lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-30 10:45:34 +03:00
Code Activity
Files
20a8e63b2359abe20e467aec9238ba10bce9d19c
mbedtls/library/bignum_core.c
Gilles Peskine db2996357c Merge pull request #6289 from gabor-mezei-arm/6237_Add_conditional_assign_and_swap_for_bignum 
Bignum: Add safe conditional assign and swap for the new MPI types
2022-10-19 15:51:19 +02:00

469 lines
13 KiB
C
Raw Blame History

/*
* Core bignum functions
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "common.h"
#if defined(MBEDTLS_BIGNUM_C)
#include <string.h>
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "constant_time_internal.h"
#include "mbedtls/platform.h"
#include "bignum_core.h"
#include "bn_mul.h"
#include "constant_time_internal.h"
size_t mbedtls_mpi_core_clz( mbedtls_mpi_uint a )
{
size_t j;
mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
for( j = 0; j < biL; j++ )
{
if( a & mask ) break;
mask >>= 1;
}
return( j );
}
size_t mbedtls_mpi_core_bitlen( const mbedtls_mpi_uint *A, size_t A_limbs )
{
size_t i, j;
if( A_limbs == 0 )
return( 0 );
for( i = A_limbs - 1; i > 0; i-- )
if( A[i] != 0 )
break;
j = biL - mbedtls_mpi_core_clz( A[i] );
return( ( i * biL ) + j );
}
/* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
* into the storage form used by mbedtls_mpi. */
static mbedtls_mpi_uint mpi_bigendian_to_host_c( mbedtls_mpi_uint a )
{
uint8_t i;
unsigned char *a_ptr;
mbedtls_mpi_uint tmp = 0;
for( i = 0, a_ptr = (unsigned char *) &a; i < ciL; i++, a_ptr++ )
{
tmp <<= CHAR_BIT;
tmp |= (mbedtls_mpi_uint) *a_ptr;
}
return( tmp );
}
static mbedtls_mpi_uint mpi_bigendian_to_host( mbedtls_mpi_uint a )
{
#if defined(__BYTE_ORDER__)
/* Nothing to do on bigendian systems. */
#if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ )
return( a );
#endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */
#if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ )
/* For GCC and Clang, have builtins for byte swapping. */
#if defined(__GNUC__) && defined(__GNUC_PREREQ)
#if __GNUC_PREREQ(4,3)
#define have_bswap
#endif
#endif
#if defined(__clang__) && defined(__has_builtin)
#if __has_builtin(__builtin_bswap32) && \
__has_builtin(__builtin_bswap64)
#define have_bswap
#endif
#endif
#if defined(have_bswap)
/* The compiler is hopefully able to statically evaluate this! */
switch( sizeof(mbedtls_mpi_uint) )
{
case 4:
return( __builtin_bswap32(a) );
case 8:
return( __builtin_bswap64(a) );
}
#endif
#endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */
#endif /* __BYTE_ORDER__ */
/* Fall back to C-based reordering if we don't know the byte order
* or we couldn't use a compiler-specific builtin. */
return( mpi_bigendian_to_host_c( a ) );
}
void mbedtls_mpi_core_bigendian_to_host( mbedtls_mpi_uint *A,
size_t A_limbs )
{
mbedtls_mpi_uint *cur_limb_left;
mbedtls_mpi_uint *cur_limb_right;
if( A_limbs == 0 )
return;
/*
* Traverse limbs and
* - adapt byte-order in each limb
* - swap the limbs themselves.
* For that, simultaneously traverse the limbs from left to right
* and from right to left, as long as the left index is not bigger
* than the right index (it's not a problem if limbs is odd and the
* indices coincide in the last iteration).
