SP C: fix corner case of P256 and P384 mont red

2022-01-19 14:22:04 +10:00 · 2022-01-19 14:22:04 +10:00 · c06ba390cd
parent e11d484746
commit c06ba390cd
2 changed files with 82 additions and 18 deletions
--- a/wolfcrypt/src/sp_c32.c
+++ b/wolfcrypt/src/sp_c32.c
@ -21212,7 +21212,7 @@ static void sp_256_mont_reduce_9(sp_digit* a, const sp_digit* m, sp_digit mp)
        a[i + 8] += -(am >> 8) + ((am << 24) & 0x1fffffff);
        a[i + 9] += am >> 5;

-        a[i+1] += a[i] >> 29;
+        a[i + 1] += a[i] >> 29;
    }
    am = a[8] & 0xffffff;
    a[8 + 3] += (am << 9) & 0x1fffffff;
@ -21232,6 +21232,15 @@ static void sp_256_mont_reduce_9(sp_digit* a, const sp_digit* m, sp_digit mp)
    a[7] = (a[15] >> 24) + ((a[16] << 5) & 0x1fffffff);
    a[8] = (a[16] >> 24) +  (a[17] << 5);

+    a[1] += a[0] >> 29; a[0] &= 0x1fffffff;
+    a[2] += a[1] >> 29; a[1] &= 0x1fffffff;
+    a[3] += a[2] >> 29; a[2] &= 0x1fffffff;
+    a[4] += a[3] >> 29; a[3] &= 0x1fffffff;
+    a[5] += a[4] >> 29; a[4] &= 0x1fffffff;
+    a[6] += a[5] >> 29; a[5] &= 0x1fffffff;
+    a[7] += a[6] >> 29; a[6] &= 0x1fffffff;
+    a[8] += a[7] >> 29; a[7] &= 0x1fffffff;
+
    /* Get the bit over, if any. */
    am = a[8] >> 24;
    /* Create mask. */
@ -21247,7 +21256,14 @@ static void sp_256_mont_reduce_9(sp_digit* a, const sp_digit* m, sp_digit mp)
    a[7] -= 0x1fe00000 & am;
    a[8] -= 0x00ffffff & am;

-    sp_256_norm_9(a);
+    a[1] += a[0] >> 29; a[0] &= 0x1fffffff;
+    a[2] += a[1] >> 29; a[1] &= 0x1fffffff;
+    a[3] += a[2] >> 29; a[2] &= 0x1fffffff;
+    a[4] += a[3] >> 29; a[3] &= 0x1fffffff;
+    a[5] += a[4] >> 29; a[4] &= 0x1fffffff;
+    a[6] += a[5] >> 29; a[5] &= 0x1fffffff;
+    a[7] += a[6] >> 29; a[6] &= 0x1fffffff;
+    a[8] += a[7] >> 29; a[7] &= 0x1fffffff;
 }

 /* Multiply two Montgomery form numbers mod the modulus (prime).
@ -28396,7 +28412,7 @@ static void sp_384_mont_reduce_15(sp_digit* a, const sp_digit* m, sp_digit mp)
        a[i + 14] += (am << 20) & 0x3ffffff;
        a[i + 15] += am >> 6;

-        a[i+1] += a[i] >> 26;
+        a[i +  1] += a[i] >> 26;
    }
    am = (a[14] * 0x1) & 0xfffff;
    a[14 +  1] += (am << 6) & 0x3ffffff;
@ -28424,6 +28440,21 @@ static void sp_384_mont_reduce_15(sp_digit* a, const sp_digit* m, sp_digit mp)
    a[13] = (a[27] >> 20) + ((a[28] << 6) & 0x3ffffff);
    a[14] = (a[14 + 14] >> 20) +  (a[29] << 6);

