/src/wolfssl/wolfcrypt/src/wolfmath.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* wolfmath.c |
2 | | * |
3 | | * Copyright (C) 2006-2022 wolfSSL Inc. |
4 | | * |
5 | | * This file is part of wolfSSL. |
6 | | * |
7 | | * wolfSSL is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 2 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * wolfSSL is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
20 | | */ |
21 | | |
22 | | |
23 | | /* common functions for either math library */ |
24 | | |
25 | | #ifdef HAVE_CONFIG_H |
26 | | #include <config.h> |
27 | | #endif |
28 | | |
29 | | /* in case user set USE_FAST_MATH there */ |
30 | | #include <wolfssl/wolfcrypt/settings.h> |
31 | | |
32 | | #include <wolfssl/wolfcrypt/integer.h> |
33 | | |
34 | | #include <wolfssl/wolfcrypt/error-crypt.h> |
35 | | #include <wolfssl/wolfcrypt/logging.h> |
36 | | |
37 | | #if defined(USE_FAST_MATH) || !defined(NO_BIG_INT) |
38 | | |
39 | | #ifdef WOLFSSL_ASYNC_CRYPT |
40 | | #include <wolfssl/wolfcrypt/async.h> |
41 | | #endif |
42 | | |
43 | | #ifdef NO_INLINE |
44 | | #include <wolfssl/wolfcrypt/misc.h> |
45 | | #else |
46 | | #define WOLFSSL_MISC_INCLUDED |
47 | | #include <wolfcrypt/src/misc.c> |
48 | | #endif |
49 | | |
50 | | |
51 | | #if !defined(WC_NO_CACHE_RESISTANT) && \ |
52 | | ((defined(HAVE_ECC) && defined(ECC_TIMING_RESISTANT)) || \ |
53 | | (defined(USE_FAST_MATH) && defined(TFM_TIMING_RESISTANT))) |
54 | | |
55 | | /* all off / all on pointer addresses for constant calculations */ |
56 | | /* ecc.c uses same table */ |
57 | | const wc_ptr_t wc_off_on_addr[2] = |
58 | | { |
59 | | #if defined(WC_64BIT_CPU) |
60 | | W64LIT(0x0000000000000000), |
61 | | W64LIT(0xffffffffffffffff) |
62 | | #elif defined(WC_16BIT_CPU) |
63 | | 0x0000U, |
64 | | 0xffffU |
65 | | #else |
66 | | /* 32 bit */ |
67 | | 0x00000000U, |
68 | | 0xffffffffU |
69 | | #endif |
70 | | }; |
71 | | #endif |
72 | | |
73 | | |
74 | | /* reverse an array, used for radix code */ |
75 | | void mp_reverse (unsigned char *s, int len) |
76 | 0 | { |
77 | 0 | int ix, iy; |
78 | 0 | unsigned char t; |
79 | |
|
80 | 0 | if (s == NULL) |
81 | 0 | return; |
82 | | |
83 | 0 | ix = 0; |
84 | 0 | iy = len - 1; |
85 | 0 | while (ix < iy) { |
86 | 0 | t = s[ix]; |
87 | 0 | s[ix] = s[iy]; |
88 | 0 | s[iy] = t; |
89 | 0 | ++ix; |
90 | 0 | --iy; |
91 | 0 | } |
92 | 0 | } |
93 | | |
94 | | int get_digit_count(const mp_int* a) |
95 | 1.20k | { |
96 | 1.20k | if (a == NULL) |
97 | 0 | return 0; |
98 | | |
99 | 1.20k | return a->used; |
100 | 1.20k | } |
101 | | |
102 | | mp_digit get_digit(const mp_int* a, int n) |
103 | 35.0k | { |
104 | 35.0k | if (a == NULL) |
105 | 0 | return 0; |
106 | | |
107 | 35.0k | return (n >= a->used || n < 0) ? 0 : a->dp[n]; |
108 | 35.0k | } |
109 | | |
110 | | #if defined(HAVE_ECC) || defined(WOLFSSL_MP_COND_COPY) |
111 | | /* Conditionally copy a into b. Performed in constant time. |
112 | | * |
113 | | * a MP integer to copy. |
114 | | * copy On 1, copy a into b. on 0 leave b unchanged. |
115 | | * b MP integer to copy into. |
116 | | * returns BAD_FUNC_ARG when a or b is NULL, MEMORY_E when growing b fails and |
