Blame - library/bignum.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 7681982298ffcd24ece49fbe4a82d1b28de86207 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* Multi-precision integer library
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Dave Rodgman	16799db	2023-11-02 19:47:20 +0000	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	6	*/
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	7
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	8	/*
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	9	* The following sources were referenced in the design of this Multi-precision
				10	* Integer library:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	11	*
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	12	* [1] Handbook of Applied Cryptography - 1997
				13	* Menezes, van Oorschot and Vanstone
				14	*
				15	* [2] Multi-Precision Math
				16	* Tom St Denis
				17	* https://github.com/libtom/libtommath/blob/develop/tommath.pdf
				18	*
				19	* [3] GNU Multi-Precision Arithmetic Library
				20	* https://gmplib.org/manual/index.html
				21	*
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	22	*/
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	23
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	24	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	25
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	26	#if defined(MBEDTLS_BIGNUM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	27
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	28	#include "mbedtls/bignum.h"
Janos Follath	4614b9a	2022-07-21 15:34:47 +0100	[diff] [blame]	29	#include "bignum_core.h"
Chris Jones	4c5819c	2021-03-03 17:45:34 +0000	[diff] [blame]	30	#include "bn_mul.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	31	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	32	#include "mbedtls/error.h"
Gabor Mezei	22c9a6f	2021-10-20 12:09:35 +0200	[diff] [blame]	33	#include "constant_time_internal.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	34
Dave Rodgman	351c71b	2021-12-06 17:50:53 +0000	[diff] [blame]	35	#include <limits.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	36	#include <string.h>
				37
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	38	#include "mbedtls/platform.h"
Paul Bakker	6e339b5	2013-07-03 13:37:05 +0200	[diff] [blame]	39
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	40	/*
				41	* Compare signed values in constant time
				42	*/
				43	int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
				44	const mbedtls_mpi *Y,
				45	unsigned *ret)
				46	{
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	47	mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	48
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	49	if (X->n != Y->n) {
				50	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				51	}
				52
				53	/*
Dave Rodgman	b69239c	2023-08-09 14:53:18 +0100	[diff] [blame]	54	* Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0.
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	55	* We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
				56	*/
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	57	X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1);
				58	Y_is_negative = mbedtls_ct_bool((Y->s & 2) >> 1);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	59
				60	/*
				61	* If the signs are different, then the positive operand is the bigger.
				62	* That is if X is negative (X_is_negative == 1), then X < Y is true and it
				63	* is false if X is positive (X_is_negative == 0).
				64	*/
Dave Rodgman	1cfc43c	2023-09-19 16:18:59 +0100	[diff] [blame]	65	different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	66	result = mbedtls_ct_bool_and(different_sign, X_is_negative);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	67
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	68	/*
				69	* Assuming signs are the same, compare X and Y. We switch the comparison
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	70	* order if they are negative so that we get the right result, regardles of
				71	* sign.
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	72	*/
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	73
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	74	/* This array is used to conditionally swap the pointers in const time */
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	75	void * const p[2] = { X->p, Y->p };
Dave Rodgman	98ddc01	2023-08-10 12:11:31 +0100	[diff] [blame]	76	size_t i = mbedtls_ct_size_if_else_0(X_is_negative, 1);
Dave Rodgman	2c76484	2023-05-18 13:28:21 +0100	[diff] [blame]	77	mbedtls_ct_condition_t lt = mbedtls_mpi_core_lt_ct(p[i], p[i ^ 1], X->n);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	78
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	79	/*
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	80	* Store in result iff the signs are the same (i.e., iff different_sign == false). If
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	81	* the signs differ, result has already been set, so we don't change it.
				82	*/
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	83	result = mbedtls_ct_bool_or(result,
				84	mbedtls_ct_bool_and(mbedtls_ct_bool_not(different_sign), lt));
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	85
Dave Rodgman	98ddc01	2023-08-10 12:11:31 +0100	[diff] [blame]	86	*ret = mbedtls_ct_uint_if_else_0(result, 1);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	87
				88	return 0;
				89	}
				90
				91	/*
				92	* Conditionally assign X = Y, without leaking information
				93	* about whether the assignment was made or not.
				94	* (Leaking information about the respective sizes of X and Y is ok however.)
				95	*/
Dave Rodgman	0a48717	2023-09-15 11:52:06 +0100	[diff] [blame]	96	#if defined(_MSC_VER) && defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \
				97	(_MSC_FULL_VER < 193131103)
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	98	/*
				99	* MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:
				100	* https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989
				101	*/
				102	__declspec(noinline)
				103	#endif
				104	int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X,
				105	const mbedtls_mpi *Y,
				106	unsigned char assign)
				107	{
				108	int ret = 0;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	109
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	110	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
				111
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	112	{
				113	mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign);
Dave Rodgman	589ccb8	2023-05-17 13:55:01 +0100	[diff] [blame]	114
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	115	X->s = (int) mbedtls_ct_uint_if(do_assign, Y->s, X->s);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	116
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	117	mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	118
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	119	mbedtls_ct_condition_t do_not_assign = mbedtls_ct_bool_not(do_assign);
				120	for (size_t i = Y->n; i < X->n; i++) {
				121	X->p[i] = mbedtls_ct_mpi_uint_if_else_0(do_not_assign, X->p[i]);
				122	}
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	123	}
				124
				125	cleanup:
				126	return ret;
				127	}
				128
				129	/*
				130	* Conditionally swap X and Y, without leaking information
				131	* about whether the swap was made or not.
				132	* Here it is not ok to simply swap the pointers, which would lead to
				133	* different memory access patterns when X and Y are used afterwards.
				134	*/
				135	int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X,
				136	mbedtls_mpi *Y,
				137	unsigned char swap)
				138	{
				139	int ret = 0;
				140	int s;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	141
				142	if (X == Y) {
				143	return 0;
				144	}
				145
Dave Rodgman	cd2e38b	2023-05-17 13:31:55 +0100	[diff] [blame]	146	mbedtls_ct_condition_t do_swap = mbedtls_ct_bool(swap);
				147
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	148	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
				149	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n));
				150
				151	s = X->s;
Dave Rodgman	2b4486a	2023-05-17 15:51:59 +0100	[diff] [blame]	152	X->s = (int) mbedtls_ct_uint_if(do_swap, Y->s, X->s);
				153	Y->s = (int) mbedtls_ct_uint_if(do_swap, s, Y->s);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	154
Dave Rodgman	cd2e38b	2023-05-17 13:31:55 +0100	[diff] [blame]	155	mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	156
				157	cleanup:
				158	return ret;
				159	}
				160
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	161	/* Implementation that should never be optimized out by the compiler */
Tom Cosgrove	bc345e8	2023-07-25 15:17:39 +0100	[diff] [blame]	162	#define mbedtls_mpi_zeroize_and_free(v, n) mbedtls_zeroize_and_free(v, ciL * (n))
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	163
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	164	/*
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	165	* Initialize one MPI
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	166	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	167	void mbedtls_mpi_init(mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	168	{
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	169	X->s = 1;
				170	X->n = 0;
				171	X->p = NULL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	172	}
				173
				174	/*
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	175	* Unallocate one MPI
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	176	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	177	void mbedtls_mpi_free(mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	178	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	179	if (X == NULL) {
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	180	return;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	181	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	182
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	183	if (X->p != NULL) {
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	184	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	185	}
				186
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	187	X->s = 1;
				188	X->n = 0;
				189	X->p = NULL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	190	}
				191
				192	/*
				193	* Enlarge to the specified number of limbs
				194	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	195	int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	196	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	197	mbedtls_mpi_uint *p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	198
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	199	if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
				200	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				201	}
Paul Bakker	f968857	2011-05-05 10:00:45 +0000	[diff] [blame]	202
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	203	if (X->n < nblimbs) {
				204	if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {
				205	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				206	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	207
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	208	if (X->p != NULL) {
				209	memcpy(p, X->p, X->n * ciL);
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	210	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	211	}
				212
Gilles Peskine	053022f	2023-06-29 19:26:48 +0200	[diff] [blame]	213	/* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
				214	* fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
				215	X->n = (unsigned short) nblimbs;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	216	X->p = p;
				217	}
				218
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	219	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	220	}
				221
				222	/*
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	223	* Resize down as much as possible,
				224	* while keeping at least the specified number of limbs
				225	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	226	int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	227	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	228	mbedtls_mpi_uint *p;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	229	size_t i;
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	230
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	231	if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
				232	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				233	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	234
Gilles Peskine	e2f563e	2020-01-20 21:17:43 +0100	[diff] [blame]	235	/* Actually resize up if there are currently fewer than nblimbs limbs. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	236	if (X->n <= nblimbs) {
				237	return mbedtls_mpi_grow(X, nblimbs);
				238	}
Gilles Peskine	322752b	2020-01-21 13:59:51 +0100	[diff] [blame]	239	/* After this point, then X->n > nblimbs and in particular X->n > 0. */
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	240
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	241	for (i = X->n - 1; i > 0; i--) {
				242	if (X->p[i] != 0) {
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	243	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	244	}
				245	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	246	i++;
				247
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	248	if (i < nblimbs) {
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	249	i = nblimbs;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	250	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	251
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	252	if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {
				253	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				254	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	255
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	256	if (X->p != NULL) {
				257	memcpy(p, X->p, i * ciL);
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	258	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	259	}
				260
Gilles Peskine	053022f	2023-06-29 19:26:48 +0200	[diff] [blame]	261	/* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
				262	* fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
				263	X->n = (unsigned short) i;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	264	X->p = p;
				265
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	266	return 0;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	267	}
				268
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	269	/* Resize X to have exactly n limbs and set it to 0. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	270	static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	271	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	272	if (limbs == 0) {
				273	mbedtls_mpi_free(X);
				274	return 0;
				275	} else if (X->n == limbs) {
				276	memset(X->p, 0, limbs * ciL);
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	277	X->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	278	return 0;
				279	} else {
				280	mbedtls_mpi_free(X);
				281	return mbedtls_mpi_grow(X, limbs);
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	282	}
				283	}
				284
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	285	/*
Gilles Peskine	3da1a8f	2021-06-08 23:17:42 +0200	[diff] [blame]	286	* Copy the contents of Y into X.
