1 /*
2 * Multi-precision integer library
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * The following sources were referenced in the design of this Multi-precision
22 * Integer library:
23 *
24 * [1] Handbook of Applied Cryptography - 1997
25 * Menezes, van Oorschot and Vanstone
26 *
27 * [2] Multi-Precision Math
28 * Tom St Denis
29 * https://github.com/libtom/libtommath/blob/develop/tommath.pdf
30 *
31 * [3] GNU Multi-Precision Arithmetic Library
32 * https://gmplib.org/manual/index.html
33 *
34 */
35
36 #include "common.h"
37
38 #if defined(MBEDTLS_BIGNUM_C)
39
40 #include "mbedtls/bignum.h"
41 #include "bignum_core.h"
42 #include "bn_mul.h"
43 #include "mbedtls/platform_util.h"
44 #include "mbedtls/error.h"
45 #include "constant_time_internal.h"
46
47 #include <limits.h>
48 #include <string.h>
49
50 #include "mbedtls/platform.h"
51
52 #define MPI_VALIDATE_RET(cond) \
53 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA)
54 #define MPI_VALIDATE(cond) \
55 MBEDTLS_INTERNAL_VALIDATE(cond)
56
57 #define MPI_SIZE_T_MAX ((size_t) -1) /* SIZE_T_MAX is not standard */
58
59 /* Implementation that should never be optimized out by the compiler */
mbedtls_mpi_zeroize(mbedtls_mpi_uint * v,size_t n)60 static void mbedtls_mpi_zeroize(mbedtls_mpi_uint *v, size_t n)
61 {
62 mbedtls_platform_zeroize(v, ciL * n);
63 }
64
65 /*
66 * Initialize one MPI
67 */
mbedtls_mpi_init(mbedtls_mpi * X)68 void mbedtls_mpi_init(mbedtls_mpi *X)
69 {
70 MPI_VALIDATE(X != NULL);
71
72 X->s = 1;
73 X->n = 0;
74 X->p = NULL;
75 }
76
77 /*
78 * Unallocate one MPI
79 */
mbedtls_mpi_free(mbedtls_mpi * X)80 void mbedtls_mpi_free(mbedtls_mpi *X)
81 {
82 if (X == NULL) {
83 return;
84 }
85
86 if (X->p != NULL) {
87 mbedtls_mpi_zeroize(X->p, X->n);
88 mbedtls_free(X->p);
89 }
90
91 X->s = 1;
92 X->n = 0;
93 X->p = NULL;
94 }
95
96 /*
97 * Enlarge to the specified number of limbs
98 */
mbedtls_mpi_grow(mbedtls_mpi * X,size_t nblimbs)99 int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
100 {
101 mbedtls_mpi_uint *p;
102 MPI_VALIDATE_RET(X != NULL);
103
104 if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
105 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
106 }
107
108 if (X->n < nblimbs) {
109 if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {
110 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
111 }
112
113 if (X->p != NULL) {
114 memcpy(p, X->p, X->n * ciL);
115 mbedtls_mpi_zeroize(X->p, X->n);
116 mbedtls_free(X->p);
117 }
118
119 X->n = nblimbs;
120 X->p = p;
121 }
122
123 return 0;
124 }
125
126 /*
127 * Resize down as much as possible,
128 * while keeping at least the specified number of limbs
129 */
mbedtls_mpi_shrink(mbedtls_mpi * X,size_t nblimbs)130 int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
131 {
132 mbedtls_mpi_uint *p;
133 size_t i;
134 MPI_VALIDATE_RET(X != NULL);
135
136 if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
137 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
138 }
139
140 /* Actually resize up if there are currently fewer than nblimbs limbs. */
141 if (X->n <= nblimbs) {
142 return mbedtls_mpi_grow(X, nblimbs);
143 }
144 /* After this point, then X->n > nblimbs and in particular X->n > 0. */
145
146 for (i = X->n - 1; i > 0; i--) {
147 if (X->p[i] != 0) {
148 break;
149 }
150 }
151 i++;
152
153 if (i < nblimbs) {
154 i = nblimbs;
155 }
156
157 if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {
158 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
159 }
160
161 if (X->p != NULL) {
162 memcpy(p, X->p, i * ciL);
163 mbedtls_mpi_zeroize(X->p, X->n);
164 mbedtls_free(X->p);
165 }
166
167 X->n = i;
168 X->p = p;
169
170 return 0;
171 }
172
173 /* Resize X to have exactly n limbs and set it to 0. */
mbedtls_mpi_resize_clear(mbedtls_mpi * X,size_t limbs)174 static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)
175 {
176 if (limbs == 0) {
177 mbedtls_mpi_free(X);
178 return 0;
179 } else if (X->n == limbs) {
180 memset(X->p, 0, limbs * ciL);
181 X->s = 1;
182 return 0;
183 } else {
184 mbedtls_mpi_free(X);
185 return mbedtls_mpi_grow(X, limbs);
186 }
187 }
188
189 /*
190 * Copy the contents of Y into X.
191 *
192 * This function is not constant-time. Leading zeros in Y may be removed.
193 *
194 * Ensure that X does not shrink. This is not guaranteed by the public API,
195 * but some code in the bignum module relies on this property, for example
196 * in mbedtls_mpi_exp_mod().
197 */
mbedtls_mpi_copy(mbedtls_mpi * X,const mbedtls_mpi * Y)198 int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y)
199 {
200 int ret = 0;
201 size_t i;
202 MPI_VALIDATE_RET(X != NULL);
203 MPI_VALIDATE_RET(Y != NULL);
204
205 if (X == Y) {
206 return 0;
207 }
208
209 if (Y->n == 0) {
210 if (X->n != 0) {
211 X->s = 1;
212 memset(X->p, 0, X->n * ciL);
213 }
214 return 0;
215 }
216
217 for (i = Y->n - 1; i > 0; i--) {
218 if (Y->p[i] != 0) {
219 break;
220 }
221 }
222 i++;
223
224 X->s = Y->s;
225
226 if (X->n < i) {
227 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));
228 } else {
229 memset(X->p + i, 0, (X->n - i) * ciL);
230 }
231
232 memcpy(X->p, Y->p, i * ciL);
233
234 cleanup:
235
236 return ret;
237 }
238
239 /*
240 * Swap the contents of X and Y
241 */
mbedtls_mpi_swap(mbedtls_mpi * X,mbedtls_mpi * Y)242 void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y)
243 {
244 mbedtls_mpi T;
245 MPI_VALIDATE(X != NULL);
246 MPI_VALIDATE(Y != NULL);
247
248 memcpy(&T, X, sizeof(mbedtls_mpi));
249 memcpy(X, Y, sizeof(mbedtls_mpi));
250 memcpy(Y, &T, sizeof(mbedtls_mpi));
251 }
252
mpi_sint_abs(mbedtls_mpi_sint z)253 static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)
254 {
255 if (z >= 0) {
256 return z;
257 }
258 /* Take care to handle the most negative value (-2^(biL-1)) correctly.
259 * A naive -z would have undefined behavior.
260 * Write this in a way that makes popular compilers happy (GCC, Clang,
261 * MSVC). */
262 return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;
263 }
264
265 /*
266 * Set value from integer
267 */
mbedtls_mpi_lset(mbedtls_mpi * X,mbedtls_mpi_sint z)268 int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
269 {
270 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
271 MPI_VALIDATE_RET(X != NULL);
272
273 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
274 memset(X->p, 0, X->n * ciL);
275
276 X->p[0] = mpi_sint_abs(z);
277 X->s = (z < 0) ? -1 : 1;
278
279 cleanup:
280
281 return ret;
282 }
283
284 /*
285 * Get a specific bit
286 */
mbedtls_mpi_get_bit(const mbedtls_mpi * X,size_t pos)287 int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
288 {
289 MPI_VALIDATE_RET(X != NULL);
290
291 if (X->n * biL <= pos) {
292 return 0;
293 }
294
295 return (X->p[pos / biL] >> (pos % biL)) & 0x01;
296 }
297
298 /*
299 * Set a bit to a specific value of 0 or 1
300 */
mbedtls_mpi_set_bit(mbedtls_mpi * X,size_t pos,unsigned char val)301 int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)
302 {
303 int ret = 0;
304 size_t off = pos / biL;
305 size_t idx = pos % biL;
306 MPI_VALIDATE_RET(X != NULL);
307
308 if (val != 0 && val != 1) {
309 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
310 }
311
312 if (X->n * biL <= pos) {
313 if (val == 0) {
314 return 0;
315 }
316
317 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));
318 }
319
320 X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);
321 X->p[off] |= (mbedtls_mpi_uint) val << idx;
322
323 cleanup:
324
325 return ret;
326 }
327
328 /*
329 * Return the number of less significant zero-bits
330 */
mbedtls_mpi_lsb(const mbedtls_mpi * X)331 size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
332 {
333 size_t i, j, count = 0;
334 MBEDTLS_INTERNAL_VALIDATE_RET(X != NULL, 0);
335
336 for (i = 0; i < X->n; i++) {
337 for (j = 0; j < biL; j++, count++) {
338 if (((X->p[i] >> j) & 1) != 0) {
339 return count;
340 }
341 }
342 }
343
344 return 0;
345 }
346
347 /*
348 * Return the number of bits
349 */
mbedtls_mpi_bitlen(const mbedtls_mpi * X)350 size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
351 {
352 return mbedtls_mpi_core_bitlen(X->p, X->n);
353 }
354
355 /*
356 * Return the total size in bytes
357 */
mbedtls_mpi_size(const mbedtls_mpi * X)358 size_t mbedtls_mpi_size(const mbedtls_mpi *X)
359 {
360 return (mbedtls_mpi_bitlen(X) + 7) >> 3;
361 }
362
363 /*
364 * Convert an ASCII character to digit value
365 */
mpi_get_digit(mbedtls_mpi_uint * d,int radix,char c)366 static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)
367 {
368 *d = 255;
369
370 if (c >= 0x30 && c <= 0x39) {
371 *d = c - 0x30;
372 }
373 if (c >= 0x41 && c <= 0x46) {
374 *d = c - 0x37;
375 }
376 if (c >= 0x61 && c <= 0x66) {
377 *d = c - 0x57;
378 }
379
380 if (*d >= (mbedtls_mpi_uint) radix) {
381 return MBEDTLS_ERR_MPI_INVALID_CHARACTER;
382 }
383
384 return 0;
385 }
386
387 /*
388 * Import from an ASCII string
389 */
mbedtls_mpi_read_string(mbedtls_mpi * X,int radix,const char * s)390 int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
391 {
392 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
393 size_t i, j, slen, n;
394 int sign = 1;
395 mbedtls_mpi_uint d;
396 mbedtls_mpi T;
397 MPI_VALIDATE_RET(X != NULL);
398 MPI_VALIDATE_RET(s != NULL);
399
400 if (radix < 2 || radix > 16) {
401 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
402 }
403
404 mbedtls_mpi_init(&T);
405
406 if (s[0] == 0) {
407 mbedtls_mpi_free(X);
408 return 0;
409 }
410
411 if (s[0] == '-') {
412 ++s;
413 sign = -1;
414 }
415
416 slen = strlen(s);
417
418 if (radix == 16) {
419 if (slen > MPI_SIZE_T_MAX >> 2) {
420 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
421 }
422
423 n = BITS_TO_LIMBS(slen << 2);
424
425 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));
426 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
427
428 for (i = slen, j = 0; i > 0; i--, j++) {
429 MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));
430 X->p[j / (2 * ciL)] |= d << ((j % (2 * ciL)) << 2);
431 }
432 } else {
433 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
434
435 for (i = 0; i < slen; i++) {
436 MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));
437 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));
438 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));
439 }
440 }
441
442 if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {
443 X->s = -1;
444 }
445
446 cleanup:
447
448 mbedtls_mpi_free(&T);
449
450 return ret;
451 }
452
453 /*
454 * Helper to write the digits high-order first.
