin != NULL );
674
675 if( radix < 2 || radix > 16 )
676 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
677
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]678 memset( s, 0, sizeof( s ) );
679 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680 return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
682 slen = strlen( s );
Paul Bakkercb37aa52011-11-30 16:00:20 +0000[diff] [blame]683 if( slen == sizeof( s ) - 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]684 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
Paul Bakkercb37aa52011-11-30 16:00:20 +0000[diff] [blame]685
Hanno Beckerb2034b72017-04-26 11:46:46 +0100[diff] [blame]686 if( slen > 0 && s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
687 if( slen > 0 && s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]688
689 p = s + slen;
Hanno Beckerb2034b72017-04-26 11:46:46 +0100[diff] [blame]690 while( p-- > s )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691 if( mpi_get_digit( &d, radix, *p ) != 0 )
692 break;
693
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]694 return( mbedtls_mpi_read_string( X, radix, p + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695}
696
697/*
698 * Write X into an opened file (or stdout if fout == NULL)
699 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]700int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]702 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]703 size_t n, slen, plen;
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]704 /*
Paul Bakker5531c6d2012-09-26 19:20:46 +0000[diff] [blame]705 * Buffer should have space for (short) label and decimal formatted MPI,
706 * newline characters and '\0'
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]707 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]708 char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]709 MPI_VALIDATE_RET( X != NULL );
710
711 if( radix < 2 || radix > 16 )
712 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]713
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]714 memset( s, 0, sizeof( s ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]715
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]716 MBEDTLS_MPI_CHK( mbedtls_mpi_write_string( X, radix, s, sizeof( s ) - 2, &n ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717
718 if( p == NULL ) p = "";
719
720 plen = strlen( p );
721 slen = strlen( s );
722 s[slen++] = '\r';
723 s[slen++] = '\n';
724
725 if( fout != NULL )
726 {
727 if( fwrite( p, 1, plen, fout ) != plen ||
728 fwrite( s, 1, slen, fout ) != slen )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]730 }
731 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]732 mbedtls_printf( "%s%s", p, s );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]733
734cleanup:
735
736 return( ret );
737}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]738#endif /* MBEDTLS_FS_IO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]739
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]740
741/* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
742 * into the storage form used by mbedtls_mpi. */
Hanno Beckerf8720072018-11-08 11:53:49 +0000[diff] [blame]743
744static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x )
745{
746 uint8_t i;
Hanno Becker031d6332019-05-01 17:09:11 +0100[diff] [blame]747 unsigned char *x_ptr;
Hanno Beckerf8720072018-11-08 11:53:49 +0000[diff] [blame]748 mbedtls_mpi_uint tmp = 0;
Hanno Becker031d6332019-05-01 17:09:11 +0100[diff] [blame]749
750 for( i = 0, x_ptr = (unsigned char*) &x; i < ciL; i++, x_ptr++ )
751 {
752 tmp <<= CHAR_BIT;
753 tmp |= (mbedtls_mpi_uint) *x_ptr;
754 }
755
Hanno Beckerf8720072018-11-08 11:53:49 +0000[diff] [blame]756 return( tmp );
757}
758
759static mbedtls_mpi_uint mpi_uint_bigendian_to_host( mbedtls_mpi_uint x )
760{
761#if defined(__BYTE_ORDER__)
762
763/* Nothing to do on bigendian systems. */
764#if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ )
765 return( x );
766#endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */
767
768#if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ )
769
770/* For GCC and Clang, have builtins for byte swapping. */
Hanno Becker9f6d16a2019-01-02 17:15:06 +0000[diff] [blame]771#if defined(__GNUC__) && defined(__GNUC_PREREQ)
772#if __GNUC_PREREQ(4,3)
Hanno Beckerf8720072018-11-08 11:53:49 +0000[diff] [blame]773#define have_bswap
774#endif
Hanno Becker9f6d16a2019-01-02 17:15:06 +0000[diff] [blame]775#endif
776
777#if defined(__clang__) && defined(__has_builtin)
778#if __has_builtin(__builtin_bswap32) && \
779 __has_builtin(__builtin_bswap64)
780#define have_bswap
781#endif
782#endif
783
Hanno Beckerf8720072018-11-08 11:53:49 +0000[diff] [blame]784#if defined(have_bswap)
785 /* The compiler is hopefully able to statically evaluate this! */
786 switch( sizeof(mbedtls_mpi_uint) )
787 {
788 case 4:
789 return( __builtin_bswap32(x) );
790 case 8:
791 return( __builtin_bswap64(x) );
792 }
793#endif
794#endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */
795#endif /* __BYTE_ORDER__ */
796
797 /* Fall back to C-based reordering if we don't know the byte order
798 * or we couldn't use a compiler-specific builtin. */
799 return( mpi_uint_bigendian_to_host_c( x ) );
800}
801
Hanno Becker2be8a552018-10-25 12:40:09 +0100[diff] [blame]802static void mpi_bigendian_to_host( mbedtls_mpi_uint * const p, size_t limbs )
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]803{
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]804 mbedtls_mpi_uint *cur_limb_left;
805 mbedtls_mpi_uint *cur_limb_right;
Hanno Becker2be8a552018-10-25 12:40:09 +0100[diff] [blame]806 if( limbs == 0 )
807 return;
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]808
809 /*
810 * Traverse limbs and
811 * - adapt byte-order in each limb
812 * - swap the limbs themselves.
813 * For that, simultaneously traverse the limbs from left to right
814 * and from right to left, as long as the left index is not bigger
815 * than the right index (it's not a problem if limbs is odd and the
816 * indices coincide in the last iteration).
817 */
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]818 for( cur_limb_left = p, cur_limb_right = p + ( limbs - 1 );
819 cur_limb_left <= cur_limb_right;
820 cur_limb_left++, cur_limb_right-- )
821 {
Hanno Beckerf8720072018-11-08 11:53:49 +0000[diff] [blame]822 mbedtls_mpi_uint tmp;
823 /* Note that if cur_limb_left == cur_limb_right,
824 * this code effectively swaps the bytes only once. */
825 tmp = mpi_uint_bigendian_to_host( *cur_limb_left );
826 *cur_limb_left = mpi_uint_bigendian_to_host( *cur_limb_right );
827 *cur_limb_right = tmp;
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]828 }
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]829}
830
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]831/*
Janos Follatha778a942019-02-13 10:28:28 +0000[diff] [blame]832 * Import X from unsigned binary data, little endian
833 */
834int mbedtls_mpi_read_binary_le( mbedtls_mpi *X,
835 const unsigned char *buf, size_t buflen )
836{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]837 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Janos Follatha778a942019-02-13 10:28:28 +0000[diff] [blame]838 size_t i;
839 size_t const limbs = CHARS_TO_LIMBS( buflen );
840
841 /* Ensure that target MPI has exactly the necessary number of limbs */
842 if( X->n != limbs )
843 {
844 mbedtls_mpi_free( X );
845 mbedtls_mpi_init( X );
846 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
847 }
848
849 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
850
851 for( i = 0; i < buflen; i++ )
852 X->p[i / ciL] |= ((mbedtls_mpi_uint) buf[i]) << ((i % ciL) << 3);
853
854cleanup:
855
Janos Follath171a7ef2019-02-15 16:17:45 +0000[diff] [blame]856 /*
857 * This function is also used to import keys. However, wiping the buffers
858 * upon failure is not necessary because failure only can happen before any
859 * input is copied.
860 */
Janos Follatha778a942019-02-13 10:28:28 +0000[diff] [blame]861 return( ret );
862}
863
864/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]865 * Import X from unsigned binary data, big endian
866 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]867int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]868{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]869 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]870 size_t const limbs = CHARS_TO_LIMBS( buflen );
871 size_t const overhead = ( limbs * ciL ) - buflen;
872 unsigned char *Xp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873
Hanno Becker8ce11a32018-12-19 16:18:52 +0000[diff] [blame]874 MPI_VALIDATE_RET( X != NULL );
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]875 MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
876
Hanno Becker073c1992017-10-17 15:17:27 +0100[diff] [blame]877 /* Ensure that target MPI has exactly the necessary number of limbs */
878 if( X->n != limbs )
879 {
880 mbedtls_mpi_free( X );
881 mbedtls_mpi_init( X );
882 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
883 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]884 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]885
Hanno Becker0e810b92019-01-03 17:13:11 +0000[diff] [blame]886 /* Avoid calling `memcpy` with NULL source argument,
887 * even if buflen is 0. */
888 if( buf != NULL )
889 {
890 Xp = (unsigned char*) X->p;
891 memcpy( Xp + overhead, buf, buflen );
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]892
Hanno Becker0e810b92019-01-03 17:13:11 +0000[diff] [blame]893 mpi_bigendian_to_host( X->p, limbs );
894 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]895
896cleanup:
897
Janos Follath171a7ef2019-02-15 16:17:45 +0000[diff] [blame]898 /*
899 * This function is also used to import keys. However, wiping the buffers
900 * upon failure is not necessary because failure only can happen before any
901 * input is copied.
