1 /*
2 * Multi-precision integer library
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * The following sources were referenced in the design of this Multi-precision
22 * Integer library:
23 *
24 * [1] Handbook of Applied Cryptography - 1997
25 * Menezes, van Oorschot and Vanstone
26 *
27 * [2] Multi-Precision Math
28 * Tom St Denis
29 * https://github.com/libtom/libtommath/blob/develop/tommath.pdf
30 *
31 * [3] GNU Multi-Precision Arithmetic Library
32 * https://gmplib.org/manual/index.html
33 *
34 */
35
36 #include "common.h"
37
38 #if defined(MBEDTLS_BIGNUM_C)
39
40 #include "mbedtls/bignum.h"
41 #include "bignum_internal.h"
42 #include "bn_mul.h"
43 #include "mbedtls/platform_util.h"
44 #include "mbedtls/error.h"
45 #include "constant_time_internal.h"
46 #include "mbedtls/hw_tee_tag.h"
47
48 #include <limits.h>
49 #include <string.h>
50
51 #if defined(MBEDTLS_PLATFORM_C)
52 #include "mbedtls/platform.h"
53 #else
54 #include <stdio.h>
55 #include <stdlib.h>
56 #define mbedtls_printf printf
57 #define mbedtls_calloc calloc
58 #define mbedtls_free free
59 #endif
60
61 #if defined(MBEDTLS_BIGNUM_EXP_MOD_USE_HARDWARE) || defined(MBEDTLS_BIGNUM_MOD_USE_HARDWARE)
62 #include "bignum_harden.h"
63 #endif /* MBEDTLS_BIGNUM_EXP_MOD_USE_HARDWARE || MBEDTLS_BIGNUM_MOD_USE_HARDWARE */
64
65 #define MPI_VALIDATE_RET( cond ) \
66 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
67 #define MPI_VALIDATE( cond ) \
68 MBEDTLS_INTERNAL_VALIDATE( cond )
69
70 #define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */
71 #define biL (ciL << 3) /* bits in limb */
72 #define biH (ciL << 2) /* half limb size */
73
74 #define MPI_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
75
76 /*
77 * Convert between bits/chars and number of limbs
78 * Divide first in order to avoid potential overflows
79 */
80 #define BITS_TO_LIMBS(i) ( (i) / biL + ( (i) % biL != 0 ) )
81 #define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
82
83 /* Implementation that should never be optimized out by the compiler */
mbedtls_mpi_zeroize(mbedtls_mpi_uint * v,size_t n)84 static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n )
85 {
86 mbedtls_platform_zeroize( v, ciL * n );
87 }
88
89 /*
90 * Initialize one MPI
91 */
mbedtls_mpi_init(mbedtls_mpi * X)92 void mbedtls_mpi_init( mbedtls_mpi *X )
93 {
94 MPI_VALIDATE( X != NULL );
95
96 X->s = 1;
97 X->n = 0;
98 X->p = NULL;
99 }
100
101 /*
102 * Unallocate one MPI
103 */
mbedtls_mpi_free(mbedtls_mpi * X)104 void mbedtls_mpi_free( mbedtls_mpi *X )
105 {
106 if( X == NULL )
107 return;
108
109 if( X->p != NULL )
110 {
111 mbedtls_mpi_zeroize( X->p, X->n );
112 mbedtls_free( X->p );
113 }
114
115 X->s = 1;
116 X->n = 0;
117 X->p = NULL;
118 }
119
120 /*
121 * Enlarge to the specified number of limbs
122 */
mbedtls_mpi_grow(mbedtls_mpi * X,size_t nblimbs)123 int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs )
124 {
125 mbedtls_mpi_uint *p;
126 MPI_VALIDATE_RET( X != NULL );
127
128 if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
129 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
130
131 if( X->n < nblimbs )
132 {
133 if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL )
134 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
135
136 if( X->p != NULL )
137 {
138 memcpy( p, X->p, X->n * ciL );
139 mbedtls_mpi_zeroize( X->p, X->n );
140 mbedtls_free( X->p );
141 }
142
143 X->n = nblimbs;
144 X->p = p;
145 }
146
147 return( 0 );
148 }
149
150 /*
151 * Resize down as much as possible,
152 * while keeping at least the specified number of limbs
153 */
mbedtls_mpi_shrink(mbedtls_mpi * X,size_t nblimbs)154 int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
155 {
156 mbedtls_mpi_uint *p;
157 size_t i;
158 MPI_VALIDATE_RET( X != NULL );
159
160 if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
161 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
162
163 /* Actually resize up if there are currently fewer than nblimbs limbs. */
164 if( X->n <= nblimbs )
165 return( mbedtls_mpi_grow( X, nblimbs ) );
166 /* After this point, then X->n > nblimbs and in particular X->n > 0. */
167
168 for( i = X->n - 1; i > 0; i-- )
169 if( X->p[i] != 0 )
170 break;
171 i++;
172
173 if( i < nblimbs )
174 i = nblimbs;
175
176 if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL ) ) == NULL )
177 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
178
179 if( X->p != NULL )
180 {
181 memcpy( p, X->p, i * ciL );
182 mbedtls_mpi_zeroize( X->p, X->n );
183 mbedtls_free( X->p );
184 }
185
186 X->n = i;
187 X->p = p;
188
189 return( 0 );
190 }
191
192 /* Resize X to have exactly n limbs and set it to 0. */
mbedtls_mpi_resize_clear(mbedtls_mpi * X,size_t limbs)193 static int mbedtls_mpi_resize_clear( mbedtls_mpi *X, size_t limbs )
194 {
195 if( limbs == 0 )
196 {
197 mbedtls_mpi_free( X );
198 return( 0 );
199 }
200 else if( X->n == limbs )
201 {
202 memset( X->p, 0, limbs * ciL );
203 X->s = 1;
204 return( 0 );
205 }
206 else
207 {
208 mbedtls_mpi_free( X );
209 return( mbedtls_mpi_grow( X, limbs ) );
210 }
211 }
212
213 /*
214 * Copy the contents of Y into X.
215 *
216 * This function is not constant-time. Leading zeros in Y may be removed.
217 *
218 * Ensure that X does not shrink. This is not guaranteed by the public API,
219 * but some code in the bignum module relies on this property, for example
220 * in mbedtls_mpi_exp_mod().
221 */
mbedtls_mpi_copy(mbedtls_mpi * X,const mbedtls_mpi * Y)222 int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
223 {
224 int ret = 0;
225 size_t i;
226 MPI_VALIDATE_RET( X != NULL );
227 MPI_VALIDATE_RET( Y != NULL );
228
229 if( X == Y )
230 return( 0 );
231
232 if( Y->n == 0 )
233 {
234 if( X->n != 0 )
235 {
236 X->s = 1;
237 memset( X->p, 0, X->n * ciL );
238 }
239 return( 0 );
240 }
241
242 for( i = Y->n - 1; i > 0; i-- )
243 if( Y->p[i] != 0 )
244 break;
245 i++;
246
247 X->s = Y->s;
248
249 if( X->n < i )
250 {
251 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i ) );
252 }
253 else
254 {
255 memset( X->p + i, 0, ( X->n - i ) * ciL );
256 }
257
258 memcpy( X->p, Y->p, i * ciL );
259
260 cleanup:
261
262 return( ret );
263 }
264
265 /*
266 * Swap the contents of X and Y
267 */
mbedtls_mpi_swap(mbedtls_mpi * X,mbedtls_mpi * Y)268 void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
269 {
270 mbedtls_mpi T;
271 MPI_VALIDATE( X != NULL );
272 MPI_VALIDATE( Y != NULL );
273
274 memcpy( &T, X, sizeof( mbedtls_mpi ) );
275 memcpy( X, Y, sizeof( mbedtls_mpi ) );
276 memcpy( Y, &T, sizeof( mbedtls_mpi ) );
277 }
278
279 /*
280 * Set value from integer
281 */
mbedtls_mpi_lset(mbedtls_mpi * X,mbedtls_mpi_sint z)282 int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
283 {
284 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
285 MPI_VALIDATE_RET( X != NULL );
286
287 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
288 memset( X->p, 0, X->n * ciL );
289
290 X->p[0] = ( z < 0 ) ? -z : z;
291 X->s = ( z < 0 ) ? -1 : 1;
292
293 cleanup:
294
295 return( ret );
296 }
297
298 /*
299 * Get a specific bit
300 */
mbedtls_mpi_get_bit(const mbedtls_mpi * X,size_t pos)301 int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos )
302 {
303 MPI_VALIDATE_RET( X != NULL );
304
305 if( X->n * biL <= pos )
306 return( 0 );
307
308 return( ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01 );
309 }
310
311 /* Get a specific byte, without range checks. */
312 #define GET_BYTE( X, i ) \
313 ( ( ( X )->p[( i ) / ciL] >> ( ( ( i ) % ciL ) * 8 ) ) & 0xff )
314
315 /*
316 * Set a bit to a specific value of 0 or 1
317 */
mbedtls_mpi_set_bit(mbedtls_mpi * X,size_t pos,unsigned char val)318 int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val )
319 {
320 int ret = 0;
321 size_t off = pos / biL;
322 size_t idx = pos % biL;
323 MPI_VALIDATE_RET( X != NULL );
324
325 if( val != 0 && val != 1 )
326 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
327
328 if( X->n * biL <= pos )
329 {
330 if( val == 0 )
331 return( 0 );
332
333 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, off + 1 ) );
334 }
335
336 X->p[off] &= ~( (mbedtls_mpi_uint) 0x01 << idx );
337 X->p[off] |= (mbedtls_mpi_uint) val << idx;
338
339 cleanup:
340
341 return( ret );
342 }
343
344 /*
345 * Return the number of less significant zero-bits
346 */
mbedtls_mpi_lsb(const mbedtls_mpi * X)347 size_t mbedtls_mpi_lsb( const mbedtls_mpi *X )
348 {
349 size_t i, j, count = 0;
350 MBEDTLS_INTERNAL_VALIDATE_RET( X != NULL, 0 );
351
352 for( i = 0; i < X->n; i++ )
353 for( j = 0; j < biL; j++, count++ )
354 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
355 return( count );
356
357 return( 0 );
358 }
359
360 /*
361 * Count leading zero bits in a given integer
362 */
363 FORCEINLINE
mbedtls_clz(const mbedtls_mpi_uint x)364 static size_t mbedtls_clz( const mbedtls_mpi_uint x )
365 {
366 size_t j;
367 mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
368
369 for( j = 0; j < biL; j++ )
370 {
371 if( x & mask ) break;
372
373 mask >>= 1;
374 }
375
376 return j;
377 }
378
379 /*
380 * Return the number of bits
381 */
mbedtls_mpi_bitlen(const mbedtls_mpi * X)382 size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X )
383 {
384 size_t i, j;
385
386 if( X->n == 0 )
387 return( 0 );
388
389 for( i = X->n - 1; i > 0; i-- )
390 if( X->p[i] != 0 )
391 break;
392
393 j = biL - mbedtls_clz( X->p[i] );
394
395 return( ( i * biL ) + j );
396 }
397
398 #if defined(VENDOR_TEE_WRAP_C)
399 VMP_TAG
internal_mpi_bitlen(const mbedtls_mpi * X)400 static size_t internal_mpi_bitlen( const mbedtls_mpi *X )
401 {
402 size_t i, j;
403
404 if( X->n == 0 )
405 return( 0 );
406
407 for( i = X->n - 1; i > 0; i-- )
408 if( X->p[i] != 0 )
409 break;
410
411 j = biL - mbedtls_clz( X->p[i] );
412
413 return( ( i * biL ) + j );
414 }
415 #endif
416
417 /*
418 * Return the total size in bytes
419 */
mbedtls_mpi_size(const mbedtls_mpi * X)420 size_t mbedtls_mpi_size( const mbedtls_mpi *X )
421 {
422 return( ( mbedtls_mpi_bitlen( X ) + 7 ) >> 3 );
423 }
424
425 /*
426 * Convert an ASCII character to digit value
427 */
mpi_get_digit(mbedtls_mpi_uint * d,int radix,char c)428 static int mpi_get_digit( mbedtls_mpi_uint *d, int radix, char c )
429 {
430 *d = 255;
431
432 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
433 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
434 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
435
436 if( *d >= (mbedtls_mpi_uint) radix )
437 return( MBEDTLS_ERR_MPI_INVALID_CHARACTER );
438
439 return( 0 );
440 }
441
442 /*
443 * Import from an ASCII string
444 */
mbedtls_mpi_read_string(mbedtls_mpi * X,int radix,const char * s)445 int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
446 {
447 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
448 size_t i, j, slen, n;
449 int sign = 1;
450 mbedtls_mpi_uint d;
451 mbedtls_mpi T;
452 MPI_VALIDATE_RET( X != NULL );
453 MPI_VALIDATE_RET( s != NULL );
454
455 if( radix < 2 || radix > 16 )
456 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
457
458 mbedtls_mpi_init( &T );
459
460 if( s[0] == 0 )
461 {
462 mbedtls_mpi_free( X );
463 return( 0 );
464 }
465
466 if( s[0] == '-' )
467 {
468 ++s;
469 sign = -1;
470 }
471
472 slen = strlen( s );
473
474 if( radix == 16 )
475 {
476 if( slen > MPI_SIZE_T_MAX >> 2 )
477 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
478
479 n = BITS_TO_LIMBS( slen << 2 );
480
481 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );
482 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
483
484 for( i = slen, j = 0; i > 0; i--, j++ )
485 {
486 MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
487 X->p[j / ( 2 * ciL )] |= d << ( ( j % ( 2 * ciL ) ) << 2 );
488 }
489 }
490 else
491 {
492 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
493
494 for( i = 0; i < slen; i++ )
495 {
496 MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
497 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T, X, radix ) );
498 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, &T, d ) );
499 }
500 }
501
502 if( sign < 0 && mbedtls_mpi_bitlen( X ) != 0 )
503 X->s = -1;
504
505 cleanup:
506
507 mbedtls_mpi_free( &T );
508
509 return( ret );
510 }
511
512 /*
513 * Helper to write the digits high-order first.
