12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606 |
- /* tfm.c
- *
- * Copyright (C) 2006-2020 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- /*
- * Based on public domain TomsFastMath 0.10 by Tom St Denis, tomstdenis@iahu.ca,
- * http://math.libtomcrypt.com
- */
- /**
- * Edited by Moises Guimaraes (moises@wolfssl.com)
- * to fit wolfSSL's needs.
- */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- /* in case user set USE_FAST_MATH there */
- #include <wolfssl/wolfcrypt/settings.h>
- #ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
- #else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
- #endif
- #ifdef USE_FAST_MATH
- #include <wolfssl/wolfcrypt/random.h>
- #include <wolfssl/wolfcrypt/tfm.h>
- #include <wolfcrypt/src/asm.c> /* will define asm MACROS or C ones */
- #include <wolfssl/wolfcrypt/wolfmath.h> /* common functions */
- #if defined(FREESCALE_LTC_TFM)
- #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
- #endif
- #ifdef WOLFSSL_DEBUG_MATH
- #include <stdio.h>
- #endif
- #ifdef USE_WINDOWS_API
- #pragma warning(disable:4127)
- /* Disables the warning:
- * 4127: conditional expression is constant
- * in this file.
- */
- #endif
- #if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
- #ifdef __cplusplus
- extern "C" {
- #endif
- WOLFSSL_LOCAL int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod,
- mp_int* res);
- WOLFSSL_LOCAL int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod,
- mp_int* res);
- WOLFSSL_LOCAL int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod,
- mp_int* res);
- WOLFSSL_LOCAL int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod,
- mp_int* res);
- WOLFSSL_LOCAL int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod,
- mp_int* res);
- #ifdef __cplusplus
- } /* extern "C" */
- #endif
- #endif
- #ifndef WOLFSSL_SP_MATH
- /* math settings check */
- word32 CheckRunTimeSettings(void)
- {
- return CTC_SETTINGS;
- }
- #endif
- /* math settings size check */
- word32 CheckRunTimeFastMath(void)
- {
- return FP_SIZE;
- }
- /* Functions */
- static int fp_cmp_mag_ct(fp_int *a, fp_int *b, int len)
- {
- int i;
- fp_digit r = FP_EQ;
- fp_digit mask = (fp_digit)-1;
- for (i = len - 1; i >= 0; i--) {
- /* 0 is placed into unused digits. */
- fp_digit ad = a->dp[i];
- fp_digit bd = b->dp[i];
- r |= mask & (ad > bd);
- mask &= (ad > bd) - 1;
- r |= mask & (-(ad < bd));
- mask &= (ad < bd) - 1;
- }
- return (int)r;
- }
- int fp_add(fp_int *a, fp_int *b, fp_int *c)
- {
- int sa, sb;
- int ret = FP_OKAY;
- /* get sign of both inputs */
- sa = a->sign;
- sb = b->sign;
- /* handle two cases, not four */
- if (sa == sb) {
- /* both positive or both negative */
- /* add their magnitudes, copy the sign */
- c->sign = sa;
- ret = s_fp_add (a, b, c);
- } else {
- /* one positive, the other negative */
- /* subtract the one with the greater magnitude from */
- /* the one of the lesser magnitude. The result gets */
- /* the sign of the one with the greater magnitude. */
- if (fp_cmp_mag (a, b) == FP_LT) {
- c->sign = sb;
- s_fp_sub (b, a, c);
- } else {
- c->sign = sa;
- s_fp_sub (a, b, c);
- }
- }
- return ret;
- }
- /* unsigned addition */
- int s_fp_add(fp_int *a, fp_int *b, fp_int *c)
- {
- int x, y, oldused;
- fp_word t;
- y = MAX(a->used, b->used);
- oldused = MIN(c->used, FP_SIZE); /* help static analysis w/ largest size */
- c->used = y;
- t = 0;
- for (x = 0; x < y; x++) {
- t += ((fp_word)a->dp[x]) + ((fp_word)b->dp[x]);
- c->dp[x] = (fp_digit)t;
- t >>= DIGIT_BIT;
- }
- if (t != 0 && x < FP_SIZE) {
- c->dp[c->used++] = (fp_digit)t;
- ++x;
- }
- if (x == FP_SIZE) {
- return FP_VAL;
- }
- c->used = x;
- /* zero any excess digits on the destination that we didn't write to */
- for (; x < oldused; x++) {
- c->dp[x] = 0;
- }
- fp_clamp(c);
- return FP_OKAY;
- }
- /* c = a - b */
- int fp_sub(fp_int *a, fp_int *b, fp_int *c)
- {
- int sa, sb;
- int ret = FP_OKAY;
- sa = a->sign;
- sb = b->sign;
- if (sa != sb) {
- /* subtract a negative from a positive, OR */
- /* subtract a positive from a negative. */
- /* In either case, ADD their magnitudes, */
- /* and use the sign of the first number. */
- c->sign = sa;
- ret = s_fp_add (a, b, c);
- } else {
- /* subtract a positive from a positive, OR */
- /* subtract a negative from a negative. */
- /* First, take the difference between their */
- /* magnitudes, then... */
- if (fp_cmp_mag (a, b) != FP_LT) {
- /* Copy the sign from the first */
- c->sign = sa;
- /* The first has a larger or equal magnitude */
- s_fp_sub (a, b, c);
- } else {
- /* The result has the *opposite* sign from */
- /* the first number. */
- c->sign = (sa == FP_ZPOS) ? FP_NEG : FP_ZPOS;
- /* The second has a larger magnitude */
- s_fp_sub (b, a, c);
- }
- }
- return ret;
- }
- /* unsigned subtraction ||a|| >= ||b|| ALWAYS! */
- void s_fp_sub(fp_int *a, fp_int *b, fp_int *c)
- {
- int x, oldbused, oldused;
- fp_word t;
- oldused = c->used;
- oldbused = b->used;
- c->used = a->used;
- t = 0;
- for (x = 0; x < oldbused; x++) {
- t = ((fp_word)a->dp[x]) - (((fp_word)b->dp[x]) + t);
- c->dp[x] = (fp_digit)t;
- t = (t >> DIGIT_BIT)&1;
- }
- for (; x < a->used; x++) {
- t = ((fp_word)a->dp[x]) - t;
- c->dp[x] = (fp_digit)t;
- t = (t >> DIGIT_BIT)&1;
- }
- /* zero any excess digits on the destination that we didn't write to */
- for (; x < oldused; x++) {
- c->dp[x] = 0;
- }
- fp_clamp(c);
- }
- /* c = a * b */
- int fp_mul(fp_int *A, fp_int *B, fp_int *C)
- {
- int ret = 0;
- int y, yy, oldused;
- #if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
- !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
- ret = esp_mp_mul(A, B, C);
- if(ret != -2) return ret;
- #endif
- oldused = C->used;
- y = MAX(A->used, B->used);
- yy = MIN(A->used, B->used);
- /* fail if we are out of range */
- if (y + yy > FP_SIZE) {
- ret = FP_VAL;
- goto clean;
- }
- /* pick a comba (unrolled 4/8/16/32 x or rolled) based on the size
- of the largest input. We also want to avoid doing excess mults if the
- inputs are not close to the next power of two. That is, for example,
- if say y=17 then we would do (32-17)^2 = 225 unneeded multiplications
- */
- #if defined(TFM_MUL3) && FP_SIZE >= 6
- if (y <= 3) {
- ret = fp_mul_comba3(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL4) && FP_SIZE >= 8
- if (y == 4) {
- ret = fp_mul_comba4(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL6) && FP_SIZE >= 12
- if (y <= 6) {
- ret = fp_mul_comba6(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL7) && FP_SIZE >= 14
- if (y == 7) {
- ret = fp_mul_comba7(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL8) && FP_SIZE >= 16
- if (y == 8) {
- ret = fp_mul_comba8(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL9) && FP_SIZE >= 18
- if (y == 9) {
- ret = fp_mul_comba9(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL12) && FP_SIZE >= 24
- if (y <= 12) {
- ret = fp_mul_comba12(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL17) && FP_SIZE >= 34
- if (y <= 17) {
- ret = fp_mul_comba17(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_SMALL_SET) && FP_SIZE >= 32
- if (y <= 16) {
- ret = fp_mul_comba_small(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL20) && FP_SIZE >= 40
- if (y <= 20) {
- ret = fp_mul_comba20(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL24) && FP_SIZE >= 48
- if (yy >= 16 && y <= 24) {
- ret = fp_mul_comba24(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL28) && FP_SIZE >= 56
- if (yy >= 20 && y <= 28) {
- ret = fp_mul_comba28(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL32) && FP_SIZE >= 64
- if (yy >= 24 && y <= 32) {
- ret = fp_mul_comba32(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL48) && FP_SIZE >= 96
- if (yy >= 40 && y <= 48) {
- ret = fp_mul_comba48(A,B,C);
- goto clean;
- }
- #endif
- #if defined(TFM_MUL64) && FP_SIZE >= 128
- if (yy >= 56 && y <= 64) {
- ret = fp_mul_comba64(A,B,C);
- goto clean;
- }
- #endif
- ret = fp_mul_comba(A,B,C);
- clean:
- /* zero any excess digits on the destination that we didn't write to */
- for (y = C->used; y >= 0 && y < oldused; y++) {
- C->dp[y] = 0;
- }
- return ret;
- }
- int fp_mul_2(fp_int * a, fp_int * b)
- {
- int x, oldused;
- /* Make sure value to double and result are in range. */
- if ((a->used > (FP_SIZE-1)) || ((a->used == (FP_SIZE - 1)) &&
- ((a->dp[FP_SIZE - 1] & ((fp_digit)1 << (DIGIT_BIT - 1))) != 0))) {
- return FP_VAL;
- }
- oldused = b->used;
- b->used = a->used;
- {
- fp_digit r, rr, *tmpa, *tmpb;
- /* alias for source */
- tmpa = a->dp;
- /* alias for dest */
- tmpb = b->dp;
- /* carry */
- r = 0;
- for (x = 0; x < a->used; x++) {
- /* get what will be the *next* carry bit from the
- * MSB of the current digit
- */
- rr = *tmpa >> ((fp_digit)(DIGIT_BIT - 1));
- /* now shift up this digit, add in the carry [from the previous] */
- *tmpb++ = ((*tmpa++ << ((fp_digit)1)) | r);
- /* copy the carry that would be from the source
- * digit into the next iteration
- */
- r = rr;
- }
- /* new leading digit? */
- if (r != 0) {
- /* add a MSB which is always 1 at this point */
- *tmpb = 1;
- ++(b->used);
- }
- /* zero any excess digits on the destination that we didn't write to */
- tmpb = b->dp + b->used;
- for (x = b->used; x < oldused; x++) {
- *tmpb++ = 0;
- }
- }
- b->sign = a->sign;
- return FP_OKAY;
- }
- /* c = a * b */
- int fp_mul_d(fp_int *a, fp_digit b, fp_int *c)
- {
- fp_word w;
- int x, oldused;
- oldused = c->used;
- c->used = a->used;
- c->sign = a->sign;
- w = 0;
- for (x = 0; x < a->used; x++) {
- w = ((fp_word)a->dp[x]) * ((fp_word)b) + w;
- c->dp[x] = (fp_digit)w;
- w = w >> DIGIT_BIT;
- }
- if (w != 0 && (a->used != FP_SIZE)) {
- c->dp[c->used++] = (fp_digit) w;
- ++x;
- }
- /* zero any excess digits on the destination that we didn't write to */
- /* also checking FP_SIZE here for static analysis */
- for (; x < oldused && x < FP_SIZE; x++) {
- c->dp[x] = 0;
- }
- if (x == FP_SIZE)
- return FP_VAL;
- fp_clamp(c);
- return FP_OKAY;
- }
- /* c = a * 2**d */
- int fp_mul_2d(fp_int *a, int b, fp_int *c)
- {
- fp_digit carry, carrytmp, shift;
- int x;
- /* copy it */
- fp_copy(a, c);
- /* handle whole digits */
- if (b >= DIGIT_BIT) {
- int ret = fp_lshd(c, b/DIGIT_BIT);
- if (ret != FP_OKAY)
- return ret;
- }
- b %= DIGIT_BIT;
- /* shift the digits */
- if (b != 0) {
- carry = 0;
- shift = DIGIT_BIT - b;
- for (x = 0; x < c->used; x++) {
- carrytmp = c->dp[x] >> shift;
- c->dp[x] = (c->dp[x] << b) + carry;
- carry = carrytmp;
- }
- /* store last carry if room */
- if (carry && x < FP_SIZE) {
- c->dp[c->used++] = carry;
- }
- if (x == FP_SIZE)
- return FP_VAL;
- }
- fp_clamp(c);
- return FP_OKAY;
- }
- /* generic PxQ multiplier */
- #if defined(HAVE_INTEL_MULX)
- WC_INLINE static int fp_mul_comba_mulx(fp_int *A, fp_int *B, fp_int *C)
- {
- int ix, iy, iz, pa;
- fp_int *dst;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int tmp[1];
- #else
- fp_int *tmp;
- #endif
-
- /* Variables used but not seen by cppcheck. */
- (void)ix; (void)iy; (void)iz;
- #ifdef WOLFSSL_SMALL_STACK
- tmp = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (tmp == NULL)
- return FP_MEM;
- #endif
- /* get size of output and trim */
- pa = A->used + B->used;
- if (pa >= FP_SIZE) {
- pa = FP_SIZE-1;
- }
- /* Always take branch to use tmp variable. This avoids a cache attack for
- * determining if C equals A */
- if (1) {
- fp_init(tmp);
- dst = tmp;
- }
- TFM_INTEL_MUL_COMBA(A, B, dst) ;
- dst->used = pa;
- dst->sign = A->sign ^ B->sign;
- fp_clamp(dst);
- fp_copy(dst, C);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- #endif
- int fp_mul_comba(fp_int *A, fp_int *B, fp_int *C)
- {
- int ret = 0;
- int ix, iy, iz, tx, ty, pa;
- fp_digit c0, c1, c2, *tmpx, *tmpy;
- fp_int *dst;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int tmp[1];
- #else
- fp_int *tmp;
- #endif
- if (A->used + B->used >= FP_SIZE) return FP_VAL;
- IF_HAVE_INTEL_MULX(ret = fp_mul_comba_mulx(A, B, C), return ret) ;
- #ifdef WOLFSSL_SMALL_STACK
- tmp = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (tmp == NULL)
- return FP_MEM;
- #endif
- COMBA_START;
- COMBA_CLEAR;
- /* get size of output and trim */
- pa = A->used + B->used;
- if (pa >= FP_SIZE) {
- pa = FP_SIZE-1;
- }
- /* Always take branch to use tmp variable. This avoids a cache attack for
- * determining if C equals A */
- if (1) {
- fp_init(tmp);
- dst = tmp;
- }
- for (ix = 0; ix < pa; ix++) {
- /* get offsets into the two bignums */
- ty = MIN(ix, (B->used > 0 ? B->used - 1 : 0));
- tx = ix - ty;
- /* setup temp aliases */
- tmpx = A->dp + tx;
- tmpy = B->dp + ty;
- /* this is the number of times the loop will iterate, essentially its
- while (tx++ < a->used && ty-- >= 0) { ... }
- */
- iy = MIN(A->used-tx, ty+1);
- /* execute loop */
- COMBA_FORWARD;
- for (iz = 0; iz < iy; ++iz) {
- fp_digit _tmpx = *tmpx++;
- fp_digit _tmpy = *tmpy--;
- MULADD(_tmpx, _tmpy);
- }
- /* store term */
- COMBA_STORE(dst->dp[ix]);
- }
- COMBA_FINI;
- dst->used = pa;
- dst->sign = A->sign ^ B->sign;
- fp_clamp(dst);
- fp_copy(dst, C);
-
- /* Variables used but not seen by cppcheck. */
- (void)c0; (void)c1; (void)c2;
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- /* a/b => cb + d == a */
- int fp_div(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
- {
- int n, t, i, norm, neg;
- int ret;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int q[1], x[1], y[1], t1[1], t2[1];
- #else
- fp_int *q, *x, *y, *t1, *t2;
- #endif
- /* is divisor zero ? */
- if (fp_iszero (b) == FP_YES) {
- return FP_VAL;
- }
- /* if a < b then q=0, r = a */
- if (fp_cmp_mag (a, b) == FP_LT)
- {
- if (d != NULL) {
- fp_copy (a, d);
- }
- if (c != NULL) {
- fp_zero (c);
- }
- return FP_OKAY;
- }
- #ifdef WOLFSSL_SMALL_STACK
- q = (fp_int*)XMALLOC(sizeof(fp_int) * 5, NULL, DYNAMIC_TYPE_BIGINT);
- if (q == NULL) {
- return FP_MEM;
- }
- x = &q[1]; y = &q[2]; t1 = &q[3]; t2 = &q[4];
- #endif
- fp_init(q);
- q->used = a->used + 2;
- fp_init(t1);
- fp_init(t2);
- fp_init_copy(x, a);
- fp_init_copy(y, b);
- /* fix the sign */
- neg = (a->sign == b->sign) ? FP_ZPOS : FP_NEG;
- x->sign = y->sign = FP_ZPOS;
- /* normalize both x and y, ensure that y >= b/2, [b == 2**DIGIT_BIT] */
- norm = fp_count_bits(y) % DIGIT_BIT;
- if (norm < (int)(DIGIT_BIT-1)) {
- norm = (DIGIT_BIT-1) - norm;
- ret = fp_mul_2d (x, norm, x);
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- ret = fp_mul_2d (y, norm, y);
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- } else {
- norm = 0;
- }
- /* note hac does 0 based, so if used==5 then its 0,1,2,3,4, e.g. use 4 */
- n = x->used - 1;
- t = y->used - 1;
- /* while (x >= y*b**n-t) do { q[n-t] += 1; x -= y*b**{n-t} } */
- ret = fp_lshd (y, n - t); /* y = y*b**{n-t} */
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- while (fp_cmp (x, y) != FP_LT) {
- ++(q->dp[n - t]);
- ret = fp_sub (x, y, x);
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- }
