New constant-flow function mbedtls_mpi_core_uint_le_mpi

Compare a single-limb MPI with a multi-limb MPI. This is rather ad hoc, but will be useful for mbedtls_mpi_core_random. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-30 22:43:08 +03:00 · 2022-09-20 18:38:35 +02:00
parent c3902ac661
commit 6f949ea67b
4 changed files with 150 additions and 0 deletions
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@ -154,6 +154,27 @@ void mbedtls_mpi_core_bigendian_to_host( mbedtls_mpi_uint *A,
    }
 }

+/* Whether min <= A, in constant time.
+ * A_limbs must be at least 1. */
+unsigned mbedtls_mpi_core_uint_le_mpi( mbedtls_mpi_uint min,
+                                       const mbedtls_mpi_uint *A,
+                                       size_t A_limbs )
+{
+    /* min <= least significant limb? */
+    unsigned min_le_lsl = 1 ^ mbedtls_ct_mpi_uint_lt( A[0], min );
+
+    /* most significant limbs (excluding 1) are all zero? */
+    mbedtls_mpi_uint msll_mask = 0;
+    for( size_t i = 1; i < A_limbs; i++ )
+        msll_mask |= A[i];
+    /* The most significant limbs of A are not all zero iff msll_mask != 0. */
+    unsigned msll_nonzero = mbedtls_ct_mpi_uint_mask( msll_mask ) & 1;
+
+    /* min <= A iff the lowest limb of A is >= min or the other limbs
+     * are not all zero. */
+    return( min_le_lsl | msll_nonzero );
+}
+
 void mbedtls_mpi_core_cond_assign( mbedtls_mpi_uint *X,
                                   const mbedtls_mpi_uint *A,
                                   size_t limbs,