514 */
mpi_write_hlp(mbedtls_mpi * X,int radix,char ** p,const size_t buflen)515 static int mpi_write_hlp( mbedtls_mpi *X, int radix,
516 char **p, const size_t buflen )
517 {
518 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
519 mbedtls_mpi_uint r;
520 size_t length = 0;
521 char *p_end = *p + buflen;
522
523 do
524 {
525 if( length >= buflen )
526 {
527 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
528 }
529
530 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
531 MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
532 /*
533 * Write the residue in the current position, as an ASCII character.
534 */
535 if( r < 0xA )
536 *(--p_end) = (char)( '0' + r );
537 else
538 *(--p_end) = (char)( 'A' + ( r - 0xA ) );
539
540 length++;
541 } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
542
543 memmove( *p, p_end, length );
544 *p += length;
545
546 cleanup:
547
548 return( ret );
549 }
550
551 /*
552 * Export into an ASCII string
553 */
554 STRLITE_TAG
mbedtls_mpi_write_string(const mbedtls_mpi * X,int radix,char * buf,size_t buflen,size_t * olen)555 int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
556 char *buf, size_t buflen, size_t *olen )
557 {
558 int ret = 0;
559 size_t n;
560 char *p;
561 mbedtls_mpi T;
562 MPI_VALIDATE_RET( X != NULL );
563 MPI_VALIDATE_RET( olen != NULL );
564 MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
565
566 if( radix < 2 || radix > 16 )
567 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
568 #if defined(VENDOR_TEE_WRAP_C)
569 n = internal_mpi_bitlen( X ); /* Number of bits necessary to present `n`. */
570 #else
571 n = mbedtls_mpi_bitlen( X ); /* Number of bits necessary to present `n`. */
572 #endif
573 if( radix >= 4 ) n >>= 1; /* Number of 4-adic digits necessary to present
574 * `n`. If radix > 4, this might be a strict
575 * overapproximation of the number of
576 * radix-adic digits needed to present `n`. */
577 if( radix >= 16 ) n >>= 1; /* Number of hexadecimal digits necessary to
578 * present `n`. */
579
580 n += 1; /* Terminating null byte */
581 n += 1; /* Compensate for the divisions above, which round down `n`
582 * in case it's not even. */
583 n += 1; /* Potential '-'-sign. */
584 n += ( n & 1 ); /* Make n even to have enough space for hexadecimal writing,
585 * which always uses an even number of hex-digits. */
586
587 if( buflen < n )
588 {
589 *olen = n;
590 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
591 }
592
593 p = buf;
594 mbedtls_mpi_init( &T );
595
596 if( X->s == -1 )
597 {
598 *p++ = '-';
599 buflen--;
600 }
601
602 if( radix == 16 )
603 {
604 int c;
605 size_t i, j, k;
606
607 for( i = X->n, k = 0; i > 0; i-- )
608 {
609 for( j = ciL; j > 0; j-- )
610 {
611 c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
612
613 if( c == 0 && k == 0 && ( i + j ) != 2 )
614 continue;
615
616 *(p++) = "0123456789ABCDEF" [c / 16];
617 *(p++) = "0123456789ABCDEF" [c % 16];
618 k = 1;
619 }
620 }
621 }
622 else
623 {
624 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T, X ) );
625
626 if( T.s == -1 )
627 T.s = 1;
628
629 MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
630 }
631
632 *p++ = '\0';
633 *olen = p - buf;
634
635 cleanup:
636
637 mbedtls_mpi_free( &T );
638
639 return( ret );
640 }
641
642 #if defined(MBEDTLS_FS_IO)
643 /*
644 * Read X from an opened file
645 */
mbedtls_mpi_read_file(mbedtls_mpi * X,int radix,FILE * fin)646 int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin )
647 {
648 mbedtls_mpi_uint d;
649 size_t slen;
650 char *p;
651 /*
652 * Buffer should have space for (short) label and decimal formatted MPI,
653 * newline characters and '\0'
654 */
655 char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
656
657 MPI_VALIDATE_RET( X != NULL );
658 MPI_VALIDATE_RET( fin != NULL );
659
660 if( radix < 2 || radix > 16 )
661 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
662
663 memset( s, 0, sizeof( s ) );
664 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
665 return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
666
667 slen = strlen( s );
668 if( slen == sizeof( s ) - 2 )
669 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
670
671 if( slen > 0 && s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
672 if( slen > 0 && s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
673
674 p = s + slen;
675 while( p-- > s )
676 if( mpi_get_digit( &d, radix, *p ) != 0 )
677 break;
678
679 return( mbedtls_mpi_read_string( X, radix, p + 1 ) );
680 }
681
682 /*
683 * Write X into an opened file (or stdout if fout == NULL)
684 */
mbedtls_mpi_write_file(const char * p,const mbedtls_mpi * X,int radix,FILE * fout)685 int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout )
686 {
687 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
688 size_t n, slen, plen;
689 /*
690 * Buffer should have space for (short) label and decimal formatted MPI,
691 * newline characters and '\0'
692 */
693 char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
694 MPI_VALIDATE_RET( X != NULL );
695
696 if( radix < 2 || radix > 16 )
697 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
698
699 memset( s, 0, sizeof( s ) );
700
701 MBEDTLS_MPI_CHK( mbedtls_mpi_write_string( X, radix, s, sizeof( s ) - 2, &n ) );
702
703 if( p == NULL ) p = "";
704
705 plen = strlen( p );
706 slen = strlen( s );
707 s[slen++] = '\r';
708 s[slen++] = '\n';
709
710 if( fout != NULL )
711 {
712 if( fwrite( p, 1, plen, fout ) != plen ||
713 fwrite( s, 1, slen, fout ) != slen )
714 return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
715 }
716 else
717 mbedtls_printf( "%s%s", p, s );
718
719 cleanup:
720
721 return( ret );
722 }
723 #endif /* MBEDTLS_FS_IO */
724
725
726 /* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
727 * into the storage form used by mbedtls_mpi. */
728 FORCEINLINE
mpi_uint_bigendian_to_host_c(mbedtls_mpi_uint x)729 static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x )
730 {
731 uint8_t i;
732 unsigned char *x_ptr;
733 mbedtls_mpi_uint tmp = 0;
734
735 for( i = 0, x_ptr = (unsigned char*) &x; i < ciL; i++, x_ptr++ )
736 {
737 tmp <<= CHAR_BIT;
738 tmp |= (mbedtls_mpi_uint) *x_ptr;
739 }
740
741 return( tmp );
742 }
743
744 FORCEINLINE
mpi_uint_bigendian_to_host(mbedtls_mpi_uint x)745 static mbedtls_mpi_uint mpi_uint_bigendian_to_host( mbedtls_mpi_uint x )
746 {
747 #if defined(__BYTE_ORDER__)
748
749 /* Nothing to do on bigendian systems. */
750 #if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ )
751 return( x );
752 #endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */
753
754 #if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ )
755
756 /* For GCC and Clang, have builtins for byte swapping. */
757 #if defined(__GNUC__) && defined(__GNUC_PREREQ)
758 #if __GNUC_PREREQ(4,3)
759 #define have_bswap
760 #endif
761 #endif
762
763 #if defined(__clang__) && defined(__has_builtin)
764 #if __has_builtin(__builtin_bswap32) && \
765 __has_builtin(__builtin_bswap64)
766 #define have_bswap
767 #endif
768 #endif
769
770 #if defined(have_bswap)
771 /* The compiler is hopefully able to statically evaluate this! */
772 switch( sizeof(mbedtls_mpi_uint) )
773 {
774 case 4:
775 return( __builtin_bswap32(x) );
776 case 8:
777 return( __builtin_bswap64(x) );
778 }
779 #endif
780 #endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */
781 #endif /* __BYTE_ORDER__ */
782
783 /* Fall back to C-based reordering if we don't know the byte order
784 * or we couldn't use a compiler-specific builtin. */
785 return( mpi_uint_bigendian_to_host_c( x ) );
786 }
787
788 FORCEINLINE
mpi_bigendian_to_host(mbedtls_mpi_uint * const p,size_t limbs)789 static void mpi_bigendian_to_host( mbedtls_mpi_uint * const p, size_t limbs )
790 {
791 mbedtls_mpi_uint *cur_limb_left;
792 mbedtls_mpi_uint *cur_limb_right;
793 if( limbs == 0 )
794 return;
795
796 /*
797 * Traverse limbs and
798 * - adapt byte-order in each limb
799 * - swap the limbs themselves.
800 * For that, simultaneously traverse the limbs from left to right
801 * and from right to left, as long as the left index is not bigger
802 * than the right index (it's not a problem if limbs is odd and the
803 * indices coincide in the last iteration).
804 */
805 for( cur_limb_left = p, cur_limb_right = p + ( limbs - 1 );
806 cur_limb_left <= cur_limb_right;
807 cur_limb_left++, cur_limb_right-- )
808 {
809 mbedtls_mpi_uint tmp;
810 /* Note that if cur_limb_left == cur_limb_right,
811 * this code effectively swaps the bytes only once. */
812 tmp = mpi_uint_bigendian_to_host( *cur_limb_left );
813 *cur_limb_left = mpi_uint_bigendian_to_host( *cur_limb_right );
814 *cur_limb_right = tmp;
815 }
816 }
817
818 /*
819 * Import X from unsigned binary data, little endian
820 */
mbedtls_mpi_read_binary_le(mbedtls_mpi * X,const unsigned char * buf,size_t buflen)821 int mbedtls_mpi_read_binary_le( mbedtls_mpi *X,
822 const unsigned char *buf, size_t buflen )
823 {
824 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
825 size_t i;
826 size_t const limbs = CHARS_TO_LIMBS( buflen );
827
828 /* Ensure that target MPI has exactly the necessary number of limbs */
829 MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, limbs ) );
830
831 for( i = 0; i < buflen; i++ )
832 X->p[i / ciL] |= ((mbedtls_mpi_uint) buf[i]) << ((i % ciL) << 3);
833
834 cleanup:
835
836 /*
837 * This function is also used to import keys. However, wiping the buffers
838 * upon failure is not necessary because failure only can happen before any
839 * input is copied.
840 */
841 return( ret );
842 }
843
844 /*
845 * Import X from unsigned binary data, big endian
846 */
847 VMP_TAG
mbedtls_mpi_read_binary(mbedtls_mpi * X,const unsigned char * buf,size_t buflen)848 int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
849 {
850 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
851 size_t const limbs = CHARS_TO_LIMBS( buflen );
852 size_t const overhead = ( limbs * ciL ) - buflen;
853 unsigned char *Xp;
854
855 MPI_VALIDATE_RET( X != NULL );
856 MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
857
858 /* Ensure that target MPI has exactly the necessary number of limbs */
859 MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, limbs ) );
860
861 /* Avoid calling `memcpy` with NULL source or destination argument,
862 * even if buflen is 0. */
863 if( buflen != 0 )
864 {
865 Xp = (unsigned char*) X->p;
866 memcpy( Xp + overhead, buf, buflen );
867
868 mpi_bigendian_to_host( X->p, limbs );
869 }
870
871 cleanup:
872
873 /*
874 * This function is also used to import keys. However, wiping the buffers
875 * upon failure is not necessary because failure only can happen before any
876 * input is copied.
877 */
878 return( ret );
879 }
880
881 /*
882 * Export X into unsigned binary data, little endian
883 */
mbedtls_mpi_write_binary_le(const mbedtls_mpi * X,unsigned char * buf,size_t buflen)884 int mbedtls_mpi_write_binary_le( const mbedtls_mpi *X,
885 unsigned char *buf, size_t buflen )
886 {
887 size_t stored_bytes = X->n * ciL;
888 size_t bytes_to_copy;
889 size_t i;
890
891 if( stored_bytes < buflen )
892 {
893 bytes_to_copy = stored_bytes;
894 }
895 else
896 {
897 bytes_to_copy = buflen;
898
899 /* The output buffer is smaller than the allocated size of X.
