1 /*
2 * Multi-precision integer library
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 /*
9 * The following sources were referenced in the design of this Multi-precision
10 * Integer library:
11 *
12 * [1] Handbook of Applied Cryptography - 1997
13 * Menezes, van Oorschot and Vanstone
14 *
15 * [2] Multi-Precision Math
16 * Tom St Denis
17 * https://github.com/libtom/libtommath/blob/develop/tommath.pdf
18 *
19 * [3] GNU Multi-Precision Arithmetic Library
20 * https://gmplib.org/manual/index.html
21 *
22 */
23
24 #include "common.h"
25
26 #if defined(MBEDTLS_BIGNUM_C)
27
28 #include "mbedtls/bignum.h"
29 #include "mbedtls/bn_mul.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32 #include "constant_time_internal.h"
33 #include "bignum_internal.h"
34
35 #include <limits.h>
36 #include <string.h>
37
38 #include "mbedtls/platform.h"
39
40 #define MPI_VALIDATE_RET(cond) \
41 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA)
42 #define MPI_VALIDATE(cond) \
43 MBEDTLS_INTERNAL_VALIDATE(cond)
44
45 #define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */
46 #define biL (ciL << 3) /* bits in limb */
47 #define biH (ciL << 2) /* half limb size */
48
49 #define MPI_SIZE_T_MAX ((size_t) -1) /* SIZE_T_MAX is not standard */
50
51 /*
52 * Convert between bits/chars and number of limbs
53 * Divide first in order to avoid potential overflows
54 */
55 #define BITS_TO_LIMBS(i) ((i) / biL + ((i) % biL != 0))
56 #define CHARS_TO_LIMBS(i) ((i) / ciL + ((i) % ciL != 0))
57
58 /* Implementation that should never be optimized out by the compiler */
mbedtls_mpi_zeroize(mbedtls_mpi_uint * v,size_t n)59 static void mbedtls_mpi_zeroize(mbedtls_mpi_uint *v, size_t n)
60 {
61 mbedtls_platform_zeroize(v, ciL * n);
62 }
63
64 /*
65 * Initialize one MPI
66 */
mbedtls_mpi_init(mbedtls_mpi * X)67 void mbedtls_mpi_init(mbedtls_mpi *X)
68 {
69 MPI_VALIDATE(X != NULL);
70
71 X->s = 1;
72 X->n = 0;
73 X->p = NULL;
74 }
75
76 /*
77 * Unallocate one MPI
78 */
mbedtls_mpi_free(mbedtls_mpi * X)79 void mbedtls_mpi_free(mbedtls_mpi *X)
80 {
81 if (X == NULL) {
82 return;
83 }
84
85 if (X->p != NULL) {
86 mbedtls_mpi_zeroize(X->p, X->n);
87 mbedtls_free(X->p);
88 }
89
90 X->s = 1;
91 X->n = 0;
92 X->p = NULL;
93 }
94
95 /*
96 * Enlarge to the specified number of limbs
97 */
mbedtls_mpi_grow(mbedtls_mpi * X,size_t nblimbs)98 int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
99 {
100 mbedtls_mpi_uint *p;
101 MPI_VALIDATE_RET(X != NULL);
102
103 if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
104 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
105 }
106
107 if (X->n < nblimbs) {
108 if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {
109 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
110 }
111
112 if (X->p != NULL) {
113 memcpy(p, X->p, X->n * ciL);
114 mbedtls_mpi_zeroize(X->p, X->n);
115 mbedtls_free(X->p);
116 }
117
118 X->n = nblimbs;
119 X->p = p;
120 }
121
122 return 0;
123 }
124
125 /*
126 * Resize down as much as possible,
127 * while keeping at least the specified number of limbs
128 */
mbedtls_mpi_shrink(mbedtls_mpi * X,size_t nblimbs)129 int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
130 {
131 mbedtls_mpi_uint *p;
132 size_t i;
133 MPI_VALIDATE_RET(X != NULL);
134
135 if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
136 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
137 }
138
139 /* Actually resize up if there are currently fewer than nblimbs limbs. */
140 if (X->n <= nblimbs) {
141 return mbedtls_mpi_grow(X, nblimbs);
142 }
143 /* After this point, then X->n > nblimbs and in particular X->n > 0. */
144
145 for (i = X->n - 1; i > 0; i--) {
146 if (X->p[i] != 0) {
147 break;
148 }
149 }
150 i++;
151
152 if (i < nblimbs) {
153 i = nblimbs;
154 }
155
156 if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {
157 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
158 }
159
160 if (X->p != NULL) {
161 memcpy(p, X->p, i * ciL);
162 mbedtls_mpi_zeroize(X->p, X->n);
163 mbedtls_free(X->p);
164 }
165
166 X->n = i;
167 X->p = p;
168
169 return 0;
170 }
171
172 /* Resize X to have exactly n limbs and set it to 0. */
mbedtls_mpi_resize_clear(mbedtls_mpi * X,size_t limbs)173 static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)
174 {
175 if (limbs == 0) {
176 mbedtls_mpi_free(X);
177 return 0;
178 } else if (X->n == limbs) {
179 memset(X->p, 0, limbs * ciL);
180 X->s = 1;
181 return 0;
182 } else {
183 mbedtls_mpi_free(X);
184 return mbedtls_mpi_grow(X, limbs);
185 }
186 }
187
188 /*
189 * Copy the contents of Y into X.
190 *
191 * This function is not constant-time. Leading zeros in Y may be removed.
192 *
193 * Ensure that X does not shrink. This is not guaranteed by the public API,
194 * but some code in the bignum module relies on this property, for example
195 * in mbedtls_mpi_exp_mod().
196 */
mbedtls_mpi_copy(mbedtls_mpi * X,const mbedtls_mpi * Y)197 int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y)
198 {
199 int ret = 0;
200 size_t i;
201 MPI_VALIDATE_RET(X != NULL);
202 MPI_VALIDATE_RET(Y != NULL);
203
204 if (X == Y) {
205 return 0;
206 }
207
208 if (Y->n == 0) {
209 if (X->n != 0) {
210 X->s = 1;
211 memset(X->p, 0, X->n * ciL);
212 }
213 return 0;
214 }
215
216 for (i = Y->n - 1; i > 0; i--) {
217 if (Y->p[i] != 0) {
218 break;
219 }
220 }
221 i++;
222
223 X->s = Y->s;
224
225 if (X->n < i) {
226 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));
227 } else {
228 memset(X->p + i, 0, (X->n - i) * ciL);
229 }
230
231 memcpy(X->p, Y->p, i * ciL);
232
233 cleanup:
234
235 return ret;
236 }
237
238 /*
239 * Swap the contents of X and Y
240 */
mbedtls_mpi_swap(mbedtls_mpi * X,mbedtls_mpi * Y)241 void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y)
242 {
243 mbedtls_mpi T;
244 MPI_VALIDATE(X != NULL);
245 MPI_VALIDATE(Y != NULL);
246
247 memcpy(&T, X, sizeof(mbedtls_mpi));
248 memcpy(X, Y, sizeof(mbedtls_mpi));
249 memcpy(Y, &T, sizeof(mbedtls_mpi));
250 }
251
mpi_sint_abs(mbedtls_mpi_sint z)252 static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)
253 {
254 if (z >= 0) {
255 return z;
256 }
257 /* Take care to handle the most negative value (-2^(biL-1)) correctly.
258 * A naive -z would have undefined behavior.
259 * Write this in a way that makes popular compilers happy (GCC, Clang,
260 * MSVC). */
261 return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;
262 }
263
264 /*
265 * Set value from integer
266 */
mbedtls_mpi_lset(mbedtls_mpi * X,mbedtls_mpi_sint z)267 int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
268 {
269 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
270 MPI_VALIDATE_RET(X != NULL);
271
272 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
273 memset(X->p, 0, X->n * ciL);
274
275 X->p[0] = mpi_sint_abs(z);
276 X->s = (z < 0) ? -1 : 1;
277
278 cleanup:
279
280 return ret;
281 }
282
283 /*
284 * Get a specific bit
285 */
mbedtls_mpi_get_bit(const mbedtls_mpi * X,size_t pos)286 int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
287 {
288 MPI_VALIDATE_RET(X != NULL);
289
290 if (X->n * biL <= pos) {
291 return 0;
292 }
293
294 return (X->p[pos / biL] >> (pos % biL)) & 0x01;
295 }
296
297 /* Get a specific byte, without range checks. */
298 #define GET_BYTE(X, i) \
299 (((X)->p[(i) / ciL] >> (((i) % ciL) * 8)) & 0xff)
300
301 /*
302 * Set a bit to a specific value of 0 or 1
303 */
mbedtls_mpi_set_bit(mbedtls_mpi * X,size_t pos,unsigned char val)304 int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)
305 {
306 int ret = 0;
307 size_t off = pos / biL;
308 size_t idx = pos % biL;
309 MPI_VALIDATE_RET(X != NULL);
310
311 if (val != 0 && val != 1) {
312 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
313 }
314
315 if (X->n * biL <= pos) {
316 if (val == 0) {
317 return 0;
318 }
319
320 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));
321 }
322
323 X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);
324 X->p[off] |= (mbedtls_mpi_uint) val << idx;
325
326 cleanup:
327
328 return ret;
329 }
330
331 /*
332 * Return the number of less significant zero-bits
333 */
mbedtls_mpi_lsb(const mbedtls_mpi * X)334 size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
335 {
336 size_t i, j, count = 0;
337 MBEDTLS_INTERNAL_VALIDATE_RET(X != NULL, 0);
338
339 for (i = 0; i < X->n; i++) {
340 for (j = 0; j < biL; j++, count++) {
341 if (((X->p[i] >> j) & 1) != 0) {
342 return count;
343 }
344 }
345 }
346
347 return 0;
348 }
349
350 /*
351 * Count leading zero bits in a given integer
352 */
mbedtls_clz(const mbedtls_mpi_uint x)353 static size_t mbedtls_clz(const mbedtls_mpi_uint x)
354 {
355 size_t j;
356 mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
357
358 for (j = 0; j < biL; j++) {
359 if (x & mask) {
360 break;
361 }
362
363 mask >>= 1;
364 }
365
366 return j;
367 }
368
369 /*
370 * Return the number of bits
371 */
mbedtls_mpi_bitlen(const mbedtls_mpi * X)372 size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
373 {
374 size_t i, j;
375
376 if (X->n == 0) {
377 return 0;
378 }
379
380 for (i = X->n - 1; i > 0; i--) {
381 if (X->p[i] != 0) {
382 break;
383 }
384 }
385
386 j = biL - mbedtls_clz(X->p[i]);
387
388 return (i * biL) + j;
389 }
390
391 /*
392 * Return the total size in bytes
393 */
mbedtls_mpi_size(const mbedtls_mpi * X)394 size_t mbedtls_mpi_size(const mbedtls_mpi *X)
395 {
396 return (mbedtls_mpi_bitlen(X) + 7) >> 3;
397 }
398
399 /*
400 * Convert an ASCII character to digit value
401 */
mpi_get_digit(mbedtls_mpi_uint * d,int radix,char c)402 static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)
403 {
404 *d = 255;
405
406 if (c >= 0x30 && c <= 0x39) {
407 *d = c - 0x30;
408 }
409 if (c >= 0x41 && c <= 0x46) {
410 *d = c - 0x37;
411 }
412 if (c >= 0x61 && c <= 0x66) {
413 *d = c - 0x57;
414 }
415
416 if (*d >= (mbedtls_mpi_uint) radix) {
417 return MBEDTLS_ERR_MPI_INVALID_CHARACTER;
418 }
419
420 return 0;
421 }
422
423 /*
424 * Import from an ASCII string
425 */
mbedtls_mpi_read_string(mbedtls_mpi * X,int radix,const char * s)426 int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
427 {
428 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
429 size_t i, j, slen, n;
430 int sign = 1;
431 mbedtls_mpi_uint d;
432 mbedtls_mpi T;
433 MPI_VALIDATE_RET(X != NULL);
434 MPI_VALIDATE_RET(s != NULL);
435
436 if (radix < 2 || radix > 16) {
437 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
438 }
439
440 mbedtls_mpi_init(&T);
441
442 if (s[0] == 0) {
443 mbedtls_mpi_free(X);
444 return 0;
445 }
446
447 if (s[0] == '-') {
448 ++s;
449 sign = -1;
450 }
451
452 slen = strlen(s);
453
454 if (radix == 16) {
455 if (slen > MPI_SIZE_T_MAX >> 2) {
456 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
457 }
458
459 n = BITS_TO_LIMBS(slen << 2);
460
461 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));
462 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
463
464 for (i = slen, j = 0; i > 0; i--, j++) {
465 MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));
466 X->p[j / (2 * ciL)] |= d << ((j % (2 * ciL)) << 2);
467 }
468 } else {
469 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
470
471 for (i = 0; i < slen; i++) {
472 MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));
473 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));
474 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));
475 }
476 }
477
478 if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {
479 X->s = -1;
480 }
481
482 cleanup:
483
484 mbedtls_mpi_free(&T);
485
486 return ret;
487 }
488
489 /*
490 * Helper to write the digits high-order first.
