From e50f2f1a8e5d56d162cf7dd58b835c5ee96295a1 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 Oct 2022 15:14:33 +0100 Subject: [PATCH] Add mbedtls_mpi_core_ct_uint_table_lookup This will be needed for extracting modular exponentiation from the prototype. The function signature is kept aligned to the prototype, but the implementation is new. (The implementation of this function in the prototype has further optimisations which are out of scope for now.) The function is not reused in the bignum counterpart as it will become redundant soon. This function is meant to be static, but doesn't have the qualifier as it is not used yet and would cause compiler warnings. The MBEDTLS_STATIC_TESTABLE macro will be added in a later commit. Signed-off-by: Janos Follath
---
 library/bignum_core.c | 14 ++++++++++++++
 library/bignum_core.h | 19 +++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/library/bignum_core.c b/library/bignum_core.c
index b401fa36cb..c1da93d0a0 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -540,4 +540,18 @@ cleanup:
 return( ret );
 }
 
+void mbedtls_mpi_core_ct_uint_table_lookup( mbedtls_mpi_uint *dest,
+ const mbedtls_mpi_uint *table,
+ size_t limbs,
+ size_t count,
+ size_t index )
+{
+ for( size_t i = 0; i < count; i++ )
+ {
+ unsigned char assign = mbedtls_ct_size_bool_eq( i, index );
+ const mbedtls_mpi_uint *current = table + i * limbs;
+ mbedtls_mpi_core_cond_assign( dest, current, limbs, assign );
+ }
+}
+
 #endif /* MBEDTLS_BIGNUM_C */
diff --git a/library/bignum_core.h b/library/bignum_core.h
index 9a5b89fc6e..3618e42006 100644
--- a/library/bignum_core.h
+++ b/library/bignum_core.h
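Review bot: The loop in mbedtls_mpi_core_ct_uint_table_lookup (bignum_core.c hunk) has no comment saying why all `count` entries are visited, and that is the property a later clean-up is most likely to break. The lookup hides `index` only because every iteration reads its entry and hands a 0/1 flag to mbedtls_mpi_core_cond_assign (presumably constant-time, like mbedtls_ct_size_bool_eq; neither helper is visible here). An early `break` or a direct `table + index * limbs` read would make the memory access pattern depend on the secret. I would add above the `for`: `/* Touch every entry: the access pattern must not depend on the secret index. Do not exit early. */`. It is also worth recording there that `limbs` and `count` are treated as public, and that when `index >= count` no iteration assigns, so `dest` keeps its previous contents.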
@@ -452,4 +452,23 @@ void mbedtls_mpi_core_montmul( mbedtls_mpi_uint *X,
 int mbedtls_mpi_core_get_mont_r2_unsafe( mbedtls_mpi *X,
 const mbedtls_mpi *N );
 
+/**
+ * Select an MPI from a table without leaking the index.
+ *
+ * \param dest The destination buffer. This must point to a writable
+ * buffer of at least \p limbs limbs.
+ * \param table The address of the table. This must point to a readable
+ * array of \p count elements of
+ * \p limbs limbs each each.
+ * \param limbs The length of a table entry in limbs.
+ * \param count The number of elements in \p table.
+ * \param index The secret table index to look up. This must be in the
+ * range `0,..,count-1`.
+ */
+void mbedtls_mpi_core_ct_uint_table_lookup( mbedtls_mpi_uint *dest,
+ const mbedtls_mpi_uint *table,
+ size_t limbs,
+ size_t count,
+ size_t index );
+
 #endif /* MBEDTLS_BIGNUM_CORE_H */
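Review bot: The `\param index` text requires `0,..,count-1` but does not say what happens when that is violated. Going by the implementation added to bignum_core.c in this same patch, no entry matches and `dest` is left holding whatever it contained before, and the `void` return gives the caller no way to notice. For a lookup meant to feed modular exponentiation that silent fall-through deserves a line in the contract, e.g. ` * If \p index is out of range, \p dest is left unchanged.` The comment could also state that only \p index is secret while \p limbs and \p count are public, and whether \p dest may overlap \p table. Minor: "each each" is duplicated in the `\param table` text.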