Blame - library/bignum.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: b1f9c1bf0f385126f4146c355a4cd4809bbbcfb3 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* Multi-precision integer library
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Dave Rodgman	16799db	2023-11-02 19:47:20 +0000	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	6	*/
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	7
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	8	/*
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	9	* The following sources were referenced in the design of this Multi-precision
				10	* Integer library:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	11	*
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	12	* [1] Handbook of Applied Cryptography - 1997
				13	* Menezes, van Oorschot and Vanstone
				14	*
				15	* [2] Multi-Precision Math
				16	* Tom St Denis
				17	* https://github.com/libtom/libtommath/blob/develop/tommath.pdf
				18	*
				19	* [3] GNU Multi-Precision Arithmetic Library
				20	* https://gmplib.org/manual/index.html
				21	*
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	22	*/
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	23
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	24	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	25
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	26	#if defined(MBEDTLS_BIGNUM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	27
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	28	#include "mbedtls/bignum.h"
Janos Follath	4614b9a	2022-07-21 15:34:47 +0100	[diff] [blame]	29	#include "bignum_core.h"
Chris Jones	4c5819c	2021-03-03 17:45:34 +0000	[diff] [blame]	30	#include "bn_mul.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	31	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	32	#include "mbedtls/error.h"
Gabor Mezei	22c9a6f	2021-10-20 12:09:35 +0200	[diff] [blame]	33	#include "constant_time_internal.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	34
Dave Rodgman	351c71b	2021-12-06 17:50:53 +0000	[diff] [blame]	35	#include <limits.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	36	#include <string.h>
				37
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	38	#include "mbedtls/platform.h"
Paul Bakker	6e339b5	2013-07-03 13:37:05 +0200	[diff] [blame]	39
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	40
				41
				42	/*
				43	* Conditionally select an MPI sign in constant time.
				44	* (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid
				45	* values.)
				46	*/
Janos Follath	b888bc0	2024-03-11 09:29:53 +0000	[diff] [blame]	47	static inline signed short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond,
				48	signed short sign1, signed short sign2)
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	49	{
Janos Follath	b888bc0	2024-03-11 09:29:53 +0000	[diff] [blame]	50	return (signed short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1;
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	51	}
				52
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	53	/*
				54	* Compare signed values in constant time
				55	*/
				56	int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
				57	const mbedtls_mpi *Y,
				58	unsigned *ret)
				59	{
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	60	mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	61
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	62	if (X->n != Y->n) {
				63	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				64	}
				65
				66	/*
Dave Rodgman	b69239c	2023-08-09 14:53:18 +0100	[diff] [blame]	67	* Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0.
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	68	* We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
				69	*/
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	70	X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1);
				71	Y_is_negative = mbedtls_ct_bool((Y->s & 2) >> 1);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	72
				73	/*
				74	* If the signs are different, then the positive operand is the bigger.
				75	* That is if X is negative (X_is_negative == 1), then X < Y is true and it
				76	* is false if X is positive (X_is_negative == 0).
				77	*/
Dave Rodgman	1cfc43c	2023-09-19 16:18:59 +0100	[diff] [blame]	78	different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	79	result = mbedtls_ct_bool_and(different_sign, X_is_negative);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	80
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	81	/*
				82	* Assuming signs are the same, compare X and Y. We switch the comparison
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	83	* order if they are negative so that we get the right result, regardles of
				84	* sign.
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	85	*/
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	86
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	87	/* This array is used to conditionally swap the pointers in const time */
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	88	void * const p[2] = { X->p, Y->p };
Dave Rodgman	98ddc01	2023-08-10 12:11:31 +0100	[diff] [blame]	89	size_t i = mbedtls_ct_size_if_else_0(X_is_negative, 1);
Dave Rodgman	2c76484	2023-05-18 13:28:21 +0100	[diff] [blame]	90	mbedtls_ct_condition_t lt = mbedtls_mpi_core_lt_ct(p[i], p[i ^ 1], X->n);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	91
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	92	/*
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	93	* Store in result iff the signs are the same (i.e., iff different_sign == false). If
Dave Rodgman	32d7260	2023-07-31 12:28:05 +0100	[diff] [blame]	94	* the signs differ, result has already been set, so we don't change it.
				95	*/
Dave Rodgman	1f39f03	2023-08-01 09:19:16 +0100	[diff] [blame]	96	result = mbedtls_ct_bool_or(result,
				97	mbedtls_ct_bool_and(mbedtls_ct_bool_not(different_sign), lt));
Dave Rodgman	1a7a562	2023-05-17 13:47:56 +0100	[diff] [blame]	98
Dave Rodgman	98ddc01	2023-08-10 12:11:31 +0100	[diff] [blame]	99	*ret = mbedtls_ct_uint_if_else_0(result, 1);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	100
				101	return 0;
				102	}
				103
				104	/*
				105	* Conditionally assign X = Y, without leaking information
				106	* about whether the assignment was made or not.
				107	* (Leaking information about the respective sizes of X and Y is ok however.)
				108	*/
Dave Rodgman	0a48717	2023-09-15 11:52:06 +0100	[diff] [blame]	109	#if defined(_MSC_VER) && defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \
				110	(_MSC_FULL_VER < 193131103)
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	111	/*
				112	* MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:
				113	* https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989
				114	*/
				115	__declspec(noinline)
				116	#endif
				117	int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X,
				118	const mbedtls_mpi *Y,
				119	unsigned char assign)
				120	{
				121	int ret = 0;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	122
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	123	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
				124
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	125	{
				126	mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign);
Dave Rodgman	589ccb8	2023-05-17 13:55:01 +0100	[diff] [blame]	127
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	128	X->s = mbedtls_ct_mpi_sign_if(do_assign, Y->s, X->s);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	129
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	130	mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	131
Dave Rodgman	7e9af05	2023-09-28 17:08:16 +0100	[diff] [blame]	132	mbedtls_ct_condition_t do_not_assign = mbedtls_ct_bool_not(do_assign);
				133	for (size_t i = Y->n; i < X->n; i++) {
				134	X->p[i] = mbedtls_ct_mpi_uint_if_else_0(do_not_assign, X->p[i]);
				135	}
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	136	}
				137
				138	cleanup:
				139	return ret;
				140	}
				141
				142	/*
				143	* Conditionally swap X and Y, without leaking information
				144	* about whether the swap was made or not.
				145	* Here it is not ok to simply swap the pointers, which would lead to
				146	* different memory access patterns when X and Y are used afterwards.
				147	*/
				148	int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X,
				149	mbedtls_mpi *Y,
				150	unsigned char swap)
				151	{
				152	int ret = 0;
				153	int s;
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	154
				155	if (X == Y) {
				156	return 0;
				157	}
				158
Dave Rodgman	cd2e38b	2023-05-17 13:31:55 +0100	[diff] [blame]	159	mbedtls_ct_condition_t do_swap = mbedtls_ct_bool(swap);
				160
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	161	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
				162	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n));
				163
				164	s = X->s;
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	165	X->s = mbedtls_ct_mpi_sign_if(do_swap, Y->s, X->s);
				166	Y->s = mbedtls_ct_mpi_sign_if(do_swap, s, Y->s);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	167
Dave Rodgman	cd2e38b	2023-05-17 13:31:55 +0100	[diff] [blame]	168	mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap);
Dave Rodgman	7d4f019	2023-05-09 14:01:05 +0100	[diff] [blame]	169
				170	cleanup:
				171	return ret;
				172	}
				173
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	174	/* Implementation that should never be optimized out by the compiler */
Tom Cosgrove	bc345e8	2023-07-25 15:17:39 +0100	[diff] [blame]	175	#define mbedtls_mpi_zeroize_and_free(v, n) mbedtls_zeroize_and_free(v, ciL * (n))
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	176
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	177	/*
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	178	* Initialize one MPI
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	179	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	180	void mbedtls_mpi_init(mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	181	{
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	182	X->s = 1;
				183	X->n = 0;
				184	X->p = NULL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	185	}
				186
				187	/*
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	188	* Unallocate one MPI
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	189	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	190	void mbedtls_mpi_free(mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	191	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	192	if (X == NULL) {
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	193	return;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	194	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	195
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	196	if (X->p != NULL) {
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	197	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	198	}
				199
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	200	X->s = 1;
				201	X->n = 0;
				202	X->p = NULL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	203	}
				204
				205	/*
				206	* Enlarge to the specified number of limbs
				207	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	208	int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	209	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	210	mbedtls_mpi_uint *p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	211
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	212	if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
				213	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				214	}
Paul Bakker	f968857	2011-05-05 10:00:45 +0000	[diff] [blame]	215
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	216	if (X->n < nblimbs) {
				217	if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {
				218	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				219	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	220
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	221	if (X->p != NULL) {
				222	memcpy(p, X->p, X->n * ciL);
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	223	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	224	}
				225
Gilles Peskine	053022f	2023-06-29 19:26:48 +0200	[diff] [blame]	226	/* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
				227	* fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
				228	X->n = (unsigned short) nblimbs;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	229	X->p = p;
				230	}
				231
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	232	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	233	}
				234
				235	/*
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	236	* Resize down as much as possible,
				237	* while keeping at least the specified number of limbs
				238	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	239	int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	240	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	241	mbedtls_mpi_uint *p;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	242	size_t i;
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	243
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	244	if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
				245	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				246	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	247
Gilles Peskine	e2f563e	2020-01-20 21:17:43 +0100	[diff] [blame]	248	/* Actually resize up if there are currently fewer than nblimbs limbs. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	249	if (X->n <= nblimbs) {
				250	return mbedtls_mpi_grow(X, nblimbs);
				251	}
Gilles Peskine	322752b	2020-01-21 13:59:51 +0100	[diff] [blame]	252	/* After this point, then X->n > nblimbs and in particular X->n > 0. */
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	253
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	254	for (i = X->n - 1; i > 0; i--) {
				255	if (X->p[i] != 0) {
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	256	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	257	}
				258	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	259	i++;
				260
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	261	if (i < nblimbs) {
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	262	i = nblimbs;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	263	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	264
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	265	if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {
				266	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				267	}
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	268
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	269	if (X->p != NULL) {
				270	memcpy(p, X->p, i * ciL);
Tom Cosgrove	46259f6	2023-07-18 16:44:14 +0100	[diff] [blame]	271	mbedtls_mpi_zeroize_and_free(X->p, X->n);
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	272	}
				273
Gilles Peskine	053022f	2023-06-29 19:26:48 +0200	[diff] [blame]	274	/* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
				275	* fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
				276	X->n = (unsigned short) i;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	277	X->p = p;
				278
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	279	return 0;
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	280	}
				281
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	282	/* Resize X to have exactly n limbs and set it to 0. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	283	static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	284	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	285	if (limbs == 0) {
				286	mbedtls_mpi_free(X);
				287	return 0;
				288	} else if (X->n == limbs) {
				289	memset(X->p, 0, limbs * ciL);
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	290	X->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	291	return 0;
				292	} else {
				293	mbedtls_mpi_free(X);
				294	return mbedtls_mpi_grow(X, limbs);
Gilles Peskine	ed32b57	2021-06-02 22:17:52 +0200	[diff] [blame]	295	}
				296	}
				297
Manuel Pégourié-Gonnard	5868163	2013-11-21 10:39:37 +0100	[diff] [blame]	298	/*
Gilles Peskine	3da1a8f	2021-06-08 23:17:42 +0200	[diff] [blame]	299	* Copy the contents of Y into X.