455 */
mpi_write_hlp(mbedtls_mpi * X,int radix,char ** p,const size_t buflen)456 static int mpi_write_hlp(mbedtls_mpi *X, int radix,
457 char **p, const size_t buflen)
458 {
459 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
460 mbedtls_mpi_uint r;
461 size_t length = 0;
462 char *p_end = *p + buflen;
463
464 do {
465 if (length >= buflen) {
466 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
467 }
468
469 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
470 MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
471 /*
472 * Write the residue in the current position, as an ASCII character.
473 */
474 if (r < 0xA) {
475 *(--p_end) = (char) ('0' + r);
476 } else {
477 *(--p_end) = (char) ('A' + (r - 0xA));
478 }
479
480 length++;
481 } while (mbedtls_mpi_cmp_int(X, 0) != 0);
482
483 memmove(*p, p_end, length);
484 *p += length;
485
486 cleanup:
487
488 return ret;
489 }
490
491 /*
492 * Export into an ASCII string
493 */
mbedtls_mpi_write_string(const mbedtls_mpi * X,int radix,char * buf,size_t buflen,size_t * olen)494 int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
495 char *buf, size_t buflen, size_t *olen)
496 {
497 int ret = 0;
498 size_t n;
499 char *p;
500 mbedtls_mpi T;
501 MPI_VALIDATE_RET(X != NULL);
502 MPI_VALIDATE_RET(olen != NULL);
503 MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
504
505 if (radix < 2 || radix > 16) {
506 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
507 }
508
509 n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */
510 if (radix >= 4) {
511 n >>= 1; /* Number of 4-adic digits necessary to present
512 * `n`. If radix > 4, this might be a strict
513 * overapproximation of the number of
514 * radix-adic digits needed to present `n`. */
515 }
516 if (radix >= 16) {
517 n >>= 1; /* Number of hexadecimal digits necessary to
518 * present `n`. */
519
520 }
521 n += 1; /* Terminating null byte */
522 n += 1; /* Compensate for the divisions above, which round down `n`
523 * in case it's not even. */
524 n += 1; /* Potential '-'-sign. */
525 n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
526 * which always uses an even number of hex-digits. */
527
528 if (buflen < n) {
529 *olen = n;
530 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
531 }
532
533 p = buf;
534 mbedtls_mpi_init(&T);
535
536 if (X->s == -1) {
537 *p++ = '-';
538 buflen--;
539 }
540
541 if (radix == 16) {
542 int c;
543 size_t i, j, k;
544
545 for (i = X->n, k = 0; i > 0; i--) {
546 for (j = ciL; j > 0; j--) {
547 c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;
548
549 if (c == 0 && k == 0 && (i + j) != 2) {
550 continue;
551 }
552
553 *(p++) = "0123456789ABCDEF" [c / 16];
554 *(p++) = "0123456789ABCDEF" [c % 16];
555 k = 1;
556 }
557 }
558 } else {
559 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));
560
561 if (T.s == -1) {
562 T.s = 1;
563 }
564
565 MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
566 }
567
568 *p++ = '\0';
569 *olen = p - buf;
570
571 cleanup:
572
573 mbedtls_mpi_free(&T);
574
575 return ret;
576 }
577
578 #if defined(MBEDTLS_FS_IO)
579 /*
580 * Read X from an opened file
581 */
mbedtls_mpi_read_file(mbedtls_mpi * X,int radix,FILE * fin)582 int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin)
583 {
584 mbedtls_mpi_uint d;
585 size_t slen;
586 char *p;
587 /*
588 * Buffer should have space for (short) label and decimal formatted MPI,
589 * newline characters and '\0'
590 */
591 char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
592
593 MPI_VALIDATE_RET(X != NULL);
594 MPI_VALIDATE_RET(fin != NULL);
595
596 if (radix < 2 || radix > 16) {
597 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
598 }
599
600 memset(s, 0, sizeof(s));
601 if (fgets(s, sizeof(s) - 1, fin) == NULL) {
602 return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
603 }
604
605 slen = strlen(s);
606 if (slen == sizeof(s) - 2) {
607 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
608 }
609
610 if (slen > 0 && s[slen - 1] == '\n') {
611 slen--; s[slen] = '\0';
612 }
613 if (slen > 0 && s[slen - 1] == '\r') {
614 slen--; s[slen] = '\0';
615 }
616
617 p = s + slen;
618 while (p-- > s) {
619 if (mpi_get_digit(&d, radix, *p) != 0) {
620 break;
621 }
622 }
623
624 return mbedtls_mpi_read_string(X, radix, p + 1);
625 }
626
627 /*
628 * Write X into an opened file (or stdout if fout == NULL)
629 */
mbedtls_mpi_write_file(const char * p,const mbedtls_mpi * X,int radix,FILE * fout)630 int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout)
631 {
632 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
633 size_t n, slen, plen;
634 /*
635 * Buffer should have space for (short) label and decimal formatted MPI,
636 * newline characters and '\0'
637 */
638 char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
639 MPI_VALIDATE_RET(X != NULL);
640
641 if (radix < 2 || radix > 16) {
642 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
643 }
644
645 memset(s, 0, sizeof(s));
646
647 MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));
648
649 if (p == NULL) {
650 p = "";
651 }
652
653 plen = strlen(p);
654 slen = strlen(s);
655 s[slen++] = '\r';
656 s[slen++] = '\n';
657
658 if (fout != NULL) {
659 if (fwrite(p, 1, plen, fout) != plen ||
660 fwrite(s, 1, slen, fout) != slen) {
661 return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
662 }
663 } else {
664 mbedtls_printf("%s%s", p, s);
665 }
666
667 cleanup:
668
669 return ret;
670 }
671 #endif /* MBEDTLS_FS_IO */
672
673 /*
674 * Import X from unsigned binary data, little endian
675 *
676 * This function is guaranteed to return an MPI with exactly the necessary
677 * number of limbs (in particular, it does not skip 0s in the input).
678 */
mbedtls_mpi_read_binary_le(mbedtls_mpi * X,const unsigned char * buf,size_t buflen)679 int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
680 const unsigned char *buf, size_t buflen)
681 {
682 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
683 const size_t limbs = CHARS_TO_LIMBS(buflen);
684
685 /* Ensure that target MPI has exactly the necessary number of limbs */
686 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
687
688 MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen));
689
690 cleanup:
691
692 /*
693 * This function is also used to import keys. However, wiping the buffers
694 * upon failure is not necessary because failure only can happen before any
695 * input is copied.
696 */
697 return ret;
698 }
699
700 /*
701 * Import X from unsigned binary data, big endian
702 *
703 * This function is guaranteed to return an MPI with exactly the necessary
704 * number of limbs (in particular, it does not skip 0s in the input).
705 */
mbedtls_mpi_read_binary(mbedtls_mpi * X,const unsigned char * buf,size_t buflen)706 int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen)
707 {
708 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
709 const size_t limbs = CHARS_TO_LIMBS(buflen);
710
711 MPI_VALIDATE_RET(X != NULL);
712 MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
713
714 /* Ensure that target MPI has exactly the necessary number of limbs */
715 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
716
717 MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen));
718
719 cleanup:
720
721 /*
722 * This function is also used to import keys. However, wiping the buffers
723 * upon failure is not necessary because failure only can happen before any
724 * input is copied.
