luna - wolfssl/wolfcrypt/src/port/Espressif/esp32

   1/* esp32_mp.c
   2 *
   3 * Copyright (C) 2006-2026 wolfSSL Inc.
   4 *
   5 * This file is part of wolfSSL.
   6 *
   7 * wolfSSL is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 3 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * wolfSSL is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20 */
  21
  22/*
  23 * See ESP32 Technical Reference Manual - RSA Accelerator Chapter
  24 *
  25 * esp_mp_exptmod()  Large Number Modular Exponentiation Z = X^Y mod M
  26 * esp_mp_mulmod()   Large Number Modular Multiplication Z = X * Y mod M
  27 * esp_mp_mul()      Large Number Multiplication         Z = X * Y
  28 *
  29 * The ESP32 RSA Accelerator supports operand lengths of:
  30 * N in {512, 1024, 1536, 2048, 2560, 3072, 3584, 4096} bits. The bit length
  31 * of arguments Z, X, Y , M, and r can be any one from the N set, but all
  32 * numbers in a calculation must be of the same length.
  33 *
  34 * The bit length of M' is always 32.
  35 *
  36 * Also, beware: "we have uint32_t == unsigned long for both Xtensa and RISC-V"
  37 * see https://github.com/espressif/esp-idf/issues/9511#issuecomment-1207342464
  38 */
  39
  40#ifdef HAVE_CONFIG_H
  41    #include <config.h>
  42#endif
  43
  44/* Reminder: user_settings.h is needed and included from settings.h
  45 * Be sure to define WOLFSSL_USER_SETTINGS, typically in CMakeLists.txt */
  46#include <wolfssl/wolfcrypt/settings.h>
  47
  48#if defined(WOLFSSL_ESPIDF) /* Entire file is only for Espressif EDP-IDF */
  49#include "sdkconfig.h" /* programmatically generated from sdkconfig */
  50#include <wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h>
  51#include <wolfssl/wolfcrypt/logging.h>
  52
  53#if !defined(NO_RSA) || defined(HAVE_ECC)
  54
  55#if defined(WOLFSSL_ESP32_CRYPT_RSA_PRI) && \
  56   !defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI)
  57
  58#ifdef NO_INLINE
  59    #include <wolfssl/wolfcrypt/misc.h>
  60#else
  61    #define WOLFSSL_MISC_INCLUDED
  62    #include <wolfcrypt/src/misc.c>
  63#endif
  64#include <wolfssl/wolfcrypt/wolfmath.h>
  65
  66#ifndef SINGLE_THREADED
  67    /* Espressif freeRTOS */
  68    #include <freertos/semphr.h>
  69#endif
  70
  71#define ESP_HW_RSAMIN_BIT           512
  72#define ESP_HW_RSAMAX_BIT           4096
  73#if defined(CONFIG_IDF_TARGET_ESP32)
  74    /* See 24.3.2 Large Number Modular Exponentiation:
  75     *     esp32_technical_reference_manual_en.pdf
  76     * The RSA Accelerator supports specific operand lengths of N
  77     * {512, 1024, 1536, 2048, 2560, 3072, 3584, 4096} bits
  78     *
  79     * 24.3.4 Large Number Multiplication
  80     * The length of Z is twice that of X and Y . Therefore, the RSA Accelerator
  81     * supports large-number multiplication with only four operand lengths of
  82     * N in {512, 1024, 1536, 2048} */
  83    #define ESP_HW_MOD_RSAMAX_BITS      4096
  84    #define ESP_HW_MULTI_RSAMAX_BITS    2048
  85#elif defined(CONFIG_IDF_TARGET_ESP32S2)
  86    /* See 18.3.1 Large Number Modular Exponentiation
  87     *     esp32-s2_technical_reference_manual_en.pdf
  88     * RSA Accelerator supports operands of length N = (32 * x),
  89     * where x in {1, 2, 3, . . . , 128}. The bit lengths of arguments
  90     * Z, X, Y , M, and r can be arbitrary N, but all numbers in a calculation
  91     * must be of the same length. 32 * 128 = 4096 */
  92    #define ESP_HW_MOD_RSAMAX_BITS      4096
  93    #define ESP_HW_MULTI_RSAMAX_BITS    2048
  94#elif defined(CONFIG_IDF_TARGET_ESP32S3)
  95    /* See 20.3.1 Large Number Modular Exponentiation
  96     *     esp32-s3_technical_reference_manual_en.pdf
  97     * RSA Accelerator supports operands of length N = (32 * x),
  98     * where x in {1, 2, 3, . . . , 128}. The bit lengths of arguments
  99     * Z, X, Y , M, and r can be arbitrary N, but all numbers in a calculation
 100     * must be of the same length. 32 * 128 = 4096 */
 101    #define ESP_HW_MOD_RSAMAX_BITS      4096
 102    #define ESP_HW_MULTI_RSAMAX_BITS    2048
 103#elif defined(CONFIG_IDF_TARGET_ESP32C3)
 104    /* See 20.3.1 Large Number Modular Exponentiation
 105     *     esp32-c3_technical_reference_manual_en.pdf
 106     * RSA Accelerator supports operands of length N = (32 * x),
 107     * where x in {1, 2, 3, . . . , 96}. The bit lengths of arguments
 108     * Z, X, Y , M, and r can be arbitrary N, but all numbers in a calculation
 109     * must be of the same length. 32 * 96 = 3072 */
 110    #define ESP_HW_MOD_RSAMAX_BITS      3072
 111    /* The length of result Z is twice that of operand X and operand Y.
 112     * Therefore, the RSA accelerator only supports large-number multiplication
 113     * with operand length N = 32 * x, where x in {1, 2, 3, . . . , 48}.
 114     * 32 * (96/2) = 32 * (48/2) = 1536 */
 115    #define ESP_HW_MULTI_RSAMAX_BITS    1536
 116#elif defined(CONFIG_IDF_TARGET_ESP32C6)
 117    /* See 22.3.1 Large-number Modular Exponentiation
 118     *   esp32-c6_technical_reference_manual_en.pdf
 119     * The RSA accelerator supports operands of length N = (32 * x),
 120     * where x in {1, 2, 3, . . . , 96}. The bit lengths of arguments
 121     * Z, X, Y , M, and r can be arbitrary N, but all numbers in a calculation
 122     * must be of the same length. 32 * 96 = 3072 */
 123    #define ESP_HW_MOD_RSAMAX_BITS      3072
 124    /* The length of result Z is twice that of operand X and operand Y.
 125     * Therefore, the RSA accelerator only supports large-number multiplication
 126     * with operand length N = 32 * x, where x in {1, 2, 3, . . . , 48}.
 127     * 32 * (96/2) = 32 * (48/2) = 1536 */
 128    #define ESP_HW_MULTI_RSAMAX_BITS    1536
 129#else
 130    /* No HW on ESP8266, but then we'll not even use this lib.
 131     * Other ESP32 devices not implemented: */
 132    #define ESP_HW_MOD_RSAMAX_BITS      0
 133    #define ESP_HW_MULTI_RSAMAX_BITS    0
 134#endif
 135
 136/* (s+(4-1))/ 4    */
 137#define BYTE_TO_WORDS(s)            (((s+3)>>2))
 138
 139/* (s+(32-1))/ 8/ 4*/
 140#define BITS_TO_WORDS(s)            (((s+31)>>3)>>2)
 141
 142#define BITS_IN_ONE_WORD            32
 143
 144/* Some minimum operand sizes, fall back to SW if too small: */
 145#ifndef ESP_RSA_MULM_BITS
 146    #define ESP_RSA_MULM_BITS 16
 147#endif
 148
 149#ifndef ESP_RSA_EXPT_XBITS
 150    #define ESP_RSA_EXPT_XBITS 8
 151#endif
 152
 153#ifndef ESP_RSA_EXPT_YBITS
 154    #define ESP_RSA_EXPT_YBITS 8
 155#endif
 156
 157/* RSA math calculation timeout */
 158#ifndef ESP_RSA_TIMEOUT_CNT
 159    #define ESP_RSA_TIMEOUT_CNT 0x5000000
 160#endif
 161#define ESP_TIMEOUT(cnt)         (cnt >= ESP_RSA_TIMEOUT_CNT)
 162
 163/* Hardware Ready Timeout */
 164#ifndef ESP_RSA_WAIT_TIMEOUT_CNT
 165    #define ESP_RSA_WAIT_TIMEOUT_CNT 0x20
 166#endif
 167#define ESP_WAIT_TIMEOUT(cnt)    (cnt >= ESP_RSA_WAIT_TIMEOUT_CNT)
 168
 169#if defined(CONFIG_IDF_TARGET_ESP32C3)
 170    #include <soc/system_reg.h>
 171    #include <soc/hwcrypto_reg.h>
 172#elif defined(CONFIG_IDF_TARGET_ESP32C6)
 173    #include <soc/pcr_reg.h>
 174#elif defined(CONFIG_IDF_TARGET_ESP32S2)
 175    #include <soc/system_reg.h>
 176    #include <soc/hwcrypto_reg.h>
 177#endif
 178
 179static const char* const TAG = "wolfssl_esp32_mp";
 180
 181#ifdef DEBUG_WOLFSSL
 182    static int hw_validation = 0; /* validating HW and SW? (prevent HW call) */
 183    #define SET_HW_VALIDATION {hw_validation = 1;}
 184    #define CLR_HW_VALIDATION {hw_validation = 0;}
 185    #define IS_HW_VALIDATION (hw_validation == 1)
 186    #undef WOLFSSL_HW_METRICS
 187
 188    /* usage metrics always on during debug */
 189    #define WOLFSSL_HW_METRICS
 190#endif
 191
 192/* For esp_mp_exptmod and esp_mp_mulmod we need a variety of calculated helper
 193** values to properly setup the hardware. See esp_mp_montgomery_init() */
 194struct esp_mp_helper
 195{
 196    MATH_INT_T r_inv; /* result of calculated Montgomery helper */
 197    word32 exp;
 198    word32 Xs;  /* how many bits in X operand  */
 199    word32 Ys;  /* how many bits in Y operand  */
 200    word32 Ms;  /* how many bits in M operand  */
 201    word32 Rs;  /* how many bits in R_inv calc */
 202    word32 maxWords_sz; /* maximum words expected */
 203    word32 hwWords_sz;
 204    mp_digit mp; /* result of calculated Montgomery M' helper */
 205#ifdef DEBUG_WOLFSSL
 206    mp_digit mp2; /* optional compare to alternate Montgomery calc */
 207#endif
 208};
 209
 210static portMUX_TYPE wc_rsa_reg_lock = portMUX_INITIALIZER_UNLOCKED;
 211
 212/* usage metrics can be turned on independently of debugging */
 213#ifdef WOLFSSL_HW_METRICS
 214        static unsigned long esp_mp_max_used = 0;
 215
 216        static unsigned long esp_mp_max_timeout = 0; /* Calc duration */
 217        static unsigned long esp_mp_max_wait_timeout; /* HW wait duration */
 218
 219    /* HW Multiplication Metrics */
 220    #ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
 221        static unsigned long esp_mp_mul_usage_ct = 0;
 222        static unsigned long esp_mp_mul_error_ct = 0;
 223        static unsigned long esp_mp_mul_tiny_ct = 0;
 224        static unsigned long esp_mp_mul_max_exceeded_ct = 0;
 225    #endif /* !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */
 226
 227    /* HW Modular Multiplication Metrics */
 228    #ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD
 229        static unsigned long esp_mp_mulmod_small_x_ct = 0;
 230        static unsigned long esp_mp_mulmod_small_y_ct = 0;
 231        static unsigned long esp_mp_mulmod_max_exceeded_ct = 0;
 232        static unsigned long esp_mp_mulmod_usage_ct = 0;
 233        static unsigned long esp_mp_mulmod_fallback_ct = 0;
 234        static unsigned long esp_mp_mulmod_even_mod_ct = 0;
 235        static unsigned long esp_mp_mulmod_error_ct = 0;
 236     #endif
 237
 238    /* HW Modular Exponentiation Metrics */
 239    #ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD
 240        static unsigned long esp_mp_exptmod_usage_ct = 0;
 241        static unsigned long esp_mp_exptmod_error_ct = 0;
 242        static unsigned long esp_mp_exptmod_max_exceeded_ct = 0;
 243        static unsigned long esp_mp_exptmod_fallback_ct = 0;
 244    #endif /* !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
 245#endif /* WOLFSSL_HW_METRICS */
 246
 247/* mutex */
 248#ifdef SINGLE_THREADED
 249    /* Although freeRTOS is multithreaded, if we know we'll only be in
 250     * a single thread for wolfSSL, we can avoid the complexity of mutexes. */
 251    static int single_thread_locked = 0;
 252#else
 253    static wolfSSL_Mutex mp_mutex;
 254    static int espmp_CryptHwMutexInit = 0;
 255#endif
 256
 257#ifdef DEBUG_WOLFSSL
 258    /* when debugging, we'll double-check the mutex with call depth */
 259    #ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD
 260        static int esp_mp_exptmod_depth_counter = 0;
 261    #endif /* NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
 262#endif /* DEBUG_WOLFSSL */
 263
 264/*
 265* check if the HW is ready before accessing it
 266*
 267* See 24.3.1 Initialization of ESP32 Technical Reference Manual
 268*   esp32_technical_reference_manual_en.pdf
 269*
 270* The RSA Accelerator is activated by enabling the corresponding peripheral
 271* clock, and by clearing the DPORT_RSA_PD bit in the DPORT_RSA_PD_CTRL_REG
 272* register. This releases the RSA Accelerator from reset.
 273*
 274* See esp_mp_hw_lock().
 275*
 276* Note we'll also keep track locally if the lock was called at all.
 277* For instance, fallback to SW for very small operand and we won't lock HW.
 278*
 279* When the RSA Accelerator is released from reset, the register RSA_CLEAN_REG
 280* reads 0 and an initialization process begins. Hardware initializes the four
 281* memory blocks by setting them to 0. After initialization is complete,
 282* RSA_CLEAN_REG reads 1. For this reason, software should query RSA_CLEAN_REG
 283* after being released from reset, and before writing to any RSA Accelerator
 284* memory blocks or registers for the first time.
 285*/
 286static int esp_mp_hw_wait_clean(void)
 287{
 288    int ret = MP_OKAY;
 289    word32 timeout = 0;
 290
 291#if defined(CONFIG_IDF_TARGET_ESP32)
 292    /* RSA_CLEAN_REG is now called RSA_QUERY_CLEAN_REG.
 293    ** hwcrypto_reg.h maintains RSA_CLEAN_REG for backwards compatibility:
 294    ** so this block _might_ not be needed in some circumstances. */
 295    ESP_EM__PRE_MP_HW_WAIT_CLEAN
 296
 297    /* wait until ready,
 298    ** or timeout counter exceeds ESP_RSA_TIMEOUT_CNT in user_settings */
 299    while(!ESP_TIMEOUT(++timeout) && DPORT_REG_READ(RSA_CLEAN_REG) == 0) {
 300        /*  wait. expected delay 1 to 2 uS  */
 301        ESP_EM__MP_HW_WAIT_CLEAN
 302    }
 303#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
 304    ESP_EM__PRE_MP_HW_WAIT_CLEAN
 305    while (!ESP_TIMEOUT(++timeout) &&
 306        DPORT_REG_READ(RSA_QUERY_CLEAN_REG) != 1) {
 307        /*  wait. expected delay 1 to 2 uS  */
 308        ESP_EM__MP_HW_WAIT_CLEAN
 309    }
 310#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
 311    ESP_EM__PRE_MP_HW_WAIT_CLEAN
 312    while (!ESP_TIMEOUT(++timeout) &&
 313            DPORT_REG_READ(RSA_QUERY_CLEAN_REG) != 1) {
 314        /*  wait. expected delay 1 to 2 uS  */
 315        ESP_EM__MP_HW_WAIT_CLEAN
 316    }
 317#else
 318    /* no HW timeout if we don't know the platform. assumes no HW */
 319#endif
 320
 321#if defined(WOLFSSL_HW_METRICS)
 322    /* The wait timeout is separate from the overall max calc timeout. */
 323    if (timeout > esp_mp_max_wait_timeout) {
 324        esp_mp_max_wait_timeout = timeout;
 325    }
 326    /* Also see if the overall timeout has been increased. */
 327    if (timeout > esp_mp_max_timeout) {
 328        esp_mp_max_timeout = timeout;
 329    }
 330#endif
 331
 332    if (ESP_TIMEOUT(timeout)) {
 333        /* This is highly unusual and will likely only occur in multi-threaded
 334         * application. wolfSSL ctx is not thread safe. */
 335    #ifndef SINGLE_THREADED
 336        ESP_LOGI(TAG, "Consider #define SINGLE_THREADED. See docs");
 337    #endif
 338        ESP_LOGE(TAG, "esp_mp_hw_wait_clean waiting HW ready timed out.");
 339        ret = WC_HW_WAIT_E; /* hardware is busy, MP_HW_BUSY; */
 340    }
 341    return ret;
 342}
 343
 344/*
 345** esp_mp_hw_islocked() - detect if we've locked the HW for use.
 346**
 347** WARNING: this does *not* detect separate calls to the
 348**          periph_module_disable() and periph_module_enable().
 349*/
 350static int esp_mp_hw_islocked(void)
 351{
 352    int ret = FALSE;
 353#ifdef SINGLE_THREADED
 354    if (single_thread_locked == FALSE) {
 355        /* not in use */
 356        ESP_LOGV(TAG, "SINGLE_THREADED esp_mp_hw_islocked = false");
 357    }
 358    else {
 359        ESP_LOGV(TAG, "SINGLE_THREADED esp_mp_hw_islocked = true");
 360        ret = TRUE;
 361    }
 362#else
 363    TaskHandle_t mutexHolder = xSemaphoreGetMutexHolder(mp_mutex);
 364    if (mutexHolder == NULL) {
 365        /* Mutex is not in use */
 366        ESP_LOGV(TAG, "multi-threaded esp_mp_hw_islocked = false");
 367    }
 368    else {
 369        ESP_LOGV(TAG, "multi-threaded esp_mp_hw_islocked = true");
 370        ret = TRUE;
 371    }
 372#endif
 373    return ret;
 374}
 375
 376/*
 377* esp_mp_hw_lock()
 378*
 379* Lock HW engine.
 380* This should be called before using engine.
 381*
 382* Returns 0 (ESP_OK) if the HW lock was initialized and mutex lock.
 383*
 384* See Chapter 24:
 385*   esp32_technical_reference_manual_en.pdf
 386*
 387* The RSA Accelerator is activated by enabling the corresponding peripheral
 388* clock, and by clearing the DPORT_RSA_PD bit in the DPORT_RSA_PD_CTRL_REG
 389* register. This releases the RSA Accelerator from reset.
