1 /* $Cambridge: exim/src/src/pdkim/bignum.c,v 1.1.2.1 2009/02/24 13:13:47 tom Exp $ */
3 * Multi-precision integer library
5 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
7 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 * This MPI implementation is based on:
26 * http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf
27 * http://www.stillhq.com/extracted/gnupg-api/mpi/
28 * http://math.libtomcrypt.com/files/tommath.pdf
38 #define ciL ((int) sizeof(t_int)) /* chars in limb */
39 #define biL (ciL << 3) /* bits in limb */
40 #define biH (ciL << 2) /* half limb size */
43 * Convert between bits/chars and number of limbs
45 #define BITS_TO_LIMBS(i) (((i) + biL - 1) / biL)
46 #define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
49 * Initialize one or more mpi
51 void mpi_init( mpi *X, ... )
63 X = va_arg( args, mpi* );
70 * Unallocate one or more mpi
72 void mpi_free( mpi *X, ... )
82 memset( X->p, 0, X->n * ciL );
90 X = va_arg( args, mpi* );
97 * Enlarge to the specified number of limbs
99 int mpi_grow( mpi *X, int nblimbs )
105 if( ( p = (t_int *) malloc( nblimbs * ciL ) ) == NULL )
108 memset( p, 0, nblimbs * ciL );
112 memcpy( p, X->p, X->n * ciL );
113 memset( X->p, 0, X->n * ciL );
125 * Copy the contents of Y into X
127 int mpi_copy( mpi *X, mpi *Y )
134 for( i = Y->n - 1; i > 0; i-- )
141 MPI_CHK( mpi_grow( X, i ) );
143 memset( X->p, 0, X->n * ciL );
144 memcpy( X->p, Y->p, i * ciL );
152 * Swap the contents of X and Y
154 void mpi_swap( mpi *X, mpi *Y )
158 memcpy( &T, X, sizeof( mpi ) );
159 memcpy( X, Y, sizeof( mpi ) );
160 memcpy( Y, &T, sizeof( mpi ) );
164 * Set value from integer
166 int mpi_lset( mpi *X, int z )
170 MPI_CHK( mpi_grow( X, 1 ) );
171 memset( X->p, 0, X->n * ciL );
173 X->p[0] = ( z < 0 ) ? -z : z;
174 X->s = ( z < 0 ) ? -1 : 1;
182 * Return the number of least significant bits
184 int mpi_lsb( mpi *X )
188 for( i = 0; i < X->n; i++ )
189 for( j = 0; j < (int) biL; j++, count++ )
190 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
197 * Return the number of most significant bits
199 int mpi_msb( mpi *X )
203 for( i = X->n - 1; i > 0; i-- )
207 for( j = biL - 1; j >= 0; j-- )
208 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
211 return( ( i * biL ) + j + 1 );
215 * Return the total size in bytes
217 int mpi_size( mpi *X )
219 return( ( mpi_msb( X ) + 7 ) >> 3 );
223 * Convert an ASCII character to digit value
225 static int mpi_get_digit( t_int *d, int radix, char c )
229 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
230 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
231 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
233 if( *d >= (t_int) radix )
234 return( POLARSSL_ERR_MPI_INVALID_CHARACTER );
240 * Import from an ASCII string
242 int mpi_read_string( mpi *X, int radix, char *s )
248 if( radix < 2 || radix > 16 )
249 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
251 mpi_init( &T, NULL );
255 n = BITS_TO_LIMBS( strlen( s ) << 2 );
257 MPI_CHK( mpi_grow( X, n ) );
258 MPI_CHK( mpi_lset( X, 0 ) );
260 for( i = strlen( s ) - 1, j = 0; i >= 0; i--, j++ )
262 if( i == 0 && s[i] == '-' )
268 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
269 X->p[j / (2 * ciL)] |= d << ( (j % (2 * ciL)) << 2 );
274 MPI_CHK( mpi_lset( X, 0 ) );
276 for( i = 0; i < (int) strlen( s ); i++ )
278 if( i == 0 && s[i] == '-' )
284 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
285 MPI_CHK( mpi_mul_int( &T, X, radix ) );
286 MPI_CHK( mpi_add_int( X, &T, d ) );
292 mpi_free( &T, NULL );
298 * Helper to write the digits high-order first
300 static int mpi_write_hlp( mpi *X, int radix, char **p )
305 if( radix < 2 || radix > 16 )
306 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
308 MPI_CHK( mpi_mod_int( &r, X, radix ) );
309 MPI_CHK( mpi_div_int( X, NULL, X, radix ) );