725 */
726 return ret;
727 }
728
729 /*
730 * Export X into unsigned binary data, little endian
731 */
mbedtls_mpi_write_binary_le(const mbedtls_mpi * X,unsigned char * buf,size_t buflen)732 int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
733 unsigned char *buf, size_t buflen)
734 {
735 return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen);
736 }
737
738 /*
739 * Export X into unsigned binary data, big endian
740 */
mbedtls_mpi_write_binary(const mbedtls_mpi * X,unsigned char * buf,size_t buflen)741 int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
742 unsigned char *buf, size_t buflen)
743 {
744 return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen);
745 }
746
747 /*
748 * Left-shift: X <<= count
749 */
mbedtls_mpi_shift_l(mbedtls_mpi * X,size_t count)750 int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
751 {
752 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
753 size_t i, v0, t1;
754 mbedtls_mpi_uint r0 = 0, r1;
755 MPI_VALIDATE_RET(X != NULL);
756
757 v0 = count / (biL);
758 t1 = count & (biL - 1);
759
760 i = mbedtls_mpi_bitlen(X) + count;
761
762 if (X->n * biL < i) {
763 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));
764 }
765
766 ret = 0;
767
768 /*
769 * shift by count / limb_size
770 */
771 if (v0 > 0) {
772 for (i = X->n; i > v0; i--) {
773 X->p[i - 1] = X->p[i - v0 - 1];
774 }
775
776 for (; i > 0; i--) {
777 X->p[i - 1] = 0;
778 }
779 }
780
781 /*
782 * shift by count % limb_size
783 */
784 if (t1 > 0) {
785 for (i = v0; i < X->n; i++) {
786 r1 = X->p[i] >> (biL - t1);
787 X->p[i] <<= t1;
788 X->p[i] |= r0;
789 r0 = r1;
790 }
791 }
792
793 cleanup:
794
795 return ret;
796 }
797
798 /*
799 * Right-shift: X >>= count
800 */
mbedtls_mpi_shift_r(mbedtls_mpi * X,size_t count)801 int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
802 {
803 MPI_VALIDATE_RET(X != NULL);
804 if (X->n != 0) {
805 mbedtls_mpi_core_shift_r(X->p, X->n, count);
806 }
807 return 0;
808 }
809
810 /*
811 * Compare unsigned values
812 */
mbedtls_mpi_cmp_abs(const mbedtls_mpi * X,const mbedtls_mpi * Y)813 int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y)
814 {
815 size_t i, j;
816 MPI_VALIDATE_RET(X != NULL);
817 MPI_VALIDATE_RET(Y != NULL);
818
819 for (i = X->n; i > 0; i--) {
820 if (X->p[i - 1] != 0) {
821 break;
822 }
823 }
824
825 for (j = Y->n; j > 0; j--) {
826 if (Y->p[j - 1] != 0) {
827 break;
828 }
829 }
830
831 if (i == 0 && j == 0) {
832 return 0;
833 }
834
835 if (i > j) {
836 return 1;
837 }
838 if (j > i) {
839 return -1;
840 }
841
842 for (; i > 0; i--) {
843 if (X->p[i - 1] > Y->p[i - 1]) {
844 return 1;
845 }
846 if (X->p[i - 1] < Y->p[i - 1]) {
847 return -1;
848 }
849 }
850
851 return 0;
852 }
853
854 /*
855 * Compare signed values
856 */
mbedtls_mpi_cmp_mpi(const mbedtls_mpi * X,const mbedtls_mpi * Y)857 int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y)
858 {
859 size_t i, j;
860 MPI_VALIDATE_RET(X != NULL);
861 MPI_VALIDATE_RET(Y != NULL);
862
863 for (i = X->n; i > 0; i--) {
864 if (X->p[i - 1] != 0) {
865 break;
866 }
867 }
868
869 for (j = Y->n; j > 0; j--) {
870 if (Y->p[j - 1] != 0) {
871 break;
872 }
873 }
874
875 if (i == 0 && j == 0) {
876 return 0;
877 }
878
879 if (i > j) {
880 return X->s;
881 }
882 if (j > i) {
883 return -Y->s;
884 }
885
886 if (X->s > 0 && Y->s < 0) {
887 return 1;
888 }
889 if (Y->s > 0 && X->s < 0) {
890 return -1;
891 }
892
893 for (; i > 0; i--) {
894 if (X->p[i - 1] > Y->p[i - 1]) {
895 return X->s;
896 }
897 if (X->p[i - 1] < Y->p[i - 1]) {
898 return -X->s;
899 }
900 }
901
902 return 0;
903 }
904
905 /*
906 * Compare signed values
907 */
mbedtls_mpi_cmp_int(const mbedtls_mpi * X,mbedtls_mpi_sint z)908 int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
909 {
910 mbedtls_mpi Y;
911 mbedtls_mpi_uint p[1];
912 MPI_VALIDATE_RET(X != NULL);
913
914 *p = mpi_sint_abs(z);
915 Y.s = (z < 0) ? -1 : 1;
916 Y.n = 1;
917 Y.p = p;
918
919 return mbedtls_mpi_cmp_mpi(X, &Y);
920 }
921
922 /*
923 * Unsigned addition: X = |A| + |B| (HAC 14.7)
924 */
mbedtls_mpi_add_abs(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)925 int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
926 {
927 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
928 size_t j;
929 MPI_VALIDATE_RET(X != NULL);
930 MPI_VALIDATE_RET(A != NULL);
931 MPI_VALIDATE_RET(B != NULL);
932
933 if (X == B) {
934 const mbedtls_mpi *T = A; A = X; B = T;
935 }
936
937 if (X != A) {
938 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
939 }
940
941 /*
942 * X must always be positive as a result of unsigned additions.
943 */
944 X->s = 1;
945
946 for (j = B->n; j > 0; j--) {
947 if (B->p[j - 1] != 0) {
948 break;
949 }
950 }
951
952 /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
953 * and B is 0 (of any size). */
954 if (j == 0) {
955 return 0;
956 }
957
958 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
959
960 /* j is the number of non-zero limbs of B. Add those to X. */
961
962 mbedtls_mpi_uint *p = X->p;
963
964 mbedtls_mpi_uint c = mbedtls_mpi_core_add(p, p, B->p, j);
965
966 p += j;
967
968 /* Now propagate any carry */
969
970 while (c != 0) {
971 if (j >= X->n) {
972 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1));
973 p = X->p + j;
974 }
975
976 *p += c; c = (*p < c); j++; p++;
977 }
978
979 cleanup:
980
981 return ret;
982 }
983
984 /*
985 * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
986 */
mbedtls_mpi_sub_abs(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)987 int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
988 {
989 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
990 size_t n;
991 mbedtls_mpi_uint carry;
992 MPI_VALIDATE_RET(X != NULL);
993 MPI_VALIDATE_RET(A != NULL);
994 MPI_VALIDATE_RET(B != NULL);
995
996 for (n = B->n; n > 0; n--) {
997 if (B->p[n - 1] != 0) {
998 break;
999 }
1000 }
1001 if (n > A->n) {
1002 /* B >= (2^ciL)^n > A */
1003 ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1004 goto cleanup;
1005 }
1006
1007 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));
1008
1009 /* Set the high limbs of X to match A. Don't touch the lower limbs
1010 * because X might be aliased to B, and we must not overwrite the
1011 * significant digits of B. */
1012 if (A->n > n && A != X) {
1013 memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
1014 }
1015 if (X->n > A->n) {
1016 memset(X->p + A->n, 0, (X->n - A->n) * ciL);
1017 }
1018
1019 carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n);
1020 if (carry != 0) {
1021 /* Propagate the carry through the rest of X. */
1022 carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n);
1023
1024 /* If we have further carry/borrow, the result is negative. */
1025 if (carry != 0) {
1026 ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1027 goto cleanup;
1028 }
1029 }
1030
1031 /* X should always be positive as a result of unsigned subtractions. */
1032 X->s = 1;
1033
1034 cleanup:
1035 return ret;
1036 }
1037
1038 /* Common function for signed addition and subtraction.
1039 * Calculate A + B * flip_B where flip_B is 1 or -1.