902 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]903 return( ret );
904}
905
906/*
Janos Follathe344d0f2019-02-19 16:17:40 +0000[diff] [blame]907 * Export X into unsigned binary data, little endian
908 */
909int mbedtls_mpi_write_binary_le( const mbedtls_mpi *X,
910 unsigned char *buf, size_t buflen )
911{
912 size_t stored_bytes = X->n * ciL;
913 size_t bytes_to_copy;
914 size_t i;
915
916 if( stored_bytes < buflen )
917 {
918 bytes_to_copy = stored_bytes;
919 }
920 else
921 {
922 bytes_to_copy = buflen;
923
924 /* The output buffer is smaller than the allocated size of X.
925 * However X may fit if its leading bytes are zero. */
926 for( i = bytes_to_copy; i < stored_bytes; i++ )
927 {
928 if( GET_BYTE( X, i ) != 0 )
929 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
930 }
931 }
932
933 for( i = 0; i < bytes_to_copy; i++ )
934 buf[i] = GET_BYTE( X, i );
935
936 if( stored_bytes < buflen )
937 {
938 /* Write trailing 0 bytes */
939 memset( buf + stored_bytes, 0, buflen - stored_bytes );
940 }
941
942 return( 0 );
943}
944
945/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]946 * Export X into unsigned binary data, big endian
947 */
Gilles Peskine11cdb052018-11-20 16:47:47 +0100[diff] [blame]948int mbedtls_mpi_write_binary( const mbedtls_mpi *X,
949 unsigned char *buf, size_t buflen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]950{
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]951 size_t stored_bytes;
Gilles Peskine11cdb052018-11-20 16:47:47 +0100[diff] [blame]952 size_t bytes_to_copy;
953 unsigned char *p;
954 size_t i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]956 MPI_VALIDATE_RET( X != NULL );
957 MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
958
959 stored_bytes = X->n * ciL;
960
Gilles Peskine11cdb052018-11-20 16:47:47 +0100[diff] [blame]961 if( stored_bytes < buflen )
962 {
963 /* There is enough space in the output buffer. Write initial
964 * null bytes and record the position at which to start
965 * writing the significant bytes. In this case, the execution
966 * trace of this function does not depend on the value of the
967 * number. */
968 bytes_to_copy = stored_bytes;
969 p = buf + buflen - stored_bytes;
970 memset( buf, 0, buflen - stored_bytes );
971 }
972 else
973 {
974 /* The output buffer is smaller than the allocated size of X.
975 * However X may fit if its leading bytes are zero. */
976 bytes_to_copy = buflen;
977 p = buf;
978 for( i = bytes_to_copy; i < stored_bytes; i++ )
979 {
980 if( GET_BYTE( X, i ) != 0 )
981 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
982 }
983 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]984
Gilles Peskine11cdb052018-11-20 16:47:47 +0100[diff] [blame]985 for( i = 0; i < bytes_to_copy; i++ )
986 p[bytes_to_copy - i - 1] = GET_BYTE( X, i );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]987
988 return( 0 );
989}
990
991/*
992 * Left-shift: X <<= count
993 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]994int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]995{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]996 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]997 size_t i, v0, t1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]998 mbedtls_mpi_uint r0 = 0, r1;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]999 MPI_VALIDATE_RET( X != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1000
1001 v0 = count / (biL );
1002 t1 = count & (biL - 1);
1003
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]1004 i = mbedtls_mpi_bitlen( X ) + count;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]1006 if( X->n * biL < i )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1007 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, BITS_TO_LIMBS( i ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1008
1009 ret = 0;
1010
1011 /*
1012 * shift by count / limb_size
1013 */
1014 if( v0 > 0 )
1015 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1016 for( i = X->n; i > v0; i-- )
1017 X->p[i - 1] = X->p[i - v0 - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1018
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1019 for( ; i > 0; i-- )
1020 X->p[i - 1] = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1021 }
1022
1023 /*
1024 * shift by count % limb_size
1025 */
1026 if( t1 > 0 )
1027 {
1028 for( i = v0; i < X->n; i++ )
1029 {
1030 r1 = X->p[i] >> (biL - t1);
1031 X->p[i] <<= t1;
1032 X->p[i] |= r0;
1033 r0 = r1;
1034 }
1035 }
1036
1037cleanup:
1038
1039 return( ret );
1040}
1041
1042/*
1043 * Right-shift: X >>= count
1044 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1045int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1046{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1047 size_t i, v0, v1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1048 mbedtls_mpi_uint r0 = 0, r1;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1049 MPI_VALIDATE_RET( X != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1050
1051 v0 = count / biL;
1052 v1 = count & (biL - 1);
1053
Manuel Pégourié-Gonnarde44ec102012-11-17 12:42:51 +0100[diff] [blame]1054 if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1055 return mbedtls_mpi_lset( X, 0 );
Manuel Pégourié-Gonnarde44ec102012-11-17 12:42:51 +0100[diff] [blame]1056
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1057 /*
1058 * shift by count / limb_size
1059 */
1060 if( v0 > 0 )
1061 {
1062 for( i = 0; i < X->n - v0; i++ )
1063 X->p[i] = X->p[i + v0];
1064
1065 for( ; i < X->n; i++ )
1066 X->p[i] = 0;
1067 }
1068
1069 /*
1070 * shift by count % limb_size
1071 */
1072 if( v1 > 0 )
1073 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1074 for( i = X->n; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1076 r1 = X->p[i - 1] << (biL - v1);
1077 X->p[i - 1] >>= v1;
1078 X->p[i - 1] |= r0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079 r0 = r1;
1080 }
1081 }
1082
1083 return( 0 );
1084}
1085
1086/*
1087 * Compare unsigned values
1088 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1089int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1090{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1091 size_t i, j;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1092 MPI_VALIDATE_RET( X != NULL );
1093 MPI_VALIDATE_RET( Y != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1094
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1095 for( i = X->n; i > 0; i-- )
1096 if( X->p[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1097 break;
1098
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1099 for( j = Y->n; j > 0; j-- )
1100 if( Y->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 break;
1102
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1103 if( i == 0 && j == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1104 return( 0 );
1105
1106 if( i > j ) return( 1 );
1107 if( j > i ) return( -1 );
1108
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1109 for( ; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1110 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1111 if( X->p[i - 1] > Y->p[i - 1] ) return( 1 );
1112 if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1113 }
1114
1115 return( 0 );
1116}
1117
1118/*
1119 * Compare signed values
1120 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1121int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1122{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1123 size_t i, j;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1124 MPI_VALIDATE_RET( X != NULL );
1125 MPI_VALIDATE_RET( Y != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1126
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1127 for( i = X->n; i > 0; i-- )
1128 if( X->p[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1129 break;
1130
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1131 for( j = Y->n; j > 0; j-- )
1132 if( Y->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1133 break;
1134
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1135 if( i == 0 && j == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136 return( 0 );
1137
1138 if( i > j ) return( X->s );
Paul Bakker0c8f73b2012-03-22 14:08:57 +0000[diff] [blame]1139 if( j > i ) return( -Y->s );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1140
1141 if( X->s > 0 && Y->s < 0 ) return( 1 );
1142 if( Y->s > 0 && X->s < 0 ) return( -1 );
1143
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1144 for( ; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1145 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1146 if( X->p[i - 1] > Y->p[i - 1] ) return( X->s );
1147 if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1148 }
1149
1150 return( 0 );
1151}
1152
1153/*
1154 * Compare signed values
1155 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1156int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1157{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1158 mbedtls_mpi Y;
1159 mbedtls_mpi_uint p[1];
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1160 MPI_VALIDATE_RET( X != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1161
1162 *p = ( z < 0 ) ? -z : z;
1163 Y.s = ( z < 0 ) ? -1 : 1;
1164 Y.n = 1;
1165 Y.p = p;
1166
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1167 return( mbedtls_mpi_cmp_mpi( X, &Y ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1168}
1169
1170/*
1171 * Unsigned addition: X = |A| + |B| (HAC 14.7)
1172 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1173int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1174{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1175 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1176 size_t i, j;
Janos Follath6c922682015-10-30 17:43:11 +0100[diff] [blame]1177 mbedtls_mpi_uint *o, *p, c, tmp;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1178 MPI_VALIDATE_RET( X != NULL );
1179 MPI_VALIDATE_RET( A != NULL );
1180 MPI_VALIDATE_RET( B != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1181
1182 if( X == B )
1183 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1184 const mbedtls_mpi *T = A; A = X; B = T;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1185 }
1186
1187 if( X != A )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1188 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1189
Paul Bakkerf7ca7b92009-06-20 10:31:06 +0000[diff] [blame]1190 /*
1191 * X should always be positive as a result of unsigned additions.