117 | | * MP_OKAY otherwise. |
118 | | */ |
119 | | int mp_cond_copy(mp_int* a, int copy, mp_int* b) |
120 | 3.27k | { |
121 | 3.27k | int err = MP_OKAY; |
122 | 3.27k | int i; |
123 | | #if defined(SP_WORD_SIZE) && SP_WORD_SIZE == 8 |
124 | | unsigned int mask = (unsigned int)0 - copy; |
125 | | #else |
126 | 3.27k | mp_digit mask = (mp_digit)0 - copy; |
127 | 3.27k | #endif |
128 | | |
129 | 3.27k | if (a == NULL || b == NULL) |
130 | 0 | err = BAD_FUNC_ARG; |
131 | | |
132 | | /* Ensure b has enough space to copy a into */ |
133 | 3.27k | if (err == MP_OKAY) |
134 | 3.27k | err = mp_grow(b, a->used + 1); |
135 | 3.27k | if (err == MP_OKAY) { |
136 | | /* When mask 0, b is unchanged2 |
137 | | * When mask all set, b ^ b ^ a = a |
138 | | */ |
139 | | /* Conditionaly copy all digits and then number of used diigits. |
140 | | * get_digit() returns 0 when index greater than available digit. |
141 | | */ |
142 | 18.7k | for (i = 0; i < a->used; i++) { |
143 | 15.4k | b->dp[i] ^= (get_digit(a, i) ^ get_digit(b, i)) & mask; |
144 | 15.4k | } |
145 | 5.28k | for (; i < b->used; i++) { |
146 | 2.00k | b->dp[i] ^= (get_digit(a, i) ^ get_digit(b, i)) & mask; |
147 | 2.00k | } |
148 | 3.27k | b->used ^= (a->used ^ b->used) & (int)mask; |
149 | 3.27k | #if (!defined(WOLFSSL_SP_MATH) && !defined(WOLFSSL_SP_MATH_ALL)) || \ |
150 | 3.27k | defined(WOLFSSL_SP_INT_NEGATIVE) |
151 | 3.27k | b->sign ^= (a->sign ^ b->sign) & (int)mask; |
152 | 3.27k | #endif |
153 | 3.27k | } |
154 | | |
155 | 3.27k | return err; |
156 | 3.27k | } |
157 | | #endif |
158 | | |
159 | | #ifndef WC_NO_RNG |
160 | | int get_rand_digit(WC_RNG* rng, mp_digit* d) |
161 | 0 | { |
162 | 0 | return wc_RNG_GenerateBlock(rng, (byte*)d, sizeof(mp_digit)); |
163 | 0 | } |
164 | | |
165 | | #if defined(WC_RSA_BLINDING) || defined(WOLFCRYPT_HAVE_SAKKE) |
166 | | int mp_rand(mp_int* a, int digits, WC_RNG* rng) |
167 | 0 | { |
168 | 0 | int ret = 0; |
169 | 0 | int cnt = digits * sizeof(mp_digit); |
170 | | #ifdef USE_INTEGER_HEAP_MATH |
171 | | int i; |
172 | | #endif |
173 | |
|
174 | 0 | if (rng == NULL) { |
175 | 0 | ret = MISSING_RNG_E; |
176 | 0 | } |
177 | 0 | else if (a == NULL || digits == 0) { |
178 | 0 | ret = BAD_FUNC_ARG; |
179 | 0 | } |
180 | |
|
181 | | #ifdef USE_INTEGER_HEAP_MATH |
182 | | /* allocate space for digits */ |
183 | | if (ret == MP_OKAY) { |
184 | | ret = mp_set_bit(a, digits * DIGIT_BIT - 1); |
185 | | } |
186 | | #else |
187 | 0 | #if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL) |
188 | 0 | if ((ret == MP_OKAY) && (digits > a->size)) |
189 | | #else |
190 | | if ((ret == MP_OKAY) && (digits > FP_SIZE)) |
191 | | #endif |
192 | 0 | { |
193 | 0 | ret = BAD_FUNC_ARG; |
194 | 0 | } |
195 | 0 | if (ret == MP_OKAY) { |
196 | 0 | a->used = digits; |
197 | 0 | } |
198 | 0 | #endif |
199 | | /* fill the data with random bytes */ |
200 | 0 | if (ret == MP_OKAY) { |
201 | 0 | ret = wc_RNG_GenerateBlock(rng, (byte*)a->dp, cnt); |
202 | 0 | } |
203 | 0 | if (ret == MP_OKAY) { |
204 | | #ifdef USE_INTEGER_HEAP_MATH |