900 * However X may fit if its leading bytes are zero. */
901 for( i = bytes_to_copy; i < stored_bytes; i++ )
902 {
903 if( GET_BYTE( X, i ) != 0 )
904 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
905 }
906 }
907
908 for( i = 0; i < bytes_to_copy; i++ )
909 buf[i] = GET_BYTE( X, i );
910
911 if( stored_bytes < buflen )
912 {
913 /* Write trailing 0 bytes */
914 memset( buf + stored_bytes, 0, buflen - stored_bytes );
915 }
916
917 return( 0 );
918 }
919
920 /*
921 * Export X into unsigned binary data, big endian
922 */
923 VMP_TAG
mbedtls_mpi_write_binary(const mbedtls_mpi * X,unsigned char * buf,size_t buflen)924 int mbedtls_mpi_write_binary( const mbedtls_mpi *X,
925 unsigned char *buf, size_t buflen )
926 {
927 size_t stored_bytes;
928 size_t bytes_to_copy;
929 unsigned char *p;
930 size_t i;
931
932 MPI_VALIDATE_RET( X != NULL );
933 MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
934
935 stored_bytes = X->n * ciL;
936
937 if( stored_bytes < buflen )
938 {
939 /* There is enough space in the output buffer. Write initial
940 * null bytes and record the position at which to start
941 * writing the significant bytes. In this case, the execution
942 * trace of this function does not depend on the value of the
943 * number. */
944 bytes_to_copy = stored_bytes;
945 p = buf + buflen - stored_bytes;
946 memset( buf, 0, buflen - stored_bytes );
947 }
948 else
949 {
950 /* The output buffer is smaller than the allocated size of X.
951 * However X may fit if its leading bytes are zero. */
952 bytes_to_copy = buflen;
953 p = buf;
954 for( i = bytes_to_copy; i < stored_bytes; i++ )
955 {
956 if( GET_BYTE( X, i ) != 0 )
957 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
958 }
959 }
960
961 for( i = 0; i < bytes_to_copy; i++ )
962 p[bytes_to_copy - i - 1] = GET_BYTE( X, i );
963
964 return( 0 );
965 }
966
967 /*
968 * Left-shift: X <<= count
969 */
mbedtls_mpi_shift_l(mbedtls_mpi * X,size_t count)970 int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count )
971 {
972 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
973 size_t i, v0, t1;
974 mbedtls_mpi_uint r0 = 0, r1;
975 MPI_VALIDATE_RET( X != NULL );
976
977 v0 = count / (biL );
978 t1 = count & (biL - 1);
979
980 i = mbedtls_mpi_bitlen( X ) + count;
981
982 if( X->n * biL < i )
983 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, BITS_TO_LIMBS( i ) ) );
984
985 ret = 0;
986
987 /*
988 * shift by count / limb_size
989 */
990 if( v0 > 0 )
991 {
992 for( i = X->n; i > v0; i-- )
993 X->p[i - 1] = X->p[i - v0 - 1];
994
995 for( ; i > 0; i-- )
996 X->p[i - 1] = 0;
997 }
998
999 /*
1000 * shift by count % limb_size
1001 */
1002 if( t1 > 0 )
1003 {
1004 for( i = v0; i < X->n; i++ )
1005 {
1006 r1 = X->p[i] >> (biL - t1);
1007 X->p[i] <<= t1;
1008 X->p[i] |= r0;
1009 r0 = r1;
1010 }
1011 }
1012
1013 cleanup:
1014
1015 return( ret );
1016 }
1017
1018 /*
1019 * Right-shift: X >>= count
1020 */
mbedtls_mpi_shift_r(mbedtls_mpi * X,size_t count)1021 int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count )
1022 {
1023 size_t i, v0, v1;
1024 mbedtls_mpi_uint r0 = 0, r1;
1025 MPI_VALIDATE_RET( X != NULL );
1026
1027 v0 = count / biL;
1028 v1 = count & (biL - 1);
1029
1030 if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
1031 return mbedtls_mpi_lset( X, 0 );
1032
1033 /*
1034 * shift by count / limb_size
1035 */
1036 if( v0 > 0 )
1037 {
1038 for( i = 0; i < X->n - v0; i++ )
1039 X->p[i] = X->p[i + v0];
1040
1041 for( ; i < X->n; i++ )
1042 X->p[i] = 0;
1043 }
1044
1045 /*
1046 * shift by count % limb_size
1047 */
1048 if( v1 > 0 )
1049 {
1050 for( i = X->n; i > 0; i-- )
1051 {
1052 r1 = X->p[i - 1] << (biL - v1);
1053 X->p[i - 1] >>= v1;
1054 X->p[i - 1] |= r0;
1055 r0 = r1;
1056 }
1057 }
1058
1059 return( 0 );
1060 }
1061
1062 /*
1063 * Compare unsigned values
1064 */
mbedtls_mpi_cmp_abs(const mbedtls_mpi * X,const mbedtls_mpi * Y)1065 int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y )
1066 {
1067 size_t i, j;
1068 MPI_VALIDATE_RET( X != NULL );
1069 MPI_VALIDATE_RET( Y != NULL );
1070
1071 for( i = X->n; i > 0; i-- )
1072 if( X->p[i - 1] != 0 )
1073 break;
1074
1075 for( j = Y->n; j > 0; j-- )
1076 if( Y->p[j - 1] != 0 )
1077 break;
1078
1079 if( i == 0 && j == 0 )
1080 return( 0 );
1081
1082 if( i > j ) return( 1 );
1083 if( j > i ) return( -1 );
1084
1085 for( ; i > 0; i-- )
1086 {
1087 if( X->p[i - 1] > Y->p[i - 1] ) return( 1 );
1088 if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
1089 }
1090
1091 return( 0 );
1092 }
1093
1094 /*
1095 * Compare signed values
1096 */
mbedtls_mpi_cmp_mpi(const mbedtls_mpi * X,const mbedtls_mpi * Y)1097 int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
1098 {
1099 size_t i, j;
1100 MPI_VALIDATE_RET( X != NULL );
1101 MPI_VALIDATE_RET( Y != NULL );
1102
1103 for( i = X->n; i > 0; i-- )
1104 if( X->p[i - 1] != 0 )
1105 break;
1106
1107 for( j = Y->n; j > 0; j-- )
1108 if( Y->p[j - 1] != 0 )
1109 break;
1110
1111 if( i == 0 && j == 0 )
1112 return( 0 );
1113
1114 if( i > j ) return( X->s );
1115 if( j > i ) return( -Y->s );
1116
1117 if( X->s > 0 && Y->s < 0 ) return( 1 );
1118 if( Y->s > 0 && X->s < 0 ) return( -1 );
1119
1120 for( ; i > 0; i-- )
1121 {
1122 if( X->p[i - 1] > Y->p[i - 1] ) return( X->s );
1123 if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
1124 }
1125
1126 return( 0 );
1127 }
1128
1129 #if defined(VENDOR_TEE_WRAP_C)
1130 VMP_TAG
internal_mpi_cmp_mpi(const mbedtls_mpi * X,const mbedtls_mpi * Y)1131 static int internal_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
1132 {
1133 size_t i, j;
1134 MPI_VALIDATE_RET( X != NULL );
1135 MPI_VALIDATE_RET( Y != NULL );
1136
1137 for( i = X->n; i > 0; i-- )
1138 if( X->p[i - 1] != 0 )
1139 break;
1140
1141 for( j = Y->n; j > 0; j-- )
1142 if( Y->p[j - 1] != 0 )
1143 break;
1144
1145 if( i == 0 && j == 0 )
1146 return( 0 );
1147
1148 if( i > j ) return( X->s );
1149 if( j > i ) return( -Y->s );
1150
1151 if( X->s > 0 && Y->s < 0 ) return( 1 );
1152 if( Y->s > 0 && X->s < 0 ) return( -1 );
1153
1154 for( ; i > 0; i-- )
1155 {
1156 if( X->p[i - 1] > Y->p[i - 1] ) return( X->s );
1157 if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
1158 }
1159
1160 return( 0 );
1161 }
1162 #endif
1163
1164 /*
1165 * Compare signed values
1166 */
mbedtls_mpi_cmp_int(const mbedtls_mpi * X,mbedtls_mpi_sint z)1167 int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
1168 {
1169 mbedtls_mpi Y;
1170 mbedtls_mpi_uint p[1];
1171 MPI_VALIDATE_RET( X != NULL );
1172
1173 *p = ( z < 0 ) ? -z : z;
1174 Y.s = ( z < 0 ) ? -1 : 1;
1175 Y.n = 1;
1176 Y.p = p;
1177
1178 return( mbedtls_mpi_cmp_mpi( X, &Y ) );
1179 }
1180
1181 #if defined(VENDOR_TEE_WRAP_C)
1182 VMP_TAG
internal_mpi_cmp_int(const mbedtls_mpi * X,mbedtls_mpi_sint z)1183 static int internal_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
1184 {
1185 mbedtls_mpi Y;
1186 mbedtls_mpi_uint p[1];
1187 MPI_VALIDATE_RET( X != NULL );
1188
1189 *p = ( z < 0 ) ? -z : z;
1190 Y.s = ( z < 0 ) ? -1 : 1;
1191 Y.n = 1;
1192 Y.p = p;
1193
1194 return( internal_mpi_cmp_mpi( X, &Y ) );
1195 }
1196 #endif
1197
1198 /*
1199 * Unsigned addition: X = |A| + |B| (HAC 14.7)
1200 */
mbedtls_mpi_add_abs(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1201 int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
1202 {
1203 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1204 size_t i, j;
1205 mbedtls_mpi_uint *o, *p, c, tmp;
1206 MPI_VALIDATE_RET( X != NULL );
1207 MPI_VALIDATE_RET( A != NULL );
1208 MPI_VALIDATE_RET( B != NULL );
1209
1210 if( X == B )
1211 {
1212 const mbedtls_mpi *T = A; A = X; B = T;
1213 }
1214
1215 if( X != A )
1216 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
1217
1218 /*
1219 * X should always be positive as a result of unsigned additions.
1220 */
1221 X->s = 1;
1222
1223 for( j = B->n; j > 0; j-- )
1224 if( B->p[j - 1] != 0 )
1225 break;
1226
1227 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
1228
1229 o = B->p; p = X->p; c = 0;
1230
1231 /*
1232 * tmp is used because it might happen that p == o
1233 */
1234 for( i = 0; i < j; i++, o++, p++ )
1235 {
1236 tmp= *o;
1237 *p += c; c = ( *p < c );
1238 *p += tmp; c += ( *p < tmp );
1239 }
1240
1241 while( c != 0 )
1242 {
1243 if( i >= X->n )
1244 {
1245 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + 1 ) );
1246 p = X->p + i;
1247 }
1248
1249 *p += c; c = ( *p < c ); i++; p++;
1250 }
1251
1252 cleanup:
1253
1254 return( ret );
1255 }
1256
1257 /**
1258 * Helper for mbedtls_mpi subtraction.
1259 *
1260 * Calculate l - r where l and r have the same size.
1261 * This function operates modulo (2^ciL)^n and returns the carry
1262 * (1 if there was a wraparound, i.e. if `l < r`, and 0 otherwise).
1263 *
1264 * d may be aliased to l or r.
1265 *
1266 * \param n Number of limbs of \p d, \p l and \p r.
1267 * \param[out] d The result of the subtraction.
1268 * \param[in] l The left operand.
1269 * \param[in] r The right operand.
1270 *
1271 * \return 1 if `l < r`.
1272 * 0 if `l >= r`.
