wolfcrypt/src/port/arm/armv8-32-curve25519.S and wolfcrypt/src/port/arm/armv8-32-curve25519_c.c: fix MPI overflow in L_curve25519_inv_8, similar to fix in #10536 (efabd1844a).

Daniel Pouzzner
2026-06-04 14:12:01 -05:00
parent 1f0f29cf30
commit 99bf36bb61
2 changed files with 78 additions and 8 deletions
+39 -4
@@ -3677,6 +3677,33 @@ L_curve25519_inv_8:
ldr r1, [sp, #160]
ldr r0, [sp, #160]
bl fe_mul_op
# Ensure result is less than modulus
ldr r0, [sp, #160]
ldm r0, {r4, r5, r6, r7, r8, r9, r10, r11}
adds r2, r4, #19
adcs r2, r5, #0
adcs r2, r6, #0
adcs r2, r7, #0
adcs r2, r8, #0
adcs r2, r9, #0
adcs r2, r10, #0
adc r2, r11, #0
asr r2, r2, #31
and r2, r2, #19
adds r4, r4, r2
adcs r5, r5, #0
adcs r6, r6, #0
adcs r7, r7, #0
adcs r8, r8, #0
adcs r9, r9, #0
adcs r10, r10, #0
adc r11, r11, #0
#if defined(WOLFSSL_ARM_ARCH) && (WOLFSSL_ARM_ARCH < 7)
bic r11, r11, #0x80000000
#else
bfc r11, #31, #1
#endif
stm r0, {r4, r5, r6, r7, r8, r9, r10, r11}
mov r0, #0
add sp, sp, #0xbc
pop {r4, r5, r6, r7, r8, r9, r10, r11, pc}
@@ -3959,21 +3986,29 @@ L_curve25519_inv_8:
# Ensure result is less than modulus
ldr r0, [sp, #176]
ldm r0, {r4, r5, r6, r7, r8, r9, r10, r11}
mov r2, #19
and r2, r2, r11, asr #31
adds r2, r4, #19
adcs r2, r5, #0
adcs r2, r6, #0
adcs r2, r7, #0
adcs r2, r8, #0
adcs r2, r9, #0
adcs r2, r10, #0
adc r2, r11, #0
asr r2, r2, #31
and r2, r2, #19
adds r4, r4, r2
adcs r5, r5, #0
adcs r6, r6, #0
adcs r7, r7, #0
adcs r8, r8, #0
adcs r9, r9, #0
adcs r10, r10, #0
adc r11, r11, #0
#if defined(WOLFSSL_ARM_ARCH) && (WOLFSSL_ARM_ARCH < 7)
bic r11, r11, #0x80000000
#else
bfc r11, #31, #1
#endif
adcs r10, r10, #0
adc r11, r11, #0
stm r0, {r4, r5, r6, r7, r8, r9, r10, r11}
mov r0, #0
add sp, sp, #0xc0
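Review bot: The new probe `adds r2, r4, #19` … `adc r2, r11, #0` / `asr r2, r2, #31` decides "value >= p" from bit 31 of the top word alone, so the conditional subtraction is only complete when the fe_mul_op result is below 2p = 2^256 - 38; a value at or above 2^256 - 19 would wrap the carry out of `adc r2, r11, #0` and be stored unreduced, and one in [2^256 - 38, 2^256 - 19) would be reduced once but still land at or above p. That bound is presumably met by fe_mul_op's output, but nothing in either hunk states it, and the same sequence is now repeated in both hunks here and in both hunks of armv8-32-curve25519_c.c, so a one-line statement of the precondition at each site would keep the next edit honest. I would replace the bare `# Ensure result is less than modulus` with `# Canonicalise: add 19 and test bit 255 of the sum; if set the value was >= p, so keep the +19 and clear bit 255 (subtracts p). Requires input < 2p.` Since the old masking only caught values with bit 255 set, a regression test whose inverse falls in [p, 2^255) — the range this commit starts reducing — would pin the fix for both files.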
+39 -4
@@ -4082,6 +4082,33 @@ WC_OMIT_FRAME_POINTER int curve25519(byte* r, const byte* n, const byte* a)
"ldr r1, [sp, #160]\n\t"
"ldr r0, [sp, #160]\n\t"
"bl fe_mul_op\n\t"
/* Ensure result is less than modulus */
"ldr %[r], [sp, #160]\n\t"
"ldm %[r], {r4, r5, r6, r7, r8, r9, r10, r11}\n\t"
"adds %[a], r4, #19\n\t"
"adcs %[a], r5, #0\n\t"
"adcs %[a], r6, #0\n\t"
"adcs %[a], r7, #0\n\t"
"adcs %[a], r8, #0\n\t"
"adcs %[a], r9, #0\n\t"
"adcs %[a], r10, #0\n\t"
"adc %[a], r11, #0\n\t"
"asr %[a], %[a], #31\n\t"
"and %[a], %[a], #19\n\t"
"adds r4, r4, %[a]\n\t"
"adcs r5, r5, #0\n\t"
"adcs r6, r6, #0\n\t"
"adcs r7, r7, #0\n\t"
"adcs r8, r8, #0\n\t"
"adcs r9, r9, #0\n\t"
"adcs r10, r10, #0\n\t"
"adc r11, r11, #0\n\t"
#if defined(WOLFSSL_ARM_ARCH) && (WOLFSSL_ARM_ARCH < 7)
"bic r11, r11, #0x80000000\n\t"
#else
"bfc r11, #31, #1\n\t"
#endif
"stm %[r], {r4, r5, r6, r7, r8, r9, r10, r11}\n\t"
"mov r0, #0\n\t"
"add sp, sp, #0xbc\n\t"
#ifndef WOLFSSL_NO_VAR_ASSIGN_REG
@@ -4392,21 +4419,29 @@ WC_OMIT_FRAME_POINTER int curve25519(byte* r, const byte* n, const byte* a)
/* Ensure result is less than modulus */
"ldr %[r], [sp, #176]\n\t"
"ldm %[r], {r4, r5, r6, r7, r8, r9, r10, r11}\n\t"
"mov %[a], #19\n\t"
"and %[a], %[a], r11, asr #31\n\t"
"adds %[a], r4, #19\n\t"
"adcs %[a], r5, #0\n\t"
"adcs %[a], r6, #0\n\t"
"adcs %[a], r7, #0\n\t"
"adcs %[a], r8, #0\n\t"
"adcs %[a], r9, #0\n\t"
"adcs %[a], r10, #0\n\t"
"adc %[a], r11, #0\n\t"
"asr %[a], %[a], #31\n\t"
"and %[a], %[a], #19\n\t"
"adds r4, r4, %[a]\n\t"
"adcs r5, r5, #0\n\t"
"adcs r6, r6, #0\n\t"
"adcs r7, r7, #0\n\t"
"adcs r8, r8, #0\n\t"
"adcs r9, r9, #0\n\t"
"adcs r10, r10, #0\n\t"
"adc r11, r11, #0\n\t"
#if defined(WOLFSSL_ARM_ARCH) && (WOLFSSL_ARM_ARCH < 7)
"bic r11, r11, #0x80000000\n\t"
#else
"bfc r11, #31, #1\n\t"
#endif
"adcs r10, r10, #0\n\t"
"adc r11, r11, #0\n\t"
"stm %[r], {r4, r5, r6, r7, r8, r9, r10, r11}\n\t"
"mov r0, #0\n\t"
"add sp, sp, #0xc0\n\t"
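Review bot: The ten new lines from `"adds %[a], r4, #19\n\t"` through `"and %[a], %[a], #19\n\t"` in both hunks write the `a` operand as scratch, as the removed `"mov %[a], #19\n\t"` already did, which is only well-defined if `a` is declared as a read-write operand (e.g. `"+r"`) in the asm statement's constraint list; that list lies outside the hunk, so it is worth confirming now that four sites depend on it. The C twin must also stay in lockstep with the .S version, including the precondition that the fe_mul_op result is below 2p = 2^256 - 38, since the probe reads only bit 31 of the top word after `"adc %[a], r11, #0\n\t"` and cannot see a carry out of bit 255. I would replace the `/* Ensure result is less than modulus */` comment at both sites with `/* Canonicalise: add 19, test bit 255 of the sum; if set the value was >= p, keep the +19 and clear bit 255 (subtracts p). Requires input < 2p. */`.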