1192 */
1193 X->s = 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1194
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1195 for( j = B->n; j > 0; j-- )
1196 if( B->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1197 break;
1198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1199 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1200
1201 o = B->p; p = X->p; c = 0;
1202
Janos Follath6c922682015-10-30 17:43:11 +0100[diff] [blame]1203 /*
1204 * tmp is used because it might happen that p == o
1205 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1206 for( i = 0; i < j; i++, o++, p++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1207 {
Janos Follath6c922682015-10-30 17:43:11 +0100[diff] [blame]1208 tmp= *o;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1209 *p += c; c = ( *p < c );
Janos Follath6c922682015-10-30 17:43:11 +0100[diff] [blame]1210 *p += tmp; c += ( *p < tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1211 }
1212
1213 while( c != 0 )
1214 {
1215 if( i >= X->n )
1216 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1217 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1218 p = X->p + i;
1219 }
1220
Paul Bakker2d319fd2012-09-16 21:34:26 +0000[diff] [blame]1221 *p += c; c = ( *p < c ); i++; p++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1222 }
1223
1224cleanup:
1225
1226 return( ret );
1227}
1228
1229/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1230 * Helper for mbedtls_mpi subtraction
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1231 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1232static void mpi_sub_hlp( size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1233{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1234 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1235 mbedtls_mpi_uint c, z;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1236
1237 for( i = c = 0; i < n; i++, s++, d++ )
1238 {
1239 z = ( *d < c ); *d -= c;
1240 c = ( *d < *s ) + z; *d -= *s;
1241 }
1242
1243 while( c != 0 )
1244 {
1245 z = ( *d < c ); *d -= c;
Alexey Skalozub8e75e682016-01-13 21:59:27 +0200[diff] [blame]1246 c = z; d++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1247 }
1248}
1249
1250/*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]1251 * Unsigned subtraction: X = |A| - |B| (HAC 14.9)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1252 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1253int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1254{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1255 mbedtls_mpi TB;
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1256 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1257 size_t n;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1258 MPI_VALIDATE_RET( X != NULL );
1259 MPI_VALIDATE_RET( A != NULL );
1260 MPI_VALIDATE_RET( B != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1261
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1262 if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
1263 return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1264
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1265 mbedtls_mpi_init( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1266
1267 if( X == B )
1268 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1269 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1270 B = &TB;
1271 }
1272
1273 if( X != A )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1274 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1275
Paul Bakker1ef7a532009-06-20 10:50:55 +0000[diff] [blame]1276 /*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]1277 * X should always be positive as a result of unsigned subtractions.
Paul Bakker1ef7a532009-06-20 10:50:55 +0000[diff] [blame]1278 */
1279 X->s = 1;
1280
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1281 ret = 0;
1282
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1283 for( n = B->n; n > 0; n-- )
1284 if( B->p[n - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1285 break;
1286
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1287 mpi_sub_hlp( n, B->p, X->p );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1288
1289cleanup:
1290
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1291 mbedtls_mpi_free( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1292
1293 return( ret );
1294}
1295
1296/*
1297 * Signed addition: X = A + B
1298 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1299int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1300{
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1301 int ret, s;
1302 MPI_VALIDATE_RET( X != NULL );
1303 MPI_VALIDATE_RET( A != NULL );
1304 MPI_VALIDATE_RET( B != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1305
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1306 s = A->s;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307 if( A->s * B->s < 0 )
1308 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1309 if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1310 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312 X->s = s;
1313 }
1314 else
1315 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1316 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1317 X->s = -s;
1318 }
1319 }
1320 else
1321 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1322 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323 X->s = s;
1324 }
1325
1326cleanup:
1327
1328 return( ret );
1329}
1330
1331/*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]1332 * Signed subtraction: X = A - B
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1334int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1335{
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1336 int ret, s;
1337 MPI_VALIDATE_RET( X != NULL );
1338 MPI_VALIDATE_RET( A != NULL );
1339 MPI_VALIDATE_RET( B != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1341 s = A->s;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342 if( A->s * B->s > 0 )
1343 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1344 if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1345 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1347 X->s = s;
1348 }
1349 else
1350 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1351 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1352 X->s = -s;
1353 }
1354 }
1355 else
1356 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1357 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1358 X->s = s;
1359 }
1360
1361cleanup:
1362
1363 return( ret );
1364}
1365
1366/*
1367 * Signed addition: X = A + b
1368 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1370{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1371 mbedtls_mpi _B;
1372 mbedtls_mpi_uint p[1];
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1373 MPI_VALIDATE_RET( X != NULL );
1374 MPI_VALIDATE_RET( A != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375
1376 p[0] = ( b < 0 ) ? -b : b;
1377 _B.s = ( b < 0 ) ? -1 : 1;
1378 _B.n = 1;
1379 _B.p = p;
1380
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381 return( mbedtls_mpi_add_mpi( X, A, &_B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1382}
1383
1384/*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]1385 * Signed subtraction: X = A - b
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1386 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1387int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1388{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1389 mbedtls_mpi _B;
1390 mbedtls_mpi_uint p[1];
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1391 MPI_VALIDATE_RET( X != NULL );
1392 MPI_VALIDATE_RET( A != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1393
1394 p[0] = ( b < 0 ) ? -b : b;
1395 _B.s = ( b < 0 ) ? -1 : 1;
1396 _B.n = 1;
1397 _B.p = p;
1398
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1399 return( mbedtls_mpi_sub_mpi( X, A, &_B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1400}
1401
1402/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1403 * Helper for mbedtls_mpi multiplication
Paul Bakkerfc4f46f2013-06-24 19:23:56 +0200[diff] [blame]1404 */
1405static
1406#if defined(__APPLE__) && defined(__arm__)
1407/*
1408 * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
1409 * appears to need this to prevent bad ARM code generation at -O3.
1410 */
1411__attribute__ ((noinline))
1412#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1413void mpi_mul_hlp( size_t i, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d, mbedtls_mpi_uint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1414{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1415 mbedtls_mpi_uint c = 0, t = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1416
1417#if defined(MULADDC_HUIT)
1418 for( ; i >= 8; i -= 8 )
1419 {
1420 MULADDC_INIT
1421 MULADDC_HUIT
1422 MULADDC_STOP
1423 }
1424
1425 for( ; i > 0; i-- )
1426 {
1427 MULADDC_INIT
1428 MULADDC_CORE
1429 MULADDC_STOP
1430 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1431#else /* MULADDC_HUIT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1432 for( ; i >= 16; i -= 16 )
1433 {
1434 MULADDC_INIT
1435 MULADDC_CORE MULADDC_CORE
1436 MULADDC_CORE MULADDC_CORE
1437 MULADDC_CORE MULADDC_CORE
1438 MULADDC_CORE MULADDC_CORE
1439
1440 MULADDC_CORE MULADDC_CORE
1441 MULADDC_CORE MULADDC_CORE
1442 MULADDC_CORE MULADDC_CORE
1443 MULADDC_CORE MULADDC_CORE
1444 MULADDC_STOP
1445 }
1446
1447 for( ; i >= 8; i -= 8 )
1448 {
1449 MULADDC_INIT
1450 MULADDC_CORE MULADDC_CORE
1451 MULADDC_CORE MULADDC_CORE
1452
1453 MULADDC_CORE MULADDC_CORE
1454 MULADDC_CORE MULADDC_CORE
1455 MULADDC_STOP
1456 }
1457
1458 for( ; i > 0; i-- )
1459 {
1460 MULADDC_INIT
1461 MULADDC_CORE
1462 MULADDC_STOP
1463 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1464#endif /* MULADDC_HUIT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1465
1466 t++;
1467
1468 do {
1469 *d += c; c = ( *d < c ); d++;
1470 }
1471 while( c != 0 );
1472}
1473
1474/*
1475 * Baseline multiplication: X = A * B (HAC 14.12)
1476 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1477int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1478{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1479 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1480 size_t i, j;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1481 mbedtls_mpi TA, TB;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1482 MPI_VALIDATE_RET( X != NULL );
1483 MPI_VALIDATE_RET( A != NULL );
1484 MPI_VALIDATE_RET( B != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1486 mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1488 if( X == A ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) ); A = &TA; }
1489 if( X == B ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) ); B = &TB; }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1490
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1491 for( i = A->n; i > 0; i-- )
1492 if( A->p[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1493 break;
1494
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1495 for( j = B->n; j > 0; j-- )
1496 if( B->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1497 break;
1498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1499 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + j ) );
1500 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1501
Alexey Skalozub8e75e682016-01-13 21:59:27 +0200[diff] [blame]1502 for( ; j > 0; j-- )
1503 mpi_mul_hlp( i, A->p, X->p + j - 1, B->p[j - 1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1504
1505 X->s = A->s * B->s;
1506
1507cleanup:
1508
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1509 mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510
1511 return( ret );
1512}
1513
1514/*
1515 * Baseline multiplication: X = A * b
1516 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1517int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1518{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1519 mbedtls_mpi _B;
1520 mbedtls_mpi_uint p[1];
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1521 MPI_VALIDATE_RET( X != NULL );
1522 MPI_VALIDATE_RET( A != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1523
1524 _B.s = 1;
1525 _B.n = 1;
1526 _B.p = p;
1527 p[0] = b;
1528
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1529 return( mbedtls_mpi_mul_mpi( X, A, &_B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1530}
1531
1532/*
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1533 * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
1534 * mbedtls_mpi_uint divisor, d
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1535 */
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1536static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
1537 mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r )
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1538{
Manuel Pégourié-Gonnard16308882015-12-01 10:27:00 +0100[diff] [blame]1539#if defined(MBEDTLS_HAVE_UDBL)
1540 mbedtls_t_udbl dividend, quotient;
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1541#else
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1542 const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
1543 const mbedtls_mpi_uint uint_halfword_mask = ( (mbedtls_mpi_uint) 1 << biH ) - 1;
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1544 mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