1273 */
mpi_sub_hlp(size_t n,mbedtls_mpi_uint * d,const mbedtls_mpi_uint * l,const mbedtls_mpi_uint * r)1274 static mbedtls_mpi_uint mpi_sub_hlp( size_t n,
1275 mbedtls_mpi_uint *d,
1276 const mbedtls_mpi_uint *l,
1277 const mbedtls_mpi_uint *r )
1278 {
1279 size_t i;
1280 mbedtls_mpi_uint c = 0, t, z;
1281
1282 for( i = 0; i < n; i++ )
1283 {
1284 z = ( l[i] < c ); t = l[i] - c;
1285 c = ( t < r[i] ) + z; d[i] = t - r[i];
1286 }
1287
1288 return( c );
1289 }
1290
1291 /*
1292 * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
1293 */
mbedtls_mpi_sub_abs(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1294 int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
1295 {
1296 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1297 size_t n;
1298 mbedtls_mpi_uint carry;
1299 MPI_VALIDATE_RET( X != NULL );
1300 MPI_VALIDATE_RET( A != NULL );
1301 MPI_VALIDATE_RET( B != NULL );
1302
1303 for( n = B->n; n > 0; n-- )
1304 if( B->p[n - 1] != 0 )
1305 break;
1306 if( n > A->n )
1307 {
1308 /* B >= (2^ciL)^n > A */
1309 ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1310 goto cleanup;
1311 }
1312
1313 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, A->n ) );
1314
1315 /* Set the high limbs of X to match A. Don't touch the lower limbs
1316 * because X might be aliased to B, and we must not overwrite the
1317 * significant digits of B. */
1318 if( A->n > n )
1319 memcpy( X->p + n, A->p + n, ( A->n - n ) * ciL );
1320 if( X->n > A->n )
1321 memset( X->p + A->n, 0, ( X->n - A->n ) * ciL );
1322
1323 carry = mpi_sub_hlp( n, X->p, A->p, B->p );
1324 if( carry != 0 )
1325 {
1326 /* Propagate the carry to the first nonzero limb of X. */
1327 for( ; n < X->n && X->p[n] == 0; n++ )
1328 --X->p[n];
1329 /* If we ran out of space for the carry, it means that the result
1330 * is negative. */
1331 if( n == X->n )
1332 {
1333 ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1334 goto cleanup;
1335 }
1336 --X->p[n];
1337 }
1338
1339 /* X should always be positive as a result of unsigned subtractions. */
1340 X->s = 1;
1341
1342 cleanup:
1343 return( ret );
1344 }
1345
1346 /*
1347 * Signed addition: X = A + B
1348 */
mbedtls_mpi_add_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1349 int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
1350 {
1351 int ret, s;
1352 MPI_VALIDATE_RET( X != NULL );
1353 MPI_VALIDATE_RET( A != NULL );
1354 MPI_VALIDATE_RET( B != NULL );
1355
1356 s = A->s;
1357 if( A->s * B->s < 0 )
1358 {
1359 if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
1360 {
1361 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
1362 X->s = s;
1363 }
1364 else
1365 {
1366 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
1367 X->s = -s;
1368 }
1369 }
1370 else
1371 {
1372 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
1373 X->s = s;
1374 }
1375
1376 cleanup:
1377
1378 return( ret );
1379 }
1380
1381 /*
1382 * Signed subtraction: X = A - B
1383 */
mbedtls_mpi_sub_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1384 int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
1385 {
1386 int ret, s;
1387 MPI_VALIDATE_RET( X != NULL );
1388 MPI_VALIDATE_RET( A != NULL );
1389 MPI_VALIDATE_RET( B != NULL );
1390
1391 s = A->s;
1392 if( A->s * B->s > 0 )
1393 {
1394 if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
1395 {
1396 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
1397 X->s = s;
1398 }
1399 else
1400 {
1401 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
1402 X->s = -s;
1403 }
1404 }
1405 else
1406 {
1407 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
1408 X->s = s;
1409 }
1410
1411 cleanup:
1412
1413 return( ret );
1414 }
1415
1416 /*
1417 * Signed addition: X = A + b
1418 */
mbedtls_mpi_add_int(mbedtls_mpi * X,const mbedtls_mpi * A,mbedtls_mpi_sint b)1419 int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
1420 {
1421 mbedtls_mpi B;
1422 mbedtls_mpi_uint p[1];
1423 MPI_VALIDATE_RET( X != NULL );
1424 MPI_VALIDATE_RET( A != NULL );
1425
1426 p[0] = ( b < 0 ) ? -b : b;
1427 B.s = ( b < 0 ) ? -1 : 1;
1428 B.n = 1;
1429 B.p = p;
1430
1431 return( mbedtls_mpi_add_mpi( X, A, &B ) );
1432 }
1433
1434 /*
1435 * Signed subtraction: X = A - b
1436 */
mbedtls_mpi_sub_int(mbedtls_mpi * X,const mbedtls_mpi * A,mbedtls_mpi_sint b)1437 int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
1438 {
1439 mbedtls_mpi B;
1440 mbedtls_mpi_uint p[1];
1441 MPI_VALIDATE_RET( X != NULL );
1442 MPI_VALIDATE_RET( A != NULL );
1443
1444 p[0] = ( b < 0 ) ? -b : b;
1445 B.s = ( b < 0 ) ? -1 : 1;
1446 B.n = 1;
1447 B.p = p;
1448
1449 return( mbedtls_mpi_sub_mpi( X, A, &B ) );
1450 }
1451
1452 /** Helper for mbedtls_mpi multiplication.
1453 *
1454 * Add \p b * \p s to \p d.
1455 *
1456 * \param i The number of limbs of \p s.
1457 * \param[in] s A bignum to multiply, of size \p i.
1458 * It may overlap with \p d, but only if
1459 * \p d <= \p s.
1460 * Its leading limb must not be \c 0.
1461 * \param[in,out] d The bignum to add to.
1462 * It must be sufficiently large to store the
1463 * result of the multiplication. This means
1464 * \p i + 1 limbs if \p d[\p i - 1] started as 0 and \p b
1465 * is not known a priori.
1466 * \param b A scalar to multiply.
1467 */
1468 static
1469 #if defined(__APPLE__) && defined(__arm__)
1470 /*
1471 * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
1472 * appears to need this to prevent bad ARM code generation at -O3.
1473 */
1474 __attribute__ ((noinline))
1475 #endif
mpi_mul_hlp(size_t i,const mbedtls_mpi_uint * s,mbedtls_mpi_uint * d,mbedtls_mpi_uint b)1476 void mpi_mul_hlp( size_t i,
1477 const mbedtls_mpi_uint *s,
1478 mbedtls_mpi_uint *d,
1479 mbedtls_mpi_uint b )
1480 {
1481 mbedtls_mpi_uint c = 0, t = 0;
1482
1483 #if defined(MULADDC_HUIT)
1484 for( ; i >= 8; i -= 8 )
1485 {
1486 MULADDC_INIT
1487 MULADDC_HUIT
1488 MULADDC_STOP
1489 }
1490
1491 for( ; i > 0; i-- )
1492 {
1493 MULADDC_INIT
1494 MULADDC_CORE
1495 MULADDC_STOP
1496 }
1497 #else /* MULADDC_HUIT */
1498 for( ; i >= 16; i -= 16 )
1499 {
1500 MULADDC_INIT
1501 MULADDC_CORE MULADDC_CORE
1502 MULADDC_CORE MULADDC_CORE
1503 MULADDC_CORE MULADDC_CORE
1504 MULADDC_CORE MULADDC_CORE
1505
1506 MULADDC_CORE MULADDC_CORE
1507 MULADDC_CORE MULADDC_CORE
1508 MULADDC_CORE MULADDC_CORE
1509 MULADDC_CORE MULADDC_CORE
1510 MULADDC_STOP
1511 }
1512
1513 for( ; i >= 8; i -= 8 )
1514 {
1515 MULADDC_INIT
1516 MULADDC_CORE MULADDC_CORE
1517 MULADDC_CORE MULADDC_CORE
1518
1519 MULADDC_CORE MULADDC_CORE
1520 MULADDC_CORE MULADDC_CORE
1521 MULADDC_STOP
1522 }
1523
1524 for( ; i > 0; i-- )
1525 {
1526 MULADDC_INIT
1527 MULADDC_CORE
1528 MULADDC_STOP
1529 }
1530 #endif /* MULADDC_HUIT */
1531
1532 t++;
1533
1534 while( c != 0 )
1535 {
1536 *d += c; c = ( *d < c ); d++;
1537 }
1538 }
1539
1540 /*
1541 * Baseline multiplication: X = A * B (HAC 14.12)
1542 */
mbedtls_mpi_mul_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1543 int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
1544 {
1545 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1546 size_t i, j;
1547 mbedtls_mpi TA, TB;
1548 int result_is_zero = 0;
1549 MPI_VALIDATE_RET( X != NULL );
1550 MPI_VALIDATE_RET( A != NULL );
1551 MPI_VALIDATE_RET( B != NULL );
1552
1553 mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
1554
1555 if( X == A ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) ); A = &TA; }
1556 if( X == B ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) ); B = &TB; }
1557
1558 for( i = A->n; i > 0; i-- )
1559 if( A->p[i - 1] != 0 )
1560 break;
1561 if( i == 0 )
1562 result_is_zero = 1;
1563
1564 for( j = B->n; j > 0; j-- )
1565 if( B->p[j - 1] != 0 )
1566 break;
1567 if( j == 0 )
1568 result_is_zero = 1;
1569
1570 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + j ) );
1571 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
1572
1573 for( ; j > 0; j-- )
1574 mpi_mul_hlp( i, A->p, X->p + j - 1, B->p[j - 1] );
1575
1576 /* If the result is 0, we don't shortcut the operation, which reduces
1577 * but does not eliminate side channels leaking the zero-ness. We do
1578 * need to take care to set the sign bit properly since the library does
1579 * not fully support an MPI object with a value of 0 and s == -1. */
1580 if( result_is_zero )
1581 X->s = 1;
1582 else
1583 X->s = A->s * B->s;
1584
1585 cleanup:
1586
1587 mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TA );
1588
1589 return( ret );
1590 }
1591
1592 /*
1593 * Baseline multiplication: X = A * b
1594 */
mbedtls_mpi_mul_int(mbedtls_mpi * X,const mbedtls_mpi * A,mbedtls_mpi_uint b)1595 int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b )
1596 {
1597 MPI_VALIDATE_RET( X != NULL );
1598 MPI_VALIDATE_RET( A != NULL );
1599
1600 /* mpi_mul_hlp can't deal with a leading 0. */
1601 size_t n = A->n;
1602 while( n > 0 && A->p[n - 1] == 0 )
1603 --n;
1604
1605 /* The general method below doesn't work if n==0 or b==0. By chance
1606 * calculating the result is trivial in those cases. */
1607 if( b == 0 || n == 0 )
1608 {
1609 return( mbedtls_mpi_lset( X, 0 ) );
1610 }
1611
1612 /* Calculate A*b as A + A*(b-1) to take advantage of mpi_mul_hlp */
1613 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1614 /* In general, A * b requires 1 limb more than b. If
1615 * A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
1616 * number of limbs as A and the call to grow() is not required since
1617 * copy() will take care of the growth if needed. However, experimentally,
1618 * making the call to grow() unconditional causes slightly fewer
1619 * calls to calloc() in ECP code, presumably because it reuses the
1620 * same mpi for a while and this way the mpi is more likely to directly
1621 * grow to its final size. */
1622 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n + 1 ) );
1623 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
1624 mpi_mul_hlp( n, A->p, X->p, b - 1 );
1625
1626 cleanup:
1627 return( ret );
1628 }
1629
1630 /*
1631 * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
1632 * mbedtls_mpi_uint divisor, d
1633 */
mbedtls_int_div_int(mbedtls_mpi_uint u1,mbedtls_mpi_uint u0,mbedtls_mpi_uint d,mbedtls_mpi_uint * r)1634 static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
1635 mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r )
1636 {
1637 #if defined(MBEDTLS_HAVE_UDBL)
1638 mbedtls_t_udbl dividend, quotient;
1639 #else
1640 const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
1641 const mbedtls_mpi_uint uint_halfword_mask = ( (mbedtls_mpi_uint) 1 << biH ) - 1;
1642 mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
1643 mbedtls_mpi_uint u0_msw, u0_lsw;
1644 size_t s;
1645 #endif
1646
1647 /*
1648 * Check for overflow
1649 */
1650 if( 0 == d || u1 >= d )
1651 {
1652 if (r != NULL) *r = ~0;
1653
1654 return ( ~0 );
1655 }
1656
1657 #if defined(MBEDTLS_HAVE_UDBL)
1658 dividend = (mbedtls_t_udbl) u1 << biL;
1659 dividend |= (mbedtls_t_udbl) u0;
1660 quotient = dividend / d;
1661 if( quotient > ( (mbedtls_t_udbl) 1 << biL ) - 1 )
1662 quotient = ( (mbedtls_t_udbl) 1 << biL ) - 1;
1663
1664 if( r != NULL )
1665 *r = (mbedtls_mpi_uint)( dividend - (quotient * d ) );
1666
1667 return (mbedtls_mpi_uint) quotient;
1668 #else
1669
1670 /*
1671 * Algorithm D, Section 4.3.1 - The Art of Computer Programming
1672 * Vol. 2 - Seminumerical Algorithms, Knuth
1673 */
1674
1675 /*
1676 * Normalize the divisor, d, and dividend, u0, u1
1677 */
1678 s = mbedtls_clz( d );
1679 d = d << s;
1680
1681 u1 = u1 << s;
1682 u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) );
1683 u0 = u0 << s;
1684
1685 d1 = d >> biH;
1686 d0 = d & uint_halfword_mask;
1687
1688 u0_msw = u0 >> biH;
1689 u0_lsw = u0 & uint_halfword_mask;
1690
1691 /*
1692 * Find the first quotient and remainder
1693 */
1694 q1 = u1 / d1;
1695 r0 = u1 - d1 * q1;
1696
1697 while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) )
1698 {
1699 q1 -= 1;
1700 r0 += d1;
1701
1702 if ( r0 >= radix ) break;
1703 }
1704
1705 rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
1706 q0 = rAX / d1;
1707 r0 = rAX - q0 * d1;
1708
1709 while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) )
1710 {
1711 q0 -= 1;
1712 r0 += d1;
1713
1714 if ( r0 >= radix ) break;
1715 }
1716
1717 if (r != NULL)
1718 *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
1719
1720 quotient = q1 * radix + q0;
1721
1722 return quotient;
1723 #endif
1724 }
1725
1726 /*
1727 * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
1728 */
mbedtls_mpi_div_mpi(mbedtls_mpi * Q,mbedtls_mpi * R,const mbedtls_mpi * A,const mbedtls_mpi * B)1729 int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
1730 const mbedtls_mpi *B )
1731 {
1732 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1733 size_t i, n, t, k;
1734 mbedtls_mpi X, Y, Z, T1, T2;
1735 mbedtls_mpi_uint TP2[3];
1736 MPI_VALIDATE_RET( A != NULL );
1737 MPI_VALIDATE_RET( B != NULL );
1738
1739 if( mbedtls_mpi_cmp_int( B, 0 ) == 0 )
1740 return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
1741
1742 mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
1743 mbedtls_mpi_init( &T1 );
1744 /*
1745 * Avoid dynamic memory allocations for constant-size T2.