+    a[1] += a[0] >> 26; a[0] &= 0x3ffffff;
+    a[2] += a[1] >> 26; a[1] &= 0x3ffffff;
+    a[3] += a[2] >> 26; a[2] &= 0x3ffffff;
+    a[4] += a[3] >> 26; a[3] &= 0x3ffffff;
+    a[5] += a[4] >> 26; a[4] &= 0x3ffffff;
+    a[6] += a[5] >> 26; a[5] &= 0x3ffffff;
+    a[7] += a[6] >> 26; a[6] &= 0x3ffffff;
+    a[8] += a[7] >> 26; a[7] &= 0x3ffffff;
+    a[9] += a[8] >> 26; a[8] &= 0x3ffffff;
+    a[10] += a[9] >> 26; a[9] &= 0x3ffffff;
+    a[11] += a[10] >> 26; a[10] &= 0x3ffffff;
+    a[12] += a[11] >> 26; a[11] &= 0x3ffffff;
+    a[13] += a[12] >> 26; a[12] &= 0x3ffffff;
+    a[14] += a[13] >> 26; a[13] &= 0x3ffffff;
+
    /* Get the bit over, if any. */
    am = a[14] >> 20;
    /* Create mask. */
@ -28445,7 +28476,20 @@ static void sp_384_mont_reduce_15(sp_digit* a, const sp_digit* m, sp_digit mp)
    a[13] -= 0x03ffffff & am;
    a[14] -= 0x000fffff & am;

-    sp_384_norm_15(a);
+    a[1] += a[0] >> 26; a[0] &= 0x3ffffff;
+    a[2] += a[1] >> 26; a[1] &= 0x3ffffff;
+    a[3] += a[2] >> 26; a[2] &= 0x3ffffff;
+    a[4] += a[3] >> 26; a[3] &= 0x3ffffff;
+    a[5] += a[4] >> 26; a[4] &= 0x3ffffff;
+    a[6] += a[5] >> 26; a[5] &= 0x3ffffff;
+    a[7] += a[6] >> 26; a[6] &= 0x3ffffff;
+    a[8] += a[7] >> 26; a[7] &= 0x3ffffff;
+    a[9] += a[8] >> 26; a[8] &= 0x3ffffff;
+    a[10] += a[9] >> 26; a[9] &= 0x3ffffff;
+    a[11] += a[10] >> 26; a[10] &= 0x3ffffff;
+    a[12] += a[11] >> 26; a[11] &= 0x3ffffff;
+    a[13] += a[12] >> 26; a[12] &= 0x3ffffff;
+    a[14] += a[13] >> 26; a[13] &= 0x3ffffff;
 }

 /* Multiply two Montgomery form numbers mod the modulus (prime).
--- a/wolfcrypt/src/sp_c64.c
+++ b/wolfcrypt/src/sp_c64.c
@ -22567,23 +22567,23 @@ static void sp_256_mont_reduce_5(sp_digit* a, const sp_digit* m, sp_digit mp)
        /* Fifth word of modulus word */
        t = am; t *= 0x0ffffffff0000L;

-        a[i+1] += (am << 44) & 0xfffffffffffffL;
-        a[i+2] += am >> 8;
-        a[i+3] += (am << 36) & 0xfffffffffffffL;
-        a[i+4] += (am >> 16) + (t & 0xfffffffffffffL);
-        a[i+5] +=  t >> 52;
+        a[i + 1] += (am << 44) & 0xfffffffffffffL;
+        a[i + 2] += am >> 8;
+        a[i + 3] += (am << 36) & 0xfffffffffffffL;
+        a[i + 4] += (am >> 16) + (t & 0xfffffffffffffL);
+        a[i + 5] +=  t >> 52;

-        a[i+1] += a[i] >> 52;
+        a[i + 1] += a[i] >> 52;
    }
    am = a[4] & 0xffffffffffff;
    /* Fifth word of modulus word */
    t = am; t *= 0x0ffffffff0000L;

-    a[4+1] += (am << 44) & 0xfffffffffffffL;
-    a[4+2] += am >> 8;
-    a[4+3] += (am << 36) & 0xfffffffffffffL;
-    a[4+4] += (am >> 16) + (t & 0xfffffffffffffL);
-    a[4+5] +=  t >> 52;
+    a[4 + 1] += (am << 44) & 0xfffffffffffffL;
+    a[4 + 2] += am >> 8;
+    a[4 + 3] += (am << 36) & 0xfffffffffffffL;
+    a[4 + 4] += (am >> 16) + (t & 0xfffffffffffffL);
+    a[4 + 5] +=  t >> 52;

    a[0] = (a[4] >> 48) + ((a[5] << 4) & 0xfffffffffffffL);
    a[1] = (a[5] >> 48) + ((a[6] << 4) & 0xfffffffffffffL);
@ -22591,6 +22591,11 @@ static void sp_256_mont_reduce_5(sp_digit* a, const sp_digit* m, sp_digit mp)
    a[3] = (a[7] >> 48) + ((a[8] << 4) & 0xfffffffffffffL);
    a[4] = (a[8] >> 48) +  (a[9] << 4);

