lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-26 15:08:51 +03:00
Code

Move some bignum functions to internal header

Browse Source 
We will need a couple of low level functions to implement safe
unblinding in RSA.

Signed-off-by: Janos Follath <janos.follath@arm.com>
This commit is contained in:
Janos Follath 2024-01-08 14:08:17 +00:00 committed by Dave Rodgman
parent 42175031ca
commit 4fe396f1e1
2 changed files with 63 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
library/bignum.c
View File

@ -1907,7 +1907,7 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_s
/* /*
* Fast Montgomery initialization (thanks to Tom St Denis) * Fast Montgomery initialization (thanks to Tom St Denis)
*/ */
static void mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N) void mbedtls_mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N)
{ {
mbedtls_mpi_uint x, m0 = N->p[0]; mbedtls_mpi_uint x, m0 = N->p[0];
unsigned int i; unsigned int i;
@ -1922,33 +1922,11 @@ static void mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N)
*mm = ~x + 1; *mm = ~x + 1;
} }
/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36) void mbedtls_mpi_montmul(mbedtls_mpi *A,
* const mbedtls_mpi *B,
* \param[in,out] A One of the numbers to multiply. const mbedtls_mpi *N,
* It must have at least as many limbs as N mbedtls_mpi_uint mm,
* (A->n >= N->n), and any limbs beyond n are ignored. const mbedtls_mpi *T)
* On successful completion, A contains the result of
* the multiplication A * B * R^-1 mod N where
* R = (2^ciL)^n.
* \param[in] B One of the numbers to multiply.
* It must be nonzero and must not have more limbs than N
* (B->n <= N->n).
* \param[in] N The modulo. N must be odd.
* \param mm The value calculated by `mpi_montg_init(&mm, N)`.
* This is -N^-1 mod 2^ciL.
* \param[in,out] T A bignum for temporary storage.
* It must be at least twice the limb size of N plus 2
* (T->n >= 2 * (N->n + 1)).
* Its initial content is unused and
* its final content is indeterminate.
* Note that unlike the usual convention in the library
* for `const mbedtls_mpi*`, the content of T can change.
*/
static void mpi_montmul(mbedtls_mpi *A,
const mbedtls_mpi *B,
const mbedtls_mpi *N,
mbedtls_mpi_uint mm,
const mbedtls_mpi *T)
{ {
size_t i, n, m; size_t i, n, m;
mbedtls_mpi_uint u0, u1, *d; mbedtls_mpi_uint u0, u1, *d;
@ -1996,7 +1974,8 @@ static void mpi_montmul(mbedtls_mpi *A,
/* /*
* Montgomery reduction: A = A * R^-1 mod N * Montgomery reduction: A = A * R^-1 mod N
* *
* See mpi_montmul() regarding constraints and guarantees on the parameters. * See mbedtls_mpi_montmul() regarding constraints and guarantees on the
* parameters.
*/ */
static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N, static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N,
mbedtls_mpi_uint mm, const mbedtls_mpi *T) mbedtls_mpi_uint mm, const mbedtls_mpi *T)
@ -2007,7 +1986,7 @@ static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N,
U.n = U.s = (int) z; U.n = U.s = (int) z;
U.p = &z; U.p = &z;
mpi_montmul(A, &U, N, mm, T); mbedtls_mpi_montmul(A, &U, N, mm, T);
} }
/** /**
@ -2090,7 +2069,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
/* /*
* Init temps and window size * Init temps and window size
*/ */
mpi_montg_init(&mm, N); mbedtls_mpi_montg_init(&mm, N);
mbedtls_mpi_init(&RR); mbedtls_mpi_init(&T); mbedtls_mpi_init(&RR); mbedtls_mpi_init(&T);
mbedtls_mpi_init(&Apos); mbedtls_mpi_init(&Apos);
mbedtls_mpi_init(&WW); mbedtls_mpi_init(&WW);
@ -2144,10 +2123,10 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
j = N->n + 1; j = N->n + 1;
/* All W[i] including the accumulator must have at least N->n limbs for /* All W[i] including the accumulator must have at least N->n limbs for
* the mpi_montmul() and mpi_montred() calls later. Here we ensure that * the mbedtls_mpi_montmul() and mpi_montred() calls later. Here we ensure
* W[1] and the accumulator W[x_index] are large enough. later we'll grow * that W[1] and the accumulator W[x_index] are large enough. later we'll
* other W[i] to the same length. They must not be shrunk midway through * grow other W[i] to the same length. They must not be shrunk midway
* this function! * through this function!
*/ */
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j)); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j));
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j)); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j));
@ -2183,7 +2162,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&W[1], A, N)); MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&W[1], A, N));
/* This should be a no-op because W[1] is already that large before /* This should be a no-op because W[1] is already that large before
* mbedtls_mpi_mod_mpi(), but it's necessary to avoid an overflow * mbedtls_mpi_mod_mpi(), but it's necessary to avoid an overflow
* in mpi_montmul() below, so let's make sure. */ * in mbedtls_mpi_montmul() below, so let's make sure. */
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], N->n + 1)); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], N->n + 1));
} else { } else {
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[1], A)); MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[1], A));
@ -2191,7 +2170,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
/* Note that this is safe because W[1] always has at least N->n limbs /* Note that this is safe because W[1] always has at least N->n limbs
* (it grew above and was preserved by mbedtls_mpi_copy()). */ * (it grew above and was preserved by mbedtls_mpi_copy()). */
mpi_montmul(&W[1], &RR, N, mm, &T); mbedtls_mpi_montmul(&W[1], &RR, N, mm, &T);
/* /*
* W[x_index] = R^2 * R^-1 mod N = R mod N * W[x_index] = R^2 * R^-1 mod N = R mod N
@ -2217,7 +2196,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[j], &W[1])); MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[j], &W[1]));
for (i = 0; i < window_bitsize - 1; i++) { for (i = 0; i < window_bitsize - 1; i++) {
mpi_montmul(&W[j], &W[j], N, mm, &T); mbedtls_mpi_montmul(&W[j], &W[j], N, mm, &T);
} }
/* /*
@ -2227,7 +2206,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[i], N->n + 1)); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[i], N->n + 1));
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[i], &W[i - 1])); MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[i], &W[i - 1]));
mpi_montmul(&W[i], &W[1], N, mm, &T); mbedtls_mpi_montmul(&W[i], &W[1], N, mm, &T);
} }
} }
@ -2263,7 +2242,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
* out of window, square W[x_index] * out of window, square W[x_index]
*/ */
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index)); MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
mpi_montmul(&W[x_index], &WW, N, mm, &T); mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
continue; continue;
} }
@ -2282,7 +2261,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
for (i = 0; i < window_bitsize; i++) { for (i = 0; i < window_bitsize; i++) {
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
x_index)); x_index));
mpi_montmul(&W[x_index], &WW, N, mm, &T); mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
} }
/* /*
@ -2290,7 +2269,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
*/ */
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
exponent_bits_in_window)); exponent_bits_in_window));
mpi_montmul(&W[x_index], &WW, N, mm, &T); mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
state--; state--;
nbits = 0; nbits = 0;
@ -2303,13 +2282,13 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
*/ */
for (i = 0; i < nbits; i++) { for (i = 0; i < nbits; i++) {
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index)); MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
mpi_montmul(&W[x_index], &WW, N, mm, &T); mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
exponent_bits_in_window <<= 1; exponent_bits_in_window <<= 1;
if ((exponent_bits_in_window & ((size_t) 1 << window_bitsize)) != 0) { if ((exponent_bits_in_window & ((size_t) 1 << window_bitsize)) != 0) {
MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, 1)); MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, 1));
mpi_montmul(&W[x_index], &WW, N, mm, &T); mbedtls_mpi_montmul(&W[x_index], &WW, N, mm, &T);
} }
} }