				300	*
				301	* This function is not constant-time. Leading zeros in Y may be removed.
				302	*
				303	* Ensure that X does not shrink. This is not guaranteed by the public API,
Janos Follath	c9faea0	2024-02-19 10:49:18 +0000	[diff] [blame]	304	* but some code in the bignum module might still rely on this property.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	305	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	306	int mbedtls_mpi_copy(mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	307	{
Gilles Peskine	4e4be7c	2018-03-21 16:29:03 +0100	[diff] [blame]	308	int ret = 0;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	309	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	310
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	311	if (X == Y) {
				312	return 0;
Manuel Pégourié-Gonnard	f499993	2013-08-12 17:02:59 +0200	[diff] [blame]	313	}
				314
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	315	if (Y->n == 0) {
				316	if (X->n != 0) {
				317	X->s = 1;
				318	memset(X->p, 0, X->n * ciL);
				319	}
				320	return 0;
				321	}
				322
				323	for (i = Y->n - 1; i > 0; i--) {
				324	if (Y->p[i] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	325	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	326	}
				327	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	328	i++;
				329
				330	X->s = Y->s;
				331
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	332	if (X->n < i) {
				333	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));
				334	} else {
				335	memset(X->p + i, 0, (X->n - i) * ciL);
Gilles Peskine	4e4be7c	2018-03-21 16:29:03 +0100	[diff] [blame]	336	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	337
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	338	memcpy(X->p, Y->p, i * ciL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	339
				340	cleanup:
				341
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	342	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	343	}
				344
				345	/*
				346	* Swap the contents of X and Y
				347	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	348	void mbedtls_mpi_swap(mbedtls_mpi X, mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	349	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	350	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	351
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	352	memcpy(&T, X, sizeof(mbedtls_mpi));
				353	memcpy(X, Y, sizeof(mbedtls_mpi));
				354	memcpy(Y, &T, sizeof(mbedtls_mpi));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	355	}
				356
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	357	static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	358	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	359	if (z >= 0) {
				360	return z;
				361	}
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	362	/* Take care to handle the most negative value (-2^(biL-1)) correctly.
				363	* A naive -z would have undefined behavior.
				364	* Write this in a way that makes popular compilers happy (GCC, Clang,
				365	* MSVC). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	366	return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;
Gilles Peskine	ef7f4e4	2022-11-15 23:25:27 +0100	[diff] [blame]	367	}
				368
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	369	/* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative.
				370	* This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */
Dave Rodgman	73d8591	2023-09-28 17:00:50 +0100	[diff] [blame]	371	#define TO_SIGN(x) ((mbedtls_mpi_sint) (((mbedtls_mpi_uint) x) >> (biL - 1)) * -2 + 1)
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	372
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	373	/*
				374	* Set value from integer
				375	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	376	int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	377	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	378	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	379
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	380	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
				381	memset(X->p, 0, X->n * ciL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	382
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	383	X->p[0] = mpi_sint_abs(z);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	384	X->s = TO_SIGN(z);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	385
				386	cleanup:
				387
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	388	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	389	}
				390
				391	/*
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	392	* Get a specific bit
				393	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	394	int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	395	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	396	if (X->n * biL <= pos) {
				397	return 0;
				398	}
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	399
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	400	return (X->p[pos / biL] >> (pos % biL)) & 0x01;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	401	}
				402
				403	/*
				404	* Set a bit to a specific value of 0 or 1
				405	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	406	int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	407	{
				408	int ret = 0;
				409	size_t off = pos / biL;
				410	size_t idx = pos % biL;
				411
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	412	if (val != 0 && val != 1) {
				413	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	414	}
				415
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	416	if (X->n * biL <= pos) {
				417	if (val == 0) {
				418	return 0;
				419	}
				420
				421	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));
				422	}
				423
				424	X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	425	X->p[off] \|= (mbedtls_mpi_uint) val << idx;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	426
				427	cleanup:
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	428
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	429	return ret;
Paul Bakker	2f5947e	2011-05-18 15:47:11 +0000	[diff] [blame]	430	}
				431
				432	/*
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	433	* Return the number of less significant zero-bits
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	434	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	435	size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	436	{
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	437	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	438
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	439	#if defined(__has_builtin)
				440	#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz)
				441	#define mbedtls_mpi_uint_ctz __builtin_ctz
				442	#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_ctzl)
				443	#define mbedtls_mpi_uint_ctz __builtin_ctzl
				444	#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_ctzll)
				445	#define mbedtls_mpi_uint_ctz __builtin_ctzll
				446	#endif
				447	#endif
				448
				449	#if defined(mbedtls_mpi_uint_ctz)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	450	for (i = 0; i < X->n; i++) {
Dave Rodgman	960eca9	2023-08-09 20:43:18 +0100	[diff] [blame]	451	if (X->p[i] != 0) {
				452	return i * biL + mbedtls_mpi_uint_ctz(X->p[i]);
				453	}
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	454	}
				455	#else
				456	size_t count = 0;
				457	for (i = 0; i < X->n; i++) {
				458	for (size_t j = 0; j < biL; j++, count++) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	459	if (((X->p[i] >> j) & 1) != 0) {
				460	return count;
				461	}
				462	}
				463	}
Dave Rodgman	fa703e3	2023-08-09 18:56:07 +0100	[diff] [blame]	464	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	465
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	466	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	467	}
				468
				469	/*
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	470	* Return the number of bits
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	471	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	472	size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	473	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	474	return mbedtls_mpi_core_bitlen(X->p, X->n);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	475	}
				476
				477	/*
				478	* Return the total size in bytes
				479	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	480	size_t mbedtls_mpi_size(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	481	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	482	return (mbedtls_mpi_bitlen(X) + 7) >> 3;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	483	}
				484
				485	/*
				486	* Convert an ASCII character to digit value
				487	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	488	static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	489	{
				490	*d = 255;
				491
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	492	if (c >= 0x30 && c <= 0x39) {
				493	*d = c - 0x30;
				494	}
				495	if (c >= 0x41 && c <= 0x46) {
				496	*d = c - 0x37;
				497	}
				498	if (c >= 0x61 && c <= 0x66) {
				499	*d = c - 0x57;
				500	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	501
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	502	if (*d >= (mbedtls_mpi_uint) radix) {
				503	return MBEDTLS_ERR_MPI_INVALID_CHARACTER;
				504	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	505
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	506	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	507	}
				508
				509	/*
				510	* Import from an ASCII string
				511	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	512	int mbedtls_mpi_read_string(mbedtls_mpi X, int radix, const char s)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	513	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	514	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	515	size_t i, j, slen, n;
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	516	int sign = 1;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	517	mbedtls_mpi_uint d;
				518	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	519
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	520	if (radix < 2 \|\| radix > 16) {
				521	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Gilles Peskine	7cba859	2021-06-08 18:32:34 +0200	[diff] [blame]	522	}
				523
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	524	mbedtls_mpi_init(&T);
				525
				526	if (s[0] == 0) {
				527	mbedtls_mpi_free(X);
				528	return 0;
				529	}
				530
				531	if (s[0] == '-') {
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	532	++s;
				533	sign = -1;
				534	}
				535
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	536	slen = strlen(s);
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	537
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	538	if (radix == 16) {
Dave Rodgman	68ef1d6	2023-05-18 20:49:03 +0100	[diff] [blame]	539	if (slen > SIZE_MAX >> 2) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	540	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	541	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	542
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	543	n = BITS_TO_LIMBS(slen << 2);
				544
				545	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));
				546	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
				547
				548	for (i = slen, j = 0; i > 0; i--, j++) {
				549	MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));
				550	X->p[j / (2 * ciL)] \|= d << ((j % (2 * ciL)) << 2);
				551	}
				552	} else {
				553	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
				554
				555	for (i = 0; i < slen; i++) {
				556	MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));
				557	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));
				558	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	559	}
				560	}
				561
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	562	if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	563	X->s = -1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	564	}
Gilles Peskine	80f5673	2021-04-03 18:26:13 +0200	[diff] [blame]	565
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	566	cleanup:
				567
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	568	mbedtls_mpi_free(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	569
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	570	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	571	}
				572
				573	/*
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	574	* Helper to write the digits high-order first.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	575	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	576	static int mpi_write_hlp(mbedtls_mpi *X, int radix,
				577	char **p, const size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	578	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	579	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	580	mbedtls_mpi_uint r;
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	581	size_t length = 0;
				582	char p_end = p + buflen;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	583
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	584	do {
				585	if (length >= buflen) {
				586	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	587	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	588
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	589	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
				590	MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	591	/*
				592	* Write the residue in the current position, as an ASCII character.
