mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-28 19:21:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Make length of output explicit in mpi_mul_hlp()

Browse Source 
The helper `mpi_mul_hlp()` performs a multiply-accumulate
operation `d += s * b`, where `d,b` are MPIs and `b` is a scalar.

Previously, only the length of `s` was specified, while `d` was
assumed to be 0-terminated of unspecified length.

This was leveraged at the end of the core multiplication steps
computingg the first `limb(s)` limbs of `d + s*b`: Namely, the
routine would keep on adding the current carry to `d` until none
was left. This can, in theory, run for an arbitrarily long time
if `d` has a tail of `0xFF`s, and hence the assumption of
`0`-termination.

This solution is both fragile and insecure -- the latter because
the carry-loop depends on the result of the multiplication.

This commit changes the signature of `mpi_mul_hlp()` to receive
the length of the output buffer, which must be greater or equal
to the length of the input buffer.

It is _not_ assumed that the output buffer is strictly larger
than the input buffer -- instead, the routine will simply return
any carry that's left. This will be useful in some applications
of this function. It is the responsibility of the caller to either
size the output appropriately so that no carry will be left, or
to handle the carry.

NOTE: The commit leaves the library in a state where it cannot
      be compiled since the call-sites of mpi_mul_hlp() have
      not yet been adjusted. This will be done in the subsequent
      commits.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit is contained in:
Hanno Becker 2022-04-06 06:12:09 +01:00
parent e7f14a3090
commit defe56928e
1 changed files with 20 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
library/bignum.c
View File

@ -1373,17 +1373,17 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint
*
* Add \p b * \p s to \p d.
*
* \param i The number of limbs of \p s.
* \param[in,out] d The bignum to add to.
* \param d_len The number of limbs of \p d. This must be
* at least \p s_len.
* \param s_len The number of limbs of \p s.
* \param[in] s A bignum to multiply, of size \p i.
* It may overlap with \p d, but only if
* \p d <= \p s.
* Its leading limb must not be \c 0.
* \param[in,out] d The bignum to add to.
* It must be sufficiently large to store the
* result of the multiplication. This means
* \p i + 1 limbs if \p d[\p i - 1] started as 0 and \p b
* is not known a priori.
* \param b A scalar to multiply.
*
* \return c The carry at the end of the operation.
*/
static
#if defined(__APPLE__) && defined(__arm__)
@ -1393,29 +1393,31 @@ static
*/
__attribute__ ((noinline))
#endif
void mpi_mul_hlp( size_t i,
const mbedtls_mpi_uint *s,
mbedtls_mpi_uint *d,
mbedtls_mpi_uint b )
mbedtls_mpi_uint mpi_mul_hlp( mbedtls_mpi_uint *d, size_t d_len ,
const mbedtls_mpi_uint *s, size_t s_len,
mbedtls_mpi_uint b )
{
mbedtls_mpi_uint c = 0; /* carry */
/* Remember the excess of d over s for later */
d_len -= s_len;
#if defined(MULADDC_HUIT)
for( ; i >= 8; i -= 8 )
for( ; s_len >= 8; s_len -= 8 )
{
MULADDC_INIT
MULADDC_HUIT
MULADDC_STOP
}
for( ; i > 0; i-- )
for( ; s_len > 0; s_len-- )
{
MULADDC_INIT
MULADDC_CORE
MULADDC_STOP
}
#else /* MULADDC_HUIT */
for( ; i >= 16; i -= 16 )
for( ; s_len >= 16; s_len -= 16 )
{
MULADDC_INIT
MULADDC_CORE MULADDC_CORE
@ -1430,7 +1432,7 @@ void mpi_mul_hlp( size_t i,
MULADDC_STOP
}
for( ; i >= 8; i -= 8 )
for( ; s_len >= 8; s_len -= 8 )
{
MULADDC_INIT
MULADDC_CORE MULADDC_CORE
@ -1441,7 +1443,7 @@ void mpi_mul_hlp( size_t i,
MULADDC_STOP
}
for( ; i > 0; i-- )
for( ; s_len > 0; s_len-- )
{
MULADDC_INIT
MULADDC_CORE
@ -1449,10 +1451,12 @@ void mpi_mul_hlp( size_t i,
}
#endif /* MULADDC_HUIT */
while( c != 0 )
while( d_len-- )
{
*d += c; c = ( *d < c ); d++;
}
return( c );
}
/*