bignum.c (66561B)
1 /* 2 * Multi-precision integer library 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 8 /* 9 * The following sources were referenced in the design of this Multi-precision 10 * Integer library: 11 * 12 * [1] Handbook of Applied Cryptography - 1997 13 * Menezes, van Oorschot and Vanstone 14 * 15 * [2] Multi-Precision Math 16 * Tom St Denis 17 * https://github.com/libtom/libtommath/blob/develop/tommath.pdf 18 * 19 * [3] GNU Multi-Precision Arithmetic Library 20 * https://gmplib.org/manual/index.html 21 * 22 */ 23 24 #include "common.h" 25 26 #if defined(MBEDTLS_BIGNUM_C) 27 28 #include "mbedtls/bignum.h" 29 #include "bignum_core.h" 30 #include "bignum_internal.h" 31 #include "bn_mul.h" 32 #include "mbedtls/platform_util.h" 33 #include "mbedtls/error.h" 34 #include "constant_time_internal.h" 35 36 #include <limits.h> 37 #include <string.h> 38 39 #include "mbedtls/platform.h" 40 41 42 43 /* 44 * Conditionally select an MPI sign in constant time. 45 * (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid 46 * values.) 47 */ 48 static inline signed short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond, 49 signed short sign1, signed short sign2) 50 { 51 return (signed short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1; 52 } 53 54 /* 55 * Compare signed values in constant time 56 */ 57 int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X, 58 const mbedtls_mpi *Y, 59 unsigned *ret) 60 { 61 mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result; 62 63 if (X->n != Y->n) { 64 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 65 } 66 67 /* 68 * Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0. 69 * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0. 70 */ 71 X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1); 72 Y_is_negative = mbedtls_ct_bool((Y->s & 2) >> 1); 73 74 /* 75 * If the signs are different, then the positive operand is the bigger. 76 * That is if X is negative (X_is_negative == 1), then X < Y is true and it 77 * is false if X is positive (X_is_negative == 0). 78 */ 79 different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign 80 result = mbedtls_ct_bool_and(different_sign, X_is_negative); 81 82 /* 83 * Assuming signs are the same, compare X and Y. We switch the comparison 84 * order if they are negative so that we get the right result, regardles of 85 * sign. 86 */ 87 88 /* This array is used to conditionally swap the pointers in const time */ 89 void * const p[2] = { X->p, Y->p }; 90 size_t i = mbedtls_ct_size_if_else_0(X_is_negative, 1); 91 mbedtls_ct_condition_t lt = mbedtls_mpi_core_lt_ct(p[i], p[i ^ 1], X->n); 92 93 /* 94 * Store in result iff the signs are the same (i.e., iff different_sign == false). If 95 * the signs differ, result has already been set, so we don't change it. 96 */ 97 result = mbedtls_ct_bool_or(result, 98 mbedtls_ct_bool_and(mbedtls_ct_bool_not(different_sign), lt)); 99 100 *ret = mbedtls_ct_uint_if_else_0(result, 1); 101 102 return 0; 103 } 104 105 /* 106 * Conditionally assign X = Y, without leaking information 107 * about whether the assignment was made or not. 108 * (Leaking information about the respective sizes of X and Y is ok however.) 109 */ 110 #if defined(_MSC_VER) && defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \ 111 (_MSC_FULL_VER < 193131103) 112 /* 113 * MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See: 114 * https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989 115 */ 116 __declspec(noinline) 117 #endif 118 int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, 119 const mbedtls_mpi *Y, 120 unsigned char assign) 121 { 122 int ret = 0; 123 124 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n)); 125 126 { 127 mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign); 128 129 X->s = mbedtls_ct_mpi_sign_if(do_assign, Y->s, X->s); 130 131 mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign); 132 133 mbedtls_ct_condition_t do_not_assign = mbedtls_ct_bool_not(do_assign); 134 for (size_t i = Y->n; i < X->n; i++) { 135 X->p[i] = mbedtls_ct_mpi_uint_if_else_0(do_not_assign, X->p[i]); 136 } 137 } 138 139 cleanup: 140 return ret; 141 } 142 143 /* 144 * Conditionally swap X and Y, without leaking information 145 * about whether the swap was made or not. 146 * Here it is not ok to simply swap the pointers, which would lead to 147 * different memory access patterns when X and Y are used afterwards. 148 */ 149 int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X, 150 mbedtls_mpi *Y, 151 unsigned char swap) 152 { 153 int ret = 0; 154 int s; 155 156 if (X == Y) { 157 return 0; 158 } 159 160 mbedtls_ct_condition_t do_swap = mbedtls_ct_bool(swap); 161 162 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n)); 163 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n)); 164 165 s = X->s; 166 X->s = mbedtls_ct_mpi_sign_if(do_swap, Y->s, X->s); 167 Y->s = mbedtls_ct_mpi_sign_if(do_swap, s, Y->s); 168 169 mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap); 170 171 cleanup: 172 return ret; 173 } 174 175 /* Implementation that should never be optimized out by the compiler */ 176 #define mbedtls_mpi_zeroize_and_free(v, n) mbedtls_zeroize_and_free(v, ciL * (n)) 177 178 /* 179 * Initialize one MPI 180 */ 181 void mbedtls_mpi_init(mbedtls_mpi *X) 182 { 183 X->s = 1; 184 X->n = 0; 185 X->p = NULL; 186 } 187 188 /* 189 * Unallocate one MPI 190 */ 191 void mbedtls_mpi_free(mbedtls_mpi *X) 192 { 193 if (X == NULL) { 194 return; 195 } 196 197 if (X->p != NULL) { 198 mbedtls_mpi_zeroize_and_free(X->p, X->n); 199 } 200 201 X->s = 1; 202 X->n = 0; 203 X->p = NULL; 204 } 205 206 /* 207 * Enlarge to the specified number of limbs 208 */ 209 int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs) 210 { 211 mbedtls_mpi_uint *p; 212 213 if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) { 214 return MBEDTLS_ERR_MPI_ALLOC_FAILED; 215 } 216 217 if (X->n < nblimbs) { 218 if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) { 219 return MBEDTLS_ERR_MPI_ALLOC_FAILED; 220 } 221 222 if (X->p != NULL) { 223 memcpy(p, X->p, X->n * ciL); 224 mbedtls_mpi_zeroize_and_free(X->p, X->n); 225 } 226 227 /* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS 228 * fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */ 229 X->n = (unsigned short) nblimbs; 230 X->p = p; 231 } 232 233 return 0; 234 } 235 236 /* 237 * Resize down as much as possible, 238 * while keeping at least the specified number of limbs 239 */ 240 int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs) 241 { 242 mbedtls_mpi_uint *p; 243 size_t i; 244 245 if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) { 246 return MBEDTLS_ERR_MPI_ALLOC_FAILED; 247 } 248 249 /* Actually resize up if there are currently fewer than nblimbs limbs. */ 250 if (X->n <= nblimbs) { 251 return mbedtls_mpi_grow(X, nblimbs); 252 } 253 /* After this point, then X->n > nblimbs and in particular X->n > 0. */ 254 255 for (i = X->n - 1; i > 0; i--) { 256 if (X->p[i] != 0) { 257 break; 258 } 259 } 260 i++; 261 262 if (i < nblimbs) { 263 i = nblimbs; 264 } 265 266 if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) { 267 return MBEDTLS_ERR_MPI_ALLOC_FAILED; 268 } 269 270 if (X->p != NULL) { 271 memcpy(p, X->p, i * ciL); 272 mbedtls_mpi_zeroize_and_free(X->p, X->n); 273 } 274 275 /* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS 276 * fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */ 277 X->n = (unsigned short) i; 278 X->p = p; 279 280 return 0; 281 } 282 283 /* Resize X to have exactly n limbs and set it to 0. */ 284 static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs) 285 { 286 if (limbs == 0) { 287 mbedtls_mpi_free(X); 288 return 0; 289 } else if (X->n == limbs) { 290 memset(X->p, 0, limbs * ciL); 291 X->s = 1; 292 return 0; 293 } else { 294 mbedtls_mpi_free(X); 295 return mbedtls_mpi_grow(X, limbs); 296 } 297 } 298 299 /* 300 * Copy the contents of Y into X. 301 * 302 * This function is not constant-time. Leading zeros in Y may be removed. 303 * 304 * Ensure that X does not shrink. This is not guaranteed by the public API, 305 * but some code in the bignum module might still rely on this property. 