				287	*
				288	* This function is not constant-time. Leading zeros in Y may be removed.
				289	*
				290	* Ensure that X does not shrink. This is not guaranteed by the public API,
Janos Follath	c9faea0	2024-02-19 10:49:18 +0000	[diff] [blame]	291	* but some code in the bignum module might still rely on this property.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	292	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	293	int mbedtls_mpi_copy(mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	294	{
Gilles Peskine	4e4be7c	2018-03-21 16:29:03 +0100	[diff] [blame]	295	int ret = 0;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	296	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	297
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	298	if (X == Y) {
				299	return 0;
Manuel Pégourié-Gonnard	f499993	2013-08-12 17:02:59 +0200	[diff] [blame]	300	}
				301
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	302	if (Y->n == 0) {
				303	if (X->n != 0) {
				304	X->s = 1;
				305	memset(X->p, 0, X->n * ciL);
				306	}
				307	return 0;
				308	}
				309
				310	for (i = Y->n - 1; i > 0; i--) {
				311	if (Y->p[i] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	312	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	313	}
				314	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	315	i++;
				316
				317	X->s = Y->s;
				318
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	319	if (X->n < i) {
				320	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));
				321	} else {
				322	memset(X->p + i, 0, (X->n - i) * ciL);
Gilles Peskine	4e4be7c	2018-03-21 16:29:03 +0100	[diff] [blame]	323	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	324
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	325	memcpy(X->p, Y->p, i * ciL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	326
				327	cleanup:
				328
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	329	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	330	}
				331
				332	/*
				333	* Swap the contents of X and Y
				334	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	335	void mbedtls_mpi_swap(mbedtls_mpi X, mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	336	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	337	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	338
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	339	memcpy(&T, X, sizeof(mbedtls_mpi));
				340	memcpy(X, Y, sizeof(mbedtls_mpi));
				341	memcpy(Y, &T, sizeof(mbedtls_mpi));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	342	}
				343
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	344	static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	345	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	346	if (z >= 0) {
				347	return z;
				348	}
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	349	/* Take care to handle the most negative value (-2^(biL-1)) correctly.
				350	* A naive -z would have undefined behavior.
				351	* Write this in a way that makes popular compilers happy (GCC, Clang,
				352	* MSVC). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	353	return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	354	}
				355
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	356	/* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative.
				357	* This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */
Dave Rodgman	73d8591	2023-09-28 17:00:50 +0100	[diff] [blame]	358	#define TO_SIGN(x) ((mbedtls_mpi_sint) (((mbedtls_mpi_uint) x) >> (biL - 1)) * -2 + 1)
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	359
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	360	/*
				361	* Set value from integer
				362	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	363	int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	364	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	365	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	366
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	367	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
				368	memset(X->p, 0, X->n * ciL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	369
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	370	X->p[0] = mpi_sint_abs(z);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	371	X->s = TO_SIGN(z);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	372
				373	cleanup:
				374
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	375	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	376	}
				377
				378	/*
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	379	* Get a specific bit
				380	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	381	int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	382	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	383	if (X->n * biL <= pos) {
				384	return 0;
				385	}
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	386
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	387	return (X->p[pos / biL] >> (pos % biL)) & 0x01;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	388	}
				389
				390	/*
				391	* Set a bit to a specific value of 0 or 1
				392	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	393	int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	394	{
				395	int ret = 0;
				396	size_t off = pos / biL;
				397	size_t idx = pos % biL;
				398
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	399	if (val != 0 && val != 1) {
				400	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	401	}
				402
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	403	if (X->n * biL <= pos) {
				404	if (val == 0) {
				405	return 0;
				406	}
				407
				408	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));
				409	}
				410
				411	X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	412	X->p[off] \|= (mbedtls_mpi_uint) val << idx;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	413
				414	cleanup:
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	415
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	416	return ret;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	417	}
				418
				419	/*
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	420	* Return the number of less significant zero-bits
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	421	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	422	size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	423	{
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	424	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	425
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	426	#if defined(__has_builtin)
				427	#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz)
				428	#define mbedtls_mpi_uint_ctz __builtin_ctz
				429	#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_ctzl)
				430	#define mbedtls_mpi_uint_ctz __builtin_ctzl
				431	#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_ctzll)
				432	#define mbedtls_mpi_uint_ctz __builtin_ctzll
				433	#endif
				434	#endif
				435
				436	#if defined(mbedtls_mpi_uint_ctz)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	437	for (i = 0; i < X->n; i++) {
Dave Rodgman	960eca9	2023-08-09 20:43:18 +0100	[diff] [blame]	438	if (X->p[i] != 0) {
				439	return i * biL + mbedtls_mpi_uint_ctz(X->p[i]);
				440	}
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	441	}
				442	#else
				443	size_t count = 0;
				444	for (i = 0; i < X->n; i++) {
				445	for (size_t j = 0; j < biL; j++, count++) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	446	if (((X->p[i] >> j) & 1) != 0) {
				447	return count;
				448	}
				449	}
				450	}
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	451	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	452
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	453	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	454	}
				455
				456	/*
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	457	* Return the number of bits
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	458	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	459	size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	460	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	461	return mbedtls_mpi_core_bitlen(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	462	}
				463
				464	/*
				465	* Return the total size in bytes
				466	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	467	size_t mbedtls_mpi_size(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	468	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	469	return (mbedtls_mpi_bitlen(X) + 7) >> 3;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	470	}
				471
				472	/*
				473	* Convert an ASCII character to digit value
				474	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	475	static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	476	{
				477	*d = 255;
				478
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	479	if (c >= 0x30 && c <= 0x39) {
				480	*d = c - 0x30;
				481	}
				482	if (c >= 0x41 && c <= 0x46) {
				483	*d = c - 0x37;
				484	}
				485	if (c >= 0x61 && c <= 0x66) {
				486	*d = c - 0x57;
				487	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	488
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	489	if (*d >= (mbedtls_mpi_uint) radix) {
				490	return MBEDTLS_ERR_MPI_INVALID_CHARACTER;
				491	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	492
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	493	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	494	}
				495
				496	/*
				497	* Import from an ASCII string
				498	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	499	int mbedtls_mpi_read_string(mbedtls_mpi X, int radix, const char s)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	500	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	501	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	502	size_t i, j, slen, n;
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	503	int sign = 1;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	504	mbedtls_mpi_uint d;
				505	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	506
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	507	if (radix < 2 \|\| radix > 16) {
				508	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Gilles Peskine	7cba859	2021-06-08 18:32:34 +0200	[diff] [blame]	509	}
				510
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	511	mbedtls_mpi_init(&T);
				512
				513	if (s[0] == 0) {
				514	mbedtls_mpi_free(X);
				515	return 0;
				516	}
				517
				518	if (s[0] == '-') {
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	519	++s;
				520	sign = -1;
				521	}
				522
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	523	slen = strlen(s);
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	524
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	525	if (radix == 16) {
Dave Rodgman	68ef1d6	2023-05-18 20:49:03 +0100	[diff] [blame]	526	if (slen > SIZE_MAX >> 2) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	527	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	528	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	529
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	530	n = BITS_TO_LIMBS(slen << 2);
				531
				532	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));
				533	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
				534
				535	for (i = slen, j = 0; i > 0; i--, j++) {
				536	MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));
				537	X->p[j / (2 * ciL)] \|= d << ((j % (2 * ciL)) << 2);
				538	}
				539	} else {
				540	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
				541
				542	for (i = 0; i < slen; i++) {
				543	MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));
				544	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));
				545	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	546	}
				547	}
				548
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	549	if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	550	X->s = -1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	551	}
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	552
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	553	cleanup:
				554
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	555	mbedtls_mpi_free(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	556
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	557	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	558	}
				559
				560	/*
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	561	* Helper to write the digits high-order first.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	562	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	563	static int mpi_write_hlp(mbedtls_mpi *X, int radix,
				564	char **p, const size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	565	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	566	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	567	mbedtls_mpi_uint r;
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	568	size_t length = 0;
				569	char p_end = p + buflen;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	570
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	571	do {
				572	if (length >= buflen) {
				573	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	574	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	575
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	576	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
				577	MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	578	/*
				579	* Write the residue in the current position, as an ASCII character.