 390*
 391* When the RSA Accelerator is released from reset, the register RSA_CLEAN_REG
 392* reads 0 and an initialization process begins. Hardware initializes the four
 393* memory blocks by setting them to 0. After initialization is complete,
 394* RSA_CLEAN_REG reads 1. For this reason, software should query RSA_CLEAN_REG
 395* after being released from reset, and before writing to any RSA Accelerator
 396* memory blocks or registers for the first time.
 397*/
 398static int esp_mp_hw_lock(void)
 399{
 400    int ret = ESP_OK;
 401
 402    ESP_LOGV(TAG, "enter esp_mp_hw_lock");
 403#ifdef SINGLE_THREADED
 404    single_thread_locked = TRUE;
 405#else
 406    if (espmp_CryptHwMutexInit == ESP_OK) {
 407        ret = esp_CryptHwMutexInit(&mp_mutex);
 408        if (ret == ESP_OK) {
 409            /* flag esp mp as initialized */
 410            espmp_CryptHwMutexInit = TRUE;
 411        }
 412        else {
 413            ESP_LOGE(TAG, "mp mutex initialization failed.");
 414        }
 415    }
 416    else {
 417        /* mp_mutex has already been initialized */
 418    }
 419
 420    /* Set our mutex to indicate the HW is in use */
 421    if (ret == ESP_OK) {
 422        /* lock hardware; there should be exactly one instance
 423         * of esp_CryptHwMutexLock(&mp_mutex ...) in code  */
 424
 425        ret = esp_CryptHwMutexLock(&mp_mutex, ESP_MP_HW_LOCK_MAX_DELAY);
 426        if (ret != ESP_OK) {
 427            ESP_LOGE(TAG, "mp engine lock failed.");
 428            ret = WC_HW_WAIT_E; /* caller is expected to fall back to SW */
 429        }
 430   }
 431#endif /* not SINGLE_THREADED */
 432
 433#if defined(CONFIG_IDF_TARGET_ESP32)
 434    /* Enable RSA hardware */
 435    if (ret == ESP_OK) {
 436        periph_module_enable(PERIPH_RSA_MODULE);
 437        portENTER_CRITICAL_SAFE(&wc_rsa_reg_lock);
 438        {
 439            /* clear bit to enable hardware operation; (set to disable) */
 440            DPORT_REG_CLR_BIT(DPORT_RSA_PD_CTRL_REG, DPORT_RSA_PD);
 441            ESP_EM__POST_SP_MP_HW_LOCK
 442
 443        }
 444        portEXIT_CRITICAL_SAFE(&wc_rsa_reg_lock);
 445    }
 446#elif defined(CONFIG_IDF_TARGET_ESP32C3)
 447    /* Activate the RSA accelerator. See 20.3 of ESP32-C3 technical manual.
 448     * periph_module_enable doesn't seem to be documented and in private folder
 449     * with v5 release. Maybe it will be deprecated?
 450     *
 451     * The ESP32-C3 RSA Accelerator is activated by:
 452     * setting the SYSTEM_CRYPTO_RSA_CLK_EN bit in the SYSTEM_PERIP_CLK_EN1_REG
 453     * register and:
 454     * clearing the SYSTEM_RSA_MEM_PD bit in the SYSTEM_RSA_PD_CTRL_REG reg.
 455     * This releases the RSA Accelerator from reset.*/
 456    if (ret == ESP_OK) {
 457        periph_module_enable(PERIPH_RSA_MODULE);
 458        portENTER_CRITICAL_SAFE(&wc_rsa_reg_lock);
 459        {
 460            DPORT_REG_SET_BIT((volatile void *)(SYSTEM_PERIP_CLK_EN1_REG),
 461                                                SYSTEM_CRYPTO_RSA_CLK_EN );
 462            DPORT_REG_CLR_BIT((volatile void *)(SYSTEM_RSA_PD_CTRL_REG),
 463                                                SYSTEM_RSA_MEM_PD );
 464        }
 465        portEXIT_CRITICAL_SAFE(&wc_rsa_reg_lock);
 466    }
 467#elif defined(CONFIG_IDF_TARGET_ESP32C6)
 468    /* See: 21.3 Functional Description
 469     *
 470     * The RSA accelerator is activated on the ESP32-C6 by:
 471     *   setting  the PCR_RSA_CLK_EN bit
 472     *      and
 473     *   clearing the PCR_RSA_RST_EN bit
 474     * in the PCR_RSA_CONF_REG register.
 475     *
 476     * Additionally, users also need to clear PCR_DS_RST_EN bit to
 477     * reset Digital Signature (DS).*/
 478    if (ret == ESP_OK) {
 479        periph_module_enable(PERIPH_RSA_MODULE);
 480        portENTER_CRITICAL_SAFE(&wc_rsa_reg_lock);
 481        {
 482            /* TODO: When implementing DS (Digital Signature HW), need to
 483             * check if it is in use before disabling: */
 484            DPORT_REG_CLR_BIT((volatile void *)(PCR_DS_CONF_REG),
 485                                                PCR_DS_RST_EN );
 486
 487            DPORT_REG_SET_BIT((volatile void *)(PCR_RSA_CONF_REG),
 488                                                PCR_RSA_CLK_EN );
 489            DPORT_REG_CLR_BIT((volatile void *)(PCR_RSA_CONF_REG),
 490                                                PCR_RSA_RST_EN );
 491        }
 492        portEXIT_CRITICAL_SAFE(&wc_rsa_reg_lock);
 493    }
 494#elif defined(CONFIG_IDF_TARGET_ESP32S2)
 495    /* Activate the RSA accelerator. See 18.3 of ESP32-S2 technical manual.
 496     * periph_module_enable doesn't seem to be documented and in private folder
 497     * with v5 release. Maybe it will be deprecated? */
 498    if (ret == ESP_OK) {
 499        periph_module_enable(PERIPH_RSA_MODULE);
 500        portENTER_CRITICAL_SAFE(&wc_rsa_reg_lock);
 501        {
 502            /* Note these names are different from those in the documentation!
 503             *
 504             * Documentation lists the same names as the ESP32-C3:
 505             *
 506             * DPORT_REG_SET_BIT((volatile void *)(SYSTEM_PERIP_CLK_EN1_REG),
 507             *                   SYSTEM_CRYPTO_RSA_CLK_EN );
 508             * DPORT_REG_CLR_BIT((volatile void *)(SYSTEM_RSA_PD_CTRL_REG),
 509             *                   SYSTEM_RSA_MEM_PD );
 510             *
 511             * However, in the sytem_reg.h, the names below were found:
 512             */
 513            DPORT_REG_SET_BIT((volatile void *)(DPORT_CPU_PERIP_CLK_EN1_REG),
 514                                                DPORT_CRYPTO_RSA_CLK_EN );
 515            DPORT_REG_CLR_BIT((volatile void *)(DPORT_RSA_PD_CTRL_REG),
 516                                                DPORT_RSA_MEM_PD );
 517        }
 518        portEXIT_CRITICAL_SAFE(&wc_rsa_reg_lock);
 519    }
 520#elif defined(CONFIG_IDF_TARGET_ESP32S3)
 521    /* Activate the RSA accelerator. See 20.3 of ESP32-S3 technical manual.
 522     * periph_module_enable doesn't seem to be documented and in private folder
 523     * with v5 release. Maybe it will be deprecated? */
 524    if (ret == ESP_OK) {
 525        periph_module_enable(PERIPH_RSA_MODULE);
 526        portENTER_CRITICAL_SAFE(&wc_rsa_reg_lock);
 527        {
 528            /* clear bit to enable hardware operation; (set to disable) */
 529            DPORT_REG_CLR_BIT(SYSTEM_RSA_PD_CTRL_REG, SYSTEM_RSA_MEM_PD);
 530        }
 531        portEXIT_CRITICAL_SAFE(&wc_rsa_reg_lock);
 532    }
 533#else
 534    /* when unknown or not implemented, assume there's no HW to lock */
 535#endif
 536
 537    /* reminder: wait until RSA_CLEAN_REG reads 1
 538    **   see esp_mp_hw_wait_clean() */
 539    ESP_LOGV(TAG, "leave esp_mp_hw_lock");
 540    return ret;
 541}
 542
 543/*
 544**  Release RSA HW engine
 545*/
 546static int esp_mp_hw_unlock(void)
 547{
 548    int ret = MP_OKAY;
 549    if (esp_mp_hw_islocked()) {
 550
 551#if defined(CONFIG_IDF_TARGET_ESP32)
 552        /* set bit to disabled hardware operation; (clear to enable) */
 553        DPORT_REG_SET_BIT(DPORT_RSA_PD_CTRL_REG, DPORT_RSA_PD);
 554
 555        /* Disable RSA hardware */
 556        periph_module_disable(PERIPH_RSA_MODULE);
 557#elif defined(CONFIG_IDF_TARGET_ESP32C3)
 558        /* Deactivate the RSA accelerator.
 559         * See 20.3 of ESP32-C3 technical manual.
 560         * periph_module_enable doesn't seem to be documented and in private
 561         * folder with v5 release. Maybe it will be deprecated?
 562         * The ESP32-C3 RSA Accelerator is activated by:
 563         * setting the SYSTEM_CRYPTO_RSA_CLK_EN bit
 564         *      in the SYSTEM_PERIP_CLK_EN1_REG register and:
 565         * clearing the SYSTEM_RSA_MEM_PD bit
 566         *      in the SYSTEM_RSA_PD_CTRL_REG reg.
 567         * This releases the RSA Accelerator from reset.*/
 568        portENTER_CRITICAL_SAFE(&wc_rsa_reg_lock);
 569        {
 570            DPORT_REG_CLR_BIT(
 571                 (volatile void *)(DR_REG_RSA_BASE + SYSTEM_CRYPTO_RSA_CLK_EN),
 572                                   SYSTEM_PERIP_CLK_EN1_REG);
 573            DPORT_REG_SET_BIT(
 574                (volatile void *)(DR_REG_RSA_BASE + SYSTEM_RSA_MEM_PD),
 575                                  SYSTEM_RSA_PD_CTRL_REG);
 576        }
 577        portEXIT_CRITICAL_SAFE(&wc_rsa_reg_lock);
 578#elif defined(CONFIG_IDF_TARGET_ESP32C6)
 579        /* TODO: When implementing DS (Digital Signature HW), need to
 580         * notify RSA HW is available. */
 581
 582        portENTER_CRITICAL_SAFE(&wc_rsa_reg_lock);
 583        {
 584            DPORT_REG_SET_BIT((volatile void *)(PCR_RSA_CONF_REG),
 585                                                PCR_RSA_RST_EN);
 586            DPORT_REG_CLR_BIT((volatile void *)(PCR_RSA_CONF_REG),
 587                                                PCR_RSA_CLK_EN);
 588        }
 589        portEXIT_CRITICAL_SAFE(&wc_rsa_reg_lock);
 590
 591#elif defined(CONFIG_IDF_TARGET_ESP32S2)
 592        /* Deactivate the RSA accelerator.
 593         * See 20.3 of ESP32-S3 technical manual.
 594         * periph_module_enable doesn't seem to be documented and is
 595         * in private folder with v5 release. Maybe it will be deprecated? */
 596        DPORT_REG_SET_BIT(DPORT_RSA_PD_CTRL_REG, DPORT_RSA_MEM_PD);
 597        periph_module_disable(PERIPH_RSA_MODULE);
 598
 599#elif defined(CONFIG_IDF_TARGET_ESP32S3)
 600        /* Deactivate the RSA accelerator.
 601         * See 20.3 of ESP32-S3 technical manual.
 602         * periph_module_enable doesn't seem to be documented and is
 603         * in private folder with v5 release. Maybe it will be deprecated? */
 604        DPORT_REG_SET_BIT(SYSTEM_RSA_PD_CTRL_REG, SYSTEM_RSA_MEM_PD);
 605        periph_module_disable(PERIPH_RSA_MODULE);
 606#else
 607        /* unknown platform, assume no HW to unlock  */
 608        ESP_LOGW(TAG, "Warning: esp_mp_hw_unlock called for unknown target");
 609#endif  /* per-SoC unlock */
 610
 611#if defined(SINGLE_THREADED)
 612        single_thread_locked = FALSE;
 613#else
 614        esp_CryptHwMutexUnLock(&mp_mutex);
 615#endif /* SINGLE_THREADED */
 616
 617        ESP_LOGV(TAG, "exit esp_mp_hw_unlock");
 618    }
 619    else {
 620#ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
 621        ESP_LOGW(TAG, "Warning: esp_mp_hw_unlock called when not locked.");
 622#endif
 623    }
 624
 625    return ret;
 626}
 627
 628/* Only mulmod and mulexp_mod HW accelerator need Montgomery math prep: M' */
 629#if !defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD) \
 630      || \
 631    !defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD)
 632
 633static int esp_calc_Mdash(MATH_INT_T *M, word32 k, mp_digit* md)
 634{
 635    int ret = MP_OKAY;
 636    ESP_LOGV(TAG, "\nBegin esp_calc_Mdash \n");
 637
 638#ifdef USE_ALT_MPRIME
 639    /* M' = M^(-1) mod b; b = 2^32 */
 640
 641    /* Call Large Number Modular Exponentiation
 642     *
 643     *    Z = X^Y mod M
 644     *
 645     *    mp_exptmod notation: Y = (G ^ X) mod P
 646     *
 647     *    G is our parameter: M
 648     */
 649    MATH_INT_T X[1] = { };
 650    MATH_INT_T P[1] = { };
 651    MATH_INT_T Y[1] = { };
 652    word32 Xs;
 653
 654    ESP_LOGV(TAG, "\nBegin esp_calc_Mdash USE_ALT_MPRIME\n");
 655
 656    mp_init(X);
 657    mp_init(P);
 658    mp_init(Y);
 659
 660    /* MATH_INT_T value of (-1) */
 661    X->dp[0] = 1;
 662    X->sign = MP_NEG;
 663    X->used = 1;
 664
 665    Xs = mp_count_bits(X);
 666
 667    /* MATH_INT_T value of 2^32 */
 668    P->dp[1] = 1;
 669    P->used = 2;
 670
 671    /* this fails due to even P number; ((b & 1) == 0) in fp_montgomery_setup()
 672     * called from _fp_exptmod_ct, called from fp_exptmod */
 673    ret = mp_exptmod(M, X, P, Y);
 674
 675    *md = Y->dp[0];
 676    ESP_LOGI(TAG, "esp_calc_Mdash %u", *md);
 677#else
 678    /* this is based on an article by Cetin Kaya Koc,
 679     * A New Algorithm for Inversion: mod p^k, June 28 2017 */
 680    int i;
 681    int xi;
 682    int b0 = 1;
 683    int bi;
 684    word32  N = 0;
 685    word32  x;
 686    ESP_LOGV(TAG, "\nBegin esp_calc_Mdash\n");
 687
 688    N = M->dp[0];
 689    bi = b0;
 690    x  = 0;
 691
 692    for (i = 0; i < k; i++) {
 693        xi = bi % 2;
 694        if (xi < 0) {
 695            xi *= -1;
 696        }
 697        bi = (bi - N * xi) / 2;
 698        x |= (xi << i);
 699    }
 700    /* 2's complement */
 701    *md = ~x + 1;
 702#endif
 703
 704    ESP_LOGV(TAG, "\nEnd esp_calc_Mdash \n");
 705    return ret;
 706}
 707#endif /* !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_[MULMOD/EXPTMOD] for M' */
 708
 709/* the result may need to have extra bytes zeroed or used length adjusted */
 710static int esp_clean_result(MATH_INT_T* Z, int used_padding)
 711{
 712    int ret = MP_OKAY;
 713    uint16_t this_extra;
 714
 715/* TODO remove this section if MP_SIZE accepted into sp_int.h
 716** See https://github.com/wolfSSL/wolfssl/pull/6565 */
 717    uint16_t dp_length = 0; (void) dp_length;
 718#ifdef USE_FAST_MATH
 719    #undef MP_SIZE
 720    #define MP_SIZE FP_SIZE
 721    dp_length = FP_SIZE;
 722#else
 723    #undef MP_SIZE
 724    #define MP_SIZE 128
 725    dp_length = SP_INT_DIGITS;
 726#endif
 727/* TODO end */
 728
 729    this_extra = Z->used;
 730    if (this_extra > MP_SIZE) {
 731        ESP_LOGW(TAG, "Warning (Z->used: %d) > (MP_SIZE: %d); adjusting...",
 732                                Z->used,        MP_SIZE);
 733        this_extra = MP_SIZE;
 734    }
 735
 736    while (Z->dp[this_extra] > 0 && (this_extra < MP_SIZE)) {
 737        ESP_LOGV(TAG, "Adjust! %d", this_extra);
 738        Z->dp[this_extra] = 0;
 739        this_extra++;
 740    }
 741
 742    /* trim any trailing zeros and adjust z.used size */
 743    if (Z->used > 0) {
 744        ESP_LOGV(TAG, "ZTrim: Z->used = %d", Z->used);
 745        for (size_t i = Z->used; i > 0; i--) {
 746            if (Z->dp[i - 1] == 0) {
 747                /* last element in zero based array */
 748                Z->used = i - 1;
 749            }
 750            else {
 751                break; /* if not zero, nothing else to do */
 752            }
 753        }
 754        ESP_LOGV(TAG, "New Z->used = %d", Z->used);
 755    }
 756    else {
 757        ESP_LOGV(TAG, "no z-trim needed");
 758    }
 759
 760#if defined(WOLFSSL_SP_INT_NEGATIVE) || defined(USE_FAST_MATH)
 761    if (Z->sign != 0) {
 762        mp_setneg(Z); /* any value other than zero is assumed negative */
 763    }
 764#endif
 765
 766    /* a result of 1 is interesting */
 767    if ((Z->dp[0] == 1) && (Z->used == 1)) {
 768        /*
 769         * When the exponent is 0: In this case, the result of the modular
 770         * exponentiation operation will always be 1, regardless of the value
 771         * of the base.
 772         *
 773         * When the base is 1: If the base is equal to 1, then the result of
 774         * the modular exponentiation operation will always be 1, regardless
 775         * of the value of the exponent.
 776         *
 777         * When the exponent is equal to the totient of the modulus: If the
 778         * exponent is equal to the totient of the modulus, and the base is
 779         * relatively prime to the modulus, then the result of the modular
 780         * exponentiation operation will be 1.