306 */ 307 int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y) 308 { 309 int ret = 0; 310 size_t i; 311 312 if (X == Y) { 313 return 0; 314 } 315 316 if (Y->n == 0) { 317 if (X->n != 0) { 318 X->s = 1; 319 memset(X->p, 0, X->n * ciL); 320 } 321 return 0; 322 } 323 324 for (i = Y->n - 1; i > 0; i--) { 325 if (Y->p[i] != 0) { 326 break; 327 } 328 } 329 i++; 330 331 X->s = Y->s; 332 333 if (X->n < i) { 334 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i)); 335 } else { 336 memset(X->p + i, 0, (X->n - i) * ciL); 337 } 338 339 memcpy(X->p, Y->p, i * ciL); 340 341 cleanup: 342 343 return ret; 344 } 345 346 /* 347 * Swap the contents of X and Y 348 */ 349 void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y) 350 { 351 mbedtls_mpi T; 352 353 memcpy(&T, X, sizeof(mbedtls_mpi)); 354 memcpy(X, Y, sizeof(mbedtls_mpi)); 355 memcpy(Y, &T, sizeof(mbedtls_mpi)); 356 } 357 358 static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z) 359 { 360 if (z >= 0) { 361 return z; 362 } 363 /* Take care to handle the most negative value (-2^(biL-1)) correctly. 364 * A naive -z would have undefined behavior. 365 * Write this in a way that makes popular compilers happy (GCC, Clang, 366 * MSVC). */ 367 return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z; 368 } 369 370 /* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative. 371 * This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */ 372 #define TO_SIGN(x) ((mbedtls_mpi_sint) (((mbedtls_mpi_uint) x) >> (biL - 1)) * -2 + 1) 373 374 /* 375 * Set value from integer 376 */ 377 int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z) 378 { 379 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 380 381 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1)); 382 memset(X->p, 0, X->n * ciL); 383 384 X->p[0] = mpi_sint_abs(z); 385 X->s = TO_SIGN(z); 386 387 cleanup: 388 389 return ret; 390 } 391 392 /* 393 * Get a specific bit 394 */ 395 int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos) 396 { 397 if (X->n * biL <= pos) { 398 return 0; 399 } 400 401 return (X->p[pos / biL] >> (pos % biL)) & 0x01; 402 } 403 404 /* 405 * Set a bit to a specific value of 0 or 1 406 */ 407 int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val) 408 { 409 int ret = 0; 410 size_t off = pos / biL; 411 size_t idx = pos % biL; 412 413 if (val != 0 && val != 1) { 414 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 415 } 416 417 if (X->n * biL <= pos) { 418 if (val == 0) { 419 return 0; 420 } 421 422 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1)); 423 } 424 425 X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx); 426 X->p[off] |= (mbedtls_mpi_uint) val << idx; 427 428 cleanup: 429 430 return ret; 431 } 432 433 /* 434 * Return the number of less significant zero-bits 435 */ 436 size_t mbedtls_mpi_lsb(const mbedtls_mpi *X) 437 { 438 size_t i; 439 440 #if defined(__has_builtin) 441 #if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz) 442 #define mbedtls_mpi_uint_ctz __builtin_ctz 443 #elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_ctzl) 444 #define mbedtls_mpi_uint_ctz __builtin_ctzl 445 #elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_ctzll) 446 #define mbedtls_mpi_uint_ctz __builtin_ctzll 447 #endif 448 #endif 449 450 #if defined(mbedtls_mpi_uint_ctz) 451 for (i = 0; i < X->n; i++) { 452 if (X->p[i] != 0) { 453 return i * biL + mbedtls_mpi_uint_ctz(X->p[i]); 454 } 455 } 456 #else 457 size_t count = 0; 458 for (i = 0; i < X->n; i++) { 459 for (size_t j = 0; j < biL; j++, count++) { 460 if (((X->p[i] >> j) & 1) != 0) { 461 return count; 462 } 463 } 464 } 465 #endif 466 467 return 0; 468 } 469 470 /* 471 * Return the number of bits 472 */ 473 size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X) 474 { 475 return mbedtls_mpi_core_bitlen(X->p, X->n); 476 } 477 478 /* 479 * Return the total size in bytes 480 */ 481 size_t mbedtls_mpi_size(const mbedtls_mpi *X) 482 { 483 return (mbedtls_mpi_bitlen(X) + 7) >> 3; 484 } 485 486 /* 487 * Convert an ASCII character to digit value 488 */ 489 static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c) 490 { 491 *d = 255; 492 493 if (c >= 0x30 && c <= 0x39) { 494 *d = c - 0x30; 495 } 496 if (c >= 0x41 && c <= 0x46) { 497 *d = c - 0x37; 498 } 499 if (c >= 0x61 && c <= 0x66) { 500 *d = c - 0x57; 501 } 502 503 if (*d >= (mbedtls_mpi_uint) radix) { 504 return MBEDTLS_ERR_MPI_INVALID_CHARACTER; 505 } 506 507 return 0; 508 } 509 510 /* 511 * Import from an ASCII string 512 */ 513 int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s) 514 { 515 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 516 size_t i, j, slen, n; 517 int sign = 1; 518 mbedtls_mpi_uint d; 519 mbedtls_mpi T; 520 521 if (radix < 2 || radix > 16) { 522 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 523 } 524 525 mbedtls_mpi_init(&T); 526 527 if (s[0] == 0) { 528 mbedtls_mpi_free(X); 529 return 0; 530 } 531 532 if (s[0] == '-') { 533 ++s; 534 sign = -1; 535 } 536 537 slen = strlen(s); 538 539 if (radix == 16) { 540 if (slen > SIZE_MAX >> 2) { 541 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 542 } 543 544 n = BITS_TO_LIMBS(slen << 2); 545 546 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n)); 547 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0)); 548 549 for (i = slen, j = 0; i > 0; i--, j++) { 550 MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1])); 551 X->p[j / (2 * ciL)] |= d << ((j % (2 * ciL)) << 2); 552 } 553 } else { 554 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0)); 555 556 for (i = 0; i < slen; i++) { 557 MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i])); 558 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix)); 559 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d)); 560 } 561 } 562 563 if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) { 564 X->s = -1; 565 } 566 567 cleanup: 568 569 mbedtls_mpi_free(&T); 570 571 return ret; 572 } 573 574 /* 575 * Helper to write the digits high-order first. 576 */ 577 static int mpi_write_hlp(mbedtls_mpi *X, int radix, 578 char **p, const size_t buflen) 579 { 580 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 581 mbedtls_mpi_uint r; 582 size_t length = 0; 583 char *p_end = *p + buflen; 584 585 do { 586 if (length >= buflen) { 587 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL; 588 } 589 590 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix)); 591 MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix)); 592 /* 593 * Write the residue in the current position, as an ASCII character. 594 */ 595 if (r < 0xA) { 596 *(--p_end) = (char) ('0' + r); 597 } else { 598 *(--p_end) = (char) ('A' + (r - 0xA)); 599 } 600 601 length++; 602 } while (mbedtls_mpi_cmp_int(X, 0) != 0); 603 604 memmove(*p, p_end, length); 605 *p += length; 606 607 cleanup: 608 609 return ret; 610 } 611 612 /* 613 * Export into an ASCII string 614 */ 615 int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix, 616 char *buf, size_t buflen, size_t *olen) 617 { 618 int ret = 0; 619 size_t n; 620 char *p; 621 mbedtls_mpi T; 622 623 if (radix < 2 || radix > 16) { 624 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 625 } 626 627 n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */ 628 if (radix >= 4) { 629 n >>= 1; /* Number of 4-adic digits necessary to present 630 * `n`. If radix > 4, this might be a strict 631 * overapproximation of the number of 632 * radix-adic digits needed to present `n`. */ 633 } 634 if (radix >= 16) { 635 n >>= 1; /* Number of hexadecimal digits necessary to 636 * present `n`. */ 637 638 } 639 n += 1; /* Terminating null byte */ 640 n += 1; /* Compensate for the divisions above, which round down `n` 641 * in case it's not even. */ 642 n += 1; /* Potential '-'-sign. */ 643 n += (n & 1); /* Make n even to have enough space for hexadecimal writing, 644 * which always uses an even number of hex-digits. */ 645 646 if (buflen < n) { 647 *olen = n; 648 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL; 649 } 650 651 p = buf; 652 mbedtls_mpi_init(&T); 653 654 if (X->s == -1) { 655 *p++ = '-'; 656 buflen--; 657 } 658 659 if (radix == 16) { 660 int c; 661 size_t i, j, k; 662 663 for (i = X->n, k = 0; i > 0; i--) { 664 for (j = ciL; j > 0; j--) { 665 c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF; 666 667 if (c == 0 && k == 0 && (i + j) != 2) { 668 continue; 669 } 670 671 *(p++) = "0123456789ABCDEF" [c / 16]; 672 *(p++) = "0123456789ABCDEF" [c % 