From 66f88a9d22db7928df8edccab710ce2487491fa9 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 8 Feb 2023 17:11:13 +0100 Subject: [PATCH 01/20] Extract Secp224r1 from the prototype Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 195 +++++++++++++++++++++++---- library/ecp_invasive.h | 3 +- tests/suites/test_suite_ecp.function | 3 +- 3 files changed, 174 insertions(+), 27 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 1a027d6aa..d42f093cf 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4575,6 +4575,7 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); #endif #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) static int ecp_mod_p224(mbedtls_mpi *); +static int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); #endif #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) static int ecp_mod_p256(mbedtls_mpi *); @@ -4951,6 +4952,176 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn) #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + +/* + * The reader is advised to first understand ecp_mod_p192() since the same + * general structure is used here, but with additional complications: + * (1) chunks of 32 bits, and (2) subtractions. + */ + +/* + * For these primes, we need to handle data in chunks of 32 bits. + * This makes it more complicated if we use 64 bits limbs in MPI, + * which prevents us from using a uniform access method as for p192. + * + * So, we define a mini abstraction layer to access 32 bit chunks, + * load them in 'cur' for work, and store them back from 'cur' when done. + * + * While at it, also define the size of N in terms of 32-bit chunks. + */ +#define LOAD32 cur = A(i); + +#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */ + +#define MAX32 Nn +#define A(j) Np[j] +#define STORE32 Np[i] = cur; +#define STORE0 Np[i] = 0; + +#else /* 64 bit */ + +#define MAX32 Nn * 2 +#define A(j) (j) % 2 ? (uint32_t) (Np[(j) / 2] >> 32) : \ + (uint32_t) (Np[(j) / 2]) +#define STORE32 \ + if (i % 2) { \ + Np[i/2] &= 0x00000000FFFFFFFF; \ + Np[i/2] |= (uint64_t) (cur) << 32; \ + } else { \ + Np[i/2] &= 0xFFFFFFFF00000000; \ + Np[i/2] |= (uint32_t) cur; \ + } + +#define STORE0 \ + if (i % 2) { \ + Np[i/2] &= 0x00000000FFFFFFFF; \ + } else { \ + Np[i/2] &= 0xFFFFFFFF00000000; \ + } + +#endif + +static inline int8_t extract_carry(int64_t cur) +{ + return (int8_t) (cur >> 32); +} + +#define ADD(j) cur += A(j) +#define SUB(j) cur -= A(j) + +#define ADD_CARRY(cc) cur += (cc) +#define SUB_CARRY(cc) cur -= (cc) + +#define ADD_LAST ADD_CARRY(last_c) +#define SUB_LAST SUB_CARRY(last_c) + +/* + * Helpers for the main 'loop' + */ +#define INIT(b) \ + int8_t c = 0, last_c; \ + int64_t cur; \ + size_t i = 0; \ + LOAD32; + +#define NEXT \ + c = extract_carry(cur); \ + STORE32; i++; LOAD32; \ + ADD_CARRY(c); + +#define RESET \ + c = extract_carry(cur); \ + last_c = c; \ + STORE32; i = 0; LOAD32; \ + c = 0; \ + +#define LAST \ + c = extract_carry(cur); \ + STORE32; i++; \ + if (c != 0) \ + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; \ + while (i < MAX32) { STORE0; i++; } + +#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) + +/* + * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) + */ +static int ecp_mod_p224(mbedtls_mpi *N) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t expected_width = 2 * ((224 + biL - 1) / biL); + MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width)); + ret = ecp_mod_p224_raw(N->p, expected_width); +cleanup: + return ret; +} + +static int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) +{ + if (Nn != 2 * ((224 + biL - 1) / biL)) { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + + INIT(224); + + SUB( 7); SUB(11); NEXT; // A0 += -A7 - A11 + SUB( 8); SUB(12); NEXT; // A1 += -A8 - A12 + SUB( 9); SUB(13); NEXT; // A2 += -A9 - A13 + SUB(10); ADD( 7); ADD(11); NEXT; // A3 += -A10 + A7 + A11 + SUB(11); ADD( 8); ADD(12); NEXT; // A4 += -A11 + A8 + A12 + SUB(12); ADD( 9); ADD(13); NEXT; // A5 += -A12 + A9 + A13 + SUB(13); ADD(10); // A6 += -A13 + A10 + + RESET; + + SUB_LAST; NEXT; // A0 + NEXT; // A1 + NEXT; // A2 + ADD_LAST; NEXT; // A3 + NEXT; // A4 + NEXT; // A5 + // A6 + + RESET; + + SUB_LAST; NEXT; // A0 + NEXT; // A1 + NEXT; // A2 + ADD_LAST; NEXT; // A3 + NEXT; // A4 + NEXT; // A5 + // A6 + + LAST; + + return 0; +} + +#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ + +#undef LOAD32 +#undef MAX32 +#undef A +#undef STORE32 +#undef STORE0 +#undef ADD +#undef SUB +#undef ADD_CARRY +#undef SUB_CARRY +#undef ADD_LAST +#undef SUB_LAST +#undef INIT +#undef NEXT +#undef RESET +#undef LAST + +#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED || + MBEDTLS_ECP_DP_SECP256R1_ENABLED || + MBEDTLS_ECP_DP_SECP384R1_ENABLED */ + +#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ + defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) /* * The reader is advised to first understand ecp_mod_p192() since the same * general structure is used here, but with additional complications: @@ -5071,27 +5242,6 @@ void mbedtls_ecp_fix_negative(mbedtls_mpi *N, signed char c, size_t bits) N->p[bits / 8 / sizeof(mbedtls_mpi_uint)] += msw; } -#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) -/* - * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) - */ -static int ecp_mod_p224(mbedtls_mpi *N) -{ - INIT(224); - - SUB(7); SUB(11); NEXT; // A0 += -A7 - A11 - SUB(8); SUB(12); NEXT; // A1 += -A8 - A12 - SUB(9); SUB(13); NEXT; // A2 += -A9 - A13 - SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11 - SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12 - SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13 - SUB(13); ADD(10); LAST; // A6 += -A13 + A10 - -cleanup: - return ret; -} -#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ - #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) /* * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3) @@ -5186,8 +5336,7 @@ cleanup: #undef NEXT #undef LAST -#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED || - MBEDTLS_ECP_DP_SECP256R1_ENABLED || +#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED || MBEDTLS_ECP_DP_SECP384R1_ENABLED */ #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 3d1321c52..19d516f9b 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -32,8 +32,7 @@ #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_C) -#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ - defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ +#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) /* Preconditions: * - bits is a multiple of 64 or is 224 diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 4e74d9b8e..a38720c34 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -8,8 +8,7 @@ #include "bignum_mod_raw_invasive.h" #if defined(MBEDTLS_TEST_HOOKS) && \ - (defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ - defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ + (defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)) #define HAVE_FIX_NEGATIVE #endif From e14b5bdba71e49002b71d2644b8e98e7b1cf6737 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 8 Feb 2023 17:23:03 +0100 Subject: [PATCH 02/20] Change the ecp_mod_p224_raw to be testable Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 6 ++++-- library/ecp_invasive.h | 7 +++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index d42f093cf..a4b49ae20 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4575,7 +4575,8 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); #endif #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) static int ecp_mod_p224(mbedtls_mpi *); -static int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); +MBEDTLS_STATIC_TESTABLE +int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); #endif #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) static int ecp_mod_p256(mbedtls_mpi *); @@ -5057,7 +5058,8 @@ cleanup: return ret; } -static int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) +MBEDTLS_STATIC_TESTABLE +int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) { if (Nn != 2 * ((224 + biL - 1) / biL)) { return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 19d516f9b..2669aec42 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -94,6 +94,13 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) + +MBEDTLS_STATIC_TESTABLE +int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); + +#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ + #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) /** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5) From aef0f2de9ffc8629151f6a011abe98482b2c7670 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 14 Feb 2023 18:18:37 +0100 Subject: [PATCH 03/20] Fix limb size calculation Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index a4b49ae20..e1e3537e7 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5051,7 +5051,7 @@ static inline int8_t extract_carry(int64_t cur) static int ecp_mod_p224(mbedtls_mpi *N) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t expected_width = 2 * ((224 + biL - 1) / biL); + size_t expected_width = 2 * 224 / biL; MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width)); ret = ecp_mod_p224_raw(N->p, expected_width); cleanup: @@ -5061,7 +5061,7 @@ cleanup: MBEDTLS_STATIC_TESTABLE int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) { - if (Nn != 2 * ((224 + biL - 1) / biL)) { + if (Nn != 2 * 224 / biL) { return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; } From 7c8d706f4e3d3433fe87f671ffd3b65e41575726 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 14 Feb 2023 18:25:23 +0100 Subject: [PATCH 04/20] Use a common function to calculate the number of hex digits Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/bignum_common.