				580	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	581	if (r < 0xA) {
				582	*(--p_end) = (char) ('0' + r);
				583	} else {
				584	*(--p_end) = (char) ('A' + (r - 0xA));
				585	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	586
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	587	length++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	588	} while (mbedtls_mpi_cmp_int(X, 0) != 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	589
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	590	memmove(*p, p_end, length);
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	591	*p += length;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	592
				593	cleanup:
				594
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	595	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	596	}
				597
				598	/*
				599	* Export into an ASCII string
				600	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	601	int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
				602	char buf, size_t buflen, size_t olen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	603	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	604	int ret = 0;
				605	size_t n;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	606	char *p;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	607	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	608
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	609	if (radix < 2 \|\| radix > 16) {
				610	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				611	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	612
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	613	n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */
				614	if (radix >= 4) {
				615	n >>= 1; /* Number of 4-adic digits necessary to present
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	616	* `n`. If radix > 4, this might be a strict
				617	* overapproximation of the number of
				618	* radix-adic digits needed to present `n`. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	619	}
				620	if (radix >= 16) {
				621	n >>= 1; /* Number of hexadecimal digits necessary to
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	622	* present `n`. */
				623
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	624	}
Janos Follath	8047062	2019-03-06 13:43:02 +0000	[diff] [blame]	625	n += 1; /* Terminating null byte */
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	626	n += 1; /* Compensate for the divisions above, which round down `n`
				627	* in case it's not even. */
				628	n += 1; /* Potential '-'-sign. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	629	n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	630	* which always uses an even number of hex-digits. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	631
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	632	if (buflen < n) {
Manuel Pégourié-Gonnard	f79b425	2015-06-02 15:41:48 +0100	[diff] [blame]	633	*olen = n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	634	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	635	}
				636
Manuel Pégourié-Gonnard	f79b425	2015-06-02 15:41:48 +0100	[diff] [blame]	637	p = buf;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	638	mbedtls_mpi_init(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	639
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	640	if (X->s == -1) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	641	*p++ = '-';
Hanno Becker	c983c81	2019-02-01 16:41:30 +0000	[diff] [blame]	642	buflen--;
				643	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	644
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	645	if (radix == 16) {
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	646	int c;
				647	size_t i, j, k;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	648
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	649	for (i = X->n, k = 0; i > 0; i--) {
				650	for (j = ciL; j > 0; j--) {
				651	c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	652
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	653	if (c == 0 && k == 0 && (i + j) != 2) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	654	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	655	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	656
Paul Bakker	98fe5ea	2012-10-24 11:17:48 +0000	[diff] [blame]	657	*(p++) = "0123456789ABCDEF" [c / 16];
Paul Bakker	d2c167e	2012-10-30 07:49:19 +0000	[diff] [blame]	658	*(p++) = "0123456789ABCDEF" [c % 16];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	659	k = 1;
				660	}
				661	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	662	} else {
				663	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	664
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	665	if (T.s == -1) {
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	666	T.s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	667	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	668
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	669	MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	670	}
				671
				672	*p++ = '\0';
Dave Rodgman	e4a6f5a	2023-11-04 12:20:09 +0000	[diff] [blame]	673	*olen = (size_t) (p - buf);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	674
				675	cleanup:
				676
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	677	mbedtls_mpi_free(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	678
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	679	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	680	}
				681
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	682	#if defined(MBEDTLS_FS_IO)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	683	/*
				684	* Read X from an opened file
				685	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	686	int mbedtls_mpi_read_file(mbedtls_mpi X, int radix, FILE fin)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	687	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	688	mbedtls_mpi_uint d;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	689	size_t slen;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	690	char *p;
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	691	/*
Paul Bakker	cb37aa5	2011-11-30 16:00:20 +0000	[diff] [blame]	692	* Buffer should have space for (short) label and decimal formatted MPI,
				693	* newline characters and '\0'
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	694	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	695	char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	696
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	697	if (radix < 2 \|\| radix > 16) {
				698	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				699	}
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	700
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	701	memset(s, 0, sizeof(s));
				702	if (fgets(s, sizeof(s) - 1, fin) == NULL) {
				703	return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
				704	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	705
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	706	slen = strlen(s);
				707	if (slen == sizeof(s) - 2) {
				708	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
				709	}
Paul Bakker	cb37aa5	2011-11-30 16:00:20 +0000	[diff] [blame]	710
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	711	if (slen > 0 && s[slen - 1] == '\n') {
				712	slen--; s[slen] = '\0';
				713	}
				714	if (slen > 0 && s[slen - 1] == '\r') {
				715	slen--; s[slen] = '\0';
				716	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	717
				718	p = s + slen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	719	while (p-- > s) {
				720	if (mpi_get_digit(&d, radix, *p) != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	721	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	722	}
				723	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	724
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	725	return mbedtls_mpi_read_string(X, radix, p + 1);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	726	}
				727
				728	/*
				729	* Write X into an opened file (or stdout if fout == NULL)
				730	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	731	int mbedtls_mpi_write_file(const char p, const mbedtls_mpi X, int radix, FILE *fout)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	732	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	733	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	734	size_t n, slen, plen;
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	735	/*
Paul Bakker	5531c6d	2012-09-26 19:20:46 +0000	[diff] [blame]	736	* Buffer should have space for (short) label and decimal formatted MPI,
				737	* newline characters and '\0'
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	738	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	739	char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	740
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	741	if (radix < 2 \|\| radix > 16) {
				742	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				743	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	744
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	745	memset(s, 0, sizeof(s));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	746
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	747	MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	748
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	749	if (p == NULL) {
				750	p = "";
				751	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	752
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	753	plen = strlen(p);
				754	slen = strlen(s);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	755	s[slen++] = '\r';
				756	s[slen++] = '\n';
				757
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	758	if (fout != NULL) {
				759	if (fwrite(p, 1, plen, fout) != plen \|\|
				760	fwrite(s, 1, slen, fout) != slen) {
				761	return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
				762	}
				763	} else {
				764	mbedtls_printf("%s%s", p, s);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	765	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	766
				767	cleanup:
				768
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	769	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	770	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	771	#endif /* MBEDTLS_FS_IO */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	772
				773	/*
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	774	* Import X from unsigned binary data, little endian
Przemyslaw Stekiel	76960a7	2022-02-21 13:42:09 +0100	[diff] [blame]	775	*
				776	* This function is guaranteed to return an MPI with exactly the necessary
				777	* number of limbs (in particular, it does not skip 0s in the input).
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	778	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	779	int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
				780	const unsigned char *buf, size_t buflen)
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	781	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	782	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	783	const size_t limbs = CHARS_TO_LIMBS(buflen);
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	784
				785	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	786	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	787
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	788	MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen));
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	789
				790	cleanup:
				791
Janos Follath	171a7ef	2019-02-15 16:17:45 +0000	[diff] [blame]	792	/*
				793	* This function is also used to import keys. However, wiping the buffers
				794	* upon failure is not necessary because failure only can happen before any
				795	* input is copied.
				796	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	797	return ret;
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	798	}
				799
				800	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	801	* Import X from unsigned binary data, big endian
Przemyslaw Stekiel	76960a7	2022-02-21 13:42:09 +0100	[diff] [blame]	802	*
				803	* This function is guaranteed to return an MPI with exactly the necessary
				804	* number of limbs (in particular, it does not skip 0s in the input).
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	805	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	806	int mbedtls_mpi_read_binary(mbedtls_mpi X, const unsigned char buf, size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	807	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	808	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	809	const size_t limbs = CHARS_TO_LIMBS(buflen);
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	810
Hanno Becker	073c199	2017-10-17 15:17:27 +0100	[diff] [blame]	811	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	812	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	813
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	814	MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	815
				816	cleanup:
				817
Janos Follath	171a7ef	2019-02-15 16:17:45 +0000	[diff] [blame]	818	/*
				819	* This function is also used to import keys. However, wiping the buffers
				820	* upon failure is not necessary because failure only can happen before any
				821	* input is copied.
				822	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	823	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	824	}
				825
				826	/*
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	827	* Export X into unsigned binary data, little endian
				828	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	829	int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
				830	unsigned char *buf, size_t buflen)
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	831	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	832	return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen);
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	833	}
				834
				835	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	836	* Export X into unsigned binary data, big endian
				837	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	838	int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
				839	unsigned char *buf, size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	840	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	841	return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	842	}
				843
				844	/*
				845	* Left-shift: X <<= count
				846	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	847	int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	848	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	849	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Minos Galanakis	0144b35	2023-05-02 14:02:32 +0100	[diff] [blame]	850	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	851
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	852	i = mbedtls_mpi_bitlen(X) + count;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	853
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	854	if (X->n * biL < i) {
				855	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));
				856	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	857
				858	ret = 0;
				859
Minos Galanakis	0144b35	2023-05-02 14:02:32 +0100	[diff] [blame]	860	mbedtls_mpi_core_shift_l(X->p, X->n, count);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	861	cleanup:
				862
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	863	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	864	}
				865
				866	/*
				867	* Right-shift: X >>= count
				868	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	869	int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	870	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	871	if (X->n != 0) {
				872	mbedtls_mpi_core_shift_r(X->p, X->n, count);
				873	}
				874	return 0;
Gilles Peskine	6641420	2022-09-21 15:36:16 +0200	[diff] [blame]	875	}
				876
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	877	/*
				878	* Compare unsigned values
				879	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	880	int mbedtls_mpi_cmp_abs(const mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	881	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	882	size_t i, j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	883
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	884	for (i = X->n; i > 0; i--) {
				885	if (X->p[i - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	886	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	887	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	888	}
				889
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	890	for (j = Y->n; j > 0; j--) {
				891	if (Y->p[j - 1] != 0) {
				892	break;
				893	}
				894	}
				895
Dave Rodgman	ebcd785	2023-08-09 18:56:42 +0100	[diff] [blame]	896	/* If i == j == 0, i.e. abs(X) == abs(Y),
				897	* we end up returning 0 at the end of the function. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	898
				899	if (i > j) {
				900	return 1;
				901	}
				902	if (j > i) {
				903	return -1;
				904	}
				905
				906	for (; i > 0; i--) {
				907	if (X->p[i - 1] > Y->p[i - 1]) {
				908	return 1;
				909	}
				910	if (X->p[i - 1] < Y->p[i - 1]) {
				911	return -1;
				912	}
				913	}
				914
				915	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	916	}
				917
				918	/*
				919	* Compare signed values
				920	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	921	int mbedtls_mpi_cmp_mpi(const mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	922	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	923	size_t i, j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	924
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	925	for (i = X->n; i > 0; i--) {
				926	if (X->p[i - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	927	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	928	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	929	}
				930
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	931	for (j = Y->n; j > 0; j--) {
				932	if (Y->p[j - 1] != 0) {
				933	break;
				934	}
				935	}
				936
				937	if (i == 0 && j == 0) {
				938	return 0;
				939	}
				940
				941	if (i > j) {
				942	return X->s;
				943	}
				944	if (j > i) {
				945	return -Y->s;
				946	}
				947
				948	if (X->s > 0 && Y->s < 0) {
				949	return 1;
				950	}
				951	if (Y->s > 0 && X->s < 0) {
				952	return -1;
				953	}
				954
				955	for (; i > 0; i--) {
				956	if (X->p[i - 1] > Y->p[i - 1]) {
				957	return X->s;
				958	}
				959	if (X->p[i - 1] < Y->p[i - 1]) {
				960	return -X->s;
				961	}
				962	}
				963
				964	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	965	}
				966
Janos Follath	ee6abce	2019-09-05 14:47:19 +0100	[diff] [blame]	967	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	968	* Compare signed values
				969	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	970	int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	971	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	972	mbedtls_mpi Y;
				973	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	974
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	975	*p = mpi_sint_abs(z);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	976	Y.s = TO_SIGN(z);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	977	Y.n = 1;
				978	Y.p = p;
				979
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	980	return mbedtls_mpi_cmp_mpi(X, &Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	981	}
				982
				983	/*
				984	* Unsigned addition: X = \|A\| + \|B\| (HAC 14.7)
				985	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	986	int mbedtls_mpi_add_abs(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	987	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	988	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	989	size_t j;
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	990	mbedtls_mpi_uint *p;
				991	mbedtls_mpi_uint c;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	992
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	993	if (X == B) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	994	const mbedtls_mpi *T = A; A = X; B = T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	995	}
				996
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	997	if (X != A) {
				998	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
				999	}
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1000
Paul Bakker	f7ca7b9	2009-06-20 10:31:06 +0000	[diff] [blame]	1001	/*
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1002	* X must always be positive as a result of unsigned additions.