1746 *
1747 * T2 is used for comparison only and the 3 limbs are assigned explicitly,
1748 * so nobody increase the size of the MPI and we're safe to use an on-stack
1749 * buffer.
1750 */
1751 T2.s = 1;
1752 T2.n = sizeof( TP2 ) / sizeof( *TP2 );
1753 T2.p = TP2;
1754
1755 if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
1756 {
1757 if( Q != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_lset( Q, 0 ) );
1758 if( R != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, A ) );
1759 return( 0 );
1760 }
1761
1762 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &X, A ) );
1763 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, B ) );
1764 X.s = Y.s = 1;
1765
1766 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &Z, A->n + 2 ) );
1767 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Z, 0 ) );
1768 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T1, A->n + 2 ) );
1769
1770 k = mbedtls_mpi_bitlen( &Y ) % biL;
1771 if( k < biL - 1 )
1772 {
1773 k = biL - 1 - k;
1774 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &X, k ) );
1775 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, k ) );
1776 }
1777 else k = 0;
1778
1779 n = X.n - 1;
1780 t = Y.n - 1;
1781 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, biL * ( n - t ) ) );
1782
1783 while( mbedtls_mpi_cmp_mpi( &X, &Y ) >= 0 )
1784 {
1785 Z.p[n - t]++;
1786 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &Y ) );
1787 }
1788 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, biL * ( n - t ) ) );
1789
1790 for( i = n; i > t ; i-- )
1791 {
1792 if( X.p[i] >= Y.p[t] )
1793 Z.p[i - t - 1] = ~0;
1794 else
1795 {
1796 Z.p[i - t - 1] = mbedtls_int_div_int( X.p[i], X.p[i - 1],
1797 Y.p[t], NULL);
1798 }
1799
1800 T2.p[0] = ( i < 2 ) ? 0 : X.p[i - 2];
1801 T2.p[1] = ( i < 1 ) ? 0 : X.p[i - 1];
1802 T2.p[2] = X.p[i];
1803
1804 Z.p[i - t - 1]++;
1805 do
1806 {
1807 Z.p[i - t - 1]--;
1808
1809 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T1, 0 ) );
1810 T1.p[0] = ( t < 1 ) ? 0 : Y.p[t - 1];
1811 T1.p[1] = Y.p[t];
1812 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
1813 }
1814 while( mbedtls_mpi_cmp_mpi( &T1, &T2 ) > 0 );
1815
1816 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
1817 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
1818 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &T1 ) );
1819
1820 if( mbedtls_mpi_cmp_int( &X, 0 ) < 0 )
1821 {
1822 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T1, &Y ) );
1823 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
1824 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &X, &X, &T1 ) );
1825 Z.p[i - t - 1]--;
1826 }
1827 }
1828
1829 if( Q != NULL )
1830 {
1831 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( Q, &Z ) );
1832 Q->s = A->s * B->s;
1833 }
1834
1835 if( R != NULL )
1836 {
1837 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &X, k ) );
1838 X.s = A->s;
1839 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, &X ) );
1840
1841 if( mbedtls_mpi_cmp_int( R, 0 ) == 0 )
1842 R->s = 1;
1843 }
1844
1845 cleanup:
1846
1847 mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
1848 mbedtls_mpi_free( &T1 );
1849 mbedtls_platform_zeroize( TP2, sizeof( TP2 ) );
1850
1851 return( ret );
1852 }
1853
1854 /*
1855 * Division by int: A = Q * b + R
1856 */
mbedtls_mpi_div_int(mbedtls_mpi * Q,mbedtls_mpi * R,const mbedtls_mpi * A,mbedtls_mpi_sint b)1857 int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R,
1858 const mbedtls_mpi *A,
1859 mbedtls_mpi_sint b )
1860 {
1861 mbedtls_mpi B;
1862 mbedtls_mpi_uint p[1];
1863 MPI_VALIDATE_RET( A != NULL );
1864
1865 p[0] = ( b < 0 ) ? -b : b;
1866 B.s = ( b < 0 ) ? -1 : 1;
1867 B.n = 1;
1868 B.p = p;
1869
1870 return( mbedtls_mpi_div_mpi( Q, R, A, &B ) );
1871 }
1872
1873 /*
1874 * Modulo: R = A mod B
1875 */
mbedtls_mpi_mod_mpi(mbedtls_mpi * R,const mbedtls_mpi * A,const mbedtls_mpi * B)1876 int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
1877 {
1878 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1879 MPI_VALIDATE_RET( R != NULL );
1880 MPI_VALIDATE_RET( A != NULL );
1881 MPI_VALIDATE_RET( B != NULL );
1882
1883 if( mbedtls_mpi_cmp_int( B, 0 ) < 0 )
1884 return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
1885
1886 #if defined(MBEDTLS_BIGNUM_MOD_USE_HARDWARE)
1887 if( check_mod_harden_can_do( A, B ) == 1 )
1888 {
1889 return mod_harden( R, A, B );
1890 }
1891 #endif /* MBEDTLS_BIGNUM_MOD_USE_HARDWARE */
1892
1893 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( NULL, R, A, B ) );
1894
1895 while( mbedtls_mpi_cmp_int( R, 0 ) < 0 )
1896 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( R, R, B ) );
1897
1898 while( mbedtls_mpi_cmp_mpi( R, B ) >= 0 )
1899 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( R, R, B ) );
1900
1901 cleanup:
1902
1903 return( ret );
1904 }
1905
1906 /*
1907 * Modulo: r = A mod b
1908 */
mbedtls_mpi_mod_int(mbedtls_mpi_uint * r,const mbedtls_mpi * A,mbedtls_mpi_sint b)1909 int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b )
1910 {
1911 size_t i;
1912 mbedtls_mpi_uint x, y, z;
1913 MPI_VALIDATE_RET( r != NULL );
1914 MPI_VALIDATE_RET( A != NULL );
1915
1916 if( b == 0 )
1917 return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
1918
1919 if( b < 0 )
1920 return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
1921
1922 /*
1923 * handle trivial cases
1924 */
1925 if( b == 1 )
1926 {
1927 *r = 0;
1928 return( 0 );
1929 }
1930
1931 if( b == 2 )
1932 {
1933 *r = A->p[0] & 1;
1934 return( 0 );
1935 }
1936
1937 /*
1938 * general case
1939 */
1940 for( i = A->n, y = 0; i > 0; i-- )
1941 {
1942 x = A->p[i - 1];
1943 y = ( y << biH ) | ( x >> biH );
1944 z = y / b;
1945 y -= z * b;
1946
1947 x <<= biH;
1948 y = ( y << biH ) | ( x >> biH );
1949 z = y / b;
1950 y -= z * b;
1951 }
1952
1953 /*
1954 * If A is negative, then the current y represents a negative value.
1955 * Flipping it to the positive side.
1956 */
1957 if( A->s < 0 && y != 0 )
1958 y = b - y;
1959
1960 *r = y;
1961
1962 return( 0 );
1963 }
1964
1965 /*
1966 * Fast Montgomery initialization (thanks to Tom St Denis)
1967 */
mbedtls_mpi_montmul_init(const mbedtls_mpi_uint * N)1968 mbedtls_mpi_uint mbedtls_mpi_montmul_init(const mbedtls_mpi_uint *N)
1969 {
1970 mbedtls_mpi_uint x = N[0];
1971
1972 x += ((N[0] + 2) & 4) << 1;
1973
1974 for (unsigned int i = biL; i >= 8; i /= 2) {
1975 x *= (2 - (N[0] * x));
1976 }
1977
1978 return ~x + 1;
1979 }
1980
mbedtls_mpi_montmul(mbedtls_mpi * A,const mbedtls_mpi * B,const mbedtls_mpi * N,mbedtls_mpi_uint mm,const mbedtls_mpi * T)1981 void mbedtls_mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
1982 const mbedtls_mpi *T )
1983 {
1984 size_t i, n, m;
1985 mbedtls_mpi_uint u0, u1, *d;
1986
1987 memset( T->p, 0, T->n * ciL );
1988
1989 d = T->p;
1990 n = N->n;
1991 m = ( B->n < n ) ? B->n : n;
1992
1993 for( i = 0; i < n; i++ )
1994 {
1995 /*
1996 * T = (T + u0*B + u1*N) / 2^biL
1997 */
1998 u0 = A->p[i];
1999 u1 = ( d[0] + u0 * B->p[0] ) * mm;
2000
2001 mpi_mul_hlp( m, B->p, d, u0 );
2002 mpi_mul_hlp( n, N->p, d, u1 );
2003
2004 *d++ = u0; d[n + 1] = 0;
2005 }
2006
2007 /* At this point, d is either the desired result or the desired result
2008 * plus N. We now potentially subtract N, avoiding leaking whether the
2009 * subtraction is performed through side channels. */
2010
2011 /* Copy the n least significant limbs of d to A, so that
2012 * A = d if d < N (recall that N has n limbs). */
2013 memcpy( A->p, d, n * ciL );
2014 /* If d >= N then we want to set A to d - N. To prevent timing attacks,
2015 * do the calculation without using conditional tests. */
2016 /* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
2017 d[n] += 1;
2018 d[n] -= mpi_sub_hlp( n, d, d, N->p );
2019 /* If d0 < N then d < (2^biL)^n
2020 * so d[n] == 0 and we want to keep A as it is.
2021 * If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
2022 * so d[n] == 1 and we want to set A to the result of the subtraction
2023 * which is d - (2^biL)^n, i.e. the n least significant limbs of d.
2024 * This exactly corresponds to a conditional assignment. */
2025 mbedtls_ct_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] );
2026 }
2027
2028 /*
2029 * Montgomery reduction: A = A * R^-1 mod N
2030 *
2031 * See mpi_montmul() regarding constraints and guarantees on the parameters.
2032 */
mpi_montred(mbedtls_mpi * A,const mbedtls_mpi * N,mbedtls_mpi_uint mm,const mbedtls_mpi * T)2033 static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
2034 mbedtls_mpi_uint mm, const mbedtls_mpi *T )
2035 {
2036 mbedtls_mpi_uint z = 1;
2037 mbedtls_mpi U;
2038
2039 U.n = U.s = (int) z;
2040 U.p = &z;
2041
2042 mbedtls_mpi_montmul( A, &U, N, mm, T );
2043 }
2044
2045 /**
2046 * Select an MPI from a table without leaking the index.
2047 *
2048 * This is functionally equivalent to mbedtls_mpi_copy(R, T[idx]) except it
2049 * reads the entire table in order to avoid leaking the value of idx to an
2050 * attacker able to observe memory access patterns.
2051 *
2052 * \param[out] R Where to write the selected MPI.
2053 * \param[in] T The table to read from.
2054 * \param[in] T_size The number of elements in the table.
2055 * \param[in] idx The index of the element to select;
2056 * this must satisfy 0 <= idx < T_size.
2057 *
2058 * \return \c 0 on success, or a negative error code.