40
library/bignum_internal.h
View File

@ -28,4 +28,44 @@
int mbedtls_mpi_get_mont_r2_unsafe(mbedtls_mpi *X, int mbedtls_mpi_get_mont_r2_unsafe(mbedtls_mpi *X,
const mbedtls_mpi *N); const mbedtls_mpi *N);
/**
* \brief Calculate initialisation value for fast Montgomery modular
* multiplication.
*
* \param[out] mm The initialisation value for fast Montgomery modular
* multiplication.
* \param[in] N Little-endian presentation of the modulus. This must have
* at least one limb.
*/
void mbedtls_mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N);
/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
*
* \param[in,out] A One of the numbers to multiply.
* It must have at least as many limbs as N
* (A->n >= N->n), and any limbs beyond n are ignored.
* On successful completion, A contains the result of
* the multiplication A * B * R^-1 mod N where
* R = (2^ciL)^n.
* \param[in] B One of the numbers to multiply.
* It must be nonzero and must not have more limbs than N
* (B->n <= N->n).
* \param[in] N The modulo. N must be odd.
* \param mm The value calculated by
* `mbedtls_mpi_montg_init(&mm, N)`.
* This is -N^-1 mod 2^ciL.
* \param[in,out] T A bignum for temporary storage.
* It must be at least twice the limb size of N plus 2
* (T->n >= 2 * (N->n + 1)).
* Its initial content is unused and
* its final content is indeterminate.
* Note that unlike the usual convention in the library
* for `const mbedtls_mpi*`, the content of T can change.
*/
void mbedtls_mpi_montmul(mbedtls_mpi *A,
const mbedtls_mpi *B,
const mbedtls_mpi *N,
mbedtls_mpi_uint mm,
const mbedtls_mpi *T);
#endif /* MBEDTLS_BIGNUM_INTERNAL_H */ #endif /* MBEDTLS_BIGNUM_INTERNAL_H */