				593	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	594	if (r < 0xA) {
				595	*(--p_end) = (char) ('0' + r);
				596	} else {
				597	*(--p_end) = (char) ('A' + (r - 0xA));
				598	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	599
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	600	length++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	601	} while (mbedtls_mpi_cmp_int(X, 0) != 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	602
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	603	memmove(*p, p_end, length);
Ron Eldor	a16fa29	2018-11-20 14:07:01 +0200	[diff] [blame]	604	*p += length;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	605
				606	cleanup:
				607
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	608	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	609	}
				610
				611	/*
				612	* Export into an ASCII string
				613	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	614	int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
				615	char buf, size_t buflen, size_t olen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	616	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	617	int ret = 0;
				618	size_t n;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	619	char *p;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	620	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	621
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	622	if (radix < 2 \|\| radix > 16) {
				623	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				624	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	625
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	626	n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */
				627	if (radix >= 4) {
				628	n >>= 1; /* Number of 4-adic digits necessary to present
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	629	* `n`. If radix > 4, this might be a strict
				630	* overapproximation of the number of
				631	* radix-adic digits needed to present `n`. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	632	}
				633	if (radix >= 16) {
				634	n >>= 1; /* Number of hexadecimal digits necessary to
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	635	* present `n`. */
				636
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	637	}
Janos Follath	8047062	2019-03-06 13:43:02 +0000	[diff] [blame]	638	n += 1; /* Terminating null byte */
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	639	n += 1; /* Compensate for the divisions above, which round down `n`
				640	* in case it's not even. */
				641	n += 1; /* Potential '-'-sign. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	642	n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
Hanno Becker	23cfea0	2019-02-04 09:45:07 +0000	[diff] [blame]	643	* which always uses an even number of hex-digits. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	644
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	645	if (buflen < n) {
Manuel Pégourié-Gonnard	f79b425	2015-06-02 15:41:48 +0100	[diff] [blame]	646	*olen = n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	647	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	648	}
				649
Manuel Pégourié-Gonnard	f79b425	2015-06-02 15:41:48 +0100	[diff] [blame]	650	p = buf;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	651	mbedtls_mpi_init(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	652
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	653	if (X->s == -1) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	654	*p++ = '-';
Hanno Becker	c983c81	2019-02-01 16:41:30 +0000	[diff] [blame]	655	buflen--;
				656	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	657
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	658	if (radix == 16) {
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	659	int c;
				660	size_t i, j, k;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	661
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	662	for (i = X->n, k = 0; i > 0; i--) {
				663	for (j = ciL; j > 0; j--) {
				664	c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	665
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	666	if (c == 0 && k == 0 && (i + j) != 2) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	667	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	668	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	669
Paul Bakker	98fe5ea	2012-10-24 11:17:48 +0000	[diff] [blame]	670	*(p++) = "0123456789ABCDEF" [c / 16];
Paul Bakker	d2c167e	2012-10-30 07:49:19 +0000	[diff] [blame]	671	*(p++) = "0123456789ABCDEF" [c % 16];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	672	k = 1;
				673	}
				674	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	675	} else {
				676	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	677
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	678	if (T.s == -1) {
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	679	T.s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	680	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	681
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	682	MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	683	}
				684
				685	*p++ = '\0';
Dave Rodgman	e4a6f5a	2023-11-04 12:20:09 +0000	[diff] [blame]	686	*olen = (size_t) (p - buf);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	687
				688	cleanup:
				689
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	690	mbedtls_mpi_free(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	691
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	692	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	693	}
				694
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	695	#if defined(MBEDTLS_FS_IO)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	696	/*
				697	* Read X from an opened file
				698	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	699	int mbedtls_mpi_read_file(mbedtls_mpi X, int radix, FILE fin)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	700	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	701	mbedtls_mpi_uint d;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	702	size_t slen;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	703	char *p;
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	704	/*
Paul Bakker	cb37aa5	2011-11-30 16:00:20 +0000	[diff] [blame]	705	* Buffer should have space for (short) label and decimal formatted MPI,
				706	* newline characters and '\0'
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	707	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	708	char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	709
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	710	if (radix < 2 \|\| radix > 16) {
				711	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				712	}
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	713
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	714	memset(s, 0, sizeof(s));
				715	if (fgets(s, sizeof(s) - 1, fin) == NULL) {
				716	return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
				717	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	718
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	719	slen = strlen(s);
				720	if (slen == sizeof(s) - 2) {
				721	return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
				722	}
Paul Bakker	cb37aa5	2011-11-30 16:00:20 +0000	[diff] [blame]	723
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	724	if (slen > 0 && s[slen - 1] == '\n') {
				725	slen--; s[slen] = '\0';
				726	}
				727	if (slen > 0 && s[slen - 1] == '\r') {
				728	slen--; s[slen] = '\0';
				729	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	730
				731	p = s + slen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	732	while (p-- > s) {
				733	if (mpi_get_digit(&d, radix, *p) != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	734	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	735	}
				736	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	737
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	738	return mbedtls_mpi_read_string(X, radix, p + 1);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	739	}
				740
				741	/*
				742	* Write X into an opened file (or stdout if fout == NULL)
				743	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	744	int mbedtls_mpi_write_file(const char p, const mbedtls_mpi X, int radix, FILE *fout)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	745	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	746	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	747	size_t n, slen, plen;
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	748	/*
Paul Bakker	5531c6d	2012-09-26 19:20:46 +0000	[diff] [blame]	749	* Buffer should have space for (short) label and decimal formatted MPI,
				750	* newline characters and '\0'
Paul Bakker	fe3256e	2011-11-25 12:11:43 +0000	[diff] [blame]	751	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	752	char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	753
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	754	if (radix < 2 \|\| radix > 16) {
				755	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				756	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	757
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	758	memset(s, 0, sizeof(s));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	759
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	760	MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	761
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	762	if (p == NULL) {
				763	p = "";
				764	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	765
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	766	plen = strlen(p);
				767	slen = strlen(s);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	768	s[slen++] = '\r';
				769	s[slen++] = '\n';
				770
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	771	if (fout != NULL) {
				772	if (fwrite(p, 1, plen, fout) != plen \|\|
				773	fwrite(s, 1, slen, fout) != slen) {
				774	return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
				775	}
				776	} else {
				777	mbedtls_printf("%s%s", p, s);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	778	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	779
				780	cleanup:
				781
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	782	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	783	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	784	#endif /* MBEDTLS_FS_IO */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	785
				786	/*
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	787	* Import X from unsigned binary data, little endian
Przemyslaw Stekiel	76960a7	2022-02-21 13:42:09 +0100	[diff] [blame]	788	*
				789	* This function is guaranteed to return an MPI with exactly the necessary
				790	* number of limbs (in particular, it does not skip 0s in the input).
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	791	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	792	int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
				793	const unsigned char *buf, size_t buflen)
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	794	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	795	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	796	const size_t limbs = CHARS_TO_LIMBS(buflen);
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	797
				798	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	799	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	800
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	801	MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen));
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	802
				803	cleanup:
				804
Janos Follath	171a7ef	2019-02-15 16:17:45 +0000	[diff] [blame]	805	/*
				806	* This function is also used to import keys. However, wiping the buffers
				807	* upon failure is not necessary because failure only can happen before any
				808	* input is copied.
				809	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	810	return ret;
Janos Follath	a778a94	2019-02-13 10:28:28 +0000	[diff] [blame]	811	}
				812
				813	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	814	* Import X from unsigned binary data, big endian
Przemyslaw Stekiel	76960a7	2022-02-21 13:42:09 +0100	[diff] [blame]	815	*
				816	* This function is guaranteed to return an MPI with exactly the necessary
				817	* number of limbs (in particular, it does not skip 0s in the input).
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	818	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	819	int mbedtls_mpi_read_binary(mbedtls_mpi X, const unsigned char buf, size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	820	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	821	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	822	const size_t limbs = CHARS_TO_LIMBS(buflen);
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	823
Hanno Becker	073c199	2017-10-17 15:17:27 +0100	[diff] [blame]	824	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	825	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	826
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	827	MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	828
				829	cleanup:
				830
Janos Follath	171a7ef	2019-02-15 16:17:45 +0000	[diff] [blame]	831	/*
				832	* This function is also used to import keys. However, wiping the buffers
				833	* upon failure is not necessary because failure only can happen before any
				834	* input is copied.
				835	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	836	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	837	}
				838
				839	/*
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	840	* Export X into unsigned binary data, little endian
				841	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	842	int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
				843	unsigned char *buf, size_t buflen)
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	844	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	845	return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen);
Janos Follath	e344d0f	2019-02-19 16:17:40 +0000	[diff] [blame]	846	}
				847
				848	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	849	* Export X into unsigned binary data, big endian
				850	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	851	int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
				852	unsigned char *buf, size_t buflen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	853	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	854	return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	855	}
				856
				857	/*
				858	* Left-shift: X <<= count
				859	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	860	int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	861	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	862	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Minos Galanakis	0144b35	2023-05-02 14:02:32 +0100	[diff] [blame]	863	size_t i;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	864
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	865	i = mbedtls_mpi_bitlen(X) + count;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	866
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	867	if (X->n * biL < i) {
				868	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));
				869	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	870
				871	ret = 0;
				872
Minos Galanakis	0144b35	2023-05-02 14:02:32 +0100	[diff] [blame]	873	mbedtls_mpi_core_shift_l(X->p, X->n, count);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	874	cleanup:
				875
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	876	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	877	}
				878
				879	/*
				880	* Right-shift: X >>= count
				881	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	882	int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	883	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	884	if (X->n != 0) {
				885	mbedtls_mpi_core_shift_r(X->p, X->n, count);
				886	}
				887	return 0;
Gilles Peskine	6641420	2022-09-21 15:36:16 +0200	[diff] [blame]	888	}
				889
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	890	/*
				891	* Compare unsigned values
				892	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	893	int mbedtls_mpi_cmp_abs(const mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	894	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	895	size_t i, j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	896
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	897	for (i = X->n; i > 0; i--) {
				898	if (X->p[i - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	899	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	900	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	901	}
				902
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	903	for (j = Y->n; j > 0; j--) {
				904	if (Y->p[j - 1] != 0) {
				905	break;
				906	}
				907	}
				908
Dave Rodgman	ebcd785	2023-08-09 18:56:42 +0100	[diff] [blame]	909	/* If i == j == 0, i.e. abs(X) == abs(Y),
				910	* we end up returning 0 at the end of the function. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	911
				912	if (i > j) {
				913	return 1;
				914	}
				915	if (j > i) {
				916	return -1;
				917	}
				918
				919	for (; i > 0; i--) {
				920	if (X->p[i - 1] > Y->p[i - 1]) {
				921	return 1;
				922	}
				923	if (X->p[i - 1] < Y->p[i - 1]) {
				924	return -1;
				925	}
				926	}
				927
				928	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	929	}
				930
				931	/*
				932	* Compare signed values
				933	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	934	int mbedtls_mpi_cmp_mpi(const mbedtls_mpi X, const mbedtls_mpi Y)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	935	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	936	size_t i, j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	937
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	938	for (i = X->n; i > 0; i--) {
				939	if (X->p[i - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	940	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	941	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	942	}
				943
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	944	for (j = Y->n; j > 0; j--) {
				945	if (Y->p[j - 1] != 0) {
				946	break;
				947	}
				948	}
				949
				950	if (i == 0 && j == 0) {
				951	return 0;
				952	}
				953
				954	if (i > j) {
				955	return X->s;
				956	}
				957	if (j > i) {
				958	return -Y->s;
				959	}
				960
				961	if (X->s > 0 && Y->s < 0) {
				962	return 1;
				963	}
				964	if (Y->s > 0 && X->s < 0) {
				965	return -1;
				966	}
				967
				968	for (; i > 0; i--) {
				969	if (X->p[i - 1] > Y->p[i - 1]) {
				970	return X->s;
				971	}
				972	if (X->p[i - 1] < Y->p[i - 1]) {
				973	return -X->s;
				974	}
				975	}
				976
				977	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	978	}
				979
Janos Follath	ee6abce	2019-09-05 14:47:19 +0100	[diff] [blame]	980	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	981	* Compare signed values
				982	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	983	int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	984	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	985	mbedtls_mpi Y;
				986	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	987
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	988	*p = mpi_sint_abs(z);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	989	Y.s = TO_SIGN(z);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	990	Y.n = 1;
				991	Y.p = p;
				992
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	993	return mbedtls_mpi_cmp_mpi(X, &Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	994	}
				995
				996	/*
				997	* Unsigned addition: X = \|A\| + \|B\| (HAC 14.7)
				998	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	999	int mbedtls_mpi_add_abs(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1000	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1001	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1002	size_t j;
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1003	mbedtls_mpi_uint *p;
				1004	mbedtls_mpi_uint c;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1005
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1006	if (X == B) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1007	const mbedtls_mpi *T = A; A = X; B = T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1008	}
				1009
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1010	if (X != A) {
				1011	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
				1012	}
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1013
Paul Bakker	f7ca7b9	2009-06-20 10:31:06 +0000	[diff] [blame]	1014	/*
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1015	* X must always be positive as a result of unsigned additions.