1545 mbedtls_mpi_uint u0_msw, u0_lsw;
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1546 size_t s;
Manuel Pégourié-Gonnard16308882015-12-01 10:27:00 +0100[diff] [blame]1547#endif
1548
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1549 /*
1550 * Check for overflow
1551 */
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1552 if( 0 == d || u1 >= d )
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1553 {
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1554 if (r != NULL) *r = ~0;
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1555
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1556 return ( ~0 );
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1557 }
1558
1559#if defined(MBEDTLS_HAVE_UDBL)
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1560 dividend = (mbedtls_t_udbl) u1 << biL;
1561 dividend |= (mbedtls_t_udbl) u0;
1562 quotient = dividend / d;
1563 if( quotient > ( (mbedtls_t_udbl) 1 << biL ) - 1 )
1564 quotient = ( (mbedtls_t_udbl) 1 << biL ) - 1;
1565
1566 if( r != NULL )
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1567 *r = (mbedtls_mpi_uint)( dividend - (quotient * d ) );
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1568
1569 return (mbedtls_mpi_uint) quotient;
1570#else
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1571
1572 /*
1573 * Algorithm D, Section 4.3.1 - The Art of Computer Programming
1574 * Vol. 2 - Seminumerical Algorithms, Knuth
1575 */
1576
1577 /*
1578 * Normalize the divisor, d, and dividend, u0, u1
1579 */
1580 s = mbedtls_clz( d );
1581 d = d << s;
1582
1583 u1 = u1 << s;
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1584 u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) );
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1585 u0 = u0 << s;
1586
1587 d1 = d >> biH;
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1588 d0 = d & uint_halfword_mask;
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1589
1590 u0_msw = u0 >> biH;
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1591 u0_lsw = u0 & uint_halfword_mask;
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1592
1593 /*
1594 * Find the first quotient and remainder
1595 */
1596 q1 = u1 / d1;
1597 r0 = u1 - d1 * q1;
1598
1599 while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) )
1600 {
1601 q1 -= 1;
1602 r0 += d1;
1603
1604 if ( r0 >= radix ) break;
1605 }
1606
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1607 rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1608 q0 = rAX / d1;
1609 r0 = rAX - q0 * d1;
1610
1611 while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) )
1612 {
1613 q0 -= 1;
1614 r0 += d1;
1615
1616 if ( r0 >= radix ) break;
1617 }
1618
1619 if (r != NULL)
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1620 *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1621
1622 quotient = q1 * radix + q0;
1623
1624 return quotient;
1625#endif
1626}
1627
1628/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1629 * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1630 */
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1631int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
1632 const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1633{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1634 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1635 size_t i, n, t, k;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1636 mbedtls_mpi X, Y, Z, T1, T2;
Alexander Kd19a1932019-11-01 18:20:42 +0300[diff] [blame]1637 mbedtls_mpi_uint TP2[3];
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1638 MPI_VALIDATE_RET( A != NULL );
1639 MPI_VALIDATE_RET( B != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1640
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1641 if( mbedtls_mpi_cmp_int( B, 0 ) == 0 )
1642 return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1643
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1644 mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
Alexander K35d6d462019-10-31 14:46:45 +0300[diff] [blame]1645 mbedtls_mpi_init( &T1 );
Alexander Kd19a1932019-11-01 18:20:42 +0300[diff] [blame]1646 /*
1647 * Avoid dynamic memory allocations for constant-size T2.
1648 *
1649 * T2 is used for comparison only and the 3 limbs are assigned explicitly,
1650 * so nobody increase the size of the MPI and we're safe to use an on-stack
1651 * buffer.
1652 */
Alexander K35d6d462019-10-31 14:46:45 +0300[diff] [blame]1653 T2.s = 1;
Alexander Kd19a1932019-11-01 18:20:42 +0300[diff] [blame]1654 T2.n = sizeof( TP2 ) / sizeof( *TP2 );
1655 T2.p = TP2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1657 if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1658 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1659 if( Q != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_lset( Q, 0 ) );
1660 if( R != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1661 return( 0 );
1662 }
1663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1664 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &X, A ) );
1665 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1666 X.s = Y.s = 1;
1667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1668 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &Z, A->n + 2 ) );
1669 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Z, 0 ) );
1670 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T1, 2 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1671
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]1672 k = mbedtls_mpi_bitlen( &Y ) % biL;
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]1673 if( k < biL - 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1674 {
1675 k = biL - 1 - k;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1676 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &X, k ) );
1677 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, k ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678 }
1679 else k = 0;
1680
1681 n = X.n - 1;
1682 t = Y.n - 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1683 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, biL * ( n - t ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1684
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1685 while( mbedtls_mpi_cmp_mpi( &X, &Y ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1686 {
1687 Z.p[n - t]++;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1688 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &Y ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1689 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1690 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, biL * ( n - t ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1691
1692 for( i = n; i > t ; i-- )
1693 {
1694 if( X.p[i] >= Y.p[t] )
1695 Z.p[i - t - 1] = ~0;
1696 else
1697 {
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1698 Z.p[i - t - 1] = mbedtls_int_div_int( X.p[i], X.p[i - 1],
1699 Y.p[t], NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1700 }
1701
Alexander K35d6d462019-10-31 14:46:45 +0300[diff] [blame]1702 T2.p[0] = ( i < 2 ) ? 0 : X.p[i - 2];
1703 T2.p[1] = ( i < 1 ) ? 0 : X.p[i - 1];
1704 T2.p[2] = X.p[i];
1705
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1706 Z.p[i - t - 1]++;
1707 do
1708 {
1709 Z.p[i - t - 1]--;
1710
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1711 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T1, 0 ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1712 T1.p[0] = ( t < 1 ) ? 0 : Y.p[t - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1713 T1.p[1] = Y.p[t];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1714 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1715 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1716 while( mbedtls_mpi_cmp_mpi( &T1, &T2 ) > 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1717
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1718 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
1719 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
1720 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &T1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1721
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1722 if( mbedtls_mpi_cmp_int( &X, 0 ) < 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1723 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1724 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T1, &Y ) );
1725 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
1726 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &X, &X, &T1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1727 Z.p[i - t - 1]--;
1728 }
1729 }
1730
1731 if( Q != NULL )
1732 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1733 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( Q, &Z ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1734 Q->s = A->s * B->s;
1735 }
1736
1737 if( R != NULL )
1738 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1739 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &X, k ) );
Paul Bakkerf02c5642012-11-13 10:25:21 +0000[diff] [blame]1740 X.s = A->s;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1741 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, &X ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1742
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1743 if( mbedtls_mpi_cmp_int( R, 0 ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744 R->s = 1;
1745 }
1746
1747cleanup:
1748
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1749 mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
Alexander K35d6d462019-10-31 14:46:45 +0300[diff] [blame]1750 mbedtls_mpi_free( &T1 );
Alexander Kd19a1932019-11-01 18:20:42 +0300[diff] [blame]1751 mbedtls_platform_zeroize( TP2, sizeof( TP2 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1752
1753 return( ret );
1754}
1755
1756/*
1757 * Division by int: A = Q * b + R
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1758 */
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1759int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R,
1760 const mbedtls_mpi *A,
1761 mbedtls_mpi_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1762{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1763 mbedtls_mpi _B;
1764 mbedtls_mpi_uint p[1];
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1765 MPI_VALIDATE_RET( A != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1766
1767 p[0] = ( b < 0 ) ? -b : b;
1768 _B.s = ( b < 0 ) ? -1 : 1;
1769 _B.n = 1;
1770 _B.p = p;
1771
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1772 return( mbedtls_mpi_div_mpi( Q, R, A, &_B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1773}
1774
1775/*
1776 * Modulo: R = A mod B
1777 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1778int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1779{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1780 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1781 MPI_VALIDATE_RET( R != NULL );
1782 MPI_VALIDATE_RET( A != NULL );
1783 MPI_VALIDATE_RET( B != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1784
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1785 if( mbedtls_mpi_cmp_int( B, 0 ) < 0 )
1786 return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]1787
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1788 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( NULL, R, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1789
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1790 while( mbedtls_mpi_cmp_int( R, 0 ) < 0 )
1791 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( R, R, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1793 while( mbedtls_mpi_cmp_mpi( R, B ) >= 0 )
1794 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( R, R, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1795
1796cleanup:
1797
1798 return( ret );
1799}
1800
1801/*
1802 * Modulo: r = A mod b
1803 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1804int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1805{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1806 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1807 mbedtls_mpi_uint x, y, z;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1808 MPI_VALIDATE_RET( r != NULL );
1809 MPI_VALIDATE_RET( A != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1810
1811 if( b == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1812 return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1813
1814 if( b < 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1815 return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1816
1817 /*
1818 * handle trivial cases
1819 */
1820 if( b == 1 )
1821 {
1822 *r = 0;
1823 return( 0 );
1824 }
1825
1826 if( b == 2 )
1827 {
1828 *r = A->p[0] & 1;
1829 return( 0 );
1830 }
1831
1832 /*
1833 * general case
1834 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1835 for( i = A->n, y = 0; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1837 x = A->p[i - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1838 y = ( y << biH ) | ( x >> biH );
1839 z = y / b;
1840 y -= z * b;
1841
1842 x <<= biH;
1843 y = ( y << biH ) | ( x >> biH );
1844 z = y / b;
1845 y -= z * b;
1846 }
1847
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]1848 /*
1849 * If A is negative, then the current y represents a negative value.
