/rust/registry/src/index.crates.io-6f17d22bba15001f/ring-0.17.8/crypto/limbs/limbs.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright 2016-2017 Brian Smith. |
2 | | * |
3 | | * Permission to use, copy, modify, and/or distribute this software for any |
4 | | * purpose with or without fee is hereby granted, provided that the above |
5 | | * copyright notice and this permission notice appear in all copies. |
6 | | * |
7 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES |
8 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
9 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY |
10 | | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
11 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
12 | | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
13 | | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
14 | | |
15 | | #include "limbs.h" |
16 | | |
17 | | #include "../internal.h" |
18 | | #include "../fipsmodule/bn/internal.h" |
19 | | #include "limbs.inl" |
20 | | |
21 | | |
22 | | /* XXX: We assume that the conversion from |Carry| to |Limb| is constant-time, |
23 | | * but we haven't verified that assumption. TODO: Fix it so we don't need to |
24 | | * make that assumption. */ |
25 | | |
26 | | /* Returns 0xfff..f if |a| is all zero limbs, and zero otherwise. |num_limbs| |
27 | | * may be zero. */ |
28 | 0 | Limb LIMBS_are_zero(const Limb a[], size_t num_limbs) { |
29 | 0 | Limb is_zero = CONSTTIME_TRUE_W; |
30 | 0 | for (size_t i = 0; i < num_limbs; ++i) { |
31 | 0 | is_zero = constant_time_select_w(is_zero, constant_time_is_zero_w(a[i]), |
32 | 0 | is_zero); |
33 | 0 | } |
34 | 0 | return is_zero; |
35 | 0 | } |
36 | | |
37 | | /* Returns 0xffff..f if |a == b|, and zero otherwise. |num_limbs| may be zero. */ |
38 | 0 | Limb LIMBS_equal(const Limb a[], const Limb b[], size_t num_limbs) { |
39 | 0 | Limb eq = CONSTTIME_TRUE_W; |
40 | 0 | for (size_t i = 0; i < num_limbs; ++i) { |
41 | 0 | eq = constant_time_select_w(eq, constant_time_eq_w(a[i], b[i]), eq); |
42 | 0 | } |
43 | 0 | return eq; |
44 | 0 | } |
45 | | |
46 | | /* Returns 0xffff..f if |a == b|, and zero otherwise. |num_limbs| may be zero. */ |
47 | 0 | Limb LIMBS_equal_limb(const Limb a[], Limb b, size_t num_limbs) { |
48 | 0 | if (num_limbs == 0) { |
49 | 0 | return constant_time_is_zero_w(b); |
50 | 0 | } |
51 | 0 | debug_assert_nonsecret(num_limbs >= 1); |
52 | 0 | Limb lo_equal = constant_time_eq_w(a[0], b); |
53 | 0 | Limb hi_zero = LIMBS_are_zero(&a[1], num_limbs - 1); |
54 | 0 | return constant_time_select_w(lo_equal, hi_zero, 0); |
55 | 0 | } |
56 | | |
57 | | /* Returns 0xfff..f if |a| is all zero limbs, and zero otherwise. |
58 | | * |num_limbs| may be zero. */ |
59 | 0 | Limb LIMBS_are_even(const Limb a[], size_t num_limbs) { |
60 | 0 | Limb lo; |
61 | 0 | if (num_limbs == 0) { |
62 | 0 | lo = 0; |
63 | 0 | } else { |
64 | 0 | lo = a[0]; |
65 | 0 | } |
66 | 0 | return constant_time_is_zero_w(lo & 1); |
67 | 0 | } |