Paul Bakker	f7ca7b9	2009-06-20 10:31:06 +0000	[diff] [blame]	1016	*/
				1017	X->s = 1;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1018
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1019	for (j = B->n; j > 0; j--) {
				1020	if (B->p[j - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1021	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1022	}
				1023	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1024
Gilles Peskine	db14a9d	2022-11-15 22:59:00 +0100	[diff] [blame]	1025	/* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
				1026	* and B is 0 (of any size). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1027	if (j == 0) {
				1028	return 0;
				1029	}
Gilles Peskine	db14a9d	2022-11-15 22:59:00 +0100	[diff] [blame]	1030
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1031	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1032
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1033	/* j is the number of non-zero limbs of B. Add those to X. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1034
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1035	p = X->p;
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1036
Agathiyan Bragadeesh	c99840a	2023-07-12 11:15:46 +0100	[diff] [blame]	1037	c = mbedtls_mpi_core_add(p, p, B->p, j);
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1038
				1039	p += j;
				1040
				1041	/* Now propagate any carry */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1042
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1043	while (c != 0) {
				1044	if (j >= X->n) {
				1045	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1));
Tom Cosgrove	af7d44b	2022-08-24 14:05:26 +0100	[diff] [blame]	1046	p = X->p + j;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1047	}
				1048
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1049	p += c; c = (p < c); j++; p++;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1050	}
				1051
				1052	cleanup:
				1053
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1054	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1055	}
				1056
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1057	/*
Gilles Peskine	0e5faf6	2020-06-08 22:50:35 +0200	[diff] [blame]	1058	* Unsigned subtraction: X = \|A\| - \|B\| (HAC 14.9, 14.10)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1059	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1060	int mbedtls_mpi_sub_abs(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1061	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1062	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1063	size_t n;
Gilles Peskine	0e5faf6	2020-06-08 22:50:35 +0200	[diff] [blame]	1064	mbedtls_mpi_uint carry;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1065
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1066	for (n = B->n; n > 0; n--) {
				1067	if (B->p[n - 1] != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1068	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1069	}
				1070	}
				1071	if (n > A->n) {
Gilles Peskine	c8a9177	2021-01-27 22:30:43 +0100	[diff] [blame]	1072	/* B >= (2^ciL)^n > A */
				1073	ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1074	goto cleanup;
				1075	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1076
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1077	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1078
				1079	/* Set the high limbs of X to match A. Don't touch the lower limbs
				1080	* because X might be aliased to B, and we must not overwrite the
				1081	* significant digits of B. */
Aaron M. Ucko	af67d2c	2023-01-17 11:52:22 -0500	[diff] [blame]	1082	if (A->n > n && A != X) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1083	memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
				1084	}
				1085	if (X->n > A->n) {
				1086	memset(X->p + A->n, 0, (X->n - A->n) * ciL);
				1087	}
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1088
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1089	carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n);
				1090	if (carry != 0) {
Tom Cosgrove	452c99c	2022-08-25 10:07:07 +0100	[diff] [blame]	1091	/* Propagate the carry through the rest of X. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1092	carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n);
Tom Cosgrove	452c99c	2022-08-25 10:07:07 +0100	[diff] [blame]	1093
				1094	/* If we have further carry/borrow, the result is negative. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1095	if (carry != 0) {
Gilles Peskine	89b4130	2020-07-23 01:16:46 +0200	[diff] [blame]	1096	ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1097	goto cleanup;
				1098	}
Gilles Peskine	c097e9e	2020-06-08 21:58:22 +0200	[diff] [blame]	1099	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1100
Gilles Peskine	1acf7cb	2020-07-23 01:03:22 +0200	[diff] [blame]	1101	/* X should always be positive as a result of unsigned subtractions. */
				1102	X->s = 1;
				1103
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1104	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1105	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1106	}
				1107
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1108	/* Common function for signed addition and subtraction.
				1109	* Calculate A + B * flip_B where flip_B is 1 or -1.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1110	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1111	static int add_sub_mpi(mbedtls_mpi *X,
				1112	const mbedtls_mpi A, const mbedtls_mpi B,
				1113	int flip_B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1114	{
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	1115	int ret, s;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1116
Hanno Becker	73d7d79	2018-12-11 10:35:51 +0000	[diff] [blame]	1117	s = A->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1118	if (A->s * B->s * flip_B < 0) {
				1119	int cmp = mbedtls_mpi_cmp_abs(A, B);
				1120	if (cmp >= 0) {
				1121	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
Gilles Peskine	4a768dd	2022-11-09 22:02:16 +0100	[diff] [blame]	1122	/* If \|A\| = \|B\|, the result is 0 and we must set the sign bit
				1123	* to +1 regardless of which of A or B was negative. Otherwise,
				1124	* since \|A\| > \|B\|, the sign is the sign of A. */
				1125	X->s = cmp == 0 ? 1 : s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1126	} else {
				1127	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));
Gilles Peskine	4a768dd	2022-11-09 22:02:16 +0100	[diff] [blame]	1128	/* Since \|A\| < \|B\|, the sign is the opposite of A. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1129	X->s = -s;
				1130	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1131	} else {
				1132	MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1133	X->s = s;
				1134	}
				1135
				1136	cleanup:
				1137
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1138	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1139	}
				1140
				1141	/*
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1142	* Signed addition: X = A + B
				1143	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1144	int mbedtls_mpi_add_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1145	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1146	return add_sub_mpi(X, A, B, 1);
Gilles Peskine	72ee1e3	2022-11-09 21:34:09 +0100	[diff] [blame]	1147	}
				1148
				1149	/*
Paul Bakker	60b1d10	2013-10-29 10:02:51 +0100	[diff] [blame]	1150	* Signed subtraction: X = A - B
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1151	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1152	int mbedtls_mpi_sub_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1153	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1154	return add_sub_mpi(X, A, B, -1);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1155	}
				1156
				1157	/*
				1158	* Signed addition: X = A + b
				1159	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1160	int mbedtls_mpi_add_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1161	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1162	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1163	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1164
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1165	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1166	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1167	B.n = 1;
				1168	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1169
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1170	return mbedtls_mpi_add_mpi(X, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1171	}
				1172
				1173	/*
Paul Bakker	60b1d10	2013-10-29 10:02:51 +0100	[diff] [blame]	1174	* Signed subtraction: X = A - b
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1175	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1176	int mbedtls_mpi_sub_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1177	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1178	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1179	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1180
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1181	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1182	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1183	B.n = 1;
				1184	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1185
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1186	return mbedtls_mpi_sub_mpi(X, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1187	}
				1188
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1189	/*
				1190	* Baseline multiplication: X = A * B (HAC 14.12)
				1191	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1192	int mbedtls_mpi_mul_mpi(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1193	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1194	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	1772e05	2022-04-13 06:51:40 +0100	[diff] [blame]	1195	size_t i, j;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1196	mbedtls_mpi TA, TB;
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1197	int result_is_zero = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1198
Tom Cosgrove	6af26f3	2022-08-24 16:40:55 +0100	[diff] [blame]	1199	mbedtls_mpi_init(&TA);
				1200	mbedtls_mpi_init(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1201
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1202	if (X == A) {
				1203	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;
				1204	}
				1205	if (X == B) {
				1206	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;
				1207	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1208
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1209	for (i = A->n; i > 0; i--) {
				1210	if (A->p[i - 1] != 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1211	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1212	}
				1213	}
				1214	if (i == 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1215	result_is_zero = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1216	}
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1217
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1218	for (j = B->n; j > 0; j--) {
				1219	if (B->p[j - 1] != 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1220	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1221	}
				1222	}
				1223	if (j == 0) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1224	result_is_zero = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1225	}
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1226
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1227	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));
				1228	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1229
Tom Cosgrove	6af26f3	2022-08-24 16:40:55 +0100	[diff] [blame]	1230	mbedtls_mpi_core_mul(X->p, A->p, i, B->p, j);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1231
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1232	/* If the result is 0, we don't shortcut the operation, which reduces
				1233	* but does not eliminate side channels leaking the zero-ness. We do
				1234	* need to take care to set the sign bit properly since the library does
				1235	* not fully support an MPI object with a value of 0 and s == -1. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1236	if (result_is_zero) {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1237	X->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1238	} else {
Hanno Becker	da763de	2022-04-13 06:50:02 +0100	[diff] [blame]	1239	X->s = A->s * B->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1240	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1241
				1242	cleanup:
				1243
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1244	mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1245
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1246	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1247	}
				1248
				1249	/*
				1250	* Baseline multiplication: X = A * b
				1251	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1252	int mbedtls_mpi_mul_int(mbedtls_mpi X, const mbedtls_mpi A, mbedtls_mpi_uint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1253	{
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1254	size_t n = A->n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1255	while (n > 0 && A->p[n - 1] == 0) {
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1256	--n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1257	}
Hanno Becker	3577131	2022-04-14 11:52:11 +0100	[diff] [blame]	1258
Hanno Becker	74a11a3	2022-04-06 06:27:00 +0100	[diff] [blame]	1259	/* The general method below doesn't work if b==0. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1260	if (b == 0 \|\| n == 0) {
				1261	return mbedtls_mpi_lset(X, 0);
				1262	}
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1263
Hanno Becker	aef9cc4	2022-04-11 06:36:29 +0100	[diff] [blame]	1264	/* Calculate Ab as A + A(b-1) to take advantage of mbedtls_mpi_core_mla */
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1265	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	cd0dbf3	2020-07-24 00:09:04 +0200	[diff] [blame]	1266	/* In general, A * b requires 1 limb more than b. If
				1267	* A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
				1268	* number of limbs as A and the call to grow() is not required since
Gilles Peskine	e1bba7c	2021-03-10 23:44:10 +0100	[diff] [blame]	1269	* copy() will take care of the growth if needed. However, experimentally,
				1270	* making the call to grow() unconditional causes slightly fewer
Gilles Peskine	cd0dbf3	2020-07-24 00:09:04 +0200	[diff] [blame]	1271	* calls to calloc() in ECP code, presumably because it reuses the
				1272	* same mpi for a while and this way the mpi is more likely to directly
Hanno Becker	9137b9c	2022-04-12 10:51:54 +0100	[diff] [blame]	1273	* grow to its final size.