16]; 673 k = 1; 674 } 675 } 676 } else { 677 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X)); 678 679 if (T.s == -1) { 680 T.s = 1; 681 } 682 683 MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen)); 684 } 685 686 *p++ = '\0'; 687 *olen = (size_t) (p - buf); 688 689 cleanup: 690 691 mbedtls_mpi_free(&T); 692 693 return ret; 694 } 695 696 #if defined(MBEDTLS_FS_IO) 697 /* 698 * Read X from an opened file 699 */ 700 int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin) 701 { 702 mbedtls_mpi_uint d; 703 size_t slen; 704 char *p; 705 /* 706 * Buffer should have space for (short) label and decimal formatted MPI, 707 * newline characters and '\0' 708 */ 709 char s[MBEDTLS_MPI_RW_BUFFER_SIZE]; 710 711 if (radix < 2 || radix > 16) { 712 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 713 } 714 715 memset(s, 0, sizeof(s)); 716 if (fgets(s, sizeof(s) - 1, fin) == NULL) { 717 return MBEDTLS_ERR_MPI_FILE_IO_ERROR; 718 } 719 720 slen = strlen(s); 721 if (slen == sizeof(s) - 2) { 722 return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL; 723 } 724 725 if (slen > 0 && s[slen - 1] == '\n') { 726 slen--; s[slen] = '\0'; 727 } 728 if (slen > 0 && s[slen - 1] == '\r') { 729 slen--; s[slen] = '\0'; 730 } 731 732 p = s + slen; 733 while (p-- > s) { 734 if (mpi_get_digit(&d, radix, *p) != 0) { 735 break; 736 } 737 } 738 739 return mbedtls_mpi_read_string(X, radix, p + 1); 740 } 741 742 /* 743 * Write X into an opened file (or stdout if fout == NULL) 744 */ 745 int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout) 746 { 747 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 748 size_t n, slen, plen; 749 /* 750 * Buffer should have space for (short) label and decimal formatted MPI, 751 * newline characters and '\0' 752 */ 753 char s[MBEDTLS_MPI_RW_BUFFER_SIZE]; 754 755 if (radix < 2 || radix > 16) { 756 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 757 } 758 759 memset(s, 0, sizeof(s)); 760 761 MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n)); 762 763 if (p == NULL) { 764 p = ""; 765 } 766 767 plen = strlen(p); 768 slen = strlen(s); 769 s[slen++] = '\r'; 770 s[slen++] = '\n'; 771 772 if (fout != NULL) { 773 if (fwrite(p, 1, plen, fout) != plen || 774 fwrite(s, 1, slen, fout) != slen) { 775 return MBEDTLS_ERR_MPI_FILE_IO_ERROR; 776 } 777 } else { 778 mbedtls_printf("%s%s", p, s); 779 } 780 781 cleanup: 782 783 return ret; 784 } 785 #endif /* MBEDTLS_FS_IO */ 786 787 /* 788 * Import X from unsigned binary data, little endian 789 * 790 * This function is guaranteed to return an MPI with exactly the necessary 791 * number of limbs (in particular, it does not skip 0s in the input). 792 */ 793 int mbedtls_mpi_read_binary_le(mbedtls_mpi *X, 794 const unsigned char *buf, size_t buflen) 795 { 796 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 797 const size_t limbs = CHARS_TO_LIMBS(buflen); 798 799 /* Ensure that target MPI has exactly the necessary number of limbs */ 800 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs)); 801 802 MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen)); 803 804 cleanup: 805 806 /* 807 * This function is also used to import keys. However, wiping the buffers 808 * upon failure is not necessary because failure only can happen before any 809 * input is copied. 810 */ 811 return ret; 812 } 813 814 /* 815 * Import X from unsigned binary data, big endian 816 * 817 * This function is guaranteed to return an MPI with exactly the necessary 818 * number of limbs (in particular, it does not skip 0s in the input). 819 */ 820 int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen) 821 { 822 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 823 const size_t limbs = CHARS_TO_LIMBS(buflen); 824 825 /* Ensure that target MPI has exactly the necessary number of limbs */ 826 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs)); 827 828 MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen)); 829 830 cleanup: 831 832 /* 833 * This function is also used to import keys. However, wiping the buffers 834 * upon failure is not necessary because failure only can happen before any 835 * input is copied. 836 */ 837 return ret; 838 } 839 840 /* 841 * Export X into unsigned binary data, little endian 842 */ 843 int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X, 844 unsigned char *buf, size_t buflen) 845 { 846 return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen); 847 } 848 849 /* 850 * Export X into unsigned binary data, big endian 851 */ 852 int mbedtls_mpi_write_binary(const mbedtls_mpi *X, 853 unsigned char *buf, size_t buflen) 854 { 855 return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen); 856 } 857 858 /* 859 * Left-shift: X <<= count 860 */ 861 int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count) 862 { 863 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 864 size_t i; 865 866 i = mbedtls_mpi_bitlen(X) + count; 867 868 if (X->n * biL < i) { 869 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i))); 870 } 871 872 ret = 0; 873 874 mbedtls_mpi_core_shift_l(X->p, X->n, count); 875 cleanup: 876 877 return ret; 878 } 879 880 /* 881 * Right-shift: X >>= count 882 */ 883 int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count) 884 { 885 if (X->n != 0) { 886 mbedtls_mpi_core_shift_r(X->p, X->n, count); 887 } 888 return 0; 889 } 890 891 /* 892 * Compare unsigned values 893 */ 894 int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y) 895 { 896 size_t i, j; 897 898 for (i = X->n; i > 0; i--) { 899 if (X->p[i - 1] != 0) { 900 break; 901 } 902 } 903 904 for (j = Y->n; j > 0; j--) { 905 if (Y->p[j - 1] != 0) { 906 break; 907 } 908 } 909 910 /* If i == j == 0, i.e. abs(X) == abs(Y), 911 * we end up returning 0 at the end of the function. */ 912 913 if (i > j) { 914 return 1; 915 } 916 if (j > i) { 917 return -1; 918 } 919 920 for (; i > 0; i--) { 921 if (X->p[i - 1] > Y->p[i - 1]) { 922 return 1; 923 } 924 if (X->p[i - 1] < Y->p[i - 1]) { 925 return -1; 926 } 927 } 928 929 return 0; 930 } 931 932 /* 933 * Compare signed values 934 */ 935 int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y) 936 { 937 size_t i, j; 938 939 for (i = X->n; i > 0; i--) { 940 if (X->p[i - 1] != 0) { 941 break; 942 } 943 } 944 945 for (j = Y->n; j > 0; j--) { 946 if (Y->p[j - 1] != 0) { 947 break; 948 } 949 } 950 951 if (i == 0 && j == 0) { 952 return 0; 953 } 954 955 if (i > j) { 956 return X->s; 957 } 958 if (j > i) { 959 return -Y->s; 960 } 961 962 if (X->s > 0 && Y->s < 0) { 963 return 1; 964 } 965 if (Y->s > 0 && X->s < 0) { 966 return -1; 967 } 968 969 for (; i > 0; i--) { 970 if (X->p[i - 1] > Y->p[i - 1]) { 971 return X->s; 972 } 973 if (X->p[i - 1] < Y->p[i - 1]) { 974 return -X->s; 975 } 976 } 977 978 return 0; 979 } 980 981 /* 982 * Compare signed values 983 */ 984 int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z) 985 { 986 mbedtls_mpi Y; 987 mbedtls_mpi_uint p[1]; 988 989 *p = mpi_sint_abs(z); 990 Y.s = TO_SIGN(z); 991 Y.n = 1; 992 Y.p = p; 993 994 return mbedtls_mpi_cmp_mpi(X, &Y); 995 } 996 997 /* 998 * Unsigned addition: X = |A| + |B| (HAC 14.7) 999 */ 1000 int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) 1001 { 1002 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1003 size_t j; 1004 mbedtls_mpi_uint *p; 1005 mbedtls_mpi_uint c; 1006 1007 if (X == B) { 1008 const mbedtls_mpi *T = A; A = X; B = T; 1009 } 1010 1011 if (X != A) { 1012 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A)); 1013 } 1014 1015 /* 1016 * X must always be positive as a result of unsigned additions. 