From defe56928ea61d06adc0ae13e0599dcf324434fe Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Apr 2022 06:12:09 +0100 Subject: [PATCH] Make length of output explicit in mpi_mul_hlp() The helper `mpi_mul_hlp()` performs a multiply-accumulate operation `d += s * b`, where `d,b` are MPIs and `b` is a scalar. Previously, only the length of `s` was specified, while `d` was assumed to be 0-terminated of unspecified length. This was leveraged at the end of the core multiplication steps computingg the first `limb(s)` limbs of `d + s*b`: Namely, the routine would keep on adding the current carry to `d` until none was left. This can, in theory, run for an arbitrarily long time if `d` has a tail of `0xFF`s, and hence the assumption of `0`-termination. This solution is both fragile and insecure -- the latter because the carry-loop depends on the result of the multiplication. This commit changes the signature of `mpi_mul_hlp()` to receive the length of the output buffer, which must be greater or equal to the length of the input buffer. It is _not_ assumed that the output buffer is strictly larger than the input buffer -- instead, the routine will simply return any carry that's left. This will be useful in some applications of this function. It is the responsibility of the caller to either size the output appropriately so that no carry will be left, or to handle the carry. NOTE: The commit leaves the library in a state where it cannot be compiled since the call-sites of mpi_mul_hlp() have not yet been adjusted. This will be done in the subsequent commits. Signed-off-by: Hanno Becker --- library/bignum.c | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 22cbffacf..b7b90ec3e 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1373,17 +1373,17 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint * * Add \p b * \p s to \p d. * - * \param i The number of limbs of \p s. + * \param[in,out] d The bignum to add to. + * \param d_len The number of limbs of \p d. This must be + * at least \p s_len. + * \param s_len The number of limbs of \p s. * \param[in] s A bignum to multiply, of size \p i. * It may overlap with \p d, but only if * \p d <= \p s. * Its leading limb must not be \c 0. - * \param[in,out] d The bignum to add to. - * It must be sufficiently large to store the - * result of the multiplication. This means - * \p i + 1 limbs if \p d[\p i - 1] started as 0 and \p b - * is not known a priori. * \param b A scalar to multiply. + * + * \return c The carry at the end of the operation. */ static #if defined(__APPLE__) && defined(__arm__) @@ -1393,29 +1393,31 @@ static */ __attribute__ ((noinline)) #endif -void mpi_mul_hlp( size_t i, - const mbedtls_mpi_uint *s, - mbedtls_mpi_uint *d, - mbedtls_mpi_uint b ) +mbedtls_mpi_uint mpi_mul_hlp( mbedtls_mpi_uint *d, size_t d_len , + const mbedtls_mpi_uint *s, size_t s_len, + mbedtls_mpi_uint b ) { mbedtls_mpi_uint c = 0; /* carry */ + /* Remember the excess of d over s for later */ + d_len -= s_len; + #if defined(MULADDC_HUIT) - for( ; i >= 8; i -= 8 ) + for( ; s_len >= 8; s_len -= 8 ) { MULADDC_INIT MULADDC_HUIT MULADDC_STOP } - for( ; i > 0; i-- ) + for( ; s_len > 0; s_len-- ) { MULADDC_INIT MULADDC_CORE MULADDC_STOP } #else /* MULADDC_HUIT */ - for( ; i >= 16; i -= 16 ) + for( ; s_len >= 16; s_len -= 16 ) { MULADDC_INIT MULADDC_CORE MULADDC_CORE @@ -1430,7 +1432,7 @@ void mpi_mul_hlp( size_t i, MULADDC_STOP } - for( ; i >= 8; i -= 8 ) + for( ; s_len >= 8; s_len -= 8 ) { MULADDC_INIT MULADDC_CORE MULADDC_CORE @@ -1441,7 +1443,7 @@ void mpi_mul_hlp( size_t i, MULADDC_STOP } - for( ; i > 0; i-- ) + for( ; s_len > 0; s_len-- ) { MULADDC_INIT MULADDC_CORE @@ -1449,10 +1451,12 @@ void mpi_mul_hlp( size_t i, } #endif /* MULADDC_HUIT */ - while( c != 0 ) + while( d_len-- ) { *d += c; c = ( *d < c ); d++; } + + return( c ); } /*