				1274	*
				1275	* Note that calculating Ab as 0 + Ab doesn't work as-is because
				1276	* A,X can be the same. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1277	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));
				1278	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
				1279	mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1);
Gilles Peskine	8fd95c6	2020-07-23 21:58:50 +0200	[diff] [blame]	1280
				1281	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1282	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1283	}
				1284
				1285	/*
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1286	* Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
				1287	* mbedtls_mpi_uint divisor, d
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1288	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1289	static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
				1290	mbedtls_mpi_uint u0,
				1291	mbedtls_mpi_uint d,
				1292	mbedtls_mpi_uint *r)
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1293	{
Manuel Pégourié-Gonnard	1630888	2015-12-01 10:27:00 +0100	[diff] [blame]	1294	#if defined(MBEDTLS_HAVE_UDBL)
				1295	mbedtls_t_udbl dividend, quotient;
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1296	#else
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1297	const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1298	const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;
Simon Butcher	f5ba045	2015-12-27 23:01:55 +0000	[diff] [blame]	1299	mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
				1300	mbedtls_mpi_uint u0_msw, u0_lsw;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1301	size_t s;
Manuel Pégourié-Gonnard	1630888	2015-12-01 10:27:00 +0100	[diff] [blame]	1302	#endif
				1303
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1304	/*
				1305	* Check for overflow
				1306	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1307	if (0 == d \|\| u1 >= d) {
				1308	if (r != NULL) {
				1309	*r = ~(mbedtls_mpi_uint) 0u;
				1310	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1311
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1312	return ~(mbedtls_mpi_uint) 0u;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1313	}
				1314
				1315	#if defined(MBEDTLS_HAVE_UDBL)
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1316	dividend = (mbedtls_t_udbl) u1 << biL;
				1317	dividend \|= (mbedtls_t_udbl) u0;
				1318	quotient = dividend / d;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1319	if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {
				1320	quotient = ((mbedtls_t_udbl) 1 << biL) - 1;
				1321	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1322
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1323	if (r != NULL) {
				1324	r = (mbedtls_mpi_uint) (dividend - (quotient d));
				1325	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1326
				1327	return (mbedtls_mpi_uint) quotient;
				1328	#else
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1329
				1330	/*
				1331	* Algorithm D, Section 4.3.1 - The Art of Computer Programming
				1332	* Vol. 2 - Seminumerical Algorithms, Knuth
				1333	*/
				1334
				1335	/*
				1336	* Normalize the divisor, d, and dividend, u0, u1
				1337	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1338	s = mbedtls_mpi_core_clz(d);
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1339	d = d << s;
				1340
				1341	u1 = u1 << s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1342	u1 \|= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1343	u0 = u0 << s;
				1344
				1345	d1 = d >> biH;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1346	d0 = d & uint_halfword_mask;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1347
				1348	u0_msw = u0 >> biH;
Simon Butcher	9803d07	2016-01-03 00:24:34 +0000	[diff] [blame]	1349	u0_lsw = u0 & uint_halfword_mask;
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1350
				1351	/*
				1352	* Find the first quotient and remainder
				1353	*/
				1354	q1 = u1 / d1;
				1355	r0 = u1 - d1 * q1;
				1356
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1357	while (q1 >= radix \|\| (q1 * d0 > radix * r0 + u0_msw)) {
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1358	q1 -= 1;
				1359	r0 += d1;
				1360
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1361	if (r0 >= radix) {
				1362	break;
				1363	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1364	}
				1365
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1366	rAX = (u1 * radix) + (u0_msw - q1 * d);
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1367	q0 = rAX / d1;
				1368	r0 = rAX - q0 * d1;
				1369
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1370	while (q0 >= radix \|\| (q0 * d0 > radix * r0 + u0_lsw)) {
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1371	q0 -= 1;
				1372	r0 += d1;
				1373
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1374	if (r0 >= radix) {
				1375	break;
				1376	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1377	}
				1378
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1379	if (r != NULL) {
				1380	r = (rAX radix + u0_lsw - q0 * d) >> s;
				1381	}
Simon Butcher	15b15d1	2015-11-26 19:35:03 +0000	[diff] [blame]	1382
				1383	quotient = q1 * radix + q0;
				1384
				1385	return quotient;
				1386	#endif
				1387	}
				1388
				1389	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1390	* Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1391	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1392	int mbedtls_mpi_div_mpi(mbedtls_mpi Q, mbedtls_mpi R, const mbedtls_mpi *A,
				1393	const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1394	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1395	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1396	size_t i, n, t, k;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1397	mbedtls_mpi X, Y, Z, T1, T2;
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1398	mbedtls_mpi_uint TP2[3];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1399
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1400	if (mbedtls_mpi_cmp_int(B, 0) == 0) {
				1401	return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
				1402	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1403
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1404	mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
				1405	mbedtls_mpi_init(&T1);
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1406	/*
				1407	* Avoid dynamic memory allocations for constant-size T2.
				1408	*
				1409	* T2 is used for comparison only and the 3 limbs are assigned explicitly,
				1410	* so nobody increase the size of the MPI and we're safe to use an on-stack
				1411	* buffer.
				1412	*/
Alexander K	35d6d46	2019-10-31 14:46:45 +0300	[diff] [blame]	1413	T2.s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1414	T2.n = sizeof(TP2) / sizeof(*TP2);
Alexander K	d19a193	2019-11-01 18:20:42 +0300	[diff] [blame]	1415	T2.p = TP2;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1416
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1417	if (mbedtls_mpi_cmp_abs(A, B) < 0) {
				1418	if (Q != NULL) {
				1419	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
				1420	}
				1421	if (R != NULL) {
				1422	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));
				1423	}
				1424	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1425	}
				1426
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1427	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));
				1428	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1429	X.s = Y.s = 1;
				1430
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1431	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
				1432	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));
				1433	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1434
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1435	k = mbedtls_mpi_bitlen(&Y) % biL;
				1436	if (k < biL - 1) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1437	k = biL - 1 - k;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1438	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));
				1439	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));
				1440	} else {
				1441	k = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1442	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1443
				1444	n = X.n - 1;
				1445	t = Y.n - 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1446	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1447
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1448	while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1449	Z.p[n - t]++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1450	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1451	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1452	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1453
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1454	for (i = n; i > t; i--) {
				1455	if (X.p[i] >= Y.p[t]) {
				1456	Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;
				1457	} else {
				1458	Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],
				1459	Y.p[t], NULL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1460	}
				1461
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1462	T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
				1463	T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
Alexander K	35d6d46	2019-10-31 14:46:45 +0300	[diff] [blame]	1464	T2.p[2] = X.p[i];
				1465
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1466	Z.p[i - t - 1]++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1467	do {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1468	Z.p[i - t - 1]--;
				1469
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1470	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));
				1471	T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1472	T1.p[1] = Y.p[t];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1473	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
				1474	} while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1475
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1476	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
				1477	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
				1478	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1479
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1480	if (mbedtls_mpi_cmp_int(&X, 0) < 0) {
				1481	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));
				1482	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
				1483	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1484	Z.p[i - t - 1]--;
				1485	}
				1486	}
				1487
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1488	if (Q != NULL) {
				1489	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1490	Q->s = A->s * B->s;
				1491	}
				1492
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1493	if (R != NULL) {
				1494	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));
Paul Bakker	f02c564	2012-11-13 10:25:21 +0000	[diff] [blame]	1495	X.s = A->s;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1496	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1497
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1498	if (mbedtls_mpi_cmp_int(R, 0) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1499	R->s = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1500	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1501	}
				1502
				1503	cleanup:
				1504
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1505	mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
				1506	mbedtls_mpi_free(&T1);
				1507	mbedtls_platform_zeroize(TP2, sizeof(TP2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1508
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1509	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1510	}
				1511
				1512	/*
				1513	* Division by int: A = Q * b + R
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1514	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1515	int mbedtls_mpi_div_int(mbedtls_mpi Q, mbedtls_mpi R,
				1516	const mbedtls_mpi *A,
				1517	mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1518	{
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1519	mbedtls_mpi B;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1520	mbedtls_mpi_uint p[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1521
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1522	p[0] = mpi_sint_abs(b);
Dave Rodgman	f3df105	2023-08-09 18:55:41 +0100	[diff] [blame]	1523	B.s = TO_SIGN(b);
Yuto Takano	36c8ddc	2021-07-05 09:10:52 +0100	[diff] [blame]	1524	B.n = 1;
				1525	B.p = p;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1526
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1527	return mbedtls_mpi_div_mpi(Q, R, A, &B);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1528	}
				1529
				1530	/*
				1531	* Modulo: R = A mod B
				1532	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1533	int mbedtls_mpi_mod_mpi(mbedtls_mpi R, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1534	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1535	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1536
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1537	if (mbedtls_mpi_cmp_int(B, 0) < 0) {
				1538	return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1539	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1540
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1541	MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1542
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1543	while (mbedtls_mpi_cmp_int(R, 0) < 0) {
				1544	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));
				1545	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1546
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1547	while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {
				1548	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));
				1549	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1550
				1551	cleanup:
				1552
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1553	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1554	}
				1555
				1556	/*
				1557	* Modulo: r = A mod b
				1558	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1559	int mbedtls_mpi_mod_int(mbedtls_mpi_uint r, const mbedtls_mpi A, mbedtls_mpi_sint b)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1560	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1561	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1562	mbedtls_mpi_uint x, y, z;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1563
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1564	if (b == 0) {
				1565	return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
				1566	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1567
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1568	if (b < 0) {
				1569	return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
				1570	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1571
				1572	/*
				1573	* handle trivial cases
				1574	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1575	if (b == 1 \|\| A->n == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1576	*r = 0;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1577	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1578	}
				1579
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1580	if (b == 2) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1581	*r = A->p[0] & 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1582	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1583	}
				1584
				1585	/*
				1586	* general case
				1587	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1588	for (i = A->n, y = 0; i > 0; i--) {
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1589	x = A->p[i - 1];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1590	y = (y << biH) \| (x >> biH);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1591	z = y / b;
				1592	y -= z * b;
				1593
				1594	x <<= biH;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1595	y = (y << biH) \| (x >> biH);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1596	z = y / b;
				1597	y -= z * b;
				1598	}
				1599
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1600	/*
				1601	* If A is negative, then the current y represents a negative value.
				1602	* Flipping it to the positive side.