1017 */ 1018 X->s = 1; 1019 1020 for (j = B->n; j > 0; j--) { 1021 if (B->p[j - 1] != 0) { 1022 break; 1023 } 1024 } 1025 1026 /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0 1027 * and B is 0 (of any size). */ 1028 if (j == 0) { 1029 return 0; 1030 } 1031 1032 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j)); 1033 1034 /* j is the number of non-zero limbs of B. Add those to X. */ 1035 1036 p = X->p; 1037 1038 c = mbedtls_mpi_core_add(p, p, B->p, j); 1039 1040 p += j; 1041 1042 /* Now propagate any carry */ 1043 1044 while (c != 0) { 1045 if (j >= X->n) { 1046 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1)); 1047 p = X->p + j; 1048 } 1049 1050 *p += c; c = (*p < c); j++; p++; 1051 } 1052 1053 cleanup: 1054 1055 return ret; 1056 } 1057 1058 /* 1059 * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10) 1060 */ 1061 int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) 1062 { 1063 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1064 size_t n; 1065 mbedtls_mpi_uint carry; 1066 1067 for (n = B->n; n > 0; n--) { 1068 if (B->p[n - 1] != 0) { 1069 break; 1070 } 1071 } 1072 if (n > A->n) { 1073 /* B >= (2^ciL)^n > A */ 1074 ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE; 1075 goto cleanup; 1076 } 1077 1078 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n)); 1079 1080 /* Set the high limbs of X to match A. Don't touch the lower limbs 1081 * because X might be aliased to B, and we must not overwrite the 1082 * significant digits of B. */ 1083 if (A->n > n && A != X) { 1084 memcpy(X->p + n, A->p + n, (A->n - n) * ciL); 1085 } 1086 if (X->n > A->n) { 1087 memset(X->p + A->n, 0, (X->n - A->n) * ciL); 1088 } 1089 1090 carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n); 1091 if (carry != 0) { 1092 /* Propagate the carry through the rest of X. */ 1093 carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n); 1094 1095 /* If we have further carry/borrow, the result is negative. */ 1096 if (carry != 0) { 1097 ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE; 1098 goto cleanup; 1099 } 1100 } 1101 1102 /* X should always be positive as a result of unsigned subtractions. */ 1103 X->s = 1; 1104 1105 cleanup: 1106 return ret; 1107 } 1108 1109 /* Common function for signed addition and subtraction. 1110 * Calculate A + B * flip_B where flip_B is 1 or -1. 1111 */ 1112 static int add_sub_mpi(mbedtls_mpi *X, 1113 const mbedtls_mpi *A, const mbedtls_mpi *B, 1114 int flip_B) 1115 { 1116 int ret, s; 1117 1118 s = A->s; 1119 if (A->s * B->s * flip_B < 0) { 1120 int cmp = mbedtls_mpi_cmp_abs(A, B); 1121 if (cmp >= 0) { 1122 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B)); 1123 /* If |A| = |B|, the result is 0 and we must set the sign bit 1124 * to +1 regardless of which of A or B was negative. Otherwise, 1125 * since |A| > |B|, the sign is the sign of A. */ 1126 X->s = cmp == 0 ? 1 : s; 1127 } else { 1128 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A)); 1129 /* Since |A| < |B|, the sign is the opposite of A. */ 1130 X->s = -s; 1131 } 1132 } else { 1133 MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B)); 1134 X->s = s; 1135 } 1136 1137 cleanup: 1138 1139 return ret; 1140 } 1141 1142 /* 1143 * Signed addition: X = A + B 1144 */ 1145 int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) 1146 { 1147 return add_sub_mpi(X, A, B, 1); 1148 } 1149 1150 /* 1151 * Signed subtraction: X = A - B 1152 */ 1153 int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) 1154 { 1155 return add_sub_mpi(X, A, B, -1); 1156 } 1157 1158 /* 1159 * Signed addition: X = A + b 1160 */ 1161 int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b) 1162 { 1163 mbedtls_mpi B; 1164 mbedtls_mpi_uint p[1]; 1165 1166 p[0] = mpi_sint_abs(b); 1167 B.s = TO_SIGN(b); 1168 B.n = 1; 1169 B.p = p; 1170 1171 return mbedtls_mpi_add_mpi(X, A, &B); 1172 } 1173 1174 /* 1175 * Signed subtraction: X = A - b 1176 */ 1177 int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b) 1178 { 1179 mbedtls_mpi B; 1180 mbedtls_mpi_uint p[1]; 1181 1182 p[0] = mpi_sint_abs(b); 1183 B.s = TO_SIGN(b); 1184 B.n = 1; 1185 B.p = p; 1186 1187 return mbedtls_mpi_sub_mpi(X, A, &B); 1188 } 1189 1190 /* 1191 * Baseline multiplication: X = A * B (HAC 14.12) 1192 */ 1193 int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) 1194 { 1195 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1196 size_t i, j; 1197 mbedtls_mpi TA, TB; 1198 int result_is_zero = 0; 1199 1200 mbedtls_mpi_init(&TA); 1201 mbedtls_mpi_init(&TB); 1202 1203 if (X == A) { 1204 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA; 1205 } 1206 if (X == B) { 1207 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB; 1208 } 1209 1210 for (i = A->n; i > 0; i--) { 1211 if (A->p[i - 1] != 0) { 1212 break; 1213 } 1214 } 1215 if (i == 0) { 1216 result_is_zero = 1; 1217 } 1218 1219 for (j = B->n; j > 0; j--) { 1220 if (B->p[j - 1] != 0) { 1221 break; 1222 } 1223 } 1224 if (j == 0) { 1225 result_is_zero = 1; 1226 } 1227 1228 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j)); 1229 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0)); 1230 1231 mbedtls_mpi_core_mul(X->p, A->p, i, B->p, j); 1232 1233 /* If the result is 0, we don't shortcut the operation, which reduces 1234 * but does not eliminate side channels leaking the zero-ness. We do 1235 * need to take care to set the sign bit properly since the library does 1236 * not fully support an MPI object with a value of 0 and s == -1. */ 1237 if (result_is_zero) { 1238 X->s = 1; 1239 } else { 1240 X->s = A->s * B->s; 1241 } 1242 1243 cleanup: 1244 1245 mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA); 1246 1247 return ret; 1248 } 1249 1250 /* 1251 * Baseline multiplication: X = A * b 1252 */ 1253 int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b) 1254 { 1255 size_t n = A->n; 1256 while (n > 0 && A->p[n - 1] == 0) { 1257 --n; 1258 } 1259 1260 /* The general method below doesn't work if b==0. */ 1261 if (b == 0 || n == 0) { 1262 return mbedtls_mpi_lset(X, 0); 1263 } 1264 1265 /* Calculate A*b as A + A*(b-1) to take advantage of mbedtls_mpi_core_mla */ 1266 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1267 /* In general, A * b requires 1 limb more than b. If 1268 * A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same 1269 * number of limbs as A and the call to grow() is not required since 1270 * copy() will take care of the growth if needed. However, experimentally, 1271 * making the call to grow() unconditional causes slightly fewer 1272 * calls to calloc() in ECP code, presumably because it reuses the 1273 * same mpi for a while and this way the mpi is more likely to directly 1274 * grow to its final size. 1275 * 1276 * Note that calculating A*b as 0 + A*b doesn't work as-is because 1277 * A,X can be the same. */ 1278 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1)); 1279 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A)); 1280 mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1); 1281 1282 cleanup: 1283 return ret; 1284 } 1285 1286 /* 1287 * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and 1288 * mbedtls_mpi_uint divisor, d 1289 */ 1290 static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1, 1291 mbedtls_mpi_uint u0, 1292 mbedtls_mpi_uint d, 1293 mbedtls_mpi_uint *r) 1294 { 1295 #if defined(MBEDTLS_HAVE_UDBL) 1296 mbedtls_t_udbl dividend, quotient; 1297 #else 1298 const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH; 1299 const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1; 1300 mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient; 1301 mbedtls_mpi_uint u0_msw, u0_lsw; 1302 size_t s; 1303 #endif 1304 1305 /* 1306 * Check for overflow 1307 */ 1308 if (0 == d || u1 >= d) { 1309 if (r != NULL) { 1310 *r = ~(mbedtls_mpi_uint) 0u; 1311 } 1312 1313 return ~(mbedtls_mpi_uint) 0u; 1314 } 1315 1316 #if defined(MBEDTLS_HAVE_UDBL) 1317 dividend = (mbedtls_t_udbl) u1 << biL; 1318 dividend |= (mbedtls_t_udbl) u0; 1319 quotient = dividend / d; 1320 if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) { 1321 quotient = ((mbedtls_t_udbl) 1 << biL) - 1; 1322 } 1323 1324 if (r != NULL) { 1325 *r = (mbedtls_mpi_uint) (dividend - (quotient * d)); 1326 } 1327 1328 return (mbedtls_mpi_uint) quotient; 1329 #else 1330 1331 /* 1332 * Algorithm D, Section 4.3.1 - The Art of Computer Programming 1333 * Vol. 2 - Seminumerical Algorithms, Knuth 1334 */ 1335 1336 /* 1337 * Normalize the divisor, d, and dividend, u0, u1 1338 */ 1339 s = mbedtls_mpi_core_clz(d); 1340 d = d << s; 1341 1342 u1 = u1 << s; 1343 u1 |= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1)); 1344 u0 = u0 << s; 1345 1346 d1 = d >> biH; 1347 d0 = d & uint_halfword_mask; 1348 1349 u0_msw = u0 >> biH; 1350 u0_lsw = u0 & uint_halfword_mask; 1351 1352 /* 1353 * Find the first quotient and remainder 1354 */ 1355 q1 = u1 / d1; 1356 r0 = u1 - d1 * q1; 1357 1358 while (q1 >= radix || (q1 * d0 > radix * r0 + u0_msw)) { 1359 q1 -= 1; 1360 r0 += d1; 1361 1362 if (r0 >= radix) { 1363 break; 1364 } 1365 } 1366 1367 rAX = (u1 * radix) + (u0_msw - q1 * d); 1368 q0 = rAX / d1; 1369 r0 = rAX - q0 * d1; 1370 1371 while (q0 >= radix || (q0 * d0 > radix * r0 + u0_lsw)) { 1372 q0 -= 1; 1373 r0 += d1; 1374 1375 if (r0 >= radix) { 1376 break; 1377 } 1378 } 1379 1380 if (r != NULL) { 1381 *r = (rAX * radix + u0_lsw - q0 * d) >> s; 1382 } 1383 1384 quotient = q1 * radix + q0; 1385 1386 return quotient; 1387 #endif 1388 } 1389 1390 /* 1391 * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20) 1392 */ 1393 int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, 1394 const mbedtls_mpi *B) 1395 { 1396 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1397 size_t i, n, t, k; 1398 mbedtls_mpi X, Y, Z, T1, T2; 1399 mbedtls_mpi_uint TP2[3]; 1400 1401 if (mbedtls_mpi_cmp_int(B, 0) == 0) { 1402 return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO; 1403 } 1404 1405 mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z); 1406 mbedtls_mpi_init(&T1); 1407 /* 1408 * Avoid dynamic memory allocations for constant-size T2. 