205 | | /* Mask down each digit to only bits used */ |
206 | | for (i = 0; i < a->used; i++) { |
207 | | a->dp[i] &= MP_MASK; |
208 | | } |
209 | | #endif |
210 | | /* ensure top digit is not zero */ |
211 | 0 | while ((ret == MP_OKAY) && (a->dp[a->used - 1] == 0)) { |
212 | 0 | ret = get_rand_digit(rng, &a->dp[a->used - 1]); |
213 | | #ifdef USE_INTEGER_HEAP_MATH |
214 | | a->dp[a->used - 1] &= MP_MASK; |
215 | | #endif |
216 | 0 | } |
217 | 0 | } |
218 | |
|
219 | 0 | return ret; |
220 | 0 | } |
221 | | #endif /* WC_RSA_BLINDING || WOLFCRYPT_HAVE_SAKKE */ |
222 | | #endif |
223 | | |
224 | | #if defined(HAVE_ECC) || defined(WOLFSSL_EXPORT_INT) |
225 | | /* export an mp_int as unsigned char or hex string |
226 | | * encType is WC_TYPE_UNSIGNED_BIN or WC_TYPE_HEX_STR |
227 | | * return MP_OKAY on success */ |
228 | | int wc_export_int(mp_int* mp, byte* buf, word32* len, word32 keySz, |
229 | | int encType) |
230 | 0 | { |
231 | 0 | int err; |
232 | |
|
233 | 0 | if (mp == NULL || buf == NULL || len == NULL) |
234 | 0 | return BAD_FUNC_ARG; |
235 | | |
236 | 0 | if (encType == WC_TYPE_HEX_STR) { |
237 | | /* for WC_TYPE_HEX_STR the keySz is not used. |
238 | | * The size is computed via mp_radix_size and checked with len input */ |
239 | 0 | #ifdef WC_MP_TO_RADIX |
240 | 0 | int size = 0; |
241 | 0 | err = mp_radix_size(mp, MP_RADIX_HEX, &size); |
242 | 0 | if (err == MP_OKAY) { |
243 | | /* make sure we can fit result */ |
244 | 0 | if (*len < (word32)size) { |
245 | 0 | *len = (word32)size; |
246 | 0 | return BUFFER_E; |
247 | 0 | } |
248 | 0 | *len = (word32)size; |
249 | 0 | err = mp_tohex(mp, (char*)buf); |
250 | 0 | } |
251 | | #else |
252 | | err = NOT_COMPILED_IN; |
253 | | #endif |
254 | 0 | } |
255 | 0 | else { |
256 | | /* for WC_TYPE_UNSIGNED_BIN keySz is used to zero pad. |
257 | | * The key size is always returned as the size */ |
258 | 0 | if (*len < keySz) { |
259 | 0 | *len = keySz; |
260 | 0 | return BUFFER_E; |
261 | 0 | } |
262 | 0 | *len = keySz; |
263 | 0 | XMEMSET(buf, 0, *len); |
264 | 0 | err = mp_to_unsigned_bin(mp, buf + (keySz - mp_unsigned_bin_size(mp))); |
265 | 0 | } |
266 | | |
267 | 0 | return err; |
268 | 0 | } |
269 | | #endif |
270 | | |
271 | | |
272 | | #ifdef HAVE_WOLF_BIGINT |
273 | | void wc_bigint_init(WC_BIGINT* a) |
274 | | { |
275 | | if (a != NULL) { |
276 | | a->buf = NULL; |
277 | | a->len = 0; |
278 | | a->heap = NULL; |
279 | | } |
280 | | } |
281 | | |
282 | | int wc_bigint_alloc(WC_BIGINT* a, word32 sz) |
283 | | { |
284 | | int err = MP_OKAY; |
285 | | |
286 | | if (a == NULL) |
287 | | return BAD_FUNC_ARG; |
288 | | |
289 | | if (sz > 0) { |
290 | | if (a->buf && sz > a->len) { |
291 | | wc_bigint_free(a); |
292 | | } |
293 | | if (a->buf == NULL) { |
294 | | a->buf = (byte*)XMALLOC(sz, a->heap, DYNAMIC_TYPE_WOLF_BIGINT); |
295 | | if (a->buf == NULL) { |
296 | | err = MP_MEM; |
297 | | } |
298 | | } |
299 | | else { |
300 | | XMEMSET(a->buf, 0, sz); |
301 | | } |
302 | | } |
303 | | a->len = sz; |
304 | | |
305 | | return err; |
306 | | } |
307 | | |
308 | | /* assumes input is big endian format */ |