				1603	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1604	if (A->s < 0 && y != 0) {
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1605	y = b - y;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1606	}
Paul Bakker	ce40a6d	2009-06-23 19:46:08 +0000	[diff] [blame]	1607
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1608	*r = y;
				1609
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1610	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1611	}
				1612
Janos Follath	38ff70e	2024-08-12 18:20:59 +0100	[diff] [blame]	1613	/*
				1614	* Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
				1615	* this function is not constant time with respect to the exponent (parameter E).
				1616	*/
				1617	static int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi X, const mbedtls_mpi A,
Janos Follath	a5fc8f3	2024-08-12 20:11:06 +0100	[diff] [blame^]	1618	const mbedtls_mpi *E, int E_public,
				1619	const mbedtls_mpi N, mbedtls_mpi prec_RR)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1620	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1621	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1622
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1623	if (mbedtls_mpi_cmp_int(N, 0) <= 0 \|\| (N->p[0] & 1) == 0) {
				1624	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1625	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1626
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1627	if (mbedtls_mpi_cmp_int(E, 0) < 0) {
				1628	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1629	}
Paul Bakker	f6198c1	2012-05-16 08:02:29 +0000	[diff] [blame]	1630
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1631	if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS \|\|
				1632	mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {
				1633	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1634	}
Chris Jones	9246d04	2020-11-25 15:12:39 +0000	[diff] [blame]	1635
Janos Follath	583f047	2024-02-19 11:16:44 +0000	[diff] [blame]	1636	/*
				1637	* Ensure that the exponent that we are passing to the core is not NULL.
				1638	*/
				1639	if (E->n == 0) {
				1640	ret = mbedtls_mpi_lset(X, 1);
				1641	return ret;
				1642	}
				1643
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1644	/*
				1645	* Allocate working memory for mbedtls_mpi_core_exp_mod()
				1646	*/
				1647	size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n);
Janos Follath	0902572	2024-02-21 11:50:25 +0000	[diff] [blame]	1648	mbedtls_mpi_uint T = (mbedtls_mpi_uint ) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint));
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1649	if (T == NULL) {
				1650	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				1651	}
				1652
Janos Follath	701ae1d	2024-02-19 10:56:54 +0000	[diff] [blame]	1653	mbedtls_mpi RR;
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1654	mbedtls_mpi_init(&RR);
Paul Bakker	5054692	2012-05-19 08:40:49 +0000	[diff] [blame]	1655
				1656	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1657	* If 1st call, pre-compute R^2 mod N
				1658	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1659	if (prec_RR == NULL \|\| prec_RR->p == NULL) {
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1660	MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1661
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1662	if (prec_RR != NULL) {
Janos Follath	576087d	2024-02-19 11:05:01 +0000	[diff] [blame]	1663	*prec_RR = RR;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1664	}
				1665	} else {
Janos Follath	0512d17	2024-02-20 14:30:46 +0000	[diff] [blame]	1666	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(prec_RR, N->n));
Janos Follath	576087d	2024-02-19 11:05:01 +0000	[diff] [blame]	1667	RR = *prec_RR;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1668	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1669
				1670	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1671	* To preserve constness we need to make a copy of A. Using X for this to
				1672	* save memory.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1673	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1674	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1675
				1676	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1677	* Compensate for negative A (and correct at the end).
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1678	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1679	X->s = 1;
Paul Bakker	f6198c1	2012-05-16 08:02:29 +0000	[diff] [blame]	1680
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1681	/*
Janos Follath	467a549	2024-02-19 11:27:38 +0000	[diff] [blame]	1682	* Make sure that X is in a form that is safe for consumption by
				1683	* the core functions.
				1684	*
				1685	* - The core functions will not touch the limbs of X above N->n. The
				1686	* result will be correct if those limbs are 0, which the mod call
				1687	* ensures.
				1688	* - Also, X must have at least as many limbs as N for the calls to the
				1689	* core functions.
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1690	*/
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1691	if (mbedtls_mpi_cmp_mpi(X, N) >= 0) {
				1692	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
				1693	}
				1694	MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n));
				1695
				1696	/*
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1697	* Convert to and from Montgomery around mbedtls_mpi_core_exp_mod().
				1698	*/
Dave Rodgman	d282e26	2024-03-11 15:28:48 +0000	[diff] [blame]	1699	{
				1700	mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
				1701	mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);
Janos Follath	38ff70e	2024-08-12 18:20:59 +0100	[diff] [blame]	1702	if (E_public == MBEDTLS_MPI_IS_PUBLIC) {
				1703	mbedtls_mpi_core_exp_mod_unsafe(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
				1704	} else {
				1705	mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
				1706	}
Dave Rodgman	d282e26	2024-03-11 15:28:48 +0000	[diff] [blame]	1707	mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);
				1708	}
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1709
				1710	/*
				1711	* Correct for negative A.
				1712	*/
Janos Follath	583f047	2024-02-19 11:16:44 +0000	[diff] [blame]	1713	if (A->s == -1 && (E->p[0] & 1) != 0) {
Janos Follath	86258f5	2024-02-21 11:25:41 +0000	[diff] [blame]	1714	mbedtls_ct_condition_t is_x_non_zero = mbedtls_mpi_core_check_zero_ct(X->p, X->n);
Janos Follath	4ec0fb5	2024-03-08 17:22:40 +0000	[diff] [blame]	1715	X->s = mbedtls_ct_mpi_sign_if(is_x_non_zero, -1, 1);
Janos Follath	86258f5	2024-02-21 11:25:41 +0000	[diff] [blame]	1716
Janos Follath	1ba4058	2024-02-13 12:36:13 +0000	[diff] [blame]	1717	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X));
				1718	}
Janos Follath	8e7d6a0	2022-10-04 13:27:40 +0100	[diff] [blame]	1719
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1720	cleanup:
				1721
Janos Follath	424c265	2024-02-21 09:26:36 +0000	[diff] [blame]	1722	mbedtls_mpi_zeroize_and_free(T, T_limbs);
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	1723
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1724	if (prec_RR == NULL \|\| prec_RR->p == NULL) {
				1725	mbedtls_mpi_free(&RR);
				1726	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1727
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1728	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1729	}
				1730
Manuel Pégourié-Gonnard	75ed587	2024-06-18 12:52:45 +0200	[diff] [blame]	1731	int mbedtls_mpi_exp_mod(mbedtls_mpi X, const mbedtls_mpi A,
				1732	const mbedtls_mpi E, const mbedtls_mpi N,
				1733	mbedtls_mpi *prec_RR)
				1734	{
Janos Follath	a5fc8f3	2024-08-12 20:11:06 +0100	[diff] [blame^]	1735	return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_SECRET, N, prec_RR);
Manuel Pégourié-Gonnard	75ed587	2024-06-18 12:52:45 +0200	[diff] [blame]	1736	}
				1737
Janos Follath	38ff70e	2024-08-12 18:20:59 +0100	[diff] [blame]	1738	int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi X, const mbedtls_mpi A,
				1739	const mbedtls_mpi E, const mbedtls_mpi N,
				1740	mbedtls_mpi *prec_RR)
				1741	{
Janos Follath	a5fc8f3	2024-08-12 20:11:06 +0100	[diff] [blame^]	1742	return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_PUBLIC, N, prec_RR);
Janos Follath	38ff70e	2024-08-12 18:20:59 +0100	[diff] [blame]	1743	}
				1744
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1745	/*
				1746	* Greatest common divisor: G = gcd(A, B) (HAC 14.54)
				1747	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1748	int mbedtls_mpi_gcd(mbedtls_mpi G, const mbedtls_mpi A, const mbedtls_mpi *B)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1749	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1750	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1751	size_t lz, lzt;
Alexander K	e8ad49f	2019-08-16 16:16:07 +0300	[diff] [blame]	1752	mbedtls_mpi TA, TB;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1753
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1754	mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1755
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1756	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
				1757	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1758
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1759	lz = mbedtls_mpi_lsb(&TA);
				1760	lzt = mbedtls_mpi_lsb(&TB);
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	1761
Gilles Peskine	27253bc	2021-06-09 13:26:43 +0200	[diff] [blame]	1762	/* The loop below gives the correct result when A==0 but not when B==0.
				1763	* So have a special case for B==0. Leverage the fact that we just
				1764	* calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
				1765	* slightly more efficient than cmp_int(). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1766	if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) {
				1767	ret = mbedtls_mpi_copy(G, A);
Gilles Peskine	27253bc	2021-06-09 13:26:43 +0200	[diff] [blame]	1768	goto cleanup;
				1769	}
				1770
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1771	if (lzt < lz) {
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	1772	lz = lzt;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1773	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	1774
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1775	TA.s = TB.s = 1;
				1776
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1777	/* We mostly follow the procedure described in HAC 14.54, but with some
				1778	* minor differences:
				1779	* - Sequences of multiplications or divisions by 2 are grouped into a
				1780	* single shift operation.
Gilles Peskine	b09c7ee	2021-06-21 18:58:39 +0200	[diff] [blame]	1781	* - The procedure in HAC assumes that 0 < TB <= TA.
				1782	* - The condition TB <= TA is not actually necessary for correctness.
				1783	* TA and TB have symmetric roles except for the loop termination
				1784	* condition, and the shifts at the beginning of the loop body
				1785	* remove any significance from the ordering of TA vs TB before
				1786	* the shifts.
				1787	* - If TA = 0, the loop goes through 0 iterations and the result is
				1788	* correctly TB.
				1789	* - The case TB = 0 was short-circuited above.
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1790	*
				1791	* For the correctness proof below, decompose the original values of
				1792	* A and B as
				1793	* A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
				1794	* B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
				1795	* Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
				1796	* and gcd(A',B') is odd or 0.
				1797	*
				1798	* At the beginning, we have TA = \|A\| and TB = \|B\| so gcd(A,B) = gcd(TA,TB).
				1799	* The code maintains the following invariant:
				1800	* gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
Gilles Peskine	4df3f1f	2021-06-15 22:09:39 +0200	[diff] [blame]	1801	*/
				1802
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1803	/* Proof that the loop terminates:
				1804	* At each iteration, either the right-shift by 1 is made on a nonzero
				1805	* value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
				1806	* by at least 1, or the right-shift by 1 is made on zero and then
				1807	* TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
				1808	* since in that case TB is calculated from TB-TA with the condition TB>TA).
				1809	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1810	while (mbedtls_mpi_cmp_int(&TA, 0) != 0) {
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1811	/* Divisions by 2 preserve the invariant (I). */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1812	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA)));
				1813	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB)));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1814
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1815	/* Set either TA or TB to \|TA-TB\|/2. Since TA and TB are both odd,
				1816	* TA-TB is even so the division by 2 has an integer result.