Paul Bakker	f7ca7b9	2009-06-20 10:31:06 +0000	[diff] [blame]	1003	*/
				1004	X->s = 1;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1005
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1006	for (j = B->n; j > 0; j--) {
				1007	if (B->p[j - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1008	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1009	}
				1010	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1011
Gilles Peskine	db14a9d	2022-11-15 22:59:00 +0100	[diff] [blame]	1012	/* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
				1013	* and B is 0 (of any size). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1014	if (j == 0) {
				1015	return 0;
				1016	}
Gilles Peskine	db14a9d	2022-11-15 22:59:00 +0100	[diff] [blame]	1017
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1018	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1019
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1020	/* j is the number of non-zero limbs of B. Add those to X. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1021
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1022	p = X->p;
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1023
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1024	c = mbedtls_mpi_core_add(p, p, B->p, j);
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1025
				1026	p += j;
				1027
				1028	/* Now propagate any carry */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1029
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1030	while (c != 0) {
				1031	if (j >= X->n) {
				1032	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1));
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1033	p = X->p + j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1034	}
				1035
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1036	p += c; c = (p < c); j++; p++;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1037	}
				1038
				1039	cleanup:
				1040
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1041	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1042	}
				1043
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1044	/*
Gilles Peskine	0e5faf6	2020-06-08 22:50:35 +0200	[diff] [blame]	1045	* Unsigned subtraction: X = \|A\| - \|B\| (HAC 14.9, 14.10)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1046	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1047	int mbedtls_mpi_sub_abs(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1048	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1049	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1050	size_t n;
Gilles Peskine	0e5faf6	2020-06-08 22:50:35 +0200	[diff] [blame]	1051	mbedtls_mpi_uint carry;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1052
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1053	for (n = B->n; n > 0; n--) {
				1054	if (B->p[n - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1055	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1056	}
				1057	}
				1058	if (n > A->n) {
Gilles Peskine	c8a9177	2021-01-27 22:30:43 +0100	[diff] [blame]	1059	/* B >= (2^ciL)^n > A */
				1060	ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1061	goto cleanup;
				1062	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1063
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1064	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1065
				1066	/* Set the high limbs of X to match A. Don't touch the lower limbs
				1067	* because X might be aliased to B, and we must not overwrite the
				1068	* significant digits of B. */
Aaron M. Ucko	af67d2c	2023-01-17 11:52:22 -0500	[diff] [blame]	1069	if (A->n > n && A != X) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1070	memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
				1071	}
				1072	if (X->n > A->n) {
				1073	memset(X->p + A->n, 0, (X->n - A->n) * ciL);
				1074	}
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1075
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1076	carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n);
				1077	if (carry != 0) {
Tom Cosgrove	452c99c	2022-08-25 10:07:07 +0100	[diff] [blame]	1078	/* Propagate the carry through the rest of X. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1079	carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n);
Tom Cosgrove	452c99c	2022-08-25 10:07:07 +0100	[diff] [blame]	1080
				1081	/* If we have further carry/borrow, the result is negative. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1082	if (carry != 0) {
Gilles Peskine	89b4130	2020-07-23 01:16:46 +0200	[diff] [blame]	1083	ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1084	goto cleanup;
				1085	}
Gilles Peskine	c097e9e	2020-06-08 21:58:22 +0200	[diff] [blame]	1086	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1087
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1088	/* X should always be positive as a result of unsigned subtractions. */
				1089	X->s = 1;
				1090
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1091	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1092	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1093	}
				1094
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1095	/* Common function for signed addition and subtraction.
				1096	* Calculate A + B * flip_B where flip_B is 1 or -1.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1097	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1098	static int add_sub_mpi(mbedtls_mpi *X,
				1099	const mbedtls_mpi A, const mbedtls_mpi B,
				1100	int flip_B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1101	{
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	1102	int ret, s;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1103
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	1104	s = A->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1105	if (A->s * B->s * flip_B < 0) {
				1106	int cmp = mbedtls_mpi_cmp_abs(A, B);
				1107	if (cmp >= 0) {
				1108	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
Gilles Peskine	4a768dd	2022-11-09 22:02:16 +0100	[diff] [blame]	1109	/* If \|A\| = \|B\|, the result is 0 and we must set the sign bit
				1110	* to +1 regardless of which of A or B was negative. Otherwise,
				1111	* since \|A\| > \|B\|, the sign is the sign of A. */
				1112	X->s = cmp == 0 ? 1 : s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1113	} else {
				1114	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));
Gilles Peskine	4a768dd	2022-11-09 22:02:16 +0100	[diff] [blame]	1115	/* Since \|A\| < \|B\|, the sign is the opposite of A. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1116	X->s = -s;
				1117	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1118	} else {
				1119	MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1120	X->s = s;
				1121	}
				1122
				1123	cleanup:
				1124
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1125	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1126	}
				1127
				1128	/*
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1129	* Signed addition: X = A + B
				1130	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1131	int mbedtls_mpi_add_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1132	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1133	return add_sub_mpi(X, A, B, 1);
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1134	}
				1135
				1136	/*
Paul Bakker	60b1d10	2013-10-29 10:02:51 +0100	[diff] [blame]	1137	* Signed subtraction: X = A - B
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1138	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1139	int mbedtls_mpi_sub_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1140	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1141	return add_sub_mpi(X, A, B, -1);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1142	}
				1143
				1144	/*
				1145	* Signed addition: X = A + b
				1146	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1147	int mbedtls_mpi_add_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1148	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1149	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1150	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1151
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1152	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1153	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1154	B.n = 1;
				1155	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1156
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1157	return mbedtls_mpi_add_mpi(X, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1158	}
				1159
				1160	/*
Paul Bakker	60b1d10	2013-10-29 10:02:51 +0100	[diff] [blame]	1161	* Signed subtraction: X = A - b
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1162	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1163	int mbedtls_mpi_sub_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1164	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1165	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1166	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1167
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1168	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1169	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1170	B.n = 1;
				1171	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1172
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1173	return mbedtls_mpi_sub_mpi(X, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1174	}
				1175
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1176	/*
				1177	* Baseline multiplication: X = A * B (HAC 14.12)
				1178	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1179	int mbedtls_mpi_mul_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1180	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1181	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	1772e05	2022-04-13 06:51:40 +0100	[diff] [blame]	1182	size_t i, j;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1183	mbedtls_mpi TA, TB;
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1184	int result_is_zero = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1185
Tom Cosgrove	6af26f3	2022-08-24 16:40:55 +0100	[diff] [blame]	1186	mbedtls_mpi_init(&TA);
				1187	mbedtls_mpi_init(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1188
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1189	if (X == A) {
				1190	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;
				1191	}
				1192	if (X == B) {
				1193	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;
				1194	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1195
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1196	for (i = A->n; i > 0; i--) {
				1197	if (A->p[i - 1] != 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1198	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1199	}
				1200	}
				1201	if (i == 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1202	result_is_zero = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1203	}
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1204
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1205	for (j = B->n; j > 0; j--) {
				1206	if (B->p[j - 1] != 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1207	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1208	}
				1209	}
				1210	if (j == 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1211	result_is_zero = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1212	}
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1213
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1214	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));
				1215	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1216
Tom Cosgrove	6af26f3	2022-08-24 16:40:55 +0100	[diff] [blame]	1217	mbedtls_mpi_core_mul(X->p, A->p, i, B->p, j);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1218
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1219	/* If the result is 0, we don't shortcut the operation, which reduces
				1220	* but does not eliminate side channels leaking the zero-ness. We do
				1221	* need to take care to set the sign bit properly since the library does
				1222	* not fully support an MPI object with a value of 0 and s == -1. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1223	if (result_is_zero) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1224	X->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1225	} else {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1226	X->s = A->s * B->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1227	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1228
				1229	cleanup:
				1230
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1231	mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1232
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1233	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1234	}
				1235
				1236	/*
				1237	* Baseline multiplication: X = A * b
				1238	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1239	int mbedtls_mpi_mul_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_uint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1240	{
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1241	size_t n = A->n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1242	while (n > 0 && A->p[n - 1] == 0) {
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1243	--n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1244	}
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1245
Hanno Becker	74a11a3	2022-04-06 06:27:00 +0100	[diff] [blame]	1246	/* The general method below doesn't work if b==0. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1247	if (b == 0 \|\| n == 0) {
				1248	return mbedtls_mpi_lset(X, 0);
				1249	}
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1250
Hanno Becker	aef9cc4	2022-04-11 06:36:29 +0100	[diff] [blame]	1251	/* Calculate Ab as A + A(b-1) to take advantage of mbedtls_mpi_core_mla */
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1252	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	cd0dbf3	2020-07-24 00:09:04 +0200	[diff] [blame]	1253	/* In general, A * b requires 1 limb more than b. If
				1254	* A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
				1255	* number of limbs as A and the call to grow() is not required since
Gilles Peskine	e1bba7c	2021-03-10 23:44:10 +0100	[diff] [blame]	1256	* copy() will take care of the growth if needed. However, experimentally,
				1257	* making the call to grow() unconditional causes slightly fewer
Gilles Peskine	cd0dbf3	2020-07-24 00:09:04 +0200	[diff] [blame]	1258	* calls to calloc() in ECP code, presumably because it reuses the
				1259	* same mpi for a while and this way the mpi is more likely to directly
Hanno Becker	9137b9c	2022-04-12 10:51:54 +0100	[diff] [blame]	1260	* grow to its final size.