- /* reset y by shifting it back down */
- fp_rshd (y, n - t);
- /* step 3. for i from n down to (t + 1) */
- for (i = n; i >= (t + 1); i--) {
- if (i > x->used) {
- continue;
- }
- /* step 3.1 if xi == yt then set q{i-t-1} to b-1,
- * otherwise set q{i-t-1} to (xi*b + x{i-1})/yt */
- if (x->dp[i] == y->dp[t]) {
- q->dp[i - t - 1] = (fp_digit) ((((fp_word)1) << DIGIT_BIT) - 1);
- } else {
- fp_word tmp;
- tmp = ((fp_word) x->dp[i]) << ((fp_word) DIGIT_BIT);
- tmp |= ((fp_word) x->dp[i - 1]);
- tmp /= ((fp_word)y->dp[t]);
- q->dp[i - t - 1] = (fp_digit) (tmp);
- }
- /* while (q{i-t-1} * (yt * b + y{t-1})) >
- xi * b**2 + xi-1 * b + xi-2
- do q{i-t-1} -= 1;
- */
- q->dp[i - t - 1] = (q->dp[i - t - 1] + 1);
- do {
- q->dp[i - t - 1] = (q->dp[i - t - 1] - 1);
- /* find left hand */
- fp_zero (t1);
- t1->dp[0] = (t - 1 < 0) ? 0 : y->dp[t - 1];
- t1->dp[1] = y->dp[t];
- t1->used = 2;
- ret = fp_mul_d (t1, q->dp[i - t - 1], t1);
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- /* find right hand */
- t2->dp[0] = (i - 2 < 0) ? 0 : x->dp[i - 2];
- t2->dp[1] = (i - 1 < 0) ? 0 : x->dp[i - 1];
- t2->dp[2] = x->dp[i];
- t2->used = 3;
- } while (fp_cmp_mag(t1, t2) == FP_GT);
- /* step 3.3 x = x - q{i-t-1} * y * b**{i-t-1} */
- ret = fp_mul_d (y, q->dp[i - t - 1], t1);
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- ret = fp_lshd (t1, i - t - 1);
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- ret = fp_sub (x, t1, x);
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- /* if x < 0 then { x = x + y*b**{i-t-1}; q{i-t-1} -= 1; } */
- if (x->sign == FP_NEG) {
- fp_copy (y, t1);
- ret = fp_lshd (t1, i - t - 1);
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- ret = fp_add (x, t1, x);
- if (ret != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return ret;
- }
- q->dp[i - t - 1] = q->dp[i - t - 1] - 1;
- }
- }
- /* now q is the quotient and x is the remainder
- * [which we have to normalize]
- */
- /* get sign before writing to c */
- x->sign = x->used == 0 ? FP_ZPOS : a->sign;
- if (c != NULL) {
- fp_clamp (q);
- fp_copy (q, c);
- c->sign = neg;
- }
- if (d != NULL) {
- fp_div_2d (x, norm, x, NULL);
- /* zero any excess digits on the destination that we didn't write to */
- for (i = b->used; i < x->used; i++) {
- x->dp[i] = 0;
- }
- fp_clamp(x);
- fp_copy (x, d);
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- /* b = a/2 */
- void fp_div_2(fp_int * a, fp_int * b)
- {
- int x, oldused;
- oldused = b->used;
- b->used = a->used;
- {
- fp_digit r, rr, *tmpa, *tmpb;
- /* source alias */
- tmpa = a->dp + b->used - 1;
- /* dest alias */
- tmpb = b->dp + b->used - 1;
- /* carry */
- r = 0;
- for (x = b->used - 1; x >= 0; x--) {
- /* get the carry for the next iteration */
- rr = *tmpa & 1;
- /* shift the current digit, add in carry and store */
- *tmpb-- = (*tmpa-- >> 1) | (r << (DIGIT_BIT - 1));
- /* forward carry to next iteration */
- r = rr;
- }
- /* zero any excess digits on the destination that we didn't write to */
- tmpb = b->dp + b->used;
- for (x = b->used; x < oldused; x++) {
- *tmpb++ = 0;
- }
- }
- b->sign = a->sign;
- fp_clamp (b);
- }
- /* c = a / 2 (mod b) - constant time (a < b and positive) */
- int fp_div_2_mod_ct(fp_int *a, fp_int *b, fp_int *c)
- {
- fp_word w = 0;
- fp_digit mask;
- int i;
- mask = 0 - (a->dp[0] & 1);
- for (i = 0; i < b->used; i++) {
- fp_digit mask_a = 0 - (i < a->used);
- w += b->dp[i] & mask;
- w += a->dp[i] & mask_a;
- c->dp[i] = (fp_digit)w;
- w >>= DIGIT_BIT;
- }
- c->dp[i] = (fp_digit)w;
- c->used = i + 1;
- c->sign = FP_ZPOS;
- fp_clamp(c);
- fp_div_2(c, c);
- return FP_OKAY;
- }
- /* c = a / 2**b */
- void fp_div_2d(fp_int *a, int b, fp_int *c, fp_int *d)
- {
- int D;
- /* if the shift count is <= 0 then we do no work */
- if (b <= 0) {
- fp_copy (a, c);
- if (d != NULL) {
- fp_zero (d);
- }
- return;
- }
- /* get the remainder before a is changed in calculating c */
- if (a == c && d != NULL) {
- fp_mod_2d (a, b, d);
- }
- /* copy */
- fp_copy(a, c);
- /* shift by as many digits in the bit count */
- if (b >= (int)DIGIT_BIT) {
- fp_rshd (c, b / DIGIT_BIT);
- }
- /* shift any bit count < DIGIT_BIT */
- D = (b % DIGIT_BIT);
- if (D != 0) {
- fp_rshb(c, D);
- }
- /* get the remainder if a is not changed in calculating c */
- if (a != c && d != NULL) {
- fp_mod_2d (a, b, d);
- }
- fp_clamp (c);
- }
- /* c = a mod b, 0 <= c < b */
- int fp_mod(fp_int *a, fp_int *b, fp_int *c)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- int err;
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- fp_init(t);
- err = fp_div(a, b, NULL, t);
- if (err == FP_OKAY) {
- if (t->sign != b->sign) {
- err = fp_add(t, b, c);
- } else {
- fp_copy(t, c);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* c = a mod 2**d */
- void fp_mod_2d(fp_int *a, int b, fp_int *c)
- {
- int x;
- /* zero if count less than or equal to zero */
- if (b <= 0) {
- fp_zero(c);
- return;
- }
- /* get copy of input */
- fp_copy(a, c);
- /* if 2**d is larger than we just return */
- if (b >= (DIGIT_BIT * a->used)) {
- return;
- }
- /* zero digits above the last digit of the modulus */
- for (x = (b / DIGIT_BIT) + ((b % DIGIT_BIT) == 0 ? 0 : 1); x < c->used; x++) {
- c->dp[x] = 0;
- }
- /* clear the digit that is not completely outside/inside the modulus */
- c->dp[b / DIGIT_BIT] &= ~((fp_digit)0) >> (DIGIT_BIT - b);
- fp_clamp (c);
- }
- static int fp_invmod_slow (fp_int * a, fp_int * b, fp_int * c)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int x[1], y[1], u[1], v[1], A[1], B[1], C[1], D[1];
- #else
- fp_int *x, *y, *u, *v, *A, *B, *C, *D;
- #endif
- int err;
- /* b cannot be negative */
- if (b->sign == FP_NEG || fp_iszero(b) == FP_YES) {
- return FP_VAL;
- }
- if (fp_iszero(a) == FP_YES) {
- return FP_VAL;
- }
- #ifdef WOLFSSL_SMALL_STACK
- x = (fp_int*)XMALLOC(sizeof(fp_int) * 8, NULL, DYNAMIC_TYPE_BIGINT);
- if (x == NULL) {
- return FP_MEM;
- }
- y = &x[1]; u = &x[2]; v = &x[3]; A = &x[4]; B = &x[5]; C = &x[6]; D = &x[7];
- #endif
- /* init temps */
- fp_init(x); fp_init(y);
- fp_init(u); fp_init(v);
- fp_init(A); fp_init(B);
- fp_init(C); fp_init(D);
- /* x = a, y = b */
- if ((err = fp_mod(a, b, x)) != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- fp_copy(b, y);
- /* 2. [modified] if x,y are both even then return an error! */
- if (fp_iseven(x) == FP_YES && fp_iseven(y) == FP_YES) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_VAL;
- }
- /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
- fp_copy (x, u);
- fp_copy (y, v);
- fp_set (A, 1);
- fp_set (D, 1);
- top:
- /* 4. while u is even do */
- while (fp_iseven (u) == FP_YES) {
- /* 4.1 u = u/2 */
- fp_div_2 (u, u);
- /* 4.2 if A or B is odd then */
- if (fp_isodd (A) == FP_YES || fp_isodd (B) == FP_YES) {
- /* A = (A+y)/2, B = (B-x)/2 */
- err = fp_add (A, y, A);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- err = fp_sub (B, x, B);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- /* A = A/2, B = B/2 */
- fp_div_2 (A, A);
- fp_div_2 (B, B);
- }
- /* 5. while v is even do */
- while (fp_iseven (v) == FP_YES) {
- /* 5.1 v = v/2 */
- fp_div_2 (v, v);
- /* 5.2 if C or D is odd then */
- if (fp_isodd (C) == FP_YES || fp_isodd (D) == FP_YES) {
- /* C = (C+y)/2, D = (D-x)/2 */
- err = fp_add (C, y, C);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- err = fp_sub (D, x, D);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- /* C = C/2, D = D/2 */
- fp_div_2 (C, C);
- fp_div_2 (D, D);
- }
- /* 6. if u >= v then */
- if (fp_cmp (u, v) != FP_LT) {
- /* u = u - v, A = A - C, B = B - D */
- err = fp_sub (u, v, u);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_sub (A, C, A);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_sub (B, D, B);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- } else {
- /* v - v - u, C = C - A, D = D - B */
- err = fp_sub (v, u, v);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_sub (C, A, C);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_sub (D, B, D);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- /* if not zero goto step 4 */
- if (fp_iszero (u) == FP_NO)
- goto top;
- /* now a = C, b = D, gcd == g*v */
- /* if v != 1 then there is no inverse */
- if (fp_cmp_d (v, 1) != FP_EQ) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_VAL;
- }
- /* if its too low */
- while (fp_cmp_d(C, 0) == FP_LT) {
- err = fp_add(C, b, C);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- }
- /* too big */
- while (fp_cmp_mag(C, b) != FP_LT) {
- err = fp_sub(C, b, C);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- }
- /* C is now the inverse */
- fp_copy(C, c);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- /* c = 1/a (mod b) for odd b only */
- int fp_invmod(fp_int *a, fp_int *b, fp_int *c)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int x[1], y[1], u[1], v[1], B[1], D[1];
- #else
- fp_int *x, *y, *u, *v, *B, *D;
- #endif
- int neg;
- int err;
- if (b->sign == FP_NEG || fp_iszero(b) == FP_YES) {
- return FP_VAL;
- }
- /* [modified] sanity check on "a" */
- if (fp_iszero(a) == FP_YES) {
- return FP_VAL; /* can not divide by 0 here */
- }
- /* 2. [modified] b must be odd */
- if (fp_iseven(b) == FP_YES) {
- return fp_invmod_slow(a,b,c);
- }
- #ifdef WOLFSSL_SMALL_STACK
- x = (fp_int*)XMALLOC(sizeof(fp_int) * 6, NULL, DYNAMIC_TYPE_BIGINT);
- if (x == NULL) {
- return FP_MEM;
- }
- y = &x[1]; u = &x[2]; v = &x[3]; B = &x[4]; D = &x[5];
- #endif
- /* init all our temps */
- fp_init(x); fp_init(y);
- fp_init(u); fp_init(v);
- fp_init(B); fp_init(D);
- if (fp_cmp(a, b) != MP_LT) {
- err = mp_mod(a, b, y);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- a = y;
- }
- if (fp_iszero(a) == FP_YES) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_VAL;
- }
- /* x == modulus, y == value to invert */
- fp_copy(b, x);
- /* we need y = |a| */
- fp_abs(a, y);
- /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
- fp_copy(x, u);
- fp_copy(y, v);
- fp_set (D, 1);
- top:
- /* 4. while u is even do */
- while (fp_iseven (u) == FP_YES) {
- /* 4.1 u = u/2 */
- fp_div_2 (u, u);
- /* 4.2 if B is odd then */
- if (fp_isodd (B) == FP_YES) {
- err = fp_sub (B, x, B);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- /* B = B/2 */
- fp_div_2 (B, B);
- }
- /* 5. while v is even do */
- while (fp_iseven (v) == FP_YES) {
- /* 5.1 v = v/2 */
- fp_div_2 (v, v);
- /* 5.2 if D is odd then */
- if (fp_isodd (D) == FP_YES) {
- /* D = (D-x)/2 */
- err = fp_sub (D, x, D);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- /* D = D/2 */
- fp_div_2 (D, D);
- }
- /* 6. if u >= v then */
- if (fp_cmp (u, v) != FP_LT) {
- /* u = u - v, B = B - D */
- err = fp_sub (u, v, u);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_sub (B, D, B);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- } else {
- /* v - v - u, D = D - B */
- err = fp_sub (v, u, v);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_sub (D, B, D);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- /* if not zero goto step 4 */
- if (fp_iszero (u) == FP_NO) {
- goto top;
- }
- /* now a = C, b = D, gcd == g*v */
- /* if v != 1 then there is no inverse */
- if (fp_cmp_d (v, 1) != FP_EQ) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_VAL;
- }
- /* b is now the inverse */
- neg = a->sign;
- while (D->sign == FP_NEG) {
- fp_add (D, b, D);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- }
- /* too big */
- while (fp_cmp_mag(D, b) != FP_LT) {
- err = fp_sub(D, b, D);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- fp_copy (D, c);
- c->sign = neg;
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- #define CT_INV_MOD_PRE_CNT 8
- /* modulus (b) must be greater than 2 and a prime */
- int fp_invmod_mont_ct(fp_int *a, fp_int *b, fp_int *c, fp_digit mp)
- {
- int i, j;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1], e[1];
- fp_int pre[CT_INV_MOD_PRE_CNT];
- #else
- fp_int* t;
- fp_int* e;
- fp_int* pre;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int) * (2 + CT_INV_MOD_PRE_CNT), NULL,
- DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- e = t + 1;
- pre = t + 2;
- #endif
- fp_init(t);
- fp_init(e);
- fp_init(&pre[0]);
- fp_copy(a, &pre[0]);
- for (i = 1; i < CT_INV_MOD_PRE_CNT; i++) {
- fp_init(&pre[i]);
- fp_sqr(&pre[i-1], &pre[i]);
- fp_montgomery_reduce(&pre[i], b, mp);
- fp_mul(&pre[i], a, &pre[i]);
- fp_montgomery_reduce(&pre[i], b, mp);
- }
- fp_sub_d(b, 2, e);
- /* Highest bit is always set. */
- for (i = fp_count_bits(e)-2, j = 1; i >= 0; i--, j++) {
- if (!fp_is_bit_set(e, i) || j == CT_INV_MOD_PRE_CNT)
- break;
- }
- fp_copy(&pre[j-1], t);
- for (j = 0; i >= 0; i--) {
- int set = fp_is_bit_set(e, i);
- if ((j == CT_INV_MOD_PRE_CNT) || (!set && j > 0)) {
- fp_mul(t, &pre[j-1], t);
- fp_montgomery_reduce(t, b, mp);
- j = 0;
- }
- fp_sqr(t, t);
- fp_montgomery_reduce(t, b, mp);
- j += set;
- }
- if (j > 0) {
- fp_mul(t, &pre[j-1], c);
- fp_montgomery_reduce(c, b, mp);
- }
- else
- fp_copy(t, c);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- /* d = a * b (mod c) */
- int fp_mulmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
- {
- int err;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- fp_init(t);
- err = fp_mul(a, b, t);
- if (err == FP_OKAY) {
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- if (d->size < FP_SIZE) {
- err = fp_mod(t, c, t);
- fp_copy(t, d);
- } else
- #endif
- {
- err = fp_mod(t, c, d);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* d = a - b (mod c) */
- int fp_submod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
- {
- int err;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- fp_init(t);
- err = fp_sub(a, b, t);
- if (err == FP_OKAY) {
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- if (d->size < FP_SIZE) {
- err = fp_mod(t, c, t);
- fp_copy(t, d);
- } else
- #endif
- {
- err = fp_mod(t, c, d);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* d = a + b (mod c) */
- int fp_addmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
- {
- int err;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- fp_init(t);
- err = fp_add(a, b, t);
- if (err == FP_OKAY) {
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- if (d->size < FP_SIZE) {
- err = fp_mod(t, c, t);
- fp_copy(t, d);
- } else
- #endif
- {
- err = fp_mod(t, c, d);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* d = a - b (mod c) - constant time (a < c and b < c and positive) */
- int fp_submod_ct(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
- {
- fp_word w = 0;
- fp_digit mask;
- int i;
- mask = 0 - (fp_cmp_mag_ct(a, b, c->used + 1) == FP_LT);
- for (i = 0; i < c->used + 1; i++) {
- fp_digit mask_a = 0 - (i < a->used);
- w += c->dp[i] & mask;
- w += a->dp[i] & mask_a;
- d->dp[i] = (fp_digit)w;
- w >>= DIGIT_BIT;
- }
- d->dp[i] = (fp_digit)w;
- d->used = i + 1;
- d->sign = FP_ZPOS;
- fp_clamp(d);
- s_fp_sub(d, b, d);
- return FP_OKAY;