*/
for( cur_limb_left = A, cur_limb_right = A + ( A_limbs - 1 );
cur_limb_left <= cur_limb_right;
cur_limb_left++, cur_limb_right-- )
{
mbedtls_mpi_uint tmp;
/* Note that if cur_limb_left == cur_limb_right,
* this code effectively swaps the bytes only once. */
tmp = mpi_bigendian_to_host( *cur_limb_left );
*cur_limb_left = mpi_bigendian_to_host( *cur_limb_right );
*cur_limb_right = tmp;
}
}
void mbedtls_mpi_core_cond_assign( mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
size_t limbs,
unsigned char assign )
{
if( X == A )
return;
mbedtls_ct_mpi_uint_cond_assign( limbs, X, A, assign );
}
void mbedtls_mpi_core_cond_swap( mbedtls_mpi_uint *X,
mbedtls_mpi_uint *Y,
size_t limbs,
unsigned char swap )
{
if( X == Y )
return;
/* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
mbedtls_mpi_uint limb_mask = mbedtls_ct_mpi_uint_mask( swap );
for( size_t i = 0; i < limbs; i++ )
{
mbedtls_mpi_uint tmp = X[i];
X[i] = ( X[i] & ~limb_mask ) | ( Y[i] & limb_mask );
Y[i] = ( Y[i] & ~limb_mask ) | ( tmp & limb_mask );
}
}
int mbedtls_mpi_core_read_le( mbedtls_mpi_uint *X,
size_t X_limbs,
const unsigned char *input,
size_t input_length )
{
const size_t limbs = CHARS_TO_LIMBS( input_length );
if( X_limbs < limbs )
return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
if( X != NULL )
{
memset( X, 0, X_limbs * ciL );
for( size_t i = 0; i < input_length; i++ )
{
size_t offset = ( ( i % ciL ) << 3 );
X[i / ciL] |= ( (mbedtls_mpi_uint) input[i] ) << offset;
}
}
return( 0 );
}
int mbedtls_mpi_core_read_be( mbedtls_mpi_uint *X,
size_t X_limbs,
const unsigned char *input,
size_t input_length )
{
const size_t limbs = CHARS_TO_LIMBS( input_length );
if( X_limbs < limbs )
return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
/* If X_limbs is 0, input_length must also be 0 (from previous test).
* Nothing to do. */
if( X_limbs == 0 )
return( 0 );
memset( X, 0, X_limbs * ciL );
/* memcpy() with (NULL, 0) is undefined behaviour */
if( input_length != 0 )
{
size_t overhead = ( X_limbs * ciL ) - input_length;
unsigned char *Xp = (unsigned char *) X;
memcpy( Xp + overhead, input, input_length );
}
mbedtls_mpi_core_bigendian_to_host( X, X_limbs );
return( 0 );
}
int mbedtls_mpi_core_write_le( const mbedtls_mpi_uint *A,
size_t A_limbs,
unsigned char *output,
size_t output_length )
{
size_t stored_bytes = A_limbs * ciL;
size_t bytes_to_copy;
if( stored_bytes < output_length )
{
bytes_to_copy = stored_bytes;
}
else
{
bytes_to_copy = output_length;
/* The output buffer is smaller than the allocated size of A.
* However A may fit if its leading bytes are zero. */
for( size_t i = bytes_to_copy; i < stored_bytes; i++ )
{
if( GET_BYTE( A, i ) != 0 )
return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
}
}
for( size_t i = 0; i < bytes_to_copy; i++ )
output[i] = GET_BYTE( A, i );
if( stored_bytes < output_length )
{
/* Write trailing 0 bytes */
memset( output + stored_bytes, 0, output_length - stored_bytes );
}
return( 0 );
}
int mbedtls_mpi_core_write_be( const mbedtls_mpi_uint *X,
size_t X_limbs,
unsigned char *output,
size_t output_length )
{
size_t stored_bytes;
size_t bytes_to_copy;
unsigned char *p;
stored_bytes = X_limbs * ciL;
if( stored_bytes < output_length )
{
/* There is enough space in the output buffer. Write initial
* null bytes and record the position at which to start
* writing the significant bytes. In this case, the execution
* trace of this function does not depend on the value of the
* number. */
bytes_to_copy = stored_bytes;
p = output + output_length - stored_bytes;
memset( output, 0, output_length - stored_bytes );
}
else
{
/* The output buffer is smaller than the allocated size of X.