1850 * Flipping it to the positive side.
1851 */
1852 if( A->s < 0 && y != 0 )
1853 y = b - y;
1854
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855 *r = y;
1856
1857 return( 0 );
1858}
1859
1860/*
1861 * Fast Montgomery initialization (thanks to Tom St Denis)
1862 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1863static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1865 mbedtls_mpi_uint x, m0 = N->p[0];
Manuel Pégourié-Gonnardfdf3f0e2014-03-11 13:47:05 +0100[diff] [blame]1866 unsigned int i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1867
1868 x = m0;
1869 x += ( ( m0 + 2 ) & 4 ) << 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1870
Manuel Pégourié-Gonnardfdf3f0e2014-03-11 13:47:05 +0100[diff] [blame]1871 for( i = biL; i >= 8; i /= 2 )
1872 x *= ( 2 - ( m0 * x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1873
1874 *mm = ~x + 1;
1875}
1876
1877/*
1878 * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1879 */
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]1880static int mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1881 const mbedtls_mpi *T )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1883 size_t i, n, m;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1884 mbedtls_mpi_uint u0, u1, *d;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]1886 if( T->n < N->n + 1 || T->p == NULL )
1887 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
1888
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889 memset( T->p, 0, T->n * ciL );
1890
1891 d = T->p;
1892 n = N->n;
1893 m = ( B->n < n ) ? B->n : n;
1894
1895 for( i = 0; i < n; i++ )
1896 {
1897 /*
1898 * T = (T + u0*B + u1*N) / 2^biL
1899 */
1900 u0 = A->p[i];
1901 u1 = ( d[0] + u0 * B->p[0] ) * mm;
1902
1903 mpi_mul_hlp( m, B->p, d, u0 );
1904 mpi_mul_hlp( n, N->p, d, u1 );
1905
1906 *d++ = u0; d[n + 1] = 0;
1907 }
1908
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1909 memcpy( A->p, d, ( n + 1 ) * ciL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1910
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1911 if( mbedtls_mpi_cmp_abs( A, N ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912 mpi_sub_hlp( n, N->p, A->p );
1913 else
1914 /* prevent timing attacks */
1915 mpi_sub_hlp( n, A->p, T->p );
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]1916
1917 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918}
1919
1920/*
1921 * Montgomery reduction: A = A * R^-1 mod N
1922 */
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1923static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
1924 mbedtls_mpi_uint mm, const mbedtls_mpi *T )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1925{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1926 mbedtls_mpi_uint z = 1;
1927 mbedtls_mpi U;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928
Paul Bakker8ddb6452013-02-27 14:56:33 +0100[diff] [blame]1929 U.n = U.s = (int) z;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930 U.p = &z;
1931
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]1932 return( mpi_montmul( A, &U, N, mm, T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1933}
1934
1935/*
1936 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1937 */
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1938int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
1939 const mbedtls_mpi *E, const mbedtls_mpi *N,
1940 mbedtls_mpi *_RR )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1941{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1942 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1943 size_t wbits, wsize, one = 1;
1944 size_t i, j, nblimbs;
1945 size_t bufsize, nbits;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1946 mbedtls_mpi_uint ei, mm, state;
1947 mbedtls_mpi RR, T, W[ 2 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]1948 int neg;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1949
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]1950 MPI_VALIDATE_RET( X != NULL );
1951 MPI_VALIDATE_RET( A != NULL );
1952 MPI_VALIDATE_RET( E != NULL );
1953 MPI_VALIDATE_RET( N != NULL );
1954
Hanno Becker8d1dd1b2017-09-28 11:02:24 +0100[diff] [blame]1955 if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 || ( N->p[0] & 1 ) == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1956 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1957
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1958 if( mbedtls_mpi_cmp_int( E, 0 ) < 0 )
1959 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]1960
1961 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1962 * Init temps and window size
1963 */
1964 mpi_montg_init( &mm, N );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1965 mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &T );
1966 mbedtls_mpi_init( &Apos );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967 memset( W, 0, sizeof( W ) );
1968
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]1969 i = mbedtls_mpi_bitlen( E );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1970
1971 wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
1972 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
1973
Peter Kolbuse6bcad32018-12-11 14:01:44 -0600[diff] [blame]1974#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1975 if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
1976 wsize = MBEDTLS_MPI_WINDOW_SIZE;
Peter Kolbuse6bcad32018-12-11 14:01:44 -0600[diff] [blame]1977#endif
Paul Bakkerb6d5f082011-11-25 11:52:11 +0000[diff] [blame]1978
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1979 j = N->n + 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1980 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
1981 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) );
1982 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1983
1984 /*
Paul Bakker50546922012-05-19 08:40:49 +0000[diff] [blame]1985 * Compensate for negative A (and correct at the end)
1986 */
1987 neg = ( A->s == -1 );
Paul Bakker50546922012-05-19 08:40:49 +0000[diff] [blame]1988 if( neg )
1989 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1990 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Apos, A ) );
Paul Bakker50546922012-05-19 08:40:49 +0000[diff] [blame]1991 Apos.s = 1;
1992 A = &Apos;
1993 }
1994
1995 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1996 * If 1st call, pre-compute R^2 mod N
1997 */
1998 if( _RR == NULL || _RR->p == NULL )
1999 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2000 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &RR, 1 ) );
2001 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &RR, N->n * 2 * biL ) );
2002 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &RR, &RR, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2003
2004 if( _RR != NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2005 memcpy( _RR, &RR, sizeof( mbedtls_mpi ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2006 }
2007 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2008 memcpy( &RR, _RR, sizeof( mbedtls_mpi ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009
2010 /*
2011 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
2012 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2013 if( mbedtls_mpi_cmp_mpi( A, N ) >= 0 )
2014 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &W[1], A, N ) );
Paul Bakkerc2024f42014-01-23 20:38:35 +0100[diff] [blame]2015 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2016 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2017
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2018 MBEDTLS_MPI_CHK( mpi_montmul( &W[1], &RR, N, mm, &T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019
2020 /*
2021 * X = R^2 * R^-1 mod N = R mod N
2022 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2023 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2024 MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025
2026 if( wsize > 1 )
2027 {
2028 /*
2029 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
2030 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2031 j = one << ( wsize - 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2033 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) );
2034 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2035
2036 for( i = 0; i < wsize - 1; i++ )
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2037 MBEDTLS_MPI_CHK( mpi_montmul( &W[j], &W[j], N, mm, &T ) );
Paul Bakker0d7702c2013-10-29 16:18:35 +0100[diff] [blame]2038
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2039 /*
2040 * W[i] = W[i - 1] * W[1]
2041 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2042 for( i = j + 1; i < ( one << wsize ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2043 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2044 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
2045 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2046
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2047 MBEDTLS_MPI_CHK( mpi_montmul( &W[i], &W[1], N, mm, &T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2048 }
2049 }
2050
2051 nblimbs = E->n;
2052 bufsize = 0;
2053 nbits = 0;
2054 wbits = 0;
2055 state = 0;
2056
2057 while( 1 )
2058 {
2059 if( bufsize == 0 )
2060 {
Paul Bakker0d7702c2013-10-29 16:18:35 +0100[diff] [blame]2061 if( nblimbs == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2062 break;
2063
Paul Bakker0d7702c2013-10-29 16:18:35 +0100[diff] [blame]2064 nblimbs--;
2065
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2066 bufsize = sizeof( mbedtls_mpi_uint ) << 3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2067 }
2068
2069 bufsize--;
2070
2071 ei = (E->p[nblimbs] >> bufsize) & 1;
2072
2073 /*
2074 * skip leading 0s
2075 */
2076 if( ei == 0 && state == 0 )
2077 continue;
2078
2079 if( ei == 0 && state == 1 )
2080 {
2081 /*
2082 * out of window, square X
2083 */
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2084 MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2085 continue;
2086 }
2087
2088 /*
2089 * add ei to current window
2090 */
2091 state = 2;
2092
2093 nbits++;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2094 wbits |= ( ei << ( wsize - nbits ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2095
2096 if( nbits == wsize )
2097 {
2098 /*
2099 * X = X^wsize R^-1 mod N
2100 */
2101 for( i = 0; i < wsize; i++ )
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2102 MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2103
2104 /*
2105 * X = X * W[wbits] R^-1 mod N
2106 */
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2107 MBEDTLS_MPI_CHK( mpi_montmul( X, &W[wbits], N, mm, &T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2108
2109 state--;
2110 nbits = 0;
2111 wbits = 0;
2112 }
2113 }
2114
2115 /*
2116 * process the remaining bits
2117 */