- }
- /* d = a + b (mod c) - constant time (|a| < c and |b| < c and positive) */
- int fp_addmod_ct(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
- {
- fp_word w = 0;
- fp_digit mask;
- int i;
- s_fp_add(a, b, d);
- mask = 0 - (fp_cmp_mag_ct(d, c, c->used + 1) != FP_LT);
- for (i = 0; i < c->used; i++) {
- w += c->dp[i] & mask;
- w = d->dp[i] - w;
- d->dp[i] = (fp_digit)w;
- w = (w >> DIGIT_BIT)&1;
- }
- d->dp[i] = 0;
- d->used = i;
- d->sign = a->sign;
- fp_clamp(d);
- return FP_OKAY;
- }
- #ifdef TFM_TIMING_RESISTANT
- #ifdef WC_RSA_NONBLOCK
- #ifdef WC_RSA_NONBLOCK_TIME
- /* User can override the check-time at build-time using the
- * FP_EXPTMOD_NB_CHECKTIME macro to define your own function */
- #ifndef FP_EXPTMOD_NB_CHECKTIME
- /* instruction count for each type of operation */
- /* array lookup is using TFM_EXPTMOD_NB_* states */
- static const word32 exptModNbInst[TFM_EXPTMOD_NB_COUNT] = {
- #ifdef TFM_PPC32
- #ifdef _DEBUG
- 11098, 8701, 3971, 178394, 858093, 1040, 822, 178056, 181574, 90883, 184339, 236813
- #else
- 7050, 2554, 3187, 43178, 200422, 384, 275, 43024, 43550, 30450, 46270, 61376
- #endif
- #elif defined(TFM_X86_64)
- #ifdef _DEBUG
- 954, 2377, 858, 19027, 90840, 287, 407, 20140, 7874, 11385, 8005, 6151
- #else
- 765, 1007, 771, 5216, 34993, 248, 193, 4975, 4201, 3947, 4275, 3811
- #endif
- #else /* software only fast math */
- #ifdef _DEBUG
- 798, 2245, 802, 16657, 66920, 352, 186, 16997, 16145, 12789, 16742, 15006
- #else
- 775, 1084, 783, 4692, 37510, 207, 183, 4374, 4392, 3097, 4442, 4079
- #endif
- #endif
- };
- static int fp_exptmod_nb_checktime(exptModNb_t* nb)
- {
- word32 totalInst;
- /* if no max time has been set then stop (do not block) */
- if (nb->maxBlockInst == 0 || nb->state >= TFM_EXPTMOD_NB_COUNT) {
- return TFM_EXPTMOD_NB_STOP;
- }
- /* if instruction table not set then use maxBlockInst as simple counter */
- if (exptModNbInst[nb->state] == 0) {
- if (++nb->totalInst < nb->maxBlockInst)
- return TFM_EXPTMOD_NB_CONTINUE;
- nb->totalInst = 0; /* reset counter */
- return TFM_EXPTMOD_NB_STOP;
- }
- /* get total instruction count including next operation */
- totalInst = nb->totalInst + exptModNbInst[nb->state];
- /* if the next operation can completed within the maximum then continue */
- if (totalInst <= nb->maxBlockInst) {
- return TFM_EXPTMOD_NB_CONTINUE;
- }
- return TFM_EXPTMOD_NB_STOP;
- }
- #define FP_EXPTMOD_NB_CHECKTIME(nb) fp_exptmod_nb_checktime((nb))
- #endif /* !FP_EXPTMOD_NB_CHECKTIME */
- #endif /* WC_RSA_NONBLOCK_TIME */
- /* non-blocking version of timing resistant fp_exptmod function */
- /* supports cache resistance */
- int fp_exptmod_nb(exptModNb_t* nb, fp_int* G, fp_int* X, fp_int* P, fp_int* Y)
- {
- int err, ret = FP_WOULDBLOCK;
- if (nb == NULL)
- return FP_VAL;
- #ifdef WC_RSA_NONBLOCK_TIME
- nb->totalInst = 0;
- do {
- nb->totalInst += exptModNbInst[nb->state];
- #endif
- switch (nb->state) {
- case TFM_EXPTMOD_NB_INIT:
- /* now setup montgomery */
- if ((err = fp_montgomery_setup(P, &nb->mp)) != FP_OKAY) {
- nb->state = TFM_EXPTMOD_NB_INIT;
- return err;
- }
- /* init ints */
- fp_init(&nb->R[0]);
- fp_init(&nb->R[1]);
- #ifndef WC_NO_CACHE_RESISTANT
- fp_init(&nb->R[2]);
- #endif
- nb->state = TFM_EXPTMOD_NB_MONT;
- break;
- case TFM_EXPTMOD_NB_MONT:
- /* mod m -> R[0] */
- err = fp_montgomery_calc_normalization(&nb->R[0], P);
- if (err != FP_OKAY) {
- nb->state = TFM_EXPTMOD_NB_INIT;
- return err;
- }
- nb->state = TFM_EXPTMOD_NB_MONT_RED;
- break;
- case TFM_EXPTMOD_NB_MONT_RED:
- /* reduce G -> R[1] */
- if (fp_cmp_mag(P, G) != FP_GT) {
- /* G > P so we reduce it first */
- fp_mod(G, P, &nb->R[1]);
- } else {
- fp_copy(G, &nb->R[1]);
- }
- nb->state = TFM_EXPTMOD_NB_MONT_MUL;
- break;
- case TFM_EXPTMOD_NB_MONT_MUL:
- /* G (R[1]) * m (R[0]) */
- err = fp_mul(&nb->R[1], &nb->R[0], &nb->R[1]);
- if (err != FP_OKAY) {
- nb->state = TFM_EXPTMOD_NB_INIT;
- return err;
- }
- nb->state = TFM_EXPTMOD_NB_MONT_MOD;
- break;
- case TFM_EXPTMOD_NB_MONT_MOD:
- /* mod m */
- err = fp_div(&nb->R[1], P, NULL, &nb->R[1]);
- if (err != FP_OKAY) {
- nb->state = TFM_EXPTMOD_NB_INIT;
- return err;
- }
- nb->state = TFM_EXPTMOD_NB_MONT_MODCHK;
- break;
- case TFM_EXPTMOD_NB_MONT_MODCHK:
- /* m matches sign of (G * R mod m) */
- if (nb->R[1].sign != P->sign) {
- err = fp_add(&nb->R[1], P, &nb->R[1]);
- if (err != FP_OKAY) {
- nb->state = TFM_EXPTMOD_NB_INIT;
- return err;
- }
- }
- /* set initial mode and bit cnt */
- nb->bitcnt = 1;
- nb->buf = 0;
- nb->digidx = X->used - 1;
- nb->state = TFM_EXPTMOD_NB_NEXT;
- break;
- case TFM_EXPTMOD_NB_NEXT:
- /* grab next digit as required */
- if (--nb->bitcnt == 0) {
- /* if nb->digidx == -1 we are out of digits so break */
- if (nb->digidx == -1) {
- nb->state = TFM_EXPTMOD_NB_RED;
- break;
- }
- /* read next digit and reset nb->bitcnt */
- nb->buf = X->dp[nb->digidx--];
- nb->bitcnt = (int)DIGIT_BIT;
- }
- /* grab the next msb from the exponent */
- nb->y = (int)(nb->buf >> (DIGIT_BIT - 1)) & 1;
- nb->buf <<= (fp_digit)1;
- nb->state = TFM_EXPTMOD_NB_MUL;
- FALL_THROUGH;
- case TFM_EXPTMOD_NB_MUL:
- fp_mul(&nb->R[0], &nb->R[1], &nb->R[nb->y^1]);
- nb->state = TFM_EXPTMOD_NB_MUL_RED;
- break;
- case TFM_EXPTMOD_NB_MUL_RED:
- fp_montgomery_reduce(&nb->R[nb->y^1], P, nb->mp);
- nb->state = TFM_EXPTMOD_NB_SQR;
- break;
- case TFM_EXPTMOD_NB_SQR:
- #ifdef WC_NO_CACHE_RESISTANT
- fp_sqr(&nb->R[nb->y], &nb->R[nb->y]);
- #else
- fp_copy((fp_int*) ( ((wolfssl_word)&nb->R[0] & wc_off_on_addr[nb->y^1]) +
- ((wolfssl_word)&nb->R[1] & wc_off_on_addr[nb->y]) ),
- &nb->R[2]);
- fp_sqr(&nb->R[2], &nb->R[2]);
- #endif /* WC_NO_CACHE_RESISTANT */
- nb->state = TFM_EXPTMOD_NB_SQR_RED;
- break;
- case TFM_EXPTMOD_NB_SQR_RED:
- #ifdef WC_NO_CACHE_RESISTANT
- fp_montgomery_reduce(&nb->R[nb->y], P, nb->mp);
- #else
- fp_montgomery_reduce(&nb->R[2], P, nb->mp);
- fp_copy(&nb->R[2],
- (fp_int*) ( ((wolfssl_word)&nb->R[0] & wc_off_on_addr[nb->y^1]) +
- ((wolfssl_word)&nb->R[1] & wc_off_on_addr[nb->y]) ) );
- #endif /* WC_NO_CACHE_RESISTANT */
- nb->state = TFM_EXPTMOD_NB_NEXT;
- break;
- case TFM_EXPTMOD_NB_RED:
- /* final reduce */
- fp_montgomery_reduce(&nb->R[0], P, nb->mp);
- fp_copy(&nb->R[0], Y);
- nb->state = TFM_EXPTMOD_NB_INIT;
- ret = FP_OKAY;
- break;
- } /* switch */
- #ifdef WC_RSA_NONBLOCK_TIME
- /* determine if maximum blocking time has been reached */
- } while (ret == FP_WOULDBLOCK &&
- FP_EXPTMOD_NB_CHECKTIME(nb) == TFM_EXPTMOD_NB_CONTINUE);
- #endif
- return ret;
- }
- #endif /* WC_RSA_NONBLOCK */
- /* timing resistant montgomery ladder based exptmod
- Based on work by Marc Joye, Sung-Ming Yen, "The Montgomery Powering Ladder",
- Cryptographic Hardware and Embedded Systems, CHES 2002
- */
- static int _fp_exptmod_ct(fp_int * G, fp_int * X, int digits, fp_int * P,
- fp_int * Y)
- {
- #ifndef WOLFSSL_SMALL_STACK
- #ifdef WC_NO_CACHE_RESISTANT
- fp_int R[2];
- #else
- fp_int R[3]; /* need a temp for cache resistance */
- #endif
- #else
- fp_int *R;
- #endif
- fp_digit buf, mp;
- int err, bitcnt, digidx, y;
- /* now setup montgomery */
- if ((err = fp_montgomery_setup (P, &mp)) != FP_OKAY) {
- return err;
- }
- #ifdef WOLFSSL_SMALL_STACK
- #ifndef WC_NO_CACHE_RESISTANT
- R = (fp_int*)XMALLOC(sizeof(fp_int) * 3, NULL, DYNAMIC_TYPE_BIGINT);
- #else
- R = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- if (R == NULL)
- return FP_MEM;
- #endif
- fp_init(&R[0]);
- fp_init(&R[1]);
- #ifndef WC_NO_CACHE_RESISTANT
- fp_init(&R[2]);
- #endif
- /* now we need R mod m */
- err = fp_montgomery_calc_normalization (&R[0], P);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* now set R[0][1] to G * R mod m */
- if (fp_cmp_mag(P, G) != FP_GT) {
- /* G > P so we reduce it first */
- fp_mod(G, P, &R[1]);
- } else {
- fp_copy(G, &R[1]);
- }
- fp_mulmod (&R[1], &R[0], P, &R[1]);
- /* for j = t-1 downto 0 do
- r_!k = R0*R1; r_k = r_k^2
- */
- /* set initial mode and bit cnt */
- bitcnt = 1;
- buf = 0;
- digidx = digits - 1;
- for (;;) {
- /* grab next digit as required */
- if (--bitcnt == 0) {
- /* if digidx == -1 we are out of digits so break */
- if (digidx == -1) {
- break;
- }
- /* read next digit and reset bitcnt */
- buf = X->dp[digidx--];
- bitcnt = (int)DIGIT_BIT;
- }
- /* grab the next msb from the exponent */
- y = (int)(buf >> (DIGIT_BIT - 1)) & 1;
- buf <<= (fp_digit)1;
- #ifdef WC_NO_CACHE_RESISTANT
- /* do ops */
- err = fp_mul(&R[0], &R[1], &R[y^1]);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_montgomery_reduce(&R[y^1], P, mp);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_sqr(&R[y], &R[y]);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_montgomery_reduce(&R[y], P, mp);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- #else
- /* do ops */
- err = fp_mul(&R[0], &R[1], &R[2]);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_montgomery_reduce(&R[2], P, mp);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* instead of using R[y^1] for mul, which leaks key bit to cache monitor,
- * use R[2] as temp, make sure address calc is constant, keep
- * &R[0] and &R[1] in cache */
- fp_copy(&R[2],
- (fp_int*) ( ((wolfssl_word)&R[0] & wc_off_on_addr[y]) +
- ((wolfssl_word)&R[1] & wc_off_on_addr[y^1]) ) );
- /* instead of using R[y] for sqr, which leaks key bit to cache monitor,
- * use R[2] as temp, make sure address calc is constant, keep
- * &R[0] and &R[1] in cache */
- fp_copy((fp_int*) ( ((wolfssl_word)&R[0] & wc_off_on_addr[y^1]) +
- ((wolfssl_word)&R[1] & wc_off_on_addr[y]) ),
- &R[2]);
- err = fp_sqr(&R[2], &R[2]);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_montgomery_reduce(&R[2], P, mp);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- fp_copy(&R[2],
- (fp_int*) ( ((wolfssl_word)&R[0] & wc_off_on_addr[y^1]) +
- ((wolfssl_word)&R[1] & wc_off_on_addr[y]) ) );
- #endif /* WC_NO_CACHE_RESISTANT */
- }
- err = fp_montgomery_reduce(&R[0], P, mp);
- fp_copy(&R[0], Y);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- #endif /* TFM_TIMING_RESISTANT */
- /* y = g**x (mod b)
- * Some restrictions... x must be positive and < b
- */
- static int _fp_exptmod_nct(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
- {
- fp_int *res;
- fp_digit buf, mp;
- int err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
- #ifndef WOLFSSL_NO_MALLOC
- fp_int *M;
- #else
- fp_int M[(1 << 6) + 1];
- #endif
- /* find window size */
- x = fp_count_bits (X);
- if (x <= 21) {
- winsize = 1;
- } else if (x <= 36) {
- winsize = 3;
- } else if (x <= 140) {
- winsize = 4;
- } else if (x <= 450) {
- winsize = 5;
- } else {
- winsize = 6;
- }
- /* now setup montgomery */
- if ((err = fp_montgomery_setup (P, &mp)) != FP_OKAY) {
- return err;
- }
- #ifndef WOLFSSL_NO_MALLOC
- /* only allocate space for what's needed for window plus res */
- M = (fp_int*)XMALLOC(sizeof(fp_int)*((1 << winsize) + 1), NULL,
- DYNAMIC_TYPE_BIGINT);
- if (M == NULL) {
- return FP_MEM;
- }
- #endif
- res = &M[(word32)(1 << winsize)];
- /* init M array */
- for(x = 0; x < (1 << winsize); x++)
- fp_init(&M[x]);
- /* setup result */
- fp_init(res);
- /* create M table
- *
- * The M table contains powers of the input base, e.g. M[x] = G^x mod P
- *
- * The first half of the table is not computed though except for M[0] and M[1]
- */
- /* now we need R mod m */
- err = fp_montgomery_calc_normalization (res, P);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* now set M[1] to G * R mod m */
- if (fp_cmp_mag(P, G) != FP_GT) {
- /* G > P so we reduce it first */
- fp_mod(G, P, &M[1]);
- } else {
- fp_copy(G, &M[1]);
- }
- fp_mulmod (&M[1], res, P, &M[1]);
- /* compute the value at M[1<<(winsize-1)] by
- * squaring M[1] (winsize-1) times */
- fp_copy (&M[1], &M[(word32)(1 << (winsize - 1))]);
- for (x = 0; x < (winsize - 1); x++) {
- fp_sqr (&M[(word32)(1 << (winsize - 1))], &M[(word32)(1 << (winsize - 1))]);
- err = fp_montgomery_reduce_ex(&M[(word32)(1 << (winsize - 1))], P, mp, 0);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- /* create upper table */
- for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
- err = fp_mul(&M[x - 1], &M[1], &M[x]);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_montgomery_reduce_ex(&M[x], P, mp, 0);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- /* set initial mode and bit cnt */
- mode = 0;
- bitcnt = (x % DIGIT_BIT) + 1;
- buf = 0;
- digidx = X->used - 1;
- bitcpy = 0;
- bitbuf = 0;
- for (;;) {
- /* grab next digit as required */
- if (--bitcnt == 0) {
- /* if digidx == -1 we are out of digits so break */
- if (digidx == -1) {
- break;
- }
- /* read next digit and reset bitcnt */
- buf = X->dp[digidx--];
- bitcnt = (int)DIGIT_BIT;
- }
- /* grab the next msb from the exponent */
- y = (int)(buf >> (DIGIT_BIT - 1)) & 1;
- buf <<= (fp_digit)1;
- /* if the bit is zero and mode == 0 then we ignore it
- * These represent the leading zero bits before the first 1 bit
- * in the exponent. Technically this opt is not required but it
- * does lower the # of trivial squaring/reductions used
- */
- if (mode == 0 && y == 0) {
- continue;
- }
- /* if the bit is zero and mode == 1 then we square */
- if (mode == 1 && y == 0) {
- err = fp_sqr(res, res);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- fp_montgomery_reduce_ex(res, P, mp, 0);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- continue;
- }
- /* else we add it to the window */
- bitbuf |= (y << (winsize - ++bitcpy));
- mode = 2;
- if (bitcpy == winsize) {
- /* ok window is filled so square as required and multiply */
- /* square first */
- for (x = 0; x < winsize; x++) {
- err = fp_sqr(res, res);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_montgomery_reduce_ex(res, P, mp, 0);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- /* then multiply */
- err = fp_mul(res, &M[bitbuf], res);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_montgomery_reduce_ex(res, P, mp, 0);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* empty window and reset */
- bitcpy = 0;
- bitbuf = 0;
- mode = 1;
- }
- }
- /* if bits remain then square/multiply */
- if (mode == 2 && bitcpy > 0) {
- /* square then multiply if the bit is set */
- for (x = 0; x < bitcpy; x++) {
- err = fp_sqr(res, res);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_montgomery_reduce_ex(res, P, mp, 0);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* get next bit of the window */
- bitbuf <<= 1;
- if ((bitbuf & (1 << winsize)) != 0) {
- /* then multiply */
- err = fp_mul(res, &M[1], res);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- err = fp_montgomery_reduce_ex(res, P, mp, 0);
- if (err != FP_OKAY) {
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- }
- }
- }
- /* fixup result if Montgomery reduction is used
- * recall that any value in a Montgomery system is
- * actually multiplied by R mod n. So we have
- * to reduce one more time to cancel out the factor
- * of R.