				1261	*
				1262	* Note that calculating Ab as 0 + Ab doesn't work as-is because
				1263	* A,X can be the same. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1264	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));
				1265	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
				1266	mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1);
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1267
				1268	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1269	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1270	}
				1271
				1272	/*
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1273	* Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
				1274	* mbedtls_mpi_uint divisor, d
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1275	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1276	static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
				1277	mbedtls_mpi_uint u0,
				1278	mbedtls_mpi_uint d,
				1279	mbedtls_mpi_uint *r)
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1280	{
Manuel Pégourié-Gonnard	1630888	2015-12-01 10:27:00 +0100	[diff] [blame]	1281	#if defined(MBEDTLS_HAVE_UDBL)
				1282	mbedtls_t_udbl dividend, quotient;
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1283	#else
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1284	const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1285	const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1286	mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
				1287	mbedtls_mpi_uint u0_msw, u0_lsw;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1288	size_t s;
Manuel Pégourié-Gonnard	1630888	2015-12-01 10:27:00 +0100	[diff] [blame]	1289	#endif
				1290
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1291	/*
				1292	* Check for overflow
				1293	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1294	if (0 == d \|\| u1 >= d) {
				1295	if (r != NULL) {
				1296	*r = ~(mbedtls_mpi_uint) 0u;
				1297	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1298
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1299	return ~(mbedtls_mpi_uint) 0u;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1300	}
				1301
				1302	#if defined(MBEDTLS_HAVE_UDBL)
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1303	dividend = (mbedtls_t_udbl) u1 << biL;
				1304	dividend \|= (mbedtls_t_udbl) u0;
				1305	quotient = dividend / d;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1306	if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {
				1307	quotient = ((mbedtls_t_udbl) 1 << biL) - 1;
				1308	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1309
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1310	if (r != NULL) {
				1311	r = (mbedtls_mpi_uint) (dividend - (quotient d));
				1312	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1313
				1314	return (mbedtls_mpi_uint) quotient;
				1315	#else
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1316
				1317	/*
				1318	* Algorithm D, Section 4.3.1 - The Art of Computer Programming
				1319	* Vol. 2 - Seminumerical Algorithms, Knuth
				1320	*/
				1321
				1322	/*
				1323	* Normalize the divisor, d, and dividend, u0, u1
				1324	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1325	s = mbedtls_mpi_core_clz(d);
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1326	d = d << s;
				1327
				1328	u1 = u1 << s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1329	u1 \|= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1330	u0 = u0 << s;
				1331
				1332	d1 = d >> biH;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1333	d0 = d & uint_halfword_mask;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1334
				1335	u0_msw = u0 >> biH;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1336	u0_lsw = u0 & uint_halfword_mask;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1337
				1338	/*
				1339	* Find the first quotient and remainder
				1340	*/
				1341	q1 = u1 / d1;
				1342	r0 = u1 - d1 * q1;
				1343
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1344	while (q1 >= radix \|\| (q1 * d0 > radix * r0 + u0_msw)) {
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1345	q1 -= 1;
				1346	r0 += d1;
				1347
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1348	if (r0 >= radix) {
				1349	break;
				1350	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1351	}
				1352
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1353	rAX = (u1 * radix) + (u0_msw - q1 * d);
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1354	q0 = rAX / d1;
				1355	r0 = rAX - q0 * d1;
				1356
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1357	while (q0 >= radix \|\| (q0 * d0 > radix * r0 + u0_lsw)) {
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1358	q0 -= 1;
				1359	r0 += d1;
				1360
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1361	if (r0 >= radix) {
				1362	break;
				1363	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1364	}
				1365
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1366	if (r != NULL) {
				1367	r = (rAX radix + u0_lsw - q0 * d) >> s;
				1368	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1369
				1370	quotient = q1 * radix + q0;
				1371
				1372	return quotient;
				1373	#endif
				1374	}
				1375
				1376	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1377	* Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1378	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1379	int mbedtls_mpi_div_mpi(mbedtls_mpi Q, mbedtls_mpi R, const mbedtls_mpi *A,
				1380	const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1381	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1382	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1383	size_t i, n, t, k;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1384	mbedtls_mpi X, Y, Z, T1, T2;
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1385	mbedtls_mpi_uint TP2[3];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1386
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1387	if (mbedtls_mpi_cmp_int(B, 0) == 0) {
				1388	return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
				1389	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1390
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1391	mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
				1392	mbedtls_mpi_init(&T1);
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1393	/*
				1394	* Avoid dynamic memory allocations for constant-size T2.
				1395	*
				1396	* T2 is used for comparison only and the 3 limbs are assigned explicitly,
				1397	* so nobody increase the size of the MPI and we're safe to use an on-stack
				1398	* buffer.
				1399	*/
Alexander K	35d6d46	2019-10-31 14:46:45 +0300	[diff] [blame]	1400	T2.s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1401	T2.n = sizeof(TP2) / sizeof(*TP2);
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1402	T2.p = TP2;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1403
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1404	if (mbedtls_mpi_cmp_abs(A, B) < 0) {
				1405	if (Q != NULL) {
				1406	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
				1407	}
				1408	if (R != NULL) {
				1409	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));
				1410	}
				1411	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1412	}
				1413
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1414	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));
				1415	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1416	X.s = Y.s = 1;
				1417
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1418	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
				1419	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));
				1420	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1421
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1422	k = mbedtls_mpi_bitlen(&Y) % biL;
				1423	if (k < biL - 1) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1424	k = biL - 1 - k;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1425	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));
				1426	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));
				1427	} else {
				1428	k = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1429	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1430
				1431	n = X.n - 1;
				1432	t = Y.n - 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1433	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1434
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1435	while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1436	Z.p[n - t]++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1437	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1438	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1439	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1440
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1441	for (i = n; i > t; i--) {
				1442	if (X.p[i] >= Y.p[t]) {
				1443	Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;
				1444	} else {
				1445	Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],
				1446	Y.p[t], NULL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1447	}
				1448
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1449	T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
				1450	T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
Alexander K	35d6d46	2019-10-31 14:46:45 +0300	[diff] [blame]	1451	T2.p[2] = X.p[i];
				1452
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1453	Z.p[i - t - 1]++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1454	do {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1455	Z.p[i - t - 1]--;
				1456
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1457	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));
				1458	T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1459	T1.p[1] = Y.p[t];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1460	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
				1461	} while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1462
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1463	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
				1464	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
				1465	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1466
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1467	if (mbedtls_mpi_cmp_int(&X, 0) < 0) {
				1468	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));
				1469	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
				1470	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1471	Z.p[i - t - 1]--;
				1472	}
				1473	}
				1474
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1475	if (Q != NULL) {
				1476	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1477	Q->s = A->s * B->s;
				1478	}
				1479
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1480	if (R != NULL) {
				1481	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));
Paul Bakker	f02c564	2012-11-13 10:25:21 +0000	[diff] [blame]	1482	X.s = A->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1483	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1484
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1485	if (mbedtls_mpi_cmp_int(R, 0) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1486	R->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1487	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1488	}
				1489
				1490	cleanup:
				1491
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1492	mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
				1493	mbedtls_mpi_free(&T1);
				1494	mbedtls_platform_zeroize(TP2, sizeof(TP2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1495
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1496	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1497	}
				1498
				1499	/*
				1500	* Division by int: A = Q * b + R
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1501	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1502	int mbedtls_mpi_div_int(mbedtls_mpi Q, mbedtls_mpi R,
				1503	const mbedtls_mpi *A,
				1504	mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1505	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1506	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1507	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1508
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1509	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1510	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1511	B.n = 1;
				1512	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1513
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1514	return mbedtls_mpi_div_mpi(Q, R, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1515	}
				1516
				1517	/*
				1518	* Modulo: R = A mod B
				1519	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1520	int mbedtls_mpi_mod_mpi(mbedtls_mpi R, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1521	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1522	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1523
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1524	if (mbedtls_mpi_cmp_int(B, 0) < 0) {
				1525	return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1526	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1527
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1528	MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1529
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1530	while (mbedtls_mpi_cmp_int(R, 0) < 0) {
				1531	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));
				1532	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1533
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1534	while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {
				1535	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));
				1536	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1537
				1538	cleanup:
				1539
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1540	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1541	}
				1542
				1543	/*
				1544	* Modulo: r = A mod b
				1545	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1546	int mbedtls_mpi_mod_int(mbedtls_mpi_uint r, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1547	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1548	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1549	mbedtls_mpi_uint x, y, z;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1550
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1551	if (b == 0) {
				1552	return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
				1553	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1554
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1555	if (b < 0) {
				1556	return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1557	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1558
				1559	/*
				1560	* handle trivial cases
				1561	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1562	if (b == 1 \|\| A->n == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1563	*r = 0;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1564	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1565	}
				1566
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1567	if (b == 2) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1568	*r = A->p[0] & 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1569	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1570	}
				1571
				1572	/*
				1573	* general case
				1574	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1575	for (i = A->n, y = 0; i > 0; i--) {
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1576	x = A->p[i - 1];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1577	y = (y << biH) \| (x >> biH);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1578	z = y / b;
				1579	y -= z * b;
				1580
				1581	x <<= biH;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1582	y = (y << biH) \| (x >> biH);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1583	z = y / b;
				1584	y -= z * b;
				1585	}
				1586
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1587	/*
				1588	* If A is negative, then the current y represents a negative value.
