Coverage Report

Created: 2023-02-22 06:39

/src/wolfssl/wolfcrypt/src/wolfmath.c
Line
Count
Source (jump to first uncovered line)
1
/* wolfmath.c
2
 *
3
 * Copyright (C) 2006-2022 wolfSSL Inc.
4
 *
5
 * This file is part of wolfSSL.
6
 *
7
 * wolfSSL is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU General Public License as published by
9
 * the Free Software Foundation; either version 2 of the License, or
10
 * (at your option) any later version.
11
 *
12
 * wolfSSL is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU General Public License
18
 * along with this program; if not, write to the Free Software
19
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20
 */
21
22
23
/* common functions for either math library */
24
25
#ifdef HAVE_CONFIG_H
26
    #include <config.h>
27
#endif
28
29
/* in case user set USE_FAST_MATH there */
30
#include <wolfssl/wolfcrypt/settings.h>
31
32
#include <wolfssl/wolfcrypt/integer.h>
33
34
#include <wolfssl/wolfcrypt/error-crypt.h>
35
#include <wolfssl/wolfcrypt/logging.h>
36
37
#if defined(USE_FAST_MATH) || !defined(NO_BIG_INT)
38
39
#ifdef WOLFSSL_ASYNC_CRYPT
40
    #include <wolfssl/wolfcrypt/async.h>
41
#endif
42
43
#ifdef NO_INLINE
44
    #include <wolfssl/wolfcrypt/misc.h>
45
#else
46
    #define WOLFSSL_MISC_INCLUDED
47
    #include <wolfcrypt/src/misc.c>
48
#endif
49
50
51
#if !defined(WC_NO_CACHE_RESISTANT) && \
52
    ((defined(HAVE_ECC) && defined(ECC_TIMING_RESISTANT)) || \
53
     (defined(USE_FAST_MATH) && defined(TFM_TIMING_RESISTANT)))
54
55
    /* all off / all on pointer addresses for constant calculations */
56
    /* ecc.c uses same table */
57
    const wc_ptr_t wc_off_on_addr[2] =
58
    {
59
    #if defined(WC_64BIT_CPU)
60
        W64LIT(0x0000000000000000),
61
        W64LIT(0xffffffffffffffff)
62
    #elif defined(WC_16BIT_CPU)
63
        0x0000U,
64
        0xffffU
65
    #else
66
        /* 32 bit */
67
        0x00000000U,
68
        0xffffffffU
69
    #endif
70
    };
71
#endif
72
73
74
/* reverse an array, used for radix code */
75
void mp_reverse (unsigned char *s, int len)
76
0
{
77
0
    int ix, iy;
78
0
    unsigned char t;
79
80
0
    if (s == NULL)
81
0
        return;
82
83
0
    ix = 0;
84
0
    iy = len - 1;
85
0
    while (ix < iy) {
86
0
        t = s[ix];
87
0
        s[ix] = s[iy];
88
0
        s[iy] = t;
89
0
        ++ix;
90
0
        --iy;
91
0
    }
92
0
}
93
94
int get_digit_count(const mp_int* a)
95
1.20k
{
96
1.20k
    if (a == NULL)
97
0
        return 0;
98
99
1.20k
    return a->used;
100
1.20k
}
101
102
mp_digit get_digit(const mp_int* a, int n)
103
35.0k
{
104
35.0k
    if (a == NULL)
105
0
        return 0;
106
107
35.0k
    return (n >= a->used || n < 0) ? 0 : a->dp[n];
108
35.0k
}
109
110
#if defined(HAVE_ECC) || defined(WOLFSSL_MP_COND_COPY)
111
/* Conditionally copy a into b. Performed in constant time.
112
 *
113
 * a     MP integer to copy.
114
 * copy  On 1, copy a into b. on 0 leave b unchanged.
115
 * b     MP integer to copy into.
116
 * returns BAD_FUNC_ARG when a or b is NULL, MEMORY_E when growing b fails and
117
 *         MP_OKAY otherwise.
118
 */
119
int mp_cond_copy(mp_int* a, int copy, mp_int* b)
120
3.27k
{
121
3.27k
    int err = MP_OKAY;
122
3.27k
    int i;
123
#if defined(SP_WORD_SIZE) && SP_WORD_SIZE == 8
124
    unsigned int mask = (unsigned int)0 - copy;
125
#else
126
3.27k
    mp_digit mask = (mp_digit)0 - copy;
127
3.27k
#endif
128
129
3.27k
    if (a == NULL || b == NULL)
130
0
        err = BAD_FUNC_ARG;
131
132
    /* Ensure b has enough space to copy a into */
133
3.27k
    if (err == MP_OKAY)
134
3.27k
        err = mp_grow(b, a->used + 1);
135
3.27k
    if (err == MP_OKAY) {
136
        /* When mask 0, b is unchanged2
137
         * When mask all set, b ^ b ^ a = a
138
         */
139
        /* Conditionaly copy all digits and then number of used diigits.
140
         * get_digit() returns 0 when index greater than available digit.