491 */
mpi_write_hlp(mbedtls_mpi * X,int radix,char ** p,const size_t buflen)492 static int mpi_write_hlp(mbedtls_mpi *X, int radix,
493 char **p, const size_t buflen)
494 {
495 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
496 mbedtls_mpi_uint r;
497 size_t length = 0;
498 char *p_end = *p + buflen;
499
500 do {
501 if (length >= buflen) {
502 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
503 }
504
505 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
506 MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
507 /*
508 * Write the residue in the current position, as an ASCII character.
509 */
510 if (r < 0xA) {
511 *(--p_end) = (char) ('0' + r);
512 } else {
513 *(--p_end) = (char) ('A' + (r - 0xA));
514 }
515
516 length++;
517 } while (mbedtls_mpi_cmp_int(X, 0) != 0);
518
519 memmove(*p, p_end, length);
520 *p += length;
521
522 cleanup:
523
524 return ret;
525 }
526
527 /*
528 * Export into an ASCII string
529 */
mbedtls_mpi_write_string(const mbedtls_mpi * X,int radix,char * buf,size_t buflen,size_t * olen)530 int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
531 char *buf, size_t buflen, size_t *olen)
532 {
533 int ret = 0;
534 size_t n;
535 char *p;
536 mbedtls_mpi T;
537 MPI_VALIDATE_RET(X != NULL);
538 MPI_VALIDATE_RET(olen != NULL);
539 MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
540
541 if (radix < 2 || radix > 16) {
542 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
543 }
544
545 n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */
546 if (radix >= 4) {
547 n >>= 1; /* Number of 4-adic digits necessary to present
548 * `n`. If radix > 4, this might be a strict
549 * overapproximation of the number of
550 * radix-adic digits needed to present `n`. */
551 }
552 if (radix >= 16) {
553 n >>= 1; /* Number of hexadecimal digits necessary to
554 * present `n`. */
555
556 }
557 n += 1; /* Terminating null byte */
558 n += 1; /* Compensate for the divisions above, which round down `n`
559 * in case it's not even. */
560 n += 1; /* Potential '-'-sign. */
561 n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
562 * which always uses an even number of hex-digits. */
563
564 if (buflen < n) {
565 *olen = n;
566 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
567 }
568
569 p = buf;
570 mbedtls_mpi_init(&T);
571
572 if (X->s == -1) {
573 *p++ = '-';
574 buflen--;
575 }
576
577 if (radix == 16) {
578 int c;
579 size_t i, j, k;
580
581 for (i = X->n, k = 0; i > 0; i--) {
582 for (j = ciL; j > 0; j--) {
583 c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;
584
585 if (c == 0 && k == 0 && (i + j) != 2) {
586 continue;
587 }
588
589 *(p++) = "0123456789ABCDEF" [c / 16];
590 *(p++) = "0123456789ABCDEF" [c % 16];
591 k = 1;
592 }
593 }
594 } else {
595 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));
596
597 if (T.s == -1) {
598 T.s = 1;
599 }
600
601 MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
602 }
603
604 *p++ = '\0';
605 *olen = p - buf;
606
607 cleanup:
608
609 mbedtls_mpi_free(&T);
610
611 return ret;
612 }
613
614 #if defined(MBEDTLS_FS_IO)
615 /*
616 * Read X from an opened file
617 */
mbedtls_mpi_read_file(mbedtls_mpi * X,int radix,FILE * fin)618 int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin)
619 {
620 mbedtls_mpi_uint d;
621 size_t slen;
622 char *p;
623 /*
624 * Buffer should have space for (short) label and decimal formatted MPI,
625 * newline characters and '\0'
626 */
627 char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
628
629 MPI_VALIDATE_RET(X != NULL);
630 MPI_VALIDATE_RET(fin != NULL);
631
632 if (radix < 2 || radix > 16) {
633 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
634 }
635
636 memset(s, 0, sizeof(s));
637 if (fgets(s, sizeof(s) - 1, fin) == NULL) {
638 return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
639 }
640
641 slen = strlen(s);
642 if (slen == sizeof(s) - 2) {
643 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
644 }
645
646 if (slen > 0 && s[slen - 1] == '\n') {
647 slen--; s[slen] = '\0';
648 }
649 if (slen > 0 && s[slen - 1] == '\r') {
650 slen--; s[slen] = '\0';
651 }
652
653 p = s + slen;
654 while (p-- > s) {
655 if (mpi_get_digit(&d, radix, *p) != 0) {
656 break;
657 }
658 }
659
660 return mbedtls_mpi_read_string(X, radix, p + 1);
661 }
662
663 /*
664 * Write X into an opened file (or stdout if fout == NULL)
665 */
mbedtls_mpi_write_file(const char * p,const mbedtls_mpi * X,int radix,FILE * fout)666 int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout)
667 {
668 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
669 size_t n, slen, plen;
670 /*
671 * Buffer should have space for (short) label and decimal formatted MPI,
672 * newline characters and '\0'
673 */
674 char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
675 MPI_VALIDATE_RET(X != NULL);
676
677 if (radix < 2 || radix > 16) {
678 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
679 }
680
681 memset(s, 0, sizeof(s));
682
683 MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));
684
685 if (p == NULL) {
686 p = "";
687 }
688
689 plen = strlen(p);
690 slen = strlen(s);
691 s[slen++] = '\r';
692 s[slen++] = '\n';
693
694 if (fout != NULL) {
695 if (fwrite(p, 1, plen, fout) != plen ||
696 fwrite(s, 1, slen, fout) != slen) {
697 return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
698 }
699 } else {
700 mbedtls_printf("%s%s", p, s);
701 }
702
703 cleanup:
704
705 return ret;
706 }
707 #endif /* MBEDTLS_FS_IO */
708
709
710 /* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
711 * into the storage form used by mbedtls_mpi. */
712
mpi_uint_bigendian_to_host_c(mbedtls_mpi_uint x)713 static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c(mbedtls_mpi_uint x)
714 {
715 uint8_t i;
716 unsigned char *x_ptr;
717 mbedtls_mpi_uint tmp = 0;
718
719 for (i = 0, x_ptr = (unsigned char *) &x; i < ciL; i++, x_ptr++) {
720 tmp <<= CHAR_BIT;
721 tmp |= (mbedtls_mpi_uint) *x_ptr;
722 }
723
724 return tmp;
725 }
726
mpi_uint_bigendian_to_host(mbedtls_mpi_uint x)727 static mbedtls_mpi_uint mpi_uint_bigendian_to_host(mbedtls_mpi_uint x)
728 {
729 #if defined(__BYTE_ORDER__)
730
731 /* Nothing to do on bigendian systems. */
732 #if (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)
733 return x;
734 #endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */
735
736 #if (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
737
738 /* For GCC and Clang, have builtins for byte swapping. */
739 #if defined(__GNUC__) && defined(__GNUC_PREREQ)
740 #if __GNUC_PREREQ(4, 3)
741 #define have_bswap
742 #endif
743 #endif
744
745 #if defined(__clang__) && defined(__has_builtin)
746 #if __has_builtin(__builtin_bswap32) && \
747 __has_builtin(__builtin_bswap64)
748 #define have_bswap
749 #endif
750 #endif
751
752 #if defined(have_bswap)
753 /* The compiler is hopefully able to statically evaluate this! */
754 switch (sizeof(mbedtls_mpi_uint)) {
755 case 4:
756 return __builtin_bswap32(x);
757 case 8:
758 return __builtin_bswap64(x);
759 }
760 #endif
761 #endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */
762 #endif /* __BYTE_ORDER__ */
763
764 /* Fall back to C-based reordering if we don't know the byte order
765 * or we couldn't use a compiler-specific builtin. */
766 return mpi_uint_bigendian_to_host_c(x);
767 }
768
mpi_bigendian_to_host(mbedtls_mpi_uint * const p,size_t limbs)769 static void mpi_bigendian_to_host(mbedtls_mpi_uint * const p, size_t limbs)
770 {
771 mbedtls_mpi_uint *cur_limb_left;
772 mbedtls_mpi_uint *cur_limb_right;
773 if (limbs == 0) {
774 return;
775 }
776
777 /*
778 * Traverse limbs and
779 * - adapt byte-order in each limb
780 * - swap the limbs themselves.
781 * For that, simultaneously traverse the limbs from left to right
782 * and from right to left, as long as the left index is not bigger
783 * than the right index (it's not a problem if limbs is odd and the
784 * indices coincide in the last iteration).
785 */
786 for (cur_limb_left = p, cur_limb_right = p + (limbs - 1);
787 cur_limb_left <= cur_limb_right;
788 cur_limb_left++, cur_limb_right--) {
789 mbedtls_mpi_uint tmp;
790 /* Note that if cur_limb_left == cur_limb_right,
791 * this code effectively swaps the bytes only once. */
792 tmp = mpi_uint_bigendian_to_host(*cur_limb_left);
793 *cur_limb_left = mpi_uint_bigendian_to_host(*cur_limb_right);
794 *cur_limb_right = tmp;
795 }
796 }
797
798 /*
799 * Import X from unsigned binary data, little endian
800 */
mbedtls_mpi_read_binary_le(mbedtls_mpi * X,const unsigned char * buf,size_t buflen)801 int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
802 const unsigned char *buf, size_t buflen)
803 {
804 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
805 size_t i;
806 size_t const limbs = CHARS_TO_LIMBS(buflen);
807
808 /* Ensure that target MPI has exactly the necessary number of limbs */
809 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
810
811 for (i = 0; i < buflen; i++) {
812 X->p[i / ciL] |= ((mbedtls_mpi_uint) buf[i]) << ((i % ciL) << 3);
813 }
814
815 cleanup:
816
817 /*
818 * This function is also used to import keys. However, wiping the buffers
819 * upon failure is not necessary because failure only can happen before any
820 * input is copied.
821 */
822 return ret;
823 }
824
825 /*
826 * Import X from unsigned binary data, big endian
827 */
mbedtls_mpi_read_binary(mbedtls_mpi * X,const unsigned char * buf,size_t buflen)828 int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen)
829 {
830 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
831 size_t const limbs = CHARS_TO_LIMBS(buflen);
832 size_t const overhead = (limbs * ciL) - buflen;
833 unsigned char *Xp;
834
835 MPI_VALIDATE_RET(X != NULL);
836 MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
837
838 /* Ensure that target MPI has exactly the necessary number of limbs */
839 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
840
841 /* Avoid calling `memcpy` with NULL source or destination argument,
842 * even if buflen is 0. */
843 if (buflen != 0) {
844 Xp = (unsigned char *) X->p;
845 memcpy(Xp + overhead, buf, buflen);
846
847 mpi_bigendian_to_host(X->p, limbs);
848 }
849
850 cleanup:
851
852 /*
853 * This function is also used to import keys. However, wiping the buffers
854 * upon failure is not necessary because failure only can happen before any
855 * input is copied.