1040 */
add_sub_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B,int flip_B)1041 static int add_sub_mpi(mbedtls_mpi *X,
1042 const mbedtls_mpi *A, const mbedtls_mpi *B,
1043 int flip_B)
1044 {
1045 int ret, s;
1046 MPI_VALIDATE_RET(X != NULL);
1047 MPI_VALIDATE_RET(A != NULL);
1048 MPI_VALIDATE_RET(B != NULL);
1049
1050 s = A->s;
1051 if (A->s * B->s * flip_B < 0) {
1052 int cmp = mbedtls_mpi_cmp_abs(A, B);
1053 if (cmp >= 0) {
1054 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
1055 /* If |A| = |B|, the result is 0 and we must set the sign bit
1056 * to +1 regardless of which of A or B was negative. Otherwise,
1057 * since |A| > |B|, the sign is the sign of A. */
1058 X->s = cmp == 0 ? 1 : s;
1059 } else {
1060 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));
1061 /* Since |A| < |B|, the sign is the opposite of A. */
1062 X->s = -s;
1063 }
1064 } else {
1065 MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));
1066 X->s = s;
1067 }
1068
1069 cleanup:
1070
1071 return ret;
1072 }
1073
1074 /*
1075 * Signed addition: X = A + B
1076 */
mbedtls_mpi_add_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1077 int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
1078 {
1079 return add_sub_mpi(X, A, B, 1);
1080 }
1081
1082 /*
1083 * Signed subtraction: X = A - B
1084 */
mbedtls_mpi_sub_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1085 int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
1086 {
1087 return add_sub_mpi(X, A, B, -1);
1088 }
1089
1090 /*
1091 * Signed addition: X = A + b
1092 */
mbedtls_mpi_add_int(mbedtls_mpi * X,const mbedtls_mpi * A,mbedtls_mpi_sint b)1093 int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
1094 {
1095 mbedtls_mpi B;
1096 mbedtls_mpi_uint p[1];
1097 MPI_VALIDATE_RET(X != NULL);
1098 MPI_VALIDATE_RET(A != NULL);
1099
1100 p[0] = mpi_sint_abs(b);
1101 B.s = (b < 0) ? -1 : 1;
1102 B.n = 1;
1103 B.p = p;
1104
1105 return mbedtls_mpi_add_mpi(X, A, &B);
1106 }
1107
1108 /*
1109 * Signed subtraction: X = A - b
1110 */
mbedtls_mpi_sub_int(mbedtls_mpi * X,const mbedtls_mpi * A,mbedtls_mpi_sint b)1111 int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
1112 {
1113 mbedtls_mpi B;
1114 mbedtls_mpi_uint p[1];
1115 MPI_VALIDATE_RET(X != NULL);
1116 MPI_VALIDATE_RET(A != NULL);
1117
1118 p[0] = mpi_sint_abs(b);
1119 B.s = (b < 0) ? -1 : 1;
1120 B.n = 1;
1121 B.p = p;
1122
1123 return mbedtls_mpi_sub_mpi(X, A, &B);
1124 }
1125
1126 /*
1127 * Baseline multiplication: X = A * B (HAC 14.12)
1128 */
mbedtls_mpi_mul_mpi(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * B)1129 int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
1130 {
1131 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1132 size_t i, j;
1133 mbedtls_mpi TA, TB;
1134 int result_is_zero = 0;
1135 MPI_VALIDATE_RET(X != NULL);
1136 MPI_VALIDATE_RET(A != NULL);
1137 MPI_VALIDATE_RET(B != NULL);
1138
1139 mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
1140
1141 if (X == A) {
1142 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;
1143 }
1144 if (X == B) {
1145 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;
1146 }
1147
1148 for (i = A->n; i > 0; i--) {
1149 if (A->p[i - 1] != 0) {
1150 break;
1151 }
1152 }
1153 if (i == 0) {
1154 result_is_zero = 1;
1155 }
1156
1157 for (j = B->n; j > 0; j--) {
1158 if (B->p[j - 1] != 0) {
1159 break;
1160 }
1161 }
1162 if (j == 0) {
1163 result_is_zero = 1;
1164 }
1165
1166 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));
1167 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
1168
1169 for (size_t k = 0; k < j; k++) {
1170 /* We know that there cannot be any carry-out since we're
1171 * iterating from bottom to top. */
1172 (void) mbedtls_mpi_core_mla(X->p + k, i + 1,
1173 A->p, i,
1174 B->p[k]);
1175 }
1176
1177 /* If the result is 0, we don't shortcut the operation, which reduces
1178 * but does not eliminate side channels leaking the zero-ness. We do
1179 * need to take care to set the sign bit properly since the library does
1180 * not fully support an MPI object with a value of 0 and s == -1. */
1181 if (result_is_zero) {
1182 X->s = 1;
1183 } else {
1184 X->s = A->s * B->s;
1185 }
1186
1187 cleanup:
1188
1189 mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);
1190
1191 return ret;
1192 }
1193
1194 /*
1195 * Baseline multiplication: X = A * b
1196 */
mbedtls_mpi_mul_int(mbedtls_mpi * X,const mbedtls_mpi * A,mbedtls_mpi_uint b)1197 int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b)
1198 {
1199 MPI_VALIDATE_RET(X != NULL);
1200 MPI_VALIDATE_RET(A != NULL);
1201
1202 size_t n = A->n;
1203 while (n > 0 && A->p[n - 1] == 0) {
1204 --n;
1205 }
1206
1207 /* The general method below doesn't work if b==0. */
1208 if (b == 0 || n == 0) {
1209 return mbedtls_mpi_lset(X, 0);
1210 }
1211
1212 /* Calculate A*b as A + A*(b-1) to take advantage of mbedtls_mpi_core_mla */
1213 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1214 /* In general, A * b requires 1 limb more than b. If
1215 * A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
1216 * number of limbs as A and the call to grow() is not required since
1217 * copy() will take care of the growth if needed. However, experimentally,
1218 * making the call to grow() unconditional causes slightly fewer
1219 * calls to calloc() in ECP code, presumably because it reuses the
1220 * same mpi for a while and this way the mpi is more likely to directly
1221 * grow to its final size.
1222 *
1223 * Note that calculating A*b as 0 + A*b doesn't work as-is because
1224 * A,X can be the same. */
1225 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));
1226 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
1227 mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1);
1228
1229 cleanup:
1230 return ret;
1231 }
1232
1233 /*
1234 * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
1235 * mbedtls_mpi_uint divisor, d
1236 */
mbedtls_int_div_int(mbedtls_mpi_uint u1,mbedtls_mpi_uint u0,mbedtls_mpi_uint d,mbedtls_mpi_uint * r)1237 static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
1238 mbedtls_mpi_uint u0,
1239 mbedtls_mpi_uint d,
1240 mbedtls_mpi_uint *r)
1241 {
1242 #if defined(MBEDTLS_HAVE_UDBL)
1243 mbedtls_t_udbl dividend, quotient;
1244 #else
1245 const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
1246 const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;
1247 mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
1248 mbedtls_mpi_uint u0_msw, u0_lsw;
1249 size_t s;
1250 #endif
1251
1252 /*
1253 * Check for overflow
1254 */
1255 if (0 == d || u1 >= d) {
1256 if (r != NULL) {
1257 *r = ~(mbedtls_mpi_uint) 0u;
1258 }
1259
1260 return ~(mbedtls_mpi_uint) 0u;
1261 }
1262
1263 #if defined(MBEDTLS_HAVE_UDBL)
1264 dividend = (mbedtls_t_udbl) u1 << biL;
1265 dividend |= (mbedtls_t_udbl) u0;
1266 quotient = dividend / d;
1267 if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {
1268 quotient = ((mbedtls_t_udbl) 1 << biL) - 1;
1269 }
1270
1271 if (r != NULL) {
1272 *r = (mbedtls_mpi_uint) (dividend - (quotient * d));
1273 }
1274
1275 return (mbedtls_mpi_uint) quotient;
1276 #else
1277
1278 /*
1279 * Algorithm D, Section 4.3.1 - The Art of Computer Programming
1280 * Vol. 2 - Seminumerical Algorithms, Knuth
1281 */
1282
1283 /*
1284 * Normalize the divisor, d, and dividend, u0, u1
1285 */
1286 s = mbedtls_mpi_core_clz(d);
1287 d = d << s;
1288
1289 u1 = u1 << s;
1290 u1 |= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));
1291 u0 = u0 << s;
1292
1293 d1 = d >> biH;
1294 d0 = d & uint_halfword_mask;
1295
1296 u0_msw = u0 >> biH;
1297 u0_lsw = u0 & uint_halfword_mask;
1298
1299 /*
1300 * Find the first quotient and remainder
1301 */
1302 q1 = u1 / d1;
1303 r0 = u1 - d1 * q1;
1304
1305 while (q1 >= radix || (q1 * d0 > radix * r0 + u0_msw)) {
1306 q1 -= 1;
1307 r0 += d1;
1308
1309 if (r0 >= radix) {
1310 break;
1311 }
1312 }
1313
1314 rAX = (u1 * radix) + (u0_msw - q1 * d);
1315 q0 = rAX / d1;
1316 r0 = rAX - q0 * d1;
1317
1318 while (q0 >= radix || (q0 * d0 > radix * r0 + u0_lsw)) {
1319 q0 -= 1;
1320 r0 += d1;
1321
1322 if (r0 >= radix) {
1323 break;
1324 }
1325 }
1326
1327 if (r != NULL) {
1328 *r = (rAX * radix + u0_lsw - q0 * d) >> s;
1329 }
1330
1331 quotient = q1 * radix + q0;
1332
1333 return quotient;
1334 #endif
1335 }
1336
1337 /*
1338 * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
1339 */
mbedtls_mpi_div_mpi(mbedtls_mpi * Q,mbedtls_mpi * R,const mbedtls_mpi * A,const mbedtls_mpi * B)1340 int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
1341 const mbedtls_mpi *B)
1342 {
1343 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1344 size_t i, n, t, k;
1345 mbedtls_mpi X, Y, Z, T1, T2;
1346 mbedtls_mpi_uint TP2[3];
1347 MPI_VALIDATE_RET(A != NULL);
1348 MPI_VALIDATE_RET(B != NULL);
1349
1350 if (mbedtls_mpi_cmp_int(B, 0) == 0) {
1351 return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
1352 }
1353
1354 mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
1355 mbedtls_mpi_init(&T1);
1356 /*
1357 * Avoid dynamic memory allocations for constant-size T2.
1358 *
1359 * T2 is used for comparison only and the 3 limbs are assigned explicitly,
1360 * so nobody increase the size of the MPI and we're safe to use an on-stack
1361 * buffer.
