/* * Core bignum functions * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ #include "common.h" #if defined(MBEDTLS_BIGNUM_C) #include <string.h> #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "constant_time_internal.h" #include "mbedtls/platform.h" #include "bignum_core.h" #include "bn_mul.h" #include "constant_time_internal.h" size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a) { … } size_t mbedtls_mpi_core_bitlen(const mbedtls_mpi_uint *A, size_t A_limbs) { … } static mbedtls_mpi_uint mpi_bigendian_to_host(mbedtls_mpi_uint a) { … } void mbedtls_mpi_core_bigendian_to_host(mbedtls_mpi_uint *A, size_t A_limbs) { … } /* Whether min <= A, in constant time. * A_limbs must be at least 1. */ mbedtls_ct_condition_t mbedtls_mpi_core_uint_le_mpi(mbedtls_mpi_uint min, const mbedtls_mpi_uint *A, size_t A_limbs) { … } mbedtls_ct_condition_t mbedtls_mpi_core_lt_ct(const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *B, size_t limbs) { … } void mbedtls_mpi_core_cond_assign(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, size_t limbs, mbedtls_ct_condition_t assign) { … } void mbedtls_mpi_core_cond_swap(mbedtls_mpi_uint *X, mbedtls_mpi_uint *Y, size_t limbs, mbedtls_ct_condition_t swap) { … } int mbedtls_mpi_core_read_le(mbedtls_mpi_uint *X, size_t X_limbs, const unsigned char *input, size_t input_length) { … } int mbedtls_mpi_core_read_be(mbedtls_mpi_uint *X, size_t X_limbs, const unsigned char *input, size_t input_length) { … } int mbedtls_mpi_core_write_le(const mbedtls_mpi_uint *A, size_t A_limbs, unsigned char *output, size_t output_length) { … } int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *X, size_t X_limbs, unsigned char *output, size_t output_length) { … } void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs, size_t count) { … } void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs, size_t count) { … } mbedtls_mpi_uint mbedtls_mpi_core_add(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *B, size_t limbs) { … } mbedtls_mpi_uint mbedtls_mpi_core_add_if(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, size_t limbs, unsigned cond) { … } mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *B, size_t limbs) { … } mbedtls_mpi_uint mbedtls_mpi_core_mla(mbedtls_mpi_uint *d, size_t d_len, const mbedtls_mpi_uint *s, size_t s_len, mbedtls_mpi_uint b) { … } void mbedtls_mpi_core_mul(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, size_t A_limbs, const mbedtls_mpi_uint *B, size_t B_limbs) { … } /* * Fast Montgomery initialization (thanks to Tom St Denis). */ mbedtls_mpi_uint mbedtls_mpi_core_montmul_init(const mbedtls_mpi_uint *N) { … } void mbedtls_mpi_core_montmul(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *B, size_t B_limbs, const mbedtls_mpi_uint *N, size_t AN_limbs, mbedtls_mpi_uint mm, mbedtls_mpi_uint *T) { … } int mbedtls_mpi_core_get_mont_r2_unsafe(mbedtls_mpi *X, const mbedtls_mpi *N) { … } MBEDTLS_STATIC_TESTABLE void mbedtls_mpi_core_ct_uint_table_lookup(mbedtls_mpi_uint *dest, const mbedtls_mpi_uint *table, size_t limbs, size_t count, size_t index) { … } /* Fill X with n_bytes random bytes. * X must already have room for those bytes. * The ordering of the bytes returned from the RNG is suitable for * deterministic ECDSA (see RFC 6979 §3.3 and the specification of * mbedtls_mpi_core_random()). */ int mbedtls_mpi_core_fill_random( mbedtls_mpi_uint *X, size_t X_limbs, size_t n_bytes, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { … } int mbedtls_mpi_core_random(mbedtls_mpi_uint *X, mbedtls_mpi_uint min, const mbedtls_mpi_uint *N, size_t limbs, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { … } static size_t exp_mod_get_window_size(size_t Ebits) { … } size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs) { … } static void exp_mod_precompute_window(const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *N, size_t AN_limbs, mbedtls_mpi_uint mm, const mbedtls_mpi_uint *RR, size_t welem, mbedtls_mpi_uint *Wtable, mbedtls_mpi_uint *temp) { … } #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) // Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET int mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1; #endif /* * This function calculates the indices of the exponent where the exponentiation algorithm should * start processing. * * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value, * this function is not constant time with respect to the exponent (parameter E). */ static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint *E, size_t E_limbs, int E_public, size_t *E_limb_index, size_t *E_bit_index) { … } /* * Warning! If the parameter window_public has MBEDTLS_MPI_IS_PUBLIC as its value, this function is * not constant time with respect to the window parameter and consequently the exponent of the * exponentiation (parameter E of mbedtls_mpi_core_exp_mod_optionally_safe). */ static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselect, mbedtls_mpi_uint *Wtable, size_t AN_limbs, size_t welem, mbedtls_mpi_uint window, int window_public) { … } /* Exponentiation: X := A^E mod N. * * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value, * this function is not constant time with respect to the exponent (parameter E). * * A must already be in Montgomery form. * * As in other bignum functions, assume that AN_limbs and E_limbs are nonzero. * * RR must contain 2^{2*biL} mod N. * * The algorithm is a variant of Left-to-right k-ary exponentiation: HAC 14.82 * (The difference is that the body in our loop processes a single bit instead * of a full window.) */ static void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *N, size_t AN_limbs, const mbedtls_mpi_uint *E, size_t E_limbs, int E_public, const mbedtls_mpi_uint *RR, mbedtls_mpi_uint *T) { … } void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *N, size_t AN_limbs, const mbedtls_mpi_uint *E, size_t E_limbs, const mbedtls_mpi_uint *RR, mbedtls_mpi_uint *T) { … } void mbedtls_mpi_core_exp_mod_unsafe(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *N, size_t AN_limbs, const mbedtls_mpi_uint *E, size_t E_limbs, const mbedtls_mpi_uint *RR, mbedtls_mpi_uint *T) { … } mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, mbedtls_mpi_uint c, /* doubles as carry */ size_t limbs) { … } mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, size_t limbs) { … } void mbedtls_mpi_core_to_mont_rep(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *N, size_t AN_limbs, mbedtls_mpi_uint mm, const mbedtls_mpi_uint *rr, mbedtls_mpi_uint *T) { … } void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *N, size_t AN_limbs, mbedtls_mpi_uint mm, mbedtls_mpi_uint *T) { … } #endif /* MBEDTLS_BIGNUM_C */
Codebase Browser
godot