2118 for( i = 0; i < nbits; i++ )
2119 {
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2120 MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2121
2122 wbits <<= 1;
2123
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2124 if( ( wbits & ( one << wsize ) ) != 0 )
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2125 MBEDTLS_MPI_CHK( mpi_montmul( X, &W[1], N, mm, &T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2126 }
2127
2128 /*
2129 * X = A^E * R * R^-1 mod N = A^E mod N
2130 */
Nicholas Wilson91c68a52016-04-13 11:44:29 +0100[diff] [blame]2131 MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2132
Hanno Beckera4af1c42017-04-18 09:07:45 +0100[diff] [blame]2133 if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]2134 {
2135 X->s = -1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2136 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) );
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]2137 }
2138
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2139cleanup:
2140
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2141 for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2142 mbedtls_mpi_free( &W[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2143
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2144 mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]2145
Paul Bakker75a28602014-03-31 12:08:17 +0200[diff] [blame]2146 if( _RR == NULL || _RR->p == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2147 mbedtls_mpi_free( &RR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2148
2149 return( ret );
2150}
2151
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2152/*
2153 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
2154 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2155int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2156{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]2157 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2158 size_t lz, lzt;
Alexander Ke8ad49f2019-08-16 16:16:07 +0300[diff] [blame]2159 mbedtls_mpi TA, TB;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2160
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]2161 MPI_VALIDATE_RET( G != NULL );
2162 MPI_VALIDATE_RET( A != NULL );
2163 MPI_VALIDATE_RET( B != NULL );
2164
Alexander Ke8ad49f2019-08-16 16:16:07 +0300[diff] [blame]2165 mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2166
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2167 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) );
2168 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2169
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2170 lz = mbedtls_mpi_lsb( &TA );
2171 lzt = mbedtls_mpi_lsb( &TB );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2172
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2173 if( lzt < lz )
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2174 lz = lzt;
2175
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2176 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, lz ) );
2177 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, lz ) );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2178
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179 TA.s = TB.s = 1;
2180
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2181 while( mbedtls_mpi_cmp_int( &TA, 0 ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2182 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2183 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, mbedtls_mpi_lsb( &TA ) ) );
2184 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, mbedtls_mpi_lsb( &TB ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2186 if( mbedtls_mpi_cmp_mpi( &TA, &TB ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2187 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2188 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TA, &TA, &TB ) );
2189 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2190 }
2191 else
2192 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2193 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TB, &TB, &TA ) );
2194 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2195 }
2196 }
2197
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2198 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &TB, lz ) );
2199 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( G, &TB ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2200
2201cleanup:
2202
Alexander Ke8ad49f2019-08-16 16:16:07 +0300[diff] [blame]2203 mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204
2205 return( ret );
2206}
2207
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]2208/*
2209 * Fill X with size bytes of random.
2210 *
2211 * Use a temporary bytes representation to make sure the result is the same
Paul Bakkerc37b0ac2014-05-01 14:19:23 +0200[diff] [blame]2212 * regardless of the platform endianness (useful when f_rng is actually
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]2213 * deterministic, eg for tests).
2214 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2215int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2216 int (*f_rng)(void *, unsigned char *, size_t),
2217 void *p_rng )
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]2218{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]2219 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker6dab6202019-01-02 16:42:29 +0000[diff] [blame]2220 size_t const limbs = CHARS_TO_LIMBS( size );
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]2221 size_t const overhead = ( limbs * ciL ) - size;
2222 unsigned char *Xp;
2223
Hanno Becker8ce11a32018-12-19 16:18:52 +0000[diff] [blame]2224 MPI_VALIDATE_RET( X != NULL );
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]2225 MPI_VALIDATE_RET( f_rng != NULL );
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]2226
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]2227 /* Ensure that target MPI has exactly the necessary number of limbs */
2228 if( X->n != limbs )
2229 {
2230 mbedtls_mpi_free( X );
2231 mbedtls_mpi_init( X );
2232 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
2233 }
2234 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]2235
Hanno Beckerda1655a2017-10-18 14:21:44 +0100[diff] [blame]2236 Xp = (unsigned char*) X->p;
2237 f_rng( p_rng, Xp + overhead, size );
2238
Hanno Becker2be8a552018-10-25 12:40:09 +0100[diff] [blame]2239 mpi_bigendian_to_host( X->p, limbs );
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]2240
2241cleanup:
2242 return( ret );
2243}
2244
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2245/*
2246 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
2247 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2248int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2249{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]2250 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2251 mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]2252 MPI_VALIDATE_RET( X != NULL );
2253 MPI_VALIDATE_RET( A != NULL );
2254 MPI_VALIDATE_RET( N != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2255
Hanno Becker4bcb4912017-04-18 15:49:39 +0100[diff] [blame]2256 if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2257 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2258
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2259 mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TU ); mbedtls_mpi_init( &U1 ); mbedtls_mpi_init( &U2 );
2260 mbedtls_mpi_init( &G ); mbedtls_mpi_init( &TB ); mbedtls_mpi_init( &TV );
2261 mbedtls_mpi_init( &V1 ); mbedtls_mpi_init( &V2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2262
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2263 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, A, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2264
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2265 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2266 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2267 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2268 goto cleanup;
2269 }
2270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2271 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &TA, A, N ) );
2272 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TU, &TA ) );
2273 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, N ) );
2274 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TV, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2276 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U1, 1 ) );
2277 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U2, 0 ) );
2278 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V1, 0 ) );
2279 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V2, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2280
2281 do
2282 {
2283 while( ( TU.p[0] & 1 ) == 0 )
2284 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2285 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TU, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2286
2287 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
2288 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2289 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &U1, &U1, &TB ) );
2290 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &TA ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2291 }
2292
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2293 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U1, 1 ) );
2294 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U2, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2295 }
2296
2297 while( ( TV.p[0] & 1 ) == 0 )
2298 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2299 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TV, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2300
2301 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
2302 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2303 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, &TB ) );
2304 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &TA ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2305 }
2306
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2307 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V1, 1 ) );
2308 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V2, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2309 }
2310
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2311 if( mbedtls_mpi_cmp_mpi( &TU, &TV ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2312 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2313 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TU, &TU, &TV ) );
2314 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U1, &U1, &V1 ) );
2315 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &V2 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2316 }
2317 else