856 */
857 return ret;
858 }
859
860 /*
861 * Export X into unsigned binary data, little endian
862 */
mbedtls_mpi_write_binary_le(const mbedtls_mpi * X,unsigned char * buf,size_t buflen)863 int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
864 unsigned char *buf, size_t buflen)
865 {
866 size_t stored_bytes = X->n * ciL;
867 size_t bytes_to_copy;
868 size_t i;
869
870 if (stored_bytes < buflen) {
871 bytes_to_copy = stored_bytes;
872 } else {
873 bytes_to_copy = buflen;
874
875 /* The output buffer is smaller than the allocated size of X.
876 * However X may fit if its leading bytes are zero. */
877 for (i = bytes_to_copy; i < stored_bytes; i++) {
878 if (GET_BYTE(X, i) != 0) {
879 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
880 }
881 }
882 }
883
884 for (i = 0; i < bytes_to_copy; i++) {
885 buf[i] = GET_BYTE(X, i);
886 }
887
888 if (stored_bytes < buflen) {
889 /* Write trailing 0 bytes */
890 memset(buf + stored_bytes, 0, buflen - stored_bytes);
891 }
892
893 return 0;
894 }
895
896 /*
897 * Export X into unsigned binary data, big endian
898 */
mbedtls_mpi_write_binary(const mbedtls_mpi * X,unsigned char * buf,size_t buflen)899 int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
900 unsigned char *buf, size_t buflen)
901 {
902 size_t stored_bytes;
903 size_t bytes_to_copy;
904 unsigned char *p;
905 size_t i;
906
907 MPI_VALIDATE_RET(X != NULL);
908 MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
909
910 stored_bytes = X->n * ciL;
911
912 if (stored_bytes < buflen) {
913 /* There is enough space in the output buffer. Write initial
914 * null bytes and record the position at which to start
915 * writing the significant bytes. In this case, the execution
916 * trace of this function does not depend on the value of the
917 * number. */
918 bytes_to_copy = stored_bytes;
919 p = buf + buflen - stored_bytes;
920 memset(buf, 0, buflen - stored_bytes);
921 } else {
922 /* The output buffer is smaller than the allocated size of X.
923 * However X may fit if its leading bytes are zero. */
924 bytes_to_copy = buflen;
925 p = buf;
926 for (i = bytes_to_copy; i < stored_bytes; i++) {
927 if (GET_BYTE(X, i) != 0) {
928 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
929 }
930 }
931 }
932
933 for (i = 0; i < bytes_to_copy; i++) {
934 p[bytes_to_copy - i - 1] = GET_BYTE(X, i);
935 }
936
937 return 0;
938 }
939
940 /*
941 * Left-shift: X <<= count
942 */
mbedtls_mpi_shift_l(mbedtls_mpi * X,size_t count)943 int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
944 {
945 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
946 size_t i, v0, t1;
947 mbedtls_mpi_uint r0 = 0, r1;
948 MPI_VALIDATE_RET(X != NULL);
949
950 v0 = count / (biL);
951 t1 = count & (biL - 1);
952
953 i = mbedtls_mpi_bitlen(X) + count;
954
955 if (X->n * biL < i) {
956 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));
957 }
958
959 ret = 0;
960
961 /*
962 * shift by count / limb_size
963 */
964 if (v0 > 0) {
965 for (i = X->n; i > v0; i--) {
966 X->p[i - 1] = X->p[i - v0 - 1];
967 }
968
969 for (; i > 0; i--) {
970 X->p[i - 1] = 0;
971 }
972 }
973
974 /*
975 * shift by count % limb_size
976 */
977 if (t1 > 0) {
978 for (i = v0; i < X->n; i++) {
979 r1 = X->p[i] >> (biL - t1);
980 X->p[i] <<= t1;
981 X->p[i] |= r0;
982 r0 = r1;
983 }
984 }
985
986 cleanup:
987
988 return ret;
989 }
990
991 /*
992 * Right-shift: X >>= count
993 */
mbedtls_mpi_shift_r(mbedtls_mpi * X,size_t count)994 int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
995 {
996 size_t i, v0, v1;
997 mbedtls_mpi_uint r0 = 0, r1;
998 MPI_VALIDATE_RET(X != NULL);
999
1000 v0 = count / biL;
1001 v1 = count & (biL - 1);
1002
1003 if (v0 > X->n || (v0 == X->n && v1 > 0)) {
1004 return mbedtls_mpi_lset(X, 0);
1005 }
1006
1007 /*
1008 * shift by count / limb_size
1009 */
1010 if (v0 > 0) {
1011 for (i = 0; i < X->n - v0; i++) {
1012 X->p[i] = X->p[i + v0];
1013 }
1014
1015 for (; i < X->n; i++) {
1016 X->p[i] = 0;
1017 }
1018 }
1019
1020 /*
1021 * shift by count % limb_size
1022 */
1023 if (v1 > 0) {
1024 for (i = X->n; i > 0; i--) {
1025 r1 = X->p[i - 1] << (biL - v1);
1026 X->p[i - 1] >>= v1;
1027 X->p[i - 1] |= r0;
1028 r0 = r1;
1029 }
1030 }
1031
1032 return 0;
1033 }
1034
1035 /*
1036 * Compare unsigned values
1037 */
mbedtls_mpi_cmp_abs(const mbedtls_mpi * X,const mbedtls_mpi * Y)1038 int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y)
1039 {
1040 size_t i, j;
1041 MPI_VALIDATE_RET(X != NULL);
1042 MPI_VALIDATE_RET(Y != NULL);
1043
1044 for (i = X->n; i > 0; i--) {
1045 if (X->p[i - 1] != 0) {
1046 break;
1047 }
1048 }
1049
1050 for (j = Y->n; j > 0; j--) {
1051 if (Y->p[j - 1] != 0) {
1052 break;
1053 }
1054 }
1055
1056 if (i == 0 && j == 0) {
1057 return 0;
1058 }
1059
1060 if (i > j) {
1061 return 1;
1062 }
1063 if (j > i) {
1064 return -1;
1065 }
1066
1067 for (; i > 0; i--) {
1068 if (X->p[i - 1] > Y->p[i - 1]) {
1069 return 1;
1070 }
1071 if (X->p[i - 1] < Y->p[i - 1]) {
1072 return -1;
1073 }
1074 }
1075
1076 return 0;
1077 }
1078
1079 /*
1080 * Compare signed values
1081 */
mbedtls_mpi_cmp_mpi(const mbedtls_mpi * X,const mbedtls_mpi * Y)1082 int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y)
1083 {
1084 size_t i, j;
1085 MPI_VALIDATE_RET(X != NULL);
1086 MPI_VALIDATE_RET(Y != NULL);
1087
1088 for (i = X->n; i > 0; i--) {
1089 if (X->p[i - 1] != 0) {
1090 break;
1091 }
1092 }
1093
1094 for (j = Y->n; j > 0; j--) {
1095 if (Y->p[j - 1] != 0) {
1096 break;
1097 }
1098 }
1099
1100 if (i == 0 && j == 0) {
1101 return 0;
1102 }
1103
1104 if (i > j) {
1105 return X->s;
1106 }
1107 if (j > i) {
1108 return -Y->s;
1109 }
1110
1111 if (X->s > 0 && Y->s < 0) {
1112 return 1;
1113 }
1114 if (Y->s > 0 && X->s < 0) {
1115 return -1;
1116 }
1117
1118 for (; i > 0; i--) {
1119 if (X->p[i - 1] > Y->p[i - 1]) {
1120 return X->s;
1121 }
1122 if (X->p[i - 1] < Y->p[i - 1]) {
1123 return -X->s;
1124 }
1125 }
1126
1127 return 0;
1128 }
1129
1130 /*
1131 * Compare signed values
1132 */
mbedtls_mpi_cmp_int(const mbedtls_mpi * X,mbedtls_mpi_sint z)1133 int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
1134 {
1135 mbedtls_mpi Y;
1136 mbedtls_mpi_uint p[1];
1137 MPI_VALIDATE_RET(X != NULL);
1138
1139 *p = mpi_sint_abs(z);
1140 Y.s = (z < 0) ? -1 : 1;
1141 Y.n = 1;
1142 Y.p = p;
1143
1144 return mbedtls_mpi_cmp_mpi(X, &Y);
1145 }
1146
1147 /*
1148 * Unsigned addition: X = |A| + |B| (HAC 14.7)
1149 */
mbedtls_mpi_add_abs(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1150 int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
1151 {
1152 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1153 size_t i, j;
1154 mbedtls_mpi_uint *o, *p, c, tmp;
1155 MPI_VALIDATE_RET(X != NULL);
1156 MPI_VALIDATE_RET(A != NULL);
1157 MPI_VALIDATE_RET(B != NULL);
1158
1159 if (X == B) {
1160 const mbedtls_mpi *T = A; A = X; B = T;
1161 }
1162
1163 if (X != A) {
1164 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
1165 }
1166
1167 /*
1168 * X should always be positive as a result of unsigned additions.
1169 */
1170 X->s = 1;
1171
1172 for (j = B->n; j > 0; j--) {
1173 if (B->p[j - 1] != 0) {
1174 break;
1175 }
1176 }
1177
1178 /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
1179 * and B is 0 (of any size). */
1180 if (j == 0) {
1181 return 0;
1182 }
1183
1184 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
1185
1186 o = B->p; p = X->p; c = 0;
1187
1188 /*
1189 * tmp is used because it might happen that p == o
1190 */
1191 for (i = 0; i < j; i++, o++, p++) {
1192 tmp = *o;
1193 *p += c; c = (*p < c);
1194 *p += tmp; c += (*p < tmp);
1195 }
1196
1197 while (c != 0) {
1198 if (i >= X->n) {
1199 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + 1));
1200 p = X->p + i;
1201 }
1202
1203 *p += c; c = (*p < c); i++; p++;
1204 }
1205
1206 cleanup:
1207
1208 return ret;
1209 }
1210
1211 /**
1212 * Helper for mbedtls_mpi subtraction.
1213 *
1214 * Calculate l - r where l and r have the same size.
1215 * This function operates modulo (2^ciL)^n and returns the carry
1216 * (1 if there was a wraparound, i.e. if `l < r`, and 0 otherwise).
1217 *
1218 * d may be aliased to l or r.
1219 *
1220 * \param n Number of limbs of \p d, \p l and \p r.
1221 * \param[out] d The result of the subtraction.
1222 * \param[in] l The left operand.
1223 * \param[in] r The right operand.
1224 *
1225 * \return 1 if `l < r`.
1226 * 0 if `l >= r`.
1227 */
mpi_sub_hlp(size_t n,mbedtls_mpi_uint * d,const mbedtls_mpi_uint * l,const mbedtls_mpi_uint * r)1228 static mbedtls_mpi_uint mpi_sub_hlp(size_t n,
1229 mbedtls_mpi_uint *d,
1230 const mbedtls_mpi_uint *l,
1231 const mbedtls_mpi_uint *r)
1232 {
1233 size_t i;
1234 mbedtls_mpi_uint c = 0, t, z;
1235
1236 for (i = 0; i < n; i++) {
1237 z = (l[i] < c); t = l[i] - c;
1238 c = (t < r[i]) + z; d[i] = t - r[i];
1239 }
1240
1241 return c;
1242 }
1243
1244 /*
1245 * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
1246 */
mbedtls_mpi_sub_abs(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1247 int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
1248 {
1249 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1250 size_t n;
1251 mbedtls_mpi_uint carry;
1252 MPI_VALIDATE_RET(X != NULL);
1253 MPI_VALIDATE_RET(A != NULL);
1254 MPI_VALIDATE_RET(B != NULL);
1255
1256 for (n = B->n; n > 0; n--) {
1257 if (B->p[n - 1] != 0) {
1258 break;
1259 }
1260 }
1261 if (n > A->n) {
1262 /* B >= (2^ciL)^n > A */
1263 ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1264 goto cleanup;
1265 }
1266
1267 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));
1268
1269 /* Set the high limbs of X to match A. Don't touch the lower limbs
1270 * because X might be aliased to B, and we must not overwrite the
1271 * significant digits of B. */
1272 if (A->n > n && A != X) {
1273 memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
1274 }
1275 if (X->n > A->n) {
1276 memset(X->p + A->n, 0, (X->n - A->n) * ciL);
1277 }
1278
1279 carry = mpi_sub_hlp(n, X->p, A->p, B->p);
1280 if (carry != 0) {
1281 /* Propagate the carry to the first nonzero limb of X. */
1282 for (; n < X->n && X->p[n] == 0; n++) {
1283 --X->p[n];
1284 }
1285 /* If we ran out of space for the carry, it means that the result
1286 * is negative. */
1287 if (n == X->n) {
1288 ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1289 goto cleanup;
1290 }
1291 --X->p[n];
1292 }
1293
1294 /* X should always be positive as a result of unsigned subtractions. */
1295 X->s = 1;
1296
1297 cleanup:
1298 return ret;
1299 }
1300
1301 /* Common function for signed addition and subtraction.
