This function has specific code to handle carries and it's not clear how
to exercises that code through the modinv function, so well, that's what
unit tests are for.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This is consistent with the general rules documented at the top of the
file:
- when computing GCD(A, N), there is no modular arithmetic, so the
output can alias any of the inputs;
- when computing a modular inverse, N is the modulus, so it can't be
aliased by any of the outputs (we'll use it for modular operations
over the entire course of the function's execution).
But since this function has two modes of operations with different
aliasing rules (G can alias N only if I == NULL), I think it should
really be stated explicitly.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This is a direct translation of sict_mi2() from
https://github.com/mpg/cryptohack/blob/main/ct-pres.py
which was presented in the book club's special session.
This commit only includes two test cases which is very little. Most of
the test cases will be generated by Python modules that belong to the
framework. However we can't have the framework generate those before we
have the corresponding test function in the consuming branches. So,
extended tests are coming as a 2nd step, after the test function has
been merged.
(The test cases in .misc should stay, as they can be convenient when
working on the test function.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Without this, it's not at all obvious that turning on MBEDTLS_TEST_HOOKS
doesn't change the functional behavior of the code.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Unfortunately compilers aren't good at analyzing whether variables are
analyzed on all code paths, and it is better to initialize to the
safe-path values.
Signed-off-by: Janos Follath <janos.follath@arm.com>
A + B + 1 is not a good way to get a number that's neither A nor B.
This can be a problem for example if values later are changed to
A = 0 and B = -1.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The new test hooks allow to check whether there was an unsafe call of an
optionally safe function in the codepath. For the sake of simplicity the
MBEDTLS_MPI_IS_* macros are reused for signalling safe/unsafe codepaths
here too.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The allocated size can be significantly larger than the actual size. In
the unsafe case we can use the actual size and gain some performance.
Signed-off-by: Janos Follath <janos.follath@arm.com>
It is easier to read if the parameter controlling constant timeness with
respect to a parameter is next to that parameter.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The complexity of having functions whose security properties depend on a
runtime argument can be dangerous. Limit risk by isolating such code in
small functions with limited scope.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The complexity of having functions whose security properties depend on a
runtime argument can be dangerous. Limit misuse by making any such
functions local.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Attempt to partially solve the performance regression in 3.6.0 without
adding too much code size.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Use of volatile is more an internal implementation detail (ensuring
const-time) than part of the contract (the caller doesn't care about
volatile as such).
Signed-off-by: Janos Follath <janos.follath@arm.com>
We need the pointer, A, to be volatile, to ensure the reads happen. bits
does not need to be volatile.
Signed-off-by: Janos Follath <janos.follath@arm.com>