 781         */
 782        ESP_LOGV(TAG, "Z->dp[0] == 1");
 783    }
 784
 785    return ret;
 786}
 787
 788/* Start HW process. Reg is SoC-specific register. */
 789static int process_start(u_int32_t reg)
 790{
 791    int ret = MP_OKAY;
 792    /* see 3.16 "software needs to always use the "volatile"
 793    ** attribute when accessing registers in these two address spaces. */
 794    DPORT_REG_WRITE((volatile word32*)reg, 1);
 795    ESP_EM__POST_PROCESS_START;
 796
 797    return ret;
 798}
 799
 800/* wait until RSA math register indicates operation completed */
 801static int wait_until_done(word32 reg)
 802{
 803    int ret = MP_OKAY;
 804    word32 timeout = 0;
 805
 806    /* wait until done && not timeout */
 807    ESP_EM__MP_HW_WAIT_DONE;
 808    while (!ESP_TIMEOUT(++timeout) && DPORT_REG_READ(reg) != 1) {
 809        asm volatile("nop"); /* wait */
 810    }
 811    ESP_EM__DPORT_FIFO_READ;
 812
 813#if defined(CONFIG_IDF_TARGET_ESP32C6)
 814    /* Write 1 or 0 to the RSA_INT_ENA_REG register to
 815     * enable or disable the interrupt function. */
 816    DPORT_REG_WRITE(RSA_INT_CLR_REG, 1); /* write 1 to clear */
 817    DPORT_REG_WRITE(RSA_INT_ENA_REG, 0); /* disable */
 818
 819#elif defined(CONFIG_IDF_TARGET_ESP32C3)
 820    /* not currently clearing / disable on C3 */
 821    DPORT_REG_WRITE(RSA_INTERRUPT_REG, 1);
 822
 823#else
 824    /* clear interrupt */
 825    DPORT_REG_WRITE(RSA_INTERRUPT_REG, 1);
 826
 827#endif
 828
 829#if defined(WOLFSSL_HW_METRICS)
 830    if (timeout > esp_mp_max_timeout) {
 831        esp_mp_max_timeout = timeout;
 832    }
 833#endif
 834
 835    if (ESP_TIMEOUT(timeout)) {
 836        ESP_LOGE(TAG, "rsa operation timed out.");
 837        ret = WC_HW_E; /* MP_HW_ERROR; */
 838    }
 839
 840    return ret;
 841}
 842
 843/* read data from memory into mp_init          */
 844static int esp_memblock_to_mpint(const word32 mem_address,
 845                                 MATH_INT_T* mp,
 846                                 word32 numwords)
 847{
 848    int ret = MP_OKAY;
 849#ifdef USE_ESP_DPORT_ACCESS_READ_BUFFER
 850    esp_dport_access_read_buffer((word32*)mp->dp, mem_address, numwords);
 851#else
 852    ESP_EM__PRE_DPORT_READ;
 853    DPORT_INTERRUPT_DISABLE();
 854    ESP_EM__READ_NON_FIFO_REG;
 855    for (volatile word32 i = 0;  i < numwords; ++i) {
 856        ESP_EM__3_16;
 857        mp->dp[i] = DPORT_SEQUENCE_REG_READ(
 858                        (volatile word32)(mem_address + i * 4));
 859    }
 860    DPORT_INTERRUPT_RESTORE();
 861#endif
 862    mp->used = numwords;
 863
 864#if defined(ESP_VERIFY_MEMBLOCK)
 865    ret = XMEMCMP((const word32 *)mem_address, /* HW reg memory */
 866                  (const word32 *)&mp->dp,     /* our dp value  */
 867                  numwords * sizeof(word32));
 868
 869    if (ret != ESP_OK) {
 870        ESP_LOGW(TAG, "Validation Failure esp_memblock_to_mpint.\n"
 871                      "Reading %u Words at Address =  0x%08x",
 872                       (int)(numwords * sizeof(word32)),
 873                       (unsigned int)mem_address);
 874        ESP_LOGI(TAG, "Trying again... ");
 875        esp_dport_access_read_buffer((word32*)mp->dp, mem_address, numwords);
 876        mp->used = numwords;
 877        if (0 != XMEMCMP((const void *)mem_address,
 878                         (const void *)&mp->dp,
 879                         numwords * sizeof(word32))) {
 880            ESP_LOGE(TAG, "Validation Failure esp_memblock_to_mpint "
 881                           "a second time. Giving up.");
 882            ret = MP_VAL;
 883        }
 884        else {
 885            ESP_LOGI(TAG, "Successfully re-read after Validation Failure.");
 886            ret = MP_VAL;
 887        }
 888    }
 889#endif
 890    return ret;
 891}
 892
 893#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
 894/* Write 0x00 to [wordSz] words of register memory starting at mem_address */
 895#if defined(CONFIG_IDF_TARGET_ESP32)
 896/* only the classic has memblock clear due to slightly different data layout */
 897static int esp_zero_memblock(u_int32_t mem_address, int wordSz)
 898{
 899    int ret = MP_OKAY;
 900
 901    ESP_EM__PRE_DPORT_WRITE;
 902    DPORT_INTERRUPT_DISABLE();
 903    for (int i=0; i < wordSz; i++) {
 904        DPORT_REG_WRITE(
 905            (volatile u_int32_t *)(mem_address + (i * sizeof(word32))),
 906            (u_int32_t)(0) /* zero memory blocks [wordSz] words long */
 907        );
 908    }
 909    DPORT_INTERRUPT_RESTORE();
 910    return ret;
 911}
 912#endif /* CONFIG_IDF_TARGET_ESP32 */
 913#endif /* not NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */
 914
 915/* write MATH_INT_T mp value (dp[]) into memory block */
 916static int esp_mpint_to_memblock(u_int32_t mem_address,
 917                                 const MATH_INT_T* mp,
 918                                 const word32 bits,
 919                                 const word32 hwords)
 920{
 921    int ret = MP_OKAY;
 922
 923    /* init */
 924    word32 i; /* memory offset counter */
 925    word32 len; /* actual number of words to write to register */
 926
 927    len = (bits / 8 + ((bits & 7) != 0 ? 1 : 0));
 928    len = (len + sizeof(word32)-1) / sizeof(word32);
 929
 930    /* write */
 931    ESP_EM__PRE_DPORT_WRITE;
 932    DPORT_INTERRUPT_DISABLE();
 933    for (i=0; i < hwords; i++) {
 934        if (i < len) {
 935            /* write our data */
 936            ESP_LOGV(TAG, "Write i = %d value.", i);
 937            DPORT_REG_WRITE(
 938                (volatile u_int32_t*)(mem_address + (i * sizeof(word32))),
 939                mp->dp[i]
 940            ); /* DPORT_REG_WRITE */
 941        }
 942        else {
 943            /* write zeros */
 944            /* TODO we may be able to skip zero in certain circumstances */
 945            if (i == 0) {
 946                ESP_LOGV(TAG, "esp_mpint_to_memblock zero?");
 947            }
 948            ESP_LOGV(TAG, "Write i = %d value = zero.", i);
 949            DPORT_REG_WRITE(
 950                (volatile u_int32_t*)(mem_address + (i * sizeof(word32))),
 951                (u_int32_t)0 /* writing 4 bytes of zero */
 952            ); /* DPORT_REG_WRITE */
 953        }
 954    }
 955    DPORT_INTERRUPT_RESTORE();
 956
 957    /* optional re-read verify */
 958#if defined(ESP_VERIFY_MEMBLOCK)
 959    len = XMEMCMP((const void *)mem_address, /* HW reg memory */
 960                  (const void *)&mp->dp,     /* our dp value  */
 961                  hwords * sizeof(word32)
 962                 );
 963    if (len != 0) {
 964        ESP_LOGE(TAG, "esp_mpint_to_memblock compare fails at %d", len);
 965    #ifdef DEBUG_WOLFSSL
 966        esp_show_mp("mp", (MATH_INT_T*)mp);
 967    #endif
 968        ret = MP_VAL;
 969    }
 970#endif
 971    return ret;
 972}
 973
 974/* return needed HW words.
 975 * supported words length
 976 *  words    : { 16,   32,  48,    64,   80,   96,  112,  128}
 977 *  bits     : {512, 1024, 1536, 2048, 2560, 3072, 3584, 4096}
 978 */
 979static word32 words2hwords(word32 wd)
 980{
 981    const word32 bit_shift  = 4;
 982
 983    return (((wd + 0xf) >> bit_shift) << bit_shift);
 984}
 985
 986/* count the number of words is needed for bits */
 987static word32 bits2words(word32 bits)
 988{
 989    /* 32 bits */
 990    const word32 d = sizeof(word32) * WOLFSSL_BIT_SIZE;
 991
 992    return ((bits + (d - 1)) / d);
 993}
 994
 995/* exptmod and mulmod helpers as needed */
 996#if !defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD) \
 997      ||  \
 998    !defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD)
 999/* rinv and M' only used for mulmod and mulexp_mod */
1000
1001/* get rinv */
1002static int esp_get_rinv(MATH_INT_T *rinv, MATH_INT_T *M, word32 exp)
1003{
1004#ifdef DEBUG_WOLFSSL
1005    MATH_INT_T rinv2[1];
1006    MATH_INT_T M2[1];
1007    int reti = MP_OKAY;
1008#endif
1009    int ret = MP_OKAY;
1010
1011    ESP_LOGV(TAG, "\nBegin esp_get_rinv \n");
1012#ifdef DEBUG_WOLFSSL
1013    mp_copy(M, M2); /* copy (src = M) to (dst = M2) */
1014    mp_copy(rinv, rinv2); /* copy (src = M) to (dst = M2) */
1015#endif
1016
1017    /* 2^(exp)
1018     *
1019     * rinv will have all zeros with a 1 in last word.
1020     * e.g. exp=2048 will have a 1 in dp[0x40] = dp[64]
1021     * this is the 65'th element (zero based)
1022     * Value for used = 0x41 = 65
1023     **/
1024    ret = mp_2expt(rinv, exp);
1025    if (ret == MP_OKAY) {
1026        ret = mp_mod(rinv, M, rinv);
1027    }
1028    else {
1029        ESP_LOGE(TAG, "failed to calculate mp_2expt()");
1030    }
1031
1032    /* r_inv = R^2 mod M(=P) */
1033    if (ret == MP_OKAY) {
1034        ESP_LOGV(TAG, "esp_get_rinv compute success");
1035    }
1036    else {
1037        ESP_LOGE(TAG, "failed to calculate mp_mod()");
1038    }
1039
1040#ifdef DEBUG_WOLFSSL
1041    if (ret == MP_OKAY) {
1042
1043        /* computes a = B**n mod b without division or multiplication useful for
1044        * normalizing numbers in a Montgomery system. */
1045        reti = mp_montgomery_calc_normalization(rinv2, M2);
1046        if (reti == MP_OKAY) {
1047            ESP_LOGV(TAG, "mp_montgomery_calc_normalization = %d", reti);
1048        }
1049        else {
1050            ESP_LOGW(TAG, "Error Montgomery calc M2 result = %d", reti);
1051        }
1052    }
1053#endif
1054
1055    ESP_LOGV(TAG, "\nEnd esp_get_rinv \n");
1056    return ret;
1057}
1058#endif /* ! xEXPTMOD || ! xMULMOD for rinv */
1059
1060/* during debug, we'll compare HW to SW results */
1061int esp_hw_validation_active(void)
1062{
1063#ifdef DEBUG_WOLFSSL
1064    return IS_HW_VALIDATION;
1065#else
1066    return 0; /* we're never validating when not debugging */
1067#endif
1068}
1069
1070/* useful during debugging and error display,
1071 * we can show all the mp helper calc values */
1072int esp_show_mph(struct esp_mp_helper* mph)
1073{
1074    int ret = MP_OKAY;
1075
1076    if (mph == NULL) {
1077        /* if a bad mp helper passed, we cannot use HW */
1078        ESP_LOGE(TAG, "ERROR: Bad esp_mp_helper for esp_show_mph");
1079        return MP_VAL;
1080    }
1081
1082    if (mph->Xs != 0)
1083        ESP_LOGI(TAG, "Xs %d", mph->Xs);
1084    if (mph->Ys != 0)
1085        ESP_LOGI(TAG, "Ys %d", mph->Ys);
1086    if (mph->Ms != 0)
1087        ESP_LOGI(TAG, "Ms %d", mph->Ms);
1088    if (mph->Rs != 0)
1089        ESP_LOGI(TAG, "Rs %d", mph->Rs);
1090    if (mph->maxWords_sz != 0)
1091        ESP_LOGI(TAG, "maxWords_sz %d", mph->maxWords_sz);
1092    if (mph->hwWords_sz != 0)
1093        ESP_LOGI(TAG, "hwWords_sz %d", mph->hwWords_sz);
1094    if (mph->mp != 0)
1095        ESP_LOGI(TAG, "mp %d", mph->mp);
1096#ifdef DEBUG_WOLFSSL
1097    if (mph->mp2 != 0)
1098        ESP_LOGI(TAG, "mp2 %d", mph->mp2);
1099#endif
1100    if (mph->r_inv.used != 0)
1101        esp_show_mp("r_inv", &(mph->r_inv));
1102    return ret;
1103}
1104
1105#if !defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD) \
1106      ||  \
1107    !defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD)
1108/* only when using exptmod or mulmod, we have some helper functions. */
1109
1110/* given X, Y, M - setup mp hardware and other helper values.*/
1111int esp_mp_montgomery_init(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M,
1112                           struct esp_mp_helper* mph)
1113{
1114    int ret = MP_OKAY;
1115    int exp;
1116
1117    if (mph == NULL) {
1118        /* if a bad mp helper passed, we cannot use HW */
1119        ESP_LOGE(TAG, "ERROR: Bad esp_mp_helper, falling back to SW");
1120        return MP_HW_FALLBACK;
1121    }
1122    if ((X == NULL) || (Y == NULL) || (M == NULL) ) {
1123        /* if a bad operand passed, we cannot use HW */
1124        ESP_LOGE(TAG, "ERROR: Bad Montgomery operand, falling back to SW");
1125        return MP_HW_FALLBACK;
1126    }
1127    XMEMSET(mph, 0, sizeof(struct esp_mp_helper));
1128    mph->Xs = mp_count_bits(X); /* X's = the number of bits needed */
1129
1130#if (ESP_PROHIBIT_SMALL_X == TRUE)
1131    /* optionally prohibit small X.
1132    ** note this is very common in ECC: [1] * [Y] mod [M] */
1133    if ((X->used == 1) && (X->dp[1] < (1 << 8))) {
1134    #ifdef WOLFSSL_HW_METRICS
1135        esp_mp_mulmod_small_x_ct++;
1136    #endif
1137        ESP_LOGW(TAG, "esp_mp_montgomery_init MP_HW_FALLBACK Xs = %d",
1138                       mph->Xs);
1139        ret = MP_HW_FALLBACK;
1140    }
1141#endif
1142
1143    /* prohibit small Y */
1144    if (ret == MP_OKAY) {
1145        mph->Ys = mp_count_bits(Y); /* init Y's to pass to Montgomery init */
1146
1147        if (mph->Xs <= ESP_RSA_EXPT_XBITS) {
1148            /* hard floor 8 bits, problematic in some older ESP32 chips */
1149            #ifdef WOLFSSL_HW_METRICS
1150            {
1151                /* track how many times we fall back */
1152                esp_mp_mulmod_small_x_ct++;
1153            }
1154            #endif
1155            ESP_LOGV(TAG,
1156                "esp_mp_montgomery_init MP_HW_FALLBACK Xs = %d",
1157                mph->Xs);
1158            ret = MP_HW_FALLBACK; /* fall back to software calc at exit */
1159        } /* mph->Xs <= ESP_RSA_EXPT_XBITS */
1160        else {
1161            if (mph->Ys <= ESP_RSA_EXPT_YBITS) {
1162            /* hard floor 8 bits, problematic in some older ESP32 chips */
1163            #ifdef WOLFSSL_HW_METRICS
1164            {
1165                /* track how many times we fall back */
1166                esp_mp_mulmod_small_y_ct++;
1167            }
1168            #endif
1169            ESP_LOGV(TAG,
1170                "esp_mp_montgomery_init MP_HW_FALLBACK Ys = %d",
1171                mph->Ys);
1172            ret = MP_HW_FALLBACK; /* fall back to software calc at exit */
1173            } /* Ys <= ESP_RSA_EXPT_YBITS */
1174            else {
1175                /* X and Y size ok, continue... */
1176                mph->Ms = mp_count_bits(M);
1177                /* maximum bits and words for writing to HW */
1178                mph->maxWords_sz = bits2words(max(mph->Xs,
1179                                                  max(mph->Ys, mph->Ms)));
1180                mph->hwWords_sz  = words2hwords(mph->maxWords_sz);
1181
1182                if ((mph->hwWords_sz << 5) > ESP_HW_RSAMAX_BIT) {
1183            #if defined(WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS) || \
1184                defined(WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS)
1185                    ESP_LOGW(TAG, "Warning: hwWords_sz = %d (%d bits)"
1186                                  " exceeds HW maximum bits (%d), "
1187                                  " falling back to SW.",
1188                        mph->hwWords_sz,
1189                        mph->hwWords_sz << 5,
1190                        ESP_HW_RSAMAX_BIT);
1191            #endif
1192                    /* The fallback error code is expected to be handled by
1193                     * caller to perform software instead. */
1194                    ret = MP_HW_FALLBACK;
1195                } /* hwWords_sz check  */
1196            } /* X and Y size ok */
1197        } /* X size check */
1198    } /* Prior operation ok */
1199
1200    ESP_LOGV(TAG, "hwWords_sz = %d", mph->hwWords_sz);
1201
1202    /* calculate r_inv = R^2 mode M
1203    *    where: R = b^n, and b = 2^32
1204    *    accordingly R^2 = 2^(n*32*2)
1205    */
1206#if defined(CONFIG_IDF_TARGET_ESP32)
1207    exp = mph->hwWords_sz << 6;
1208#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
1209    exp = mph->maxWords_sz * BITS_IN_ONE_WORD * 2;
1210#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
1211    exp = mph->maxWords_sz * BITS_IN_ONE_WORD * 2;
1212#else
1213    exp = 0; /* no HW, no Montgomery HW init */
1214#endif
1215
1216    if (ret == MP_OKAY && (M != NULL)) {
1217        ret = mp_init((mp_int*)&(mph->r_inv));
1218        if (ret == MP_OKAY) {
1219            ret = esp_get_rinv( (mp_int*)&(mph->r_inv), M, exp);
1220            if (ret == MP_OKAY) {
1221                mph->Rs = mp_count_bits((mp_int*)&(mph->r_inv));
1222            }
1223            else {
1224                ESP_LOGE(TAG, "calculate r_inv failed.");
1225                ret = MP_VAL;
1226            } /* esp_get_rinv check */
1227        } /* mp_init success */
1228        else {
1229            ESP_LOGE(TAG, "calculate r_inv failed mp_init.");
1230            ret = MP_MEM;
1231        } /* mp_init check */
1232    } /* calculate r_inv */
1233
1234    /* if we were successful in r_inv, next get M' */
1235    if (ret == MP_OKAY) {
1236#ifdef DEBUG_WOLFSSL
1237        ret = mp_montgomery_setup(M, &(mph->mp2) );
1238#endif
1239        /* calc M' */
1240        /* if Pm is odd, uses mp_montgomery_setup() */
1241        ret = esp_calc_Mdash(M, 32/* bits */, &(mph->mp));
1242        if (ret != MP_OKAY) {
1243            ESP_LOGE(TAG, "failed esp_calc_Mdash()");
1244        }
1245    }
1246
1247#ifdef DEBUG_WOLFSSL
1248    if (ret == MP_OKAY) {
1249        if (mph->mp == mph->mp2) {
1250            ESP_LOGV(TAG, "M' match esp_calc_Mdash vs mp_montgomery_setup "
1251                          "= %ul  !", mph->mp);
1252        }
1253        else {
1254            ESP_LOGW(TAG,
1255                     "\n\n"
1256                     "M' MISMATCH esp_calc_Mdash = 0x%08x = %d \n"
1257                     "vs mp_montgomery_setup     = 0x%08x = %d \n\n",
1258                     mph->mp,
1259                     mph->mp,
1260                     mph->mp2,
1261                     mph->mp2);
1262            mph->mp = mph->mp2;
1263        }
1264    }
1265    else {
1266    #if 0
1267        esp_show_mp("X", X);
1268        esp_show_mp("Y", Y);
1269        esp_show_mp("M", M);
1270        esp_show_mph(mph);
1271    #endif
1272
1273        if (ret == MP_HW_FALLBACK) {
1274            ESP_LOGV(TAG, "esp_mp_montgomery_init exit falling back.");
1275
1276        }
1277        else {
1278            ESP_LOGE(TAG, "esp_mp_montgomery_init failed: return code = %d",
1279                           ret);
1280        }
1281    }
1282#endif
1283
1284    return ret;
1285} /* esp_mp_montgomery_init */
1286
1287#endif /* ! NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_[EXPTMOD|MULMOD] */
1288
1289#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
1290/* Large Number Multiplication
1291 *
1292 * See 24.3.3 of the ESP32 Technical Reference Manual
1293 *
1294 * Z = X * Y;  */
1295int esp_mp_mul(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* Z)
1296{
1297/* During debug, we may be validating against SW result. */
1298#ifdef DEBUG_WOLFSSL
1299    /* create a place to store copies to perform duplicate operations.