1409 * 1410 * T2 is used for comparison only and the 3 limbs are assigned explicitly, 1411 * so nobody increase the size of the MPI and we're safe to use an on-stack 1412 * buffer. 1413 */ 1414 T2.s = 1; 1415 T2.n = sizeof(TP2) / sizeof(*TP2); 1416 T2.p = TP2; 1417 1418 if (mbedtls_mpi_cmp_abs(A, B) < 0) { 1419 if (Q != NULL) { 1420 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0)); 1421 } 1422 if (R != NULL) { 1423 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A)); 1424 } 1425 return 0; 1426 } 1427 1428 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A)); 1429 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B)); 1430 X.s = Y.s = 1; 1431 1432 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2)); 1433 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0)); 1434 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2)); 1435 1436 k = mbedtls_mpi_bitlen(&Y) % biL; 1437 if (k < biL - 1) { 1438 k = biL - 1 - k; 1439 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k)); 1440 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k)); 1441 } else { 1442 k = 0; 1443 } 1444 1445 n = X.n - 1; 1446 t = Y.n - 1; 1447 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t))); 1448 1449 while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) { 1450 Z.p[n - t]++; 1451 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y)); 1452 } 1453 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t))); 1454 1455 for (i = n; i > t; i--) { 1456 if (X.p[i] >= Y.p[t]) { 1457 Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u; 1458 } else { 1459 Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1], 1460 Y.p[t], NULL); 1461 } 1462 1463 T2.p[0] = (i < 2) ? 0 : X.p[i - 2]; 1464 T2.p[1] = (i < 1) ? 0 : X.p[i - 1]; 1465 T2.p[2] = X.p[i]; 1466 1467 Z.p[i - t - 1]++; 1468 do { 1469 Z.p[i - t - 1]--; 1470 1471 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0)); 1472 T1.p[0] = (t < 1) ? 0 : Y.p[t - 1]; 1473 T1.p[1] = Y.p[t]; 1474 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1])); 1475 } while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0); 1476 1477 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1])); 1478 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1))); 1479 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1)); 1480 1481 if (mbedtls_mpi_cmp_int(&X, 0) < 0) { 1482 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y)); 1483 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1))); 1484 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1)); 1485 Z.p[i - t - 1]--; 1486 } 1487 } 1488 1489 if (Q != NULL) { 1490 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z)); 1491 Q->s = A->s * B->s; 1492 } 1493 1494 if (R != NULL) { 1495 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k)); 1496 X.s = A->s; 1497 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X)); 1498 1499 if (mbedtls_mpi_cmp_int(R, 0) == 0) { 1500 R->s = 1; 1501 } 1502 } 1503 1504 cleanup: 1505 1506 mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z); 1507 mbedtls_mpi_free(&T1); 1508 mbedtls_platform_zeroize(TP2, sizeof(TP2)); 1509 1510 return ret; 1511 } 1512 1513 /* 1514 * Division by int: A = Q * b + R 1515 */ 1516 int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, 1517 const mbedtls_mpi *A, 1518 mbedtls_mpi_sint b) 1519 { 1520 mbedtls_mpi B; 1521 mbedtls_mpi_uint p[1]; 1522 1523 p[0] = mpi_sint_abs(b); 1524 B.s = TO_SIGN(b); 1525 B.n = 1; 1526 B.p = p; 1527 1528 return mbedtls_mpi_div_mpi(Q, R, A, &B); 1529 } 1530 1531 /* 1532 * Modulo: R = A mod B 1533 */ 1534 int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B) 1535 { 1536 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1537 1538 if (mbedtls_mpi_cmp_int(B, 0) < 0) { 1539 return MBEDTLS_ERR_MPI_NEGATIVE_VALUE; 1540 } 1541 1542 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B)); 1543 1544 while (mbedtls_mpi_cmp_int(R, 0) < 0) { 1545 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B)); 1546 } 1547 1548 while (mbedtls_mpi_cmp_mpi(R, B) >= 0) { 1549 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B)); 1550 } 1551 1552 cleanup: 1553 1554 return ret; 1555 } 1556 1557 /* 1558 * Modulo: r = A mod b 1559 */ 1560 int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b) 1561 { 1562 size_t i; 1563 mbedtls_mpi_uint x, y, z; 1564 1565 if (b == 0) { 1566 return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO; 1567 } 1568 1569 if (b < 0) { 1570 return MBEDTLS_ERR_MPI_NEGATIVE_VALUE; 1571 } 1572 1573 /* 1574 * handle trivial cases 1575 */ 1576 if (b == 1 || A->n == 0) { 1577 *r = 0; 1578 return 0; 1579 } 1580 1581 if (b == 2) { 1582 *r = A->p[0] & 1; 1583 return 0; 1584 } 1585 1586 /* 1587 * general case 1588 */ 1589 for (i = A->n, y = 0; i > 0; i--) { 1590 x = A->p[i - 1]; 1591 y = (y << biH) | (x >> biH); 1592 z = y / b; 1593 y -= z * b; 1594 1595 x <<= biH; 1596 y = (y << biH) | (x >> biH); 1597 z = y / b; 1598 y -= z * b; 1599 } 1600 1601 /* 1602 * If A is negative, then the current y represents a negative value. 1603 * Flipping it to the positive side. 1604 */ 1605 if (A->s < 0 && y != 0) { 1606 y = b - y; 1607 } 1608 1609 *r = y; 1610 1611 return 0; 1612 } 1613 1614 /* 1615 * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value, 1616 * this function is not constant time with respect to the exponent (parameter E). 1617 */ 1618 static int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi *X, const mbedtls_mpi *A, 1619 const mbedtls_mpi *E, int E_public, 1620 const mbedtls_mpi *N, mbedtls_mpi *prec_RR) 1621 { 1622 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1623 1624 if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) { 1625 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 1626 } 1627 1628 if (mbedtls_mpi_cmp_int(E, 0) < 0) { 1629 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 1630 } 1631 1632 if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS || 1633 mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) { 1634 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 1635 } 1636 1637 /* 1638 * Ensure that the exponent that we are passing to the core is not NULL. 1639 */ 1640 if (E->n == 0) { 1641 ret = mbedtls_mpi_lset(X, 1); 1642 return ret; 1643 } 1644 1645 /* 1646 * Allocate working memory for mbedtls_mpi_core_exp_mod() 1647 */ 1648 size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n); 1649 mbedtls_mpi_uint *T = (mbedtls_mpi_uint *) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint)); 1650 if (T == NULL) { 1651 return MBEDTLS_ERR_MPI_ALLOC_FAILED; 1652 } 1653 1654 mbedtls_mpi RR; 1655 mbedtls_mpi_init(&RR); 1656 1657 /* 1658 * If 1st call, pre-compute R^2 mod N 1659 */ 1660 if (prec_RR == NULL || prec_RR->p == NULL) { 1661 MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N)); 1662 1663 if (prec_RR != NULL) { 1664 *prec_RR = RR; 1665 } 1666 } else { 1667 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(prec_RR, N->n)); 1668 RR = *prec_RR; 1669 } 1670 1671 /* 1672 * To preserve constness we need to make a copy of A. Using X for this to 1673 * save memory. 1674 */ 1675 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A)); 1676 1677 /* 1678 * Compensate for negative A (and correct at the end). 1679 */ 1680 X->s = 1; 1681 1682 /* 1683 * Make sure that X is in a form that is safe for consumption by 1684 * the core functions. 