309 | | int wc_bigint_from_unsigned_bin(WC_BIGINT* a, const byte* in, word32 inlen) |
310 | | { |
311 | | int err; |
312 | | |
313 | | if (a == NULL || in == NULL || inlen == 0) |
314 | | return BAD_FUNC_ARG; |
315 | | |
316 | | err = wc_bigint_alloc(a, inlen); |
317 | | if (err == 0) { |
318 | | XMEMCPY(a->buf, in, inlen); |
319 | | } |
320 | | |
321 | | return err; |
322 | | } |
323 | | |
324 | | int wc_bigint_to_unsigned_bin(WC_BIGINT* a, byte* out, word32* outlen) |
325 | | { |
326 | | word32 sz; |
327 | | |
328 | | if (a == NULL || out == NULL || outlen == NULL || *outlen == 0) |
329 | | return BAD_FUNC_ARG; |
330 | | |
331 | | /* trim to fit into output buffer */ |
332 | | sz = a->len; |
333 | | if (a->len > *outlen) { |
334 | | WOLFSSL_MSG("wc_bigint_export: Truncating output"); |
335 | | sz = *outlen; |
336 | | } |
337 | | |
338 | | if (a->buf) { |
339 | | XMEMCPY(out, a->buf, sz); |
340 | | } |
341 | | |
342 | | *outlen = sz; |
343 | | |
344 | | return MP_OKAY; |
345 | | } |
346 | | |
347 | | void wc_bigint_zero(WC_BIGINT* a) |
348 | | { |
349 | | if (a && a->buf) { |
350 | | ForceZero(a->buf, a->len); |
351 | | } |
352 | | } |
353 | | |
354 | | void wc_bigint_free(WC_BIGINT* a) |
355 | | { |
356 | | if (a) { |
357 | | if (a->buf) { |
358 | | XFREE(a->buf, a->heap, DYNAMIC_TYPE_WOLF_BIGINT); |
359 | | } |
360 | | a->buf = NULL; |
361 | | a->len = 0; |
362 | | } |
363 | | } |
364 | | |
365 | | /* sz: make sure the buffer is at least that size and zero padded. |
366 | | * A `sz == 0` will use the size of `src`. |
367 | | * The calculated sz is stored into dst->len in `wc_bigint_alloc`. |
368 | | */ |
369 | | int wc_mp_to_bigint_sz(mp_int* src, WC_BIGINT* dst, word32 sz) |
370 | | { |
371 | | int err; |
372 | | word32 x, y; |
373 | | |
374 | | if (src == NULL || dst == NULL) |
375 | | return BAD_FUNC_ARG; |
376 | | |
377 | | /* get size of source */ |
378 | | x = mp_unsigned_bin_size(src); |
379 | | if (sz < x) |
380 | | sz = x; |
381 | | |
382 | | /* make sure destination is allocated and large enough */ |
383 | | err = wc_bigint_alloc(dst, sz); |
384 | | if (err == MP_OKAY && sz > 0) { |
385 | | /* leading zero pad */ |
386 | | y = sz - x; |
387 | | XMEMSET(dst->buf, 0, y); |
388 | | |
389 | | /* export src as unsigned bin to destination buf */ |
390 | | err = mp_to_unsigned_bin(src, dst->buf + y); |
391 | | } |
392 | | |
393 | | return err; |
394 | | } |
395 | | |
396 | | int wc_mp_to_bigint(mp_int* src, WC_BIGINT* dst) |
397 | | { |
398 | | if (src == NULL || dst == NULL) |
399 | | return BAD_FUNC_ARG; |
400 | | |
401 | | return wc_mp_to_bigint_sz(src, dst, 0); |
402 | | } |
403 | | |
404 | | int wc_bigint_to_mp(WC_BIGINT* src, mp_int* dst) |
405 | | { |
406 | | int err; |
407 | | |
408 | | if (src == NULL || dst == NULL) |
409 | | return BAD_FUNC_ARG; |
410 | | |
411 | | if (src->buf == NULL) |
412 | | return BAD_FUNC_ARG; |
413 | | |
414 | | err = mp_read_unsigned_bin(dst, src->buf, src->len); |
415 | | wc_bigint_free(src); |
416 | | |
417 | | return err; |
418 | | } |
419 | | #endif /* HAVE_WOLF_BIGINT */ |
420 | | |
421 | | #endif /* USE_FAST_MATH || !NO_BIG_INT */ |