1362 */
1363 T2.s = 1;
1364 T2.n = sizeof(TP2) / sizeof(*TP2);
1365 T2.p = TP2;
1366
1367 if (mbedtls_mpi_cmp_abs(A, B) < 0) {
1368 if (Q != NULL) {
1369 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
1370 }
1371 if (R != NULL) {
1372 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));
1373 }
1374 return 0;
1375 }
1376
1377 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));
1378 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));
1379 X.s = Y.s = 1;
1380
1381 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
1382 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));
1383 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));
1384
1385 k = mbedtls_mpi_bitlen(&Y) % biL;
1386 if (k < biL - 1) {
1387 k = biL - 1 - k;
1388 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));
1389 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));
1390 } else {
1391 k = 0;
1392 }
1393
1394 n = X.n - 1;
1395 t = Y.n - 1;
1396 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));
1397
1398 while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {
1399 Z.p[n - t]++;
1400 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));
1401 }
1402 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));
1403
1404 for (i = n; i > t; i--) {
1405 if (X.p[i] >= Y.p[t]) {
1406 Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;
1407 } else {
1408 Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],
1409 Y.p[t], NULL);
1410 }
1411
1412 T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
1413 T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
1414 T2.p[2] = X.p[i];
1415
1416 Z.p[i - t - 1]++;
1417 do {
1418 Z.p[i - t - 1]--;
1419
1420 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));
1421 T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
1422 T1.p[1] = Y.p[t];
1423 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
1424 } while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
1425
1426 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
1427 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
1428 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));
1429
1430 if (mbedtls_mpi_cmp_int(&X, 0) < 0) {
1431 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));
1432 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
1433 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));
1434 Z.p[i - t - 1]--;
1435 }
1436 }
1437
1438 if (Q != NULL) {
1439 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));
1440 Q->s = A->s * B->s;
1441 }
1442
1443 if (R != NULL) {
1444 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));
1445 X.s = A->s;
1446 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));
1447
1448 if (mbedtls_mpi_cmp_int(R, 0) == 0) {
1449 R->s = 1;
1450 }
1451 }
1452
1453 cleanup:
1454
1455 mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
1456 mbedtls_mpi_free(&T1);
1457 mbedtls_platform_zeroize(TP2, sizeof(TP2));
1458
1459 return ret;
1460 }
1461
1462 /*
1463 * Division by int: A = Q * b + R
1464 */
mbedtls_mpi_div_int(mbedtls_mpi * Q,mbedtls_mpi * R,const mbedtls_mpi * A,mbedtls_mpi_sint b)1465 int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R,
1466 const mbedtls_mpi *A,
1467 mbedtls_mpi_sint b)
1468 {
1469 mbedtls_mpi B;
1470 mbedtls_mpi_uint p[1];
1471 MPI_VALIDATE_RET(A != NULL);
1472
1473 p[0] = mpi_sint_abs(b);
1474 B.s = (b < 0) ? -1 : 1;
1475 B.n = 1;
1476 B.p = p;
1477
1478 return mbedtls_mpi_div_mpi(Q, R, A, &B);
1479 }
1480
1481 /*
1482 * Modulo: R = A mod B
1483 */
mbedtls_mpi_mod_mpi(mbedtls_mpi * R,const mbedtls_mpi * A,const mbedtls_mpi * B)1484 int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B)
1485 {
1486 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1487 MPI_VALIDATE_RET(R != NULL);
1488 MPI_VALIDATE_RET(A != NULL);
1489 MPI_VALIDATE_RET(B != NULL);
1490
1491 if (mbedtls_mpi_cmp_int(B, 0) < 0) {
1492 return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1493 }
1494
1495 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));
1496
1497 while (mbedtls_mpi_cmp_int(R, 0) < 0) {
1498 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));
1499 }
1500
1501 while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {
1502 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));
1503 }
1504
1505 cleanup:
1506
1507 return ret;
1508 }
1509
1510 /*
1511 * Modulo: r = A mod b
1512 */
mbedtls_mpi_mod_int(mbedtls_mpi_uint * r,const mbedtls_mpi * A,mbedtls_mpi_sint b)1513 int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b)
1514 {
1515 size_t i;
1516 mbedtls_mpi_uint x, y, z;
1517 MPI_VALIDATE_RET(r != NULL);
1518 MPI_VALIDATE_RET(A != NULL);
1519
1520 if (b == 0) {
1521 return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
1522 }
1523
1524 if (b < 0) {
1525 return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
1526 }
1527
1528 /*
1529 * handle trivial cases
1530 */
1531 if (b == 1 || A->n == 0) {
1532 *r = 0;
1533 return 0;
1534 }
1535
1536 if (b == 2) {
1537 *r = A->p[0] & 1;
1538 return 0;
1539 }
1540
1541 /*
1542 * general case
1543 */
1544 for (i = A->n, y = 0; i > 0; i--) {
1545 x = A->p[i - 1];
1546 y = (y << biH) | (x >> biH);
1547 z = y / b;
1548 y -= z * b;
1549
1550 x <<= biH;
1551 y = (y << biH) | (x >> biH);
1552 z = y / b;
1553 y -= z * b;
1554 }
1555
1556 /*
1557 * If A is negative, then the current y represents a negative value.
1558 * Flipping it to the positive side.
1559 */
1560 if (A->s < 0 && y != 0) {
1561 y = b - y;
1562 }
1563
1564 *r = y;
1565
1566 return 0;
1567 }
1568
mpi_montg_init(mbedtls_mpi_uint * mm,const mbedtls_mpi * N)1569 static void mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N)
1570 {
1571 *mm = mbedtls_mpi_core_montmul_init(N->p);
1572 }
1573
1574 /** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1575 *
1576 * \param[in,out] A One of the numbers to multiply.
1577 * It must have at least as many limbs as N
1578 * (A->n >= N->n), and any limbs beyond n are ignored.
1579 * On successful completion, A contains the result of
1580 * the multiplication A * B * R^-1 mod N where
1581 * R = (2^ciL)^n.
1582 * \param[in] B One of the numbers to multiply.
1583 * It must be nonzero and must not have more limbs than N
1584 * (B->n <= N->n).
1585 * \param[in] N The modulus. \p N must be odd.
1586 * \param mm The value calculated by `mpi_montg_init(&mm, N)`.
1587 * This is -N^-1 mod 2^ciL.
1588 * \param[in,out] T A bignum for temporary storage.
1589 * It must be at least twice the limb size of N plus 1
1590 * (T->n >= 2 * N->n + 1).
1591 * Its initial content is unused and
1592 * its final content is indeterminate.
1593 * It does not get reallocated.
1594 */
mpi_montmul(mbedtls_mpi * A,const mbedtls_mpi * B,const mbedtls_mpi * N,mbedtls_mpi_uint mm,mbedtls_mpi * T)1595 static void mpi_montmul(mbedtls_mpi *A, const mbedtls_mpi *B,
1596 const mbedtls_mpi *N, mbedtls_mpi_uint mm,
1597 mbedtls_mpi *T)
1598 {
1599 mbedtls_mpi_core_montmul(A->p, A->p, B->p, B->n, N->p, N->n, mm, T->p);
1600 }
1601
1602 /*
1603 * Montgomery reduction: A = A * R^-1 mod N
1604 *
1605 * See mpi_montmul() regarding constraints and guarantees on the parameters.
1606 */
mpi_montred(mbedtls_mpi * A,const mbedtls_mpi * N,mbedtls_mpi_uint mm,mbedtls_mpi * T)1607 static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N,
1608 mbedtls_mpi_uint mm, mbedtls_mpi *T)
1609 {
1610 mbedtls_mpi_uint z = 1;
1611 mbedtls_mpi U;
1612
1613 U.n = U.s = (int) z;
1614 U.p = &z;
1615
1616 mpi_montmul(A, &U, N, mm, T);
1617 }
1618
1619 /**
1620 * Select an MPI from a table without leaking the index.
1621 *
1622 * This is functionally equivalent to mbedtls_mpi_copy(R, T[idx]) except it
1623 * reads the entire table in order to avoid leaking the value of idx to an
1624 * attacker able to observe memory access patterns.
1625 *
1626 * \param[out] R Where to write the selected MPI.
1627 * \param[in] T The table to read from.
1628 * \param[in] T_size The number of elements in the table.
1629 * \param[in] idx The index of the element to select;
1630 * this must satisfy 0 <= idx < T_size.
1631 *
1632 * \return \c 0 on success, or a negative error code.
1633 */
mpi_select(mbedtls_mpi * R,const mbedtls_mpi * T,size_t T_size,size_t idx)1634 static int mpi_select(mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size_t idx)
1635 {
1636 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1637
1638 for (size_t i = 0; i < T_size; i++) {
1639 MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(R, &T[i],
1640 (unsigned char) mbedtls_ct_size_bool_eq(i,
1641 idx)));
1642 }
1643
1644 cleanup:
1645 return ret;
1646 }
1647
1648 /*
1649 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1650 */
mbedtls_mpi_exp_mod(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * E,const mbedtls_mpi * N,mbedtls_mpi * prec_RR)1651 int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
1652 const mbedtls_mpi *E, const mbedtls_mpi *N,
1653 mbedtls_mpi *prec_RR)
1654 {
1655 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1656 size_t window_bitsize;
1657 size_t i, j, nblimbs;
1658 size_t bufsize, nbits;
1659 size_t exponent_bits_in_window = 0;
1660 mbedtls_mpi_uint ei, mm, state;
1661 mbedtls_mpi RR, T, W[(size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE], WW, Apos;
1662 int neg;
1663
1664 MPI_VALIDATE_RET(X != NULL);
1665 MPI_VALIDATE_RET(A != NULL);
1666 MPI_VALIDATE_RET(E != NULL);
1667 MPI_VALIDATE_RET(N != NULL);
1668
1669 if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) {
1670 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
1671 }
1672
1673 if (mbedtls_mpi_cmp_int(E, 0) < 0) {
1674 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
1675 }
1676
1677 if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS ||
1678 mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {
1679 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
1680 }
1681
1682 /*
1683 * Init temps and window size
1684 */
1685 mpi_montg_init(&mm, N);
1686 mbedtls_mpi_init(&RR); mbedtls_mpi_init(&T);
1687 mbedtls_mpi_init(&Apos);
1688 mbedtls_mpi_init(&WW);
1689 memset(W, 0, sizeof(W));
1690
1691 i = mbedtls_mpi_bitlen(E);
1692
1693 window_bitsize = (i > 671) ? 6 : (i > 239) ? 5 :
1694 (i > 79) ? 4 : (i > 23) ? 3 : 1;
1695
1696 #if (MBEDTLS_MPI_WINDOW_SIZE < 6)
1697 if (window_bitsize > MBEDTLS_MPI_WINDOW_SIZE) {
1698 window_bitsize = MBEDTLS_MPI_WINDOW_SIZE;
1699 }
1700 #endif
1701
1702 const size_t w_table_used_size = (size_t) 1 << window_bitsize;
1703
1704 /*
1705 * This function is not constant-trace: its memory accesses depend on the
1706 * exponent value. To defend against timing attacks, callers (such as RSA
1707 * and DHM) should use exponent blinding. However this is not enough if the
1708 * adversary can find the exponent in a single trace, so this function
1709 * takes extra precautions against adversaries who can observe memory
1710 * access patterns.