+    a[1] += a[0] >> 52; a[0] &= 0xfffffffffffffL;
+    a[2] += a[1] >> 52; a[1] &= 0xfffffffffffffL;
+    a[3] += a[2] >> 52; a[2] &= 0xfffffffffffffL;
+    a[4] += a[3] >> 52; a[3] &= 0xfffffffffffffL;
+
    /* Get the bit over, if any. */
    am = a[4] >> 48;
    /* Create mask. */
@ -22602,7 +22607,10 @@ static void sp_256_mont_reduce_5(sp_digit* a, const sp_digit* m, sp_digit mp)
    a[3] -= 0x0000001000000000L & am;
    a[4] -= 0x0000ffffffff0000L & am;

-    sp_256_norm_5(a);
+    a[1] += a[0] >> 52; a[0] &= 0xfffffffffffffL;
+    a[2] += a[1] >> 52; a[1] &= 0xfffffffffffffL;
+    a[3] += a[2] >> 52; a[2] &= 0xfffffffffffffL;
+    a[4] += a[3] >> 52; a[3] &= 0xfffffffffffffL;
 }

 /* Multiply two Montgomery form numbers mod the modulus (prime).
@ -29281,7 +29289,7 @@ static void sp_384_mont_reduce_7(sp_digit* a, const sp_digit* m, sp_digit mp)
        a[i + 6] += (am << 54) & 0x7fffffffffffffL;
        a[i + 7] += am >> 1;

-        a[i+1] += a[i] >> 55;
+        a[i + 1] += a[i] >> 55;
    }
    am = (a[6] * 0x100000001) & 0x3fffffffffffff;
    a[6 + 0] += (am << 32) & 0x7fffffffffffffL;
@ -29299,6 +29307,13 @@ static void sp_384_mont_reduce_7(sp_digit* a, const sp_digit* m, sp_digit mp)
    a[5] = (a[11] >> 54) + ((a[12] << 1) & 0x7fffffffffffffL);
    a[6] = (a[12] >> 54) +  (a[13] << 1);

+    a[1] += a[0] >> 55; a[0] &= 0x7fffffffffffffL;
+    a[2] += a[1] >> 55; a[1] &= 0x7fffffffffffffL;
+    a[3] += a[2] >> 55; a[2] &= 0x7fffffffffffffL;
+    a[4] += a[3] >> 55; a[3] &= 0x7fffffffffffffL;
+    a[5] += a[4] >> 55; a[4] &= 0x7fffffffffffffL;
+    a[6] += a[5] >> 55; a[5] &= 0x7fffffffffffffL;
+
    /* Get the bit over, if any. */
    am = a[6] >> 54;
    /* Create mask. */
@ -29312,7 +29327,12 @@ static void sp_384_mont_reduce_7(sp_digit* a, const sp_digit* m, sp_digit mp)
    a[5] -= 0x007fffffffffffffL & am;
    a[6] -= 0x003fffffffffffffL & am;

-    sp_384_norm_7(a);
+    a[1] += a[0] >> 55; a[0] &= 0x7fffffffffffffL;
+    a[2] += a[1] >> 55; a[1] &= 0x7fffffffffffffL;
+    a[3] += a[2] >> 55; a[2] &= 0x7fffffffffffffL;
+    a[4] += a[3] >> 55; a[3] &= 0x7fffffffffffffL;
+    a[5] += a[4] >> 55; a[4] &= 0x7fffffffffffffL;
+    a[6] += a[5] >> 55; a[5] &= 0x7fffffffffffffL;
 }

 /* Multiply two Montgomery form numbers mod the modulus (prime).