- */
- err = fp_montgomery_reduce_ex(res, P, mp, 0);
- /* swap res with Y */
- fp_copy (res, Y);
- #ifndef WOLFSSL_NO_MALLOC
- XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- #ifdef TFM_TIMING_RESISTANT
- #if DIGIT_BIT <= 16
- #define WINSIZE 2
- #elif DIGIT_BIT <= 32
- #define WINSIZE 3
- #elif DIGIT_BIT <= 64
- #define WINSIZE 4
- #elif DIGIT_BIT <= 128
- #define WINSIZE 5
- #endif
- /* y = 2**x (mod b)
- * Some restrictions... x must be positive and < b
- */
- static int _fp_exptmod_base_2(fp_int * X, int digits, fp_int * P,
- fp_int * Y)
- {
- fp_digit buf, mp;
- int err, bitbuf, bitcpy, bitcnt, digidx, x, y;
- #ifdef WOLFSSL_SMALL_STACK
- fp_int *res;
- fp_int *tmp;
- #else
- fp_int res[1];
- fp_int tmp[1];
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- res = (fp_int*)XMALLOC(2*sizeof(fp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (res == NULL) {
- return FP_MEM;
- }
- tmp = &res[1];
- #endif
- /* now setup montgomery */
- if ((err = fp_montgomery_setup(P, &mp)) != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- /* setup result */
- fp_init(res);
- fp_init(tmp);
- err = fp_mul_2d(P, 1 << WINSIZE, tmp);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- /* now we need R mod m */
- err = fp_montgomery_calc_normalization(res, P);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- /* Get the top bits left over after taking WINSIZE bits starting at the
- * least-significant.
- */
- digidx = digits - 1;
- bitcpy = (digits * DIGIT_BIT) % WINSIZE;
- if (bitcpy > 0) {
- bitcnt = (int)DIGIT_BIT - bitcpy;
- buf = X->dp[digidx--];
- bitbuf = (int)(buf >> bitcnt);
- /* Multiply montgomery representation of 1 by 2 ^ top */
- err = fp_mul_2d(res, bitbuf, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- err = fp_add(res, tmp, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- err = fp_mod(res, P, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- /* Move out bits used */
- buf <<= bitcpy;
- bitcnt++;
- }
- else {
- bitcnt = 1;
- buf = 0;
- }
- /* empty window and reset */
- bitbuf = 0;
- bitcpy = 0;
- for (;;) {
- /* grab next digit as required */
- if (--bitcnt == 0) {
- /* if digidx == -1 we are out of digits so break */
- if (digidx == -1) {
- break;
- }
- /* read next digit and reset bitcnt */
- buf = X->dp[digidx--];
- bitcnt = (int)DIGIT_BIT;
- }
- /* grab the next msb from the exponent */
- y = (int)(buf >> (DIGIT_BIT - 1)) & 1;
- buf <<= (fp_digit)1;
- /* add bit to the window */
- bitbuf |= (y << (WINSIZE - ++bitcpy));
- if (bitcpy == WINSIZE) {
- /* ok window is filled so square as required and multiply */
- /* square first */
- for (x = 0; x < WINSIZE; x++) {
- err = fp_sqr(res, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- err = fp_montgomery_reduce(res, P, mp);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- }
- /* then multiply by 2^bitbuf */
- err = fp_mul_2d(res, bitbuf, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- /* Add in value to make mod operation take same time */
- err = fp_add(res, tmp, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- err = fp_mod(res, P, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- /* empty window and reset */
- bitcpy = 0;
- bitbuf = 0;
- }
- }
- /* fixup result if Montgomery reduction is used
- * recall that any value in a Montgomery system is
- * actually multiplied by R mod n. So we have
- * to reduce one more time to cancel out the factor
- * of R.
- */
- err = fp_montgomery_reduce(res, P, mp);
- /* swap res with Y */
- fp_copy(res, Y);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- #undef WINSIZE
- #else
- #if DIGIT_BIT < 16
- #define WINSIZE 3
- #elif DIGIT_BIT < 32
- #define WINSIZE 4
- #elif DIGIT_BIT < 64
- #define WINSIZE 5
- #elif DIGIT_BIT < 128
- #define WINSIZE 6
- #elif DIGIT_BIT == 128
- #define WINSIZE 7
- #endif
- /* y = 2**x (mod b)
- * Some restrictions... x must be positive and < b
- */
- static int _fp_exptmod_base_2(fp_int * X, int digits, fp_int * P,
- fp_int * Y)
- {
- fp_digit buf, mp;
- int err, bitbuf, bitcpy, bitcnt, digidx, x, y;
- #ifdef WOLFSSL_SMALL_STACK
- fp_int *res;
- #else
- fp_int res[1];
- #endif
- /* now setup montgomery */
- if ((err = fp_montgomery_setup(P, &mp)) != FP_OKAY) {
- return err;
- }
- #ifdef WOLFSSL_SMALL_STACK
- res = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (res == NULL) {
- return FP_MEM;
- }
- #endif
- /* setup result */
- fp_init(res);
- /* now we need R mod m */
- err = fp_montgomery_calc_normalization(res, P);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- /* Get the top bits left over after taking WINSIZE bits starting at the
- * least-significant.
- */
- digidx = digits - 1;
- bitcpy = (digits * DIGIT_BIT) % WINSIZE;
- if (bitcpy > 0) {
- bitcnt = (int)DIGIT_BIT - bitcpy;
- buf = X->dp[digidx--];
- bitbuf = (int)(buf >> bitcnt);
- /* Multiply montgomery representation of 1 by 2 ^ top */
- err = fp_mul_2d(res, bitbuf, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- err = fp_mod(res, P, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- /* Move out bits used */
- buf <<= bitcpy;
- bitcnt++;
- }
- else {
- bitcnt = 1;
- buf = 0;
- }
- /* empty window and reset */
- bitbuf = 0;
- bitcpy = 0;
- for (;;) {
- /* grab next digit as required */
- if (--bitcnt == 0) {
- /* if digidx == -1 we are out of digits so break */
- if (digidx == -1) {
- break;
- }
- /* read next digit and reset bitcnt */
- buf = X->dp[digidx--];
- bitcnt = (int)DIGIT_BIT;
- }
- /* grab the next msb from the exponent */
- y = (int)(buf >> (DIGIT_BIT - 1)) & 1;
- buf <<= (fp_digit)1;
- /* add bit to the window */
- bitbuf |= (y << (WINSIZE - ++bitcpy));
- if (bitcpy == WINSIZE) {
- /* ok window is filled so square as required and multiply */
- /* square first */
- for (x = 0; x < WINSIZE; x++) {
- err = fp_sqr(res, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- err = fp_montgomery_reduce(res, P, mp);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- }
- /* then multiply by 2^bitbuf */
- err = fp_mul_2d(res, bitbuf, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- err = fp_mod(res, P, res);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- /* empty window and reset */
- bitcpy = 0;
- bitbuf = 0;
- }
- }
- /* fixup result if Montgomery reduction is used
- * recall that any value in a Montgomery system is
- * actually multiplied by R mod n. So we have
- * to reduce one more time to cancel out the factor
- * of R.