1302 * Calculate A + B * flip_B where flip_B is 1 or -1.
1303 */
add_sub_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B,int flip_B)1304 static int add_sub_mpi(mbedtls_mpi *X,
1305 const mbedtls_mpi *A, const mbedtls_mpi *B,
1306 int flip_B)
1307 {
1308 int ret, s;
1309 MPI_VALIDATE_RET(X != NULL);
1310 MPI_VALIDATE_RET(A != NULL);
1311 MPI_VALIDATE_RET(B != NULL);
1312
1313 s = A->s;
1314 if (A->s * B->s * flip_B < 0) {
1315 int cmp = mbedtls_mpi_cmp_abs(A, B);
1316 if (cmp >= 0) {
1317 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
1318 /* If |A| = |B|, the result is 0 and we must set the sign bit
1319 * to +1 regardless of which of A or B was negative. Otherwise,
1320 * since |A| > |B|, the sign is the sign of A. */
1321 X->s = cmp == 0 ? 1 : s;
1322 } else {
1323 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));
1324 /* Since |A| < |B|, the sign is the opposite of A. */
1325 X->s = -s;
1326 }
1327 } else {
1328 MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));
1329 X->s = s;
1330 }
1331
1332 cleanup:
1333
1334 return ret;
1335 }
1336
1337 /*
1338 * Signed addition: X = A + B
1339 */
mbedtls_mpi_add_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1340 int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
1341 {
1342 return add_sub_mpi(X, A, B, 1);
1343 }
1344
1345 /*
1346 * Signed subtraction: X = A - B
1347 */
mbedtls_mpi_sub_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1348 int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
1349 {
1350 return add_sub_mpi(X, A, B, -1);
1351 }
1352
1353 /*
1354 * Signed addition: X = A + b
1355 */
mbedtls_mpi_add_int(mbedtls_mpi * X,const mbedtls_mpi * A,mbedtls_mpi_sint b)1356 int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
1357 {
1358 mbedtls_mpi B;
1359 mbedtls_mpi_uint p[1];
1360 MPI_VALIDATE_RET(X != NULL);
1361 MPI_VALIDATE_RET(A != NULL);
1362
1363 p[0] = mpi_sint_abs(b);
1364 B.s = (b < 0) ? -1 : 1;
1365 B.n = 1;
1366 B.p = p;
1367
1368 return mbedtls_mpi_add_mpi(X, A, &B);
1369 }
1370
1371 /*
1372 * Signed subtraction: X = A - b
1373 */
mbedtls_mpi_sub_int(mbedtls_mpi * X,const mbedtls_mpi * A,mbedtls_mpi_sint b)1374 int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
1375 {
1376 mbedtls_mpi B;
1377 mbedtls_mpi_uint p[1];
1378 MPI_VALIDATE_RET(X != NULL);
1379 MPI_VALIDATE_RET(A != NULL);
1380
1381 p[0] = mpi_sint_abs(b);
1382 B.s = (b < 0) ? -1 : 1;
1383 B.n = 1;
1384 B.p = p;
1385
1386 return mbedtls_mpi_sub_mpi(X, A, &B);
1387 }
1388
1389 /** Helper for mbedtls_mpi multiplication.
1390 *
1391 * Add \p b * \p s to \p d.
1392 *
1393 * \param i The number of limbs of \p s.
1394 * \param[in] s A bignum to multiply, of size \p i.
1395 * It may overlap with \p d, but only if
1396 * \p d <= \p s.
1397 * Its leading limb must not be \c 0.
1398 * \param[in,out] d The bignum to add to.
1399 * It must be sufficiently large to store the
1400 * result of the multiplication. This means
1401 * \p i + 1 limbs if \p d[\p i - 1] started as 0 and \p b
1402 * is not known a priori.
1403 * \param b A scalar to multiply.
1404 */
1405 static
1406 #if defined(__APPLE__) && defined(__arm__)
1407 /*
1408 * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
1409 * appears to need this to prevent bad ARM code generation at -O3.
1410 */
1411 __attribute__((noinline))
1412 #endif
mpi_mul_hlp(size_t i,const mbedtls_mpi_uint * s,mbedtls_mpi_uint * d,mbedtls_mpi_uint b)1413 void mpi_mul_hlp(size_t i,
1414 const mbedtls_mpi_uint *s,
1415 mbedtls_mpi_uint *d,
1416 mbedtls_mpi_uint b)
1417 {
1418 mbedtls_mpi_uint c = 0, t = 0;
1419 (void) t; /* Unused in some architectures */
1420
1421 #if defined(MULADDC_HUIT)
1422 for (; i >= 8; i -= 8) {
1423 MULADDC_INIT
1424 MULADDC_HUIT
1425 MULADDC_STOP
1426 }
1427
1428 for (; i > 0; i--) {
1429 MULADDC_INIT
1430 MULADDC_CORE
1431 MULADDC_STOP
1432 }
1433 #else /* MULADDC_HUIT */
1434 for (; i >= 16; i -= 16) {
1435 MULADDC_INIT
1436 MULADDC_CORE MULADDC_CORE
1437 MULADDC_CORE MULADDC_CORE
1438 MULADDC_CORE MULADDC_CORE
1439 MULADDC_CORE MULADDC_CORE
1440
1441 MULADDC_CORE MULADDC_CORE
1442 MULADDC_CORE MULADDC_CORE
1443 MULADDC_CORE MULADDC_CORE
1444 MULADDC_CORE MULADDC_CORE
1445 MULADDC_STOP
1446 }
1447
1448 for (; i >= 8; i -= 8) {
1449 MULADDC_INIT
1450 MULADDC_CORE MULADDC_CORE
1451 MULADDC_CORE MULADDC_CORE
1452
1453 MULADDC_CORE MULADDC_CORE
1454 MULADDC_CORE MULADDC_CORE
1455 MULADDC_STOP
1456 }
1457
1458 for (; i > 0; i--) {
1459 MULADDC_INIT
1460 MULADDC_CORE
1461 MULADDC_STOP
1462 }
1463 #endif /* MULADDC_HUIT */
1464
1465 while (c != 0) {
1466 *d += c; c = (*d < c); d++;
1467 }
1468 }
1469
1470 /*
1471 * Baseline multiplication: X = A * B (HAC 14.12)
1472 */
mbedtls_mpi_mul_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1473 int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
1474 {
1475 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1476 size_t i, j;
1477 mbedtls_mpi TA, TB;
1478 int result_is_zero = 0;
1479 MPI_VALIDATE_RET(X != NULL);
1480 MPI_VALIDATE_RET(A != NULL);
1481 MPI_VALIDATE_RET(B != NULL);
1482
1483 mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
1484
1485 if (X == A) {
1486 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;
1487 }
1488 if (X == B) {
1489 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;
1490 }
1491
1492 for (i = A->n; i > 0; i--) {
1493 if (A->p[i - 1] != 0) {
1494 break;
1495 }
1496 }
1497 if (i == 0) {
1498 result_is_zero = 1;
1499 }
1500
1501 for (j = B->n; j > 0; j--) {
1502 if (B->p[j - 1] != 0) {
1503 break;
1504 }
1505 }
1506 if (j == 0) {
1507 result_is_zero = 1;
1508 }
1509
1510 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));
1511 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
1512
1513 for (; j > 0; j--) {
1514 mpi_mul_hlp(i, A->p, X->p + j - 1, B->p[j - 1]);
1515 }
1516
1517 /* If the result is 0, we don't shortcut the operation, which reduces
1518 * but does not eliminate side channels leaking the zero-ness. We do
1519 * need to take care to set the sign bit properly since the library does
1520 * not fully support an MPI object with a value of 0 and s == -1. */
1521 if (result_is_zero) {
1522 X->s = 1;
1523 } else {
1524 X->s = A->s * B->s;
1525 }
1526
1527 cleanup:
1528
1529 mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);
1530
1531 return ret;
1532 }
1533
1534 /*
1535 * Baseline multiplication: X = A * b
1536 */
mbedtls_mpi_mul_int(mbedtls_mpi * X,const mbedtls_mpi * A,mbedtls_mpi_uint b)1537 int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b)
1538 {
1539 MPI_VALIDATE_RET(X != NULL);
1540 MPI_VALIDATE_RET(A != NULL);
1541
1542 /* mpi_mul_hlp can't deal with a leading 0. */
1543 size_t n = A->n;
1544 while (n > 0 && A->p[n - 1] == 0) {
1545 --n;
1546 }
1547
1548 /* The general method below doesn't work if n==0 or b==0. By chance
1549 * calculating the result is trivial in those cases. */
1550 if (b == 0 || n == 0) {
1551 return mbedtls_mpi_lset(X, 0);
1552 }
1553
1554 /* Calculate A*b as A + A*(b-1) to take advantage of mpi_mul_hlp */
1555 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1556 /* In general, A * b requires 1 limb more than b. If
1557 * A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
1558 * number of limbs as A and the call to grow() is not required since
1559 * copy() will take care of the growth if needed. However, experimentally,
1560 * making the call to grow() unconditional causes slightly fewer
1561 * calls to calloc() in ECP code, presumably because it reuses the
1562 * same mpi for a while and this way the mpi is more likely to directly
1563 * grow to its final size. */
1564 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));
1565 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
1566 mpi_mul_hlp(n, A->p, X->p, b - 1);
1567
1568 cleanup:
1569 return ret;
1570 }
1571
1572 /*
1573 * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
1574 * mbedtls_mpi_uint divisor, d
1575 */
mbedtls_int_div_int(mbedtls_mpi_uint u1,mbedtls_mpi_uint u0,mbedtls_mpi_uint d,mbedtls_mpi_uint * r)1576 static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
1577 mbedtls_mpi_uint u0,
1578 mbedtls_mpi_uint d,
1579 mbedtls_mpi_uint *r)
1580 {
1581 #if defined(MBEDTLS_HAVE_UDBL)
1582 mbedtls_t_udbl dividend, quotient;
1583 #else
1584 const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
1585 const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;
1586 mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
1587 mbedtls_mpi_uint u0_msw, u0_lsw;
1588 size_t s;
1589 #endif
1590
1591 /*
1592 * Check for overflow
1593 */
1594 if (0 == d || u1 >= d) {
1595 if (r != NULL) {
1596 *r = ~(mbedtls_mpi_uint) 0u;
1597 }
1598
1599 return ~(mbedtls_mpi_uint) 0u;
1600 }
1601
1602 #if defined(MBEDTLS_HAVE_UDBL)
1603 dividend = (mbedtls_t_udbl) u1 << biL;
1604 dividend |= (mbedtls_t_udbl) u0;
1605 quotient = dividend / d;
1606 if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {
1607 quotient = ((mbedtls_t_udbl) 1 << biL) - 1;
1608 }
1609
1610 if (r != NULL) {
1611 *r = (mbedtls_mpi_uint) (dividend - (quotient * d));
1612 }
1613
1614 return (mbedtls_mpi_uint) quotient;
1615 #else
1616
1617 /*
1618 * Algorithm D, Section 4.3.1 - The Art of Computer Programming
1619 * Vol. 2 - Seminumerical Algorithms, Knuth
1620 */
1621
1622 /*
1623 * Normalize the divisor, d, and dividend, u0, u1
1624 */
1625 s = mbedtls_clz(d);
1626 d = d << s;
1627
1628 u1 = u1 << s;
1629 u1 |= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));
1630 u0 = u0 << s;
1631
1632 d1 = d >> biH;
1633 d0 = d & uint_halfword_mask;
1634
1635 u0_msw = u0 >> biH;
1636 u0_lsw = u0 & uint_halfword_mask;
1637
1638 /*
1639 * Find the first quotient and remainder
1640 */
1641 q1 = u1 / d1;
1642 r0 = u1 - d1 * q1;
1643
1644 while (q1 >= radix || (q1 * d0 > radix * r0 + u0_msw)) {
1645 q1 -= 1;
1646 r0 += d1;
1647
1648 if (r0 >= radix) {
1649 break;
1650 }
1651 }
1652
1653 rAX = (u1 * radix) + (u0_msw - q1 * d);
1654 q0 = rAX / d1;
1655 r0 = rAX - q0 * d1;
1656
1657 while (q0 >= radix || (q0 * d0 > radix * r0 + u0_lsw)) {
1658 q0 -= 1;
1659 r0 += d1;
1660
1661 if (r0 >= radix) {
1662 break;
1663 }
1664 }
1665
1666 if (r != NULL) {
1667 *r = (rAX * radix + u0_lsw - q0 * d) >> s;
1668 }
1669
1670 quotient = q1 * radix + q0;
1671
1672 return quotient;
1673 #endif
1674 }
1675
1676 /*
1677 * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
1678 */
mbedtls_mpi_div_mpi(mbedtls_mpi * Q,mbedtls_mpi * R,const mbedtls_mpi * A,const mbedtls_mpi * B)1679 int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
1680 const mbedtls_mpi *B)
1681 {
1682 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1683 size_t i, n, t, k;
1684 mbedtls_mpi X, Y, Z, T1, T2;
1685 mbedtls_mpi_uint TP2[3];
1686 MPI_VALIDATE_RET(A != NULL);
1687 MPI_VALIDATE_RET(B != NULL);
1688
1689 if (mbedtls_mpi_cmp_int(B, 0) == 0) {
1690 return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
1691 }
1692
1693 mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
1694 mbedtls_mpi_init(&T1);
1695 /*
1696 * Avoid dynamic memory allocations for constant-size T2.