				1817	* Invariant (I) is preserved since any odd divisor of both TA and TB
				1818	* also divides \|TA-TB\|/2, and any odd divisor of both TA and \|TA-TB\|/2
Shaun Case	8b0ecbc	2021-12-20 21:14:10 -0800	[diff] [blame]	1819	* also divides TB, and any odd divisor of both TB and \|TA-TB\|/2 also
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1820	* divides TA.
				1821	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1822	if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) {
				1823	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB));
				1824	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1));
				1825	} else {
				1826	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA));
				1827	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1828	}
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1829	/* Note that one of TA or TB is still odd. */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1830	}
				1831
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1832	/* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
				1833	* At the loop exit, TA = 0, so gcd(TA,TB) = TB.
				1834	* - If there was at least one loop iteration, then one of TA or TB is odd,
				1835	* and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
				1836	* lz = min(a,b) so gcd(A,B) = 2^lz * TB.
				1837	* - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
Gilles Peskine	4d3fd36	2021-06-21 11:40:38 +0200	[diff] [blame]	1838	* In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
Gilles Peskine	2a63c5b	2021-06-16 13:42:04 +0200	[diff] [blame]	1839	*/
				1840
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1841	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz));
				1842	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1843
				1844	cleanup:
				1845
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1846	mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1847
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1848	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1849	}
				1850
Paul Bakker	33dc46b	2014-04-30 16:11:39 +0200	[diff] [blame]	1851	/*
				1852	* Fill X with size bytes of random.
Gilles Peskine	22cdd0c	2022-10-27 20:15:13 +0200	[diff] [blame]	1853	* The bytes returned from the RNG are used in a specific order which
				1854	* is suitable for deterministic ECDSA (see the specification of
				1855	* mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()).
Paul Bakker	33dc46b	2014-04-30 16:11:39 +0200	[diff] [blame]	1856	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1857	int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
				1858	int (f_rng)(void , unsigned char *, size_t),
				1859	void *p_rng)
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1860	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1861	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1862	const size_t limbs = CHARS_TO_LIMBS(size);
Hanno Becker	da1655a	2017-10-18 14:21:44 +0100	[diff] [blame]	1863
Hanno Becker	da1655a	2017-10-18 14:21:44 +0100	[diff] [blame]	1864	/* Ensure that target MPI has exactly the necessary number of limbs */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1865	MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
				1866	if (size == 0) {
				1867	return 0;
				1868	}
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1869
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1870	ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng);
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1871
				1872	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1873	return ret;
Paul Bakker	287781a	2011-03-26 13:18:49 +0000	[diff] [blame]	1874	}
				1875
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1876	int mbedtls_mpi_random(mbedtls_mpi *X,
				1877	mbedtls_mpi_sint min,
				1878	const mbedtls_mpi *N,
				1879	int (f_rng)(void , unsigned char *, size_t),
				1880	void *p_rng)
Gilles Peskine	02ac93a	2021-03-29 22:02:55 +0200	[diff] [blame]	1881	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1882	if (min < 0) {
				1883	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1884	}
				1885	if (mbedtls_mpi_cmp_int(N, min) <= 0) {
				1886	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1887	}
Gilles Peskine	1e918f4	2021-03-29 22:14:51 +0200	[diff] [blame]	1888
Gilles Peskine	1a7df4e	2021-04-01 15:57:18 +0200	[diff] [blame]	1889	/* Ensure that target MPI has exactly the same number of limbs
				1890	* as the upper bound, even if the upper bound has leading zeros.
Gilles Peskine	6b7ce96	2022-12-15 15:04:33 +0100	[diff] [blame]	1891	* This is necessary for mbedtls_mpi_core_random. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1892	int ret = mbedtls_mpi_resize_clear(X, N->n);
				1893	if (ret != 0) {
				1894	return ret;
				1895	}
Gilles Peskine	1a7df4e	2021-04-01 15:57:18 +0200	[diff] [blame]	1896
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1897	return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng);
Gilles Peskine	02ac93a	2021-03-29 22:02:55 +0200	[diff] [blame]	1898	}
				1899
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1900	/*
				1901	* Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
				1902	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1903	int mbedtls_mpi_inv_mod(mbedtls_mpi X, const mbedtls_mpi A, const mbedtls_mpi *N)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1904	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1905	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1906	mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1907
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1908	if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
				1909	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				1910	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1911
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1912	mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);
				1913	mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);
				1914	mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1915
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1916	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1917
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1918	if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1919	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1920	goto cleanup;
				1921	}
				1922
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1923	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));
				1924	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));
				1925	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));
				1926	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1927
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1928	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));
				1929	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));
				1930	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));
				1931	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1932
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1933	do {
				1934	while ((TU.p[0] & 1) == 0) {
				1935	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1936
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1937	if ((U1.p[0] & 1) != 0 \|\| (U2.p[0] & 1) != 0) {
				1938	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));
				1939	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1940	}
				1941
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1942	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));
				1943	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1944	}
				1945
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1946	while ((TV.p[0] & 1) == 0) {
				1947	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1948
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1949	if ((V1.p[0] & 1) != 0 \|\| (V2.p[0] & 1) != 0) {
				1950	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));
				1951	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1952	}
				1953
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1954	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));
				1955	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1956	}
				1957
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1958	if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {
				1959	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));
				1960	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));
				1961	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));
				1962	} else {
				1963	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));
				1964	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));
				1965	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1966	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1967	} while (mbedtls_mpi_cmp_int(&TU, 0) != 0);
				1968
				1969	while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {
				1970	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1971	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1972
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1973	while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {
				1974	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));
				1975	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1976
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1977	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1978
				1979	cleanup:
				1980
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1981	mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);
				1982	mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);
				1983	mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1984
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1985	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1986	}
				1987
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1988	#if defined(MBEDTLS_GENPRIME)
Paul Bakker	d9374b0	2012-11-02 11:02:58 +0000	[diff] [blame]	1989
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	1990	/* Gaps between primes, starting at 3. https://oeis.org/A001223 */
				1991	static const unsigned char small_prime_gaps[] = {
				1992	2, 2, 4, 2, 4, 2, 4, 6,
				1993	2, 6, 4, 2, 4, 6, 6, 2,
				1994	6, 4, 2, 6, 4, 6, 8, 4,
				1995	2, 4, 2, 4, 14, 4, 6, 2,
				1996	10, 2, 6, 6, 4, 6, 6, 2,
				1997	10, 2, 4, 2, 12, 12, 4, 2,
				1998	4, 6, 2, 10, 6, 6, 6, 2,
				1999	6, 4, 2, 10, 14, 4, 2, 4,
				2000	14, 6, 10, 2, 4, 6, 8, 6,
				2001	6, 4, 6, 8, 4, 8, 10, 2,
				2002	10, 2, 6, 4, 6, 8, 4, 2,
				2003	4, 12, 8, 4, 8, 4, 6, 12,
				2004	2, 18, 6, 10, 6, 6, 2, 6,
				2005	10, 6, 6, 2, 6, 6, 4, 2,
				2006	12, 10, 2, 4, 6, 6, 2, 12,
				2007	4, 6, 8, 10, 8, 10, 8, 6,
				2008	6, 4, 8, 6, 4, 8, 4, 14,
				2009	10, 12, 2, 10, 2, 4, 2, 10,
				2010	14, 4, 2, 4, 14, 4, 2, 4,
				2011	20, 4, 8, 10, 8, 4, 6, 6,
				2012	14, 4, 6, 6, 8, 6, /reaches 997/
Gilles Peskine	30b0378	2023-08-22 11:06:47 +0200	[diff] [blame]	2013	0 /* the last entry is effectively unused */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2014	};
				2015
				2016	/*
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2017	* Small divisors test (X must be positive)
				2018	*
				2019	* Return values:
				2020	* 0: no small factor (possible prime, more tests needed)
				2021	* 1: certain prime
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2022	* MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2023	* other negative: error
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2024	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2025	static int mpi_check_small_factors(const mbedtls_mpi *X)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2026	{
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2027	int ret = 0;
				2028	size_t i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2029	mbedtls_mpi_uint r;
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2030	unsigned p = 3; /* The first odd prime */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2031
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2032	if ((X->p[0] & 1) == 0) {
				2033	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2034	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2035
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2036	for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) {
				2037	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p));
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2038	if (r == 0) {
Gilles Peskine	b2bc171	2019-02-08 17:27:11 +0100	[diff] [blame]	2039	if (mbedtls_mpi_cmp_int(X, p) == 0) {
				2040	return 1;
				2041	} else {
				2042	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2043	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2044	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2045	}
				2046
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2047	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2048	return ret;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2049	}
				2050
				2051	/*
				2052	* Miller-Rabin pseudo-primality test (HAC 4.24)
				2053	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2054	static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
				2055	int (f_rng)(void , unsigned char *, size_t),
				2056	void *p_rng)
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2057	{
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2058	int ret, count;
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2059	size_t i, j, k, s;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2060	mbedtls_mpi W, R, T, A, RR;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2061
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2062	mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
				2063	mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
				2064	mbedtls_mpi_init(&RR);
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2065
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2066	/*
				2067	* W = \|X\| - 1
				2068	* R = W >> lsb( W )
				2069	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2070	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));
				2071	s = mbedtls_mpi_lsb(&W);
				2072	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
				2073	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2074
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2075	for (i = 0; i < rounds; i++) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2076	/*
				2077	* pick a random A, 1 < A < \|X\| - 1
				2078	*/
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2079	count = 0;
				2080	do {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2081	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2082
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2083	j = mbedtls_mpi_bitlen(&A);
				2084	k = mbedtls_mpi_bitlen(&W);
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2085	if (j > k) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2086	A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2087	}
				2088
				2089	if (count++ > 30) {
Jens Wiklander	f08aa3e	2019-01-17 13:30:57 +0100	[diff] [blame]	2090	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
				2091	goto cleanup;
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	2092	}
				2093
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2094	} while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 \|\|
				2095	mbedtls_mpi_cmp_int(&A, 1) <= 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2096
				2097	/*
				2098	* A = A^R mod \|X\|
				2099	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2100	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2101
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2102	if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 \|\|
				2103	mbedtls_mpi_cmp_int(&A, 1) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2104	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2105	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2106
				2107	j = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2108	while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2109	/*
				2110	* A = A * A mod \|X\|
				2111	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2112	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));
				2113	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2114
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2115	if (mbedtls_mpi_cmp_int(&A, 1) == 0) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2116	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2117	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2118
				2119	j++;
				2120	}
				2121
				2122	/*
				2123	* not prime if A != \|X\| - 1 or A == 1
				2124	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2125	if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 \|\|
				2126	mbedtls_mpi_cmp_int(&A, 1) == 0) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2127	ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2128	break;
				2129	}
				2130	}
				2131
				2132	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2133	mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);
				2134	mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);
				2135	mbedtls_mpi_free(&RR);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2136
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2137	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2138	}
				2139
				2140	/*
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2141	* Pseudo-primality test: small factors, then Miller-Rabin
