mbedtls
Implement mbedtls_mpi_core_fill_random
Addresses https://github.com/Mbed-TLS/mbedtls/issues/6239 (only fill_random in core, not yet random or mod).
Also in this PR: introduce a function mbedtls_test_read_mpi_core()
to conveniently read a core MPI in unit tests.
Changelog: no (only core bignum stuff).
Backport: TODO (not the new bignum stuff, only the minor changes to existing test framework code and test data).
pr-merge failing on the internal CI looks like a timeout.
Rebased to resolve conflicts with Montgomery multiplication (only additions in the same place and changes on consecutive lines, no actual interference).
@gilles-peskine-arm this has conflicts and needs-work - do you know when you'll update it?
I'll update once https://github.com/Mbed-TLS/mbedtls/pull/6450 is merged.
Looks good to me with one minor question.
I am not quite certain of the integer range the generation is bound to. The assumption is that rng is returning an int, which can be 32 or 64 bits.
int (*f_rng)(void *, unsigned char *, size_t)
I can see that the upper bound is set by N and used in calculating the bitsize:
size_t n_bits = mbedtls_mpi_core_bitlen( N, limbs );
Could we have situations where the rng is generating 32 bit numbers and the platform is 64 bit? Do we need to have test cases specific to different architectures?
I am not quite certain of the integer range the generation is bound to. The assumption is that rng is returning an int, which can be 32 or 64 bits.
f_rng returns a standard Mbed TLS return code, i.e. 0 for success else an error number. It just puts random bytes into the buffer it is given. Look in bignum_core.c:mbedtls_mpi_core_fill_random() to see where it is used.
There's a tech debt item to document f_rng better: https://github.com/Mbed-TLS/mbedtls/issues/5868
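The point made in the reply above, as an added illustration that is not code from the PR or from Mbed TLS: the callback only fills a byte buffer and returns a status, so the generator's internal word width (32-bit here) has no bearing on the limb width (64-bit here). The limb type, the names fill_random_limbs, limbs_bitlen and demo_rng, and the xorshift "RNG" are all constructed for this example; the bit-length bound is enforced by masking the top limb, which is one way to do it, not necessarily the PR's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical limb type; the callback type mirrors the signature quoted
 * in the thread: int (*f_rng)(void *, unsigned char *, size_t). */
typedef uint64_t limb_t;
typedef int (*rng_fn)(void *ctx, unsigned char *out, size_t len);

/* Constructed, deterministic stand-in for a real RNG (32-bit xorshift).
 * It writes bytes into out[] and returns 0 for success, so the 32-bit
 * state width never reaches the caller: only bytes cross the boundary. */
static int demo_rng(void *ctx, unsigned char *out, size_t len)
{
    uint32_t *s = ctx;
    for (size_t i = 0; i < len; i++) {
        if (i % 4 == 0) { *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; }
        out[i] = (unsigned char)(*s >> (8 * (i % 4)));
    }
    return 0;
}

/* Fill `limbs` limbs from f_rng, then clear every bit above n_bits so the
 * result has at most n_bits bits. Returns -1 on bad arguments, otherwise
 * whatever status f_rng returned (0 on success). */
int fill_random_limbs(limb_t *X, size_t limbs, size_t n_bits,
                      rng_fn f_rng, void *p_rng)
{
    if (limbs == 0 || n_bits == 0 || n_bits > limbs * 64) return -1;
    int ret = f_rng(p_rng, (unsigned char *)X, limbs * sizeof(limb_t));
    if (ret != 0) return ret;
    size_t top  = (n_bits - 1) / 64;   /* index of the highest used limb */
    size_t used = n_bits - top * 64;   /* bits kept in that limb, 1..64 */
    if (used < 64) X[top] &= ((limb_t)1 << used) - 1;
    memset(X + top + 1, 0, (limbs - top - 1) * sizeof(limb_t));
    return 0;
}

/* Bit length of a limb array (hypothetical counterpart of the bitlen
 * call quoted in the thread), used here to check the bound. */
size_t limbs_bitlen(const limb_t *X, size_t limbs)
{
    for (size_t i = limbs; i-- > 0;) {
        if (X[i] == 0) continue;
        size_t b = 64;
        while (b > 0 && !(X[i] >> (b - 1))) b--;
        return i * 64 + b;
    }
    return 0;
}
```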
CI is all good