1300    ** copies needed as some operations overwrite operands: e.g. X = X * Y */
1301    MATH_INT_T X2[1];
1302    MATH_INT_T Y2[1];
1303    MATH_INT_T Z2[1];
1304    MATH_INT_T PEEK[1];
1305#endif
1306
1307    int ret = MP_OKAY; /* assume success until proven wrong */
1308    int mp_mul_lock_called = FALSE; /* May fall back to SW; track if locked */
1309
1310    /* we don't use the mph helper for mp_mul, so we'll calculate locally: */
1311    word32 Xs;
1312    word32 Ys;
1313    word32 Zs;
1314    word32 maxWords_sz = 0;
1315    word32 hwWords_sz = 0;
1316    word32 resultWords_sz = 0;
1317
1318#if defined(CONFIG_IDF_TARGET_ESP32)
1319    word32 left_pad_offset = 0;
1320#endif
1321
1322/* if we are supporting negative numbers, check that first since operands
1323 * may be later modified (e.g. Z = Z * X) */
1324#if defined(WOLFSSL_SP_INT_NEGATIVE) || defined(USE_FAST_MATH)
1325    /* neg check: X*Y becomes negative */
1326    int res_sign;
1327
1328    /* aka (X->sign == Y->sign) ? MP_ZPOS : MP_NEG; , but with mp_isneg(): */
1329    res_sign = (mp_isneg(X) == mp_isneg(Y)) ? MP_ZPOS : MP_NEG;
1330    if (res_sign) {
1331        /* Negative numbers are relatively infrequent.
1332         * May be interesting during verbose debugging: */
1333        ESP_LOGV(TAG, "mp_isneg(X) = %d; mp_isneg(Y) = %d; neg = %d ",
1334                       mp_isneg(X),      mp_isneg(Y),           res_sign);
1335    }
1336#endif
1337
1338#ifdef WOLFSSL_HW_METRICS
1339    esp_mp_max_used = (X->used > esp_mp_max_used) ? X->used : esp_mp_max_used;
1340    esp_mp_max_used = (Y->used > esp_mp_max_used) ? Y->used : esp_mp_max_used;
1341#endif
1342
1343    /* if either operand is zero, there's nothing to do.
1344     * Y checked first, as it was observed to be zero during
1345     * wolfcrypt tests more often than X */
1346    if (mp_iszero(Y) || mp_iszero(X)) {
1347        mp_forcezero(Z);
1348        return MP_OKAY;
1349    }
1350
1351#ifdef DEBUG_WOLFSSL
1352    /* The caller should have checked if the call was for a SW validation.
1353     * During debug, we'll return an error. */
1354    if (esp_hw_validation_active()) {
1355        return MP_HW_VALIDATION_ACTIVE;
1356    }
1357
1358    /* these occur many times during RSA calcs */
1359    if (X == Z) {
1360        ESP_LOGV(TAG, "mp_mul X == Z");
1361    }
1362    if (Y == Z) {
1363        ESP_LOGV(TAG, "mp_mul Y == Z");
1364    }
1365
1366    mp_init(X2);
1367    mp_init(Y2);
1368    mp_init(Z2);
1369
1370    mp_copy(X, X2); /* copy (src = X) to (dst = X2) */
1371    mp_copy(Y, Y2); /* copy (src = Y) to (dst = Y2) */
1372    mp_copy(Z, Z2); /* copy (src = Z) to (dst = Z2) */
1373
1374    if (IS_HW_VALIDATION) {
1375        ESP_LOGE(TAG, "Caller must not try HW when validation active.");
1376    }
1377    else {
1378        SET_HW_VALIDATION; /* force next mp_mul to SW for compare */
1379        mp_mul(X2, Y2, Z2);
1380        CLR_HW_VALIDATION;
1381    }
1382#endif /* DEBUG_WOLFSSL */
1383
1384    Xs = mp_count_bits(X);
1385    Ys = mp_count_bits(Y);
1386    Zs = Xs + Ys;
1387
1388    /* RSA Accelerator only supports Large Number Multiplication
1389     * with certain operand lengths N = (32 * x); See above. */
1390    if (Xs > ESP_HW_MULTI_RSAMAX_BITS) {
1391#if defined(WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS)
1392        ESP_LOGW(TAG, "mp-mul X %d bits exceeds max bit length (%d)",
1393                        Xs, ESP_HW_MULTI_RSAMAX_BITS);
1394#endif
1395        esp_mp_mul_max_exceeded_ct++;
1396        return MP_HW_FALLBACK;
1397    }
1398    if (Ys > ESP_HW_MULTI_RSAMAX_BITS) {
1399#if defined(WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS)
1400        ESP_LOGW(TAG, "mp-mul Y %d bits exceeds max bit length (%d)",
1401                        Ys, ESP_HW_MULTI_RSAMAX_BITS);
1402#endif
1403        esp_mp_mul_max_exceeded_ct++;
1404        return MP_HW_FALLBACK;
1405    }
1406
1407    /* sizeof(mp_digit) is typically 4 bytes.
1408     * If the total Zs fits into a 4 * 8 = 32 bit word, just do regular math: */
1409    if (Zs <= sizeof(mp_digit) * 8) {
1410        Z->dp[0] = X->dp[0] * Y->dp[0];
1411        Z->used = 1;
1412#if defined(WOLFSSL_SP_INT_NEGATIVE) || defined(USE_FAST_MATH)
1413        Z->sign = res_sign; /* See above mp_isneg() for negative detection */
1414#endif
1415#if defined(WOLFSSL_HW_METRICS)
1416        esp_mp_mul_tiny_ct++;
1417#endif
1418        return MP_OKAY;
1419    }
1420
1421    if (ret == MP_OKAY) {
1422        /* maximum bits and words for writing to HW */
1423        maxWords_sz = bits2words(max(Xs, Ys));
1424        hwWords_sz  = words2hwords(maxWords_sz);
1425
1426        resultWords_sz = bits2words(Xs + Ys);
1427
1428        /* Final parameter sanity check */
1429        if ( (hwWords_sz << 5) > ESP_HW_MULTI_RSAMAX_BITS) {
1430    #if defined(WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS)
1431            ESP_LOGW(TAG, "mp-mul exceeds max bit length (%d)",
1432                           ESP_HW_MULTI_RSAMAX_BITS);
1433    #endif
1434    #if defined(WOLFSSL_HW_METRICS)
1435            esp_mp_mul_max_exceeded_ct++;
1436    #endif
1437            return MP_HW_FALLBACK; /*  Fallback to use SW */
1438        }
1439    }
1440
1441    /* If no initial exit, proceed to hardware multiplication calculations: */
1442#if defined(CONFIG_IDF_TARGET_ESP32)
1443    /* assumed to be regular ESP32 Xtensa here */
1444
1445    /*Steps to use HW in the following order:
1446    * 1. wait until clean HW engine
1447    * 2. Write(2*N/512bits - 1 + 8) to MULT_MODE_REG
1448    * 3. Write X and Y to memory blocks
1449    *    need to write data to each memory block only according to the length
1450    *    of the number.
1451    * 4. Write 1  to MUL_START_REG
1452    * 5. Wait for the first operation to be done.
1453    *      Poll INTERRUPT_REG until it reads 1.
1454    *      (Or until the INTER interrupt is generated.)
1455    * 6. Write 1 to RSA_INTERRUPT_REG to clear the interrupt.
1456    * 7. Read the Z from RSA_Z_MEM
1457    * 8. Write 1 to RSA_INTERUPT_REG to clear the interrupt.
1458    * 9. Release the HW engine
1459    */
1460
1461    /* Y (left-extend)
1462     * Accelerator supports large-number multiplication with only
1463     * four operand lengths of N in {512, 1024, 1536, 2048} */
1464    left_pad_offset = maxWords_sz << 2;
1465    if (left_pad_offset <= 512 >> 3) {
1466        left_pad_offset = 512 >> 3; /* 64 bytes (16 words) */
1467    }
1468    else {
1469        if (left_pad_offset <= 1024 >> 3) {
1470            left_pad_offset = 1024 >> 3; /* 128 bytes = 32 words */
1471        }
1472        else {
1473            if (left_pad_offset <= 1536 >> 3) {
1474                left_pad_offset = 1536 >> 3; /* 192 bytes = 48 words */
1475            }
1476            else {
1477                if (left_pad_offset <= 2048 >> 3) {
1478                    left_pad_offset = 2048 >> 3; /* 256 bytes = 64 words */
1479                }
1480                else {
1481                    ret = MP_VAL;
1482                    ESP_LOGE(TAG, "Unsupported operand length: %d",
1483                                   hwWords_sz);
1484                }
1485            }
1486        }
1487    }
1488
1489    /* lock HW for use, enable peripheral clock */
1490    if (ret == MP_OKAY) {
1491        mp_mul_lock_called = TRUE; /* we'll not try to unlock
1492                                    * unless we locked it here. */
1493        #ifdef WOLFSSL_HW_METRICS
1494        {
1495            /* Only track max values when using HW */
1496            esp_mp_max_used = (X->used > esp_mp_max_used) ? X->used :
1497                                                            esp_mp_max_used;
1498            esp_mp_max_used = (Y->used > esp_mp_max_used) ? Y->used :
1499                                                            esp_mp_max_used;
1500        }
1501        #endif
1502
1503        ret = esp_mp_hw_lock();
1504    }
1505
1506    if (ret == MP_OKAY) {
1507        ret = esp_mp_hw_wait_clean();
1508    }
1509
1510    if (ret == MP_OKAY) {
1511        /* step.1  (2*N/512) => N/256. 512 bits => 16 words */
1512        /* Write 2*N/512 - 1 + 8  */
1513
1514        DPORT_REG_WRITE(RSA_MULT_MODE_REG,
1515                        (2 * left_pad_offset * 8 / 512) - 1 + 8);
1516
1517        /* step.2 write X into memory */
1518        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
1519                              X,
1520                              Xs,
1521                              hwWords_sz);
1522
1523        /* write zeros from RSA_MEM_Z_BLOCK_BASE to left_pad_offset - 1 */
1524        esp_zero_memblock(RSA_MEM_Z_BLOCK_BASE,
1525                          (left_pad_offset - 1) / sizeof(int));
1526
1527        /* write the left-padded Y value into Z */
1528        esp_mpint_to_memblock(RSA_MEM_Z_BLOCK_BASE + (left_pad_offset),
1529                              Y,
1530                              Ys,
1531                              hwWords_sz);
1532
1533    #ifdef DEBUG_WOLFSSL
1534        /* save value to peek at the result stored in RSA_MEM_Z_BLOCK_BASE */
1535        esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE,
1536                              PEEK,
1537                              128);
1538    #endif
1539
1540        /* step.3 start process                           */
1541        process_start(RSA_MULT_START_REG);
1542
1543        /* step.4,5 wait until done                       */
1544        ret = wait_until_done(RSA_INTERRUPT_REG);
1545
1546        /* step.6 read the result form MEM_Z              */
1547        if (ret == MP_OKAY) {
1548            esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE, Z, resultWords_sz);
1549        }
1550#ifndef DEBUG_WOLFSSL
1551        else {
1552            ESP_LOGE(TAG, "ERROR: wait_until_done failed in esp32_mp");
1553        }
1554#endif
1555    } /* end of processing */
1556#elif defined(CONFIG_IDF_TARGET_ESP32C3)
1557    /* Unlike the ESP32 that is limited to only four operand lengths,
1558     * the ESP32-C3 The RSA Accelerator supports large-number modular
1559     * multiplication with operands of 128 different lengths.
1560     *
1561     * X & Y must be represented by the same number of bits. Must be
1562     * enough to represent the larger one. */
1563
1564    /* Figure out how many words we need to
1565     * represent each operand & the result. */
1566
1567    /* Make sure we are within capabilities of hardware. */
1568    if ((hwWords_sz * BITS_IN_ONE_WORD) > ESP_HW_MULTI_RSAMAX_BITS) {
1569#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
1570        ESP_LOGW(TAG, "exceeds max bit length(%d)",
1571                       ESP_HW_MULTI_RSAMAX_BITS);
1572#endif
1573        ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
1574    }
1575    if ((hwWords_sz * BITS_IN_ONE_WORD * 2) > ESP_HW_RSAMAX_BIT) {
1576#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
1577        ESP_LOGW(TAG, "result exceeds max bit length(%d) * 2",
1578                       ESP_HW_RSAMAX_BIT );
1579#endif
1580        ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
1581    }
1582
1583    /* Steps to perform large number multiplication. Calculates Z = X * Y.
1584     *  The number of bits in the operands (X, Y) is N. N can be 32x, where
1585     *  x = {1,2,3,...64}, so the maximum number of bits in X and Y is 2048.
1586     * See 20.3.3 of ESP32-S3 technical manual
1587     *  1. Lock the hardware so no-one else uses it and wait until it is ready.
1588     *  2. Enable/disable interrupt that signals completion
1589     *       -- we don't use the interrupt.
1590     *  3. Write number of words required for result to the RSA_MODE_REG
1591     *     (now called RSA_LENGTH_REG).
1592     *     Number of words required for the result is 2 * words for operand - 1
1593     *  4. Load X, Y operands to memory blocks.
1594     *     Note the Y value must be written to as right aligned.
1595     *  5. Start the operation by writing 1 to RSA_MULT_START_REG,
1596     *     then wait for it to complete by monitoring RSA_IDLE_REG
1597     *     (which is now called RSA_QUERY_INTERRUPT_REG).
1598     *  6. Read the result out.
1599     *  7. Release the hardware lock so others can use it.
1600     *  x. Clear the interrupt flag, if you used it (we don't). */
1601
1602    /* 1. lock HW for use & wait until it is ready. */
1603    /* lock HW for use, enable peripheral clock */
1604    if (ret == MP_OKAY) {
1605        mp_mul_lock_called = TRUE; /* Do not try to unlock unless we locked */
1606        #ifdef WOLFSSL_HW_METRICS
1607        {
1608            /* Only track max values when using HW */
1609            esp_mp_max_used = (X->used > esp_mp_max_used) ? X->used :
1610                                                            esp_mp_max_used;
1611            esp_mp_max_used = (Y->used > esp_mp_max_used) ? Y->used :
1612                                                            esp_mp_max_used;
1613        }
1614        #endif
1615
1616        ret = esp_mp_hw_lock();
1617    }  /* the only thing we expect is success or busy */
1618    if (ret == MP_OKAY) {
1619        ret = esp_mp_hw_wait_clean();
1620    }
1621
1622    /* HW multiply */
1623    if (ret == MP_OKAY) {
1624        /* 2. Disable completion interrupt signal; we don't use.
1625        **    0 => no interrupt; 1 => interrupt on completion. */
1626        DPORT_REG_WRITE(RSA_INTERRUPT_REG, 0);
1627
1628        /* 3. Write number of words required for result. */
1629        DPORT_REG_WRITE(RSA_LENGTH_REG, (hwWords_sz * 2 - 1));
1630
1631        /* 4. Load X, Y operands. Maximum is 64 words (64*8*4 = 2048 bits) */
1632        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
1633                              X,
1634                              Xs,
1635                              hwWords_sz);
1636        esp_mpint_to_memblock(RSA_MEM_Z_BLOCK_BASE + hwWords_sz * 4,
1637                              Y,
1638                              Ys,
1639                              hwWords_sz);
1640
1641        /* 5. Start operation and wait until it completes. */
1642        process_start(RSA_MULT_START_REG);
1643        ret = wait_until_done(RSA_QUERY_INTERRUPT_REG);
1644    }
1645    if (ret == MP_OKAY) {
1646        /* 6. read the result form MEM_Z              */
1647        esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE, Z, resultWords_sz);
1648    }
1649#elif defined(CONFIG_IDF_TARGET_ESP32C6)
1650    /* Unlike the ESP32 that is limited to only four operand lengths,
1651     * the ESP32-C6 The RSA Accelerator supports large-number modular
1652     * multiplication with operands of 96 different lengths. (1 .. 96 words)
1653     *
1654     * X & Y must be represented by the same number of bits. Must be
1655     * enough to represent the larger one.
1656     *
1657     * Multiplication is limited to 48 different lengths (1 .. 48 words) */
1658
1659    /* Figure out how many words we need to
1660     * represent each operand & the result. */
1661
1662    /* Make sure we are within capabilities of hardware. */
1663
1664    if ((hwWords_sz * BITS_IN_ONE_WORD) > ESP_HW_MULTI_RSAMAX_BITS) {
1665#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
1666        ESP_LOGW(TAG, "RSA mul result hwWords_sz %d exceeds max bit length %d",
1667                       hwWords_sz, ESP_HW_MULTI_RSAMAX_BITS);
1668#endif
1669        ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
1670    }
1671    if ((hwWords_sz * BITS_IN_ONE_WORD * 2) > ESP_HW_RSAMAX_BIT) {
1672#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
1673        ESP_LOGW(TAG, "RSA max result hwWords_sz %d exceeds max bit length %d",
1674                       hwWords_sz, ESP_HW_RSAMAX_BIT );
1675#endif
1676        ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
1677    }
1678
1679    /* Steps to perform large number multiplication. Calculates Z = X * Y.