* However X may fit if its leading bytes are zero. */
bytes_to_copy = output_length;
p = output;
for( size_t i = bytes_to_copy; i < stored_bytes; i++ )
{
if( GET_BYTE( X, i ) != 0 )
return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
}
}
for( size_t i = 0; i < bytes_to_copy; i++ )
p[bytes_to_copy - i - 1] = GET_BYTE( X, i );
return( 0 );
}
mbedtls_mpi_uint mbedtls_mpi_core_add_if( mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
size_t limbs,
unsigned cond )
{
mbedtls_mpi_uint c = 0;
/* all-bits 0 if cond is 0, all-bits 1 if cond is non-0 */
const mbedtls_mpi_uint mask = mbedtls_ct_mpi_uint_mask( cond );
for( size_t i = 0; i < limbs; i++ )
{
mbedtls_mpi_uint add = mask & A[i];
mbedtls_mpi_uint t = c + X[i];
c = ( t < X[i] );
t += add;
c += ( t < add );
X[i] = t;
}
return( c );
}
mbedtls_mpi_uint mbedtls_mpi_core_sub( mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
const mbedtls_mpi_uint *B,
size_t limbs )
{
mbedtls_mpi_uint c = 0;
for( size_t i = 0; i < limbs; i++ )
{
mbedtls_mpi_uint z = ( A[i] < c );
mbedtls_mpi_uint t = A[i] - c;
c = ( t < B[i] ) + z;
X[i] = t - B[i];
}
return( c );
}
mbedtls_mpi_uint mbedtls_mpi_core_mla( mbedtls_mpi_uint *d, size_t d_len,
const mbedtls_mpi_uint *s, size_t s_len,
mbedtls_mpi_uint b )
{
mbedtls_mpi_uint c = 0; /* carry */
/*
* It is a documented precondition of this function that d_len >= s_len.
* If that's not the case, we swap these round: this turns what would be
* a buffer overflow into an incorrect result.
*/
if( d_len < s_len )
s_len = d_len;
size_t excess_len = d_len - s_len;
size_t steps_x8 = s_len / 8;
size_t steps_x1 = s_len & 7;
while( steps_x8-- )
{
MULADDC_X8_INIT
MULADDC_X8_CORE
MULADDC_X8_STOP
}
while( steps_x1-- )
{
MULADDC_X1_INIT
MULADDC_X1_CORE
MULADDC_X1_STOP
}
while( excess_len-- )
{
*d += c;
c = ( *d < c );
d++;
}
return( c );
}
/*
* Fast Montgomery initialization (thanks to Tom St Denis).
*/
mbedtls_mpi_uint mbedtls_mpi_core_montmul_init( const mbedtls_mpi_uint *N )
{
mbedtls_mpi_uint x = N[0];
x += ( ( N[0] + 2 ) & 4 ) << 1;
for( unsigned int i = biL; i >= 8; i /= 2 )
x *= ( 2 - ( N[0] * x ) );
return( ~x + 1 );
}
void mbedtls_mpi_core_montmul( mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
const mbedtls_mpi_uint *B,
size_t B_limbs,
const mbedtls_mpi_uint *N,
size_t AN_limbs,
mbedtls_mpi_uint mm,
mbedtls_mpi_uint *T )
{
memset( T, 0, ( 2 * AN_limbs + 1 ) * ciL );
for( size_t i = 0; i < AN_limbs; i++ )
{
/* T = (T + u0*B + u1*N) / 2^biL */
mbedtls_mpi_uint u0 = A[i];
mbedtls_mpi_uint u1 = ( T[0] + u0 * B[0] ) * mm;
(void) mbedtls_mpi_core_mla( T, AN_limbs + 2, B, B_limbs, u0 );
(void) mbedtls_mpi_core_mla( T, AN_limbs + 2, N, AN_limbs, u1 );
T++;
}
/*
* The result we want is (T >= N) ? T - N : T.
*
* For better constant-time properties in this function, we always do the
* subtraction, with the result in X.
*
* We also look to see if there was any carry in the final additions in the
* loop above.
*/
mbedtls_mpi_uint carry = T[AN_limbs];
mbedtls_mpi_uint borrow = mbedtls_mpi_core_sub( X, T, N, AN_limbs );
/*
* Using R as the Montgomery radix (auxiliary modulus) i.e. 2^(biL*AN_limbs):
*
* T can be in one of 3 ranges:
*
* 1) T < N : (carry, borrow) = (0, 1): we want T
* 2) N <= T < R : (carry, borrow) = (0, 0): we want X
* 3) T >= R : (carry, borrow) = (1, 1): we want X
*
* and (carry, borrow) = (1, 0) can't happen.
*
* So the correct return value is already in X if (carry ^ borrow) = 0,
* but is in (the lower AN_limbs limbs of) T if (carry ^ borrow) = 1.
*/
mbedtls_ct_mpi_uint_cond_assign( AN_limbs, X, T, (unsigned char) ( carry ^ borrow ) );
}
#endif /* MBEDTLS_BIGNUM_C */
View Git Blame Copy Permalink