1711 *
1712 * This function performs a series of multiplications by table elements and
1713 * squarings, and we want the prevent the adversary from finding out which
1714 * table element was used, and from distinguishing between multiplications
1715 * and squarings. Firstly, when multiplying by an element of the window
1716 * W[i], we do a constant-trace table lookup to obfuscate i. This leaves
1717 * squarings as having a different memory access patterns from other
1718 * multiplications. So secondly, we put the accumulator X in the table as
1719 * well, and also do a constant-trace table lookup to multiply by X.
1720 *
1721 * This way, all multiplications take the form of a lookup-and-multiply.
1722 * The number of lookup-and-multiply operations inside each iteration of
1723 * the main loop still depends on the bits of the exponent, but since the
1724 * other operations in the loop don't have an easily recognizable memory
1725 * trace, an adversary is unlikely to be able to observe the exact
1726 * patterns.
1727 *
1728 * An adversary may still be able to recover the exponent if they can
1729 * observe both memory accesses and branches. However, branch prediction
1730 * exploitation typically requires many traces of execution over the same
1731 * data, which is defeated by randomized blinding.
1732 *
1733 * To achieve this, we make a copy of X and we use the table entry in each
1734 * calculation from this point on.
1735 */
1736 const size_t x_index = 0;
1737 mbedtls_mpi_init(&W[x_index]);
1738 mbedtls_mpi_copy(&W[x_index], X);
1739
1740 j = N->n + 1;
1741 /* All W[i] and X must have at least N->n limbs for the mpi_montmul()
1742 * and mpi_montred() calls later. Here we ensure that W[1] and X are
1743 * large enough, and later we'll grow other W[i] to the same length.
1744 * They must not be shrunk midway through this function!
1745 */
1746 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j));
1747 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j));
1748 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T, j * 2));
1749
1750 /*
1751 * Compensate for negative A (and correct at the end)
1752 */
1753 neg = (A->s == -1);
1754 if (neg) {
1755 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Apos, A));
1756 Apos.s = 1;
1757 A = &Apos;
1758 }
1759
1760 /*
1761 * If 1st call, pre-compute R^2 mod N
1762 */
1763 if (prec_RR == NULL || prec_RR->p == NULL) {
1764 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&RR, 1));
1765 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&RR, N->n * 2 * biL));
1766 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&RR, &RR, N));
1767
1768 if (prec_RR != NULL) {
1769 memcpy(prec_RR, &RR, sizeof(mbedtls_mpi));
1770 }
1771 } else {
1772 memcpy(&RR, prec_RR, sizeof(mbedtls_mpi));
1773 }
1774
1775 /*
1776 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1777 */
1778 if (mbedtls_mpi_cmp_mpi(A, N) >= 0) {
1779 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&W[1], A, N));
1780 /* This should be a no-op because W[1] is already that large before
1781 * mbedtls_mpi_mod_mpi(), but it's necessary to avoid an overflow
1782 * in mpi_montmul() below, so let's make sure. */
1783 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], N->n + 1));
1784 } else {
1785 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[1], A));
1786 }
1787
1788 /* Note that this is safe because W[1] always has at least N->n limbs
1789 * (it grew above and was preserved by mbedtls_mpi_copy()). */
1790 mpi_montmul(&W[1], &RR, N, mm, &T);
1791
1792 /*
1793 * W[x_index] = R^2 * R^-1 mod N = R mod N
1794 */
1795 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[x_index], &RR));
1796 mpi_montred(&W[x_index], N, mm, &T);
1797
1798
1799 if (window_bitsize > 1) {
1800 /*
1801 * W[i] = W[1] ^ i
1802 *
1803 * The first bit of the sliding window is always 1 and therefore we
1804 * only need to store the second half of the table.
1805 *
1806 * (There are two special elements in the table: W[0] for the
1807 * accumulator/result and W[1] for A in Montgomery form. Both of these
1808 * are already set at this point.)
1809 */
1810 j = w_table_used_size / 2;
1811
1812 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[j], N->n + 1));
1813 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[j], &W[1]));
1814
1815 for (i = 0; i < window_bitsize - 1; i++) {
1816 mpi_montmul(&W[j], &W[j], N, mm, &T);
1817 }
1818
1819 /*
1820 * W[i] = W[i - 1] * W[1]
1821 */
1822 for (i = j + 1; i < w_table_used_size; i++) {
1823 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[i], N->n + 1));
1824 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[i], &W[i - 1]));
1825
1826 mpi_montmul(&W[i], &W[1], N, mm, &T);
1827 }
1828 }
1829
1830 nblimbs = E->n;
1831 bufsize = 0;
1832 nbits = 0;
1833 state = 0;
1834
1835 while (1) {
1836 if (bufsize == 0) {
1837 if (nblimbs == 0) {
1838 break;
1839 }
1840
1841 nblimbs--;
1842
1843 bufsize = sizeof(mbedtls_mpi_uint) << 3;
1844 }
1845
1846 bufsize--;
1847
1848 ei = (E->p[nblimbs] >> bufsize) & 1;
1849
1850 /*
1851 * skip leading 0s
1852 */
1853 if (ei == 0 && state == 0) {
1854 continue;
1855 }
1856
1857 if (ei == 0 && state == 1) {
1858 /*
1859 * out of window, square W[x_index]
1860 */
1861 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
1862 mpi_montmul(&W[x_index], &WW, N, mm, &T);
1863 continue;
1864 }
1865
1866 /*
1867 * add ei to current window
1868 */
1869 state = 2;
1870
1871 nbits++;
1872 exponent_bits_in_window |= (ei << (window_bitsize - nbits));
1873
1874 if (nbits == window_bitsize) {
1875 /*
1876 * W[x_index] = W[x_index]^window_bitsize R^-1 mod N
1877 */
1878 for (i = 0; i < window_bitsize; i++) {
1879 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
1880 x_index));
1881 mpi_montmul(&W[x_index], &WW, N, mm, &T);
1882 }
1883
1884 /*
1885 * W[x_index] = W[x_index] * W[exponent_bits_in_window] R^-1 mod N
1886 */
1887 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
1888 exponent_bits_in_window));
1889 mpi_montmul(&W[x_index], &WW, N, mm, &T);
1890
1891 state--;
1892 nbits = 0;
1893 exponent_bits_in_window = 0;
1894 }
1895 }
1896
1897 /*
1898 * process the remaining bits
1899 */
1900 for (i = 0; i < nbits; i++) {
1901 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
1902 mpi_montmul(&W[x_index], &WW, N, mm, &T);
1903
1904 exponent_bits_in_window <<= 1;
1905
1906 if ((exponent_bits_in_window & ((size_t) 1 << window_bitsize)) != 0) {
1907 MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, 1));
1908 mpi_montmul(&W[x_index], &WW, N, mm, &T);
1909 }
1910 }
1911
1912 /*
1913 * W[x_index] = A^E * R * R^-1 mod N = A^E mod N
1914 */
1915 mpi_montred(&W[x_index], N, mm, &T);
1916
1917 if (neg && E->n != 0 && (E->p[0] & 1) != 0) {
1918 W[x_index].s = -1;
1919 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&W[x_index], N, &W[x_index]));
1920 }
1921
1922 /*
1923 * Load the result in the output variable.
1924 */
1925 mbedtls_mpi_copy(X, &W[x_index]);
1926
1927 cleanup:
1928
1929 /* The first bit of the sliding window is always 1 and therefore the first
1930 * half of the table was unused. */
1931 for (i = w_table_used_size/2; i < w_table_used_size; i++) {
1932 mbedtls_mpi_free(&W[i]);
1933 }
1934
1935 mbedtls_mpi_free(&W[x_index]);
1936 mbedtls_mpi_free(&W[1]);
1937 mbedtls_mpi_free(&T);
1938 mbedtls_mpi_free(&Apos);
1939 mbedtls_mpi_free(&WW);
1940
1941 if (prec_RR == NULL || prec_RR->p == NULL) {
1942 mbedtls_mpi_free(&RR);
1943 }
1944
1945 return ret;
1946 }
1947
1948 /*
1949 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
1950 */
mbedtls_mpi_gcd(mbedtls_mpi * G,const mbedtls_mpi * A,const mbedtls_mpi * B)1951 int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B)
1952 {
1953 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1954 size_t lz, lzt;
1955 mbedtls_mpi TA, TB;
1956
1957 MPI_VALIDATE_RET(G != NULL);
1958 MPI_VALIDATE_RET(A != NULL);
1959 MPI_VALIDATE_RET(B != NULL);
1960
1961 mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
1962
1963 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
1964 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));
1965
1966 lz = mbedtls_mpi_lsb(&TA);
1967 lzt = mbedtls_mpi_lsb(&TB);
1968
1969 /* The loop below gives the correct result when A==0 but not when B==0.
1970 * So have a special case for B==0. Leverage the fact that we just
1971 * calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
1972 * slightly more efficient than cmp_int(). */
1973 if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) {
1974 ret = mbedtls_mpi_copy(G, A);
1975 goto cleanup;
1976 }
1977
1978 if (lzt < lz) {
1979 lz = lzt;
1980 }
1981
1982 TA.s = TB.s = 1;
1983
1984 /* We mostly follow the procedure described in HAC 14.54, but with some
1985 * minor differences:
1986 * - Sequences of multiplications or divisions by 2 are grouped into a
1987 * single shift operation.
1988 * - The procedure in HAC assumes that 0 < TB <= TA.
1989 * - The condition TB <= TA is not actually necessary for correctness.
1990 * TA and TB have symmetric roles except for the loop termination
1991 * condition, and the shifts at the beginning of the loop body
1992 * remove any significance from the ordering of TA vs TB before
1993 * the shifts.
1994 * - If TA = 0, the loop goes through 0 iterations and the result is
1995 * correctly TB.
1996 * - The case TB = 0 was short-circuited above.