1680     * The number of bits in the operands (X, Y) is N.
1681     * N can be 32x, where x = {1,2,3,...64},
1682     * so the maximum number of bits in the X and Y is 2048.
1683     * See 20.3.3 of ESP32-S3 technical manual
1684     *  1. Lock the hardware so no-one else uses it and wait until it is ready.
1685     *  2. Enable/disable interrupt that signals completion
1686     *     -- we don't use the interrupt.
1687     *  3. Write number of words required for result to the RSA_MODE_REG
1688     *     (now called RSA_LENGTH_REG).
1689     *     Number of words required for the result is 2 * words for operand - 1
1690     *  4. Load X, Y operands to memory blocks.
1691     *     Note the Y value must be written to right aligned.
1692     *  5. Start the operation by writing 1 to RSA_MULT_START_REG,
1693     *     then wait for it to complete by monitoring RSA_IDLE_REG
1694     *     (which is now called RSA_QUERY_INTERRUPT_REG).
1695     *  6. Read the result out.
1696     *  7. Release the hardware lock so others can use it.
1697     *  x. Clear the interrupt flag, if you used it (we don't). */
1698
1699    /* 1. lock HW for use & wait until it is ready. */
1700    /* lock HW for use, enable peripheral clock */
1701    if (ret == MP_OKAY) {
1702        mp_mul_lock_called = TRUE; /* Do not try to unlock unless we locked */
1703        #ifdef WOLFSSL_HW_METRICS
1704        {
1705            /* Only track max values when using HW */
1706            esp_mp_max_used = (X->used > esp_mp_max_used) ? X->used :
1707                                                            esp_mp_max_used;
1708            esp_mp_max_used = (Y->used > esp_mp_max_used) ? Y->used :
1709                                                            esp_mp_max_used;
1710        }
1711        #endif
1712
1713        ret = esp_mp_hw_lock();
1714    } /* the only thing we expect is success or busy */
1715
1716    if (ret == MP_OKAY) {
1717        ret = esp_mp_hw_wait_clean();
1718    }
1719
1720    /* HW multiply */
1721    if (ret == MP_OKAY) {
1722        /* 1. Disable completion interrupt signal; we don't use.
1723         * Write 1 (enable) or 0 (disable) to the RSA_INT_ENA_REG register.
1724         *    0 => no interrupt; 1 => interrupt on completion. */
1725        DPORT_REG_WRITE(RSA_INT_ENA_REG, 0);
1726        /* 2. Write number of words required for result. */
1727        /* see 21.3.3 Write (/N16 - 1) to the RSA_MODE_REG register */
1728        DPORT_REG_WRITE(RSA_MODE_REG, (hwWords_sz * 2 - 1));
1729
1730        /* 3. Write Xi and Yi for {0, 1, . . . , n - 1} to memory blocks
1731         * RSA_X_MEM and RSA_Z_MEM
1732         * Maximum is 64 words (64*8*4 = 2048 bits) */
1733        esp_mpint_to_memblock(RSA_X_MEM,
1734                              X,
1735                              Xs,
1736                              hwWords_sz);
1737        esp_mpint_to_memblock(RSA_Z_MEM + hwWords_sz * 4,
1738                              Y,
1739                              Ys,
1740                              hwWords_sz);
1741
1742        /* 4. Write 1 to the RSA_SET_START_MULT register */
1743        ret = process_start(RSA_SET_START_MULT_REG);
1744
1745    }
1746    /* 5. Wait for the completion of computation, which happens when the
1747        * content of RSA_QUERY_IDLE becomes 1 or the RSA interrupt occurs. */
1748    if (ret == MP_OKAY) {
1749        ret = wait_until_done(RSA_QUERY_IDLE_REG);
1750    }
1751
1752    if (ret == MP_OKAY) {
1753        /* 6. read the result from MEM_Z */
1754        esp_memblock_to_mpint(RSA_Z_MEM, Z, resultWords_sz);
1755    }
1756    /* end ESP32-C6 */
1757
1758#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
1759    /* Unlike the ESP32 that is limited to only four operand lengths,
1760     * the ESP32-S3 The RSA Accelerator supports large-number modular
1761     * multiplication with operands of 128 different lengths.
1762     *
1763     * X & Y must be represented by the same number of bits. Must be
1764     * enough to represent the larger one. */
1765
1766    /* Figure out how many words we need to
1767     * represent each operand & the result. */
1768
1769    /* Make sure we are within capabilities of hardware. */
1770    if ((hwWords_sz * BITS_IN_ONE_WORD) > ESP_HW_MULTI_RSAMAX_BITS) {
1771#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
1772        ESP_LOGW(TAG, "exceeds max bit length(%d)", ESP_HW_MULTI_RSAMAX_BITS);
1773#endif
1774        ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
1775    }
1776    if ((hwWords_sz * BITS_IN_ONE_WORD * 2) > ESP_HW_RSAMAX_BIT) {
1777#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
1778        ESP_LOGW(TAG, "result exceeds max bit length(%d)", ESP_HW_RSAMAX_BIT );
1779#endif
1780        ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
1781    }
1782
1783    /* Steps to perform large number multiplication. Calculates Z = X * Y.
1784     * The number of bits in the operands (X, Y) is N.
1785     * N can be 32x, where x = {1,2,3,...64},
1786     * so the maximum number of bits in the X and Y is 2048.
1787     * See 20.3.3 of ESP32-S3 technical manual
1788     *  1. Lock the hardware so no-one else uses it and wait until it is ready.
1789     *  2. Enable/disable interrupt that signals completion
1790     *     -- we don't use the interrupt.
1791     *  3. Write number of words required for result to the RSA_MODE_REG
1792     *     (now called RSA_LENGTH_REG).
1793     *     Number of words required for the result is 2 * words for operand - 1
1794     *  4. Load X, Y operands to memory blocks.
1795     *     Note the Y value must be written to right aligned.
1796     *  5. Start the operation by writing 1 to RSA_MULT_START_REG,
1797     *     then wait for it to complete by monitoring RSA_IDLE_REG
1798     *     (which is now called RSA_QUERY_INTERRUPT_REG).
1799     *  6. Read the result out.
1800     *  7. Release the hardware lock so others can use it.
1801     *  x. Clear the interrupt flag, if you used it (we don't). */
1802
1803    /* 1. lock HW for use & wait until it is ready. */
1804    if (ret == MP_OKAY) {
1805        mp_mul_lock_called = TRUE; /* Don't try to unlock unless we locked. */
1806        #ifdef WOLFSSL_HW_METRICS
1807        {
1808            /* Only track max values when using HW */
1809            esp_mp_max_used = (X->used > esp_mp_max_used) ? X->used :
1810                                                            esp_mp_max_used;
1811            esp_mp_max_used = (Y->used > esp_mp_max_used) ? Y->used :
1812                                                            esp_mp_max_used;
1813        }
1814        #endif
1815
1816        ret = esp_mp_hw_lock();
1817    } /* the only thing we expect is success or busy */
1818    if (ret == MP_OKAY) {
1819        ret = esp_mp_hw_wait_clean();
1820    }
1821
1822    /* HW multiply */
1823    if (ret == MP_OKAY) {
1824        /* 2. Disable completion interrupt signal; we don't use.
1825        **    0 => no interrupt; 1 => interrupt on completion. */
1826        DPORT_REG_WRITE(RSA_INTERRUPT_REG, 0);
1827
1828        /* 3. Write number of words required for result. */
1829        DPORT_REG_WRITE(RSA_LENGTH_REG, (hwWords_sz * 2 - 1));
1830
1831        /* 4. Load X, Y operands. Maximum is 64 words (64*8*4 = 2048 bits) */
1832        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
1833                              X,
1834                              Xs,
1835                              hwWords_sz);
1836        esp_mpint_to_memblock(RSA_MEM_Z_BLOCK_BASE + hwWords_sz * 4,
1837                              Y,
1838                              Ys,
1839                              hwWords_sz);
1840
1841        /* 5. Start operation and wait until it completes. */
1842        process_start(RSA_MULT_START_REG);
1843        ret = wait_until_done(RSA_QUERY_INTERRUPT_REG);
1844    }
1845    if (ret == MP_OKAY) {
1846        /* 6. read the result form MEM_Z              */
1847        esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE, Z, resultWords_sz);
1848    }
1849
1850    /*
1851    ** end if CONFIG_IDF_TARGET_ESP32S3
1852    */
1853#else
1854    ret = MP_HW_FALLBACK;
1855#endif /* target HW calcs*/
1856
1857    /* common exit for all chipset types */
1858
1859    /* step.7 clear and release HW                    */
1860    if (mp_mul_lock_called) {
1861        ret = esp_mp_hw_unlock();
1862    }
1863    else {
1864        ESP_LOGV(TAG, "Lock not called");
1865    }
1866
1867#if defined(WOLFSSL_SP_INT_NEGATIVE) || defined(USE_FAST_MATH)
1868    if (ret == MP_OKAY) {
1869        if (!mp_iszero(Z) && res_sign) {
1870            /* for non-zero negative numbers, set negative flag for our result:
1871             *   Z->sign = FP_NEG */
1872            ESP_LOGV(TAG, "Setting Z to negative result!");
1873            mp_setneg(Z);
1874        }
1875        else {
1876            Z->sign = MP_ZPOS;
1877        }
1878    }
1879#endif
1880
1881    if (ret == MP_OKAY) {
1882        /* never clean the result for anything other than success, as we may
1883         * fall back to SW and we don't want to muck up operand values. */
1884        esp_clean_result(Z, 0);
1885    }
1886
1887#ifdef DEBUG_WOLFSSL
1888    if (mp_cmp(X, X2) != 0) {
1889        /* this may be interesting when operands change (e.g. z=x*z mode m) */
1890        /* ESP_LOGE(TAG, "mp_mul X vs X2 mismatch!"); */
1891    }
1892    if (mp_cmp(Y, Y2) != 0) {
1893        /* this may be interesting when operands change (e.g. z=y*z mode m) */
1894        /* ESP_LOGE(TAG, "mp_mul Y vs Y2 mismatch!"); */
1895    }
1896    if (mp_cmp(Z, Z2) != 0) {
1897        int found_z_used = Z->used;
1898
1899        ESP_LOGE(TAG, "mp_mul Z vs Z2 mismatch!");
1900        ESP_LOGI(TAG, "Xs            = %d", Xs);
1901        ESP_LOGI(TAG, "Ys            = %d", Ys);
1902        ESP_LOGI(TAG, "Zs            = %d", Zs);
1903        ESP_LOGI(TAG, "found_z_used  = %d", found_z_used);
1904        ESP_LOGI(TAG, "z.used        = %d", Z->used);
1905        ESP_LOGI(TAG, "hwWords_sz    = %d", hwWords_sz);
1906        ESP_LOGI(TAG, "maxWords_sz   = %d", maxWords_sz);
1907#if defined(CONFIG_IDF_TARGET_ESP32)
1908        ESP_LOGI(TAG, "left_pad_offset = %d", left_pad_offset);
1909#endif
1910        ESP_LOGI(TAG, "hwWords_sz<<2   = %d", hwWords_sz << 2);
1911        esp_show_mp("X", X2);  /* show X2 copy, as X may have been clobbered */
1912        esp_show_mp("Y", Y2);  /* show Y2 copy, as Y may have been clobbered */
1913        esp_show_mp("Peek Z", PEEK); /* this is the Z before start */
1914        esp_show_mp("Z", Z);   /* this is the HW result */
1915        esp_show_mp("Z2", Z2); /* this is the SW result */
1916    #ifndef NO_RECOVER_SOFTWARE_CALC
1917        ESP_LOGW(TAG, "Recovering mp_mul error with software result");
1918        mp_copy(Z2, Z); /* copy (src = Z2) to (dst = Z) */
1919    #else
1920        ret = MP_VAL;
1921    #endif
1922    }
1923#endif
1924
1925#ifdef WOLFSSL_HW_METRICS
1926    esp_mp_mul_usage_ct++;
1927    esp_mp_max_used = (Z->used > esp_mp_max_used) ? Z->used : esp_mp_max_used;
1928    if (ret != MP_OKAY) {
1929        esp_mp_mul_error_ct++; /* includes fallback */
1930    }
1931#endif
1932
1933    ESP_LOGV(TAG, "\nEnd esp_mp_mul \n");
1934
1935    return ret;
1936} /* esp_mp_mul() */
1937#endif /* Use HW mp_mul: ! NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL*/
1938
1939#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD
1940/* Large Number Modular Multiplication
1941 *
1942 * See 24.3.3 of the ESP32 Technical Reference Manual
1943 *
1944 * Z = X * Y mod M */
1945int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
1946{
1947    struct esp_mp_helper mph[1]; /* we'll save some values in this mp helper */
1948    MATH_INT_T tmpZ[1] = { };
1949#ifdef DEBUG_WOLFSSL
1950    MATH_INT_T X2[1] = { };
1951    MATH_INT_T Y2[1] = { };
1952    MATH_INT_T M2[1] = { };
1953    MATH_INT_T Z2[1] = { };
1954    MATH_INT_T PEEK[1] = { };
1955    (void) PEEK;
1956#endif
1957
1958    int ret = MP_OKAY;
1959    int mulmod_lock_called = FALSE;
1960    word32 zwords = 0;
1961
1962#if defined(WOLFSSL_SP_INT_NEGATIVE) || defined(USE_FAST_MATH)
1963    int negcheck = 0;
1964#endif
1965
1966#ifdef DEBUG_WOLFSSL
1967    int reti = 0; /* interim return value used only during HW==SW validation */
1968#endif
1969
1970#if defined(CONFIG_IDF_TARGET_ESP32)
1971
1972#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
1973    word32 OperandBits;
1974    int WordsForOperand;
1975#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
1976    word32 OperandBits;
1977    int WordsForOperand;
1978#else
1979    ret = MP_HW_FALLBACK;
1980#endif
1981
1982    ESP_LOGV(TAG, "\nBegin esp_mp_mulmod \n");
1983
1984    /* do we have an even moduli? */
1985    if ((M->dp[0] & 1) == 0) {
1986#ifndef NO_ESP_MP_MUL_EVEN_ALT_CALC
1987        /*  Z = X * Y mod M in mixed HW & SW */
1988    #if defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL)
1989        ret = mp_mul(X, Y, tmpZ);     /* SW X * Y */
1990    #else
1991        ret = esp_mp_mul(X, Y, tmpZ); /* HW X * Y */
1992    #endif
1993        if (ret == MP_OKAY) {
1994            /* z = tmpZ mod M, 0 <= Z < M */
1995            ret = mp_mod(tmpZ, M, Z); /* SW mod M */
1996        }
1997        ESP_LOGV(TAG, "alternate mp_mul calc!");
1998        return ret;
1999#else
2000    #ifdef WOLFSSL_HW_METRICS
2001        esp_mp_mulmod_even_mod_ct++;
2002    #endif
2003        ESP_LOGV(TAG, "esp_mp_mulmod does not support even numbers");
2004        ret = MP_HW_FALLBACK; /* let the software figure out what to do */
2005        return ret;
2006#endif /* NO_ESP_MP_MUL_EVEN_ALTERNATE */
2007    } /* even moduli check */
2008
2009#ifdef DEBUG_WOLFSSL
2010    /* we're only validating HW when in debug mode */
2011    if (esp_hw_validation_active()) {
2012        ESP_LOGV(TAG, "MP_HW_VALIDATION_ACTIVE");
2013        return MP_HW_VALIDATION_ACTIVE;
2014    }
2015#endif
2016
2017#ifdef DEBUG_WOLFSSL
2018    if (IS_HW_VALIDATION) {
2019        ESP_LOGE(TAG, "Caller must not try HW when validation active.");
2020    }
2021    else {
2022        /* when validating, save SW in [V]2 for later comparison to HW */
2023        mp_init(X2);
2024        mp_init(Y2);
2025        mp_init(M2);
2026        mp_init(Z2);
2027
2028        mp_copy(X, X2); /* copy (src = X) to (dst = X2) */
2029        mp_copy(Y, Y2); /* copy (src = Y) to (dst = Y2) */
2030        mp_copy(M, M2); /* copy (src = M) to (dst = M2) */
2031        mp_copy(Z, Z2); /* copy (src = Z) to (dst = Z2) */
2032
2033        SET_HW_VALIDATION; /* for the next mulmod to be SW for HW validation */
2034        reti = mp_mulmod(X2, Y2, M2, Z2);
2035        if (reti == 0) {
2036            ESP_LOGV(TAG, "wolfSSL mp_mulmod during validation success");
2037        }
2038        else {
2039            ESP_LOGE(TAG, "wolfSSL mp_mulmod during validation failed");
2040        }
2041        CLR_HW_VALIDATION;
2042    }
2043#endif /* DEBUG_WOLFSSL */
2044
2045    if (ret == MP_OKAY) {
2046
2047        /* neg check: X*Y becomes negative, we'll need adjustment  */
2048    #if defined(WOLFSSL_SP_INT_NEGATIVE) || defined(USE_FAST_MATH)
2049        negcheck = mp_isneg(X) != mp_isneg(Y) ? 1 : 0;
2050    #endif
2051
2052        /* calculate r_inv = R^2 mod M
2053        *    where: R = b^n, and b = 2^32
2054        *    accordingly R^2 = 2^(n*32*2)
2055        */
2056        ret = esp_mp_montgomery_init(X, Y, M, mph);
2057        if (ret == MP_OKAY) {
2058            ESP_LOGV(TAG, "esp_mp_exptmod esp_mp_montgomery_init success.");
2059        }
2060        else {
2061            #ifdef WOLFSSL_HW_METRICS
2062            if (ret == MP_HW_FALLBACK) {
2063                esp_mp_mulmod_fallback_ct++;
2064            }
2065            else {
2066                esp_mp_mulmod_error_ct++;
2067            }
2068            #endif
2069            return ret;
2070        }
2071        zwords = bits2words(min(mph->Ms, mph->Xs + mph->Ys));
2072    }
2073
2074    /* we'll use hardware only for a minimum number of bits */
2075    if (mph->Xs <= ESP_RSA_MULM_BITS || mph->Ys <= ESP_RSA_MULM_BITS) {
2076        #ifdef WOLFSSL_HW_METRICS
2077        {
2078            esp_mp_mulmod_small_y_ct++; /* track how many times we fall back */
2079        }
2080        #endif
2081        ret = MP_HW_FALLBACK;
2082        #ifdef WOLFSSL_DEBUG_ESP_RSA_MULM_BITS
2083        {
2084            ESP_LOGW(TAG, "esp_mp_mulmod falling back for ESP_RSA_MULM_BITS!");
2085        }
2086        #endif
2087    }
2088
2089    /* lock HW for use, enable peripheral clock */
2090    if (ret == MP_OKAY) {
2091        #ifdef WOLFSSL_HW_METRICS
2092        {
2093            /* Only track max values when using HW */
2094            esp_mp_max_used = (X->used > esp_mp_max_used) ? X->used :
2095                                                            esp_mp_max_used;
2096            esp_mp_max_used = (Y->used > esp_mp_max_used) ? Y->used :
2097                                                            esp_mp_max_used;
2098            esp_mp_max_used = (M->used > esp_mp_max_used) ? M->used :
2099                                                            esp_mp_max_used;
2100        }
2101        #endif
2102
2103        ret = esp_mp_hw_lock();
2104        if (ret == ESP_OK) {
2105            mulmod_lock_called = TRUE; /* Don't try to unlock unless locked */
2106        }
2107        else {
2108            ret = WC_HW_WAIT_E;
2109        }
2110    }
2111
2112#if defined(CONFIG_IDF_TARGET_ESP32)
2113    /* Classic ESP32, non-S3 Xtensa */
2114
2115    /*Steps to use HW in the following order:
2116    * prep:  wait until clean HW engine
2117    *
2118    * 1. Write (N/512bits - 1) to MULT_MODE_REG
2119    * 2. Write X,M(=G, X, P) to memory blocks
2120    *    need to write data to each memory block only according to the length
2121    *    of the number.