2059 */
mpi_select(mbedtls_mpi * R,const mbedtls_mpi * T,size_t T_size,size_t idx)2060 static int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size_t idx )
2061 {
2062 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2063 size_t i;
2064
2065 for( i = 0; i < T_size; i++ )
2066 {
2067 MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i],
2068 (unsigned char) mbedtls_ct_size_bool_eq( i, idx ) ) );
2069 }
2070
2071 cleanup:
2072 return( ret );
2073 }
2074
mbedtls_mpi_get_mont_r2_unsafe(mbedtls_mpi * X,const mbedtls_mpi * N)2075 int mbedtls_mpi_get_mont_r2_unsafe(mbedtls_mpi *X,
2076 const mbedtls_mpi *N)
2077 {
2078 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2079
2080 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 1));
2081 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, N->n * 2 * biL));
2082 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
2083 MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(X, N->n));
2084
2085 cleanup:
2086 return ret;
2087 }
2088
2089 /*
2090 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
2091 */
2092 VMP_TAG
mbedtls_mpi_exp_mod(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * E,const mbedtls_mpi * N,mbedtls_mpi * prec_RR)2093 int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
2094 const mbedtls_mpi *E, const mbedtls_mpi *N,
2095 mbedtls_mpi *prec_RR )
2096 {
2097 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2098 size_t window_bitsize;
2099 size_t i, j, nblimbs;
2100 size_t bufsize, nbits;
2101 mbedtls_mpi_uint ei, mm, state;
2102 mbedtls_mpi RR, T, W[ (size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos;
2103 int neg;
2104
2105 MPI_VALIDATE_RET( X != NULL );
2106 MPI_VALIDATE_RET( A != NULL );
2107 MPI_VALIDATE_RET( E != NULL );
2108 MPI_VALIDATE_RET( N != NULL );
2109 #if defined(VENDOR_TEE_WRAP_C)
2110 if( internal_mpi_cmp_int( N, 0 ) <= 0 || ( N->p[0] & 1 ) == 0 )
2111 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2112
2113 if( internal_mpi_cmp_int( E, 0 ) < 0 )
2114 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2115
2116 if( internal_mpi_bitlen( E ) > MBEDTLS_MPI_MAX_BITS ||
2117 internal_mpi_bitlen( N ) > MBEDTLS_MPI_MAX_BITS )
2118 return ( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2119 #else
2120 if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 || ( N->p[0] & 1 ) == 0 )
2121 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2122
2123 if( mbedtls_mpi_cmp_int( E, 0 ) < 0 )
2124 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2125
2126 if( mbedtls_mpi_bitlen( E ) > MBEDTLS_MPI_MAX_BITS ||
2127 mbedtls_mpi_bitlen( N ) > MBEDTLS_MPI_MAX_BITS )
2128 return ( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2129 #endif
2130
2131 #if defined(MBEDTLS_BIGNUM_EXP_MOD_USE_HARDWARE)
2132 if( check_exp_mod_harden_can_do( A, E, N ) == 1 )
2133 {
2134 return exp_mod_harden( X, A, E, N );
2135 }
2136 #endif /* MBEDTLS_BIGNUM_EXP_MOD_USE_HARDWARE */
2137 /*
2138 * Init temps and window size
2139 */
2140 mm = mbedtls_mpi_montmul_init(N->p);
2141 mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &T );
2142 mbedtls_mpi_init( &Apos );
2143 mbedtls_mpi_init( &WW );
2144 memset( W, 0, sizeof( W ) );
2145
2146 #if defined(VENDOR_TEE_WRAP_C)
2147 i = internal_mpi_bitlen( E );
2148 #else
2149 i = mbedtls_mpi_bitlen( E );
2150 #endif
2151
2152 window_bitsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
2153 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
2154
2155 #if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
2156 if( window_bitsize > MBEDTLS_MPI_WINDOW_SIZE )
2157 window_bitsize = MBEDTLS_MPI_WINDOW_SIZE;
2158 #endif
2159
2160 const size_t w_table_used_size = (size_t) 1 << window_bitsize;
2161
2162 /*
2163 * This function is not constant-trace: its memory accesses depend on the
2164 * exponent value. To defend against timing attacks, callers (such as RSA
2165 * and DHM) should use exponent blinding. However this is not enough if the
2166 * adversary can find the exponent in a single trace, so this function
2167 * takes extra precautions against adversaries who can observe memory
2168 * access patterns.
2169 *
2170 * This function performs a series of multiplications by table elements and
2171 * squarings, and we want the prevent the adversary from finding out which
2172 * table element was used, and from distinguishing between multiplications
2173 * and squarings. Firstly, when multiplying by an element of the window
2174 * W[i], we do a constant-trace table lookup to obfuscate i. This leaves
2175 * squarings as having a different memory access patterns from other
2176 * multiplications. So secondly, we put the accumulator X in the table as
2177 * well, and also do a constant-trace table lookup to multiply by X.
2178 *
2179 * This way, all multiplications take the form of a lookup-and-multiply.
2180 * The number of lookup-and-multiply operations inside each iteration of
2181 * the main loop still depends on the bits of the exponent, but since the
2182 * other operations in the loop don't have an easily recognizable memory
2183 * trace, an adversary is unlikely to be able to observe the exact
2184 * patterns.
2185 *
2186 * An adversary may still be able to recover the exponent if they can
2187 * observe both memory accesses and branches. However, branch prediction
2188 * exploitation typically requires many traces of execution over the same
2189 * data, which is defeated by randomized blinding.
2190 *
2191 * To achieve this, we make a copy of X and we use the table entry in each
2192 * calculation from this point on.
2193 */
2194 const size_t x_index = 0;
2195 mbedtls_mpi_init( &W[x_index] );
2196 mbedtls_mpi_copy( &W[x_index], X );
2197
2198 j = N->n + 1;
2199 /* All W[i] and X must have at least N->n limbs for the mpi_montmul()
2200 * and mpi_montred() calls later. Here we ensure that W[1] and X are
2201 * large enough, and later we'll grow other W[i] to the same length.
2202 * They must not be shrunk midway through this function!
2203 */
2204 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[x_index], j ) );
2205 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) );
2206 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
2207
2208 /*
2209 * Compensate for negative A (and correct at the end)
2210 */
2211 neg = ( A->s == -1 );
2212 if( neg )
2213 {
2214 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Apos, A ) );
2215 Apos.s = 1;
2216 A = &Apos;
2217 }
2218
2219 /*
2220 * If 1st call, pre-compute R^2 mod N
2221 */
2222 if( prec_RR == NULL || prec_RR->p == NULL )
2223 {
2224 mbedtls_mpi_get_mont_r2_unsafe(&RR, N);
2225 if( prec_RR != NULL )
2226 memcpy( prec_RR, &RR, sizeof( mbedtls_mpi ) );
2227 }
2228 else
2229 memcpy( &RR, prec_RR, sizeof( mbedtls_mpi ) );
2230
2231 /*
2232 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
2233 */
2234 #if defined(VENDOR_TEE_WRAP_C)
2235 if( internal_mpi_cmp_mpi( A, N ) >= 0 )
2236 #else
2237 if( mbedtls_mpi_cmp_mpi( A, N ) >= 0 )
2238 #endif
2239 {
2240 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &W[1], A, N ) );
2241 /* This should be a no-op because W[1] is already that large before
2242 * mbedtls_mpi_mod_mpi(), but it's necessary to avoid an overflow
2243 * in mpi_montmul() below, so let's make sure. */
2244 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], N->n + 1 ) );
2245 }
2246 else
2247 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
2248
2249 /* Note that this is safe because W[1] always has at least N->n limbs
2250 * (it grew above and was preserved by mbedtls_mpi_copy()). */
2251 mbedtls_mpi_montmul( &W[1], &RR, N, mm, &T );
2252
2253 /*
2254 * W[x_index] = R^2 * R^-1 mod N = R mod N
2255 */
2256 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[x_index], &RR ) );
2257 mpi_montred( &W[x_index], N, mm, &T );
2258
2259
2260 if( window_bitsize > 1 )
2261 {
2262 /*
2263 * W[i] = W[1] ^ i
2264 *
2265 * The first bit of the sliding window is always 1 and therefore we
2266 * only need to store the second half of the table.
2267 *
2268 * (There are two special elements in the table: W[0] for the
2269 * accumulator/result and W[1] for A in Montgomery form. Both of these
2270 * are already set at this point.)
2271 */
2272 j = w_table_used_size / 2;
2273
2274 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) );
2275 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) );
2276
2277 for( i = 0; i < window_bitsize - 1; i++ )
2278 mbedtls_mpi_montmul( &W[j], &W[j], N, mm, &T );
2279
2280 /*
2281 * W[i] = W[i - 1] * W[1]
2282 */
2283 for( i = j + 1; i < w_table_used_size; i++ )
2284 {
2285 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
2286 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
2287
2288 mbedtls_mpi_montmul( &W[i], &W[1], N, mm, &T );
2289 }
2290 }
2291
2292 nblimbs = E->n;
2293 bufsize = 0;
2294 nbits = 0;
2295 size_t exponent_bits_in_window = 0;
2296 state = 0;
2297
2298 while( 1 )
2299 {
2300 if( bufsize == 0 )
2301 {
2302 if( nblimbs == 0 )
2303 break;
2304
2305 nblimbs--;
2306
2307 bufsize = sizeof( mbedtls_mpi_uint ) << 3;
2308 }
2309
2310 bufsize--;
2311
2312 ei = (E->p[nblimbs] >> bufsize) & 1;
2313
2314 /*
2315 * skip leading 0s
2316 */
2317 if( ei == 0 && state == 0 )
2318 continue;
2319
2320 if( ei == 0 && state == 1 )
2321 {
2322 /*
2323 * out of window, square W[x_index]
2324 */
2325 MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) );
2326 mbedtls_mpi_montmul( &W[x_index], &WW, N, mm, &T );
2327 continue;
2328 }
2329
2330 /*
2331 * add ei to current window
2332 */
2333 state = 2;
2334
2335 nbits++;
2336 exponent_bits_in_window |= ( ei << ( window_bitsize - nbits ) );
2337
2338 if( nbits == window_bitsize )
2339 {
2340 /*
2341 * W[x_index] = W[x_index]^window_bitsize R^-1 mod N
2342 */
2343 for( i = 0; i < window_bitsize; i++ )
2344 {
2345 MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size,
2346 x_index ) );
2347 mbedtls_mpi_montmul( &W[x_index], &WW, N, mm, &T );
2348 }
2349
2350 /*
2351 * W[x_index] = W[x_index] * W[exponent_bits_in_window] R^-1 mod N
2352 */
2353 MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size,
2354 exponent_bits_in_window ) );
2355 mbedtls_mpi_montmul( &W[x_index], &WW, N, mm, &T );
2356
2357 state--;
2358 nbits = 0;
2359 exponent_bits_in_window = 0;
2360 }
2361 }
2362
2363 /*
2364 * process the remaining bits
2365 */
2366 for( i = 0; i < nbits; i++ )
2367 {
2368 MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) );
2369 mbedtls_mpi_montmul( &W[x_index], &WW, N, mm, &T );
2370
2371 exponent_bits_in_window <<= 1;
2372
2373 if( ( exponent_bits_in_window & ( (size_t) 1 << window_bitsize ) ) != 0 )
2374 {
2375 MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, 1 ) );
2376 mbedtls_mpi_montmul( &W[x_index], &WW, N, mm, &T );
2377 }
2378 }
2379
2380 /*
2381 * W[x_index] = A^E * R * R^-1 mod N = A^E mod N
2382 */
2383 mpi_montred( &W[x_index], N, mm, &T );
2384
2385 if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
2386 {
2387 W[x_index].s = -1;
2388 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &W[x_index], N, &W[x_index] ) );
2389 }
2390
2391 /*
2392 * Load the result in the output variable.
2393 */
2394 mbedtls_mpi_copy( X, &W[x_index] );
2395
2396 cleanup:
2397
2398 /* The first bit of the sliding window is always 1 and therefore the first
2399 * half of the table was unused. */
2400 for( i = w_table_used_size/2; i < w_table_used_size; i++ )
2401 mbedtls_mpi_free( &W[i] );
2402
2403 mbedtls_mpi_free( &W[x_index] );
2404 mbedtls_mpi_free( &W[1] );
2405 mbedtls_mpi_free( &T );
2406 mbedtls_mpi_free( &Apos );
2407 mbedtls_mpi_free( &WW );
2408
2409 if( prec_RR == NULL || prec_RR->p == NULL )
2410 mbedtls_mpi_free( &RR );
2411
2412 return( ret );
2413 }
2414
2415 /*
2416 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
2417 */
mbedtls_mpi_gcd(mbedtls_mpi * G,const mbedtls_mpi * A,const mbedtls_mpi * B)2418 int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B )
2419 {
2420 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2421 size_t lz, lzt;
2422 mbedtls_mpi TA, TB;
2423
2424 MPI_VALIDATE_RET( G != NULL );
2425 MPI_VALIDATE_RET( A != NULL );
2426 MPI_VALIDATE_RET( B != NULL );
2427
2428 mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
2429
2430 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) );
2431 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
2432
2433 lz = mbedtls_mpi_lsb( &TA );
2434 lzt = mbedtls_mpi_lsb( &TB );
2435
2436 /* The loop below gives the correct result when A==0 but not when B==0.
2437 * So have a special case for B==0. Leverage the fact that we just
2438 * calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
2439 * slightly more efficient than cmp_int(). */
2440 if( lzt == 0 && mbedtls_mpi_get_bit( &TB, 0 ) == 0 )
2441 {
2442 ret = mbedtls_mpi_copy( G, A );
2443 goto cleanup;
2444 }
2445
2446 if( lzt < lz )
2447 lz = lzt;
2448
2449 TA.s = TB.s = 1;
2450
2451 /* We mostly follow the procedure described in HAC 14.54, but with some
2452 * minor differences:
2453 * - Sequences of multiplications or divisions by 2 are grouped into a
2454 * single shift operation.
2455 * - The procedure in HAC assumes that 0 < TB <= TA.
2456 * - The condition TB <= TA is not actually necessary for correctness.
2457 * TA and TB have symmetric roles except for the loop termination
2458 * condition, and the shifts at the beginning of the loop body
2459 * remove any significance from the ordering of TA vs TB before
2460 * the shifts.
2461 * - If TA = 0, the loop goes through 0 iterations and the result is
2462 * correctly TB.
2463 * - The case TB = 0 was short-circuited above.
2464 *
2465 * For the correctness proof below, decompose the original values of
2466 * A and B as
2467 * A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
2468 * B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
2469 * Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
2470 * and gcd(A',B') is odd or 0.