1685 * 1686 * - The core functions will not touch the limbs of X above N->n. The 1687 * result will be correct if those limbs are 0, which the mod call 1688 * ensures. 1689 * - Also, X must have at least as many limbs as N for the calls to the 1690 * core functions. 1691 */ 1692 if (mbedtls_mpi_cmp_mpi(X, N) >= 0) { 1693 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N)); 1694 } 1695 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n)); 1696 1697 /* 1698 * Convert to and from Montgomery around mbedtls_mpi_core_exp_mod(). 1699 */ 1700 { 1701 mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); 1702 mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T); 1703 if (E_public == MBEDTLS_MPI_IS_PUBLIC) { 1704 mbedtls_mpi_core_exp_mod_unsafe(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T); 1705 } else { 1706 mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T); 1707 } 1708 mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T); 1709 } 1710 1711 /* 1712 * Correct for negative A. 1713 */ 1714 if (A->s == -1 && (E->p[0] & 1) != 0) { 1715 mbedtls_ct_condition_t is_x_non_zero = mbedtls_mpi_core_check_zero_ct(X->p, X->n); 1716 X->s = mbedtls_ct_mpi_sign_if(is_x_non_zero, -1, 1); 1717 1718 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X)); 1719 } 1720 1721 cleanup: 1722 1723 mbedtls_mpi_zeroize_and_free(T, T_limbs); 1724 1725 if (prec_RR == NULL || prec_RR->p == NULL) { 1726 mbedtls_mpi_free(&RR); 1727 } 1728 1729 return ret; 1730 } 1731 1732 int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, 1733 const mbedtls_mpi *E, const mbedtls_mpi *N, 1734 mbedtls_mpi *prec_RR) 1735 { 1736 return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_SECRET, N, prec_RR); 1737 } 1738 1739 int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A, 1740 const mbedtls_mpi *E, const mbedtls_mpi *N, 1741 mbedtls_mpi *prec_RR) 1742 { 1743 return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_PUBLIC, N, prec_RR); 1744 } 1745 1746 /* 1747 * Greatest common divisor: G = gcd(A, B) (HAC 14.54) 1748 */ 1749 int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B) 1750 { 1751 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1752 size_t lz, lzt; 1753 mbedtls_mpi TA, TB; 1754 1755 mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB); 1756 1757 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); 1758 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); 1759 1760 lz = mbedtls_mpi_lsb(&TA); 1761 lzt = mbedtls_mpi_lsb(&TB); 1762 1763 /* The loop below gives the correct result when A==0 but not when B==0. 1764 * So have a special case for B==0. Leverage the fact that we just 1765 * calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test 1766 * slightly more efficient than cmp_int(). */ 1767 if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) { 1768 ret = mbedtls_mpi_copy(G, A); 1769 goto cleanup; 1770 } 1771 1772 if (lzt < lz) { 1773 lz = lzt; 1774 } 1775 1776 TA.s = TB.s = 1; 1777 1778 /* We mostly follow the procedure described in HAC 14.54, but with some 1779 * minor differences: 1780 * - Sequences of multiplications or divisions by 2 are grouped into a 1781 * single shift operation. 1782 * - The procedure in HAC assumes that 0 < TB <= TA. 1783 * - The condition TB <= TA is not actually necessary for correctness. 1784 * TA and TB have symmetric roles except for the loop termination 1785 * condition, and the shifts at the beginning of the loop body 1786 * remove any significance from the ordering of TA vs TB before 1787 * the shifts. 1788 * - If TA = 0, the loop goes through 0 iterations and the result is 1789 * correctly TB. 1790 * - The case TB = 0 was short-circuited above. 1791 * 1792 * For the correctness proof below, decompose the original values of 1793 * A and B as 1794 * A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1 1795 * B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1 1796 * Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'), 1797 * and gcd(A',B') is odd or 0. 1798 * 1799 * At the beginning, we have TA = |A| and TB = |B| so gcd(A,B) = gcd(TA,TB). 1800 * The code maintains the following invariant: 1801 * gcd(A,B) = 2^k * gcd(TA,TB) for some k (I) 1802 */ 1803 1804 /* Proof that the loop terminates: 1805 * At each iteration, either the right-shift by 1 is made on a nonzero 1806 * value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases 1807 * by at least 1, or the right-shift by 1 is made on zero and then 1808 * TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted 1809 * since in that case TB is calculated from TB-TA with the condition TB>TA). 1810 */ 1811 while (mbedtls_mpi_cmp_int(&TA, 0) != 0) { 1812 /* Divisions by 2 preserve the invariant (I). */ 1813 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA))); 1814 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB))); 1815 1816 /* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd, 1817 * TA-TB is even so the division by 2 has an integer result. 1818 * Invariant (I) is preserved since any odd divisor of both TA and TB 1819 * also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2 1820 * also divides TB, and any odd divisor of both TB and |TA-TB|/2 also 1821 * divides TA. 1822 */ 1823 if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) { 1824 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB)); 1825 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1)); 1826 } else { 1827 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA)); 1828 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1)); 1829 } 1830 /* Note that one of TA or TB is still odd. */ 1831 } 1832 1833 /* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k. 1834 * At the loop exit, TA = 0, so gcd(TA,TB) = TB. 1835 * - If there was at least one loop iteration, then one of TA or TB is odd, 1836 * and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case, 1837 * lz = min(a,b) so gcd(A,B) = 2^lz * TB. 1838 * - If there was no loop iteration, then A was 0, and gcd(A,B) = B. 1839 * In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well. 1840 */ 1841 1842 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz)); 1843 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB)); 1844 1845 cleanup: 1846 1847 mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB); 1848 1849 return ret; 1850 } 1851 1852 /* 1853 * Fill X with size bytes of random. 1854 * The bytes returned from the RNG are used in a specific order which 1855 * is suitable for deterministic ECDSA (see the specification of 1856 * mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()). 1857 */ 1858 int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size, 1859 int (*f_rng)(void *, unsigned char *, size_t), 1860 void *p_rng) 1861 { 1862 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1863 const size_t limbs = CHARS_TO_LIMBS(size); 1864 1865 /* Ensure that target MPI has exactly the necessary number of limbs */ 1866 MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs)); 1867 if (size == 0) { 1868 return 0; 1869 } 1870 1871 ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng); 1872 1873 cleanup: 1874 return ret; 1875 } 1876 1877 int mbedtls_mpi_random(mbedtls_mpi *X, 1878 mbedtls_mpi_sint min, 1879 const mbedtls_mpi *N, 1880 int (*f_rng)(void *, unsigned char *, size_t), 1881 void *p_rng) 1882 { 1883 if (min < 0) { 1884 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 1885 } 1886 if (mbedtls_mpi_cmp_int(N, min) <= 0) { 1887 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 1888 } 1889 1890 /* Ensure that target MPI has exactly the same number of limbs 1891 * as the upper bound, even if the upper bound has leading zeros. 