2122    * 3. Write M' to M_PRIME_REG
2123    * 4. Write 1  to MODEXP_START_REG
2124    * 5. Wait for the first round of the operation to be completed.
2125    *    Poll RSA_INTERRUPT_REG until it reads 1,
2126    *    or until the RSA_INTR interrupt is generated.
2127    *    (Or until the INTER interrupt is generated.)
2128    * 6. Write 1 to RSA_INTERRUPT_REG to clear the interrupt.
2129    * 7. Write Yi (i in [0, n) intersect N) to RSA_X_MEM
2130    *    Users need to write to the memory block only according to the length
2131    *    of the number. Data beyond this length is ignored.
2132    * 8. Write 1 to RSA_MULT_START_REG
2133    * 9. Wait for the second operation to be completed.
2134    *    Poll INTERRUPT_REG until it reads 1.
2135    * 10. Read the Zi (i in [0, n) intersect N) from RSA_Z_MEM
2136    * 11. Write 1 to RSA_INTERUPT_REG to clear the interrupt.
2137    *
2138    * post: Release the HW engine
2139    *
2140    * After the operation, the RSA_MULT_MODE_REG register, and memory blocks
2141    * RSA_M_MEM and RSA_M_PRIME_REG remain unchanged. Users do not need to
2142    * refresh these registers or memory blocks if the values remain the same.
2143    */
2144
2145    if (ret == MP_OKAY) {
2146        /* Prep wait for the engine */
2147        ret = esp_mp_hw_wait_clean();
2148    }
2149
2150    if (ret == MP_OKAY) {
2151        /* step.1
2152         *  Write (N/512bits - 1) to MULT_MODE_REG
2153         *  512 bits => 16 words */
2154        DPORT_REG_WRITE(RSA_MULT_MODE_REG, (mph->hwWords_sz >> 4) - 1);
2155#if defined(DEBUG_WOLFSSL)
2156        ESP_LOGV(TAG, "RSA_MULT_MODE_REG = %d", (mph->hwWords_sz >> 4) - 1);
2157#endif /* DEBUG_WOLFSSL */
2158
2159        /* step.2 write X, M, and r_inv into memory.
2160         * The capacity of each memory block is 128 words.
2161         * The memory blocks use the little endian format for storage, i.e.
2162         * the least significant digit of each number is in lowest address.*/
2163        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
2164                              X, mph->Xs, mph->hwWords_sz);
2165        esp_mpint_to_memblock(RSA_MEM_M_BLOCK_BASE,
2166                              M, mph->Ms, mph->hwWords_sz);
2167        esp_mpint_to_memblock(RSA_MEM_Z_BLOCK_BASE,
2168                              &(mph->r_inv), mph->Rs, mph->hwWords_sz);
2169
2170        /* step.3 write M' into memory                   */
2171        /* confirmed that mp2 does not support even modulus.
2172         * indeed we see a failure, but we can predict when modules is odd
2173         * or when mp != mp2[0] */
2174        DPORT_REG_WRITE(RSA_M_DASH_REG, mph->mp);
2175        ESP_EM__3_16;
2176
2177        /* step.4 start process                           */
2178        process_start(RSA_MULT_START_REG);
2179
2180        /* step.5,6 wait until done                       */
2181        wait_until_done(RSA_INTERRUPT_REG);
2182
2183        /* step.7 Y to MEM_X                              */
2184        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
2185                              Y, mph->Ys,
2186                              mph->hwWords_sz);
2187
2188#ifdef DEBUG_WOLFSSL
2189        /* save value to peek at the result stored in RSA_MEM_Z_BLOCK_BASE */
2190        esp_memblock_to_mpint(RSA_MEM_X_BLOCK_BASE,
2191                              PEEK,
2192                              128);
2193        esp_clean_result(PEEK, 0);
2194#endif /* DEBUG_WOLFSSL */
2195
2196        /* step.8 start process                           */
2197        process_start(RSA_MULT_START_REG);
2198
2199        /* step.9,11 wait until done                      */
2200        wait_until_done(RSA_INTERRUPT_REG);
2201
2202        /* step.12 read the result from MEM_Z             */
2203        esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE, tmpZ, zwords);
2204    } /* step 1 .. 12 */
2205
2206    /* step.13 clear and release HW                   */
2207    if (mulmod_lock_called) {
2208        ret = esp_mp_hw_unlock();
2209    }
2210    else {
2211        ESP_LOGV(TAG, "Lock not called");
2212    }
2213    /* end of ESP32 */
2214
2215#elif defined(CONFIG_IDF_TARGET_ESP32C3)
2216    /* Steps to perform large number modular multiplication.
2217     * Calculates Z = (X * Y) modulo M.
2218     * The number of bits in the operands (X, Y) is N. N can be 32x, where
2219     * x = {1,2,3,...64}, so the maximum number of bits in the X and Y is 2048.
2220     * We must use the same number of words to represent bits in X, Y and M.
2221     * See 20.3.3 of ESP32-C3 technical manual
2222     *  1. Wait until the hardware is ready.
2223     *  2. Enable/disable interrupt that signals completion
2224     *     -- we don't use the interrupt.
2225     *  3. Write the number of words required to represent the operands to the
2226     *     RSA_MODE_REG (now called RSA_LENGTH_REG).
2227     *  4. Write M' value into RSA_M_PRIME_REG (now called RSA_M_DASH_REG).
2228     *  5. Load X, Y, M, r' operands to memory blocks.
2229     *  6. Start the operation by writing 1 to RSA_MOD_MULT_START_REG,
2230     *     then wait for it to complete by monitoring RSA_IDLE_REG
2231     *     (which is now called RSA_QUERY_INTERRUPT_REG).
2232     *  7. Read the result out.
2233     *  8. Release the hardware lock so others can use it.
2234     *  x. Clear the interrupt flag, if you used it (we don't). */
2235
2236    /* 1. Wait until hardware is ready. */
2237    if (ret == MP_OKAY) {
2238        ret = esp_mp_hw_wait_clean();
2239    }
2240
2241    if (ret == MP_OKAY) {
2242        /* 2. Disable completion interrupt signal; we don't use.
2243        **    0 => no interrupt; 1 => interrupt on completion. */
2244        DPORT_REG_WRITE(RSA_INTERRUPT_REG, 0);
2245
2246        /* 3. Write (N_result_bits/32 - 1) to the RSA_MODE_REG. */
2247        OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
2248        if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
2249    #ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
2250            ESP_LOGW(TAG, "result exceeds max bit length");
2251    #endif
2252            if (mulmod_lock_called) {
2253                esp_mp_hw_unlock();
2254            }
2255            return MP_HW_FALLBACK; /*  Error: value is not able to be used. */
2256        }
2257        WordsForOperand = bits2words(OperandBits);
2258        /* alt inline calc:
2259         * DPORT_REG_WRITE(RSA_MULT_MODE_REG, (mph->hwWords_sz >> 4) - 1); */
2260        DPORT_REG_WRITE(RSA_LENGTH_REG, WordsForOperand - 1);
2261
2262        /* 4. Write M' value into RSA_M_PRIME_REG
2263         *    (now called RSA_M_DASH_REG) */
2264        DPORT_REG_WRITE(RSA_M_DASH_REG, mph->mp);
2265
2266        /* Select acceleration options. */
2267        DPORT_REG_WRITE(RSA_CONSTANT_TIME_REG, 0);
2268
2269        /* 5. Load X, Y, M, r' operands.
2270         * Note RSA_MEM_RB_BLOCK_BASE == RSA_MEM_Z_BLOC_BASE on ESP32s3*/
2271        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
2272                              X,
2273                              mph->Xs,
2274                              mph->hwWords_sz);
2275        esp_mpint_to_memblock(RSA_MEM_Y_BLOCK_BASE,
2276                              Y,
2277                              mph->Ys,
2278                              mph->hwWords_sz);
2279        esp_mpint_to_memblock(RSA_MEM_M_BLOCK_BASE,
2280                              M,
2281                              mph->Ms,
2282                              mph->hwWords_sz);
2283        esp_mpint_to_memblock(RSA_MEM_RB_BLOCK_BASE,
2284                              &(mph->r_inv),
2285                              mph->Rs,
2286                              mph->hwWords_sz);
2287
2288        /* 6. Start operation and wait until it completes. */
2289        process_start(RSA_MOD_MULT_START_REG); /* esp_mp_mulmod */
2290    }
2291
2292    if (ret == MP_OKAY) {
2293        ret = wait_until_done(RSA_QUERY_INTERRUPT_REG);
2294    }
2295
2296    if (ret == MP_OKAY) {
2297        /* 7. read the result from MEM_Z              */
2298        esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE, tmpZ, zwords);
2299    }
2300
2301    /* 8. clear and release HW                    */
2302    if (mulmod_lock_called) {
2303        ret = esp_mp_hw_unlock();
2304    }
2305    else {
2306        ESP_LOGV(TAG, "Lock not called, esp_mp_hw_unlock skipped");
2307    }
2308    /* end if CONFIG_IDF_TARGET_ESP32C3 */
2309
2310#elif defined(CONFIG_IDF_TARGET_ESP32C6)
2311    /* Steps to perform large number modular multiplication.
2312     * Calculates Z = (X * Y) modulo M.
2313     * The number of bits in the operands (X, Y) is N. N can be 32x,where
2314     * x = {1,2,3,...64}, so the maximum number of bits in  X and Y is 2048.
2315     * We must use the same number of words to represent the bits X, Y and M.
2316     * See 20.3.3 of ESP32-S3 technical manual
2317     *  1. Wait until the hardware is ready.
2318     *  2. Enable/disable interrupt that signals completion
2319     *     -- we don't use the interrupt.
2320     *  3. Write the number of words required to represent the operands to the
2321     *     RSA_MODE_REG (now called RSA_LENGTH_REG).
2322     *  4. Write M' value into RSA_M_PRIME_REG (now called RSA_M_DASH_REG).
2323     *  5. Load X, Y, M, r' operands to memory blocks.
2324     *  6. Start the operation by writing 1 to RSA_MOD_MULT_START_REG,
2325     *     then wait for it to complete by monitoring RSA_IDLE_REG
2326     *     (which is now called RSA_QUERY_INTERRUPT_REG).
2327     *  7. Read the result out.
2328     *  8. Release the hardware lock so others can use it.
2329     *  x. Clear the interrupt flag, if you used it (we don't). */
2330
2331    /* 1. Wait until hardware is ready for esp_mp_mulmod. */
2332    if (ret == MP_OKAY) {
2333        ret = esp_mp_hw_wait_clean();
2334    }
2335    if (ret == MP_OKAY) {
2336        /* 2. Disable completion interrupt signal; we don't use.
2337        **    0 => no interrupt; 1 => interrupt on completion. */
2338        DPORT_REG_WRITE(RSA_INT_ENA_REG, 0);
2339
2340        /* 3. Write (N_result_bits/32 - 1) to the RSA_MODE_REG. */
2341        OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
2342        if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
2343    #ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
2344            ESP_LOGW(TAG, "mulmod OperandBits = %d "
2345                          "result exceeds max bit length %d",
2346                           OperandBits, ESP_HW_MOD_RSAMAX_BITS);
2347    #endif
2348            if (mulmod_lock_called) {
2349                esp_mp_hw_unlock();
2350            }
2351            return MP_HW_FALLBACK; /*  Error: value is not able to be used. */
2352        }
2353        WordsForOperand = bits2words(OperandBits);
2354        /* alt inline calc:
2355         * DPORT_REG_WRITE(RSA_MULT_MODE_REG, (mph->hwWords_sz >> 4) - 1); */
2356        DPORT_REG_WRITE(RSA_MODE_REG, WordsForOperand - 1);
2357
2358        /* 4. Write M' value into RSA_M_PRIME_REG
2359         *    (now called RSA_M_DASH_REG) */
2360        DPORT_REG_WRITE(RSA_M_PRIME_REG, mph->mp);
2361
2362        /* Select acceleration options. */
2363        DPORT_REG_WRITE(RSA_CONSTANT_TIME_REG, 0);
2364        DPORT_REG_WRITE(RSA_SEARCH_POS_REG, 0); /* or RSA_SEARCH_ENABLE */
2365
2366        /* 5. Load X, Y, M, r' operands.
2367         * Note RSA_MEM_RB_BLOCK_BASE == RSA_M_MEM on ESP32-C6*/
2368        esp_mpint_to_memblock(RSA_X_MEM,
2369                              X,
2370                              mph->Xs,
2371                              mph->hwWords_sz);
2372        esp_mpint_to_memblock(RSA_Y_MEM,
2373                              Y,
2374                              mph->Ys,
2375                              mph->hwWords_sz);
2376        esp_mpint_to_memblock(RSA_M_MEM,
2377                              M,
2378                              mph->Ms,
2379                              mph->hwWords_sz);
2380        esp_mpint_to_memblock(RSA_Z_MEM,
2381                              &(mph->r_inv),
2382                              mph->Rs,
2383                              mph->hwWords_sz);
2384
2385        /* 6. Start operation and wait until it completes. */
2386        process_start(RSA_SET_START_MODMULT_REG); /* reminder: esp_mp_mulmod */
2387    }
2388
2389    /* 5. Wait for the completion of computation, which happens when the
2390     * content of RSA_QUERY_IDLE becomes 1 or the RSA interrupt occurs. */
2391    if (ret == MP_OKAY) {
2392        ret = wait_until_done(RSA_QUERY_IDLE_REG);
2393    }
2394    if (ret == MP_OKAY) {
2395        /* 7. read the result from MEM_Z              */
2396        esp_memblock_to_mpint(RSA_Z_MEM, tmpZ, zwords);
2397    }
2398
2399    /* 8. clear and release HW                    */
2400    if (mulmod_lock_called) {
2401        ret = esp_mp_hw_unlock();
2402    }
2403    else {
2404        ESP_LOGV(TAG, "Lock not called, esp_mp_hw_unlock skipped");
2405    }
2406
2407    /* end if CONFIG_IDF_TARGET_ESP32C3 or CONFIG_IDF_TARGET_ESP32C6 */
2408#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
2409    /* Steps to perform large number modular multiplication.
2410     * Calculates Z = (X * Y) modulo M.
2411     * The number of bits in the operands (X, Y) is N. N can be 32x, where
2412     * x = {1,2,3,...64}, so the maximum number of bits in the X and Y is 2048.
2413     * We must use the same number of words to represent bits in X, Y and M.
2414     * See 20.3.3 of ESP32-S3 technical manual.
2415     *  1. Wait until the hardware is ready.
2416     *  2. Enable/disable interrupt that signals completion
2417     *     -- we don't use the interrupt.
2418     *  3. Write the number of words required to represent the operands to the
2419     *     RSA_MODE_REG (now called RSA_LENGTH_REG).
2420     *  4. Write M' value into RSA_M_PRIME_REG (now called RSA_M_DASH_REG).
2421     *  5. Load X, Y, M, r' operands to memory blocks.
2422     *  6. Start the operation by writing 1 to RSA_MOD_MULT_START_REG,
2423     *     then wait for it to complete by monitoring RSA_IDLE_REG
2424     *     (which is now called RSA_QUERY_INTERRUPT_REG).
2425     *  7. Read the result out.
2426     *  8. Release the hardware lock so others can use it.
2427     *  x. Clear the interrupt flag, if you used it (we don't). */
2428
2429    /* 1. Wait until hardware is ready. */
2430    if (ret == MP_OKAY) {
2431        ret = esp_mp_hw_wait_clean();
2432    }
2433
2434    if (ret == MP_OKAY) {
2435        /* 2. Disable completion interrupt signal; we don't use.
2436        **    0 => no interrupt; 1 => interrupt on completion. */
2437        DPORT_REG_WRITE(RSA_INTERRUPT_REG, 0);
2438
2439        /* 3. Write (N_result_bits/32 - 1) to the RSA_MODE_REG. */
2440        OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
2441        if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
2442    #ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
2443            ESP_LOGW(TAG, "mp_mulmod OperandBits %d exceeds max bit length %d.",
2444                           OperandBits, ESP_HW_MOD_RSAMAX_BITS);
2445    #endif
2446            if (mulmod_lock_called) {
2447                esp_mp_hw_unlock();
2448            }
2449            return MP_HW_FALLBACK; /*  Error: value is not able to be used. */
2450        }
2451        WordsForOperand = bits2words(OperandBits);
2452        /* alt inline calc:
2453         * DPORT_REG_WRITE(RSA_MULT_MODE_REG, (mph->hwWords_sz >> 4) - 1); */
2454        DPORT_REG_WRITE(RSA_LENGTH_REG, WordsForOperand - 1);
2455
2456        /* 4. Write M' value into RSA_M_PRIME_REG
2457         * (now called RSA_M_DASH_REG) */
2458        DPORT_REG_WRITE(RSA_M_DASH_REG, mph->mp);
2459
2460        /* Select acceleration options. */
2461        DPORT_REG_WRITE(RSA_CONSTANT_TIME_REG, 0);
2462
2463        /* 5. Load X, Y, M, r' operands.