- */
- err = fp_montgomery_reduce(res, P, mp);
- /* swap res with Y */
- fp_copy(res, Y);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- #undef WINSIZE
- #endif
- int fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
- {
- #if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
- !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
- int x = fp_count_bits (X);
- #endif
- /* handle modulus of zero and prevent overflows */
- if (fp_iszero(P) || (P->used > (FP_SIZE/2))) {
- return FP_VAL;
- }
- if (fp_isone(P)) {
- fp_set(Y, 0);
- return FP_OKAY;
- }
- if (fp_iszero(X)) {
- fp_set(Y, 1);
- return FP_OKAY;
- }
- if (fp_iszero(G)) {
- fp_set(Y, 0);
- return FP_OKAY;
- }
- #if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
- !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
- if(x > EPS_RSA_EXPT_XBTIS) {
- return esp_mp_exptmod(G, X, x, P, Y);
- }
- #endif
- if (X->sign == FP_NEG) {
- #ifndef POSITIVE_EXP_ONLY /* reduce stack if assume no negatives */
- int err;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int tmp[2];
- #else
- fp_int *tmp;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- tmp = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_BIGINT);
- if (tmp == NULL)
- return FP_MEM;
- #endif
- /* yes, copy G and invmod it */
- fp_init_copy(&tmp[0], G);
- fp_init_copy(&tmp[1], P);
- tmp[1].sign = FP_ZPOS;
- err = fp_invmod(&tmp[0], &tmp[1], &tmp[0]);
- if (err == FP_OKAY) {
- fp_copy(X, &tmp[1]);
- tmp[1].sign = FP_ZPOS;
- #ifdef TFM_TIMING_RESISTANT
- err = _fp_exptmod_ct(&tmp[0], &tmp[1], tmp[1].used, P, Y);
- #else
- err = _fp_exptmod_nct(&tmp[0], &tmp[1], P, Y);
- #endif
- if ((err == 0) && (P->sign == FP_NEG)) {
- err = fp_add(Y, P, Y);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- #else
- return FP_VAL;
- #endif
- }
- else if (G->used == 1 && G->dp[0] == 2) {
- return _fp_exptmod_base_2(X, X->used, P, Y);
- }
- else {
- /* Positive exponent so just exptmod */
- #ifdef TFM_TIMING_RESISTANT
- return _fp_exptmod_ct(G, X, X->used, P, Y);
- #else
- return _fp_exptmod_nct(G, X, P, Y);
- #endif
- }
- }
- int fp_exptmod_ex(fp_int * G, fp_int * X, int digits, fp_int * P, fp_int * Y)
- {
- #if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
- !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
- int x = fp_count_bits (X);
- #endif
- if (fp_iszero(G)) {
- fp_set(G, 0);
- return FP_OKAY;
- }
- /* prevent overflows */
- if (P->used > (FP_SIZE/2)) {
- return FP_VAL;
- }
- #if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
- !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
- if(x > EPS_RSA_EXPT_XBTIS) {
- return esp_mp_exptmod(G, X, x, P, Y);
- }
- #endif
- if (X->sign == FP_NEG) {
- #ifndef POSITIVE_EXP_ONLY /* reduce stack if assume no negatives */
- int err;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int tmp[2];
- #else
- fp_int *tmp;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- tmp = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (tmp == NULL)
- return FP_MEM;
- #endif
- /* yes, copy G and invmod it */
- fp_init_copy(&tmp[0], G);
- fp_init_copy(&tmp[1], P);
- tmp[1].sign = FP_ZPOS;
- err = fp_invmod(&tmp[0], &tmp[1], &tmp[0]);
- if (err == FP_OKAY) {
- X->sign = FP_ZPOS;
- #ifdef TFM_TIMING_RESISTANT
- err = _fp_exptmod_ct(&tmp[0], X, digits, P, Y);
- #else
- err = _fp_exptmod_nct(&tmp[0], X, P, Y);
- (void)digits;
- #endif
- if (X != Y) {
- X->sign = FP_NEG;
- }
- if ((err == 0) && (P->sign == FP_NEG)) {
- err = fp_add(Y, P, Y);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- #else
- return FP_VAL;
- #endif
- }
- else {
- /* Positive exponent so just exptmod */
- #ifdef TFM_TIMING_RESISTANT
- return _fp_exptmod_ct(G, X, digits, P, Y);
- #else
- return _fp_exptmod_nct(G, X, P, Y);
- #endif
- }
- }
- int fp_exptmod_nct(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
- {
- #if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
- !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
- int x = fp_count_bits (X);
- #endif
- if (fp_iszero(G)) {
- fp_set(G, 0);
- return FP_OKAY;
- }
- /* prevent overflows */
- if (P->used > (FP_SIZE/2)) {
- return FP_VAL;
- }
- #if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
- !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
- if(x > EPS_RSA_EXPT_XBTIS) {
- return esp_mp_exptmod(G, X, x, P, Y);
- }
- #endif
- if (X->sign == FP_NEG) {
- #ifndef POSITIVE_EXP_ONLY /* reduce stack if assume no negatives */
- int err;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int tmp[2];
- #else
- fp_int *tmp;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- tmp = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (tmp == NULL)
- return FP_MEM;
- #endif
- /* yes, copy G and invmod it */
- fp_init_copy(&tmp[0], G);
- fp_init_copy(&tmp[1], P);
- tmp[1].sign = FP_ZPOS;
- err = fp_invmod(&tmp[0], &tmp[1], &tmp[0]);
- if (err == FP_OKAY) {
- X->sign = FP_ZPOS;
- err = _fp_exptmod_nct(&tmp[0], X, P, Y);
- if (X != Y) {
- X->sign = FP_NEG;
- }
- if ((err == 0) && (P->sign == FP_NEG)) {
- err = fp_add(Y, P, Y);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- #else
- return FP_VAL;
- #endif
- }
- else {
- /* Positive exponent so just exptmod */
- return _fp_exptmod_nct(G, X, P, Y);
- }
- }
- /* computes a = 2**b */
- void fp_2expt(fp_int *a, int b)
- {
- int z;
- /* zero a as per default */
- fp_zero (a);
- if (b < 0) {
- return;
- }
- z = b / DIGIT_BIT;
- if (z >= FP_SIZE) {
- return;
- }
- /* set the used count of where the bit will go */
- a->used = z + 1;
- /* put the single bit in its place */
- a->dp[z] = ((fp_digit)1) << (b % DIGIT_BIT);
- }
- /* b = a*a */
- int fp_sqr(fp_int *A, fp_int *B)
- {
- int err;
- int y, oldused;
- oldused = B->used;
- y = A->used;
- /* call generic if we're out of range */
- if (y + y > FP_SIZE) {
- err = fp_sqr_comba(A, B);
- goto clean;
- }
- #if defined(TFM_SQR3) && FP_SIZE >= 6
- if (y <= 3) {
- err = fp_sqr_comba3(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR4) && FP_SIZE >= 8
- if (y == 4) {
- err = fp_sqr_comba4(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR6) && FP_SIZE >= 12
- if (y <= 6) {
- err = fp_sqr_comba6(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR7) && FP_SIZE >= 14
- if (y == 7) {
- err = fp_sqr_comba7(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR8) && FP_SIZE >= 16
- if (y == 8) {
- err = fp_sqr_comba8(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR9) && FP_SIZE >= 18
- if (y == 9) {
- err = fp_sqr_comba9(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR12) && FP_SIZE >= 24
- if (y <= 12) {
- err = fp_sqr_comba12(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR17) && FP_SIZE >= 34
- if (y <= 17) {
- err = fp_sqr_comba17(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SMALL_SET)
- if (y <= 16) {
- err = fp_sqr_comba_small(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR20) && FP_SIZE >= 40
- if (y <= 20) {
- err = fp_sqr_comba20(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR24) && FP_SIZE >= 48
- if (y <= 24) {
- err = fp_sqr_comba24(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR28) && FP_SIZE >= 56
- if (y <= 28) {
- err = fp_sqr_comba28(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR32) && FP_SIZE >= 64
- if (y <= 32) {
- err = fp_sqr_comba32(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR48) && FP_SIZE >= 96
- if (y <= 48) {
- err = fp_sqr_comba48(A,B);
- goto clean;
- }
- #endif
- #if defined(TFM_SQR64) && FP_SIZE >= 128
- if (y <= 64) {
- err = fp_sqr_comba64(A,B);
- goto clean;
- }
- #endif
- err = fp_sqr_comba(A, B);
- clean:
- /* zero any excess digits on the destination that we didn't write to */
- for (y = B->used; y >= 0 && y < oldused; y++) {
- B->dp[y] = 0;
- }
- return err;
- }
- /* generic comba squarer */
- int fp_sqr_comba(fp_int *A, fp_int *B)
- {
- int pa, ix, iz;
- fp_digit c0, c1, c2;
- #ifdef TFM_ISO
- fp_word tt;
- #endif
- fp_int *dst;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int tmp[1];
- #else
- fp_int *tmp;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- tmp = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (tmp == NULL)
- return FP_MEM;
- #endif
- /* get size of output and trim */
- pa = A->used + A->used;
- if (pa >= FP_SIZE) {
- pa = FP_SIZE-1;
- }
- /* number of output digits to produce */
- COMBA_START;
- COMBA_CLEAR;
- if (A == B) {
- fp_init(tmp);
- dst = tmp;
- } else {
- fp_zero(B);
- dst = B;
- }
- for (ix = 0; ix < pa; ix++) {
- int tx, ty, iy;
- fp_digit *tmpy, *tmpx;
- /* get offsets into the two bignums */
- ty = MIN(A->used-1, ix);
- tx = ix - ty;
- /* setup temp aliases */
- tmpx = A->dp + tx;
- tmpy = A->dp + ty;
- /* this is the number of times the loop will iterate,
- while (tx++ < a->used && ty-- >= 0) { ... }
- */
- iy = MIN(A->used-tx, ty+1);
- /* now for squaring tx can never equal ty
- * we halve the distance since they approach
- * at a rate of 2x and we have to round because
- * odd cases need to be executed
- */
- iy = MIN(iy, (ty-tx+1)>>1);
- /* forward carries */
- COMBA_FORWARD;
- /* execute loop */
- for (iz = 0; iz < iy; iz++) {
- SQRADD2(*tmpx++, *tmpy--);
- }
- /* even columns have the square term in them */
- if ((ix&1) == 0) {
- /* TAO change COMBA_ADD back to SQRADD */
- SQRADD(A->dp[ix>>1], A->dp[ix>>1]);
- }
- /* store it */
- COMBA_STORE(dst->dp[ix]);
- }
- COMBA_FINI;
- /* setup dest */
- dst->used = pa;
- fp_clamp (dst);
- if (dst != B) {
- fp_copy(dst, B);
- }
- /* Variables used but not seen by cppcheck. */
- (void)c0; (void)c1; (void)c2;
- #ifdef TFM_ISO
- (void)tt;
- #endif
-
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- int fp_cmp(fp_int *a, fp_int *b)
- {
- if (a->sign == FP_NEG && b->sign == FP_ZPOS) {
- return FP_LT;
- } else if (a->sign == FP_ZPOS && b->sign == FP_NEG) {
- return FP_GT;
- } else {
- /* compare digits */
- if (a->sign == FP_NEG) {
- /* if negative compare opposite direction */
- return fp_cmp_mag(b, a);
- } else {
- return fp_cmp_mag(a, b);
- }
- }
- }
- /* compare against a single digit */
- int fp_cmp_d(fp_int *a, fp_digit b)
- {
- /* special case for zero*/
- if (a->used == 0 && b == 0)
- return FP_EQ;
- /* compare based on sign */
- if ((b && a->used == 0) || a->sign == FP_NEG) {
- return FP_LT;
- }
- /* compare based on magnitude */
- if (a->used > 1) {
- return FP_GT;
- }
- /* compare the only digit of a to b */
- if (a->dp[0] > b) {
- return FP_GT;
- } else if (a->dp[0] < b) {
- return FP_LT;
- } else {
- return FP_EQ;
- }
- }
- int fp_cmp_mag(fp_int *a, fp_int *b)
- {
- int x;
- if (a->used > b->used) {
- return FP_GT;
- } else if (a->used < b->used) {
- return FP_LT;
- } else {
- for (x = a->used - 1; x >= 0; x--) {
- if (a->dp[x] > b->dp[x]) {
- return FP_GT;
- } else if (a->dp[x] < b->dp[x]) {
- return FP_LT;
- }
- }
- }
- return FP_EQ;
- }
- /* sets up the montgomery reduction */
- int fp_montgomery_setup(fp_int *a, fp_digit *rho)
- {
- fp_digit x, b;
- /* fast inversion mod 2**k
- *
- * Based on the fact that
- *
- * XA = 1 (mod 2**n) => (X(2-XA)) A = 1 (mod 2**2n)
- * => 2*X*A - X*X*A*A = 1
- * => 2*(1) - (1) = 1
- */
- b = a->dp[0];
- if ((b & 1) == 0) {
- return FP_VAL;
- }
- x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
- x *= 2 - b * x; /* here x*a==1 mod 2**8 */
- x *= 2 - b * x; /* here x*a==1 mod 2**16 */
- x *= 2 - b * x; /* here x*a==1 mod 2**32 */
- #ifdef FP_64BIT
- x *= 2 - b * x; /* here x*a==1 mod 2**64 */
- #endif
- /* rho = -1/m mod b */
- *rho = (fp_digit) (((fp_word) 1 << ((fp_word) DIGIT_BIT)) - ((fp_word)x));
- return FP_OKAY;
- }
- /* computes a = B**n mod b without division or multiplication useful for
- * normalizing numbers in a Montgomery system.
- */
- int fp_montgomery_calc_normalization(fp_int *a, fp_int *b)
- {
- int x, bits;
- /* how many bits of last digit does b use */
- bits = fp_count_bits (b) % DIGIT_BIT;
- if (!bits) bits = DIGIT_BIT;
- /* compute A = B^(n-1) * 2^(bits-1) */
- if (b->used > 1) {
- fp_2expt (a, (b->used - 1) * DIGIT_BIT + bits - 1);
- } else {
- fp_set(a, 1);
- bits = 1;
- }
- /* now compute C = A * B mod b */
- for (x = bits - 1; x < (int)DIGIT_BIT; x++) {
- int err = fp_mul_2 (a, a);
- if (err != FP_OKAY) {
- return err;
- }
- if (fp_cmp_mag (a, b) != FP_LT) {
- s_fp_sub (a, b, a);
- }
- }
- return FP_OKAY;
- }
- #ifdef TFM_SMALL_MONT_SET
- #include "fp_mont_small.i"
- #endif
- #ifdef HAVE_INTEL_MULX
- static WC_INLINE void innermul8_mulx(fp_digit *c_mulx, fp_digit *cy_mulx, fp_digit *tmpm, fp_digit mu)
- {
- fp_digit cy = *cy_mulx ;
- INNERMUL8_MULX ;
- *cy_mulx = cy ;
- }
- /* computes x/R == x (mod N) via Montgomery Reduction */
- static int fp_montgomery_reduce_mulx(fp_int *a, fp_int *m, fp_digit mp, int ct)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_digit c[FP_SIZE+1];
- #else
- fp_digit *c;
- #endif
- fp_digit *_c, *tmpm, mu = 0;
- int oldused, x, y, pa;
- /* bail if too large */
- if (m->used > (FP_SIZE/2)) {
- (void)mu; /* shut up compiler */
- return FP_OKAY;
- }
- #ifdef TFM_SMALL_MONT_SET
- if (m->used <= 16) {
- return fp_montgomery_reduce_small(a, m, mp);
- }
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- /* only allocate space for what's needed for window plus res */
- c = (fp_digit*)XMALLOC(sizeof(fp_digit)*(FP_SIZE + 1), NULL, DYNAMIC_TYPE_BIGINT);
- if (c == NULL) {
- return FP_MEM;
- }
- #endif
- /* now zero the buff */
- XMEMSET(c, 0, sizeof(fp_digit)*(FP_SIZE + 1));
- pa = m->used;
- /* copy the input */
- oldused = a->used;
- for (x = 0; x < oldused; x++) {
- c[x] = a->dp[x];
- }
- MONT_START;
- for (x = 0; x < pa; x++) {
- fp_digit cy = 0;
- /* get Mu for this round */
- LOOP_START;
- _c = c + x;
- tmpm = m->dp;
- y = 0;
- for (; y < (pa & ~7); y += 8) {
- innermul8_mulx(_c, &cy, tmpm, mu) ;
- _c += 8;
- tmpm += 8;
- }
- for (; y < pa; y++) {
- INNERMUL;
- ++_c;
- }
- LOOP_END;
- while (cy) {
- PROPCARRY;
- ++_c;
- }
- }
- /* now copy out */
- _c = c + pa;
- tmpm = a->dp;
- for (x = 0; x < pa+1; x++) {
- *tmpm++ = *_c++;
- }
- /* zero any excess digits on the destination that we didn't write to */
- for (; x < oldused; x++) {
- *tmpm++ = 0;
- }
- MONT_FINI;
- a->used = pa+1;
- fp_clamp(a);
- #ifdef WOLFSSL_MONT_RED_NCT
- /* if A >= m then A = A - m */
- if (fp_cmp_mag (a, m) != FP_LT) {
- s_fp_sub (a, m, a);
- }
- (void)ct;
- #else
- if (ct) {
- fp_submod_ct(a, m, m, a);
- }
- else if (fp_cmp_mag (a, m) != FP_LT) {
- s_fp_sub (a, m, a);
- }
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(c, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- #endif
- /* computes x/R == x (mod N) via Montgomery Reduction */
- int fp_montgomery_reduce_ex(fp_int *a, fp_int *m, fp_digit mp, int ct)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_digit c[FP_SIZE+1];
- #else
- fp_digit *c;
- #endif
- fp_digit *_c, *tmpm, mu = 0;
- int oldused, x, y, pa, err = 0;
- IF_HAVE_INTEL_MULX(err=fp_montgomery_reduce_mulx(a, m, mp, ct), return err) ;
- (void)err;
- /* bail if too large */
- if (m->used > (FP_SIZE/2)) {
- (void)mu; /* shut up compiler */
- return FP_VAL;
- }
- #ifdef TFM_SMALL_MONT_SET
- if (m->used <= 16) {
- return fp_montgomery_reduce_small(a, m, mp);
- }
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- /* only allocate space for what's needed for window plus res */
- c = (fp_digit*)XMALLOC(sizeof(fp_digit)*(FP_SIZE + 1), NULL, DYNAMIC_TYPE_BIGINT);
- if (c == NULL) {
- return FP_MEM;
- }
- #endif
- /* now zero the buff */
- XMEMSET(c, 0, sizeof(fp_digit)*(FP_SIZE + 1));
- pa = m->used;
- /* copy the input */
- #ifdef TFM_TIMING_RESISTANT
- if (a->used <= m->used) {
- oldused = m->used;
- }
- else {
- oldused = m->used * 2;
- }
- #else
- oldused = a->used;
- #endif
- for (x = 0; x < oldused; x++) {
- c[x] = a->dp[x];
- }
- MONT_START;
- for (x = 0; x < pa; x++) {
- fp_digit cy = 0;
- /* get Mu for this round */
- LOOP_START;
- _c = c + x;
- tmpm = m->dp;
- y = 0;
- #if defined(INNERMUL8)
- for (; y < (pa & ~7); y += 8) {
- INNERMUL8 ;
- _c += 8;
- tmpm += 8;
- }
- #endif
- for (; y < pa; y++) {
- INNERMUL;
- ++_c;
- }
- LOOP_END;
- while (cy) {
- PROPCARRY;
- ++_c;
- }
- }
- /* now copy out */
- _c = c + pa;
- tmpm = a->dp;
- for (x = 0; x < pa+1; x++) {
- *tmpm++ = *_c++;
- }
- /* zero any excess digits on the destination that we didn't write to */
- for (; x < oldused; x++) {
- *tmpm++ = 0;
- }
- MONT_FINI;
- a->used = pa+1;
- fp_clamp(a);
- #ifndef WOLFSSL_MONT_RED_CT
- /* if A >= m then A = A - m */
- if (fp_cmp_mag (a, m) != FP_LT) {
- s_fp_sub (a, m, a);
- }
- (void)ct;
- #else
- if (ct) {
- fp_submod_ct(a, m, m, a);
- }
- else if (fp_cmp_mag (a, m) != FP_LT) {
- s_fp_sub (a, m, a);
- }
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(c, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- int fp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp)
- {
- return fp_montgomery_reduce_ex(a, m, mp, 1);
- }
- int fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c)
- {
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- const word32 maxC = (a->size * sizeof(fp_digit));
- #else
- const word32 maxC = (FP_SIZE * sizeof(fp_digit));
- #endif
- /* zero the int */
- fp_zero (a);
- /* if input b excess max, then truncate */
- if (c > 0 && (word32)c > maxC) {
- int excess = (c - maxC);
- c -= excess;
- b += excess;
- }
- /* If we know the endianness of this architecture, and we're using
- 32-bit fp_digits, we can optimize this */
- #if (defined(LITTLE_ENDIAN_ORDER) || defined(BIG_ENDIAN_ORDER)) && \
- defined(FP_32BIT)
- /* But not for both simultaneously */
- #if defined(LITTLE_ENDIAN_ORDER) && defined(BIG_ENDIAN_ORDER)
- #error Both LITTLE_ENDIAN_ORDER and BIG_ENDIAN_ORDER defined.