141
         */
142
18.7k
        for (i = 0; i < a->used; i++) {
143
15.4k
            b->dp[i] ^= (get_digit(a, i) ^ get_digit(b, i)) & mask;
144
15.4k
        }
145
5.28k
        for (; i < b->used; i++) {
146
2.00k
            b->dp[i] ^= (get_digit(a, i) ^ get_digit(b, i)) & mask;
147
2.00k
        }
148
3.27k
        b->used ^= (a->used ^ b->used) & (int)mask;
149
3.27k
#if (!defined(WOLFSSL_SP_MATH) && !defined(WOLFSSL_SP_MATH_ALL)) || \
150
3.27k
    defined(WOLFSSL_SP_INT_NEGATIVE)
151
3.27k
        b->sign ^= (a->sign ^ b->sign) & (int)mask;
152
3.27k
#endif
153
3.27k
    }
154
155
3.27k
    return err;
156
3.27k
}
157
#endif
158
159
#ifndef WC_NO_RNG
160
int get_rand_digit(WC_RNG* rng, mp_digit* d)
161
0
{
162
0
    return wc_RNG_GenerateBlock(rng, (byte*)d, sizeof(mp_digit));
163
0
}
164
165
#if defined(WC_RSA_BLINDING) || defined(WOLFCRYPT_HAVE_SAKKE)
166
int mp_rand(mp_int* a, int digits, WC_RNG* rng)
167
0
{
168
0
    int ret = 0;
169
0
    int cnt = digits * sizeof(mp_digit);
170
#ifdef USE_INTEGER_HEAP_MATH
171
    int i;
172
#endif
173
174
0
    if (rng == NULL) {
175
0
        ret = MISSING_RNG_E;
176
0
    }
177
0
    else if (a == NULL || digits == 0) {
178
0
        ret = BAD_FUNC_ARG;
179
0
    }
180
181
#ifdef USE_INTEGER_HEAP_MATH
182
    /* allocate space for digits */
183
    if (ret == MP_OKAY) {
184
        ret = mp_set_bit(a, digits * DIGIT_BIT - 1);
185
    }
186
#else
187
0
#if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
188
0
    if ((ret == MP_OKAY) && (digits > a->size))
189
#else
190
    if ((ret == MP_OKAY) && (digits > FP_SIZE))
191
#endif
192
0
    {
193
0
        ret = BAD_FUNC_ARG;
194
0
    }
195
0
    if (ret == MP_OKAY) {
196
0
        a->used = digits;
197
0
    }
198
0
#endif
199
    /* fill the data with random bytes */
200
0
    if (ret == MP_OKAY) {
201
0
        ret = wc_RNG_GenerateBlock(rng, (byte*)a->dp, cnt);
202
0
    }
203
0
    if (ret == MP_OKAY) {
204
#ifdef USE_INTEGER_HEAP_MATH
205
        /* Mask down each digit to only bits used */
206
        for (i = 0; i < a->used; i++) {
207
            a->dp[i] &= MP_MASK;
208
        }
209
#endif
210
        /* ensure top digit is not zero */
211
0
        while ((ret == MP_OKAY) && (a->dp[a->used - 1] == 0)) {
212
0
            ret = get_rand_digit(rng, &a->dp[a->used - 1]);
213
#ifdef USE_INTEGER_HEAP_MATH
214
            a->dp[a->used - 1] &= MP_MASK;
215
#endif
216
0
        }
217
0
    }
218
219
0
    return ret;
220
0
}
221
#endif /* WC_RSA_BLINDING || WOLFCRYPT_HAVE_SAKKE */
222
#endif
223
224
#if defined(HAVE_ECC) || defined(WOLFSSL_EXPORT_INT)
225
/* export an mp_int as unsigned char or hex string
226
 * encType is WC_TYPE_UNSIGNED_BIN or WC_TYPE_HEX_STR
227
 * return MP_OKAY on success */
228
int wc_export_int(mp_int* mp, byte* buf, word32* len, word32 keySz,
229
    int encType)
230
0
{
231
0
    int err;
232
233
0
    if (mp == NULL || buf == NULL || len == NULL)
234
0
        return BAD_FUNC_ARG;
235
236
0
    if (encType == WC_TYPE_HEX_STR) {
237
        /* for WC_TYPE_HEX_STR the keySz is not used.
238
         * The size is computed via mp_radix_size and checked with len input */
239
0
    #ifdef WC_MP_TO_RADIX
240
0
        int size = 0;
241
0
        err = mp_radix_size(mp, MP_RADIX_HEX, &size);
242
0
        if (err == MP_OKAY) {
243
            /* make sure we can fit result */
244
0
            if (*len < (word32)size) {
245
0
                *len = (word32)size;
246
0
                return BUFFER_E;
247
0
            }
248
0
            *len = (word32)size;
249
0
            err = mp_tohex(mp, (char*)buf);
250
0
        }
251
    #else
252
        err = NOT_COMPILED_IN;
253
    #endif
254
0
    }
255
0
    else {
256
        /* for WC_TYPE_UNSIGNED_BIN keySz is used to zero pad.