1892 * This is necessary for mbedtls_mpi_core_random. */ 1893 int ret = mbedtls_mpi_resize_clear(X, N->n); 1894 if (ret != 0) { 1895 return ret; 1896 } 1897 1898 return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng); 1899 } 1900 1901 /* 1902 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64) 1903 */ 1904 int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N) 1905 { 1906 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1907 mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2; 1908 1909 if (mbedtls_mpi_cmp_int(N, 1) <= 0) { 1910 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 1911 } 1912 1913 mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2); 1914 mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV); 1915 mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2); 1916 1917 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N)); 1918 1919 if (mbedtls_mpi_cmp_int(&G, 1) != 0) { 1920 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; 1921 goto cleanup; 1922 } 1923 1924 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N)); 1925 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA)); 1926 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N)); 1927 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N)); 1928 1929 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1)); 1930 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0)); 1931 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0)); 1932 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1)); 1933 1934 do { 1935 while ((TU.p[0] & 1) == 0) { 1936 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1)); 1937 1938 if ((U1.p[0] & 1) != 0 || (U2.p[0] & 1) != 0) { 1939 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB)); 1940 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA)); 1941 } 1942 1943 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1)); 1944 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1)); 1945 } 1946 1947 while ((TV.p[0] & 1) == 0) { 1948 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1)); 1949 1950 if ((V1.p[0] & 1) != 0 || (V2.p[0] & 1) != 0) { 1951 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB)); 1952 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA)); 1953 } 1954 1955 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1)); 1956 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1)); 1957 } 1958 1959 if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) { 1960 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV)); 1961 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1)); 1962 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2)); 1963 } else { 1964 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU)); 1965 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1)); 1966 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2)); 1967 } 1968 } while (mbedtls_mpi_cmp_int(&TU, 0) != 0); 1969 1970 while (mbedtls_mpi_cmp_int(&V1, 0) < 0) { 1971 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N)); 1972 } 1973 1974 while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) { 1975 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N)); 1976 } 1977 1978 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1)); 1979 1980 cleanup: 1981 1982 mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2); 1983 mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV); 1984 mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2); 1985 1986 return ret; 1987 } 1988 1989 #if defined(MBEDTLS_GENPRIME) 1990 1991 /* Gaps between primes, starting at 3. https://oeis.org/A001223 */ 1992 static const unsigned char small_prime_gaps[] = { 1993 2, 2, 4, 2, 4, 2, 4, 6, 1994 2, 6, 4, 2, 4, 6, 6, 2, 1995 6, 4, 2, 6, 4, 6, 8, 4, 1996 2, 4, 2, 4, 14, 4, 6, 2, 1997 10, 2, 6, 6, 4, 6, 6, 2, 1998 10, 2, 4, 2, 12, 12, 4, 2, 1999 4, 6, 2, 10, 6, 6, 6, 2, 2000 6, 4, 2, 10, 14, 4, 2, 4, 2001 14, 6, 10, 2, 4, 6, 8, 6, 2002 6, 4, 6, 8, 4, 8, 10, 2, 2003 10, 2, 6, 4, 6, 8, 4, 2, 2004 4, 12, 8, 4, 8, 4, 6, 12, 2005 2, 18, 6, 10, 6, 6, 2, 6, 2006 10, 6, 6, 2, 6, 6, 4, 2, 2007 12, 10, 2, 4, 6, 6, 2, 12, 2008 4, 6, 8, 10, 8, 10, 8, 6, 2009 6, 4, 8, 6, 4, 8, 4, 14, 2010 10, 12, 2, 10, 2, 4, 2, 10, 2011 14, 4, 2, 4, 14, 4, 2, 4, 2012 20, 4, 8, 10, 8, 4, 6, 6, 2013 14, 4, 6, 6, 8, 6, /*reaches 997*/ 2014 0 /* the last entry is effectively unused */ 2015 }; 2016 2017 /* 2018 * Small divisors test (X must be positive) 2019 * 2020 * Return values: 2021 * 0: no small factor (possible prime, more tests needed) 2022 * 1: certain prime 2023 * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime 2024 * other negative: error 2025 */ 2026 static int mpi_check_small_factors(const mbedtls_mpi *X) 2027 { 2028 int ret = 0; 2029 size_t i; 2030 mbedtls_mpi_uint r; 2031 unsigned p = 3; /* The first odd prime */ 2032 2033 if ((X->p[0] & 1) == 0) { 2034 return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; 2035 } 2036 2037 for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) { 2038 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p)); 2039 if (r == 0) { 2040 if (mbedtls_mpi_cmp_int(X, p) == 0) { 2041 return 1; 2042 } else { 2043 return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; 2044 } 2045 } 2046 } 2047 2048 cleanup: 2049 return ret; 2050 } 2051 2052 /* 2053 * Miller-Rabin pseudo-primality test (HAC 4.24) 2054 */ 2055 static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds, 2056 int (*f_rng)(void *, unsigned char *, size_t), 2057 void *p_rng) 2058 { 2059 int ret, count; 2060 size_t i, j, k, s; 2061 mbedtls_mpi W, R, T, A, RR; 2062 2063 mbedtls_mpi_init(&W); mbedtls_mpi_init(&R); 2064 mbedtls_mpi_init(&T); mbedtls_mpi_init(&A); 2065 mbedtls_mpi_init(&RR); 2066 2067 /* 2068 * W = |X| - 1 2069 * R = W >> lsb( W ) 2070 */ 2071 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1)); 2072 s = mbedtls_mpi_lsb(&W); 2073 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W)); 2074 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s)); 2075 2076 for (i = 0; i < rounds; i++) { 2077 /* 2078 * pick a random A, 1 < A < |X| - 1 2079 */ 2080 count = 0; 2081 do { 2082 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng)); 2083 2084 j = mbedtls_mpi_bitlen(&A); 2085 k = mbedtls_mpi_bitlen(&W); 2086 if (j > k) { 2087 A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1; 2088 } 2089 2090 if (count++ > 30) { 2091 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; 2092 goto cleanup; 2093 } 2094 2095 } while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 || 2096 mbedtls_mpi_cmp_int(&A, 1) <= 0); 2097 2098 /* 2099 * A = A^R mod |X| 2100 */ 2101 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR)); 2102 2103 if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 || 2104 mbedtls_mpi_cmp_int(&A, 1) == 0) { 2105 continue; 2106 } 2107 2108 j = 1; 2109 while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) { 2110 /* 2111 * A = A * A mod |X| 2112 */ 2113 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A)); 2114 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X)); 2115 2116 if (mbedtls_mpi_cmp_int(&A, 1) == 0) { 2117 break; 2118 } 2119 2120 j++; 2121 } 2122 2123 /* 2124 * not prime if A != |X| - 1 or A == 1 2125 */ 2126 if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 || 2127 mbedtls_mpi_cmp_int(&A, 1) == 0) { 2128 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; 2129 break; 2130 } 2131 } 2132 2133 cleanup: 2134 mbedtls_mpi_free(&W); mbedtls_mpi_free(&R); 2135 mbedtls_mpi_free(&T); mbedtls_mpi_free(&A); 2136 mbedtls_mpi_free(&RR); 2137 2138 return ret; 2139 } 2140 2141 /* 2142 * Pseudo-primality test: small factors, then Miller-Rabin 2143 */ 2144 int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds, 2145 int (*f_rng)(void *, unsigned char *, size_t), 2146 void *p_rng) 2147 { 2148 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2149 mbedtls_mpi XX; 2150 2151 XX.s = 1; 2152 XX.n = X->n; 2153 XX.p = X->p; 2154 2155 if (mbedtls_mpi_cmp_int(&XX, 0) == 0 || 2156 mbedtls_mpi_cmp_int(&XX, 1) == 0) { 2157 return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; 2158 } 2159 2160 if (mbedtls_mpi_cmp_int(&XX, 2) == 0) { 2161 return 0; 2162 } 2163 2164 if ((ret = mpi_check_small_factors(&XX)) != 0) { 2165 if (ret == 1) { 2166 return 0; 2167 } 2168 2169 return ret; 2170 } 2171 2172 return mpi_miller_rabin(&XX, rounds, f_rng, p_rng); 2173 } 2174 2175 /* 2176 * Prime number generation 2177 * 2178 * To generate an RSA key in a way recommended by FIPS 186-4, both primes must 2179 * be either 1024 bits or 1536 bits long, and flags must contain 2180 * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR. 2181 */ 2182 int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags, 2183 int (*f_rng)(void *, unsigned char *, size_t), 2184 void *p_rng) 2185 { 2186 #ifdef MBEDTLS_HAVE_INT64 2187 // ceil(2^63.5) 2188 #define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL 2189 #else 2190 // ceil(2^31.5) 2191 #define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U 2192 #endif 2193 int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; 2194 size_t k, n; 2195 int rounds; 2196 mbedtls_mpi_uint r; 2197 mbedtls_mpi Y; 2198 2199 if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS) { 2200 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 2201 } 2202 2203 mbedtls_mpi_init(&Y); 2204 2205 n = BITS_TO_LIMBS(nbits); 2206 2207 if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) { 2208 /* 2209 * 2^-80 error probability, number of rounds chosen per HAC, table 4.4 2210 */ 2211 rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 : 2212 (nbits >= 650) ? 