Correct the aliasing requirements in doc for mbedtls_mpi_core_montmul(), and test them

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2025-07-29 11:41:15 +03:00 · 2022-09-29 14:40:21 +01:00
parent 119eae2e51
commit 4386ead662
3 changed files with 24 additions and 10 deletions
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@ -439,7 +439,7 @@ void mbedtls_mpi_core_montmul( mbedtls_mpi_uint *X,
     * So the correct return value is already in X if (carry ^ borrow) = 0,
     * but is in (the lower AN_limbs limbs of) T if (carry ^ borrow) = 1.
     */
-     mbedtls_ct_mpi_uint_cond_assign( AN_limbs, X, T, (unsigned char) ( carry ^ borrow ) );
+    mbedtls_ct_mpi_uint_cond_assign( AN_limbs, X, T, (unsigned char) ( carry ^ borrow ) );
 }

 #endif /* MBEDTLS_BIGNUM_C */
--- a/library/bignum_core.h
+++ b/library/bignum_core.h
@ -250,15 +250,15 @@ mbedtls_mpi_uint mbedtls_mpi_core_mla( mbedtls_mpi_uint *X, size_t X_limbs,
 mbedtls_mpi_uint mbedtls_mpi_core_montmul_init( const mbedtls_mpi_uint *N );

 /**
- * \brief Montgomery multiplication: X = A * B * R^-1 mod N  (HAC 14.36)
+ * \brief Montgomery multiplication: X = A * B * R^-1 mod N (HAC 14.36)
+ *
+ * \p A and \p B must be in canonical form. That is, < \p N.
 *
 * \p X may be aliased to \p A or \p N, or even \p B (if \p AN_limbs ==
 * \p B_limbs) but may not overlap any parameters otherwise.
 *
- * \p A, \p B and \p N must not alias or overlap each other in any way, even
- * if \p AN_limbs == \p B_limbs.
- *
- * \p A and \p B must be in canonical form: that is, <= \p N.
+ * \p A and \p B may alias each other, if \p AN_limbs == \p B_limbs. They may
+ * not alias \p N (since they must be in canonical form, they cannot == \p N).
 *
 * \param[out]    X         The destination MPI, as a little-endian array of
 *                          length \p AN_limbs.
@ -273,13 +273,16 @@ mbedtls_mpi_uint mbedtls_mpi_core_montmul_init( const mbedtls_mpi_uint *N );
 * \param[in]     N         Little-endian presentation of the modulus.
 *                          This must be odd, and have exactly the same number
 *                          of limbs as \p A.
+ *                          It must not alias or otherwise overlap any of the
+ *                          other parameters.
 * \param[in]     AN_limbs  The number of limbs in \p X, \p A and \p N.
 * \param         mm        The Montgomery constant for \p N: -N^-1 mod 2^biL.
 *                          This can be calculated by `mbedtls_mpi_core_montmul_init()`.
 * \param[in,out] T         Temporary storage of size at least 2*AN_limbs+1 limbs.
 *                          Its initial content is unused and
 *                          its final content is indeterminate.
- *                          It must not overlap any of the other parameters.
+ *                          It must not alias or otherwise overlap any of the
+ *                          other parameters.
 */
 void mbedtls_mpi_core_montmul( mbedtls_mpi_uint *X,
                               const mbedtls_mpi_uint *A,