2471 *
2472 * At the beginning, we have TA = |A| and TB = |B| so gcd(A,B) = gcd(TA,TB).
2473 * The code maintains the following invariant:
2474 * gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
2475 */
2476
2477 /* Proof that the loop terminates:
2478 * At each iteration, either the right-shift by 1 is made on a nonzero
2479 * value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
2480 * by at least 1, or the right-shift by 1 is made on zero and then
2481 * TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
2482 * since in that case TB is calculated from TB-TA with the condition TB>TA).
2483 */
2484 while( mbedtls_mpi_cmp_int( &TA, 0 ) != 0 )
2485 {
2486 /* Divisions by 2 preserve the invariant (I). */
2487 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, mbedtls_mpi_lsb( &TA ) ) );
2488 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, mbedtls_mpi_lsb( &TB ) ) );
2489
2490 /* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd,
2491 * TA-TB is even so the division by 2 has an integer result.
2492 * Invariant (I) is preserved since any odd divisor of both TA and TB
2493 * also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2
2494 * also divides TB, and any odd divisior of both TB and |TA-TB|/2 also
2495 * divides TA.
2496 */
2497 if( mbedtls_mpi_cmp_mpi( &TA, &TB ) >= 0 )
2498 {
2499 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TA, &TA, &TB ) );
2500 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, 1 ) );
2501 }
2502 else
2503 {
2504 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TB, &TB, &TA ) );
2505 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, 1 ) );
2506 }
2507 /* Note that one of TA or TB is still odd. */
2508 }
2509
2510 /* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
2511 * At the loop exit, TA = 0, so gcd(TA,TB) = TB.
2512 * - If there was at least one loop iteration, then one of TA or TB is odd,
2513 * and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
2514 * lz = min(a,b) so gcd(A,B) = 2^lz * TB.
2515 * - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
2516 * In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
2517 */
2518
2519 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &TB, lz ) );
2520 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( G, &TB ) );
2521
2522 cleanup:
2523
2524 mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TB );
2525
2526 return( ret );
2527 }
2528
2529 /* Fill X with n_bytes random bytes.
2530 * X must already have room for those bytes.
2531 * The ordering of the bytes returned from the RNG is suitable for
2532 * deterministic ECDSA (see RFC 6979 §3.3 and mbedtls_mpi_random()).
2533 * The size and sign of X are unchanged.
2534 * n_bytes must not be 0.
2535 */
mpi_fill_random_internal(mbedtls_mpi * X,size_t n_bytes,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2536 static int mpi_fill_random_internal(
2537 mbedtls_mpi *X, size_t n_bytes,
2538 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
2539 {
2540 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2541 const size_t limbs = CHARS_TO_LIMBS( n_bytes );
2542 const size_t overhead = ( limbs * ciL ) - n_bytes;
2543
2544 if( X->n < limbs )
2545 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2546
2547 memset( X->p, 0, overhead );
2548 memset( (unsigned char *) X->p + limbs * ciL, 0, ( X->n - limbs ) * ciL );
2549 MBEDTLS_MPI_CHK( f_rng( p_rng, (unsigned char *) X->p + overhead, n_bytes ) );
2550 mpi_bigendian_to_host( X->p, limbs );
2551
2552 cleanup:
2553 return( ret );
2554 }
2555
2556 /*
2557 * Fill X with size bytes of random.
2558 *
2559 * Use a temporary bytes representation to make sure the result is the same
2560 * regardless of the platform endianness (useful when f_rng is actually
2561 * deterministic, eg for tests).
2562 */
mbedtls_mpi_fill_random(mbedtls_mpi * X,size_t size,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2563 int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
2564 int (*f_rng)(void *, unsigned char *, size_t),
2565 void *p_rng )
2566 {
2567 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2568 size_t const limbs = CHARS_TO_LIMBS( size );
2569
2570 MPI_VALIDATE_RET( X != NULL );
2571 MPI_VALIDATE_RET( f_rng != NULL );
2572
2573 /* Ensure that target MPI has exactly the necessary number of limbs */
2574 MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, limbs ) );
2575 if( size == 0 )
2576 return( 0 );
2577
2578 ret = mpi_fill_random_internal( X, size, f_rng, p_rng );
2579
2580 cleanup:
2581 return( ret );
2582 }
2583
mbedtls_mpi_random(mbedtls_mpi * X,mbedtls_mpi_sint min,const mbedtls_mpi * N,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2584 int mbedtls_mpi_random( mbedtls_mpi *X,
2585 mbedtls_mpi_sint min,
2586 const mbedtls_mpi *N,
2587 int (*f_rng)(void *, unsigned char *, size_t),
2588 void *p_rng )
2589 {
2590 int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2591 int count;
2592 unsigned lt_lower = 1, lt_upper = 0;
2593 size_t n_bits = mbedtls_mpi_bitlen( N );
2594 size_t n_bytes = ( n_bits + 7 ) / 8;
2595 mbedtls_mpi lower_bound;
2596
2597 if( min < 0 )
2598 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2599 if( mbedtls_mpi_cmp_int( N, min ) <= 0 )
2600 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2601
2602 /*
2603 * When min == 0, each try has at worst a probability 1/2 of failing
2604 * (the msb has a probability 1/2 of being 0, and then the result will
2605 * be < N), so after 30 tries failure probability is a most 2**(-30).
2606 *
2607 * When N is just below a power of 2, as is the case when generating
2608 * a random scalar on most elliptic curves, 1 try is enough with
2609 * overwhelming probability. When N is just above a power of 2,
2610 * as when generating a random scalar on secp224k1, each try has
2611 * a probability of failing that is almost 1/2.
2612 *
2613 * The probabilities are almost the same if min is nonzero but negligible
2614 * compared to N. This is always the case when N is crypto-sized, but
2615 * it's convenient to support small N for testing purposes. When N
2616 * is small, use a higher repeat count, otherwise the probability of
2617 * failure is macroscopic.
2618 */
2619 count = ( n_bytes > 4 ? 30 : 250 );
2620
2621 mbedtls_mpi_init( &lower_bound );
2622
2623 /* Ensure that target MPI has exactly the same number of limbs
2624 * as the upper bound, even if the upper bound has leading zeros.
2625 * This is necessary for the mbedtls_mpi_lt_mpi_ct() check. */
2626 MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, N->n ) );
2627 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &lower_bound, N->n ) );
2628 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &lower_bound, min ) );
2629
2630 /*
2631 * Match the procedure given in RFC 6979 §3.3 (deterministic ECDSA)
2632 * when f_rng is a suitably parametrized instance of HMAC_DRBG:
2633 * - use the same byte ordering;
2634 * - keep the leftmost n_bits bits of the generated octet string;
2635 * - try until result is in the desired range.
2636 * This also avoids any bias, which is especially important for ECDSA.
2637 */
2638 do
2639 {
2640 MBEDTLS_MPI_CHK( mpi_fill_random_internal( X, n_bytes, f_rng, p_rng ) );
2641 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, 8 * n_bytes - n_bits ) );
2642
2643 if( --count == 0 )
2644 {
2645 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2646 goto cleanup;
2647 }
2648
2649 MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( X, &lower_bound, <_lower ) );
2650 MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( X, N, <_upper ) );
2651 }
2652 while( lt_lower != 0 || lt_upper == 0 );
2653
2654 cleanup:
2655 mbedtls_mpi_free( &lower_bound );
2656 return( ret );
2657 }
2658
2659 /*
2660 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
2661 */
mbedtls_mpi_inv_mod(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * N)2662 int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N )
2663 {
2664 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2665 mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
2666 MPI_VALIDATE_RET( X != NULL );
2667 MPI_VALIDATE_RET( A != NULL );
2668 MPI_VALIDATE_RET( N != NULL );
2669
2670 if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 )
2671 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2672
2673 mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TU ); mbedtls_mpi_init( &U1 ); mbedtls_mpi_init( &U2 );
2674 mbedtls_mpi_init( &G ); mbedtls_mpi_init( &TB ); mbedtls_mpi_init( &TV );
2675 mbedtls_mpi_init( &V1 ); mbedtls_mpi_init( &V2 );
2676
2677 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, A, N ) );
2678
2679 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
2680 {
2681 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2682 goto cleanup;
2683 }
2684
2685 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &TA, A, N ) );
2686 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TU, &TA ) );
2687 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, N ) );
2688 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TV, N ) );
2689
2690 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U1, 1 ) );
2691 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U2, 0 ) );
2692 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V1, 0 ) );
2693 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V2, 1 ) );
2694
2695 do
2696 {
2697 while( ( TU.p[0] & 1 ) == 0 )
2698 {
2699 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TU, 1 ) );
2700
2701 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
2702 {
2703 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &U1, &U1, &TB ) );
2704 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &TA ) );
2705 }
2706
2707 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U1, 1 ) );
2708 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U2, 1 ) );
2709 }
2710
2711 while( ( TV.p[0] & 1 ) == 0 )
2712 {
2713 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TV, 1 ) );
2714
2715 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
2716 {
2717 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, &TB ) );
2718 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &TA ) );
2719 }
2720
2721 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V1, 1 ) );
2722 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V2, 1 ) );
2723 }
2724
2725 if( mbedtls_mpi_cmp_mpi( &TU, &TV ) >= 0 )
2726 {
2727 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TU, &TU, &TV ) );
2728 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U1, &U1, &V1 ) );
2729 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &V2 ) );
2730 }
2731 else
2732 {
2733 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TV, &TV, &TU ) );
2734 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, &U1 ) );
2735 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &U2 ) );
2736 }
2737 }
2738 while( mbedtls_mpi_cmp_int( &TU, 0 ) != 0 );
2739
2740 while( mbedtls_mpi_cmp_int( &V1, 0 ) < 0 )
2741 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, N ) );
2742
2743 while( mbedtls_mpi_cmp_mpi( &V1, N ) >= 0 )
2744 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, N ) );
2745
2746 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &V1 ) );
2747
2748 cleanup:
2749
2750 mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TU ); mbedtls_mpi_free( &U1 ); mbedtls_mpi_free( &U2 );
2751 mbedtls_mpi_free( &G ); mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TV );
2752 mbedtls_mpi_free( &V1 ); mbedtls_mpi_free( &V2 );
2753
2754 return( ret );
2755 }
2756
2757 #if defined(MBEDTLS_GENPRIME)
2758
2759 static const int small_prime[] =
2760 {
2761 3, 5, 7, 11, 13, 17, 19, 23,
2762 29, 31, 37, 41, 43, 47, 53, 59,
2763 61, 67, 71, 73, 79, 83, 89, 97,
2764 101, 103, 107, 109, 113, 127, 131, 137,
2765 139, 149, 151, 157, 163, 167, 173, 179,
2766 181, 191, 193, 197, 199, 211, 223, 227,
2767 229, 233, 239, 241, 251, 257, 263, 269,
2768 271, 277, 281, 283, 293, 307, 311, 313,
2769 317, 331, 337, 347, 349, 353, 359, 367,
2770 373, 379, 383, 389, 397, 401, 409, 419,
2771 421, 431, 433, 439, 443, 449, 457, 461,
2772 463, 467, 479, 487, 491, 499, 503, 509,
2773 521, 523, 541, 547, 557, 563, 569, 571,
2774 577, 587, 593, 599, 601, 607, 613, 617,
2775 619, 631, 641, 643, 647, 653, 659, 661,
2776 673, 677, 683, 691, 701, 709, 719, 727,
2777 733, 739, 743, 751, 757, 761, 769, 773,
2778 787, 797, 809, 811, 821, 823, 827, 829,
2779 839, 853, 857, 859, 863, 877, 881, 883,
2780 887, 907, 911, 919, 929, 937, 941, 947,
2781 953, 967, 971, 977, 983, 991, 997, -103
2782 };
2783
2784 /*
2785 * Small divisors test (X must be positive)
2786 *
2787 * Return values:
2788 * 0: no small factor (possible prime, more tests needed)
2789 * 1: certain prime
2790 * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
2791 * other negative: error
2792 */
mpi_check_small_factors(const mbedtls_mpi * X)2793 static int mpi_check_small_factors( const mbedtls_mpi *X )
2794 {
2795 int ret = 0;
2796 size_t i;
2797 mbedtls_mpi_uint r;
2798
2799 if( ( X->p[0] & 1 ) == 0 )
2800 return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
2801
2802 for( i = 0; small_prime[i] > 0; i++ )