- #endif
- {
- unsigned char *pd = (unsigned char *)a->dp;
- a->used = (c + sizeof(fp_digit) - 1)/sizeof(fp_digit);
- /* read the bytes in */
- #ifdef BIG_ENDIAN_ORDER
- {
- /* Use Duff's device to unroll the loop. */
- int idx = (c - 1) & ~3;
- switch (c % 4) {
- case 0: do { pd[idx+0] = *b++; // fallthrough
- case 3: pd[idx+1] = *b++; // fallthrough
- case 2: pd[idx+2] = *b++; // fallthrough
- case 1: pd[idx+3] = *b++; // fallthrough
- idx -= 4;
- } while ((c -= 4) > 0);
- }
- }
- #else
- for (c -= 1; c >= 0; c -= 1) {
- pd[c] = *b++;
- }
- #endif
- }
- #else
- /* read the bytes in */
- for (; c > 0; c--) {
- int err = fp_mul_2d (a, 8, a);
- if (err != FP_OKAY) {
- return err;
- }
- a->dp[0] |= *b++;
- if (a->used == 0) {
- a->used = 1;
- }
- }
- #endif
- fp_clamp (a);
- return FP_OKAY;
- }
- int fp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b)
- {
- #if DIGIT_BIT == 64 || DIGIT_BIT == 32
- int i, j;
- fp_digit n;
- for (j=0,i=0; i<t->used-1; ) {
- b[x++] = (unsigned char)(t->dp[i] >> j);
- j += 8;
- i += j == DIGIT_BIT;
- j &= DIGIT_BIT - 1;
- }
- n = t->dp[i];
- while (n != 0) {
- b[x++] = (unsigned char)n;
- n >>= 8;
- }
- return x;
- #else
- while (fp_iszero (t) == FP_NO) {
- b[x++] = (unsigned char) (t->dp[0] & 255);
- fp_div_2d (t, 8, t, NULL);
- }
- return x;
- #endif
- }
- int fp_to_unsigned_bin(fp_int *a, unsigned char *b)
- {
- int x;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- fp_init_copy(t, a);
- x = fp_to_unsigned_bin_at_pos(0, t, b);
- fp_reverse (b, x);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c)
- {
- #if DIGIT_BIT == 64 || DIGIT_BIT == 32
- int i, j, x;
- for (x=c-1,j=0,i=0; x >= 0; x--) {
- b[x] = (unsigned char)(a->dp[i] >> j);
- j += 8;
- i += j == DIGIT_BIT;
- j &= DIGIT_BIT - 1;
- }
- return FP_OKAY;
- #else
- int x;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- fp_init_copy(t, a);
- for (x = 0; x < c; x++) {
- b[x] = (unsigned char) (t->dp[0] & 255);
- fp_div_2d (t, 8, t, NULL);
- }
- fp_reverse (b, x);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- #endif
- }
- int fp_unsigned_bin_size(fp_int *a)
- {
- int size = fp_count_bits (a);
- return (size / 8 + ((size & 7) != 0 ? 1 : 0));
- }
- void fp_set(fp_int *a, fp_digit b)
- {
- fp_zero(a);
- a->dp[0] = b;
- a->used = a->dp[0] ? 1 : 0;
- }
- #ifndef MP_SET_CHUNK_BITS
- #define MP_SET_CHUNK_BITS 4
- #endif
- int fp_set_int(fp_int *a, unsigned long b)
- {
- int x;
- /* use direct fp_set if b is less than fp_digit max */
- if (b < FP_DIGIT_MAX) {
- fp_set (a, (fp_digit)b);
- return FP_OKAY;
- }
- fp_zero (a);
- /* set chunk bits at a time */
- for (x = 0; x < (int)(sizeof(b) * 8) / MP_SET_CHUNK_BITS; x++) {
- int err = fp_mul_2d (a, MP_SET_CHUNK_BITS, a);
- if (err != FP_OKAY)
- return err;
- /* OR in the top bits of the source */
- a->dp[0] |= (b >> ((sizeof(b) * 8) - MP_SET_CHUNK_BITS)) &
- ((1 << MP_SET_CHUNK_BITS) - 1);
- /* shift the source up to the next chunk bits */
- b <<= MP_SET_CHUNK_BITS;
- /* ensure that digits are not clamped off */
- a->used += 1;
- }
- /* clamp digits */
- fp_clamp(a);
- return FP_OKAY;
- }
- /* check if a bit is set */
- int fp_is_bit_set (fp_int *a, fp_digit b)
- {
- fp_digit i;
- if (b > FP_MAX_BITS)
- return FP_VAL;
- i = b/DIGIT_BIT;
- if ((fp_digit)a->used < i)
- return 0;
- return (int)((a->dp[i] >> b%DIGIT_BIT) & (fp_digit)1);
- }
- /* set the b bit of a */
- int fp_set_bit (fp_int * a, fp_digit b)
- {
- fp_digit i;
- if (b > FP_MAX_BITS)
- return FP_VAL;
- i = b/DIGIT_BIT;
- /* set the used count of where the bit will go if required */
- if (a->used < (int)(i+1))
- a->used = (int)(i+1);
- /* put the single bit in its place */
- a->dp[i] |= ((fp_digit)1) << (b % DIGIT_BIT);
- return MP_OKAY;
- }
- int fp_count_bits (fp_int * a)
- {
- int r;
- fp_digit q;
- /* shortcut */
- if (a->used == 0) {
- return 0;
- }
- /* get number of digits and add that */
- r = (a->used - 1) * DIGIT_BIT;
- /* take the last digit and count the bits in it */
- q = a->dp[a->used - 1];
- while (q > ((fp_digit) 0)) {
- ++r;
- q >>= ((fp_digit) 1);
- }
- return r;
- }
- int fp_leading_bit(fp_int *a)
- {
- int bit = 0;
- if (a->used != 0) {
- fp_digit q = a->dp[a->used - 1];
- int qSz = sizeof(fp_digit);
- while (qSz > 0) {
- if ((unsigned char)q != 0)
- bit = (q & 0x80) != 0;
- q >>= 8;
- qSz--;
- }
- }
- return bit;
- }
- int fp_lshd(fp_int *a, int x)
- {
- int y;
- if (a->used + x > FP_SIZE) return FP_VAL;
- y = a->used + x - 1;
- /* store new size */
- a->used = y + 1;
- /* move digits */
- for (; y >= x; y--) {
- a->dp[y] = a->dp[y-x];
- }
- /* zero lower digits */
- for (; y >= 0; y--) {
- a->dp[y] = 0;
- }
- /* clamp digits */
- fp_clamp(a);
- return FP_OKAY;
- }
- /* right shift by bit count */
- void fp_rshb(fp_int *c, int x)
- {
- fp_digit *tmpc, mask, shift;
- fp_digit r, rr;
- fp_digit D = x;
- /* shifting by a negative number not supported */
- if (x < 0) return;
- /* shift digits first if needed */
- if (x >= DIGIT_BIT) {
- fp_rshd(c, x / DIGIT_BIT);
- /* recalculate number of bits to shift */
- D = x % DIGIT_BIT;
- }
- /* zero shifted is always zero */
- if (fp_iszero(c)) return;
- /* mask */
- mask = (((fp_digit)1) << D) - 1;
- /* shift for lsb */
- shift = DIGIT_BIT - D;
- /* alias */
- tmpc = c->dp + (c->used - 1);
- /* carry */
- r = 0;
- for (x = c->used - 1; x >= 0; x--) {
- /* get the lower bits of this word in a temp */
- rr = *tmpc & mask;
- /* shift the current word and mix in the carry bits from previous word */
- *tmpc = (*tmpc >> D) | (r << shift);
- --tmpc;
- /* set the carry to the carry bits of the current word found above */
- r = rr;
- }
- /* clamp digits */
- fp_clamp(c);
- }
- void fp_rshd(fp_int *a, int x)
- {
- int y;
- /* too many digits just zero and return */
- if (x >= a->used) {
- fp_zero(a);
- return;
- }
- /* shift */
- for (y = 0; y < a->used - x; y++) {
- a->dp[y] = a->dp[y+x];
- }
- /* zero rest */
- for (; y < a->used; y++) {
- a->dp[y] = 0;
- }
- /* decrement count */
- a->used -= x;
- fp_clamp(a);
- }
- /* reverse an array, used for radix code */
- void fp_reverse (unsigned char *s, int len)
- {
- int ix, iy;
- unsigned char t;
- ix = 0;
- iy = len - 1;
- while (ix < iy) {
- t = s[ix];
- s[ix] = s[iy];
- s[iy] = t;
- ++ix;
- --iy;
- }
- }
- /* c = a - b */
- int fp_sub_d(fp_int *a, fp_digit b, fp_int *c)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int tmp[1];
- #else
- fp_int *tmp;
- #endif
- int err = FP_OKAY;
- #ifdef WOLFSSL_SMALL_STACK
- tmp = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (tmp == NULL)
- return FP_MEM;
- #endif
- fp_init(tmp);
- fp_set(tmp, b);
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- if (c->size < FP_SIZE) {
- err = fp_sub(a, tmp, tmp);
- fp_copy(tmp, c);
- } else
- #endif
- {
- err = fp_sub(a, tmp, c);
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* wolfSSL callers from normal lib */
- /* init a new mp_int */
- int mp_init (mp_int * a)
- {
- if (a)
- fp_init(a);
- return MP_OKAY;
- }
- void fp_init(fp_int *a)
- {
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- a->size = FP_SIZE;
- #endif
- #ifdef HAVE_WOLF_BIGINT
- wc_bigint_init(&a->raw);
- #endif
- fp_zero(a);
- }
- void fp_zero(fp_int *a)
- {
- int size;
- a->used = 0;
- a->sign = FP_ZPOS;
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- size = a->size;
- #else
- size = FP_SIZE;
- #endif
- XMEMSET(a->dp, 0, size * sizeof(fp_digit));
- }
- void fp_clear(fp_int *a)
- {
- int size;
- a->used = 0;
- a->sign = FP_ZPOS;
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- size = a->size;
- #else
- size = FP_SIZE;
- #endif
- XMEMSET(a->dp, 0, size * sizeof(fp_digit));
- fp_free(a);
- }
- void fp_forcezero (mp_int * a)
- {
- int size;
- a->used = 0;
- a->sign = FP_ZPOS;
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- size = a->size;
- #else
- size = FP_SIZE;
- #endif
- ForceZero(a->dp, size * sizeof(fp_digit));
- #ifdef HAVE_WOLF_BIGINT
- wc_bigint_zero(&a->raw);
- #endif
- fp_free(a);
- }
- void mp_forcezero (mp_int * a)
- {
- fp_forcezero(a);
- }
- void fp_free(fp_int* a)
- {
- #ifdef HAVE_WOLF_BIGINT
- wc_bigint_free(&a->raw);
- #else
- (void)a;
- #endif
- }
- /* clear one (frees) */
- void mp_clear (mp_int * a)
- {
- if (a == NULL)
- return;
- fp_clear(a);
- }
- void mp_free(mp_int* a)
- {
- fp_free(a);
- }
- /* handle up to 6 inits */
- int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d,
- mp_int* e, mp_int* f)
- {
- if (a)
- fp_init(a);
- if (b)
- fp_init(b);
- if (c)
- fp_init(c);
- if (d)
- fp_init(d);
- if (e)
- fp_init(e);
- if (f)
- fp_init(f);
- return MP_OKAY;
- }
- /* high level addition (handles signs) */
- int mp_add (mp_int * a, mp_int * b, mp_int * c)
- {
- return fp_add(a, b, c);
- }
- /* high level subtraction (handles signs) */
- int mp_sub (mp_int * a, mp_int * b, mp_int * c)
- {
- return fp_sub(a, b, c);
- }
- /* high level multiplication (handles sign) */
- #if defined(FREESCALE_LTC_TFM)
- int wolfcrypt_mp_mul(mp_int * a, mp_int * b, mp_int * c)
- #else
- int mp_mul (mp_int * a, mp_int * b, mp_int * c)
- #endif
- {
- return fp_mul(a, b, c);
- }
- int mp_mul_d (mp_int * a, mp_digit b, mp_int * c)
- {
- return fp_mul_d(a, b, c);
- }
- /* d = a * b (mod c) */
- #if defined(FREESCALE_LTC_TFM)
- int wolfcrypt_mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d)
- #else
- int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d)
- #endif
- {
- #if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
- !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
- int A = fp_count_bits (a);
- int B = fp_count_bits (b);
- if( A >= ESP_RSA_MULM_BITS && B >= ESP_RSA_MULM_BITS)
- return esp_mp_mulmod(a, b, c, d);
- else
- #endif
- return fp_mulmod(a, b, c, d);
- }
- /* d = a - b (mod c) */
- int mp_submod(mp_int *a, mp_int *b, mp_int *c, mp_int *d)
- {
- return fp_submod(a, b, c, d);
- }
- /* d = a + b (mod c) */
- int mp_addmod(mp_int *a, mp_int *b, mp_int *c, mp_int *d)
- {
- return fp_addmod(a, b, c, d);
- }
- /* d = a - b (mod c) - constant time (a < c and b < c) */
- int mp_submod_ct(mp_int *a, mp_int *b, mp_int *c, mp_int *d)
- {
- return fp_submod_ct(a, b, c, d);
- }
- /* d = a + b (mod c) - constant time (a < c and b < c) */
- int mp_addmod_ct(mp_int *a, mp_int *b, mp_int *c, mp_int *d)
- {
- return fp_addmod_ct(a, b, c, d);
- }
- /* c = a mod b, 0 <= c < b */
- #if defined(FREESCALE_LTC_TFM)
- int wolfcrypt_mp_mod (mp_int * a, mp_int * b, mp_int * c)
- #else
- int mp_mod (mp_int * a, mp_int * b, mp_int * c)
- #endif
- {
- return fp_mod (a, b, c);
- }
- /* hac 14.61, pp608 */
- #if defined(FREESCALE_LTC_TFM)
- int wolfcrypt_mp_invmod (mp_int * a, mp_int * b, mp_int * c)
- #else
- int mp_invmod (mp_int * a, mp_int * b, mp_int * c)
- #endif
- {
- return fp_invmod(a, b, c);
- }
- /* hac 14.61, pp608 */
- int mp_invmod_mont_ct (mp_int * a, mp_int * b, mp_int * c, mp_digit mp)
- {
- return fp_invmod_mont_ct(a, b, c, mp);
- }
- /* this is a shell function that calls either the normal or Montgomery
- * exptmod functions. Originally the call to the montgomery code was
- * embedded in the normal function but that wasted a lot of stack space
- * for nothing (since 99% of the time the Montgomery code would be called)
- */
- #if defined(FREESCALE_LTC_TFM)
- int wolfcrypt_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
- #else
- int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
- #endif
- {
- return fp_exptmod(G, X, P, Y);
- }
- int mp_exptmod_ex (mp_int * G, mp_int * X, int digits, mp_int * P, mp_int * Y)
- {
- return fp_exptmod_ex(G, X, digits, P, Y);
- }
- int mp_exptmod_nct (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
- {
- return fp_exptmod_nct(G, X, P, Y);
- }
- /* compare two ints (signed)*/
- int mp_cmp (mp_int * a, mp_int * b)
- {
- return fp_cmp(a, b);
- }
- /* compare a digit */
- int mp_cmp_d(mp_int * a, mp_digit b)
- {
- return fp_cmp_d(a, b);
- }
- /* get the size for an unsigned equivalent */
- int mp_unsigned_bin_size (mp_int * a)
- {
- return fp_unsigned_bin_size(a);
- }
- int mp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b)
- {
- return fp_to_unsigned_bin_at_pos(x, t, b);
- }
- /* store in unsigned [big endian] format */
- int mp_to_unsigned_bin (mp_int * a, unsigned char *b)
- {
- return fp_to_unsigned_bin(a,b);
- }
- int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c)
- {
- return fp_to_unsigned_bin_len(a, b, c);
- }
- /* reads a unsigned char array, assumes the msb is stored first [big endian] */
- int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c)
- {
- return fp_read_unsigned_bin(a, b, c);
- }
- int mp_sub_d(fp_int *a, fp_digit b, fp_int *c)
- {
- return fp_sub_d(a, b, c);
- }
- int mp_mul_2d(fp_int *a, int b, fp_int *c)
- {
- return fp_mul_2d(a, b, c);
- }
- int mp_2expt(fp_int* a, int b)
- {
- fp_2expt(a, b);
- return MP_OKAY;
- }
- int mp_div(fp_int * a, fp_int * b, fp_int * c, fp_int * d)
- {
- return fp_div(a, b, c, d);
- }
- int mp_div_2d(fp_int* a, int b, fp_int* c, fp_int* d)
- {
- fp_div_2d(a, b, c, d);
- return MP_OKAY;
- }
- void fp_copy(fp_int *a, fp_int *b)
- {
- /* if source and destination are different */
- if (a != b) {
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- /* verify a will fit in b */
- if (b->size >= a->used) {
- int x, oldused;
- oldused = b->used;
- b->used = a->used;
- b->sign = a->sign;
- XMEMCPY(b->dp, a->dp, a->used * sizeof(fp_digit));
- /* zero any excess digits on the destination that we didn't write to */
- for (x = b->used; x >= 0 && x < oldused; x++) {
- b->dp[x] = 0;
- }
- }
- else {
- /* TODO: Handle error case */
- }
- #else
- /* all dp's are same size, so do straight copy */
- b->used = a->used;
- b->sign = a->sign;
- XMEMCPY(b->dp, a->dp, FP_SIZE * sizeof(fp_digit));
- #endif
- }
- }
- void fp_init_copy(fp_int *a, fp_int* b)
- {
- if (a != b) {
- fp_init(a);
- fp_copy(b, a);
- }
- }
- /* fast math wrappers */
- int mp_copy(fp_int* a, fp_int* b)
- {
- fp_copy(a, b);
- return MP_OKAY;
- }
- int mp_isodd(mp_int* a)
- {
- return fp_isodd(a);
- }
- int mp_iszero(mp_int* a)
- {
- return fp_iszero(a);
- }
- int mp_count_bits (mp_int* a)
- {
- return fp_count_bits(a);
- }
- int mp_leading_bit (mp_int* a)
- {
- return fp_leading_bit(a);
- }
- void mp_rshb (mp_int* a, int x)
- {
- fp_rshb(a, x);
- }
- void mp_rshd (mp_int* a, int x)
- {
- fp_rshd(a, x);
- }
- int mp_set_int(mp_int *a, unsigned long b)
- {
- return fp_set_int(a, b);
- }
- int mp_is_bit_set (mp_int *a, mp_digit b)
- {
- return fp_is_bit_set(a, b);