68 | | |
69 | | /* Returns 0xffff...f if |a| is less than |b|, and zero otherwise. */ |
70 | 0 | Limb LIMBS_less_than(const Limb a[], const Limb b[], size_t num_limbs) { |
71 | 0 | debug_assert_nonsecret(num_limbs >= 1); |
72 | | /* There are lots of ways to implement this. It is implemented this way to |
73 | | * be consistent with |LIMBS_limbs_reduce_once| and other code that makes such |
74 | | * comparisons as part of doing conditional reductions. */ |
75 | 0 | Limb dummy; |
76 | 0 | Carry borrow = limb_sub(&dummy, a[0], b[0]); |
77 | 0 | for (size_t i = 1; i < num_limbs; ++i) { |
78 | 0 | borrow = limb_sbb(&dummy, a[i], b[i], borrow); |
79 | 0 | } |
80 | 0 | return constant_time_is_nonzero_w(borrow); |
81 | 0 | } |
82 | | |
83 | 0 | Limb LIMBS_less_than_limb(const Limb a[], Limb b, size_t num_limbs) { |
84 | 0 | debug_assert_nonsecret(num_limbs >= 1); |
85 | |
|
86 | 0 | Limb dummy; |
87 | 0 | Limb lo = constant_time_is_nonzero_w(limb_sub(&dummy, a[0], b)); |
88 | 0 | Limb hi = LIMBS_are_zero(&a[1], num_limbs - 1); |
89 | 0 | return constant_time_select_w(lo, hi, lo); |
90 | 0 | } |
91 | | |
92 | | /* if (r >= m) { r -= m; } */ |
93 | 0 | void LIMBS_reduce_once(Limb r[], const Limb m[], size_t num_limbs) { |
94 | 0 | debug_assert_nonsecret(num_limbs >= 1); |
95 | | /* This could be done more efficiently if we had |num_limbs| of extra space |
96 | | * available, by storing |r - m| and then doing a conditional copy of either |
97 | | * |r| or |r - m|. But, in order to operate in constant space, with an eye |
98 | | * towards this function being used in RSA in the future, we do things a |
99 | | * slightly less efficient way. */ |
100 | 0 | Limb lt = LIMBS_less_than(r, m, num_limbs); |
101 | 0 | Carry borrow = |
102 | 0 | limb_sub(&r[0], r[0], constant_time_select_w(lt, 0, m[0])); |
103 | 0 | for (size_t i = 1; i < num_limbs; ++i) { |
104 | | /* XXX: This is probably particularly inefficient because the operations in |
105 | | * constant_time_select affect the carry flag, so there will likely be |
106 | | * loads and stores of |borrow|. */ |
107 | 0 | borrow = |
108 | 0 | limb_sbb(&r[i], r[i], constant_time_select_w(lt, 0, m[i]), borrow); |
109 | 0 | } |
110 | 0 | dev_assert_secret(borrow == 0); |
111 | 0 | } |
112 | | |
113 | | void LIMBS_add_mod(Limb r[], const Limb a[], const Limb b[], const Limb m[], |
114 | 0 | size_t num_limbs) { |
115 | 0 | Limb overflow1 = |
116 | 0 | constant_time_is_nonzero_w(limbs_add(r, a, b, num_limbs)); |
117 | 0 | Limb overflow2 = ~LIMBS_less_than(r, m, num_limbs); |
118 | 0 | Limb overflow = overflow1 | overflow2; |
119 | 0 | Carry borrow = limb_sub(&r[0], r[0], m[0] & overflow); |
120 | 0 | for (size_t i = 1; i < num_limbs; ++i) { |
121 | 0 | borrow = limb_sbb(&r[i], r[i], m[i] & overflow, borrow); |
122 | 0 | } |
123 | 0 | } |
124 | | |
125 | | void LIMBS_sub_mod(Limb r[], const Limb a[], const Limb b[], const Limb m[], |
126 | 0 | size_t num_limbs) { |