2803 {
2804 if( mbedtls_mpi_cmp_int( X, small_prime[i] ) <= 0 )
2805 return( 1 );
2806
2807 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, small_prime[i] ) );
2808
2809 if( r == 0 )
2810 return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
2811 }
2812
2813 cleanup:
2814 return( ret );
2815 }
2816
2817 /*
2818 * Miller-Rabin pseudo-primality test (HAC 4.24)
2819 */
mpi_miller_rabin(const mbedtls_mpi * X,size_t rounds,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2820 static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
2821 int (*f_rng)(void *, unsigned char *, size_t),
2822 void *p_rng )
2823 {
2824 int ret, count;
2825 size_t i, j, k, s;
2826 mbedtls_mpi W, R, T, A, RR;
2827
2828 MPI_VALIDATE_RET( X != NULL );
2829 MPI_VALIDATE_RET( f_rng != NULL );
2830
2831 mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R );
2832 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
2833 mbedtls_mpi_init( &RR );
2834
2835 /*
2836 * W = |X| - 1
2837 * R = W >> lsb( W )
2838 */
2839 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &W, X, 1 ) );
2840 s = mbedtls_mpi_lsb( &W );
2841 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R, &W ) );
2842 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
2843
2844 for( i = 0; i < rounds; i++ )
2845 {
2846 /*
2847 * pick a random A, 1 < A < |X| - 1
2848 */
2849 count = 0;
2850 do {
2851 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
2852
2853 j = mbedtls_mpi_bitlen( &A );
2854 k = mbedtls_mpi_bitlen( &W );
2855 if (j > k) {
2856 A.p[A.n - 1] &= ( (mbedtls_mpi_uint) 1 << ( k - ( A.n - 1 ) * biL - 1 ) ) - 1;
2857 }
2858
2859 if (count++ > 30) {
2860 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2861 goto cleanup;
2862 }
2863
2864 } while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 ||
2865 mbedtls_mpi_cmp_int( &A, 1 ) <= 0 );
2866
2867 /*
2868 * A = A^R mod |X|
2869 */
2870 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &A, &A, &R, X, &RR ) );
2871
2872 if( mbedtls_mpi_cmp_mpi( &A, &W ) == 0 ||
2873 mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
2874 continue;
2875
2876 j = 1;
2877 while( j < s && mbedtls_mpi_cmp_mpi( &A, &W ) != 0 )
2878 {
2879 /*
2880 * A = A * A mod |X|
2881 */
2882 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &A, &A ) );
2883 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &A, &T, X ) );
2884
2885 if( mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
2886 break;
2887
2888 j++;
2889 }
2890
2891 /*
2892 * not prime if A != |X| - 1 or A == 1
2893 */
2894 if( mbedtls_mpi_cmp_mpi( &A, &W ) != 0 ||
2895 mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
2896 {
2897 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2898 break;
2899 }
2900 }
2901
2902 cleanup:
2903 mbedtls_mpi_free( &W ); mbedtls_mpi_free( &R );
2904 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &A );
2905 mbedtls_mpi_free( &RR );
2906
2907 return( ret );
2908 }
2909
2910 /*
2911 * Pseudo-primality test: small factors, then Miller-Rabin
2912 */
mbedtls_mpi_is_prime_ext(const mbedtls_mpi * X,int rounds,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2913 int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
2914 int (*f_rng)(void *, unsigned char *, size_t),
2915 void *p_rng )
2916 {
2917 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2918 mbedtls_mpi XX;
2919 MPI_VALIDATE_RET( X != NULL );
2920 MPI_VALIDATE_RET( f_rng != NULL );
2921
2922 XX.s = 1;
2923 XX.n = X->n;
2924 XX.p = X->p;
2925
2926 if( mbedtls_mpi_cmp_int( &XX, 0 ) == 0 ||
2927 mbedtls_mpi_cmp_int( &XX, 1 ) == 0 )
2928 return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
2929
2930 if( mbedtls_mpi_cmp_int( &XX, 2 ) == 0 )
2931 return( 0 );
2932
2933 if( ( ret = mpi_check_small_factors( &XX ) ) != 0 )
2934 {
2935 if( ret == 1 )
2936 return( 0 );
2937
2938 return( ret );
2939 }
2940
2941 return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
2942 }
2943
2944 /*
2945 * Prime number generation
2946 *
2947 * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
2948 * be either 1024 bits or 1536 bits long, and flags must contain
2949 * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
2950 */
mbedtls_mpi_gen_prime(mbedtls_mpi * X,size_t nbits,int flags,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2951 int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
2952 int (*f_rng)(void *, unsigned char *, size_t),
2953 void *p_rng )
2954 {
2955 #ifdef MBEDTLS_HAVE_INT64
2956 // ceil(2^63.5)
2957 #define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
2958 #else
2959 // ceil(2^31.5)
2960 #define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
2961 #endif
2962 int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2963 size_t k, n;
2964 int rounds;
2965 mbedtls_mpi_uint r;
2966 mbedtls_mpi Y;
2967
2968 MPI_VALIDATE_RET( X != NULL );
2969 MPI_VALIDATE_RET( f_rng != NULL );
2970
2971 if( nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS )
2972 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2973
2974 mbedtls_mpi_init( &Y );
2975
2976 n = BITS_TO_LIMBS( nbits );
2977
2978 if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR ) == 0 )
2979 {
2980 /*
2981 * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
2982 */
2983 rounds = ( ( nbits >= 1300 ) ? 2 : ( nbits >= 850 ) ? 3 :
2984 ( nbits >= 650 ) ? 4 : ( nbits >= 350 ) ? 8 :
2985 ( nbits >= 250 ) ? 12 : ( nbits >= 150 ) ? 18 : 27 );
2986 }
2987 else
2988 {
2989 /*
2990 * 2^-100 error probability, number of rounds computed based on HAC,
2991 * fact 4.48
2992 */
2993 rounds = ( ( nbits >= 1450 ) ? 4 : ( nbits >= 1150 ) ? 5 :
2994 ( nbits >= 1000 ) ? 6 : ( nbits >= 850 ) ? 7 :
2995 ( nbits >= 750 ) ? 8 : ( nbits >= 500 ) ? 13 :
2996 ( nbits >= 250 ) ? 28 : ( nbits >= 150 ) ? 40 : 51 );
2997 }
2998
2999 while( 1 )
3000 {
3001 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
3002 /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
3003 if( X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2 ) continue;
3004
3005 k = n * biL;
3006 if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits ) );
3007 X->p[0] |= 1;
3008
3009 if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH ) == 0 )
3010 {
3011 ret = mbedtls_mpi_is_prime_ext( X, rounds, f_rng, p_rng );
3012
3013 if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
3014 goto cleanup;
3015 }
3016 else
3017 {
3018 /*
3019 * An necessary condition for Y and X = 2Y + 1 to be prime
3020 * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
3021 * Make sure it is satisfied, while keeping X = 3 mod 4
3022 */
3023
3024 X->p[0] |= 2;
3025
3026 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
3027 if( r == 0 )
3028 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
3029 else if( r == 1 )
3030 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 4 ) );
3031
3032 /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
3033 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, X ) );
3034 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, 1 ) );
3035
3036 while( 1 )
3037 {
3038 /*
3039 * First, check small factors for X and Y
3040 * before doing Miller-Rabin on any of them
3041 */
3042 if( ( ret = mpi_check_small_factors( X ) ) == 0 &&
3043 ( ret = mpi_check_small_factors( &Y ) ) == 0 &&
3044 ( ret = mpi_miller_rabin( X, rounds, f_rng, p_rng ) )
3045 == 0 &&
3046 ( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng ) )
3047 == 0 )
3048 goto cleanup;
3049
3050 if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
3051 goto cleanup;
3052
3053 /*
3054 * Next candidates. We want to preserve Y = (X-1) / 2 and
3055 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
3056 * so up Y by 6 and X by 12.
3057 */
3058 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 12 ) );
3059 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &Y, &Y, 6 ) );
3060 }
3061 }
3062 }
3063
3064 cleanup:
3065
3066 mbedtls_mpi_free( &Y );
3067
3068 return( ret );
3069 }
3070
3071 #endif /* MBEDTLS_GENPRIME */
3072
3073 #if defined(MBEDTLS_SELF_TEST)
3074
3075 #define GCD_PAIR_COUNT 3
3076
3077 static const int gcd_pairs[GCD_PAIR_COUNT][3] =
3078 {
3079 { 693, 609, 21 },
3080 { 1764, 868, 28 },
3081 { 768454923, 542167814, 1 }
3082 };
3083
3084 /*
3085 * Checkup routine
3086 */
mbedtls_mpi_self_test(int verbose)3087 int mbedtls_mpi_self_test( int verbose )
3088 {
3089 int ret, i;
3090 mbedtls_mpi A, E, N, X, Y, U, V;
3091
3092 mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &X );
3093 mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &U ); mbedtls_mpi_init( &V );
3094
3095 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &A, 16,
3096 "EFE021C2645FD1DC586E69184AF4A31E" \
3097 "D5F53E93B5F123FA41680867BA110131" \
3098 "944FE7952E2517337780CB0DB80E61AA" \
3099 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
3100
3101 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &E, 16,
3102 "B2E7EFD37075B9F03FF989C7C5051C20" \
3103 "34D2A323810251127E7BF8625A4F49A5" \
3104 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
3105 "5B5C25763222FEFCCFC38B832366C29E" ) );
3106
3107 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &N, 16,
3108 "0066A198186C18C10B2F5ED9B522752A" \
3109 "9830B69916E535C8F047518A889A43A5" \
3110 "94B6BED27A168D31D4A52F88925AA8F5" ) );
3111
3112 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X, &A, &N ) );
3113
3114 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
3115 "602AB7ECA597A3D6B56FF9829A5E8B85" \
3116 "9E857EA95A03512E2BAE7391688D264A" \
3117 "A5663B0341DB9CCFD2C4C5F421FEC814" \
3118 "8001B72E848A38CAE1C65F78E56ABDEF" \
3119 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
3120 "ECF677152EF804370C1A305CAF3B5BF1" \
3121 "30879B56C61DE584A0F53A2447A51E" ) );
3122
3123 if( verbose != 0 )
3124 mbedtls_printf( " MPI test #1 (mul_mpi): " );
3125
3126 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
3127 {
3128 if( verbose != 0 )
3129 mbedtls_printf( "failed\n" );
3130
3131 ret = 1;
3132 goto cleanup;
3133 }
3134
3135 if( verbose != 0 )
3136 mbedtls_printf( "passed\n" );
3137
3138 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &X, &Y, &A, &N ) );
3139
3140 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
3141 "256567336059E52CAE22925474705F39A94" ) );
3142
3143 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &V, 16,
3144 "6613F26162223DF488E9CD48CC132C7A" \
3145 "0AC93C701B001B092E4E5B9F73BCD27B" \
3146 "9EE50D0657C77F374E903CDFA4C642" ) );
3147
3148 if( verbose != 0 )
3149 mbedtls_printf( " MPI test #2 (div_mpi): " );
3150
3151 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 ||
3152 mbedtls_mpi_cmp_mpi( &Y, &V ) != 0 )
3153 {
3154 if( verbose != 0 )
3155 mbedtls_printf( "failed\n" );
3156
3157 ret = 1;
3158 goto cleanup;
3159 }
3160
3161 if( verbose != 0 )
3162 mbedtls_printf( "passed\n" );
3163
3164 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &X, &A, &E, &N, NULL ) );
3165
3166 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
3167 "36E139AEA55215609D2816998ED020BB" \
3168 "BD96C37890F65171D948E9BC7CBAA4D9" \
3169 "325D24D6A3C12710F10A09FA08AB87" ) );
3170
3171 if( verbose != 0 )
3172 mbedtls_printf( " MPI test #3 (exp_mod): " );
3173
3174 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
3175 {
3176 if( verbose != 0 )
3177 mbedtls_printf( "failed\n" );
3178
3179 ret = 1;
3180 goto cleanup;
3181 }
3182
3183 if( verbose != 0 )
3184 mbedtls_printf( "passed\n" );
3185
3186 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &X, &A, &N ) );
3187
3188 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
3189 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
3190 "C3DBA76456363A10869622EAC2DD84EC" \
3191 "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
3192
3193 if( verbose != 0 )
3194 mbedtls_printf( " MPI test #4 (inv_mod): " );
3195
3196 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
3197 {
3198 if( verbose != 0 )
3199 mbedtls_printf( "failed\n" );
3200
3201 ret = 1;
3202 goto cleanup;
3203 }
3204
3205 if( verbose != 0 )
3206 mbedtls_printf( "passed\n" );
3207
3208 if( verbose != 0 )
3209 mbedtls_printf( " MPI test #5 (simple gcd): " );
3210
3211 for( i = 0; i < GCD_PAIR_COUNT; i++ )
3212 {
3213 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &X, gcd_pairs[i][0] ) );
3214 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Y, gcd_pairs[i][1] ) );
3215
3216 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &A, &X, &Y ) );
3217
3218 if( mbedtls_mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
3219 {
3220 if( verbose != 0 )
3221 mbedtls_printf( "failed at %d\n", i );
3222
3223 ret = 1;
3224 goto cleanup;
3225 }
3226 }
3227
3228 if( verbose != 0 )
3229 mbedtls_printf( "passed\n" );
3230
3231 cleanup:
3232
3233 if( ret != 0 && verbose != 0 )
3234 mbedtls_printf( "Unexpected error, return code = %08X\n", (unsigned int) ret );
3235
3236 mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); mbedtls_mpi_free( &X );
3237 mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &U ); mbedtls_mpi_free( &V );
3238
3239 if( verbose != 0 )
3240 mbedtls_printf( "\n" );
3241
3242 return( ret );
3243 }
3244
3245 #endif /* MBEDTLS_SELF_TEST */
3246
3247 #endif /* MBEDTLS_BIGNUM_C */
3248