257
         * The key size is always returned as the size */
258
0
        if (*len < keySz) {
259
0
            *len = keySz;
260
0
            return BUFFER_E;
261
0
        }
262
0
        *len = keySz;
263
0
        XMEMSET(buf, 0, *len);
264
0
        err = mp_to_unsigned_bin(mp, buf + (keySz - mp_unsigned_bin_size(mp)));
265
0
    }
266
267
0
    return err;
268
0
}
269
#endif
270
271
272
#ifdef HAVE_WOLF_BIGINT
273
void wc_bigint_init(WC_BIGINT* a)
274
{
275
    if (a != NULL) {
276
        a->buf = NULL;
277
        a->len = 0;
278
        a->heap = NULL;
279
    }
280
}
281
282
int wc_bigint_alloc(WC_BIGINT* a, word32 sz)
283
{
284
    int err = MP_OKAY;
285
286
    if (a == NULL)
287
        return BAD_FUNC_ARG;
288
289
    if (sz > 0) {
290
        if (a->buf && sz > a->len) {
291
            wc_bigint_free(a);
292
        }
293
        if (a->buf == NULL) {
294
            a->buf = (byte*)XMALLOC(sz, a->heap, DYNAMIC_TYPE_WOLF_BIGINT);
295
            if (a->buf == NULL) {
296
                err = MP_MEM;
297
            }
298
        }
299
        else {
300
            XMEMSET(a->buf, 0, sz);
301
        }
302
    }
303
    a->len = sz;
304
305
    return err;
306
}
307
308
/* assumes input is big endian format */
309
int wc_bigint_from_unsigned_bin(WC_BIGINT* a, const byte* in, word32 inlen)
310
{
311
    int err;
312
313
    if (a == NULL || in == NULL || inlen == 0)
314
        return BAD_FUNC_ARG;
315
316
    err = wc_bigint_alloc(a, inlen);
317
    if (err == 0) {
318
        XMEMCPY(a->buf, in, inlen);
319
    }
320
321
    return err;
322
}
323
324
int wc_bigint_to_unsigned_bin(WC_BIGINT* a, byte* out, word32* outlen)
325
{
326
    word32 sz;
327
328
    if (a == NULL || out == NULL || outlen == NULL || *outlen == 0)
329
        return BAD_FUNC_ARG;
330
331
    /* trim to fit into output buffer */
332
    sz = a->len;
333
    if (a->len > *outlen) {
334
        WOLFSSL_MSG("wc_bigint_export: Truncating output");
335
        sz = *outlen;
336
    }
337
338
    if (a->buf) {
339
        XMEMCPY(out, a->buf, sz);
340
    }
341
342
    *outlen = sz;
343
344
    return MP_OKAY;
345
}
346
347
void wc_bigint_zero(WC_BIGINT* a)
348
{
349
    if (a && a->buf) {
350
        ForceZero(a->buf, a->len);
351
    }
352
}
353
354
void wc_bigint_free(WC_BIGINT* a)
355
{
356
    if (a) {
357
        if (a->buf) {
358
          XFREE(a->buf, a->heap, DYNAMIC_TYPE_WOLF_BIGINT);
359
        }
360
        a->buf = NULL;
361
        a->len = 0;
362
    }
363
}
364
365
/* sz: make sure the buffer is at least that size and zero padded.
366
 *     A `sz == 0` will use the size of `src`.
367
 *     The calculated sz is stored into dst->len in `wc_bigint_alloc`.
368
 */
369
int wc_mp_to_bigint_sz(mp_int* src, WC_BIGINT* dst, word32 sz)
370
{
371
    int err;
372
    word32 x, y;
373
374
    if (src == NULL || dst == NULL)
375
        return BAD_FUNC_ARG;
376
377
    /* get size of source */
378
    x = mp_unsigned_bin_size(src);
379
    if (sz < x)
380
        sz = x;
381
382
    /* make sure destination is allocated and large enough */
383
    err = wc_bigint_alloc(dst, sz);
384
    if (err == MP_OKAY && sz > 0) {
385
        /* leading zero pad */
386
        y = sz - x;
387
        XMEMSET(dst->buf, 0, y);
388
389
        /* export src as unsigned bin to destination buf */
390
        err = mp_to_unsigned_bin(src, dst->buf + y);
391
    }
392
393
    return err;
394
}
395
396
int wc_mp_to_bigint(mp_int* src, WC_BIGINT* dst)
397
{
398
    if (src == NULL || dst == NULL)
399
        return BAD_FUNC_ARG;
400
401
    return wc_mp_to_bigint_sz(src, dst, 0);
402
}
403
404
int wc_bigint_to_mp(WC_BIGINT* src, mp_int* dst)
405
{
406
    int err;
407
408
    if (src == NULL || dst == NULL)
409
        return BAD_FUNC_ARG;
410
411
    if (src->buf == NULL)
412
        return BAD_FUNC_ARG;
413
414
    err = mp_read_unsigned_bin(dst, src->buf, src->len);
415
    wc_bigint_free(src);
416
417
    return err;
418
}
419
#endif /* HAVE_WOLF_BIGINT */
420
421
#endif /* USE_FAST_MATH || !NO_BIG_INT */