We are looking at the exponent at limb granularity and therefore
exponent bits can't go below 32.
The `mpi_` prefix is also removed as it is better not to have prefix at
all than to have just a partial. (Full prefix would be overly long and
would hurt readability.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
The test cases aim to mirror the legacy function, but needed the some
cases to be removed because:
- Null representation is not valid in core
- There are no negative numbers in core
- Bignum core doesn't do parameter checking and there are no promises for
even N
The _size variant of the test has been removed as bignum core doesn't do
parameter checking and there is no promises for inputs that are larger
than MBEDTLS_MPI_MAX_SIZE.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Now that we have a function that calls
mbedtls_mpi_core_ct_uint_table_lookup(), the compiler won't complain if
we make it static.
Signed-off-by: Janos Follath <janos.follath@arm.com>
On platforms with size_t different from int, mismatch between size_t and
mpi_uint can cause incorrect results or complaints from the compiler.
Signed-off-by: Janos Follath <janos.follath@arm.com>
mpi_core_exp_mod: Cast local variable explicitly
Signed-off-by: Janos Follath <janos.follath@arm.com>
- external errors are now checked in the specified point. If the
same error happens in another line, then this is not valid and
the test fails
- fixed some inconsistency in which injected error codes were not
taken from the data file. Now all the expected error code are
read from the data file
- added a couple of defines to shrink the code
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
As for ecjpake_setup(), now the test function can handle:
- "external" errors, through parameters set by the data file
- "internal" ones, through enums which inject ad-hoc failures
Similarly also ecjpake_rounds() can handle both type of errors,
but right now there's no erroneous case in the associated ".data"
file.
In both cases, after an error the current test is terminated.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
In this way, in case of error, it is not possible to continue using
the same psa_pake_operation_t without reinitializing it.
This should make the PSA pake's behavior closer to what expected by
the specification
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
The first half of the table is not used, let's reuse index 0 for the
result instead of appending it in the end.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The table size was set before the configured window size bound was
applied which lead to out of bounds access when the configured window
size bound is less.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The window size starts giving diminishing returns around 6 on most
platforms and highly unlikely to be more than 31 in practical use cases.
Still, compilers and static analysers might complain about this and
better to be pedantic.
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
With small exponents (for example, when doing RSA-1024 with CRT, each
prime is 512 bits and we'll use wsize = 5 which may be smaller that the
maximum - or even worse when doing public RSA operations which typically
have a 16-bit exponent so we'll use wsize = 1) the usage of W will have
pre-computed values, then empty space, then the accumulator at the very
end.
Move X next to the precomputed values to make accesses more efficient
and intuitive.
Signed-off-by: Janos Follath <janos.follath@arm.com>