				1589	* Flipping it to the positive side.
				1590	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1591	if (A->s < 0 && y != 0) {
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1592	y = b - y;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1593	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1594
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1595	*r = y;
				1596
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1597	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1598	}
				1599
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1600	int mbedtls_mpi_exp_mod(mbedtls_mpi X, const mbedtls_mpi A,
				1601	const mbedtls_mpi E, const mbedtls_mpi N,
				1602	mbedtls_mpi *prec_RR)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1603	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1604	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1605
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1606	if (mbedtls_mpi_cmp_int(N, 0) <= 0 \|\| (N->p[0] & 1) == 0) {
				1607	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1608	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1609
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1610	if (mbedtls_mpi_cmp_int(E, 0) < 0) {
				1611	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1612	}
Paul Bakker	f6198c1	2012-05-16 08:02:29 +0000	[diff] [blame]	1613
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1614	if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS \|\|
				1615	mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {
				1616	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1617	}
Chris Jones	9246d04	2020-11-25 15:12:39 +0000	[diff] [blame]	1618
Janos Follath	583f047	2024-02-19 11:16:44 +0000	[diff] [blame]	1619	/*
				1620	* Ensure that the exponent that we are passing to the core is not NULL.
				1621	*/
				1622	if (E->n == 0) {
				1623	ret = mbedtls_mpi_lset(X, 1);
				1624	return ret;
				1625	}
				1626
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame^]	1627	/*
				1628	* Allocate working memory for mbedtls_mpi_core_exp_mod()
				1629	*/
				1630	size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n);
				1631	mbedtls_mpi_uint T = (mbedtls_mpi_uint) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint));
				1632	if (T == NULL) {
				1633	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				1634	}
				1635
Janos Follath	701ae1d	2024-02-19 10:56:54 +0000	[diff] [blame]	1636	mbedtls_mpi RR;
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1637	mbedtls_mpi_init(&RR);
Paul Bakker	5054692	2012-05-19 08:40:49 +0000	[diff] [blame]	1638
				1639	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1640	* If 1st call, pre-compute R^2 mod N
				1641	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1642	if (prec_RR == NULL \|\| prec_RR->p == NULL) {
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1643	MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1644
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1645	if (prec_RR != NULL) {
Janos Follath	576087d	2024-02-19 11:05:01 +0000	[diff] [blame]	1646	*prec_RR = RR;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1647	}
				1648	} else {
Janos Follath	0512d17	2024-02-20 14:30:46 +0000	[diff] [blame]	1649	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(prec_RR, N->n));
Janos Follath	576087d	2024-02-19 11:05:01 +0000	[diff] [blame]	1650	RR = *prec_RR;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1651	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1652
				1653	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1654	* To preserve constness we need to make a copy of A. Using X for this to
				1655	* save memory.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1656	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1657	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1658
				1659	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1660	* Compensate for negative A (and correct at the end).
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1661	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1662	X->s = 1;
Paul Bakker	f6198c1	2012-05-16 08:02:29 +0000	[diff] [blame]	1663
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1664	/*
Janos Follath	467a549	2024-02-19 11:27:38 +0000	[diff] [blame]	1665	* Make sure that X is in a form that is safe for consumption by
				1666	* the core functions.
				1667	*
				1668	* - The core functions will not touch the limbs of X above N->n. The
				1669	* result will be correct if those limbs are 0, which the mod call
				1670	* ensures.
				1671	* - Also, X must have at least as many limbs as N for the calls to the
				1672	* core functions.
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1673	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1674	if (mbedtls_mpi_cmp_mpi(X, N) >= 0) {
				1675	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
				1676	}
				1677	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n));
				1678
				1679	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1680	* Convert to and from Montgomery around mbedtls_mpi_core_exp_mod().
				1681	*/
				1682	mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame^]	1683	mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);
Janos Follath	583f047	2024-02-19 11:16:44 +0000	[diff] [blame]	1684	mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p,
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame^]	1685	T);
				1686	mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1687
				1688	/*
				1689	* Correct for negative A.
				1690	*/
Janos Follath	583f047	2024-02-19 11:16:44 +0000	[diff] [blame]	1691	if (A->s == -1 && (E->p[0] & 1) != 0) {
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1692	X->s = -1;
				1693	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X));
				1694	}
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1695
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1696	cleanup:
				1697
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame^]	1698	mbedtls_mpi_zeroize_and_free(T, T_limbs);
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	1699
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1700	if (prec_RR == NULL \|\| prec_RR->p == NULL) {
				1701	mbedtls_mpi_free(&RR);
				1702	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1703
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1704	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1705	}
				1706
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1707	/*
				1708	* Greatest common divisor: G = gcd(A, B) (HAC 14.54)
				1709	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1710	int mbedtls_mpi_gcd(mbedtls_mpi G, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1711	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1712	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1713	size_t lz, lzt;
Alexander K	e8ad49f	2019-08-16 16:16:07 +0300	[diff] [blame]	1714	mbedtls_mpi TA, TB;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1715
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1716	mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1717
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1718	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
				1719	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1720
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1721	lz = mbedtls_mpi_lsb(&TA);
				1722	lzt = mbedtls_mpi_lsb(&TB);
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	1723
Gilles Peskine	27253bc	2021-06-09 13:26:43 +0200	[diff] [blame]	1724	/* The loop below gives the correct result when A==0 but not when B==0.
				1725	* So have a special case for B==0. Leverage the fact that we just
				1726	* calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
				1727	* slightly more efficient than cmp_int(). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1728	if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) {
				1729	ret = mbedtls_mpi_copy(G, A);
Gilles Peskine	27253bc	2021-06-09 13:26:43 +0200	[diff] [blame]	1730	goto cleanup;
				1731	}
				1732
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1733	if (lzt < lz) {
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	1734	lz = lzt;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1735	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	1736
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1737	TA.s = TB.s = 1;
				1738
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1739	/* We mostly follow the procedure described in HAC 14.54, but with some
				1740	* minor differences:
				1741	* - Sequences of multiplications or divisions by 2 are grouped into a
				1742	* single shift operation.
Gilles Peskine	b09c7ee	2021-06-21 18:58:39 +0200	[diff] [blame]	1743	* - The procedure in HAC assumes that 0 < TB <= TA.
				1744	* - The condition TB <= TA is not actually necessary for correctness.
				1745	* TA and TB have symmetric roles except for the loop termination
				1746	* condition, and the shifts at the beginning of the loop body
				1747	* remove any significance from the ordering of TA vs TB before
				1748	* the shifts.
				1749	* - If TA = 0, the loop goes through 0 iterations and the result is
				1750	* correctly TB.
				1751	* - The case TB = 0 was short-circuited above.
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1752	*
				1753	* For the correctness proof below, decompose the original values of
				1754	* A and B as
				1755	* A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
				1756	* B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
				1757	* Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
				1758	* and gcd(A',B') is odd or 0.
				1759	*
				1760	* At the beginning, we have TA = \|A\| and TB = \|B\| so gcd(A,B) = gcd(TA,TB).
				1761	* The code maintains the following invariant:
				1762	* gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
Gilles Peskine	4df3f1f	2021-06-15 22:09:39 +0200	[diff] [blame]	1763	*/
				1764
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1765	/* Proof that the loop terminates:
				1766	* At each iteration, either the right-shift by 1 is made on a nonzero
				1767	* value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
				1768	* by at least 1, or the right-shift by 1 is made on zero and then
				1769	* TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
				1770	* since in that case TB is calculated from TB-TA with the condition TB>TA).
				1771	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1772	while (mbedtls_mpi_cmp_int(&TA, 0) != 0) {
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1773	/* Divisions by 2 preserve the invariant (I). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1774	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA)));
				1775	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1776
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1777	/* Set either TA or TB to \|TA-TB\|/2. Since TA and TB are both odd,
				1778	* TA-TB is even so the division by 2 has an integer result.
				1779	* Invariant (I) is preserved since any odd divisor of both TA and TB
				1780	* also divides \|TA-TB\|/2, and any odd divisor of both TA and \|TA-TB\|/2
Shaun Case	8b0ecbc	2021-12-20 21:14:10 -0800	[diff] [blame]	1781	* also divides TB, and any odd divisor of both TB and \|TA-TB\|/2 also
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1782	* divides TA.
				1783	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1784	if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) {
				1785	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB));
				1786	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1));
				1787	} else {
				1788	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA));
				1789	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1790	}
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1791	/* Note that one of TA or TB is still odd. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1792	}
				1793
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1794	/* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
				1795	* At the loop exit, TA = 0, so gcd(TA,TB) = TB.
				1796	* - If there was at least one loop iteration, then one of TA or TB is odd,
				1797	* and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
				1798	* lz = min(a,b) so gcd(A,B) = 2^lz * TB.
				1799	* - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
Gilles Peskine	4d3fd36	2021-06-21 11:40:38 +0200	[diff] [blame]	1800	* In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1801	*/
				1802
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1803	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz));
				1804	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1805
				1806	cleanup:
				1807
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1808	mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1809
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1810	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1811	}
				1812
Paul Bakker	33dc46b	2014-04-30 16:11:39 +0200	[diff] [blame]	1813	/*
				1814	* Fill X with size bytes of random.