2318 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2319 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TV, &TV, &TU ) );
2320 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, &U1 ) );
2321 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &U2 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2322 }
2323 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2324 while( mbedtls_mpi_cmp_int( &TU, 0 ) != 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2325
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2326 while( mbedtls_mpi_cmp_int( &V1, 0 ) < 0 )
2327 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2328
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2329 while( mbedtls_mpi_cmp_mpi( &V1, N ) >= 0 )
2330 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2332 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &V1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2333
2334cleanup:
2335
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2336 mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TU ); mbedtls_mpi_free( &U1 ); mbedtls_mpi_free( &U2 );
2337 mbedtls_mpi_free( &G ); mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TV );
2338 mbedtls_mpi_free( &V1 ); mbedtls_mpi_free( &V2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2339
2340 return( ret );
2341}
2342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2343#if defined(MBEDTLS_GENPRIME)
Paul Bakkerd9374b02012-11-02 11:02:58 +0000[diff] [blame]2344
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2345static const int small_prime[] =
2346{
2347 3, 5, 7, 11, 13, 17, 19, 23,
2348 29, 31, 37, 41, 43, 47, 53, 59,
2349 61, 67, 71, 73, 79, 83, 89, 97,
2350 101, 103, 107, 109, 113, 127, 131, 137,
2351 139, 149, 151, 157, 163, 167, 173, 179,
2352 181, 191, 193, 197, 199, 211, 223, 227,
2353 229, 233, 239, 241, 251, 257, 263, 269,
2354 271, 277, 281, 283, 293, 307, 311, 313,
2355 317, 331, 337, 347, 349, 353, 359, 367,
2356 373, 379, 383, 389, 397, 401, 409, 419,
2357 421, 431, 433, 439, 443, 449, 457, 461,
2358 463, 467, 479, 487, 491, 499, 503, 509,
2359 521, 523, 541, 547, 557, 563, 569, 571,
2360 577, 587, 593, 599, 601, 607, 613, 617,
2361 619, 631, 641, 643, 647, 653, 659, 661,
2362 673, 677, 683, 691, 701, 709, 719, 727,
2363 733, 739, 743, 751, 757, 761, 769, 773,
2364 787, 797, 809, 811, 821, 823, 827, 829,
2365 839, 853, 857, 859, 863, 877, 881, 883,
2366 887, 907, 911, 919, 929, 937, 941, 947,
2367 953, 967, 971, 977, 983, 991, 997, -103
2368};
2369
2370/*
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2371 * Small divisors test (X must be positive)
2372 *
2373 * Return values:
2374 * 0: no small factor (possible prime, more tests needed)
2375 * 1: certain prime
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2376 * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2377 * other negative: error
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2378 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2379static int mpi_check_small_factors( const mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2380{
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2381 int ret = 0;
2382 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2383 mbedtls_mpi_uint r;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2384
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2385 if( ( X->p[0] & 1 ) == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2386 return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2387
2388 for( i = 0; small_prime[i] > 0; i++ )
2389 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2390 if( mbedtls_mpi_cmp_int( X, small_prime[i] ) <= 0 )
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2391 return( 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2393 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, small_prime[i] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2394
2395 if( r == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2396 return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2397 }
2398
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2399cleanup:
2400 return( ret );
2401}
2402
2403/*
2404 * Miller-Rabin pseudo-primality test (HAC 4.24)
2405 */
Janos Follathda31fa12018-09-03 14:45:23 +0100[diff] [blame]2406static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2407 int (*f_rng)(void *, unsigned char *, size_t),
2408 void *p_rng )
2409{
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2410 int ret, count;
Janos Follathda31fa12018-09-03 14:45:23 +0100[diff] [blame]2411 size_t i, j, k, s;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2412 mbedtls_mpi W, R, T, A, RR;
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2413
Hanno Becker8ce11a32018-12-19 16:18:52 +0000[diff] [blame]2414 MPI_VALIDATE_RET( X != NULL );
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]2415 MPI_VALIDATE_RET( f_rng != NULL );
2416
2417 mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R );
2418 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2419 mbedtls_mpi_init( &RR );
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2420
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2421 /*
2422 * W = |X| - 1
2423 * R = W >> lsb( W )
2424 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2425 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &W, X, 1 ) );
2426 s = mbedtls_mpi_lsb( &W );
2427 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R, &W ) );
2428 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2429
Janos Follathda31fa12018-09-03 14:45:23 +0100[diff] [blame]2430 for( i = 0; i < rounds; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2431 {
2432 /*
2433 * pick a random A, 1 < A < |X| - 1
2434 */
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2435 count = 0;
2436 do {
Manuel Pégourié-Gonnard53c76c02015-04-17 20:15:36 +0200[diff] [blame]2437 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2438
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]2439 j = mbedtls_mpi_bitlen( &A );
2440 k = mbedtls_mpi_bitlen( &W );
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2441 if (j > k) {
Darryl Greene3f95ed2018-10-02 13:21:35 +0100[diff] [blame]2442 A.p[A.n - 1] &= ( (mbedtls_mpi_uint) 1 << ( k - ( A.n - 1 ) * biL - 1 ) ) - 1;
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2443 }
2444
2445 if (count++ > 30) {
Jens Wiklanderf08aa3e2019-01-17 13:30:57 +0100[diff] [blame]2446 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2447 goto cleanup;
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2448 }
2449
Manuel Pégourié-Gonnard53c76c02015-04-17 20:15:36 +0200[diff] [blame]2450 } while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 ||
2451 mbedtls_mpi_cmp_int( &A, 1 ) <= 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2452
2453 /*
2454 * A = A^R mod |X|
2455 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2456 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &A, &A, &R, X, &RR ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2458 if( mbedtls_mpi_cmp_mpi( &A, &W ) == 0 ||
2459 mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2460 continue;
2461
2462 j = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2463 while( j < s && mbedtls_mpi_cmp_mpi( &A, &W ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2464 {
2465 /*
2466 * A = A * A mod |X|
2467 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2468 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &A, &A ) );
2469 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &A, &T, X ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2470
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2471 if( mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2472 break;
2473
2474 j++;
2475 }
2476
2477 /*
2478 * not prime if A != |X| - 1 or A == 1
2479 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2480 if( mbedtls_mpi_cmp_mpi( &A, &W ) != 0 ||
2481 mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2482 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2483 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2484 break;
2485 }
2486 }
2487
2488cleanup:
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]2489 mbedtls_mpi_free( &W ); mbedtls_mpi_free( &R );
2490 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &A );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2491 mbedtls_mpi_free( &RR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2492
2493 return( ret );
2494}
2495
2496/*
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2497 * Pseudo-primality test: small factors, then Miller-Rabin
2498 */
Janos Follatha0b67c22018-09-18 14:48:23 +0100[diff] [blame]2499int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
2500 int (*f_rng)(void *, unsigned char *, size_t),
2501 void *p_rng )
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2502{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]2503 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2504 mbedtls_mpi XX;
Hanno Becker8ce11a32018-12-19 16:18:52 +0000[diff] [blame]2505 MPI_VALIDATE_RET( X != NULL );
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]2506 MPI_VALIDATE_RET( f_rng != NULL );
Manuel Pégourié-Gonnard7f4ed672014-10-14 20:56:02 +0200[diff] [blame]2507
2508 XX.s = 1;
2509 XX.n = X->n;
2510 XX.p = X->p;
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2511
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2512 if( mbedtls_mpi_cmp_int( &XX, 0 ) == 0 ||
2513 mbedtls_mpi_cmp_int( &XX, 1 ) == 0 )
2514 return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2516 if( mbedtls_mpi_cmp_int( &XX, 2 ) == 0 )
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2517 return( 0 );
2518
2519 if( ( ret = mpi_check_small_factors( &XX ) ) != 0 )
2520 {
2521 if( ret == 1 )
2522 return( 0 );
2523
2524 return( ret );
2525 }
2526
Janos Follathda31fa12018-09-03 14:45:23 +0100[diff] [blame]2527 return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
Janos Follathf301d232018-08-14 13:34:01 +0100[diff] [blame]2528}
2529
Janos Follatha0b67c22018-09-18 14:48:23 +0100[diff] [blame]2530#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Janos Follathf301d232018-08-14 13:34:01 +0100[diff] [blame]2531/*
2532 * Pseudo-primality test, error probability 2^-80
2533 */
2534int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
2535 int (*f_rng)(void *, unsigned char *, size_t),
2536 void *p_rng )
2537{
Hanno Becker8ce11a32018-12-19 16:18:52 +0000[diff] [blame]2538 MPI_VALIDATE_RET( X != NULL );
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]2539 MPI_VALIDATE_RET( f_rng != NULL );
2540
Janos Follatha0b67c22018-09-18 14:48:23 +0100[diff] [blame]2541 /*
2542 * In the past our key generation aimed for an error rate of at most
2543 * 2^-80. Since this function is deprecated, aim for the same certainty
2544 * here as well.