- }
- int mp_set_bit(mp_int *a, mp_digit b)
- {
- return fp_set_bit(a, b);
- }
- #if defined(WOLFSSL_KEY_GEN) || defined (HAVE_ECC) || !defined(NO_DH) || \
- !defined(NO_DSA) || !defined(NO_RSA)
- /* c = a * a (mod b) */
- int fp_sqrmod(fp_int *a, fp_int *b, fp_int *c)
- {
- int err;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- fp_init(t);
- err = fp_sqr(a, t);
- if (err == FP_OKAY) {
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- if (c->size < FP_SIZE) {
- err = fp_mod(t, b, t);
- fp_copy(t, c);
- }
- else
- #endif
- {
- err = fp_mod(t, b, c);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* fast math conversion */
- int mp_sqrmod(mp_int *a, mp_int *b, mp_int *c)
- {
- return fp_sqrmod(a, b, c);
- }
- /* fast math conversion */
- int mp_montgomery_calc_normalization(mp_int *a, mp_int *b)
- {
- return fp_montgomery_calc_normalization(a, b);
- }
- #endif /* WOLFSSL_KEYGEN || HAVE_ECC */
- #if defined(WC_MP_TO_RADIX) || !defined(NO_DH) || !defined(NO_DSA) || \
- !defined(NO_RSA)
- #ifdef WOLFSSL_KEY_GEN
- /* swap the elements of two integers, for cases where you can't simply swap the
- * mp_int pointers around
- */
- static int fp_exch (fp_int * a, fp_int * b)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- *t = *a;
- *a = *b;
- *b = *t;
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- #endif
- static const int lnz[16] = {
- 4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0
- };
- /* Counts the number of lsbs which are zero before the first zero bit */
- int fp_cnt_lsb(fp_int *a)
- {
- int x;
- fp_digit q, qq;
- /* easy out */
- if (fp_iszero(a) == FP_YES) {
- return 0;
- }
- /* scan lower digits until non-zero */
- for (x = 0; x < a->used && a->dp[x] == 0; x++) {}
- q = a->dp[x];
- x *= DIGIT_BIT;
- /* now scan this digit until a 1 is found */
- if ((q & 1) == 0) {
- do {
- qq = q & 15;
- x += lnz[qq];
- q >>= 4;
- } while (qq == 0);
- }
- return x;
- }
- static int s_is_power_of_two(fp_digit b, int *p)
- {
- int x;
- /* fast return if no power of two */
- if ((b==0) || (b & (b-1))) {
- return FP_NO;
- }
- for (x = 0; x < DIGIT_BIT; x++) {
- if (b == (((fp_digit)1)<<x)) {
- *p = x;
- return FP_YES;
- }
- }
- return FP_NO;
- }
- /* a/b => cb + d == a */
- static int fp_div_d(fp_int *a, fp_digit b, fp_int *c, fp_digit *d)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int q[1];
- #else
- fp_int *q;
- #endif
- fp_word w;
- fp_digit t;
- int ix;
- /* cannot divide by zero */
- if (b == 0) {
- return FP_VAL;
- }
- /* quick outs */
- if (b == 1 || fp_iszero(a) == FP_YES) {
- if (d != NULL) {
- *d = 0;
- }
- if (c != NULL) {
- fp_copy(a, c);
- }
- return FP_OKAY;
- }
- /* power of two ? */
- if (s_is_power_of_two(b, &ix) == FP_YES) {
- if (d != NULL) {
- *d = a->dp[0] & ((((fp_digit)1)<<ix) - 1);
- }
- if (c != NULL) {
- fp_div_2d(a, ix, c, NULL);
- }
- return FP_OKAY;
- }
- #ifdef WOLFSSL_SMALL_STACK
- q = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (q == NULL)
- return FP_MEM;
- #endif
- fp_init(q);
- if (c != NULL) {
- q->used = a->used;
- q->sign = a->sign;
- }
- w = 0;
- for (ix = a->used - 1; ix >= 0; ix--) {
- w = (w << ((fp_word)DIGIT_BIT)) | ((fp_word)a->dp[ix]);
- if (w >= b) {
- t = (fp_digit)(w / b);
- w -= ((fp_word)t) * ((fp_word)b);
- } else {
- t = 0;
- }
- if (c != NULL)
- q->dp[ix] = (fp_digit)t;
- }
- if (d != NULL) {
- *d = (fp_digit)w;
- }
- if (c != NULL) {
- fp_clamp(q);
- fp_copy(q, c);
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- /* c = a mod b, 0 <= c < b */
- static int fp_mod_d(fp_int *a, fp_digit b, fp_digit *c)
- {
- return fp_div_d(a, b, NULL, c);
- }
- int mp_mod_d(fp_int *a, fp_digit b, fp_digit *c)
- {
- return fp_mod_d(a, b, c);
- }
- #endif /* WC_MP_TO_RADIX || !NO_DH || !NO_DSA || !NO_RSA */
- #if !defined(NO_DH) || !defined(NO_DSA) || !defined(NO_RSA) || \
- defined(WOLFSSL_KEY_GEN)
- static int fp_isprime_ex(fp_int *a, int t, int* result);
- int mp_prime_is_prime(mp_int* a, int t, int* result)
- {
- return fp_isprime_ex(a, t, result);
- }
- /* Miller-Rabin test of "a" to the base of "b" as described in
- * HAC pp. 139 Algorithm 4.24
- *
- * Sets result to 0 if definitely composite or 1 if probably prime.
- * Randomly the chance of error is no more than 1/4 and often
- * very much lower.
- */
- static int fp_prime_miller_rabin_ex(fp_int * a, fp_int * b, int *result,
- fp_int *n1, fp_int *y, fp_int *r)
- {
- int s, j;
- int err;
- /* default */
- *result = FP_NO;
- /* ensure b > 1 */
- if (fp_cmp_d(b, 1) != FP_GT) {
- return FP_OKAY;
- }
- /* get n1 = a - 1 */
- fp_copy(a, n1);
- err = fp_sub_d(n1, 1, n1);
- if (err != FP_OKAY) {
- return err;
- }
- /* set 2**s * r = n1 */
- fp_copy(n1, r);
- /* count the number of least significant bits
- * which are zero
- */
- s = fp_cnt_lsb(r);
- /* now divide n - 1 by 2**s */
- fp_div_2d (r, s, r, NULL);
- /* compute y = b**r mod a */
- fp_zero(y);
- #if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
- defined(WOLFSSL_HAVE_SP_DH)
- #ifndef WOLFSSL_SP_NO_2048
- if (fp_count_bits(a) == 1024)
- sp_ModExp_1024(b, r, a, y);
- else if (fp_count_bits(a) == 2048)
- sp_ModExp_2048(b, r, a, y);
- else
- #endif
- #ifndef WOLFSSL_SP_NO_3072
- if (fp_count_bits(a) == 1536)
- sp_ModExp_1536(b, r, a, y);
- else if (fp_count_bits(a) == 3072)
- sp_ModExp_3072(b, r, a, y);
- else
- #endif
- #ifdef WOLFSSL_SP_4096
- if (fp_count_bits(a) == 4096)
- sp_ModExp_4096(b, r, a, y);
- else
- #endif
- #endif
- fp_exptmod(b, r, a, y);
- /* if y != 1 and y != n1 do */
- if (fp_cmp_d (y, 1) != FP_EQ && fp_cmp (y, n1) != FP_EQ) {
- j = 1;
- /* while j <= s-1 and y != n1 */
- while ((j <= (s - 1)) && fp_cmp (y, n1) != FP_EQ) {
- fp_sqrmod (y, a, y);
- /* if y == 1 then composite */
- if (fp_cmp_d (y, 1) == FP_EQ) {
- return FP_OKAY;
- }
- ++j;
- }
- /* if y != n1 then composite */
- if (fp_cmp (y, n1) != FP_EQ) {
- return FP_OKAY;
- }
- }
- /* probably prime now */
- *result = FP_YES;
- return FP_OKAY;
- }
- static int fp_prime_miller_rabin(fp_int * a, fp_int * b, int *result)
- {
- int err;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int n1[1], y[1], r[1];
- #else
- fp_int *n1, *y, *r;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- n1 = (fp_int*)XMALLOC(sizeof(fp_int) * 3, NULL, DYNAMIC_TYPE_BIGINT);
- if (n1 == NULL) {
- return FP_MEM;
- }
- y = &n1[1]; r = &n1[2];
- #endif
- fp_init(n1);
- fp_init(y);
- fp_init(r);
- err = fp_prime_miller_rabin_ex(a, b, result, n1, y, r);
- fp_clear(n1);
- fp_clear(y);
- fp_clear(r);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(n1, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* a few primes */
- static const fp_digit primes[FP_PRIME_SIZE] = {
- 0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013,
- 0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035,
- 0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059,
- 0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F, 0x0083,
- 0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD,
- 0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF,
- 0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107,
- 0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137,
- 0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167,
- 0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199,
- 0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9,
- 0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7,
- 0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239,
- 0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265,
- 0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293,
- 0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF,
- 0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF, 0x02F5, 0x02F9, 0x0301,
- 0x0305, 0x0313, 0x031D, 0x0329, 0x032B, 0x0335, 0x0337, 0x033B,
- 0x033D, 0x0347, 0x0355, 0x0359, 0x035B, 0x035F, 0x036D, 0x0371,
- 0x0373, 0x0377, 0x038B, 0x038F, 0x0397, 0x03A1, 0x03A9, 0x03AD,
- 0x03B3, 0x03B9, 0x03C7, 0x03CB, 0x03D1, 0x03D7, 0x03DF, 0x03E5,
- 0x03F1, 0x03F5, 0x03FB, 0x03FD, 0x0407, 0x0409, 0x040F, 0x0419,
- 0x041B, 0x0425, 0x0427, 0x042D, 0x043F, 0x0443, 0x0445, 0x0449,
- 0x044F, 0x0455, 0x045D, 0x0463, 0x0469, 0x047F, 0x0481, 0x048B,
- 0x0493, 0x049D, 0x04A3, 0x04A9, 0x04B1, 0x04BD, 0x04C1, 0x04C7,
- 0x04CD, 0x04CF, 0x04D5, 0x04E1, 0x04EB, 0x04FD, 0x04FF, 0x0503,
- 0x0509, 0x050B, 0x0511, 0x0515, 0x0517, 0x051B, 0x0527, 0x0529,
- 0x052F, 0x0551, 0x0557, 0x055D, 0x0565, 0x0577, 0x0581, 0x058F,
- 0x0593, 0x0595, 0x0599, 0x059F, 0x05A7, 0x05AB, 0x05AD, 0x05B3,
- 0x05BF, 0x05C9, 0x05CB, 0x05CF, 0x05D1, 0x05D5, 0x05DB, 0x05E7,
- 0x05F3, 0x05FB, 0x0607, 0x060D, 0x0611, 0x0617, 0x061F, 0x0623,
- 0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653
- };
- int fp_isprime_ex(fp_int *a, int t, int* result)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int b[1];
- #else
- fp_int *b;
- #endif
- fp_digit d;
- int r, res;
- if (t <= 0 || t > FP_PRIME_SIZE) {
- *result = FP_NO;
- return FP_VAL;
- }
- if (fp_isone(a)) {
- *result = FP_NO;
- return FP_OKAY;
- }
- /* check against primes table */
- for (r = 0; r < FP_PRIME_SIZE; r++) {
- if (fp_cmp_d(a, primes[r]) == FP_EQ) {
- *result = FP_YES;
- return FP_OKAY;
- }
- }
- /* do trial division */
- for (r = 0; r < FP_PRIME_SIZE; r++) {
- res = fp_mod_d(a, primes[r], &d);
- if (res != MP_OKAY || d == 0) {
- *result = FP_NO;
- return FP_OKAY;
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- b = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (b == NULL)
- return FP_MEM;
- #endif
- /* now do 't' miller rabins */
- fp_init(b);
- for (r = 0; r < t; r++) {
- fp_set(b, primes[r]);
- fp_prime_miller_rabin(a, b, &res);
- if (res == FP_NO) {
- *result = FP_NO;
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- }
- *result = FP_YES;
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- int mp_prime_is_prime_ex(mp_int* a, int t, int* result, WC_RNG* rng)
- {
- int ret = FP_YES;
- fp_digit d;
- int i;
- if (a == NULL || result == NULL || rng == NULL)
- return FP_VAL;
- if (fp_isone(a)) {
- *result = FP_NO;
- return FP_OKAY;
- }
- /* check against primes table */
- for (i = 0; i < FP_PRIME_SIZE; i++) {
- if (fp_cmp_d(a, primes[i]) == FP_EQ) {
- *result = FP_YES;
- return FP_OKAY;
- }
- }
- /* do trial division */
- for (i = 0; i < FP_PRIME_SIZE; i++) {
- if (fp_mod_d(a, primes[i], &d) == MP_OKAY) {
- if (d == 0) {
- *result = FP_NO;
- return FP_OKAY;
- }
- }
- else
- return FP_VAL;
- }
- #ifndef WC_NO_RNG
- /* now do a miller rabin with up to t random numbers, this should
- * give a (1/4)^t chance of a false prime. */
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int b[1], c[1], n1[1], y[1], r[1];
- byte base[FP_MAX_PRIME_SIZE];
- #else
- fp_int *b, *c, *n1, *y, *r;
- byte* base;
- #endif
- word32 baseSz;
- int err;
- baseSz = fp_count_bits(a);
- /* The base size is the number of bits / 8. One is added if the number
- * of bits isn't an even 8. */
- baseSz = (baseSz / 8) + ((baseSz % 8) ? 1 : 0);
- #ifndef WOLFSSL_SMALL_STACK
- if (baseSz > sizeof(base))
- return FP_MEM;
- #else
- base = (byte*)XMALLOC(baseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (base == NULL)
- return FP_MEM;
- b = (fp_int*)XMALLOC(sizeof(fp_int) * 5, NULL, DYNAMIC_TYPE_BIGINT);
- if (b == NULL) {
- return FP_MEM;
- }
- c = &b[1]; n1 = &b[2]; y= &b[3]; r = &b[4];
- #endif
- fp_init(b);
- fp_init(c);
- fp_init(n1);
- fp_init(y);
- fp_init(r);
- err = fp_sub_d(a, 2, c);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
- XFREE(base, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- while (t > 0) {
- if ((err = wc_RNG_GenerateBlock(rng, base, baseSz)) != 0) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
- XFREE(base, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- err = fp_read_unsigned_bin(b, base, baseSz);
- if (err != FP_OKAY) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
- XFREE(base, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return err;
- }
- if (fp_cmp_d(b, 2) != FP_GT || fp_cmp(b, c) != FP_LT) {
- continue;
- }
- fp_prime_miller_rabin_ex(a, b, &ret, n1, y, r);
- if (ret == FP_NO)
- break;
- fp_zero(b);
- t--;
- }
- fp_clear(n1);
- fp_clear(y);
- fp_clear(r);
- fp_clear(b);
- fp_clear(c);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
- XFREE(base, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- }
- #else
- (void)t;
- #endif /* !WC_NO_RNG */
- *result = ret;
- return FP_OKAY;
- }
- #endif /* !NO_RSA || !NO_DSA || !NO_DH || WOLFSSL_KEY_GEN */
- #ifdef WOLFSSL_KEY_GEN
- static int fp_gcd(fp_int *a, fp_int *b, fp_int *c);
- static int fp_lcm(fp_int *a, fp_int *b, fp_int *c);
- static int fp_randprime(fp_int* N, int len, WC_RNG* rng, void* heap);
- int mp_gcd(fp_int *a, fp_int *b, fp_int *c)
- {
- return fp_gcd(a, b, c);
- }
- int mp_lcm(fp_int *a, fp_int *b, fp_int *c)
- {
- return fp_lcm(a, b, c);
- }
- int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap)
- {
- int err;
- err = fp_randprime(N, len, rng, heap);
- switch(err) {
- case FP_VAL:
- return MP_VAL;
- case FP_MEM:
- return MP_MEM;
- default:
- break;
- }
- return MP_OKAY;
- }
- int mp_exch (mp_int * a, mp_int * b)
- {
- return fp_exch(a, b);
- }
- int fp_randprime(fp_int* N, int len, WC_RNG* rng, void* heap)
- {
- static const int USE_BBS = 1;
- int err, type;
- int isPrime = FP_YES;
- /* Assume the candidate is probably prime and then test until
- * it is proven composite. */
- byte* buf;
- (void)heap;
- /* get type */
- if (len < 0) {
- type = USE_BBS;
- len = -len;
- } else {
- type = 0;
- }
- /* allow sizes between 2 and 512 bytes for a prime size */
- if (len < 2 || len > 512) {
- return FP_VAL;
- }
- /* allocate buffer to work with */
- buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (buf == NULL) {
- return FP_MEM;
- }
- XMEMSET(buf, 0, len);
- do {
- #ifdef SHOW_GEN
- printf(".");
- fflush(stdout);
- #endif
- /* generate value */
- err = wc_RNG_GenerateBlock(rng, buf, len);
- if (err != 0) {
- XFREE(buf, heap, DYNAMIC_TYPE_TMP_BUFFER);
- return FP_VAL;
- }
- /* munge bits */
- buf[0] |= 0x80 | 0x40;
- buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00);
- /* load value */
- err = fp_read_unsigned_bin(N, buf, len);
- if (err != 0) {
- XFREE(buf, heap, DYNAMIC_TYPE_TMP_BUFFER);
- return err;
- }
- /* test */
- /* Running Miller-Rabin up to 3 times gives us a 2^{-80} chance
- * of a 1024-bit candidate being a false positive, when it is our
- * prime candidate. (Note 4.49 of Handbook of Applied Cryptography.)