4 : (nbits >= 350) ? 8 : 2213 (nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27); 2214 } else { 2215 /* 2216 * 2^-100 error probability, number of rounds computed based on HAC, 2217 * fact 4.48 2218 */ 2219 rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 : 2220 (nbits >= 1000) ? 6 : (nbits >= 850) ? 7 : 2221 (nbits >= 750) ? 8 : (nbits >= 500) ? 13 : 2222 (nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51); 2223 } 2224 2225 while (1) { 2226 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng)); 2227 /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */ 2228 if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) { 2229 continue; 2230 } 2231 2232 k = n * biL; 2233 if (k > nbits) { 2234 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits)); 2235 } 2236 X->p[0] |= 1; 2237 2238 if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) { 2239 ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng); 2240 2241 if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) { 2242 goto cleanup; 2243 } 2244 } else { 2245 /* 2246 * A necessary condition for Y and X = 2Y + 1 to be prime 2247 * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3). 2248 * Make sure it is satisfied, while keeping X = 3 mod 4 2249 */ 2250 2251 X->p[0] |= 2; 2252 2253 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3)); 2254 if (r == 0) { 2255 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8)); 2256 } else if (r == 1) { 2257 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4)); 2258 } 2259 2260 /* Set Y = (X-1) / 2, which is X / 2 because X is odd */ 2261 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X)); 2262 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1)); 2263 2264 while (1) { 2265 /* 2266 * First, check small factors for X and Y 2267 * before doing Miller-Rabin on any of them 2268 */ 2269 if ((ret = mpi_check_small_factors(X)) == 0 && 2270 (ret = mpi_check_small_factors(&Y)) == 0 && 2271 (ret = mpi_miller_rabin(X, rounds, f_rng, p_rng)) 2272 == 0 && 2273 (ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng)) 2274 == 0) { 2275 goto cleanup; 2276 } 2277 2278 if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) { 2279 goto cleanup; 2280 } 2281 2282 /* 2283 * Next candidates. We want to preserve Y = (X-1) / 2 and 2284 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3) 2285 * so up Y by 6 and X by 12. 2286 */ 2287 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12)); 2288 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6)); 2289 } 2290 } 2291 } 2292 2293 cleanup: 2294 2295 mbedtls_mpi_free(&Y); 2296 2297 return ret; 2298 } 2299 2300 #endif /* MBEDTLS_GENPRIME */ 2301 2302 #if defined(MBEDTLS_SELF_TEST) 2303 2304 #define GCD_PAIR_COUNT 3 2305 2306 static const int gcd_pairs[GCD_PAIR_COUNT][3] = 2307 { 2308 { 693, 609, 21 }, 2309 { 1764, 868, 28 }, 2310 { 768454923, 542167814, 1 } 2311 }; 2312 2313 /* 2314 * Checkup routine 2315 */ 2316 int mbedtls_mpi_self_test(int verbose) 2317 { 2318 int ret, i; 2319 mbedtls_mpi A, E, N, X, Y, U, V; 2320 2321 mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X); 2322 mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V); 2323 2324 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16, 2325 "EFE021C2645FD1DC586E69184AF4A31E" \ 2326 "D5F53E93B5F123FA41680867BA110131" \ 2327 "944FE7952E2517337780CB0DB80E61AA" \ 2328 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6")); 2329 2330 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16, 2331 "B2E7EFD37075B9F03FF989C7C5051C20" \ 2332 "34D2A323810251127E7BF8625A4F49A5" \ 2333 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \ 2334 "5B5C25763222FEFCCFC38B832366C29E")); 2335 2336 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16, 2337 "0066A198186C18C10B2F5ED9B522752A" \ 2338 "9830B69916E535C8F047518A889A43A5" \ 2339 "94B6BED27A168D31D4A52F88925AA8F5")); 2340 2341 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N)); 2342 2343 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16, 2344 "602AB7ECA597A3D6B56FF9829A5E8B85" \ 2345 "9E857EA95A03512E2BAE7391688D264A" \ 2346 "A5663B0341DB9CCFD2C4C5F421FEC814" \ 2347 "8001B72E848A38CAE1C65F78E56ABDEF" \ 2348 "E12D3C039B8A02D6BE593F0BBBDA56F1" \ 2349 "ECF677152EF804370C1A305CAF3B5BF1" \ 2350 "30879B56C61DE584A0F53A2447A51E")); 2351 2352 if (verbose != 0) { 2353 mbedtls_printf(" MPI test #1 (mul_mpi): "); 2354 } 2355 2356 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) { 2357 if (verbose != 0) { 2358 mbedtls_printf("failed\n"); 2359 } 2360 2361 ret = 1; 2362 goto cleanup; 2363 } 2364 2365 if (verbose != 0) { 2366 mbedtls_printf("passed\n"); 2367 } 2368 2369 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N)); 2370 2371 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16, 2372 "256567336059E52CAE22925474705F39A94")); 2373 2374 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16, 2375 "6613F26162223DF488E9CD48CC132C7A" \ 2376 "0AC93C701B001B092E4E5B9F73BCD27B" \ 2377 "9EE50D0657C77F374E903CDFA4C642")); 2378 2379 if (verbose != 0) { 2380 mbedtls_printf(" MPI test #2 (div_mpi): "); 2381 } 2382 2383 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 || 2384 mbedtls_mpi_cmp_mpi(&Y, &V) != 0) { 2385 if (verbose != 0) { 2386 mbedtls_printf("failed\n"); 2387 } 2388 2389 ret = 1; 2390 goto cleanup; 2391 } 2392 2393 if (verbose != 0) { 2394 mbedtls_printf("passed\n"); 2395 } 2396 2397 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL)); 2398 2399 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16, 2400 "36E139AEA55215609D2816998ED020BB" \ 2401 "BD96C37890F65171D948E9BC7CBAA4D9" \ 2402 "325D24D6A3C12710F10A09FA08AB87")); 2403 2404 if (verbose != 0) { 2405 mbedtls_printf(" MPI test #3 (exp_mod): "); 2406 } 2407 2408 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) { 2409 if (verbose != 0) { 2410 mbedtls_printf("failed\n"); 2411 } 2412 2413 ret = 1; 2414 goto cleanup; 2415 } 2416 2417 if (verbose != 0) { 2418 mbedtls_printf("passed\n"); 2419 } 2420 2421 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N)); 2422 2423 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16, 2424 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \ 2425 "C3DBA76456363A10869622EAC2DD84EC" \ 2426 "C5B8A74DAC4D09E03B5E0BE779F2DF61")); 2427 2428 if (verbose != 0) { 2429 mbedtls_printf(" MPI test #4 (inv_mod): "); 2430 } 2431 2432 if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) { 2433 if (verbose != 0) { 2434 mbedtls_printf("failed\n"); 2435 } 2436 2437 ret = 1; 2438 goto cleanup; 2439 } 2440 2441 if (verbose != 0) { 2442 mbedtls_printf("passed\n"); 2443 } 2444 2445 if (verbose != 0) { 2446 mbedtls_printf(" MPI test #5 (simple gcd): "); 2447 } 2448 2449 for (i = 0; i < GCD_PAIR_COUNT; i++) { 2450 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0])); 2451 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1])); 2452 2453 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y)); 2454 2455 if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) { 2456 if (verbose != 0) { 2457 mbedtls_printf("failed at %d\n", i); 2458 } 2459 2460 ret = 1; 2461 goto cleanup; 2462 } 2463 } 2464 2465 if (verbose != 0) { 2466 mbedtls_printf("passed\n"); 2467 } 2468 2469 cleanup: 2470 2471 if (ret != 0 && verbose != 0) { 2472 mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret); 2473 } 2474 2475 mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X); 2476 mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V); 2477 2478 if (verbose != 0) { 2479 mbedtls_printf("\n"); 2480 } 2481 2482 return ret; 2483 } 2484 2485 #endif /* MBEDTLS_SELF_TEST */ 2486 2487 #endif /* MBEDTLS_BIGNUM_C */