montgomery: Enforce maximum limb length with a runtime check.

Further clarify the memory safety.
briansmith · Dec 6, 2023 · 1068786 · 1068786
1 parent 034ac09
commit 1068786
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 13 deletions.
diff --git a/src/arithmetic.rs b/src/arithmetic.rs
@@ -20,8 +20,4 @@ pub mod bigint;
 pub mod montgomery;
 
 mod n0;
-
-#[allow(dead_code)]
-const BIGINT_MODULUS_MAX_LIMBS: usize = 8192 / crate::limb::LIMB_BITS;
-
 pub use constant::limbs_from_hex;
diff --git a/src/arithmetic/bigint.rs b/src/arithmetic/bigint.rs
@@ -94,7 +94,7 @@ fn from_montgomery_amm<M>(limbs: BoxedLimbs<M>, m: &Modulus<M>) -> Elem<M, Unenc
     debug_assert_eq!(limbs.len(), m.limbs().len());
 
     let mut limbs = limbs;
-    let mut one = [0; MODULUS_MAX_LIMBS];
+    let mut one = [0; MAX_LIMBS];
     one[0] = 1;
     let one = &one[..m.limbs().len()];
     limbs_mont_mul(&mut limbs, one, m.limbs(), m.n0(), m.cpu_features()).unwrap();
@@ -187,7 +187,7 @@ pub fn elem_reduced<Larger, Smaller>(
     // `limbs_from_mont_in_place` requires this.
     assert_eq!(a.limbs.len(), m.limbs().len() * 2);
 
-    let mut tmp = [0; MODULUS_MAX_LIMBS];
+    let mut tmp = [0; MAX_LIMBS];
     let tmp = &mut tmp[..a.limbs.len()];
     tmp.copy_from_slice(&a.limbs);
 

diff --git a/src/arithmetic/bigint/modulus.rs b/src/arithmetic/bigint/modulus.rs
@@ -21,7 +21,7 @@ use crate::{
 };
 use core::marker::PhantomData;
 
-pub const MODULUS_MAX_LIMBS: usize = super::super::BIGINT_MODULUS_MAX_LIMBS;
+pub const MODULUS_MAX_LIMBS: usize = montgomery::MAX_LIMBS;
 
 /// The modulus *m* for a ring ℤ/mℤ, along with the precomputed values needed
 /// for efficient Montgomery multiplication modulo *m*. The value must be odd
@@ -89,7 +89,7 @@ impl<M> OwnedModulus<M> {
         cpu_features: cpu::Features,
     ) -> Result<Self, error::KeyRejected> {
         let n = BoxedLimbs::positive_minimal_width_from_be_bytes(input)?;
-        if n.len() > MODULUS_MAX_LIMBS {
+        if n.len() > montgomery::MAX_LIMBS {
             return Err(error::KeyRejected::too_large());
         }
         if n.len() < montgomery::MIN_LIMBS {

diff --git a/src/arithmetic/montgomery.rs b/src/arithmetic/montgomery.rs
@@ -119,6 +119,12 @@ use crate::{bssl, c, limb::Limb};
 /// same.
 pub const MIN_LIMBS: usize = 4;
 
+/// Many functions, including assembly functions, will stack allocate
+/// `n * MAX_LIMBS` (for some `n`) limbs to store temporary values. Reduce the
+/// chance of stack overflows by limiting these functions according to the
+/// maximum size of modulus we wish to support.
+pub const MAX_LIMBS: usize = 8192 / crate::limb::LIMB_BITS;
+
 #[inline(always)]
 unsafe fn mul_mont(
     r: *mut Limb,
@@ -128,7 +134,7 @@ unsafe fn mul_mont(
     n0: &N0,
     _: cpu::Features,
 ) -> Result<(), error::Unspecified> {
-    if m.len() < MIN_LIMBS {
+    if m.len() < MIN_LIMBS || m.len() > MAX_LIMBS {
         return Err(error::Unspecified);
     }
     bn_mul_mont(r, a, b, m.as_ptr(), n0, m.len());
@@ -159,7 +165,7 @@ prefixed_export! {
         // Nothing aliases `n`
         let n = unsafe { core::slice::from_raw_parts(n, num_limbs) };
 
-        let mut tmp = [0; 2 * super::BIGINT_MODULUS_MAX_LIMBS];
+        let mut tmp = [0; 2 * MAX_LIMBS];
         let tmp = &mut tmp[..(2 * num_limbs)];
         {
             let a: &[Limb] = unsafe { core::slice::from_raw_parts(a, num_limbs) };
@@ -326,7 +332,7 @@ mod tests {
         ];
 
         for (i, (r_input, a, w, expected_retval, expected_r)) in TEST_CASES.iter().enumerate() {
-            let mut r = [0; super::super::BIGINT_MODULUS_MAX_LIMBS];
+            let mut r = [0; MAX_LIMBS];
             let r = {
                 let r = &mut r[..r_input.len()];
                 r.copy_from_slice(r_input);

diff --git a/src/ec/suite_b/ops.rs b/src/ec/suite_b/ops.rs
@@ -12,7 +12,12 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-use crate::{arithmetic::limbs_from_hex, arithmetic::montgomery::*, error, limb::*};
+use crate::{
+    arithmetic::limbs_from_hex,
+    arithmetic::montgomery::{Encoding, ProductEncoding, Unencoded, R, RR},
+    error,
+    limb::*,
+};
 use core::marker::PhantomData;
 
 pub use self::elem::*;

diff --git a/src/ec/suite_b/ops/elem.rs b/src/ec/suite_b/ops/elem.rs
@@ -15,7 +15,7 @@
 use crate::{
     arithmetic::{
         limbs_from_hex,
-        montgomery::{Encoding, ProductEncoding},
+        montgomery::{self, Encoding, ProductEncoding},
     },
     limb::{Limb, LIMB_BITS},
 };
@@ -129,3 +129,6 @@ pub fn unary_op_from_binary_op_assign<M, E: Encoding>(
 }
 
 pub const MAX_LIMBS: usize = (384 + (LIMB_BITS - 1)) / LIMB_BITS;
+
+#[allow(clippy::assertions_on_constants)]
+const _MAX_LIMBS_IS_LESS_THAN_MAX_LIMBS: () = assert!(MAX_LIMBS <= montgomery::MAX_LIMBS);