/* * Multi-precision integer library * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ /* * The following sources were referenced in the design of this Multi-precision * Integer library: * * [1] Handbook of Applied Cryptography - 1997 * Menezes, van Oorschot and Vanstone * * [2] Multi-Precision Math * Tom St Denis * https://github.com/libtom/libtommath/blob/develop/tommath.pdf * * [3] GNU Multi-Precision Arithmetic Library * https://gmplib.org/manual/index.html * */ #include "common.h" #if defined(MBEDTLS_BIGNUM_C) #include "mbedtls/bignum.h" #include "bignum_core.h" #include "bignum_internal.h" #include "bn_mul.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" #include "constant_time_internal.h" #include <limits.h> #include <string.h> #include "mbedtls/platform.h" /* * Conditionally select an MPI sign in constant time. * (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid * values.) */ static inline signed short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond, signed short sign1, signed short sign2) { … } /* * Compare signed values in constant time */ int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned *ret) { … } /* * Conditionally assign X = Y, without leaking information * about whether the assignment was made or not. * (Leaking information about the respective sizes of X and Y is ok however.) */ #if defined(_MSC_VER) && defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \ (_MSC_FULL_VER < 193131103) /* * MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See: * https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989 */ __declspec(noinline) #endif int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign) { … } /* * Conditionally swap X and Y, without leaking information * about whether the swap was made or not. * Here it is not ok to simply swap the pointers, which would lead to * different memory access patterns when X and Y are used afterwards. */ int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap) { … } /* Implementation that should never be optimized out by the compiler */ #define mbedtls_mpi_zeroize_and_free(v, n) … /* * Initialize one MPI */ void mbedtls_mpi_init(mbedtls_mpi *X) { … } /* * Unallocate one MPI */ void mbedtls_mpi_free(mbedtls_mpi *X) { … } /* * Enlarge to the specified number of limbs */ int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs) { … } /* * Resize down as much as possible, * while keeping at least the specified number of limbs */ int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs) { … } /* Resize X to have exactly n limbs and set it to 0. */ static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs) { … } /* * Copy the contents of Y into X. * * This function is not constant-time. Leading zeros in Y may be removed. * * Ensure that X does not shrink. This is not guaranteed by the public API, * but some code in the bignum module might still rely on this property. */ int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y) { … } /* * Swap the contents of X and Y */ void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y) { … } static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z) { … } /* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative. * This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */ #define TO_SIGN(x) … /* * Set value from integer */ int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z) { … } /* * Get a specific bit */ int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos) { … } /* * Set a bit to a specific value of 0 or 1 */ int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val) { … } /* * Return the number of less significant zero-bits */ size_t mbedtls_mpi_lsb(const mbedtls_mpi *X) { … } /* * Return the number of bits */ size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X) { … } /* * Return the total size in bytes */ size_t mbedtls_mpi_size(const mbedtls_mpi *X) { … } /* * Convert an ASCII character to digit value */ static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c) { … } /* * Import from an ASCII string */ int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s) { … } /* * Helper to write the digits high-order first. */ static int mpi_write_hlp(mbedtls_mpi *X, int radix, char **p, const size_t buflen) { … } /* * Export into an ASCII string */ int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix, char *buf, size_t buflen, size_t *olen) { … } #if defined(MBEDTLS_FS_IO) /* * Read X from an opened file */ int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin) { … } /* * Write X into an opened file (or stdout if fout == NULL) */ int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout) { … } #endif /* MBEDTLS_FS_IO */ /* * Import X from unsigned binary data, little endian * * This function is guaranteed to return an MPI with exactly the necessary * number of limbs (in particular, it does not skip 0s in the input). */ int mbedtls_mpi_read_binary_le(mbedtls_mpi *X, const unsigned char *buf, size_t buflen) { … } /* * Import X from unsigned binary data, big endian * * This function is guaranteed to return an MPI with exactly the necessary * number of limbs (in particular, it does not skip 0s in the input). */ int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen) { … } /* * Export X into unsigned binary data, little endian */ int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X, unsigned char *buf, size_t buflen) { … } /* * Export X into unsigned binary data, big endian */ int mbedtls_mpi_write_binary(const mbedtls_mpi *X, unsigned char *buf, size_t buflen) { … } /* * Left-shift: X <<= count */ int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count) { … } /* * Right-shift: X >>= count */ int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count) { … } /* * Compare unsigned values */ int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y) { … } /* * Compare signed values */ int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y) { … } /* * Compare signed values */ int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z) { … } /* * Unsigned addition: X = |A| + |B| (HAC 14.7) */ int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) { … } /* * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10) */ int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) { … } /* Common function for signed addition and subtraction. * Calculate A + B * flip_B where flip_B is 1 or -1. */ static int add_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B, int flip_B) { … } /* * Signed addition: X = A + B */ int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) { … } /* * Signed subtraction: X = A - B */ int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) { … } /* * Signed addition: X = A + b */ int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b) { … } /* * Signed subtraction: X = A - b */ int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b) { … } /* * Baseline multiplication: X = A * B (HAC 14.12) */ int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B) { … } /* * Baseline multiplication: X = A * b */ int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b) { … } /* * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and * mbedtls_mpi_uint divisor, d */ static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1, mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r) { … } /* * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20) */ int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B) { … } /* * Division by int: A = Q * b + R */ int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mbedtls_mpi_sint b) { … } /* * Modulo: R = A mod B */ int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B) { … } /* * Modulo: r = A mod b */ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b) { … } /* * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value, * this function is not constant time with respect to the exponent (parameter E). */ static int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, int E_public, const mbedtls_mpi *N, mbedtls_mpi *prec_RR) { … } int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *prec_RR) { … } int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *prec_RR) { … } /* * Greatest common divisor: G = gcd(A, B) (HAC 14.54) */ int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B) { … } /* * Fill X with size bytes of random. * The bytes returned from the RNG are used in a specific order which * is suitable for deterministic ECDSA (see the specification of * mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()). */ int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { … } int mbedtls_mpi_random(mbedtls_mpi *X, mbedtls_mpi_sint min, const mbedtls_mpi *N, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { … } /* * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64) */ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N) { … } #if defined(MBEDTLS_GENPRIME) /* Gaps between primes, starting at 3. https://oeis.org/A001223 */ static const unsigned char small_prime_gaps[] = …; /* * Small divisors test (X must be positive) * * Return values: * 0: no small factor (possible prime, more tests needed) * 1: certain prime * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime * other negative: error */ static int mpi_check_small_factors(const mbedtls_mpi *X) { … } /* * Miller-Rabin pseudo-primality test (HAC 4.24) */ static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { … } /* * Pseudo-primality test: small factors, then Miller-Rabin */ int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { … } /* * Prime number generation * * To generate an RSA key in a way recommended by FIPS 186-4, both primes must * be either 1024 bits or 1536 bits long, and flags must contain * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR. */ int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { … } #endif /* MBEDTLS_GENPRIME */ #if defined(MBEDTLS_SELF_TEST) #define GCD_PAIR_COUNT … static const int gcd_pairs[GCD_PAIR_COUNT][3] = …; /* * Checkup routine */ int mbedtls_mpi_self_test(int verbose) { … } #endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_BIGNUM_C */
Codebase Browser
godot