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 242217554..5319ec68b 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -74,6 +74,10 @@ def combination_pairs(values: List[T]) -> List[Tuple[T, T]]: """Return all pair combinations from input values.""" return [(x, y) for x in values for y in values] +def hex_digits_for_limb(limbs: int, bits_in_limb: int) -> int: + """ Retrun the hex digits need for a number of limbs. """ + return 2 * (limbs * bits_in_limb // 8) + class OperationCommon(test_data_generation.BaseTest): """Common features for bignum binary operations. @@ -138,7 +142,7 @@ class OperationCommon(test_data_generation.BaseTest): @property def hex_digits(self) -> int: - return 2 * (self.limbs * self.bits_in_limb // 8) + return hex_digits_for_limb(self.limbs, self.bits_in_limb) def format_arg(self, val: str) -> str: if self.input_style not in self.input_styles: From f65a059a642f024bf7c61d553455f72b5d488a7c Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 14 Feb 2023 18:26:36 +0100 Subject: [PATCH 05/20] Add test generation for ecp_mod_p224_raw Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 49 ++++++++++++++++++++++++++++ tests/suites/test_suite_ecp.function | 43 ++++++++++++++++++++++++ 2 files changed, 92 insertions(+) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index 6370d258a..da0ae3741 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -76,6 +76,55 @@ class EcpP192R1Raw(bignum_common.ModOperationCommon, def is_valid(self) -> bool: return True +class EcpP224R1Raw(bignum_common.ModOperationCommon, + EcpTarget): + """Test cases for ecp quasi_reduction().""" + symbol = "-" + test_function = "ecp_mod_p224_raw" + test_name = "ecp_mod_p224_raw" + input_style = "arch_split" + arity = 1 + + moduli = ["ffffffffffffffffffffffffffffffff000000000000000000000001"] # type: List[str] + + input_values = [ + "0", "1", + + # First 8 number generated by random.getrandbits(448) - seed(2,2) + ("da94e3e8ab73738fcf1822ffbc6887782b491044d5e341245c6e4337" + "15ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"), + ("cdbd47d364be8049a372db8f6e405d93ffed9235288bc781ae662675" + "94c9c9500925e4749b575bd13653f8dd9b1f282e4067c3584ee207f8"), + ("defc044a09325626e6b58de744ab6cce80877b6f71e1f6d2ef8acd12" + "8b4f2fc15f3f57ebf30b94fa82523e86feac7eb7dc38f519b91751da"), + ("2d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c50556c71c4a6" + "6148a86fe8624fab5186ee32ee8d7ee9770348a05d300cb90706a045"), + ("8f54f8ceacaab39e83844b40ffa9b9f15c14bc4a829e07b0829a48d4" + "22fe99a22c70501e533c91352d3d854e061b90303b08c6e33c729578"), + ("97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561867e5e15" + "bc01bfce6a27e0dfcbf8754472154e76e4c11ab2fec3f6b32e8d4b8a"), + ("a7a83ee0761ebfd2bd143fa9b714210c665d7435c1066932f4767f26" + "294365b2721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b"), + ("74667bffe202849da9643a295a9ac6decbd4d3e2d4dec9ef83f0be4e" + "80371eb97f81375eecc1cb6347733e847d718d733ff98ff387c56473"), + + # Next 2 number generated by random.getrandbits(224) + "eb9ac688b9d39cca91551e8259cc60b17604e4b4e73695c3e652c71a", + "f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f258ebdbfe3" + ] + + @property + def arg_a(self) -> str: + hex_digits = bignum_common.hex_digits_for_limb(448 // self.bits_in_limb, self.bits_in_limb) + return super().format_arg('{:x}'.format(self.int_a)).zfill(hex_digits) + + def result(self) -> List[str]: + result = self.int_a % self.int_n + return [self.format_result(result)] + + @property + def is_valid(self) -> bool: + return True class EcpP521R1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ecp quasi_reduction().""" diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index a38720c34..40bcd1793 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1344,6 +1344,49 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */ +void ecp_mod_p224_raw(char *input_N, + char *input_X, + char *result) +{ + mbedtls_mpi_uint *X = NULL; + mbedtls_mpi_uint *N = NULL; + mbedtls_mpi_uint *res = NULL; + size_t limbs_X; + size_t limbs_N; + size_t limbs_res; + + mbedtls_mpi_mod_modulus m; + mbedtls_mpi_mod_modulus_init(&m); + + TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0); + TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0); + TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0); + + size_t