1697 *
1698 * T2 is used for comparison only and the 3 limbs are assigned explicitly,
1699 * so nobody increase the size of the MPI and we're safe to use an on-stack
1700 * buffer.
1701 */
1702 T2.s = 1;
1703 T2.n = sizeof(TP2) / sizeof(*TP2);
1704 T2.p = TP2;
1705
1706 if (mbedtls_mpi_cmp_abs(A, B) < 0) {
1707 if (Q != NULL) {
1708 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
1709 }
1710 if (R != NULL) {
1711 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));
1712 }
1713 return 0;
1714 }
1715
1716 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));
1717 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));
1718 X.s = Y.s = 1;
1719
1720 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
1721 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));
1722 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));
1723
1724 k = mbedtls_mpi_bitlen(&Y) % biL;
1725 if (k < biL - 1) {
1726 k = biL - 1 - k;
1727 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));
1728 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));
1729 } else {
1730 k = 0;
1731 }
1732
1733 n = X.n - 1;
1734 t = Y.n - 1;
1735 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));
1736
1737 while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {
1738 Z.p[n - t]++;
1739 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));
1740 }
1741 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));
1742
1743 for (i = n; i > t; i--) {
1744 if (X.p[i] >= Y.p[t]) {
1745 Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;
1746 } else {
1747 Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],
1748 Y.p[t], NULL);
1749 }
1750
1751 T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
1752 T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
1753 T2.p[2] = X.p[i];
1754
1755 Z.p[i - t - 1]++;
1756 do {
1757 Z.p[i - t - 1]--;
1758
1759 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));
1760 T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
1761 T1.p[1] = Y.p[t];
1762 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
1763 } while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
1764
1765 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
1766 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
1767 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));
1768
1769 if (mbedtls_mpi_cmp_int(&X, 0) < 0) {
1770 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));
1771 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
1772 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));
1773 Z.p[i - t - 1]--;
1774 }
1775 }
1776
1777 if (Q != NULL) {
1778 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));
1779 Q->s = A->s * B->s;
1780 }
1781
1782 if (R != NULL) {
1783 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));
1784 X.s = A->s;
1785 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));
1786
1787 if (mbedtls_mpi_cmp_int(R, 0) == 0) {
1788 R->s = 1;
1789 }
1790 }
1791
1792 cleanup:
1793
1794 mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
1795 mbedtls_mpi_free(&T1);
1796 mbedtls_platform_zeroize(TP2, sizeof(TP2));
1797
1798 return ret;
1799 }
1800
1801 /*
1802 * Division by int: A = Q * b + R
1803 */
mbedtls_mpi_div_int(mbedtls_mpi * Q,mbedtls_mpi * R,const mbedtls_mpi * A,mbedtls_mpi_sint b)1804 int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R,
1805 const mbedtls_mpi *A,
1806 mbedtls_mpi_sint b)
1807 {
1808 mbedtls_mpi B;
1809 mbedtls_mpi_uint p[1];
1810 MPI_VALIDATE_RET(A != NULL);
1811
1812 p[0] = mpi_sint_abs(b);
1813 B.s = (b < 0) ? -1 : 1;
1814 B.n = 1;
1815 B.p = p;
1816
1817 return mbedtls_mpi_div_mpi(Q, R, A, &B);
1818 }
1819
1820 /*
1821 * Modulo: R = A mod B
1822 */
mbedtls_mpi_mod_mpi(mbedtls_mpi * R,const mbedtls_mpi * A,const mbedtls_mpi * B)1823 int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B)
1824 {
1825 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1826 MPI_VALIDATE_RET(R != NULL);
1827 MPI_VALIDATE_RET(A != NULL);
1828 MPI_VALIDATE_RET(B != NULL);
1829
1830 if (mbedtls_mpi_cmp_int(B, 0) < 0) {
1831 return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1832 }
1833
1834 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));
1835
1836 while (mbedtls_mpi_cmp_int(R, 0) < 0) {
1837 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));
1838 }
1839
1840 while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {
1841 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));
1842 }
1843
1844 cleanup:
1845
1846 return ret;
1847 }
1848
1849 /*
1850 * Modulo: r = A mod b
1851 */
mbedtls_mpi_mod_int(mbedtls_mpi_uint * r,const mbedtls_mpi * A,mbedtls_mpi_sint b)1852 int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b)
1853 {
1854 size_t i;
1855 mbedtls_mpi_uint x, y, z;
1856 MPI_VALIDATE_RET(r != NULL);
1857 MPI_VALIDATE_RET(A != NULL);
1858
1859 if (b == 0) {
1860 return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
1861 }
1862
1863 if (b < 0) {
1864 return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1865 }
1866
1867 /*
1868 * handle trivial cases
1869 */
1870 if (b == 1 || A->n == 0) {
1871 *r = 0;
1872 return 0;
1873 }
1874
1875 if (b == 2) {
1876 *r = A->p[0] & 1;
1877 return 0;
1878 }
1879
1880 /*
1881 * general case
1882 */
1883 for (i = A->n, y = 0; i > 0; i--) {
1884 x = A->p[i - 1];
1885 y = (y << biH) | (x >> biH);
1886 z = y / b;
1887 y -= z * b;
1888
1889 x <<= biH;
1890 y = (y << biH) | (x >> biH);
1891 z = y / b;
1892 y -= z * b;
1893 }
1894
1895 /*
1896 * If A is negative, then the current y represents a negative value.
1897 * Flipping it to the positive side.
1898 */
1899 if (A->s < 0 && y != 0) {
1900 y = b - y;
1901 }
1902
1903 *r = y;
1904
1905 return 0;
1906 }
1907
1908 /*
1909 * Fast Montgomery initialization (thanks to Tom St Denis)
1910 */
mbedtls_mpi_montmul_init(const mbedtls_mpi_uint * N)1911 mbedtls_mpi_uint mbedtls_mpi_montmul_init(const mbedtls_mpi_uint *N)
1912 {
1913 mbedtls_mpi_uint x = N[0];
1914
1915 x += ((N[0] + 2) & 4) << 1;
1916
1917 for (unsigned int i = biL; i >= 8; i /= 2) {
1918 x *= (2 - (N[0] * x));
1919 }
1920
1921 return ~x + 1;
1922 }
1923
mbedtls_mpi_montmul(mbedtls_mpi * A,const mbedtls_mpi * B,const mbedtls_mpi * N,mbedtls_mpi_uint mm,const mbedtls_mpi * T)1924 void mbedtls_mpi_montmul(mbedtls_mpi *A,
1925 const mbedtls_mpi *B,
1926 const mbedtls_mpi *N,
1927 mbedtls_mpi_uint mm,
1928 const mbedtls_mpi *T)
1929 {
1930 size_t i, n, m;
1931 mbedtls_mpi_uint u0, u1, *d;
1932
1933 memset(T->p, 0, T->n * ciL);
1934
1935 d = T->p;
1936 n = N->n;
1937 m = (B->n < n) ? B->n : n;
1938
1939 for (i = 0; i < n; i++) {
1940 /*
1941 * T = (T + u0*B + u1*N) / 2^biL
1942 */
1943 u0 = A->p[i];
1944 u1 = (d[0] + u0 * B->p[0]) * mm;
1945
1946 mpi_mul_hlp(m, B->p, d, u0);
1947 mpi_mul_hlp(n, N->p, d, u1);
1948
1949 *d++ = u0; d[n + 1] = 0;
1950 }
1951
1952 /* At this point, d is either the desired result or the desired result
1953 * plus N. We now potentially subtract N, avoiding leaking whether the
1954 * subtraction is performed through side channels. */
1955
1956 /* Copy the n least significant limbs of d to A, so that
1957 * A = d if d < N (recall that N has n limbs). */
1958 memcpy(A->p, d, n * ciL);
1959 /* If d >= N then we want to set A to d - N. To prevent timing attacks,
1960 * do the calculation without using conditional tests. */
1961 /* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
1962 d[n] += 1;
1963 d[n] -= mpi_sub_hlp(n, d, d, N->p);
1964 /* If d0 < N then d < (2^biL)^n
1965 * so d[n] == 0 and we want to keep A as it is.
1966 * If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
1967 * so d[n] == 1 and we want to set A to the result of the subtraction
1968 * which is d - (2^biL)^n, i.e. the n least significant limbs of d.
1969 * This exactly corresponds to a conditional assignment. */
1970 mbedtls_ct_mpi_uint_cond_assign(n, A->p, d, (unsigned char) d[n]);
1971 }
1972
1973 /*
1974 * Montgomery reduction: A = A * R^-1 mod N
1975 *
1976 * See mbedtls_mpi_montmul() regarding constraints and guarantees on the
1977 * parameters.
1978 */
mpi_montred(mbedtls_mpi * A,const mbedtls_mpi * N,mbedtls_mpi_uint mm,const mbedtls_mpi * T)1979 static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N,
1980 mbedtls_mpi_uint mm, const mbedtls_mpi *T)
1981 {
1982 mbedtls_mpi_uint z = 1;
1983 mbedtls_mpi U;
1984
1985 U.n = U.s = (int) z;
1986 U.p = &z;
1987
1988 mbedtls_mpi_montmul(A, &U, N, mm, T);
1989 }
1990
1991 /**
1992 * Select an MPI from a table without leaking the index.
1993 *
1994 * This is functionally equivalent to mbedtls_mpi_copy(R, T[idx]) except it
1995 * reads the entire table in order to avoid leaking the value of idx to an
1996 * attacker able to observe memory access patterns.
1997 *
1998 * \param[out] R Where to write the selected MPI.
1999 * \param[in] T The table to read from.
2000 * \param[in] T_size The number of elements in the table.
2001 * \param[in] idx The index of the element to select;
2002 * this must satisfy 0 <= idx < T_size.
2003 *
2004 * \return \c 0 on success, or a negative error code.