2464         * Note RSA_MEM_RB_BLOCK_BASE == RSA_MEM_Z_BLOC_BASE on ESP32s3*/
2465        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
2466                              X,
2467                              mph->Xs,
2468                              mph->hwWords_sz);
2469        esp_mpint_to_memblock(RSA_MEM_Y_BLOCK_BASE,
2470                              Y,
2471                              mph->Ys,
2472                              mph->hwWords_sz);
2473        esp_mpint_to_memblock(RSA_MEM_M_BLOCK_BASE,
2474                              M,
2475                              mph->Ms,
2476                              mph->hwWords_sz);
2477        esp_mpint_to_memblock(RSA_MEM_RB_BLOCK_BASE,
2478                              &(mph->r_inv),
2479                              mph->Rs,
2480                              mph->hwWords_sz);
2481
2482        /* 6. Start operation and wait until it completes. */
2483        process_start(RSA_MOD_MULT_START_REG); /* Reminder: esp_mp_mulmod() */
2484        asm volatile("memw");
2485        asm volatile("nop");
2486        asm volatile("nop");
2487        asm volatile("nop");
2488        asm volatile("nop");
2489        asm volatile("nop");
2490        asm volatile("nop");
2491    }
2492
2493    if (ret == MP_OKAY) {
2494        ret = wait_until_done(RSA_QUERY_INTERRUPT_REG);
2495    }
2496
2497    if (ret == MP_OKAY) {
2498        /* 7. read the result from MEM_Z              */
2499        esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE, tmpZ, zwords);
2500    }
2501
2502    /* 8. clear and release HW                    */
2503    if (mulmod_lock_called) {
2504        ret = esp_mp_hw_unlock();
2505    }
2506    else {
2507        if (ret == MP_HW_FALLBACK) {
2508            ESP_LOGV(TAG, "Lock not called due to no-lock MP_HW_FALLBACK");
2509        }
2510        else {
2511    #ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
2512            ESP_LOGW(TAG, "Lock unexpectedly not called for mp_mulmod");
2513    #endif
2514        }
2515    }
2516
2517    /* end if CONFIG_IDF_TARGET_ESP32S3 */
2518#else
2519    /* for all non-supported chipsets, fall back to SW calcs */
2520    ret = MP_HW_FALLBACK;
2521#endif
2522
2523    if (ret == MP_OKAY) {
2524        /* additional steps                               */
2525        /* this is needed for known issue when Z is greater than M */
2526        if (mp_cmp(tmpZ, M) == MP_GT) {
2527            /*  Z -= M  */
2528            mp_sub(tmpZ, M, tmpZ);
2529            ESP_LOGV(TAG, "Z is greater than M");
2530        }
2531    #if defined(WOLFSSL_SP_INT_NEGATIVE) || defined(USE_FAST_MATH)
2532        if (negcheck) {
2533            mp_sub(M, tmpZ, tmpZ);
2534            ESP_LOGV(TAG, "neg check adjustment");
2535        }
2536    #endif
2537        mp_copy(tmpZ, Z); /* copy tmpZ to result Z */
2538
2539        esp_clean_result(Z, 0);
2540    }
2541
2542#ifdef WOLFSSL_HW_METRICS
2543    esp_mp_mulmod_usage_ct++;
2544    if (ret == MP_HW_FALLBACK) {
2545        ESP_LOGV(TAG, "esp_mp_mulmod HW Fallback tick");
2546        esp_mp_mulmod_fallback_ct++;
2547    }
2548#endif
2549
2550#ifdef DEBUG_WOLFSSL
2551    if (ret == MP_HW_FALLBACK) {
2552        ESP_LOGI(TAG, "HW Fallback");
2553    }
2554    else {
2555        if (mp_cmp(X, X2) != 0) {
2556            ESP_LOGV(TAG, "mp_mul X vs X2 mismatch!");
2557        }
2558        if (mp_cmp(Y, Y2) != 0) {
2559            ESP_LOGV(TAG, "mp_mul Y vs Y2 mismatch!");
2560        }
2561
2562        if (mp_cmp(Z, Z2) != 0) {
2563            ESP_LOGE(TAG, "esp_mp_mulmod Z vs Z2 mismatch!");
2564
2565            esp_mp_mulmod_error_ct++;
2566            int found_z_used = Z->used;
2567
2568            ESP_LOGI(TAG, "Xs            = %d", mph->Xs);
2569            ESP_LOGI(TAG, "Ys            = %d", mph->Ys);
2570            ESP_LOGI(TAG, "found_z_used  = %d", found_z_used);
2571            ESP_LOGI(TAG, "z.used        = %d", Z->used);
2572            ESP_LOGI(TAG, "hwWords_sz    = %d", mph->hwWords_sz);
2573            ESP_LOGI(TAG, "maxWords_sz   = %d", mph->maxWords_sz);
2574            ESP_LOGI(TAG, "hwWords_sz<<2   = %d", mph->hwWords_sz << 2);
2575
2576            /* parameters may have been collbered; Show cpied values */
2577            esp_show_mp("X", X2);
2578            esp_show_mp("Y", Y2);
2579            esp_show_mp("M", M2);
2580
2581            ESP_LOGI(TAG, "Xs            = %d", mph->Xs);
2582            ESP_LOGI(TAG, "Ys            = %d", mph->Ys);
2583            ESP_LOGI(TAG, "found_z_used  = %d", found_z_used);
2584            ESP_LOGI(TAG, "z.used        = %d", Z->used);
2585            ESP_LOGI(TAG, "hwWords_sz    = %d", mph->hwWords_sz);
2586            ESP_LOGI(TAG, "maxWords_sz   = %d", mph->maxWords_sz);
2587            ESP_LOGI(TAG, "hwWords_sz<<2   = %d", mph->hwWords_sz << 2);
2588            esp_show_mp("X", X2); /* X2 copy, as X may have been clobbered */
2589            esp_show_mp("Y", Y2); /* Y2 copy, as Y may have been clobbered */
2590            esp_show_mp("M", M2); /* M2 copy, as M may have been clobbered */
2591            esp_show_mp("r_inv", &(mph->r_inv)); /*show r_inv  */
2592            ESP_LOGI(TAG, "mp            = 0x%08x = %u", mph->mp, mph->mp);
2593
2594            if (mph->mp == mph->mp2) {
2595                ESP_LOGI(TAG, "M' match esp_calc_Mdash vs mp_montgomery_setup"
2596                              " = %d  !", mph->mp);
2597            }
2598            else {
2599                ESP_LOGW(TAG,
2600                         "\n\n"
2601                         "M' MISMATCH esp_calc_Mdash = 0x%08x = %d \n"
2602                         "vs mp_montgomery_setup     = 0x%08x = %d \n\n",
2603                         mph->mp,
2604                         mph->mp,
2605                         mph->mp2,
2606                         mph->mp2);
2607                mph->mp = mph->mp2;
2608            }
2609
2610
2611            esp_show_mp("HW Z", Z); /* this is the HW result */
2612            esp_show_mp("SW Z2", Z2); /* this is the SW result */
2613            ESP_LOGI(TAG, "esp_mp_mulmod_usage_ct = %lu tries",
2614                           esp_mp_mulmod_usage_ct);
2615            ESP_LOGI(TAG, "esp_mp_mulmod_error_ct = %lu failures",
2616                           esp_mp_mulmod_error_ct);
2617            ESP_LOGI(TAG, WOLFSSL_ESPIDF_BLANKLINE_MESSAGE);
2618            esp_show_mp("HW Z", Z); /* this is the HW result */
2619            esp_show_mp("SW Z2", Z2); /* this is the SW result */
2620            ESP_LOGI(TAG, "esp_mp_mulmod_usage_ct = %lu tries",
2621                           esp_mp_mulmod_usage_ct);
2622            ESP_LOGI(TAG, "esp_mp_mulmod_error_ct = %lu failures",
2623                           esp_mp_mulmod_error_ct);
2624            ESP_LOGI(TAG, WOLFSSL_ESPIDF_BLANKLINE_MESSAGE);
2625
2626
2627            #ifndef NO_RECOVER_SOFTWARE_CALC
2628            {
2629                ESP_LOGW(TAG, "Recovering mp_mul error with software result");
2630                mp_copy(Z2, Z); /* copy (src = Z2) to (dst = Z) */
2631            }
2632            #else
2633            {
2634                /* If we are not recovering, then we have an error. */
2635                ret = MP_VAL;
2636            }
2637            #endif
2638        }
2639        else {
2640            ESP_LOGV(TAG, "esp_mp_mulmod success!");
2641        }
2642    }
2643
2644#endif /* DEBUG_WOLFSSL */
2645
2646    /* cleanup and exit */
2647    mp_clear(tmpZ);
2648    mp_clear(&(mph->r_inv));
2649
2650    ESP_LOGV(TAG, "\nEnd esp_mp_mulmod \n");
2651    if (ret == MP_OKAY || ret == MP_HW_FALLBACK) {
2652        ESP_LOGV(TAG, "esp_mp_mulmod exit success ");
2653    }
2654    else {
2655        ESP_LOGW(TAG, "esp_mp_mulmod exit failed = %d", ret);
2656    }
2657
2658#ifdef WOLFSSL_HW_METRICS
2659    /* calculate max used after any cleanup */
2660    esp_mp_max_used = (Z->used > esp_mp_max_used) ? Z->used : esp_mp_max_used;
2661#endif
2662    return ret;
2663} /* esp_mp_mulmod */
2664#endif /* Use HW mulmod: ! NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD */
2665
2666
2667#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD
2668/* Large Number Modular Exponentiation
2669 *
2670 *    Z = X^Y mod M
2671 *
2672 *  ESP32, Section 24.3.2  esp32_technical_reference_manual_en.pdf
2673 *  ESP32S3, Section 20.3.1, esp32-s3_technical_reference_manual_en.pdf
2674 *
2675 * The operation is based on Montgomery multiplication. Aside from the
2676 * arguments X, Y , and M, two additional ones are needed -r and M'
2677.* These arguments are calculated in advance by software.
2678.*
2679.* The RSA Accelerator supports operand lengths of N in {512, 1024, 1536, 2048,
2680.* 2560, 3072, 3584, 4096} bits on the ESP32 and N in [32, 4096] bits
2681 * on the ESP32s3.
2682.* The bit length of arguments Z, X, Y , M, and r can be any one from
2683 * the N set, but all numbers in a calculation must be of the same length.
2684.* The bit length of M' is always 32.
2685.*
2686 * Z = (X ^ Y) mod M   : Espressif generic notation
2687 * Y = (G ^ X) mod P   : wolfSSL DH reference notation */
2688int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
2689{
2690    /* Danger! Do not initialize any function parameters, not even the result Z.
2691     * Some operations such as (rnd = rnd^e) will wipe out the rnd operand
2692     * value upon initialization.
2693     * (e.g. the address of X and Z could be the same when called) */
2694    struct esp_mp_helper mph[1]; /* we'll save some mp helper data here */
2695    int ret = MP_OKAY;
2696    int exptmod_lock_called = FALSE;
2697
2698#if defined(CONFIG_IDF_TARGET_ESP32)
2699    /* different calc */
2700#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
2701    word32 OperandBits;
2702    word32 WordsForOperand;
2703#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
2704    word32 OperandBits;
2705    word32 WordsForOperand;
2706#else
2707    /* no HW */
2708#endif
2709
2710    ESP_LOGV(TAG, "\nBegin esp_mp_exptmod \n");
2711#ifdef WOLFSSL_HW_METRICS
2712    esp_mp_exptmod_usage_ct++;
2713    esp_mp_max_used = (X->used > esp_mp_max_used) ? X->used : esp_mp_max_used;
2714    esp_mp_max_used = (Y->used > esp_mp_max_used) ? Y->used : esp_mp_max_used;
2715    esp_mp_max_used = (M->used > esp_mp_max_used) ? M->used : esp_mp_max_used;
2716#endif
2717
2718    if (mp_iszero(M)) {
2719#ifdef DEBUG_WOLFSSL
2720        ESP_LOGI(TAG, "esp_mp_exptmod M is zero!");
2721#endif
2722#ifdef WOLFSSL_HW_METRICS
2723        esp_mp_exptmod_fallback_ct++;
2724#endif
2725        return MP_HW_FALLBACK; /* fall back and let SW decide how to handle */
2726    }
2727
2728    if (mp_isone(M)) {
2729#ifdef DEBUG_WOLFSSL
2730        ESP_LOGI(TAG, "esp_mp_exptmod M is one!");
2731#endif
2732        mp_clear(Z);
2733        return MP_OKAY; /* mod zero is zero */
2734    }
2735
2736    ret = esp_mp_montgomery_init(X, Y, M, mph);
2737
2738    if (ret == MP_OKAY) {
2739        ESP_LOGV(TAG, "esp_mp_exptmod esp_mp_montgomery_init success.");
2740    }
2741    else {
2742#ifdef WOLFSSL_HW_METRICS
2743        if (ret == MP_HW_FALLBACK) {
2744            esp_mp_exptmod_fallback_ct++;
2745        }
2746        else {
2747            esp_mp_exptmod_error_ct++;
2748        }
2749#endif
2750        return ret;
2751    }
2752
2753#ifdef DEBUG_WOLFSSL
2754    if (esp_hw_validation_active()) {
2755        /* recall there's only one HW for all math accelerations */
2756        return MP_HW_VALIDATION_ACTIVE;
2757    }
2758
2759    if (esp_mp_exptmod_depth_counter != 0) {
2760        ESP_LOGE(TAG, "esp_mp_exptmod Depth Counter Error!");
2761    }
2762    esp_mp_exptmod_depth_counter++;
2763#endif
2764
2765 /*
2766 max bits = 0x400 = 1024 bits
27671024 / 8 = 128 bytes
2768 128 / 4 = 32 words (0x20)
2769 */
2770
2771    /* lock and init the HW                           */
2772    if (ret == MP_OKAY) {
2773        exptmod_lock_called = TRUE; /* Don't try to unlock unless we locked */
2774        #ifdef WOLFSSL_HW_METRICS
2775        {
2776            /* Only track max values when using HW */
2777            esp_mp_max_used = (X->used > esp_mp_max_used) ? X->used :
2778                                                            esp_mp_max_used;
2779            esp_mp_max_used = (Y->used > esp_mp_max_used) ? Y->used :
2780                                                            esp_mp_max_used;
2781        }
2782        #endif
2783
2784        ret = esp_mp_hw_lock();
2785        if (ret != MP_OKAY) {
2786            ESP_LOGE(TAG, "esp_mp_hw_lock failed");
2787            #ifdef DEBUG_WOLFSSL
2788                esp_mp_exptmod_depth_counter--;
2789            #endif
2790            return MP_HW_FALLBACK; /* If we can't lock HW, fall back to SW */
2791        }
2792    } /* the only thing we expect is success or busy */
2793
2794#if defined(CONFIG_IDF_TARGET_ESP32)
2795    /* non-ESP32S3 Xtensa (regular ESP32) */
2796
2797    /* Steps to use HW in the following order:
2798    * 1. Write(N/512bits - 1) to MODEXP_MODE_REG
2799    * 2. Write X, Y, M and r_inv to memory blocks
2800    *    need to write data to each memory block only according to the length
2801    *    of the number.
2802    * 3. Write M' to M_PRIME_REG
2803    * 4. Write 1  to MODEXP_START_REG
2804    * 5. Wait for the operation to be done. Poll INTERRUPT_REG until it reads 1.
2805    *    (Or until the INTER interrupt is generated.)
2806    * 6. Read the result Z(=Y) from Z_MEM
2807    * 7. Write 1 to INTERRUPT_REG to clear the interrupt.
2808    */
2809    if (ret == MP_OKAY) {
2810        ret = esp_mp_hw_wait_clean();
2811    #ifdef WOLFSSL_HW_METRICS
2812        if (ret != MP_OKAY) {
2813            esp_mp_exptmod_error_ct++;
2814        }
2815    #endif
2816    }
2817
2818    if (ret == MP_OKAY) {
2819        /* step.1                                         */
2820        ESP_LOGV(TAG,
2821                 "hwWords_sz = %d, num = %d",
2822                 mph->hwWords_sz,
2823                 (mph->hwWords_sz >> 4) - 1
2824                );
2825
2826        DPORT_REG_WRITE(RSA_MODEXP_MODE_REG, (mph->hwWords_sz >> 4) - 1);
2827        /* step.2 write G, X, P, r_inv and M' into memory */
2828        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
2829                              X,
2830                              mph->Xs,
2831                              mph->hwWords_sz);
2832        esp_mpint_to_memblock(RSA_MEM_Y_BLOCK_BASE,
2833                              Y, mph->Ys,
2834                              mph->hwWords_sz);
2835        esp_mpint_to_memblock(RSA_MEM_M_BLOCK_BASE,
2836                              M,
2837                              mph->Ms,
2838                              mph->hwWords_sz);
2839        esp_mpint_to_memblock(RSA_MEM_Z_BLOCK_BASE,
2840                              &(mph->r_inv),
2841                              mph->Rs,
2842                              mph->hwWords_sz);
2843
2844        /* step.3 write M' into memory                    */
2845        ESP_LOGV(TAG, "M' = %d", mph->mp);
2846        DPORT_REG_WRITE(RSA_M_DASH_REG, mph->mp);
2847        ESP_EM__3_16;
2848
2849        /* step.4 start process                           */
2850        process_start(RSA_MODEXP_START_REG); /* was RSA_START_MODEXP_REG;
2851                                             * RSA_MODEXP_START_REG in docs? */
2852
2853        /* step.5 wait until done                         */
2854        wait_until_done(RSA_INTERRUPT_REG);
2855        /* step.6 read a result form memory               */
2856        esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE, Z, BITS_TO_WORDS(mph->Ms));
2857    }
2858
2859    /* step.7 clear and release expt_mod HW               */
2860    if (exptmod_lock_called) {
2861        ret = esp_mp_hw_unlock();
2862    }
2863    else {
2864        ESP_LOGV(TAG, "Lock not called");
2865    }
2866
2867#elif defined(CONFIG_IDF_TARGET_ESP32C3)
2868    OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
2869    if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
2870    #ifdef WOLFSSL_HW_METRICS
2871        ESP_LOGW(TAG, "exptmod operand bits %d exceeds max bit length %d",
2872                       OperandBits, ESP_HW_MOD_RSAMAX_BITS);
2873        esp_mp_mulmod_max_exceeded_ct++;
2874    #endif
2875       if (exptmod_lock_called) {
2876            ret = esp_mp_hw_unlock();
2877        }
2878        ESP_LOGV(TAG, "Return esp_mp_exptmod fallback");
2879
2880        /* HW not capable for this size, return error to fall back to SW: */
2881        return MP_HW_FALLBACK;
2882    }
2883    else {
2884        WordsForOperand = bits2words(OperandBits);
2885    }
2886
2887    /* Steps to perform large number modular exponentiation.
2888     * Calculates Z = (X ^ Y) modulo M.
2889     * The number of bits in the operands (X, Y) is N. N can be 32x,
2890     * where x = {1,2,3,...64}; maximum number of bits in the X and Y is 2048.
2891     * See 20.3.3 of ESP32-S3 technical manual
2892     *  1. Wait until the hardware is ready.
2893     *  2. Enable/disable interrupt that signals completion
2894     *     -- we don't use the interrupt.
2895     *  3. Write (N_bits/32 - 1) to the RSA_MODE_REG
2896     *     (now called RSA_LENGTH_REG).
2897     *     Here N_bits is the maximum number of bits in X, Y and M.