1997 *
1998 * For the correctness proof below, decompose the original values of
1999 * A and B as
2000 * A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
2001 * B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
2002 * Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
2003 * and gcd(A',B') is odd or 0.
2004 *
2005 * At the beginning, we have TA = |A| and TB = |B| so gcd(A,B) = gcd(TA,TB).
2006 * The code maintains the following invariant:
2007 * gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
2008 */
2009
2010 /* Proof that the loop terminates:
2011 * At each iteration, either the right-shift by 1 is made on a nonzero
2012 * value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
2013 * by at least 1, or the right-shift by 1 is made on zero and then
2014 * TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
2015 * since in that case TB is calculated from TB-TA with the condition TB>TA).
2016 */
2017 while (mbedtls_mpi_cmp_int(&TA, 0) != 0) {
2018 /* Divisions by 2 preserve the invariant (I). */
2019 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA)));
2020 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB)));
2021
2022 /* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd,
2023 * TA-TB is even so the division by 2 has an integer result.
2024 * Invariant (I) is preserved since any odd divisor of both TA and TB
2025 * also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2
2026 * also divides TB, and any odd divisor of both TB and |TA-TB|/2 also
2027 * divides TA.
2028 */
2029 if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) {
2030 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB));
2031 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1));
2032 } else {
2033 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA));
2034 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1));
2035 }
2036 /* Note that one of TA or TB is still odd. */
2037 }
2038
2039 /* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
2040 * At the loop exit, TA = 0, so gcd(TA,TB) = TB.
2041 * - If there was at least one loop iteration, then one of TA or TB is odd,
2042 * and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
2043 * lz = min(a,b) so gcd(A,B) = 2^lz * TB.
2044 * - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
2045 * In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
2046 */
2047
2048 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz));
2049 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB));
2050
2051 cleanup:
2052
2053 mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);
2054
2055 return ret;
2056 }
2057
2058 /*
2059 * Fill X with size bytes of random.
2060 * The bytes returned from the RNG are used in a specific order which
2061 * is suitable for deterministic ECDSA (see the specification of
2062 * mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()).
2063 */
mbedtls_mpi_fill_random(mbedtls_mpi * X,size_t size,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2064 int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
2065 int (*f_rng)(void *, unsigned char *, size_t),
2066 void *p_rng)
2067 {
2068 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2069 const size_t limbs = CHARS_TO_LIMBS(size);
2070
2071 MPI_VALIDATE_RET(X != NULL);
2072 MPI_VALIDATE_RET(f_rng != NULL);
2073
2074 /* Ensure that target MPI has exactly the necessary number of limbs */
2075 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
2076 if (size == 0) {
2077 return 0;
2078 }
2079
2080 ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng);
2081
2082 cleanup:
2083 return ret;
2084 }
2085
mbedtls_mpi_random(mbedtls_mpi * X,mbedtls_mpi_sint min,const mbedtls_mpi * N,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2086 int mbedtls_mpi_random(mbedtls_mpi *X,
2087 mbedtls_mpi_sint min,
2088 const mbedtls_mpi *N,
2089 int (*f_rng)(void *, unsigned char *, size_t),
2090 void *p_rng)
2091 {
2092 if (min < 0) {
2093 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2094 }
2095 if (mbedtls_mpi_cmp_int(N, min) <= 0) {
2096 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2097 }
2098
2099 /* Ensure that target MPI has exactly the same number of limbs
2100 * as the upper bound, even if the upper bound has leading zeros.
2101 * This is necessary for mbedtls_mpi_core_random. */
2102 int ret = mbedtls_mpi_resize_clear(X, N->n);
2103 if (ret != 0) {
2104 return ret;
2105 }
2106
2107 return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng);
2108 }
2109
2110 /*
2111 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
2112 */
mbedtls_mpi_inv_mod(mbedtls_mpi * X,const mbedtls_mpi * A,const mbedtls_mpi * N)2113 int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N)
2114 {
2115 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2116 mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
2117 MPI_VALIDATE_RET(X != NULL);
2118 MPI_VALIDATE_RET(A != NULL);
2119 MPI_VALIDATE_RET(N != NULL);
2120
2121 if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
2122 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2123 }
2124
2125 mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);
2126 mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);
2127 mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);
2128
2129 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));
2130
2131 if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
2132 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2133 goto cleanup;
2134 }
2135
2136 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));
2137 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));
2138 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));
2139 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));
2140
2141 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));
2142 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));
2143 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));
2144 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));
2145
2146 do {
2147 while ((TU.p[0] & 1) == 0) {
2148 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));
2149
2150 if ((U1.p[0] & 1) != 0 || (U2.p[0] & 1) != 0) {
2151 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));
2152 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));
2153 }
2154
2155 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));
2156 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));
2157 }
2158
2159 while ((TV.p[0] & 1) == 0) {
2160 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));
2161
2162 if ((V1.p[0] & 1) != 0 || (V2.p[0] & 1) != 0) {
2163 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));
2164 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));
2165 }
2166
2167 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));
2168 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));
2169 }
2170
2171 if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {
2172 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));
2173 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));
2174 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));
2175 } else {
2176 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));
2177 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));
2178 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));
2179 }
2180 } while (mbedtls_mpi_cmp_int(&TU, 0) != 0);
2181
2182 while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {
2183 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));
2184 }
2185
2186 while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {
2187 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));
2188 }
2189
2190 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));
2191
2192 cleanup:
2193
2194 mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);
2195 mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);
2196 mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);
2197
2198 return ret;
2199 }
2200
2201 #if defined(MBEDTLS_GENPRIME)
2202
2203 static const int small_prime[] =
2204 {
2205 3, 5, 7, 11, 13, 17, 19, 23,
2206 29, 31, 37, 41, 43, 47, 53, 59,
2207 61, 67, 71, 73, 79, 83, 89, 97,
2208 101, 103, 107, 109, 113, 127, 131, 137,
2209 139, 149, 151, 157, 163, 167, 173, 179,
2210 181, 191, 193, 197, 199, 211, 223, 227,
2211 229, 233, 239, 241, 251, 257, 263, 269,
2212 271, 277, 281, 283, 293, 307, 311, 313,
2213 317, 331, 337, 347, 349, 353, 359, 367,
2214 373, 379, 383, 389, 397, 401, 409, 419,
2215 421, 431, 433, 439, 443, 449, 457, 461,
2216 463, 467, 479, 487, 491, 499, 503, 509,
2217 521, 523, 541, 547, 557, 563, 569, 571,
2218 577, 587, 593, 599, 601, 607, 613, 617,
2219 619, 631, 641, 643, 647, 653, 659, 661,
2220 673, 677, 683, 691, 701, 709, 719, 727,
2221 733, 739, 743, 751, 757, 761, 769, 773,
2222 787, 797, 809, 811, 821, 823, 827, 829,
2223 839, 853, 857, 859, 863, 877, 881, 883,
2224 887, 907, 911, 919, 929, 937, 941, 947,
2225 953, 967, 971, 977, 983, 991, 997, -103
2226 };
2227
2228 /*
2229 * Small divisors test (X must be positive)
2230 *
2231 * Return values:
2232 * 0: no small factor (possible prime, more tests needed)
2233 * 1: certain prime
2234 * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
2235 * other negative: error
2236 */
mpi_check_small_factors(const mbedtls_mpi * X)2237 static int mpi_check_small_factors(const mbedtls_mpi *X)
2238 {
2239 int ret = 0;
2240 size_t i;
2241 mbedtls_mpi_uint r;
2242
2243 if ((X->p[0] & 1) == 0) {
2244 return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2245 }
2246
2247 for (i = 0; small_prime[i] > 0; i++) {
2248 if (mbedtls_mpi_cmp_int(X, small_prime[i]) <= 0) {
2249 return 1;
2250 }
2251
2252 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, small_prime[i]));
2253
2254 if (r == 0) {
2255 return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2256 }
2257 }
2258
2259 cleanup:
2260 return ret;
2261 }
2262
2263 /*
2264 * Miller-Rabin pseudo-primality test (HAC 4.24)
2265 */
mpi_miller_rabin(const mbedtls_mpi * X,size_t rounds,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2266 static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
2267 int (*f_rng)(void *, unsigned char *, size_t),
2268 void *p_rng)
2269 {
2270 int ret, count;
2271 size_t i, j, k, s;
2272 mbedtls_mpi W, R, T, A, RR;
2273
2274 MPI_VALIDATE_RET(X != NULL);
2275 MPI_VALIDATE_RET(f_rng != NULL);
2276
2277 mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
2278 mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
2279 mbedtls_mpi_init(&RR);
2280
2281 /*
2282 * W = |X| - 1
2283 * R = W >> lsb( W )
2284 */
2285 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));
2286 s = mbedtls_mpi_lsb(&W);
2287 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
2288 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
2289
2290 for (i = 0; i < rounds; i++) {
2291 /*
2292 * pick a random A, 1 < A < |X| - 1
2293 */
2294 count = 0;
2295 do {
2296 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
2297
2298 j = mbedtls_mpi_bitlen(&A);
2299 k = mbedtls_mpi_bitlen(&W);
2300 if (j > k) {
2301 A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
2302 }
2303
2304 if (count++ > 30) {