2005 */
mpi_select(mbedtls_mpi * R,const mbedtls_mpi * T,size_t T_size,size_t idx)2006 static int mpi_select(mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size_t idx)
2007 {
2008 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2009
2010 for (size_t i = 0; i < T_size; i++) {
2011 MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(R, &T[i],
2012 (unsigned char) mbedtls_ct_size_bool_eq(i,
2013 idx)));
2014 }
2015
2016 cleanup:
2017 return ret;
2018 }
2019
mbedtls_mpi_get_mont_r2_unsafe(mbedtls_mpi * X,const mbedtls_mpi * N)2020 int mbedtls_mpi_get_mont_r2_unsafe(mbedtls_mpi *X,
2021 const mbedtls_mpi *N)
2022 {
2023 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2024
2025 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 1));
2026 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, N->n * 2 * biL));
2027 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
2028 MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(X, N->n));
2029
2030 cleanup:
2031 return ret;
2032 }
2033
2034 /*
2035 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
2036 */
mbedtls_mpi_exp_mod(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * E,const mbedtls_mpi * N,mbedtls_mpi * prec_RR)2037 int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
2038 const mbedtls_mpi *E, const mbedtls_mpi *N,
2039 mbedtls_mpi *prec_RR)
2040 {
2041 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2042 size_t window_bitsize;
2043 size_t i, j, nblimbs;
2044 size_t bufsize, nbits;
2045 size_t exponent_bits_in_window = 0;
2046 mbedtls_mpi_uint ei, mm, state;
2047 mbedtls_mpi RR, T, W[(size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE], WW, Apos;
2048 int neg;
2049
2050 MPI_VALIDATE_RET(X != NULL);
2051 MPI_VALIDATE_RET(A != NULL);
2052 MPI_VALIDATE_RET(E != NULL);
2053 MPI_VALIDATE_RET(N != NULL);
2054
2055 if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) {
2056 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2057 }
2058
2059 if (mbedtls_mpi_cmp_int(E, 0) < 0) {
2060 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2061 }
2062
2063 if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS ||
2064 mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {
2065 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2066 }
2067
2068 /*
2069 * Init temps and window size
2070 */
2071 mm = mbedtls_mpi_montmul_init(N->p);
2072 mbedtls_mpi_init(&RR); mbedtls_mpi_init(&T);
2073 mbedtls_mpi_init(&Apos);
2074 mbedtls_mpi_init(&WW);
2075 memset(W, 0, sizeof(W));
2076
2077 i = mbedtls_mpi_bitlen(E);
2078
2079 window_bitsize = (i > 671) ? 6 : (i > 239) ? 5 :
2080 (i > 79) ? 4 : (i > 23) ? 3 : 1;
2081
2082 #if (MBEDTLS_MPI_WINDOW_SIZE < 6)
2083 if (window_bitsize > MBEDTLS_MPI_WINDOW_SIZE) {
2084 window_bitsize = MBEDTLS_MPI_WINDOW_SIZE;
2085 }
2086 #endif
2087
2088 const size_t w_table_used_size = (size_t) 1 << window_bitsize;
2089
2090 /*
2091 * This function is not constant-trace: its memory accesses depend on the
2092 * exponent value. To defend against timing attacks, callers (such as RSA
2093 * and DHM) should use exponent blinding. However this is not enough if the
2094 * adversary can find the exponent in a single trace, so this function
2095 * takes extra precautions against adversaries who can observe memory
2096 * access patterns.
2097 *
2098 * This function performs a series of multiplications by table elements and
2099 * squarings, and we want the prevent the adversary from finding out which
2100 * table element was used, and from distinguishing between multiplications
2101 * and squarings. Firstly, when multiplying by an element of the window
2102 * W[i], we do a constant-trace table lookup to obfuscate i. This leaves
2103 * squarings as having a different memory access patterns from other
2104 * multiplications. So secondly, we put the accumulator in the table as
2105 * well, and also do a constant-trace table lookup to multiply by the
2106 * accumulator which is W[x_index].
2107 *
2108 * This way, all multiplications take the form of a lookup-and-multiply.
2109 * The number of lookup-and-multiply operations inside each iteration of
2110 * the main loop still depends on the bits of the exponent, but since the
2111 * other operations in the loop don't have an easily recognizable memory
2112 * trace, an adversary is unlikely to be able to observe the exact
2113 * patterns.
2114 *
2115 * An adversary may still be able to recover the exponent if they can
2116 * observe both memory accesses and branches. However, branch prediction
2117 * exploitation typically requires many traces of execution over the same
2118 * data, which is defeated by randomized blinding.
2119 */
2120 const size_t x_index = 0;
2121 mbedtls_mpi_init(&W[x_index]);
2122
2123 j = N->n + 1;
2124 /* All W[i] including the accumulator must have at least N->n limbs for
2125 * the mbedtls_mpi_montmul() and mpi_montred() calls later. Here we ensure
2126 * that W[1] and the accumulator W[x_index] are large enough. later we'll
2127 * grow other W[i] to the same length. They must not be shrunk midway
2128 * through this function!
2129 */
2130 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j));
2131 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j));
2132 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T, j * 2));
2133
2134 /*
2135 * Compensate for negative A (and correct at the end)
2136 */
2137 neg = (A->s == -1);
2138 if (neg) {
2139 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Apos, A));
2140 Apos.s = 1;
2141 A = &Apos;
2142 }
2143
2144 /*
2145 * If 1st call, pre-compute R^2 mod N
2146 */
2147 if (prec_RR == NULL || prec_RR->p == NULL) {
2148 mbedtls_mpi_get_mont_r2_unsafe(&RR, N);
2149
2150 if (prec_RR != NULL) {
2151 memcpy(prec_RR, &RR, sizeof(mbedtls_mpi));
2152 }
2153 } else {
2154 memcpy(&RR, prec_RR, sizeof(mbedtls_mpi));
2155 }
2156
2157 /*
2158 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
2159 */
2160 if (mbedtls_mpi_cmp_mpi(A, N) >= 0) {
2161 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&W[1], A, N));
2162 /* This should be a no-op because W[1] is already that large before
2163 * mbedtls_mpi_mod_mpi(), but it's necessary to avoid an overflow
2164 * in mbedtls_mpi_montmul() below, so let's make sure. */
2165 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], N->n + 1));
2166 } else {
2167 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[1], A));
2168 }
2169
2170 /* Note that this is safe because W[1] always has at least N->n limbs
2171 * (it grew above and was preserved by mbedtls_mpi_copy()). */
2172 mbedtls_mpi_montmul(&W[1], &RR, N, mm, &T);
2173
2174 /*
2175 * W[x_index] = R^2 * R^-1 mod N = R mod N
2176 */
2177 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[x_index], &RR));
2178 mpi_montred(&W[x_index], N, mm, &T);
2179
2180
2181 if (window_bitsize > 1) {
2182 /*
2183 * W[i] = W[1] ^ i
2184 *
2185 * The first bit of the sliding window is always 1 and therefore we
2186 * only need to store the second half of the table.
2187 *
2188 * (There are two special elements in the table: W[0] for the
2189 * accumulator/result and W[1] for A in Montgomery form. Both of these
2190 * are already set at this point.)
2191 */
2192 j = w_table_used_size / 2;
2193
2194 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[j], N->n + 1));
2195 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[j], &W[1]));
2196
2197 for (i = 0; i < window_bitsize - 1; i++) {
2198 mbedtls_mpi_montmul(&W[j], &W[j], N, mm, &T);
2199 }
2200
2201 /*
2202 * W[i] = W[i - 1] * W[1]
2203 */
2204 for (i = j + 1; i < w_table_used_size; i++) {
2205 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[i], N->n + 1));
2206 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[i], &W[i - 1]));
2207
2208 mbedtls_mpi_montmul(&W[i], &W[1], N, mm, &T);
2209 }
2210 }
2211
2212 nblimbs = E->n;
2213 bufsize = 0;
2214 nbits = 0;
2215 state = 0;
2216
2217 while (1) {
2218 if (bufsize == 0) {
2219 if (nblimbs == 0) {
2220 break;
2221 }
2222
2223 nblimbs--;
2224
2225 bufsize = sizeof(mbedtls_mpi_uint) << 3;
2226 }
2227
2228 bufsize--;
2229
2230 ei = (E->p[nblimbs] >> bufsize) & 1;
2231
2232 /*
2233 * skip leading 0s
2234 */
2235 if (ei == 0 && state == 0) {
2236 continue;
2237 }
2238
2239 if (ei == 0 && state == 1) {
2240 /*
2241 * out of window, square W[x_index]
2242 */
2243 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
2244 mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
2245 continue;
2246 }
2247
2248 /*
2249 * add ei to current window
2250 */
2251 state = 2;
2252
2253 nbits++;
2254 exponent_bits_in_window |= (ei << (window_bitsize - nbits));
2255
2256 if (nbits == window_bitsize) {
2257 /*
2258 * W[x_index] = W[x_index]^window_bitsize R^-1 mod N
2259 */
2260 for (i = 0; i < window_bitsize; i++) {
2261 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
2262 x_index));
2263 mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
2264 }
2265
2266 /*
2267 * W[x_index] = W[x_index] * W[exponent_bits_in_window] R^-1 mod N
2268 */
2269 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
2270 exponent_bits_in_window));
2271 mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
2272
2273 state--;
2274 nbits = 0;
2275 exponent_bits_in_window = 0;
2276 }
2277 }
2278
2279 /*
2280 * process the remaining bits
2281 */
2282 for (i = 0; i < nbits; i++) {
2283 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
2284 mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
2285
2286 exponent_bits_in_window <<= 1;
2287
2288 if ((exponent_bits_in_window & ((size_t) 1 << window_bitsize)) != 0) {
2289 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, 1));
2290 mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
2291 }
2292 }
2293
2294 /*
2295 * W[x_index] = A^E * R * R^-1 mod N = A^E mod N
2296 */
2297 mpi_montred(&W[x_index], N, mm, &T);
2298
2299 if (neg && E->n != 0 && (E->p[0] & 1) != 0) {
2300 W[x_index].s = -1;
2301 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&W[x_index], N, &W[x_index]));
2302 }
2303
2304 /*
2305 * Load the result in the output variable.
2306 */
2307 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &W[x_index]));
2308
2309 cleanup:
2310
2311 /* The first bit of the sliding window is always 1 and therefore the first
2312 * half of the table was unused. */
2313 for (i = w_table_used_size/2; i < w_table_used_size; i++) {
2314 mbedtls_mpi_free(&W[i]);
2315 }
2316
2317 mbedtls_mpi_free(&W[x_index]);
2318 mbedtls_mpi_free(&W[1]);
2319 mbedtls_mpi_free(&T);
2320 mbedtls_mpi_free(&Apos);
2321 mbedtls_mpi_free(&WW);
2322
2323 if (prec_RR == NULL || prec_RR->p == NULL) {
2324 mbedtls_mpi_free(&RR);
2325 }
2326
2327 return ret;
2328 }
2329
2330 /*
2331 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
2332 */
mbedtls_mpi_gcd(mbedtls_mpi * G,const mbedtls_mpi * A,const mbedtls_mpi * B)2333 int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B)
2334 {
2335 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2336 size_t lz, lzt;
2337 mbedtls_mpi TA, TB;
2338
2339 MPI_VALIDATE_RET(G != NULL);
2340 MPI_VALIDATE_RET(A != NULL);
2341 MPI_VALIDATE_RET(B != NULL);
2342
2343 mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
2344
2345 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
2346 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));
2347
2348 lz = mbedtls_mpi_lsb(&TA);
2349 lzt = mbedtls_mpi_lsb(&TB);
2350
2351 /* The loop below gives the correct result when A==0 but not when B==0.
2352 * So have a special case for B==0. Leverage the fact that we just
2353 * calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
2354 * slightly more efficient than cmp_int(). */
2355 if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) {
2356 ret = mbedtls_mpi_copy(G, A);
2357 goto cleanup;
2358 }
2359
2360 if (lzt < lz) {
2361 lz = lzt;
2362 }
2363
2364 TA.s = TB.s = 1;
2365
2366 /* We mostly follow the procedure described in HAC 14.54, but with some
2367 * minor differences:
2368 * - Sequences of multiplications or divisions by 2 are grouped into a
2369 * single shift operation.
2370 * - The procedure in HAC assumes that 0 < TB <= TA.
2371 * - The condition TB <= TA is not actually necessary for correctness.