				2142	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2143	int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
				2144	int (f_rng)(void , unsigned char *, size_t),
				2145	void *p_rng)
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2146	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	2147	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2148	mbedtls_mpi XX;
Manuel Pégourié-Gonnard	7f4ed67	2014-10-14 20:56:02 +0200	[diff] [blame]	2149
				2150	XX.s = 1;
				2151	XX.n = X->n;
				2152	XX.p = X->p;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2153
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2154	if (mbedtls_mpi_cmp_int(&XX, 0) == 0 \|\|
				2155	mbedtls_mpi_cmp_int(&XX, 1) == 0) {
				2156	return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2157	}
				2158
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2159	if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {
				2160	return 0;
				2161	}
				2162
				2163	if ((ret = mpi_check_small_factors(&XX)) != 0) {
				2164	if (ret == 1) {
				2165	return 0;
				2166	}
				2167
				2168	return ret;
				2169	}
				2170
				2171	return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);
Janos Follath	f301d23	2018-08-14 13:34:01 +0100	[diff] [blame]	2172	}
				2173
Manuel Pégourié-Gonnard	378fb4b	2013-11-22 18:39:18 +0100	[diff] [blame]	2174	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2175	* Prime number generation
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2176	*
Janos Follath	f301d23	2018-08-14 13:34:01 +0100	[diff] [blame]	2177	* To generate an RSA key in a way recommended by FIPS 186-4, both primes must
				2178	* be either 1024 bits or 1536 bits long, and flags must contain
				2179	* MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2180	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2181	int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
				2182	int (f_rng)(void , unsigned char *, size_t),
				2183	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2184	{
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2185	#ifdef MBEDTLS_HAVE_INT64
				2186	// ceil(2^63.5)
				2187	#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
				2188	#else
				2189	// ceil(2^31.5)
				2190	#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
				2191	#endif
				2192	int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2193	size_t k, n;
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2194	int rounds;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2195	mbedtls_mpi_uint r;
				2196	mbedtls_mpi Y;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2197
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2198	if (nbits < 3 \|\| nbits > MBEDTLS_MPI_MAX_BITS) {
				2199	return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				2200	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2201
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2202	mbedtls_mpi_init(&Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2203
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2204	n = BITS_TO_LIMBS(nbits);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2205
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2206	if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2207	/*
				2208	* 2^-80 error probability, number of rounds chosen per HAC, table 4.4
				2209	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2210	rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :
				2211	(nbits >= 650) ? 4 : (nbits >= 350) ? 8 :
				2212	(nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);
				2213	} else {
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2214	/*
				2215	* 2^-100 error probability, number of rounds computed based on HAC,
				2216	* fact 4.48
				2217	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2218	rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :
				2219	(nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :
				2220	(nbits >= 750) ? 8 : (nbits >= 500) ? 13 :
				2221	(nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);
Janos Follath	da31fa1	2018-09-03 14:45:23 +0100	[diff] [blame]	2222	}
				2223
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2224	while (1) {
				2225	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2226	/* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2227	if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {
				2228	continue;
				2229	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2230
				2231	k = n * biL;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2232	if (k > nbits) {
				2233	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
				2234	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2235	X->p[0] \|= 1;
				2236
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2237	if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
				2238	ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2239
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2240	if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2241	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2242	}
				2243	} else {
Manuel Pégourié-Gonnard	ddf7615	2013-11-22 19:58:22 +0100	[diff] [blame]	2244	/*
Tom Cosgrove	ce7f18c	2022-07-28 05:50:56 +0100	[diff] [blame]	2245	* A necessary condition for Y and X = 2Y + 1 to be prime
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2246	* is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
				2247	* Make sure it is satisfied, while keeping X = 3 mod 4
Manuel Pégourié-Gonnard	ddf7615	2013-11-22 19:58:22 +0100	[diff] [blame]	2248	*/
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2249
				2250	X->p[0] \|= 2;
				2251
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2252	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));
				2253	if (r == 0) {
				2254	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));
				2255	} else if (r == 1) {
				2256	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));
				2257	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2258
				2259	/* Set Y = (X-1) / 2, which is X / 2 because X is odd */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2260	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));
				2261	MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2262
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2263	while (1) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2264	/*
				2265	* First, check small factors for X and Y
				2266	* before doing Miller-Rabin on any of them
				2267	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2268	if ((ret = mpi_check_small_factors(X)) == 0 &&
				2269	(ret = mpi_check_small_factors(&Y)) == 0 &&
				2270	(ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
				2271	== 0 &&
				2272	(ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
				2273	== 0) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2274	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2275	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2276
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2277	if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2278	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2279	}
Jethro Beekman	6668927	2018-02-14 19:24:10 -0800	[diff] [blame]	2280
				2281	/*
				2282	* Next candidates. We want to preserve Y = (X-1) / 2 and
				2283	* Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
				2284	* so up Y by 6 and X by 12.
				2285	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2286	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));
				2287	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2288	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2289	}
				2290	}
				2291
				2292	cleanup:
				2293
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2294	mbedtls_mpi_free(&Y);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2295
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2296	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2297	}
				2298
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2299	#endif /* MBEDTLS_GENPRIME */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2300
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2301	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2302
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2303	#define GCD_PAIR_COUNT 3
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2304
				2305	static const int gcd_pairs[GCD_PAIR_COUNT][3] =
				2306	{
				2307	{ 693, 609, 21 },
				2308	{ 1764, 868, 28 },
				2309	{ 768454923, 542167814, 1 }
				2310	};
				2311
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2312	/*
				2313	* Checkup routine
				2314	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2315	int mbedtls_mpi_self_test(int verbose)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2316	{
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2317	int ret, i;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2318	mbedtls_mpi A, E, N, X, Y, U, V;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2319
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2320	mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);
				2321	mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2322
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2323	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,
				2324	"EFE021C2645FD1DC586E69184AF4A31E" \
				2325	"D5F53E93B5F123FA41680867BA110131" \
				2326	"944FE7952E2517337780CB0DB80E61AA" \
				2327	"E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2328
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2329	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,
				2330	"B2E7EFD37075B9F03FF989C7C5051C20" \
				2331	"34D2A323810251127E7BF8625A4F49A5" \
				2332	"F3E27F4DA8BD59C47D6DAABA4C8127BD" \
				2333	"5B5C25763222FEFCCFC38B832366C29E"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2334
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2335	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,
				2336	"0066A198186C18C10B2F5ED9B522752A" \
				2337	"9830B69916E535C8F047518A889A43A5" \
				2338	"94B6BED27A168D31D4A52F88925AA8F5"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2339
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2340	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2341
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2342	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2343	"602AB7ECA597A3D6B56FF9829A5E8B85" \
				2344	"9E857EA95A03512E2BAE7391688D264A" \
				2345	"A5663B0341DB9CCFD2C4C5F421FEC814" \
				2346	"8001B72E848A38CAE1C65F78E56ABDEF" \
				2347	"E12D3C039B8A02D6BE593F0BBBDA56F1" \
				2348	"ECF677152EF804370C1A305CAF3B5BF1" \
				2349	"30879B56C61DE584A0F53A2447A51E"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2350
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2351	if (verbose != 0) {
				2352	mbedtls_printf(" MPI test #1 (mul_mpi): ");
				2353	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2354
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2355	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2356	if (verbose != 0) {
				2357	mbedtls_printf("failed\n");
				2358	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2359
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2360	ret = 1;
				2361	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2362	}
				2363
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2364	if (verbose != 0) {
				2365	mbedtls_printf("passed\n");
				2366	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2367
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2368	MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2369
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2370	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2371	"256567336059E52CAE22925474705F39A94"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2372
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2373	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,
				2374	"6613F26162223DF488E9CD48CC132C7A" \
				2375	"0AC93C701B001B092E4E5B9F73BCD27B" \
				2376	"9EE50D0657C77F374E903CDFA4C642"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2377
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2378	if (verbose != 0) {
				2379	mbedtls_printf(" MPI test #2 (div_mpi): ");
				2380	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2381
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2382	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 \|\|
				2383	mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {
				2384	if (verbose != 0) {
				2385	mbedtls_printf("failed\n");
				2386	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2387
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2388	ret = 1;
				2389	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2390	}
				2391
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2392	if (verbose != 0) {
				2393	mbedtls_printf("passed\n");
				2394	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2395
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2396	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2397
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2398	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2399	"36E139AEA55215609D2816998ED020BB" \
				2400	"BD96C37890F65171D948E9BC7CBAA4D9" \
				2401	"325D24D6A3C12710F10A09FA08AB87"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2402
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2403	if (verbose != 0) {
				2404	mbedtls_printf(" MPI test #3 (exp_mod): ");
				2405	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2406
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2407	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2408	if (verbose != 0) {
				2409	mbedtls_printf("failed\n");
				2410	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2411
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2412	ret = 1;
				2413	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2414	}
				2415
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2416	if (verbose != 0) {
				2417	mbedtls_printf("passed\n");
				2418	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2419
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2420	MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2421
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2422	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
				2423	"003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
				2424	"C3DBA76456363A10869622EAC2DD84EC" \
				2425	"C5B8A74DAC4D09E03B5E0BE779F2DF61"));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2426
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2427	if (verbose != 0) {
				2428	mbedtls_printf(" MPI test #4 (inv_mod): ");
				2429	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2430
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2431	if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
				2432	if (verbose != 0) {
				2433	mbedtls_printf("failed\n");
				2434	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2435
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2436	ret = 1;
				2437	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2438	}
				2439
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2440	if (verbose != 0) {
				2441	mbedtls_printf("passed\n");
				2442	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2443
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2444	if (verbose != 0) {
				2445	mbedtls_printf(" MPI test #5 (simple gcd): ");
				2446	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2447
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2448	for (i = 0; i < GCD_PAIR_COUNT; i++) {
				2449	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));
				2450	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2451
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2452	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2453
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2454	if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {
				2455	if (verbose != 0) {
				2456	mbedtls_printf("failed at %d\n", i);
				2457	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2458
Manuel Pégourié-Gonnard	9e987ed	2014-01-20 10:03:15 +0100	[diff] [blame]	2459	ret = 1;
				2460	goto cleanup;
				2461	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2462	}
				2463
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2464	if (verbose != 0) {
				2465	mbedtls_printf("passed\n");
				2466	}
Paul Bakker	4e0d7ca	2009-01-29 22:24:33 +0000	[diff] [blame]	2467
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2468	cleanup:
				2469
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2470	if (ret != 0 && verbose != 0) {
				2471	mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
				2472	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2473
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2474	mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);
				2475	mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2476
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2477	if (verbose != 0) {
				2478	mbedtls_printf("\n");
				2479	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2480
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2481	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2482	}
				2483
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2484	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2485
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2486	#endif /* MBEDTLS_BIGNUM_C */