2898     *  4. Write M' value into RSA_M_PRIME_REG (now called RSA_M_DASH_REG).
2899     *  5. Load X, Y, M, r' operands to memory blocks.
2900     *  6. Start the operation by writing 1 to RSA_MODEXP_START_REG,
2901     *     then wait for it to complete by monitoring RSA_IDLE_REG
2902     *     (which is now called RSA_QUERY_INTERRUPT_REG).
2903     *  7. Read the result out.
2904     *  8. Release the hardware lock so others can use it.
2905     *  x. Clear the interrupt flag, if you used it (we don't). */
2906
2907    /* 1. Wait until hardware is ready. */
2908    if (ret == MP_OKAY) {
2909        ret = esp_mp_hw_wait_clean();
2910    }
2911
2912    if (ret == MP_OKAY) {
2913        /* 2. Disable completion interrupt signal; we don't use.
2914        **    0 => no interrupt; 1 => interrupt on completion. */
2915        DPORT_REG_WRITE(RSA_INTERRUPT_REG, 0);
2916
2917        /* 3. Write (N_result_bits/32 - 1) to the RSA_MODE_REG. */
2918        DPORT_REG_WRITE(RSA_LENGTH_REG, WordsForOperand - 1);
2919
2920        /* 4. Write M' value into RSA_M_PRIME_REG
2921         * (now called RSA_M_DASH_REG) */
2922        DPORT_REG_WRITE(RSA_M_DASH_REG, mph->mp);
2923
2924        /* 5. Load X, Y, M, r' operands. */
2925        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
2926                              X,
2927                              mph->Xs,
2928                              mph->hwWords_sz);
2929        esp_mpint_to_memblock(RSA_MEM_Y_BLOCK_BASE,
2930                              Y,
2931                              mph->Ys,
2932                              mph->hwWords_sz);
2933        esp_mpint_to_memblock(RSA_MEM_M_BLOCK_BASE,
2934                              M,
2935                              mph->Ms,
2936                              mph->hwWords_sz);
2937        esp_mpint_to_memblock(RSA_MEM_Z_BLOCK_BASE,
2938                              &(mph->r_inv),
2939                              mph->Rs,
2940                              mph->hwWords_sz);
2941
2942        /* 6. Start operation and wait until it completes. */
2943        process_start(RSA_MODEXP_START_REG);
2944        ret = wait_until_done(RSA_QUERY_INTERRUPT_REG);
2945    }
2946
2947    if (MP_OKAY == ret) {
2948        /* 7. read the result form MEM_Z              */
2949        esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE, Z, BITS_TO_WORDS(mph->Ms));
2950    }
2951
2952    /* 8. clear and release HW                    */
2953    if (exptmod_lock_called) {
2954        ret = esp_mp_hw_unlock();
2955    }
2956    else {
2957        ESP_LOGV(TAG, "Lock not called");
2958    }
2959    /* end if CONFIG_IDF_TARGET_ESP32C3 */
2960
2961#elif defined(CONFIG_IDF_TARGET_ESP32C6)
2962    OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
2963    if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
2964    #ifdef WOLFSSL_HW_METRICS
2965        ESP_LOGW(TAG, "exptmod operand bits %d exceeds max bit length %d",
2966                       OperandBits, ESP_HW_MOD_RSAMAX_BITS);
2967        esp_mp_mulmod_max_exceeded_ct++;
2968    #endif
2969       if (exptmod_lock_called) {
2970            ret = esp_mp_hw_unlock();
2971        }
2972        ESP_LOGV(TAG, "Return esp_mp_exptmod fallback");
2973
2974        /* HW not capable for this size, return error to fall back to SW: */
2975        return MP_HW_FALLBACK;
2976    }
2977    else {
2978        WordsForOperand = bits2words(OperandBits);
2979    }
2980
2981    /* Steps to perform large number modular exponentiation.
2982     * Calculates Z = (X ^ Y) modulo M.
2983     * The number of bits in the operands (X, Y) is N. N can be 32x,
2984     * where x = {1,2,3,...64}; maximum number of bits in the X and Y is 2048.
2985     * See 20.3.3 of ESP32-S3 technical manual
2986     *  1. Wait until the hardware is ready.
2987     *  2. Enable/disable interrupt that signals completion
2988     *     -- we don't use the interrupt.
2989     *  3. Write (N_bits/32 - 1) to the RSA_MODE_REG
2990     *     (now called RSA_LENGTH_REG).
2991     *     Here N_bits is the maximum number of bits in X, Y and M.
2992     *  4. Write M' value into RSA_M_PRIME_REG (now called RSA_M_DASH_REG).
2993     *  5. Load X, Y, M, r' operands to memory blocks.
2994     *  6. Start the operation by writing 1 to RSA_MODEXP_START_REG,
2995     *     then wait for it to complete by monitoring RSA_IDLE_REG
2996     *     (which is now called RSA_QUERY_INTERRUPT_REG).
2997     *  7. Read the result out.
2998     *  8. Release the hardware lock so others can use it.
2999     *  x. Clear the interrupt flag, if you used it (we don't). */
3000
3001    /* 1. Wait until hardware is ready. */
3002    if (ret == MP_OKAY) {
3003        ret = esp_mp_hw_wait_clean();
3004    }
3005
3006    if (ret == MP_OKAY) {
3007        /* 2. Disable completion interrupt signal; we don't use.
3008        **    0 => no interrupt; 1 => interrupt on completion. */
3009        DPORT_REG_WRITE(RSA_INT_ENA_REG, 0);
3010
3011        /* 3. Write (N_result_bits/32 - 1) to the RSA_MODE_REG. */
3012        DPORT_REG_WRITE(RSA_MODE_REG, WordsForOperand - 1);
3013
3014        /* 4. Write M' value into RSA_M_PRIME_REG  */
3015        DPORT_REG_WRITE(RSA_M_PRIME_REG, mph->mp);
3016
3017        /* 5. Load X, Y, M, r' operands. */
3018        esp_mpint_to_memblock(RSA_X_MEM,
3019                              X,
3020                              mph->Xs,
3021                              mph->hwWords_sz);
3022        esp_mpint_to_memblock(RSA_Y_MEM,
3023                              Y,
3024                              mph->Ys,
3025                              mph->hwWords_sz);
3026        esp_mpint_to_memblock(RSA_M_MEM,
3027                              M,
3028                              mph->Ms,
3029                              mph->hwWords_sz);
3030        esp_mpint_to_memblock(RSA_Z_MEM,
3031                              &(mph->r_inv),
3032                              mph->Rs,
3033                              mph->hwWords_sz);
3034
3035        /* 6. Start operation and wait until it completes. */
3036        /* Write 1 to the RSA_SET_START_MODEXP field of the
3037         * RSA_SET_START_MODEXP_REG register to start computation.*/
3038        process_start(RSA_SET_START_MODEXP_REG);
3039        ret = wait_until_done(RSA_QUERY_IDLE_REG);
3040    }
3041
3042    if (MP_OKAY == ret) {
3043        /* 7. read the result form MEM_Z              */
3044        esp_memblock_to_mpint(RSA_Z_MEM, Z, BITS_TO_WORDS(mph->Ms));
3045    }
3046
3047    /* 8. clear and release HW                    */
3048    #ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
3049        ESP_LOGI(TAG, "Unlock esp_mp_exptmod");
3050    #endif
3051    if (exptmod_lock_called) {
3052        ret = esp_mp_hw_unlock();
3053    }
3054    else {
3055    #ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
3056        ESP_LOGV(TAG, "Lock not called");
3057    #endif
3058    }
3059    /* end if CONFIG_IDF_TARGET_ESP32C6 */
3060
3061#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
3062    /* Steps to perform large number modular exponentiation.
3063     * Calculates Z = (X ^ Y) modulo M.
3064     * The number of bits in the operands (X, Y) is N. N can be 32x,
3065     * where x = {1,2,3,...64}; the maximum number of bits in X and Y is 2048.
3066     * See 20.3.3 of ESP32-S3 technical manual:
3067     *  1. Wait until the hardware is ready.
3068     *  2. Enable/disable interrupt that signals completion
3069     *     -- we don't use the interrupt.
3070     *  3. Write (N_bits/32 - 1) to the RSA_MODE_REG
3071     *     (now called RSA_LENGTH_REG).
3072     *     Here N_bits is the maximum number of bits in X, Y and M.
3073     *  4. Write M' value into RSA_M_PRIME_REG (now called RSA_M_DASH_REG).
3074     *  5. Load X, Y, M, r' operands to memory blocks.
3075     *  6. Start the operation by writing 1 to RSA_MODEXP_START_REG,
3076     *     then wait for it to complete by monitoring RSA_IDLE_REG
3077     *     (which is now called RSA_QUERY_INTERRUPT_REG).
3078     *  7. Read the result out.
3079     *  8. Release the hardware lock so others can use it.
3080     *  x. Clear the interrupt flag, if you used it (we don't). */
3081
3082    /* 1. Wait until hardware is ready. */
3083    if (ret == MP_OKAY) {
3084        ret = esp_mp_hw_wait_clean();
3085    }
3086
3087    if (ret == MP_OKAY) {
3088        OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
3089        if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
3090    #ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
3091            ESP_LOGW(TAG, "exptmod operand bits %d exceeds max bit length %d",
3092                           OperandBits, ESP_HW_MOD_RSAMAX_BITS);
3093    #endif
3094            ret = MP_HW_FALLBACK; /*  Error: value is not able to be used. */
3095        }
3096        else {
3097            WordsForOperand = bits2words(OperandBits);
3098        }
3099    }
3100
3101    if (ret == MP_OKAY) {
3102        /* 2. Disable completion interrupt signal; we don't use.
3103        **    0 => no interrupt; 1 => interrupt on completion. */
3104        DPORT_REG_WRITE(RSA_INTERRUPT_REG, 0);
3105
3106        /* 3. Write (N_result_bits/32 - 1) to the RSA_MODE_REG. */
3107        DPORT_REG_WRITE(RSA_LENGTH_REG, WordsForOperand - 1);
3108
3109        /* 4. Write M' value into RSA_M_PRIME_REG
3110         * (now called RSA_M_DASH_REG) */
3111        DPORT_REG_WRITE(RSA_M_DASH_REG, mph->mp);
3112
3113        /* 5. Load X, Y, M, r' operands. */
3114        esp_mpint_to_memblock(RSA_MEM_X_BLOCK_BASE,
3115                              X,
3116                              mph->Xs,
3117                              mph->hwWords_sz);
3118        esp_mpint_to_memblock(RSA_MEM_Y_BLOCK_BASE,
3119                              Y,
3120                              mph->Ys,
3121                              mph->hwWords_sz);
3122        esp_mpint_to_memblock(RSA_MEM_M_BLOCK_BASE,
3123                              M,
3124                              mph->Ms,
3125                              mph->hwWords_sz);
3126        esp_mpint_to_memblock(RSA_MEM_Z_BLOCK_BASE,
3127                              &(mph->r_inv),
3128                              mph->Rs,
3129                              mph->hwWords_sz);
3130
3131        /* 6. Start operation and wait until it completes. */
3132        process_start(RSA_MODEXP_START_REG);
3133        ret = wait_until_done(RSA_QUERY_INTERRUPT_REG);
3134    }
3135
3136    if (MP_OKAY == ret) {
3137        /* 7. read the result form MEM_Z              */
3138        esp_memblock_to_mpint(RSA_MEM_Z_BLOCK_BASE, Z, BITS_TO_WORDS(mph->Ms));
3139    }
3140
3141    /* 8. clear and release HW                    */
3142    if (exptmod_lock_called) {
3143        ret = esp_mp_hw_unlock();
3144    }
3145    else {
3146        ESP_LOGV(TAG, "Lock not called");
3147    }
3148
3149    /* end if CONFIG_IDF_TARGET_ESP32S3 */
3150#else
3151    /* unknown or unsupported targets fall back to SW */
3152    ret = MP_HW_FALLBACK;
3153#endif
3154
3155#ifdef DEBUG_WOLFSSL
3156    if (esp_mp_exptmod_depth_counter != 1) {
3157        ESP_LOGE(TAG, "esp_mp_exptmod exit Depth Counter Error!");
3158    }
3159    esp_mp_exptmod_depth_counter--;
3160#endif
3161
3162    /* never modify the result if we are falling back as the result
3163     * may be the same as one of the operands! */
3164    if (ret == MP_OKAY) {
3165        esp_clean_result(Z, 0);
3166    }
3167#ifdef WOLFSSL_HW_METRICS
3168    esp_mp_max_used = (Z->used > esp_mp_max_used) ? Z->used : esp_mp_max_used;
3169#endif
3170    ESP_LOGV(TAG, "Return esp_mp_exptmod %d", ret);
3171
3172    return ret;
3173} /* esp_mp_exptmod */
3174#endif /* Use HW expmod: ! NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
3175
3176#endif /* WOLFSSL_ESP32_CRYPT_RSA_PRI) &&
3177        * !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */
3178
3179#endif /* !NO_RSA || HAVE_ECC */
3180
3181/* Some optional metrics when using RSA HW Acceleration */
3182#if defined(WOLFSSL_ESP32_CRYPT_RSA_PRI) && defined(WOLFSSL_HW_METRICS)
3183int esp_hw_show_mp_metrics(void)
3184{
3185    int ret;
3186#if !defined(NO_ESP32_CRYPT)  &&  defined(HW_MATH_ENABLED)
3187    ret = MP_OKAY;
3188
3189#if defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL)
3190    ESP_LOGI(TAG, "esp_mp_mul HW disabled with "
3191                  "NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL");
3192#else
3193    /* Metrics: esp_mp_mul() */
3194    ESP_LOGI(TAG, WOLFSSL_ESPIDF_BLANKLINE_MESSAGE); /* mul follows */
3195    ESP_LOGI(TAG, "esp_mp_mul HW acceleration enabled.");
3196    ESP_LOGI(TAG, "Number of calls to esp_mp_mul: %lu",
3197                   esp_mp_mul_usage_ct);
3198    ESP_LOGI(TAG, "Number of calls to esp_mp_mul with tiny operands: %lu",
3199                   esp_mp_mul_tiny_ct);
3200    ESP_LOGI(TAG, "Number of calls to esp_mp_mul HW operand exceeded: %lu",
3201                   esp_mp_mul_max_exceeded_ct);
3202    if (esp_mp_mul_error_ct == 0) {
3203        ESP_LOGI(TAG, "Success: no esp_mp_mul() errors.");
3204    }
3205    else {
3206        ESP_LOGW(TAG, "Number of esp_mp_mul failures: %lu",
3207                       esp_mp_mul_error_ct);
3208        ret = MP_VAL;
3209    }
3210#endif
3211
3212#if defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD)
3213    ESP_LOGI(TAG, "esp_mp_mulmod HW disabled with "
3214                  "NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD");
3215#else
3216    /* Metrics: esp_mp_mulmod() */
3217    ESP_LOGI(TAG, WOLFSSL_ESPIDF_BLANKLINE_MESSAGE); /* mulmod follows */
3218
3219    ESP_LOGI(TAG, "esp_mp_mulmod HW acceleration enabled.");
3220    /* Metrics: esp_mp_mulmod() */
3221    ESP_LOGI(TAG, "Number of calls to esp_mp_mulmod: %lu",
3222                   esp_mp_mulmod_usage_ct);
3223    ESP_LOGI(TAG, "Number of calls to esp_mp_mulmod HW operand exceeded: %lu",
3224                   esp_mp_mulmod_max_exceeded_ct);
3225    ESP_LOGI(TAG, "Number of fallback to SW mp_mulmod: %lu",
3226                   esp_mp_mulmod_fallback_ct);
3227
3228    if (esp_mp_mulmod_error_ct == 0) {
3229        ESP_LOGI(TAG, "Success: no esp_mp_mulmod errors.");
3230    }
3231    else {
3232        ESP_LOGW(TAG, "Number of esp_mp_mulmod failures: %lu",
3233                       esp_mp_mulmod_error_ct);
3234        ret = MP_VAL;
3235    }
3236
3237    if (esp_mp_mulmod_even_mod_ct == 0) {
3238        ESP_LOGI(TAG, "Success: no esp_mp_mulmod even mod.");
3239    }
3240    else {
3241        ESP_LOGW(TAG, "Number of esp_mp_mulmod even mod: %lu",
3242                       esp_mp_mulmod_even_mod_ct);
3243    }
3244
3245    if (esp_mp_mulmod_error_ct == 0) {
3246        ESP_LOGI(TAG, "Success: no esp_mp_mulmod small x or y.");
3247    }
3248    else {
3249        ESP_LOGW(TAG, "Number of esp_mp_mulmod small x: %lu",
3250                       esp_mp_mulmod_small_x_ct);
3251        ESP_LOGW(TAG, "Number of esp_mp_mulmod small y: %lu",
3252                       esp_mp_mulmod_small_y_ct);
3253    }
3254#endif /* MULMOD disabled: !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD */
3255
3256#if defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD)
3257    ESP_LOGI(TAG, "esp_mp_exptmod HW disabled with "
3258                  "NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD");
3259#else
3260    /* Metrics: sp_mp_exptmod() */
3261    ESP_LOGI(TAG, WOLFSSL_ESPIDF_BLANKLINE_MESSAGE); /* exptmod follows */
3262
3263    ESP_LOGI(TAG, "Number of calls to esp_mp_exptmod: %lu",
3264                   esp_mp_exptmod_usage_ct);
3265    ESP_LOGI(TAG, "Number of calls to esp_mp_exptmod HW operand exceeded: %lu",
3266                   esp_mp_exptmod_max_exceeded_ct);
3267    ESP_LOGI(TAG, "Number of fallback to SW mp_exptmod: %lu",
3268                   esp_mp_exptmod_fallback_ct);
3269    if (esp_mp_exptmod_error_ct == 0) {
3270        ESP_LOGI(TAG, "Success: no esp_mp_exptmod errors.");
3271    }
3272    else {
3273        ESP_LOGW(TAG, "Number of esp_mp_exptmod errors: %lu",
3274                       esp_mp_exptmod_error_ct);
3275        ret = MP_VAL;
3276    }
3277#endif /* EXPTMOD not disabled !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
3278
3279    ESP_LOGI(TAG, "Max N->used: esp_mp_max_used = %lu", esp_mp_max_used);
3280    ESP_LOGI(TAG, "Max hw wait timeout: esp_mp_max_wait_timeout = %lu",
3281                   esp_mp_max_wait_timeout);
3282    ESP_LOGI(TAG, "Max calc timeout: esp_mp_max_timeout = 0x%08lx",
3283                   esp_mp_max_timeout);
3284
3285#else
3286    /* no HW math, no HW math metrics */
3287    ret = ESP_OK;
3288#endif /* HW_MATH_ENABLED */
3289
3290
3291    return ret;
3292}
3293#endif /* WOLFSSL_HW_METRICS */
3294
3295#endif /* WOLFSSL_ESPIDF */