limbs = limbs_N; + size_t bytes = limbs * sizeof(mbedtls_mpi_uint); + + TEST_EQUAL(limbs_X, 448 / biL); + TEST_EQUAL(limbs_res, limbs); + + TEST_EQUAL(mbedtls_mpi_mod_modulus_setup( + &m, N, limbs, + MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0); + + TEST_EQUAL(ecp_mod_p224_raw(X, limbs_X), 0); + TEST_LE_U(mbedtls_mpi_core_bitlen(X, limbs_X), 224); + mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m); + ASSERT_COMPARE(X, bytes, res, bytes); + +exit: + mbedtls_free(X); + mbedtls_free(res); + + mbedtls_mpi_mod_modulus_free(&m); + mbedtls_free(N); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */ void ecp_mod_p521_raw(char *input_N, char *input_X, From a835d20cde0c08bd20640cf08e4069d13f329c01 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Thu, 23 Feb 2023 17:38:00 +0100 Subject: [PATCH 06/20] Add documentation Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 10 +++++----- library/ecp_invasive.h | 15 +++++++++++++++ 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index e1e3537e7..54fd26b57 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5077,20 +5077,20 @@ int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) RESET; - SUB_LAST; NEXT; // A0 + /* Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry */ + SUB_LAST; NEXT; // A0 += -last_c NEXT; // A1 NEXT; // A2 - ADD_LAST; NEXT; // A3 + ADD_LAST; NEXT; // A3 += last_c NEXT; // A4 NEXT; // A5 // A6 - RESET; - SUB_LAST; NEXT; // A0 + SUB_LAST; NEXT; // A0 += -last_c NEXT; // A1 NEXT; // A2 - ADD_LAST; NEXT; // A3 + ADD_LAST; NEXT; // A3 += last_c NEXT; // A4 NEXT; // A5 // A6 diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 2669aec42..ff11876c8 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -96,6 +96,21 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) +/** Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) + * + * \param[in,out] Np The address of the MPI to be converted. + * Must have exact limb size that stores a 448-bit MPI + * (double the bitlength of the modulus). + * Upon return holds the reduced value which is + * in range `0 <= X < 2 * N` (where N is the modulus). + * The bitlength of the reduced value is the same as + * that of the modulus (224 bits). + * \param[in] Nn The length of \p Nn in limbs. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p Nn is not the limb + * size that sores a 448-bit MPI. + */ MBEDTLS_STATIC_TESTABLE int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); From 98791e778153bdf2a940f8370d047aba22a6e34d Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 27 Feb 2023 15:59:34 +0100 Subject: [PATCH 07/20] Add more test cases for P224 testing Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index da0ae3741..4f529d15c 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -90,6 +90,21 @@ class EcpP224R1Raw(bignum_common.ModOperationCommon, input_values = [ "0", "1", + # Modulus - 1 + "ffffffffffffffffffffffffffffffff000000000000000000000000", + + # Maximum canonical P224 multiplication result + ("ffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + + # Generate an overflow during reduction + ("00000000000000000000000000010000000070000000002000001000" + "FFFFFFFFFFFF9FFFFFFFFFE00000EFFF000070000000002000001003"), + + # Generate an underflow during reduction + ("00000001000000000000000000000000000000000000000000000000" + "00000000000DC0000000000000000001000000010000000100000003"), + # First 8 number generated by random.getrandbits(448) - seed(2,2) ("da94e3e8ab73738fcf1822ffbc6887782b491044d5e341245c6e4337" "15ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"), From 73e855327370372d0d1619126700d542d1ac1cfb Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 27 Feb 2023 16:05:53 +0100 Subject: [PATCH 08/20] Add comments to illustrate the second round of carry reduction is unnecessary The first round of carry reduction can not generate a carry thus the secound round is not needed. The comments illustrating when the carry is 1. The reduction is simmetric so the case when the carry is -1 is similar. The illustration is trying to calculate the input value starting with setting the carry to 1 before the second round of the carry reduction. It calculates backwords and tries to determine the value range of each word. It ends up with a contradiction that A10 must have the value of 0 and UINT32_MAX. Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 51 +++++++++++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 54fd26b57..fd7701afa 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5070,22 +5070,49 @@ int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) SUB( 7); SUB(11); NEXT; // A0 += -A7 - A11 SUB( 8); SUB(12); NEXT; // A1 += -A8 - A12 SUB( 9); SUB(13); NEXT; // A2 += -A9 - A13 - SUB(10); ADD( 7); ADD(11); NEXT; // A3 += -A10 + A7 + A11 - SUB(11); ADD( 8); ADD(12); NEXT; // A4 += -A11 + A8 + A12 - SUB(12); ADD( 9); ADD(13); NEXT; // A5 += -A12 + A9 + A13 - SUB(13); ADD(10); // A6 += -A13 + A10 + // 2^32 + MAX32 = 2 * MAX32 + 1 = A3 + A7 - A10 + c + // A3 = MAX32, A7 = MAX32, A10 = 0, c = 1 + SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11 + // 2^32 + MAX32 = 2 * MAX32 + 1 = A4 + A8 - A11 + c + // A4 = MAX32, A8 = MAX32, A11 = 0, c = 1 + SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12 + // 2^32 + MAX32 = 2 * MAX32 + 1 = A5 + A9 - A12 + c + // A5 = MAX32, A9 = MAX32, A12 = 0, c = 1 + SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13 + // 2^32 + MAX32 = 2 * MAX32 + 1 = A6 + A10 - A13 + c + // A6 = MAX32, A10 = MAX32, A13 = 0, c = 1 + SUB( 13 ); ADD( 10 ); // A6 += -A13 + A10 + // A6 = MAX32, c = 1 + // c =1 RESET; + // c = 0 - /* Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry */ - SUB_LAST; NEXT; // A0 += -last_c - NEXT; // A1 - NEXT; // A2 - ADD_LAST; NEXT; // A3 += last_c - NEXT; // A4 - NEXT; // A5 - // A6 + // Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry + + // last_c = 1, c = 0, A0 anything + SUB_LAST; NEXT; // A0 + // last_c = 1, c anything, A1 anything + NEXT; // A1 + // last_c = 1, c = -1, A2 > 0 + // last_c = 1, c = 0, A2 anything + // last_c = 1, c = 1 -> can't be because SUB_LAST + NEXT; // A2 + // 1a. last_c = 1, c = 0, A3 = MAX32 + // 1b. last_c = 1, c = -1, A3 = MAX32 -> cancel/ no carry + // 2. last_c = -1, c = 1, A3 = MAX32 -> cancel/ no carry + ADD_LAST; + // c = 1, A4 = MAX32 + NEXT; // A3 + // c = 1, A5 = MAX32 + NEXT; // A4 + // c = 1, A6 = MAX32 + NEXT; // A5 + // A6 + + // c = 1 RESET; + // last_c = 1 SUB_LAST; NEXT; // A0 += -last_c NEXT; // A1 From bf506361c4f0068c2e5ceae2f38e21f8744fb3e8 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 27 Feb 2023 16:33:30 +0100 Subject: [PATCH 09/20] Revert the illustration and remove unnecessary code This reverts commit 73e855327370372d0d1619126700d542d1ac1cfb. Removes the second round of carry reduction from p224. Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 46 +++++--------------------------------------- 1 file changed, 5 insertions(+), 41 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index fd7701afa..545ff04ea 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5070,50 +5070,14 @@ int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) SUB( 7); SUB(11); NEXT; // A0 += -A7 - A11 SUB( 8); SUB(12); NEXT; // A1 += -A8 - A12 SUB( 9); SUB(13); NEXT; // A2 += -A9 - A13 - // 2^32 + MAX32 = 2 * MAX32 + 1 = A3 + A7 - A10 + c - // A3 = MAX32, A7 = MAX32, A10 = 0, c = 1 - SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11 - // 2^32 + MAX32 = 2 * MAX32 + 1 = A4 + A8 - A11 + c - // A4 = MAX32, A8 = MAX32, A11 = 0, c = 1 - SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12 - // 2^32 + MAX32 = 2 * MAX32 + 1 = A5 + A9 - A12 + c - // A5 = MAX32, A9 = MAX32, A12 = 0, c = 1 - SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13 - // 2^32 + MAX32 = 2 * MAX32 + 1 = A6 + A10 - A13 + c - // A6 = MAX32, A10 = MAX32, A13 = 0, c = 1 - SUB( 13 ); ADD( 10 ); // A6 += -A13 + A10 - // A6 = MAX32, c = 1 + SUB(10); ADD( 7); ADD(11); NEXT; // A3 += -A10 + A7 + A11 + SUB(11); ADD( 8); ADD(12); NEXT; // A4 += -A11 + A8 + A12 + SUB(12); ADD( 9); ADD(13); NEXT; // A5 += -A12 + A9 + A13 + SUB(13); ADD(10); // A6 += -A13 + A10 - // c =1 RESET; - // c = 0 - - // Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry - - // last_c = 1, c = 0, A0 anything - SUB_LAST; NEXT; // A0 - // last_c = 1, c anything, A1 anything - NEXT; // A1 - // last_c = 1, c = -1, A2 > 0 - // last_c = 1, c = 0, A2 anything - // last_c = 1, c = 1 -> can't be because SUB_LAST - NEXT; // A2 - // 1a. last_c = 1, c = 0, A3 = MAX32 - // 1b. last_c = 1, c = -1, A3 = MAX32 -> cancel/ no carry - // 2. last_c = -1, c = 1, A3 = MAX32 -> cancel/ no carry - ADD_LAST; - // c = 1, A4 = MAX32 - NEXT; // A3 - // c = 1, A5 = MAX32 - NEXT; // A4 - // c = 1, A6 = MAX32 - NEXT; // A5 - // A6 - - // c = 1 - RESET; - // last_c = 1 + /* Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry */ SUB_LAST; NEXT; // A0 += -last_c NEXT; // A1 NEXT; // A2 From 804cfd32eacab0b7638c4ecc905f8474d38a5641 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 27 Feb 2023 16:50:09 +0100 Subject: [PATCH 10/20] Follow the naming convention Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 6 +++--- library/ecp_invasive.h | 2 +- tests/suites/test_suite_ecp.function | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 545ff04ea..8a90e8027 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4576,7 +4576,7 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) static int ecp_mod_p224(mbedtls_mpi *); MBEDTLS_STATIC_TESTABLE -int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); +int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); #endif #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) static int ecp_mod_p256(mbedtls_mpi *); @@ -5053,13 +5053,13 @@ static int ecp_mod_p224(mbedtls_mpi *N) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t expected_width = 2 * 224 / biL; MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width)); - ret = ecp_mod_p224_raw(N->p, expected_width); + ret = mbedtls_ecp_mod_p224_raw(N->p, expected_width); cleanup: return ret; } MBEDTLS_STATIC_TESTABLE -int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) +int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) { if (Nn != 2 * 224 / biL) { return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index ff11876c8..8ea6ece9a 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -112,7 +112,7 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); * size that sores a 448-bit MPI. */ MBEDTLS_STATIC_TESTABLE -int ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); +int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 40bcd1793..726ca4695 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1373,7 +1373,7 @@ void ecp_mod_p224_raw(char *input_N, &m, N, limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0); - TEST_EQUAL(ecp_mod_p224_raw(X, limbs_X), 0); + TEST_EQUAL(mbedtls_ecp_mod_p224_raw(X, limbs_X), 0); TEST_LE_U(mbedtls_mpi_core_bitlen(X, limbs_X), 224); mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m); ASSERT_COMPARE(X, bytes, res, bytes); From 5afb80e00ad97a957399bcdb20899f5b89c82ca3 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 27 Feb 2023 17:00:34 +0100 Subject: [PATCH 11/20] Fix coding style issues Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 8a90e8027..977f140d7 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4982,8 +4982,10 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn) #else /* 64 bit */ #define MAX32 Nn * 2 -#define A(j) (j) % 2 ? (uint32_t) (Np[(j) / 2] >> 32) : \ - (uint32_t) (Np[(j) / 2]) +#define A(j) \ + (j) % 2 ? \ + (uint32_t) (Np[(j) / 2] >> 32) : \ + (uint32_t) (Np[(j) / 2]) #define STORE32 \ if (i % 2) { \ Np[i/2] &= 0x00000000FFFFFFFF; \ @@ -5067,23 +5069,23 @@ int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) INIT(224); - SUB( 7); SUB(11); NEXT; // A0 += -A7 - A11 - SUB( 8); SUB(12); NEXT; // A1 += -A8 - A12 - SUB( 9); SUB(13); NEXT; // A2 += -A9 - A13 - SUB(10); ADD( 7); ADD(11); NEXT; // A3 += -A10 + A7 + A11 - SUB(11); ADD( 8); ADD(12); NEXT; // A4 += -A11 + A8 + A12 - SUB(12); ADD( 9); ADD(13); NEXT; // A5 += -A12 + A9 + A13 + SUB(7); SUB(11); NEXT; // A0 += -A7 - A11 + SUB(8); SUB(12); NEXT; // A1 += -A8 - A12 + SUB(9); SUB(13); NEXT; // A2 += -A9 - A13 + SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11 + SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12 + SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13 SUB(13); ADD(10); // A6 += -A13 + A10 RESET; /* Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry */ SUB_LAST; NEXT; // A0 += -last_c - NEXT; // A1 - NEXT; // A2 + ; NEXT; // A1 + ; NEXT; // A2 ADD_LAST; NEXT; // A3 += last_c - NEXT; // A4 - NEXT; // A5 + ; NEXT; // A4 + ; NEXT; // A5 // A6 LAST; From 08a94953e1fe7f82050c7a9ddff6939719d7de9a Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 28 Feb 2023 18:40:57 +0100 Subject: [PATCH 12/20] Apply naming convention for p224 Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 30 +++++++++++++++--------------- library/ecp_invasive.h | 22 +++++++++++----------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 977f140d7..ee211af2f 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4974,32 +4974,32 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn) #if defined(MBEDTLS_HAVE_INT32) /* 32 bit */ -#define MAX32 Nn -#define A(j) Np[j] -#define STORE32 Np[i] = cur; -#define STORE0 Np[i] = 0; +#define MAX32 X_limbs +#define A(j) X[j] +#define STORE32 X[i] = cur; +#define STORE0 X[i] = 0; #else /* 64 bit */ -#define MAX32 Nn * 2 +#define MAX32 X_limbs * 2 #define A(j) \ (j) % 2 ? \ - (uint32_t) (Np[(j) / 2] >> 32) : \ - (uint32_t) (Np[(j) / 2]) + (uint32_t) (X[(j) / 2] >> 32) : \ + (uint32_t) (X[(j) / 2]) #define STORE32 \ if (i % 2) { \ - Np[i/2] &= 0x00000000FFFFFFFF; \ - Np[i/2] |= (uint64_t) (cur) << 32; \ + X[i/2] &= 0x00000000FFFFFFFF; \ + X[i/2] |= (uint64_t) (cur) << 32; \ } else { \ - Np[i/2] &= 0xFFFFFFFF00000000; \ - Np[i/2] |= (uint32_t) cur; \ + X[i/2] &= 0xFFFFFFFF00000000; \ + X[i/2] |= (uint32_t) cur; \ } #define STORE0 \ if (i % 2) { \ - Np[i/2] &= 0x00000000FFFFFFFF; \ + X[i/2] &= 0x00000000FFFFFFFF; \ } else { \ - Np[i/2] &= 0xFFFFFFFF00000000; \ + X[i/2] &= 0xFFFFFFFF00000000; \ } #endif @@ -5061,9 +5061,9 @@ cleanup: } MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn) +int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs) { - if (Nn != 2 * 224 / biL) { + if (X_limbs != 2 * 224 / biL) { return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; } diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 8ea6ece9a..be9b3994c 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -98,21 +98,21 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); /** Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2) * - * \param[in,out] Np The address of the MPI to be converted. - * Must have exact limb size that stores a 448-bit MPI - * (double the bitlength of the modulus). - * Upon return holds the reduced value which is - * in range `0 <= X < 2 * N` (where N is the modulus). - * The bitlength of the reduced value is the same as - * that of the modulus (224 bits). - * \param[in] Nn The length of \p Nn in limbs. + * \param[in,out] X The address of the MPI to be converted. + * Must have exact limb size that stores a 448-bit MPI + * (double the bitlength of the modulus). + * Upon return holds the reduced value which is + * in range `0 <= X < 2 * N` (where N is the modulus). + * The bitlength of the reduced value is the same as + * that of the modulus (224 bits). + * \param[in] X_limbs The length of \p X in limbs. * * \return \c 0 on success. - * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p Nn is not the limb - * size that sores a 448-bit MPI. + * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the + * limb size that sores a 448-bit MPI. */ MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); +int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ From 620f0dc850dc80adabd129d4641e86d8cbac17e0 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 28 Feb 2023 18:42:33 +0100 Subject: [PATCH 13/20] Fix for 32-bit Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index ee211af2f..6dd7ed3d0 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4976,7 +4976,7 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn) #define MAX32 X_limbs #define A(j) X[j] -#define STORE32 X[i] = cur; +#define STORE32 X[i] = (mbedtls_mpi_uint) cur; #define STORE0 X[i] = 0; #else /* 64 bit */ From 931fd646ffaf5d3997af37c5d6e485816f34c04c Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 1 Mar 2023 16:50:00 +0100 Subject: [PATCH 14/20] Use lower case hex number Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index 4f529d15c..e01b80fbc 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -99,11 +99,11 @@ class EcpP224R1Raw(bignum_common.ModOperationCommon, # Generate an overflow during reduction ("00000000000000000000000000010000000070000000002000001000" - "FFFFFFFFFFFF9FFFFFFFFFE00000EFFF000070000000002000001003"), + "ffffffffffff9fffffffffe00000efff000070000000002000001003"), # Generate an underflow during reduction ("00000001000000000000000000000000000000000000000000000000" - "00000000000DC0000000000000000001000000010000000100000003"), + "00000000000dc0000000000000000001000000010000000100000003"), # First 8 number generated by random.getrandbits(448) - seed(2,2) ("da94e3e8ab73738fcf1822ffbc6887782b491044d5e341245c6e4337" @@ -140,6 +140,7 @@ class EcpP224R1Raw(bignum_common.ModOperationCommon, @property def is_valid(self) -> bool: return True + class EcpP521R1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ecp quasi_reduction().""" From aeadc2d731613f9cbc8856a2ad4dc13032f3380d Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 1 Mar 2023 16:53:03 +0100 Subject: [PATCH 15/20] Apply naming convention Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 6dd7ed3d0..8f79880b8 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4576,7 +4576,7 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) static int ecp_mod_p224(mbedtls_mpi *); MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *Np, size_t Nn); +int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) static int ecp_mod_p256(mbedtls_mpi *); From 5e33e6f5d4005775de638be9fc5ab42572af94a3 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Mar 2023 16:13:42 +0100 Subject: [PATCH 16/20] Remove unnecessary function override Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index e01b80fbc..6440ba05d 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -72,10 +72,6 @@ class