2372 * TA and TB have symmetric roles except for the loop termination
2373 * condition, and the shifts at the beginning of the loop body
2374 * remove any significance from the ordering of TA vs TB before
2375 * the shifts.
2376 * - If TA = 0, the loop goes through 0 iterations and the result is
2377 * correctly TB.
2378 * - The case TB = 0 was short-circuited above.
2379 *
2380 * For the correctness proof below, decompose the original values of
2381 * A and B as
2382 * A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
2383 * B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
2384 * Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
2385 * and gcd(A',B') is odd or 0.
2386 *
2387 * At the beginning, we have TA = |A| and TB = |B| so gcd(A,B) = gcd(TA,TB).
2388 * The code maintains the following invariant:
2389 * gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
2390 */
2391
2392 /* Proof that the loop terminates:
2393 * At each iteration, either the right-shift by 1 is made on a nonzero
2394 * value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
2395 * by at least 1, or the right-shift by 1 is made on zero and then
2396 * TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
2397 * since in that case TB is calculated from TB-TA with the condition TB>TA).
2398 */
2399 while (mbedtls_mpi_cmp_int(&TA, 0) != 0) {
2400 /* Divisions by 2 preserve the invariant (I). */
2401 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA)));
2402 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB)));
2403
2404 /* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd,
2405 * TA-TB is even so the division by 2 has an integer result.
2406 * Invariant (I) is preserved since any odd divisor of both TA and TB
2407 * also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2
2408 * also divides TB, and any odd divisor of both TB and |TA-TB|/2 also
2409 * divides TA.
2410 */
2411 if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) {
2412 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB));
2413 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1));
2414 } else {
2415 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA));
2416 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1));
2417 }
2418 /* Note that one of TA or TB is still odd. */
2419 }
2420
2421 /* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
2422 * At the loop exit, TA = 0, so gcd(TA,TB) = TB.
2423 * - If there was at least one loop iteration, then one of TA or TB is odd,
2424 * and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
2425 * lz = min(a,b) so gcd(A,B) = 2^lz * TB.
2426 * - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
2427 * In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
2428 */
2429
2430 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz));
2431 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB));
2432
2433 cleanup:
2434
2435 mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);
2436
2437 return ret;
2438 }
2439
2440 /* Fill X with n_bytes random bytes.
2441 * X must already have room for those bytes.
2442 * The ordering of the bytes returned from the RNG is suitable for
2443 * deterministic ECDSA (see RFC 6979 §3.3 and mbedtls_mpi_random()).
2444 * The size and sign of X are unchanged.
2445 * n_bytes must not be 0.
2446 */
mpi_fill_random_internal(mbedtls_mpi * X,size_t n_bytes,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2447 static int mpi_fill_random_internal(
2448 mbedtls_mpi *X, size_t n_bytes,
2449 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
2450 {
2451 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2452 const size_t limbs = CHARS_TO_LIMBS(n_bytes);
2453 const size_t overhead = (limbs * ciL) - n_bytes;
2454
2455 if (X->n < limbs) {
2456 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2457 }
2458
2459 memset(X->p, 0, overhead);
2460 memset((unsigned char *) X->p + limbs * ciL, 0, (X->n - limbs) * ciL);
2461 MBEDTLS_MPI_CHK(f_rng(p_rng, (unsigned char *) X->p + overhead, n_bytes));
2462 mpi_bigendian_to_host(X->p, limbs);
2463
2464 cleanup:
2465 return ret;
2466 }
2467
2468 /*
2469 * Fill X with size bytes of random.
2470 *
2471 * Use a temporary bytes representation to make sure the result is the same
2472 * regardless of the platform endianness (useful when f_rng is actually
2473 * deterministic, eg for tests).
2474 */
mbedtls_mpi_fill_random(mbedtls_mpi * X,size_t size,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2475 int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
2476 int (*f_rng)(void *, unsigned char *, size_t),
2477 void *p_rng)
2478 {
2479 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2480 size_t const limbs = CHARS_TO_LIMBS(size);
2481
2482 MPI_VALIDATE_RET(X != NULL);
2483 MPI_VALIDATE_RET(f_rng != NULL);
2484
2485 /* Ensure that target MPI has exactly the necessary number of limbs */
2486 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
2487 if (size == 0) {
2488 return 0;
2489 }
2490
2491 ret = mpi_fill_random_internal(X, size, f_rng, p_rng);
2492
2493 cleanup:
2494 return ret;
2495 }
2496
mbedtls_mpi_random(mbedtls_mpi * X,mbedtls_mpi_sint min,const mbedtls_mpi * N,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2497 int mbedtls_mpi_random(mbedtls_mpi *X,
2498 mbedtls_mpi_sint min,
2499 const mbedtls_mpi *N,
2500 int (*f_rng)(void *, unsigned char *, size_t),
2501 void *p_rng)
2502 {
2503 int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2504 int count;
2505 unsigned lt_lower = 1, lt_upper = 0;
2506 size_t n_bits = mbedtls_mpi_bitlen(N);
2507 size_t n_bytes = (n_bits + 7) / 8;
2508 mbedtls_mpi lower_bound;
2509
2510 if (min < 0) {
2511 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2512 }
2513 if (mbedtls_mpi_cmp_int(N, min) <= 0) {
2514 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2515 }
2516
2517 /*
2518 * When min == 0, each try has at worst a probability 1/2 of failing
2519 * (the msb has a probability 1/2 of being 0, and then the result will
2520 * be < N), so after 30 tries failure probability is a most 2**(-30).
2521 *
2522 * When N is just below a power of 2, as is the case when generating
2523 * a random scalar on most elliptic curves, 1 try is enough with
2524 * overwhelming probability. When N is just above a power of 2,
2525 * as when generating a random scalar on secp224k1, each try has
2526 * a probability of failing that is almost 1/2.
2527 *
2528 * The probabilities are almost the same if min is nonzero but negligible
2529 * compared to N. This is always the case when N is crypto-sized, but
2530 * it's convenient to support small N for testing purposes. When N
2531 * is small, use a higher repeat count, otherwise the probability of
2532 * failure is macroscopic.
2533 */
2534 count = (n_bytes > 4 ? 30 : 250);
2535
2536 mbedtls_mpi_init(&lower_bound);
2537
2538 /* Ensure that target MPI has exactly the same number of limbs
2539 * as the upper bound, even if the upper bound has leading zeros.
2540 * This is necessary for the mbedtls_mpi_lt_mpi_ct() check. */
2541 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, N->n));
2542 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&lower_bound, N->n));
2543 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&lower_bound, min));
2544
2545 /*
2546 * Match the procedure given in RFC 6979 §3.3 (deterministic ECDSA)
2547 * when f_rng is a suitably parametrized instance of HMAC_DRBG:
2548 * - use the same byte ordering;
2549 * - keep the leftmost n_bits bits of the generated octet string;
2550 * - try until result is in the desired range.
2551 * This also avoids any bias, which is especially important for ECDSA.
2552 */
2553 do {
2554 MBEDTLS_MPI_CHK(mpi_fill_random_internal(X, n_bytes, f_rng, p_rng));
2555 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, 8 * n_bytes - n_bits));
2556
2557 if (--count == 0) {
2558 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2559 goto cleanup;
2560 }
2561
2562 MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(X, &lower_bound, <_lower));
2563 MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(X, N, <_upper));
2564 } while (lt_lower != 0 || lt_upper == 0);
2565
2566 cleanup:
2567 mbedtls_mpi_free(&lower_bound);
2568 return ret;
2569 }
2570
2571 /*
2572 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
2573 */
mbedtls_mpi_inv_mod(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * N)2574 int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N)
2575 {
2576 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2577 mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
2578 MPI_VALIDATE_RET(X != NULL);
2579 MPI_VALIDATE_RET(A != NULL);
2580 MPI_VALIDATE_RET(N != NULL);
2581
2582 if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
2583 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2584 }
2585
2586 mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);
2587 mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);
2588 mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);
2589
2590 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));
2591
2592 if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
2593 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2594 goto cleanup;
2595 }
2596
2597 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));
2598 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));
2599 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));
2600 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));
2601
2602 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));
2603 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));
2604 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));
2605 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));
2606
2607 do {
2608 while ((TU.p[0] & 1) == 0) {
2609 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));
2610
2611 if ((U1.p[0] & 1) != 0 || (U2.p[0] & 1) != 0) {
2612 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));
2613 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));
2614 }
2615
2616 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));
2617 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));
2618 }
2619
2620 while ((TV.p[0] & 1) == 0) {
2621 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));
2622
2623 if ((V1.p[0] & 1) != 0 || (V2.p[0] & 1) != 0) {
2624 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));
2625 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));
2626 }
2627
2628 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));
2629 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));
2630 }
2631
2632 if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {
2633 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));
2634 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));
2635 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));
2636 } else {
2637 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));
2638 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));
2639 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));
2640 }
2641 } while (mbedtls_mpi_cmp_int(&TU, 0) != 0);
2642
2643 while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {
2644 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));
2645 }
2646
2647 while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {
2648 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));
2649 }
2650
2651 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));
2652
2653 cleanup:
2654
2655 mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);
2656 mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);
2657 mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);
2658
2659 return ret;
2660 }
2661
2662 #if defined(MBEDTLS_GENPRIME)
2663
2664 static const int small_prime[] =
2665 {
2666 3, 5, 7, 11, 13, 17, 19, 23,
2667 29, 31, 37, 41, 43, 47, 53, 59,
2668 61, 67, 71, 73, 79, 83, 89, 97,
2669 101, 103, 107, 109, 113, 127, 131, 137,
2670 139, 149, 151, 157, 163, 167, 173, 179,
2671 181, 191, 193, 197, 199, 211, 223, 227,
2672 229, 233, 239, 241, 251, 257, 263, 269,
2673 271, 277, 281, 283, 293, 307, 311, 313,
2674 317, 331, 337, 347, 349, 353, 359, 367,
2675 373, 379, 383, 389, 397, 401, 409, 419,
2676 421, 431, 433, 439, 443, 449, 457, 461,
2677 463, 467, 479, 487, 491, 499, 503, 509,
2678 521, 523, 541, 547, 557, 563, 569, 571,
2679 577, 587, 593, 599, 601, 607, 613, 617,
2680 619, 631, 641, 643, 647, 653, 659, 661,
2681 673, 677, 683, 691, 701, 709, 719, 727,
2682 733, 739, 743, 751, 757, 761, 769, 773,
2683 787, 797, 809, 811, 821, 823, 827, 829,
2684 839, 853, 857, 859, 863, 877, 881, 883,
2685 887, 907, 911, 919, 929, 937, 941, 947,
2686 953, 967, 971, 977, 983, 991, 997, -103
2687 };
2688
2689 /*
2690 * Small divisors test (X must be positive)
2691 *
2692 * Return values:
2693 * 0: no small factor (possible prime, more tests needed)
2694 * 1: certain prime
2695 * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
2696 * other negative: error
2697 */
mpi_check_small_factors(const mbedtls_mpi * X)2698 static int mpi_check_small_factors(const mbedtls_mpi *X)
2699 {
2700 int ret = 0;
2701 size_t i;
2702 mbedtls_mpi_uint r;
2703
2704 if ((X->p[0] & 1) == 0) {
2705 return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2706 }
2707
2708 for (i = 0; small_prime[i] > 0; i++) {
2709 if (mbedtls_mpi_cmp_int(X, small_prime[i]) <= 0) {
2710 return 1;
2711 }
2712
2713 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, small_prime[i]));
2714
2715 if (r == 0) {
2716 return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2717 }
2718 }
2719
2720 cleanup:
2721 return ret;
2722 }
2723
2724 /*
2725 * Miller-Rabin pseudo-primality test (HAC 4.24)
2726 */
mpi_miller_rabin(const mbedtls_mpi * X,size_t rounds,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2727 static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
2728 int (*f_rng)(void *, unsigned char *, size_t),
2729 void *p_rng)
2730 {
2731 int ret, count;
2732 size_t i, j, k, s;
2733 mbedtls_mpi W, R, T, A, RR;
2734
2735 MPI_VALIDATE_RET(X != NULL);
2736 MPI_VALIDATE_RET(f_rng != NULL);
2737
2738 mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
2739 mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
2740 mbedtls_mpi_init(&RR);
2741
2742 /*
2743 * W = |X| - 1
2744 * R = W >> lsb( W )
2745 */
2746 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));
2747 s = mbedtls_mpi_lsb(&W);
2748 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
2749 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
2750
2751 for (i = 0; i < rounds; i++) {
2752 /*
2753 * pick a random A, 1 < A < |X| - 1
2754 */
2755 count = 0;
2756 do {
2757 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
2758
2759 j = mbedtls_mpi_bitlen(&A);
2760 k = mbedtls_mpi_bitlen(&W);
2761 if (j > k) {
2762 A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
2763 }
2764
2765 if (count++ > 30) {
2766 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2767 goto cleanup;
2768 }
2769
2770 } while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 ||
2771 mbedtls_mpi_cmp_int(&A, 1) <= 0);
2772
2773 /*
2774 * A = A^R mod |X|
2775 */
2776 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));
2777
2778 if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 ||
2779 mbedtls_mpi_cmp_int(&A, 1) == 0) {
2780 continue;
2781 }
2782
2783 j = 1;
2784 while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {
2785 /*
2786 * A = A * A mod |X|
2787 */
2788 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));
2789 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));
2790
2791 if (mbedtls_mpi_cmp_int(&A, 1) == 0) {
2792 break;
2793 }
2794
2795 j++;
2796 }
2797
2798 /*
2799 * not prime if A != |X| - 1 or A == 1
2800 */
2801 if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 ||
2802 mbedtls_mpi_cmp_int(&A, 1) == 0) {
2803 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2804 break;
2805 }
2806 }
2807
2808 cleanup:
2809 mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);
2810 mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);
2811 mbedtls_mpi_free(&RR);
2812
2813 return ret;
2814 }
2815
2816 /*
2817 * Pseudo-primality test: small factors, then Miller-Rabin
2818 */
mbedtls_mpi_is_prime_ext(const mbedtls_mpi * X,int rounds,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2819 int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
2820 int (*f_rng)(void *, unsigned char *, size_t),
2821 void *p_rng)
2822 {
2823 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2824 mbedtls_mpi XX;
2825 MPI_VALIDATE_RET(X != NULL);
2826 MPI_VALIDATE_RET(f_rng != NULL);
2827
2828 XX.s = 1;
2829 XX.n = X->n;
2830 XX.p = X->p;
2831
2832 if (mbedtls_mpi_cmp_int(&XX, 0) == 0 ||
2833 mbedtls_mpi_cmp_int(&XX, 1) == 0) {
2834 return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2835 }
2836
2837 if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {
2838 return 0;
2839 }
2840
2841 if ((ret = mpi_check_small_factors(&XX)) != 0) {
2842 if (ret == 1) {
2843 return 0;
2844 }
2845
2846 return ret;
2847 }
2848
2849 return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);
2850 }
2851
2852 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2853 /*
2854 * Pseudo-primality test, error probability 2^-80
2855 */
mbedtls_mpi_is_prime(const mbedtls_mpi * X,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2856 int mbedtls_mpi_is_prime(const mbedtls_mpi *X,
2857 int (*f_rng)(void *, unsigned char *, size_t),
2858 void *p_rng)
2859 {
2860 MPI_VALIDATE_RET(X != NULL);
2861 MPI_VALIDATE_RET(f_rng != NULL);
2862
2863 /*
2864 * In the past our key generation aimed for an error rate of at most
2865 * 2^-80. Since this function is deprecated, aim for the same certainty
2866 * here as well.