Gilles Peskine	22cdd0c	2022-10-27 20:15:13 +0200	[diff] [blame]	1815	* The bytes returned from the RNG are used in a specific order which
				1816	* is suitable for deterministic ECDSA (see the specification of
				1817	* mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()).
Paul Bakker	33dc46b	2014-04-30 16:11:39 +0200	[diff] [blame]	1818	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1819	int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
				1820	int (f_rng)(void , unsigned char *, size_t),
				1821	void *p_rng)
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1822	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1823	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1824	const size_t limbs = CHARS_TO_LIMBS(size);
Hanno Becker	da1655a	2017-10-18 14:21:44 +0100	[diff] [blame]	1825
Hanno Becker	da1655a	2017-10-18 14:21:44 +0100	[diff] [blame]	1826	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1827	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
				1828	if (size == 0) {
				1829	return 0;
				1830	}
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1831
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1832	ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng);
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1833
				1834	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1835	return ret;
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1836	}
				1837
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1838	int mbedtls_mpi_random(mbedtls_mpi *X,
				1839	mbedtls_mpi_sint min,
				1840	const mbedtls_mpi *N,
				1841	int (f_rng)(void , unsigned char *, size_t),
				1842	void *p_rng)
Gilles Peskine	02ac93a	2021-03-29 22:02:55 +0200	[diff] [blame]	1843	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1844	if (min < 0) {
				1845	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1846	}
				1847	if (mbedtls_mpi_cmp_int(N, min) <= 0) {
				1848	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1849	}
Gilles Peskine	1e918f4	2021-03-29 22:14:51 +0200	[diff] [blame]	1850
Gilles Peskine	1a7df4e	2021-04-01 15:57:18 +0200	[diff] [blame]	1851	/* Ensure that target MPI has exactly the same number of limbs
				1852	* as the upper bound, even if the upper bound has leading zeros.
Gilles Peskine	6b7ce96	2022-12-15 15:04:33 +0100	[diff] [blame]	1853	* This is necessary for mbedtls_mpi_core_random. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1854	int ret = mbedtls_mpi_resize_clear(X, N->n);
				1855	if (ret != 0) {
				1856	return ret;
				1857	}
Gilles Peskine	1a7df4e	2021-04-01 15:57:18 +0200	[diff] [blame]	1858
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1859	return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng);
Gilles Peskine	02ac93a	2021-03-29 22:02:55 +0200	[diff] [blame]	1860	}
				1861
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1862	/*
				1863	* Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
				1864	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1865	int mbedtls_mpi_inv_mod(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *N)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1866	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1867	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1868	mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1869
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1870	if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
				1871	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1872	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1873
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1874	mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);
				1875	mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);
				1876	mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1877
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1878	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1879
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1880	if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1881	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1882	goto cleanup;
				1883	}
				1884
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1885	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));
				1886	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));
				1887	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));
				1888	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1889
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1890	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));
				1891	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));
				1892	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));
				1893	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1894
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1895	do {
				1896	while ((TU.p[0] & 1) == 0) {
				1897	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1898
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1899	if ((U1.p[0] & 1) != 0 \|\| (U2.p[0] & 1) != 0) {
				1900	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));
				1901	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1902	}
				1903
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1904	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));
				1905	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1906	}
				1907
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1908	while ((TV.p[0] & 1) == 0) {
				1909	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1910
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1911	if ((V1.p[0] & 1) != 0 \|\| (V2.p[0] & 1) != 0) {
				1912	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));
				1913	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1914	}
				1915
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1916	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));
				1917	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1918	}
				1919
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1920	if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {
				1921	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));
				1922	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));
				1923	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));
				1924	} else {
				1925	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));
				1926	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));
				1927	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1928	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1929	} while (mbedtls_mpi_cmp_int(&TU, 0) != 0);
				1930
				1931	while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {
				1932	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1933	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1934
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1935	while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {
				1936	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));
				1937	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1938
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1939	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1940
				1941	cleanup:
				1942
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1943	mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);
				1944	mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);
				1945	mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1946
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1947	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1948	}
				1949
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1950	#if defined(MBEDTLS_GENPRIME)
Paul Bakker	d9374b0	2012-11-02 11:02:58 +0000	[diff] [blame]	1951
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	1952	/* Gaps between primes, starting at 3. https://oeis.org/A001223 */
				1953	static const unsigned char small_prime_gaps[] = {
				1954	2, 2, 4, 2, 4, 2, 4, 6,
				1955	2, 6, 4, 2, 4, 6, 6, 2,
				1956	6, 4, 2, 6, 4, 6, 8, 4,
				1957	2, 4, 2, 4, 14, 4, 6, 2,
				1958	10, 2, 6, 6, 4, 6, 6, 2,
				1959	10, 2, 4, 2, 12, 12, 4, 2,
				1960	4, 6, 2, 10, 6, 6, 6, 2,
				1961	6, 4, 2, 10, 14, 4, 2, 4,
				1962	14, 6, 10, 2, 4, 6, 8, 6,
				1963	6, 4, 6, 8, 4, 8, 10, 2,
				1964	10, 2, 6, 4, 6, 8, 4, 2,
				1965	4, 12, 8, 4, 8, 4, 6, 12,
				1966	2, 18, 6, 10, 6, 6, 2, 6,
				1967	10, 6, 6, 2, 6, 6, 4, 2,
				1968	12, 10, 2, 4, 6, 6, 2, 12,
				1969	4, 6, 8, 10, 8, 10, 8, 6,
				1970	6, 4, 8, 6, 4, 8, 4, 14,
				1971	10, 12, 2, 10, 2, 4, 2, 10,
				1972	14, 4, 2, 4, 14, 4, 2, 4,
				1973	20, 4, 8, 10, 8, 4, 6, 6,
				1974	14, 4, 6, 6, 8, 6, /reaches 997/
Gilles Peskine	30b0378	2023-08-22 11:06:47 +0200	[diff] [blame]	1975	0 /* the last entry is effectively unused */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1976	};
				1977
				1978	/*
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	1979	* Small divisors test (X must be positive)
				1980	*
				1981	* Return values:
				1982	* 0: no small factor (possible prime, more tests needed)
				1983	* 1: certain prime
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1984	* MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	1985	* other negative: error
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1986	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1987	static int mpi_check_small_factors(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1988	{
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	1989	int ret = 0;
				1990	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1991	mbedtls_mpi_uint r;
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	1992	unsigned p = 3; /* The first odd prime */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1993
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1994	if ((X->p[0] & 1) == 0) {
				1995	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				1996	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1997
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	1998	for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) {
				1999	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p));
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2000	if (r == 0) {
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2001	if (mbedtls_mpi_cmp_int(X, p) == 0) {
				2002	return 1;
				2003	} else {
				2004	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2005	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2006	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2007	}
				2008
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2009	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2010	return ret;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2011	}
				2012
				2013	/*
				2014	* Miller-Rabin pseudo-primality test (HAC 4.24)
				2015	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2016	static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
				2017	int (f_rng)(void , unsigned char *, size_t),
				2018	void *p_rng)
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2019	{
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2020	int ret, count;
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2021	size_t i, j, k, s;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2022	mbedtls_mpi W, R, T, A, RR;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2023
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2024	mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
				2025	mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
				2026	mbedtls_mpi_init(&RR);
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2027
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2028	/*
				2029	* W = \|X\| - 1
				2030	* R = W >> lsb( W )
				2031	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2032	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));
				2033	s = mbedtls_mpi_lsb(&W);
				2034	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
				2035	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2036
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2037	for (i = 0; i < rounds; i++) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2038	/*
				2039	* pick a random A, 1 < A < \|X\| - 1
				2040	*/
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2041	count = 0;
				2042	do {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2043	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2044
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2045	j = mbedtls_mpi_bitlen(&A);
				2046	k = mbedtls_mpi_bitlen(&W);
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2047	if (j > k) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2048	A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2049	}
				2050
				2051	if (count++ > 30) {
Jens Wiklander	f08aa3e	2019-01-17 13:30:57 +0100	[diff] [blame]	2052	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2053	goto cleanup;
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2054	}
				2055
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2056	} while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 \|\|
				2057	mbedtls_mpi_cmp_int(&A, 1) <= 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2058
				2059	/*
				2060	* A = A^R mod \|X\|
				2061	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2062	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2063
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2064	if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 \|\|
				2065	mbedtls_mpi_cmp_int(&A, 1) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2066	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2067	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2068
				2069	j = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2070	while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2071	/*
				2072	* A = A * A mod \|X\|
				2073	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2074	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));
				2075	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2076
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2077	if (mbedtls_mpi_cmp_int(&A, 1) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2078	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2079	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2080
				2081	j++;
				2082	}
				2083
				2084	/*
				2085	* not prime if A != \|X\| - 1 or A == 1
				2086	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2087	if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 \|\|
				2088	mbedtls_mpi_cmp_int(&A, 1) == 0) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2089	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2090	break;
				2091	}
				2092	}
				2093
				2094	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2095	mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);
				2096	mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);
				2097	mbedtls_mpi_free(&RR);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2098
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2099	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2100	}
				2101
				2102	/*
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2103	* Pseudo-primality test: small factors, then Miller-Rabin
				2104	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2105	int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
				2106	int (f_rng)(void , unsigned char *, size_t),
				2107	void *p_rng)
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2108	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	2109	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2110	mbedtls_mpi XX;
Manuel Pégourié-Gonnard	7f4ed67	2014-10-14 20:56:02 +0200	[diff] [blame]	2111
				2112	XX.s = 1;
				2113	XX.n = X->n;
				2114	XX.p = X->p;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2115
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2116	if (mbedtls_mpi_cmp_int(&XX, 0) == 0 \|\|
				2117	mbedtls_mpi_cmp_int(&XX, 1) == 0) {
				2118	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2119	}
				2120
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2121	if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {
				2122	return 0;
				2123	}
				2124
				2125	if ((ret = mpi_check_small_factors(&XX)) != 0) {
				2126	if (ret == 1) {
				2127	return 0;
				2128	}
				2129