2545 */
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]2546 return( mbedtls_mpi_is_prime_ext( X, 40, f_rng, p_rng ) );
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2547}
Janos Follatha0b67c22018-09-18 14:48:23 +0100[diff] [blame]2548#endif
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2549
2550/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2551 * Prime number generation
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2552 *
Janos Follathf301d232018-08-14 13:34:01 +0100[diff] [blame]2553 * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
2554 * be either 1024 bits or 1536 bits long, and flags must contain
2555 * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2556 */
Janos Follath7c025a92018-08-14 11:08:41 +0100[diff] [blame]2557int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2558 int (*f_rng)(void *, unsigned char *, size_t),
2559 void *p_rng )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2560{
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2561#ifdef MBEDTLS_HAVE_INT64
2562// ceil(2^63.5)
2563#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
2564#else
2565// ceil(2^31.5)
2566#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
2567#endif
2568 int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2569 size_t k, n;
Janos Follathda31fa12018-09-03 14:45:23 +0100[diff] [blame]2570 int rounds;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2571 mbedtls_mpi_uint r;
2572 mbedtls_mpi Y;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2573
Hanno Becker8ce11a32018-12-19 16:18:52 +0000[diff] [blame]2574 MPI_VALIDATE_RET( X != NULL );
Hanno Becker73d7d792018-12-11 10:35:51 +0000[diff] [blame]2575 MPI_VALIDATE_RET( f_rng != NULL );
2576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2577 if( nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS )
2578 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2579
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2580 mbedtls_mpi_init( &Y );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2581
2582 n = BITS_TO_LIMBS( nbits );
2583
Janos Follathda31fa12018-09-03 14:45:23 +0100[diff] [blame]2584 if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR ) == 0 )
2585 {
2586 /*
2587 * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
2588 */
2589 rounds = ( ( nbits >= 1300 ) ? 2 : ( nbits >= 850 ) ? 3 :
2590 ( nbits >= 650 ) ? 4 : ( nbits >= 350 ) ? 8 :
2591 ( nbits >= 250 ) ? 12 : ( nbits >= 150 ) ? 18 : 27 );
2592 }
2593 else
2594 {
2595 /*
2596 * 2^-100 error probability, number of rounds computed based on HAC,
2597 * fact 4.48
2598 */
2599 rounds = ( ( nbits >= 1450 ) ? 4 : ( nbits >= 1150 ) ? 5 :
2600 ( nbits >= 1000 ) ? 6 : ( nbits >= 850 ) ? 7 :
2601 ( nbits >= 750 ) ? 8 : ( nbits >= 500 ) ? 13 :
2602 ( nbits >= 250 ) ? 28 : ( nbits >= 150 ) ? 40 : 51 );
2603 }
2604
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2605 while( 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2606 {
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2607 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
2608 /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
2609 if( X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2 ) continue;
2610
2611 k = n * biL;
2612 if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits ) );
2613 X->p[0] |= 1;
2614
Janos Follath7c025a92018-08-14 11:08:41 +0100[diff] [blame]2615 if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2616 {
Janos Follatha0b67c22018-09-18 14:48:23 +0100[diff] [blame]2617 ret = mbedtls_mpi_is_prime_ext( X, rounds, f_rng, p_rng );
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2618
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2619 if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2620 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2621 }
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2622 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2623 {
Manuel Pégourié-Gonnardddf76152013-11-22 19:58:22 +0100[diff] [blame]2624 /*
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2625 * An necessary condition for Y and X = 2Y + 1 to be prime
2626 * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
2627 * Make sure it is satisfied, while keeping X = 3 mod 4
Manuel Pégourié-Gonnardddf76152013-11-22 19:58:22 +0100[diff] [blame]2628 */
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2629
2630 X->p[0] |= 2;
2631
2632 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
2633 if( r == 0 )
2634 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
2635 else if( r == 1 )
2636 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 4 ) );
2637
2638 /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
2639 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, X ) );
2640 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, 1 ) );
2641
2642 while( 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2643 {
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2644 /*
2645 * First, check small factors for X and Y
2646 * before doing Miller-Rabin on any of them
2647 */
2648 if( ( ret = mpi_check_small_factors( X ) ) == 0 &&
2649 ( ret = mpi_check_small_factors( &Y ) ) == 0 &&
Janos Follathda31fa12018-09-03 14:45:23 +0100[diff] [blame]2650 ( ret = mpi_miller_rabin( X, rounds, f_rng, p_rng ) )
Janos Follathf301d232018-08-14 13:34:01 +0100[diff] [blame]2651 == 0 &&
Janos Follathda31fa12018-09-03 14:45:23 +0100[diff] [blame]2652 ( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng ) )
Janos Follathf301d232018-08-14 13:34:01 +0100[diff] [blame]2653 == 0 )
Jethro Beekman66689272018-02-14 19:24:10 -0800[diff] [blame]2654 goto cleanup;
2655
2656 if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
2657 goto cleanup;
2658
2659 /*
2660 * Next candidates. We want to preserve Y = (X-1) / 2 and
2661 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
2662 * so up Y by 6 and X by 12.
2663 */
2664 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 12 ) );
2665 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &Y, &Y, 6 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2666 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2667 }
2668 }
2669
2670cleanup:
2671
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2672 mbedtls_mpi_free( &Y );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2673
2674 return( ret );
2675}
2676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2677#endif /* MBEDTLS_GENPRIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2678
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2679#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2680
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2681#define GCD_PAIR_COUNT 3
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2682
2683static const int gcd_pairs[GCD_PAIR_COUNT][3] =
2684{
2685 { 693, 609, 21 },
2686 { 1764, 868, 28 },
2687 { 768454923, 542167814, 1 }
2688};
2689
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2690/*
2691 * Checkup routine
2692 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2693int mbedtls_mpi_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2694{
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2695 int ret, i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2696 mbedtls_mpi A, E, N, X, Y, U, V;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2698 mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &X );
2699 mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &U ); mbedtls_mpi_init( &V );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2701 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &A, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2702 "EFE021C2645FD1DC586E69184AF4A31E" \
2703 "D5F53E93B5F123FA41680867BA110131" \
2704 "944FE7952E2517337780CB0DB80E61AA" \
2705 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
2706
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2707 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &E, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2708 "B2E7EFD37075B9F03FF989C7C5051C20" \
2709 "34D2A323810251127E7BF8625A4F49A5" \
2710 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
2711 "5B5C25763222FEFCCFC38B832366C29E" ) );
2712
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2713 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &N, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2714 "0066A198186C18C10B2F5ED9B522752A" \
2715 "9830B69916E535C8F047518A889A43A5" \
2716 "94B6BED27A168D31D4A52F88925AA8F5" ) );
2717
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2718 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X, &A, &N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2719
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2720 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2721 "602AB7ECA597A3D6B56FF9829A5E8B85" \
2722 "9E857EA95A03512E2BAE7391688D264A" \
2723 "A5663B0341DB9CCFD2C4C5F421FEC814" \
2724 "8001B72E848A38CAE1C65F78E56ABDEF" \
2725 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
2726 "ECF677152EF804370C1A305CAF3B5BF1" \
2727 "30879B56C61DE584A0F53A2447A51E" ) );
2728
2729 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2730 mbedtls_printf( " MPI test #1 (mul_mpi): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2731
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2732 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2733 {
2734 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2735 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2736
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2737 ret = 1;
2738 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2739 }
2740
2741 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2742 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2743
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2744 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &X, &Y, &A, &N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2745
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2746 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2747 "256567336059E52CAE22925474705F39A94" ) );
2748
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2749 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &V, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2750 "6613F26162223DF488E9CD48CC132C7A" \
2751 "0AC93C701B001B092E4E5B9F73BCD27B" \
2752 "9EE50D0657C77F374E903CDFA4C642" ) );
2753
2754 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2755 mbedtls_printf( " MPI test #2 (div_mpi): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2756
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2757 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 ||
2758 mbedtls_mpi_cmp_mpi( &Y, &V ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2759 {
2760 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2761 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2762
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2763 ret = 1;
2764 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2765 }
2766
2767 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2768 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2769
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2770 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &X, &A, &E, &N, NULL ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2771
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2772 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2773 "36E139AEA55215609D2816998ED020BB" \
2774 "BD96C37890F65171D948E9BC7CBAA4D9" \
2775 "325D24D6A3C12710F10A09FA08AB87" ) );
2776
2777 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2778 mbedtls_printf( " MPI test #3 (exp_mod): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2779
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2780 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2781 {
2782 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2783 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2784
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2785 ret = 1;
2786 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2787 }
2788
2789 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2790 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2791
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2792 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &X, &A, &N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2793
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2794 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2795 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
2796 "C3DBA76456363A10869622EAC2DD84EC" \
2797 "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
2798
2799 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2800 mbedtls_printf( " MPI test #4 (inv_mod): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2801
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2802 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2803 {
2804 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2805 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2806
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2807 ret = 1;
2808 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2809 }
2810
2811 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2812 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2813
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2814 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2815 mbedtls_printf( " MPI test #5 (simple gcd): " );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2816
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2817 for( i = 0; i < GCD_PAIR_COUNT; i++ )
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2818 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2819 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &X, gcd_pairs[i][0] ) );
2820 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Y, gcd_pairs[i][1] ) );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2821
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2822 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &A, &X, &Y ) );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2823
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2824 if( mbedtls_mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2825 {
2826 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2827 mbedtls_printf( "failed at %d\n", i );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2828
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2829 ret = 1;
2830 goto cleanup;
2831 }
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2832 }
2833
2834 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2835 mbedtls_printf( "passed\n" );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2836
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2837cleanup:
2838
2839 if( ret != 0 && verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2840 mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2841
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2842 mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); mbedtls_mpi_free( &X );
2843 mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &U ); mbedtls_mpi_free( &V );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2844
2845 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2846 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2847
2848 return( ret );
2849}
2850
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2851#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2852
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2853#endif /* MBEDTLS_BIGNUM_C */