EcpP192R1Raw(bignum_common.ModOperationCommon, result = self.int_a % self.int_n return [self.format_result(result)] - @property - def is_valid(self) -> bool: - return True - class EcpP224R1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ecp quasi_reduction().""" @@ -137,10 +133,6 @@ class EcpP224R1Raw(bignum_common.ModOperationCommon, result = self.int_a % self.int_n return [self.format_result(result)] - @property - def is_valid(self) -> bool: - return True - class EcpP521R1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ecp quasi_reduction().""" @@ -227,7 +219,3 @@ class EcpP521R1Raw(bignum_common.ModOperationCommon, def result(self) -> List[str]: result = self.int_a % self.int_n return [self.format_result(result)] - - @property - def is_valid(self) -> bool: - return True From d034b3d0d2f2217a31a35ab885a178d235a29929 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Mar 2023 16:15:43 +0100 Subject: [PATCH 17/20] Code style: have two empty lines before and after class definitions Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index 6440ba05d..ff31baedc 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -19,11 +19,13 @@ from typing import List from . import test_data_generation from . import bignum_common + class EcpTarget(test_data_generation.BaseTarget): #pylint: disable=abstract-method, too-few-public-methods """Target for ecp test case generation.""" target_basename = 'test_suite_ecp.generated' + class EcpP192R1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ecp quasi_reduction().""" @@ -72,6 +74,7 @@ class EcpP192R1Raw(bignum_common.ModOperationCommon, result = self.int_a % self.int_n return [self.format_result(result)] + class EcpP224R1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ecp quasi_reduction().""" @@ -133,6 +136,7 @@ class EcpP224R1Raw(bignum_common.ModOperationCommon, result = self.int_a % self.int_n return [self.format_result(result)] + class EcpP521R1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ecp quasi_reduction().""" From 97803abd2a85eae144bfdba63229ce0d2e308266 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Mar 2023 16:17:02 +0100 Subject: [PATCH 18/20] Update comment Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 8f79880b8..d0d00e367 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5080,7 +5080,7 @@ int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs) RESET; /* Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry */ - SUB_LAST; NEXT; // A0 += -last_c + SUB_LAST; NEXT; // A0 -= last_c ; NEXT; // A1 ; NEXT; // A2 ADD_LAST; NEXT; // A3 += last_c @@ -5088,6 +5088,9 @@ int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs) ; NEXT; // A5 // A6 + /* The carry reduction cannot generate a carry + * (see commit 73e8553 for details)*/ + LAST; return 0; From 61ef3603ebb23a78dfd5d79509f3a5867c58f1f4 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Mar 2023 16:26:18 +0100 Subject: [PATCH 19/20] Correct the maximum canonical value in tests Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index ff31baedc..556209f46 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -93,8 +93,8 @@ class EcpP224R1Raw(bignum_common.ModOperationCommon, "ffffffffffffffffffffffffffffffff000000000000000000000000", # Maximum canonical P224 multiplication result - ("ffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + ("fffffffffffffffffffffffffffffffe000000000000000000000000" + "00000001000000000000000000000000000000000000000000000000"), # Generate an overflow during reduction ("00000000000000000000000000010000000070000000002000001000" From a2ef6a8e386124432f0465be98c1ae93100225a0 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Mar 2023 16:57:25 +0100 Subject: [PATCH 20/20] The is_valid() function is needed to not filter out test cases Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index 556209f46..354b23416 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -74,6 +74,10 @@ class EcpP192R1Raw(bignum_common.ModOperationCommon, result = self.int_a % self.int_n return [self.format_result(result)] + @property + def is_valid(self) -> bool: + return True + class EcpP224R1Raw(bignum_common.ModOperationCommon, EcpTarget): @@ -136,6 +140,10 @@ class EcpP224R1Raw(bignum_common.ModOperationCommon, result = self.int_a % self.int_n return [self.format_result(result)] + @property + def is_valid(self) -> bool: + return True + class EcpP521R1Raw(bignum_common.ModOperationCommon, EcpTarget): @@ -223,3 +231,7 @@ class EcpP521R1Raw(bignum_common.ModOperationCommon, def result(self) -> List[str]: result = self.int_a % self.int_n return [self.format_result(result)] + + @property + def is_valid(self) -> bool: + return True