2867 */
2868 return mbedtls_mpi_is_prime_ext(X, 40, f_rng, p_rng);
2869 }
2870 #endif
2871
2872 /*
2873 * Prime number generation
2874 *
2875 * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
2876 * be either 1024 bits or 1536 bits long, and flags must contain
2877 * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
2878 */
mbedtls_mpi_gen_prime(mbedtls_mpi * X,size_t nbits,int flags,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2879 int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
2880 int (*f_rng)(void *, unsigned char *, size_t),
2881 void *p_rng)
2882 {
2883 #ifdef MBEDTLS_HAVE_INT64
2884 // ceil(2^63.5)
2885 #define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
2886 #else
2887 // ceil(2^31.5)
2888 #define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
2889 #endif
2890 int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2891 size_t k, n;
2892 int rounds;
2893 mbedtls_mpi_uint r;
2894 mbedtls_mpi Y;
2895
2896 MPI_VALIDATE_RET(X != NULL);
2897 MPI_VALIDATE_RET(f_rng != NULL);
2898
2899 if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS) {
2900 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2901 }
2902
2903 mbedtls_mpi_init(&Y);
2904
2905 n = BITS_TO_LIMBS(nbits);
2906
2907 if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
2908 /*
2909 * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
2910 */
2911 rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :
2912 (nbits >= 650) ? 4 : (nbits >= 350) ? 8 :
2913 (nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);
2914 } else {
2915 /*
2916 * 2^-100 error probability, number of rounds computed based on HAC,
2917 * fact 4.48
2918 */
2919 rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :
2920 (nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :
2921 (nbits >= 750) ? 8 : (nbits >= 500) ? 13 :
2922 (nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);
2923 }
2924
2925 while (1) {
2926 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
2927 /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
2928 if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {
2929 continue;
2930 }
2931
2932 k = n * biL;
2933 if (k > nbits) {
2934 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
2935 }
2936 X->p[0] |= 1;
2937
2938 if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
2939 ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
2940
2941 if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
2942 goto cleanup;
2943 }
2944 } else {
2945 /*
2946 * A necessary condition for Y and X = 2Y + 1 to be prime
2947 * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
2948 * Make sure it is satisfied, while keeping X = 3 mod 4
2949 */
2950
2951 X->p[0] |= 2;
2952
2953 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));
2954 if (r == 0) {
2955 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));
2956 } else if (r == 1) {
2957 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));
2958 }
2959
2960 /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
2961 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));
2962 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));
2963
2964 while (1) {
2965 /*
2966 * First, check small factors for X and Y
2967 * before doing Miller-Rabin on any of them
2968 */
2969 if ((ret = mpi_check_small_factors(X)) == 0 &&
2970 (ret = mpi_check_small_factors(&Y)) == 0 &&
2971 (ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
2972 == 0 &&
2973 (ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
2974 == 0) {
2975 goto cleanup;
2976 }
2977
2978 if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
2979 goto cleanup;
2980 }
2981
2982 /*
2983 * Next candidates. We want to preserve Y = (X-1) / 2 and
2984 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
2985 * so up Y by 6 and X by 12.
2986 */
2987 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));
2988 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));
2989 }
2990 }
2991 }
2992
2993 cleanup:
2994
2995 mbedtls_mpi_free(&Y);
2996
2997 return ret;
2998 }
2999
3000 #endif /* MBEDTLS_GENPRIME */
3001
3002 #if defined(MBEDTLS_SELF_TEST)
3003
3004 #define GCD_PAIR_COUNT 3
3005
3006 static const int gcd_pairs[GCD_PAIR_COUNT][3] =
3007 {
3008 { 693, 609, 21 },
3009 { 1764, 868, 28 },
3010 { 768454923, 542167814, 1 }
3011 };
3012
3013 /*
3014 * Checkup routine
3015 */
mbedtls_mpi_self_test(int verbose)3016 int mbedtls_mpi_self_test(int verbose)
3017 {
3018 int ret, i;
3019 mbedtls_mpi A, E, N, X, Y, U, V;
3020
3021 mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);
3022 mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);
3023
3024 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,
3025 "EFE021C2645FD1DC586E69184AF4A31E" \
3026 "D5F53E93B5F123FA41680867BA110131" \
3027 "944FE7952E2517337780CB0DB80E61AA" \
3028 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));
3029
3030 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,
3031 "B2E7EFD37075B9F03FF989C7C5051C20" \
3032 "34D2A323810251127E7BF8625A4F49A5" \
3033 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
3034 "5B5C25763222FEFCCFC38B832366C29E"));
3035
3036 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,
3037 "0066A198186C18C10B2F5ED9B522752A" \
3038 "9830B69916E535C8F047518A889A43A5" \
3039 "94B6BED27A168D31D4A52F88925AA8F5"));
3040
3041 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));
3042
3043 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
3044 "602AB7ECA597A3D6B56FF9829A5E8B85" \
3045 "9E857EA95A03512E2BAE7391688D264A" \
3046 "A5663B0341DB9CCFD2C4C5F421FEC814" \
3047 "8001B72E848A38CAE1C65F78E56ABDEF" \
3048 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
3049 "ECF677152EF804370C1A305CAF3B5BF1" \
3050 "30879B56C61DE584A0F53A2447A51E"));
3051
3052 if (verbose != 0) {
3053 mbedtls_printf(" MPI test #1 (mul_mpi): ");
3054 }
3055
3056 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
3057 if (verbose != 0) {
3058 mbedtls_printf("failed\n");
3059 }
3060
3061 ret = 1;
3062 goto cleanup;
3063 }
3064
3065 if (verbose != 0) {
3066 mbedtls_printf("passed\n");
3067 }
3068
3069 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));
3070
3071 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
3072 "256567336059E52CAE22925474705F39A94"));
3073
3074 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,
3075 "6613F26162223DF488E9CD48CC132C7A" \
3076 "0AC93C701B001B092E4E5B9F73BCD27B" \
3077 "9EE50D0657C77F374E903CDFA4C642"));
3078
3079 if (verbose != 0) {
3080 mbedtls_printf(" MPI test #2 (div_mpi): ");
3081 }
3082
3083 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 ||
3084 mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {
3085 if (verbose != 0) {
3086 mbedtls_printf("failed\n");
3087 }
3088
3089 ret = 1;
3090 goto cleanup;
3091 }
3092
3093 if (verbose != 0) {
3094 mbedtls_printf("passed\n");
3095 }
3096
3097 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));
3098
3099 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
3100 "36E139AEA55215609D2816998ED020BB" \
3101 "BD96C37890F65171D948E9BC7CBAA4D9" \
3102 "325D24D6A3C12710F10A09FA08AB87"));
3103
3104 if (verbose != 0) {
3105 mbedtls_printf(" MPI test #3 (exp_mod): ");
3106 }
3107
3108 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
3109 if (verbose != 0) {
3110 mbedtls_printf("failed\n");
3111 }
3112
3113 ret = 1;
3114 goto cleanup;
3115 }
3116
3117 if (verbose != 0) {
3118 mbedtls_printf("passed\n");
3119 }
3120
3121 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));
3122
3123 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
3124 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
3125 "C3DBA76456363A10869622EAC2DD84EC" \
3126 "C5B8A74DAC4D09E03B5E0BE779F2DF61"));
3127
3128 if (verbose != 0) {
3129 mbedtls_printf(" MPI test #4 (inv_mod): ");
3130 }
3131
3132 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
3133 if (verbose != 0) {
3134 mbedtls_printf("failed\n");
3135 }
3136
3137 ret = 1;
3138 goto cleanup;
3139 }
3140
3141 if (verbose != 0) {
3142 mbedtls_printf("passed\n");
3143 }
3144
3145 if (verbose != 0) {
3146 mbedtls_printf(" MPI test #5 (simple gcd): ");
3147 }
3148
3149 for (i = 0; i < GCD_PAIR_COUNT; i++) {
3150 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));
3151 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));
3152
3153 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));
3154
3155 if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {
3156 if (verbose != 0) {
3157 mbedtls_printf("failed at %d\n", i);
3158 }
3159
3160 ret = 1;
3161 goto cleanup;
3162 }
3163 }
3164
3165 if (verbose != 0) {
3166 mbedtls_printf("passed\n");
3167 }
3168
3169 cleanup:
3170
3171 if (ret != 0 && verbose != 0) {
3172 mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
3173 }
3174
3175 mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);
3176 mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);
3177
3178 if (verbose != 0) {
3179 mbedtls_printf("\n");
3180 }
3181
3182 return ret;
3183 }
3184
3185 #endif /* MBEDTLS_SELF_TEST */
3186
3187 #endif /* MBEDTLS_BIGNUM_C */
3188