- * Using 8 because we've always used 8 */
- mp_prime_is_prime_ex(N, 8, &isPrime, rng);
- } while (isPrime == FP_NO);
- XMEMSET(buf, 0, len);
- XFREE(buf, heap, DYNAMIC_TYPE_TMP_BUFFER);
- return FP_OKAY;
- }
- /* c = [a, b] */
- int fp_lcm(fp_int *a, fp_int *b, fp_int *c)
- {
- int err;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[2];
- #else
- fp_int *t;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL) {
- return FP_MEM;
- }
- #endif
- fp_init(&t[0]);
- fp_init(&t[1]);
- err = fp_gcd(a, b, &t[0]);
- if (err == FP_OKAY) {
- if (fp_cmp_mag(a, b) == FP_GT) {
- err = fp_div(a, &t[0], &t[1], NULL);
- if (err == FP_OKAY)
- err = fp_mul(b, &t[1], c);
- } else {
- err = fp_div(b, &t[0], &t[1], NULL);
- if (err == FP_OKAY)
- err = fp_mul(a, &t[1], c);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return err;
- }
- /* c = (a, b) */
- int fp_gcd(fp_int *a, fp_int *b, fp_int *c)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int u[1], v[1], r[1];
- #else
- fp_int *u, *v, *r;
- #endif
- /* either zero than gcd is the largest */
- if (fp_iszero (a) == FP_YES && fp_iszero (b) == FP_NO) {
- fp_abs (b, c);
- return FP_OKAY;
- }
- if (fp_iszero (a) == FP_NO && fp_iszero (b) == FP_YES) {
- fp_abs (a, c);
- return FP_OKAY;
- }
- /* optimized. At this point if a == 0 then
- * b must equal zero too
- */
- if (fp_iszero (a) == FP_YES) {
- fp_zero(c);
- return FP_OKAY;
- }
- #ifdef WOLFSSL_SMALL_STACK
- u = (fp_int*)XMALLOC(sizeof(fp_int) * 3, NULL, DYNAMIC_TYPE_BIGINT);
- if (u == NULL) {
- return FP_MEM;
- }
- v = &u[1]; r = &u[2];
- #endif
- /* sort inputs */
- if (fp_cmp_mag(a, b) != FP_LT) {
- fp_init_copy(u, a);
- fp_init_copy(v, b);
- } else {
- fp_init_copy(u, b);
- fp_init_copy(v, a);
- }
- u->sign = FP_ZPOS;
- v->sign = FP_ZPOS;
- fp_init(r);
- while (fp_iszero(v) == FP_NO) {
- fp_mod(u, v, r);
- fp_copy(v, u);
- fp_copy(r, v);
- }
- fp_copy(u, c);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(u, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- #endif /* WOLFSSL_KEY_GEN */
- #if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(OPENSSL_EXTRA) || \
- defined(WC_RSA_BLINDING) || !defined(NO_DSA) || \
- (!defined(NO_RSA) && !defined(NO_RSA_BOUNDS_CHECK))
- /* c = a + b */
- int fp_add_d(fp_int *a, fp_digit b, fp_int *c)
- {
- #ifndef WOLFSSL_SMALL_STACK
- fp_int tmp;
- int err;
- fp_init(&tmp);
- fp_set(&tmp, b);
- err = fp_add(a, &tmp, c);
- return err;
- #else
- int i;
- fp_word t = b;
- int err = FP_OKAY;
- fp_copy(a, c);
- for (i = 0; t != 0 && i < FP_SIZE && i < c->used; i++) {
- t += c->dp[i];
- c->dp[i] = (fp_digit)t;
- t >>= DIGIT_BIT;
- }
- if (i == c->used && i < FP_SIZE && t != 0) {
- c->dp[i] = t;
- c->used++;
- }
- if (i == FP_SIZE && t != 0) {
- err = FP_VAL;
- }
- return err;
- #endif
- }
- /* external compatibility */
- int mp_add_d(fp_int *a, fp_digit b, fp_int *c)
- {
- return fp_add_d(a, b, c);
- }
- #endif /* HAVE_ECC || !NO_PWDBASED || OPENSSL_EXTRA || WC_RSA_BLINDING ||
- !NO_DSA || (!NO_RSA && !NO_RSA_BOUNDS_CHECK) */
- #if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) || \
- defined(HAVE_COMP_KEY) || defined(WOLFSSL_DEBUG_MATH) || \
- defined(DEBUG_WOLFSSL) || defined(OPENSSL_EXTRA) || defined(WC_MP_TO_RADIX)
- /* chars used in radix conversions */
- static wcchar fp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
- "abcdefghijklmnopqrstuvwxyz+/";
- #endif
- #if !defined(NO_DSA) || defined(HAVE_ECC)
- #if DIGIT_BIT == 64 || DIGIT_BIT == 32
- static int fp_read_radix_16(fp_int *a, const char *str)
- {
- int i, j, k, neg;
- char ch;
- /* if the leading digit is a
- * minus set the sign to negative.
- */
- if (*str == '-') {
- ++str;
- neg = FP_NEG;
- } else {
- neg = FP_ZPOS;
- }
- j = 0;
- k = 0;
- for (i = (int)(XSTRLEN(str) - 1); i >= 0; i--) {
- ch = str[i];
- if (ch >= '0' && ch <= '9')
- ch -= '0';
- else if (ch >= 'A' && ch <= 'F')
- ch -= 'A' - 10;
- else if (ch >= 'a' && ch <= 'f')
- ch -= 'a' - 10;
- else
- return FP_VAL;
- if (k >= FP_SIZE)
- return FP_VAL;
- a->dp[k] |= ((fp_digit)ch) << j;
- j += 4;
- k += j == DIGIT_BIT;
- j &= DIGIT_BIT - 1;
- }
- a->used = k + 1;
- fp_clamp(a);
- /* set the sign only if a != 0 */
- if (fp_iszero(a) != FP_YES) {
- a->sign = neg;
- }
- return FP_OKAY;
- }
- #endif
- static int fp_read_radix(fp_int *a, const char *str, int radix)
- {
- int y, neg;
- char ch;
- /* set the integer to the default of zero */
- fp_zero (a);
- #if DIGIT_BIT == 64 || DIGIT_BIT == 32
- if (radix == 16)
- return fp_read_radix_16(a, str);
- #endif
- /* make sure the radix is ok */
- if (radix < 2 || radix > 64) {
- return FP_VAL;
- }
- /* if the leading digit is a
- * minus set the sign to negative.
- */
- if (*str == '-') {
- ++str;
- neg = FP_NEG;
- } else {
- neg = FP_ZPOS;
- }
- /* process each digit of the string */
- while (*str) {
- /* if the radix <= 36 the conversion is case insensitive
- * this allows numbers like 1AB and 1ab to represent the same value
- * [e.g. in hex]
- */
- ch = (char)((radix <= 36) ? XTOUPPER((unsigned char)*str) : *str);
- for (y = 0; y < 64; y++) {
- if (ch == fp_s_rmap[y]) {
- break;
- }
- }
- /* if the char was found in the map
- * and is less than the given radix add it
- * to the number, otherwise exit the loop.
- */
- if (y < radix) {
- int ret = fp_mul_d (a, (fp_digit) radix, a);
- if (ret != FP_OKAY)
- return ret;
- ret = fp_add_d (a, (fp_digit) y, a);
- if (ret != FP_OKAY)
- return ret;
- } else {
- break;
- }
- ++str;
- }
- /* set the sign only if a != 0 */
- if (fp_iszero(a) != FP_YES) {
- a->sign = neg;
- }
- return FP_OKAY;
- }
- /* fast math conversion */
- int mp_read_radix(mp_int *a, const char *str, int radix)
- {
- return fp_read_radix(a, str, radix);
- }
- #endif /* !defined(NO_DSA) || defined(HAVE_ECC) */
- #ifdef HAVE_ECC
- /* fast math conversion */
- int mp_sqr(fp_int *A, fp_int *B)
- {
- return fp_sqr(A, B);
- }
- /* fast math conversion */
- int mp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp)
- {
- return fp_montgomery_reduce(a, m, mp);
- }
- int mp_montgomery_reduce_ex(fp_int *a, fp_int *m, fp_digit mp, int ct)
- {
- return fp_montgomery_reduce_ex(a, m, mp, ct);
- }
- /* fast math conversion */
- int mp_montgomery_setup(fp_int *a, fp_digit *rho)
- {
- return fp_montgomery_setup(a, rho);
- }
- int mp_div_2(fp_int * a, fp_int * b)
- {
- fp_div_2(a, b);
- return MP_OKAY;
- }
- /* c = a / 2 (mod b) - constant time (a < b and positive) */
- int mp_div_2_mod_ct(mp_int *a, mp_int *b, mp_int *c)
- {
- return fp_div_2_mod_ct(a, b, c);
- }
- int mp_init_copy(fp_int * a, fp_int * b)
- {
- fp_init_copy(a, b);
- return MP_OKAY;
- }
- #ifdef HAVE_COMP_KEY
- int mp_cnt_lsb(fp_int* a)
- {
- return fp_cnt_lsb(a);
- }
- #endif /* HAVE_COMP_KEY */
- #endif /* HAVE_ECC */
- #if defined(HAVE_ECC) || !defined(NO_RSA) || !defined(NO_DSA) || \
- defined(WOLFSSL_KEY_GEN)
- /* fast math conversion */
- int mp_set(fp_int *a, fp_digit b)
- {
- fp_set(a,b);
- return MP_OKAY;
- }
- #endif
- #ifdef WC_MP_TO_RADIX
- /* returns size of ASCII representation */
- int mp_radix_size (mp_int *a, int radix, int *size)
- {
- int res, digs;
- fp_digit d;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- *size = 0;
- /* special case for binary */
- if (radix == 2) {
- *size = fp_count_bits (a) + (a->sign == FP_NEG ? 1 : 0) + 1;
- return FP_YES;
- }
- /* make sure the radix is in range */
- if (radix < 2 || radix > 64) {
- return FP_VAL;
- }
- if (fp_iszero(a) == MP_YES) {
- *size = 2;
- return FP_OKAY;
- }
- /* digs is the digit count */
- digs = 0;
- /* if it's negative add one for the sign */
- if (a->sign == FP_NEG) {
- ++digs;
- }
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- /* init a copy of the input */
- fp_init_copy (t, a);
- /* force temp to positive */
- t->sign = FP_ZPOS;
- /* fetch out all of the digits */
- while (fp_iszero (t) == FP_NO) {
- if ((res = fp_div_d (t, (mp_digit) radix, t, &d)) != FP_OKAY) {
- fp_zero (t);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return res;
- }
- ++digs;
- }
- fp_zero (t);
- /* return digs + 1, the 1 is for the NULL byte that would be required. */
- *size = digs + 1;
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- /* stores a bignum as a ASCII string in a given radix (2..64) */
- int mp_toradix (mp_int *a, char *str, int radix)
- {
- int res, digs;
- fp_digit d;
- char *_s = str;
- #ifndef WOLFSSL_SMALL_STACK
- fp_int t[1];
- #else
- fp_int *t;
- #endif
- /* check range of the radix */
- if (radix < 2 || radix > 64) {
- return FP_VAL;
- }
- /* quick out if its zero */
- if (fp_iszero(a) == FP_YES) {
- *str++ = '0';
- *str = '\0';
- return FP_OKAY;
- }
- #ifdef WOLFSSL_SMALL_STACK
- t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
- if (t == NULL)
- return FP_MEM;
- #endif
- /* init a copy of the input */
- fp_init_copy (t, a);
- /* if it is negative output a - */
- if (t->sign == FP_NEG) {
- ++_s;
- *str++ = '-';
- t->sign = FP_ZPOS;
- }
- digs = 0;
- while (fp_iszero (t) == FP_NO) {
- if ((res = fp_div_d (t, (fp_digit) radix, t, &d)) != FP_OKAY) {
- fp_zero (t);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return res;
- }
- *str++ = fp_s_rmap[d];
- ++digs;
- }
- #ifndef WC_DISABLE_RADIX_ZERO_PAD
- /* For hexadecimal output, add zero padding when number of digits is odd */
- if ((digs & 1) && (radix == 16)) {
- *str++ = fp_s_rmap[0];
- ++digs;
- }
- #endif
- /* reverse the digits of the string. In this case _s points
- * to the first digit [excluding the sign] of the number]
- */
- fp_reverse ((unsigned char *)_s, digs);
- /* append a NULL so the string is properly terminated */
- *str = '\0';
- fp_zero (t);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
- #endif
- return FP_OKAY;
- }
- #ifdef WOLFSSL_DEBUG_MATH
- void mp_dump(const char* desc, mp_int* a, byte verbose)
- {
- char buffer[FP_SIZE * sizeof(fp_digit) * 2];
- int size;
- #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
- size = a->size;
- #else
- size = FP_SIZE;
- #endif
- printf("%s: ptr=%p, used=%d, sign=%d, size=%d, fpd=%d\n",
- desc, a, a->used, a->sign, size, (int)sizeof(fp_digit));
- mp_tohex(a, buffer);
- printf(" %s\n ", buffer);
- if (verbose) {
- int i;
- for(i=0; i<size * (int)sizeof(fp_digit); i++) {
- printf("%x ", *(((byte*)a->dp) + i));
- }
- printf("\n");
- }
- }
- #endif /* WOLFSSL_DEBUG_MATH */
- #endif /* WC_MP_TO_RADIX */
- int mp_abs(mp_int* a, mp_int* b)
- {
- fp_abs(a, b);
- return FP_OKAY;
- }
- int mp_lshd (mp_int * a, int b)
- {
- return fp_lshd(a, b);
- }
- #endif /* USE_FAST_MATH */
|