127 | 0 | Limb underflow = |
128 | 0 | constant_time_is_nonzero_w(limbs_sub(r, a, b, num_limbs)); |
129 | 0 | Carry carry = limb_add(&r[0], r[0], m[0] & underflow); |
130 | 0 | for (size_t i = 1; i < num_limbs; ++i) { |
131 | 0 | carry = limb_adc(&r[i], r[i], m[i] & underflow, carry); |
132 | 0 | } |
133 | 0 | } |
134 | | |
135 | 0 | void LIMBS_shl_mod(Limb r[], const Limb a[], const Limb m[], size_t num_limbs) { |
136 | 0 | Limb overflow1 = |
137 | 0 | constant_time_is_nonzero_w(a[num_limbs - 1] & LIMB_HIGH_BIT); |
138 | 0 | Limb carry = 0; |
139 | 0 | for (size_t i = 0; i < num_limbs; ++i) { |
140 | 0 | Limb limb = a[i]; |
141 | 0 | Limb new_carry = limb >> (LIMB_BITS - 1); |
142 | 0 | r[i] = (limb << 1) | carry; |
143 | 0 | carry = new_carry; |
144 | 0 | } |
145 | 0 | Limb overflow2 = ~LIMBS_less_than(r, m, num_limbs); |
146 | 0 | Limb overflow = overflow1 | overflow2; |
147 | 0 | Carry borrow = limb_sub(&r[0], r[0], m[0] & overflow); |
148 | 0 | for (size_t i = 1; i < num_limbs; ++i) { |
149 | 0 | borrow = limb_sbb(&r[i], r[i], m[i] & overflow, borrow); |
150 | 0 | } |
151 | 0 | } |
152 | | |
153 | | int LIMBS_select_512_32(Limb r[], const Limb table[], size_t num_limbs, |
154 | 0 | crypto_word_t index) { |
155 | 0 | if (num_limbs % (512 / LIMB_BITS) != 0) { |
156 | 0 | return 0; |
157 | 0 | } |
158 | 0 | limbs_select(r, table, num_limbs, 32, index); |
159 | 0 | return 1; |
160 | 0 | } |
161 | | |
162 | | static const Limb FIVE_BITS_MASK = 0x1f; |
163 | | |
164 | 0 | crypto_word_t LIMBS_window5_split_window(Limb lower_limb, Limb higher_limb, size_t index_within_word) { |
165 | 0 | Limb high_bits = (higher_limb << (LIMB_BITS - index_within_word)) |
166 | 0 | & FIVE_BITS_MASK; |
167 | | // There are no bits outside the window above |index_within_word| (if there |
168 | | // were then this wouldn't be a split window), so we don't need to mask |
169 | | // |low_bits|. |
170 | 0 | Limb low_bits = lower_limb >> index_within_word; |
171 | 0 | return low_bits | high_bits; |
172 | 0 | } |
173 | | |
174 | 0 | crypto_word_t LIMBS_window5_unsplit_window(Limb limb, size_t index_within_word) { |
175 | 0 | return (limb >> index_within_word) & FIVE_BITS_MASK; |
176 | 0 | } |
177 | | |
178 | 0 | Limb LIMB_shr(Limb a, size_t shift) { |
179 | 0 | return a >> shift; |
180 | 0 | } |
181 | | |
182 | 0 | Limb limbs_mul_add_limb(Limb r[], const Limb a[], Limb b, size_t num_limbs) { |
183 | 0 | Limb carried = 0; |
184 | 0 | for (size_t i = 0; i < num_limbs; ++i) { |
185 | 0 | Limb lo; |
186 | 0 | Limb hi; |
187 | 0 | bn_umult_lohi(&lo, &hi, a[i], b); |
188 | 0 | Limb tmp; |
189 | 0 | Carry c = limb_add(&tmp, lo, carried); |
190 | 0 | c = limb_adc(&carried, hi, 0, c); |
191 | 0 | dev_assert_secret(c == 0); |
192 | 0 | c = limb_add(&r[i], r[i], tmp); |
193 | 0 | c = limb_adc(&carried, carried, 0, c); |
194 | | // (A * B) + C + D never carries. |
195 | 0 | dev_assert_secret(c == 0); |
196 | 0 | } |
197 | 0 | return carried; |
198 | 0 | } |