2305 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2306 goto cleanup;
2307 }
2308
2309 } while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 ||
2310 mbedtls_mpi_cmp_int(&A, 1) <= 0);
2311
2312 /*
2313 * A = A^R mod |X|
2314 */
2315 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));
2316
2317 if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 ||
2318 mbedtls_mpi_cmp_int(&A, 1) == 0) {
2319 continue;
2320 }
2321
2322 j = 1;
2323 while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {
2324 /*
2325 * A = A * A mod |X|
2326 */
2327 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));
2328 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));
2329
2330 if (mbedtls_mpi_cmp_int(&A, 1) == 0) {
2331 break;
2332 }
2333
2334 j++;
2335 }
2336
2337 /*
2338 * not prime if A != |X| - 1 or A == 1
2339 */
2340 if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 ||
2341 mbedtls_mpi_cmp_int(&A, 1) == 0) {
2342 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2343 break;
2344 }
2345 }
2346
2347 cleanup:
2348 mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);
2349 mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);
2350 mbedtls_mpi_free(&RR);
2351
2352 return ret;
2353 }
2354
2355 /*
2356 * Pseudo-primality test: small factors, then Miller-Rabin
2357 */
mbedtls_mpi_is_prime_ext(const mbedtls_mpi * X,int rounds,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2358 int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
2359 int (*f_rng)(void *, unsigned char *, size_t),
2360 void *p_rng)
2361 {
2362 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2363 mbedtls_mpi XX;
2364 MPI_VALIDATE_RET(X != NULL);
2365 MPI_VALIDATE_RET(f_rng != NULL);
2366
2367 XX.s = 1;
2368 XX.n = X->n;
2369 XX.p = X->p;
2370
2371 if (mbedtls_mpi_cmp_int(&XX, 0) == 0 ||
2372 mbedtls_mpi_cmp_int(&XX, 1) == 0) {
2373 return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2374 }
2375
2376 if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {
2377 return 0;
2378 }
2379
2380 if ((ret = mpi_check_small_factors(&XX)) != 0) {
2381 if (ret == 1) {
2382 return 0;
2383 }
2384
2385 return ret;
2386 }
2387
2388 return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);
2389 }
2390
2391 /*
2392 * Prime number generation
2393 *
2394 * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
2395 * be either 1024 bits or 1536 bits long, and flags must contain
2396 * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
2397 */
mbedtls_mpi_gen_prime(mbedtls_mpi * X,size_t nbits,int flags,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)2398 int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
2399 int (*f_rng)(void *, unsigned char *, size_t),
2400 void *p_rng)
2401 {
2402 #ifdef MBEDTLS_HAVE_INT64
2403 // ceil(2^63.5)
2404 #define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
2405 #else
2406 // ceil(2^31.5)
2407 #define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
2408 #endif
2409 int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2410 size_t k, n;
2411 int rounds;
2412 mbedtls_mpi_uint r;
2413 mbedtls_mpi Y;
2414
2415 MPI_VALIDATE_RET(X != NULL);
2416 MPI_VALIDATE_RET(f_rng != NULL);
2417
2418 if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS) {
2419 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
2420 }
2421
2422 mbedtls_mpi_init(&Y);
2423
2424 n = BITS_TO_LIMBS(nbits);
2425
2426 if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
2427 /*
2428 * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
2429 */
2430 rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :
2431 (nbits >= 650) ? 4 : (nbits >= 350) ? 8 :
2432 (nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);
2433 } else {
2434 /*
2435 * 2^-100 error probability, number of rounds computed based on HAC,
2436 * fact 4.48
2437 */
2438 rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :
2439 (nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :
2440 (nbits >= 750) ? 8 : (nbits >= 500) ? 13 :
2441 (nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);
2442 }
2443
2444 while (1) {
2445 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
2446 /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
2447 if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {
2448 continue;
2449 }
2450
2451 k = n * biL;
2452 if (k > nbits) {
2453 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
2454 }
2455 X->p[0] |= 1;
2456
2457 if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
2458 ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
2459
2460 if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
2461 goto cleanup;
2462 }
2463 } else {
2464 /*
2465 * A necessary condition for Y and X = 2Y + 1 to be prime
2466 * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
2467 * Make sure it is satisfied, while keeping X = 3 mod 4
2468 */
2469
2470 X->p[0] |= 2;
2471
2472 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));
2473 if (r == 0) {
2474 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));
2475 } else if (r == 1) {
2476 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));
2477 }
2478
2479 /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
2480 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));
2481 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));
2482
2483 while (1) {
2484 /*
2485 * First, check small factors for X and Y
2486 * before doing Miller-Rabin on any of them
2487 */
2488 if ((ret = mpi_check_small_factors(X)) == 0 &&
2489 (ret = mpi_check_small_factors(&Y)) == 0 &&
2490 (ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
2491 == 0 &&
2492 (ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
2493 == 0) {
2494 goto cleanup;
2495 }
2496
2497 if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
2498 goto cleanup;
2499 }
2500
2501 /*
2502 * Next candidates. We want to preserve Y = (X-1) / 2 and
2503 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
2504 * so up Y by 6 and X by 12.
2505 */
2506 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));
2507 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));
2508 }
2509 }
2510 }
2511
2512 cleanup:
2513
2514 mbedtls_mpi_free(&Y);
2515
2516 return ret;
2517 }
2518
2519 #endif /* MBEDTLS_GENPRIME */
2520
2521 #if defined(MBEDTLS_SELF_TEST)
2522
2523 #define GCD_PAIR_COUNT 3
2524
2525 static const int gcd_pairs[GCD_PAIR_COUNT][3] =
2526 {
2527 { 693, 609, 21 },
2528 { 1764, 868, 28 },
2529 { 768454923, 542167814, 1 }
2530 };
2531
2532 /*
2533 * Checkup routine
2534 */
mbedtls_mpi_self_test(int verbose)2535 int mbedtls_mpi_self_test(int verbose)
2536 {
2537 int ret, i;
2538 mbedtls_mpi A, E, N, X, Y, U, V;
2539
2540 mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);
2541 mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);
2542
2543 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,
2544 "EFE021C2645FD1DC586E69184AF4A31E" \
2545 "D5F53E93B5F123FA41680867BA110131" \
2546 "944FE7952E2517337780CB0DB80E61AA" \
2547 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));
2548
2549 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,
2550 "B2E7EFD37075B9F03FF989C7C5051C20" \
2551 "34D2A323810251127E7BF8625A4F49A5" \
2552 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
2553 "5B5C25763222FEFCCFC38B832366C29E"));
2554
2555 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,
2556 "0066A198186C18C10B2F5ED9B522752A" \
2557 "9830B69916E535C8F047518A889A43A5" \
2558 "94B6BED27A168D31D4A52F88925AA8F5"));
2559
2560 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));
2561
2562 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
2563 "602AB7ECA597A3D6B56FF9829A5E8B85" \
2564 "9E857EA95A03512E2BAE7391688D264A" \
2565 "A5663B0341DB9CCFD2C4C5F421FEC814" \
2566 "8001B72E848A38CAE1C65F78E56ABDEF" \
2567 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
2568 "ECF677152EF804370C1A305CAF3B5BF1" \
2569 "30879B56C61DE584A0F53A2447A51E"));
2570
2571 if (verbose != 0) {
2572 mbedtls_printf(" MPI test #1 (mul_mpi): ");
2573 }
2574
2575 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
2576 if (verbose != 0) {
2577 mbedtls_printf("failed\n");
2578 }
2579
2580 ret = 1;
2581 goto cleanup;
2582 }
2583
2584 if (verbose != 0) {
2585 mbedtls_printf("passed\n");
2586 }
2587
2588 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));
2589
2590 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
2591 "256567336059E52CAE22925474705F39A94"));
2592
2593 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,
2594 "6613F26162223DF488E9CD48CC132C7A" \
2595 "0AC93C701B001B092E4E5B9F73BCD27B" \
2596 "9EE50D0657C77F374E903CDFA4C642"));
2597
2598 if (verbose != 0) {
2599 mbedtls_printf(" MPI test #2 (div_mpi): ");
2600 }
2601
2602 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 ||
2603 mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {
2604 if (verbose != 0) {
2605 mbedtls_printf("failed\n");
2606 }
2607
2608 ret = 1;
2609 goto cleanup;
2610 }
2611
2612 if (verbose != 0) {
2613 mbedtls_printf("passed\n");
2614 }
2615
2616 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));
2617
2618 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
2619 "36E139AEA55215609D2816998ED020BB" \
2620 "BD96C37890F65171D948E9BC7CBAA4D9" \
2621 "325D24D6A3C12710F10A09FA08AB87"));
2622
2623 if (verbose != 0) {
2624 mbedtls_printf(" MPI test #3 (exp_mod): ");
2625 }
2626
2627 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
2628 if (verbose != 0) {
2629 mbedtls_printf("failed\n");
2630 }
2631
2632 ret = 1;
2633 goto cleanup;
2634 }
2635
2636 if (verbose != 0) {
2637 mbedtls_printf("passed\n");
2638 }
2639
2640 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));
2641
2642 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
2643 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
2644 "C3DBA76456363A10869622EAC2DD84EC" \
2645 "C5B8A74DAC4D09E03B5E0BE779F2DF61"));
2646
2647 if (verbose != 0) {
2648 mbedtls_printf(" MPI test #4 (inv_mod): ");
2649 }
2650
2651 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
2652 if (verbose != 0) {
2653 mbedtls_printf("failed\n");
2654 }
2655
2656 ret = 1;
2657 goto cleanup;
2658 }
2659
2660 if (verbose != 0) {
2661 mbedtls_printf("passed\n");
2662 }
2663
2664 if (verbose != 0) {
2665 mbedtls_printf(" MPI test #5 (simple gcd): ");
2666 }
2667
2668 for (i = 0; i < GCD_PAIR_COUNT; i++) {
2669 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));
2670 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));
2671
2672 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));
2673
2674 if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {
2675 if (verbose != 0) {
2676 mbedtls_printf("failed at %d\n", i);
2677 }
2678
2679 ret = 1;
2680 goto cleanup;
2681 }
2682 }
2683
2684 if (verbose != 0) {
2685 mbedtls_printf("passed\n");
2686 }
2687
2688 cleanup:
2689
2690 if (ret != 0 && verbose != 0) {
2691 mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
2692 }
2693
2694 mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);
2695 mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);
2696
2697 if (verbose != 0) {
2698 mbedtls_printf("\n");
2699 }
2700
2701 return ret;
2702 }
2703
2704 #endif /* MBEDTLS_SELF_TEST */
2705
2706 #endif /* MBEDTLS_BIGNUM_C */
2707
