bigint: Stop using BoxedLimbs in PrivateExponent.

When constructing a `PrivateExponent` we enforce that the exponent is appropriately-sized for its associated modulus; this check is relied on in RSA private key construction for key component consistency checks. However, once the `PrivateExponent` is constructed there is no reason to relate its value to the modulus. Doing so has inhibited us from using some test vectors that are in the BoringSSL test suite. Further this usage blocks encapsulating `BoxedLimbs` into its own submodule.
briansmith · Sep 12, 2023 · 68a3b14 · 68a3b14
1 parent f462f28
commit 68a3b14
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 15 deletions.
diff --git a/src/arithmetic/bigint.rs b/src/arithmetic/bigint.rs
@@ -170,6 +170,10 @@ impl<M> BoxedLimbs<M> {
             m: PhantomData,
         }
     }
+
+    fn into_limbs(self) -> Box<[Limb]> {
+        self.limbs
+    }
 }
 
 /// A modulus *s* that is smaller than another modulus *l* so every element of
@@ -534,7 +538,7 @@ pub(crate) fn elem_exp_vartime<M>(
 #[cfg(not(target_arch = "x86_64"))]
 pub fn elem_exp_consttime<M>(
     base: Elem<M, R>,
-    exponent: &PrivateExponent<M>,
+    exponent: &PrivateExponent,
     m: &Modulus<M>,
 ) -> Result<Elem<M, Unencoded>, error::Unspecified> {
     use crate::limb::Window;
@@ -629,7 +633,7 @@ pub fn elem_inverse_consttime<M: Prime>(
 #[cfg(target_arch = "x86_64")]
 pub fn elem_exp_consttime<M>(
     base: Elem<M, R>,
-    exponent: &PrivateExponent<M>,
+    exponent: &PrivateExponent,
     m: &Modulus<M>,
 ) -> Result<Elem<M, Unencoded>, error::Unspecified> {
     // Pretty much all the math here requires CPU feature detection to have

diff --git a/src/arithmetic/bigint/private_exponent.rs b/src/arithmetic/bigint/private_exponent.rs
@@ -13,17 +13,16 @@
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 use super::{elem_add, elem_sub, limb, BoxedLimbs, Limb, LimbMask, Modulus, Prime};
-
 use crate::error;
+use alloc::boxed::Box;
 
-// `M` represents the prime modulus for which the exponent is in the interval
-// [1, `m` - 1).
-pub struct PrivateExponent<M> {
-    limbs: BoxedLimbs<M>,
+pub struct PrivateExponent {
+    limbs: Box<[Limb]>,
 }
 
-impl<M> PrivateExponent<M> {
-    pub fn from_be_bytes_padded(
+impl PrivateExponent {
+    // `p` is the modulus for which the exponent is in the interval [1, `p` - 1).
+    pub fn from_be_bytes_padded<M>(
         input: untrusted::Input,
         p: &Modulus<M>,
     ) -> Result<Self, error::Unspecified> {
@@ -41,22 +40,22 @@ impl<M> PrivateExponent<M> {
             return Err(error::Unspecified);
         }
 
-        Ok(Self { limbs: dP })
+        Ok(Self {
+            limbs: dP.into_limbs(),
+        })
     }
 
     #[inline]
     pub(super) fn limbs(&self) -> &[Limb] {
         &self.limbs
     }
-}
 
-impl<M: Prime> PrivateExponent<M> {
     // Returns `p - 2`.
-    pub(super) fn for_flt(p: &Modulus<M>) -> Self {
+    pub(super) fn for_flt<P: Prime>(p: &Modulus<P>) -> Self {
         let two = elem_add(p.one(), p.one(), p);
         let p_minus_2 = elem_sub(p.zero(), &two, p);
         Self {
-            limbs: p_minus_2.limbs,
+            limbs: p_minus_2.limbs.into_limbs(),
         }
     }
 }
diff --git a/src/rsa/keypair.rs b/src/rsa/keypair.rs
@@ -462,7 +462,7 @@ impl signature::KeyPair for KeyPair {
 
 struct PrivatePrime<M: Prime> {
     modulus: bigint::Modulus<M>,
-    exponent: bigint::PrivateExponent<M>,
+    exponent: bigint::PrivateExponent,
 }
 
 impl<M: Prime> PrivatePrime<M> {