				2130	return ret;
				2131	}
				2132
				2133	return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);
Janos Follath	f301d23	2018-08-14 13:34:01 +0100	[diff] [blame]	2134	}
				2135
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2136	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2137	* Prime number generation
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2138	*
Janos Follath	f301d23	2018-08-14 13:34:01 +0100	[diff] [blame]	2139	* To generate an RSA key in a way recommended by FIPS 186-4, both primes must
				2140	* be either 1024 bits or 1536 bits long, and flags must contain
				2141	* MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2142	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2143	int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
				2144	int (f_rng)(void , unsigned char *, size_t),
				2145	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2146	{
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2147	#ifdef MBEDTLS_HAVE_INT64
				2148	// ceil(2^63.5)
				2149	#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
				2150	#else
				2151	// ceil(2^31.5)
				2152	#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
				2153	#endif
				2154	int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2155	size_t k, n;
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2156	int rounds;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2157	mbedtls_mpi_uint r;
				2158	mbedtls_mpi Y;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2159
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2160	if (nbits < 3 \|\| nbits > MBEDTLS_MPI_MAX_BITS) {
				2161	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				2162	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2163
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2164	mbedtls_mpi_init(&Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2165
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2166	n = BITS_TO_LIMBS(nbits);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2167
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2168	if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2169	/*
				2170	* 2^-80 error probability, number of rounds chosen per HAC, table 4.4
				2171	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2172	rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :
				2173	(nbits >= 650) ? 4 : (nbits >= 350) ? 8 :
				2174	(nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);
				2175	} else {
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2176	/*
				2177	* 2^-100 error probability, number of rounds computed based on HAC,
				2178	* fact 4.48
				2179	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2180	rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :
				2181	(nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :
				2182	(nbits >= 750) ? 8 : (nbits >= 500) ? 13 :
				2183	(nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2184	}
				2185
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2186	while (1) {
				2187	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2188	/* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2189	if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {
				2190	continue;
				2191	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2192
				2193	k = n * biL;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2194	if (k > nbits) {
				2195	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
				2196	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2197	X->p[0] \|= 1;
				2198
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2199	if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
				2200	ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2201
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2202	if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2203	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2204	}
				2205	} else {
Manuel Pégourié-Gonnard	ddf7615	2013-11-22 19:58:22 +0100	[diff] [blame]	2206	/*
Tom Cosgrove	ce7f18c	2022-07-28 05:50:56 +0100	[diff] [blame]	2207	* A necessary condition for Y and X = 2Y + 1 to be prime
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2208	* is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
				2209	* Make sure it is satisfied, while keeping X = 3 mod 4
Manuel Pégourié-Gonnard	ddf7615	2013-11-22 19:58:22 +0100	[diff] [blame]	2210	*/
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2211
				2212	X->p[0] \|= 2;
				2213
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2214	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));
				2215	if (r == 0) {
				2216	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));
				2217	} else if (r == 1) {
				2218	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));
				2219	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2220
				2221	/* Set Y = (X-1) / 2, which is X / 2 because X is odd */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2222	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));
				2223	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2224
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2225	while (1) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2226	/*
				2227	* First, check small factors for X and Y
				2228	* before doing Miller-Rabin on any of them
				2229	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2230	if ((ret = mpi_check_small_factors(X)) == 0 &&
				2231	(ret = mpi_check_small_factors(&Y)) == 0 &&
				2232	(ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
				2233	== 0 &&
				2234	(ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
				2235	== 0) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2236	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2237	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2238
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2239	if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2240	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2241	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2242
				2243	/*
				2244	* Next candidates. We want to preserve Y = (X-1) / 2 and
				2245	* Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
				2246	* so up Y by 6 and X by 12.
				2247	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2248	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));
				2249	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2250	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2251	}
				2252	}
				2253
				2254	cleanup:
				2255
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2256	mbedtls_mpi_free(&Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2257
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2258	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2259	}
				2260
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2261	#endif /* MBEDTLS_GENPRIME */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2262
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2263	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2264
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2265	#define GCD_PAIR_COUNT 3
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2266
				2267	static const int gcd_pairs[GCD_PAIR_COUNT][3] =
				2268	{
				2269	{ 693, 609, 21 },
				2270	{ 1764, 868, 28 },
				2271	{ 768454923, 542167814, 1 }
				2272	};
				2273
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2274	/*
				2275	* Checkup routine
				2276	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2277	int mbedtls_mpi_self_test(int verbose)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2278	{
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2279	int ret, i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2280	mbedtls_mpi A, E, N, X, Y, U, V;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2281
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2282	mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);
				2283	mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2284
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2285	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,
				2286	"EFE021C2645FD1DC586E69184AF4A31E" \
				2287	"D5F53E93B5F123FA41680867BA110131" \
				2288	"944FE7952E2517337780CB0DB80E61AA" \
				2289	"E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2290
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2291	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,
				2292	"B2E7EFD37075B9F03FF989C7C5051C20" \
				2293	"34D2A323810251127E7BF8625A4F49A5" \
				2294	"F3E27F4DA8BD59C47D6DAABA4C8127BD" \
				2295	"5B5C25763222FEFCCFC38B832366C29E"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2296
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2297	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,
				2298	"0066A198186C18C10B2F5ED9B522752A" \
				2299	"9830B69916E535C8F047518A889A43A5" \
				2300	"94B6BED27A168D31D4A52F88925AA8F5"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2301
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2302	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2303
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2304	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2305	"602AB7ECA597A3D6B56FF9829A5E8B85" \
				2306	"9E857EA95A03512E2BAE7391688D264A" \
				2307	"A5663B0341DB9CCFD2C4C5F421FEC814" \
				2308	"8001B72E848A38CAE1C65F78E56ABDEF" \
				2309	"E12D3C039B8A02D6BE593F0BBBDA56F1" \
				2310	"ECF677152EF804370C1A305CAF3B5BF1" \
				2311	"30879B56C61DE584A0F53A2447A51E"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2312
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2313	if (verbose != 0) {
				2314	mbedtls_printf(" MPI test #1 (mul_mpi): ");
				2315	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2316
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2317	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2318	if (verbose != 0) {
				2319	mbedtls_printf("failed\n");
				2320	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2321
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2322	ret = 1;
				2323	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2324	}
				2325
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2326	if (verbose != 0) {
				2327	mbedtls_printf("passed\n");
				2328	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2329
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2330	MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2331
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2332	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2333	"256567336059E52CAE22925474705F39A94"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2334
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2335	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,
				2336	"6613F26162223DF488E9CD48CC132C7A" \
				2337	"0AC93C701B001B092E4E5B9F73BCD27B" \
				2338	"9EE50D0657C77F374E903CDFA4C642"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2339
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2340	if (verbose != 0) {
				2341	mbedtls_printf(" MPI test #2 (div_mpi): ");
				2342	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2343
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2344	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 \|\|
				2345	mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {
				2346	if (verbose != 0) {
				2347	mbedtls_printf("failed\n");
				2348	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2349
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2350	ret = 1;
				2351	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2352	}
				2353
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2354	if (verbose != 0) {
				2355	mbedtls_printf("passed\n");
				2356	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2357
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2358	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2359
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2360	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2361	"36E139AEA55215609D2816998ED020BB" \
				2362	"BD96C37890F65171D948E9BC7CBAA4D9" \
				2363	"325D24D6A3C12710F10A09FA08AB87"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2364
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2365	if (verbose != 0) {
				2366	mbedtls_printf(" MPI test #3 (exp_mod): ");
				2367	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2368
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2369	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2370	if (verbose != 0) {
				2371	mbedtls_printf("failed\n");
				2372	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2373
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2374	ret = 1;
				2375	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2376	}
				2377
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2378	if (verbose != 0) {
				2379	mbedtls_printf("passed\n");
				2380	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2381
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2382	MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2383
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2384	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2385	"003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
				2386	"C3DBA76456363A10869622EAC2DD84EC" \
				2387	"C5B8A74DAC4D09E03B5E0BE779F2DF61"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2388
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2389	if (verbose != 0) {
				2390	mbedtls_printf(" MPI test #4 (inv_mod): ");
				2391	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2392
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2393	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2394	if (verbose != 0) {
				2395	mbedtls_printf("failed\n");
				2396	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2397
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2398	ret = 1;
				2399	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2400	}
				2401
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2402	if (verbose != 0) {
				2403	mbedtls_printf("passed\n");
				2404	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2405
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2406	if (verbose != 0) {
				2407	mbedtls_printf(" MPI test #5 (simple gcd): ");
				2408	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2409
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2410	for (i = 0; i < GCD_PAIR_COUNT; i++) {
				2411	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));
				2412	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2413
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2414	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2415
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2416	if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {
				2417	if (verbose != 0) {
				2418	mbedtls_printf("failed at %d\n", i);
				2419	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2420
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2421	ret = 1;
				2422	goto cleanup;
				2423	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2424	}
				2425
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2426	if (verbose != 0) {
				2427	mbedtls_printf("passed\n");
				2428	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2429
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2430	cleanup:
				2431
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2432	if (ret != 0 && verbose != 0) {
				2433	mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
				2434	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2435
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2436	mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);
				2437	mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2438
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2439	if (verbose != 0) {
				2440	mbedtls_printf("\n");
				2441	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2442
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2443	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2444	}
				2445
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2446	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2447
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2448	#endif /* MBEDTLS_BIGNUM_C */