311 if( mpi_cmp_int( X, 0 ) != 0 )
312 MPI_CHK( mpi_write_hlp( X, radix, p ) );
315 *(*p)++ = (char)( r + 0x30 );
317 *(*p)++ = (char)( r + 0x37 );
325 * Export into an ASCII string
327 int mpi_write_string( mpi *X, int radix, char *s, int *slen )
333 if( radix < 2 || radix > 16 )
334 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
337 if( radix >= 4 ) n >>= 1;
338 if( radix >= 16 ) n >>= 1;
344 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
348 mpi_init( &T, NULL );
357 for( i = X->n - 1, k = 0; i >= 0; i-- )
359 for( j = ciL - 1; j >= 0; j-- )
361 c = ( X->p[i] >> (j << 3) ) & 0xFF;
363 if( c == 0 && k == 0 && (i + j) != 0 )
366 p += sprintf( p, "%02X", c );
373 MPI_CHK( mpi_copy( &T, X ) );
374 MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
382 mpi_free( &T, NULL );
388 * Read X from an opened file
390 int mpi_read_file( mpi *X, int radix, FILE *fin )
397 memset( s, 0, sizeof( s ) );
398 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
399 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
402 if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
403 if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
407 if( mpi_get_digit( &d, radix, *p ) != 0 )
410 return( mpi_read_string( X, radix, p + 1 ) );
414 * Write X into an opened file (or stdout if fout == NULL)
416 int mpi_write_file( char *p, mpi *X, int radix, FILE *fout )
427 MPI_CHK( mpi_write_string( X, radix, s, (int *) &n ) );
429 if( p == NULL ) p = "";
438 if( fwrite( p, 1, plen, fout ) != plen ||
439 fwrite( s, 1, slen, fout ) != slen )
440 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
443 printf( "%s%s", p, s );
451 * Import X from unsigned binary data, big endian
453 int mpi_read_binary( mpi *X, unsigned char *buf, int buflen )
457 for( n = 0; n < buflen; n++ )
461 MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
462 MPI_CHK( mpi_lset( X, 0 ) );
464 for( i = buflen - 1, j = 0; i >= n; i--, j++ )
465 X->p[j / ciL] |= ((t_int) buf[i]) << ((j % ciL) << 3);
473 * Export X into unsigned binary data, big endian
475 int mpi_write_binary( mpi *X, unsigned char *buf, int buflen )
482 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
484 memset( buf, 0, buflen );
486 for( i = buflen - 1, j = 0; n > 0; i--, j++, n-- )
487 buf[i] = (unsigned char)( X->p[j / ciL] >> ((j % ciL) << 3) );
493 * Left-shift: X <<= count
495 int mpi_shift_l( mpi *X, int count )
501 t1 = count & (biL - 1);
503 i = mpi_msb( X ) + count;
505 if( X->n * (int) biL < i )
506 MPI_CHK( mpi_grow( X, BITS_TO_LIMBS( i ) ) );
511 * shift by count / limb_size
515 for( i = X->n - 1; i >= v0; i-- )
516 X->p[i] = X->p[i - v0];
523 * shift by count % limb_size
527 for( i = v0; i < X->n; i++ )
529 r1 = X->p[i] >> (biL - t1);
542 * Right-shift: X >>= count
544 int mpi_shift_r( mpi *X, int count )
550 v1 = count & (biL - 1);
553 * shift by count / limb_size
557 for( i = 0; i < X->n - v0; i++ )
558 X->p[i] = X->p[i + v0];
560 for( ; i < X->n; i++ )
565 * shift by count % limb_size
569 for( i = X->n - 1; i >= 0; i-- )
571 r1 = X->p[i] << (biL - v1);
582 * Compare unsigned values
584 int mpi_cmp_abs( mpi *X, mpi *Y )
588 for( i = X->n - 1; i >= 0; i-- )
592 for( j = Y->n - 1; j >= 0; j-- )
599 if( i > j ) return( 1 );
600 if( j > i ) return( -1 );
604 if( X->p[i] > Y->p[i] ) return( 1 );
605 if( X->p[i] < Y->p[i] ) return( -1 );
612 * Compare signed values
614 int mpi_cmp_mpi( mpi *X, mpi *Y )
618 for( i = X->n - 1; i >= 0; i-- )
622 for( j = Y->n - 1; j >= 0; j-- )
629 if( i > j ) return( X->s );
630 if( j > i ) return( -X->s );
632 if( X->s > 0 && Y->s < 0 ) return( 1 );
633 if( Y->s > 0 && X->s < 0 ) return( -1 );
637 if( X->p[i] > Y->p[i] ) return( X->s );
638 if( X->p[i] < Y->p[i] ) return( -X->s );
645 * Compare signed values
647 int mpi_cmp_int( mpi *X, int z )
652 *p = ( z < 0 ) ? -z : z;
653 Y.s = ( z < 0 ) ? -1 : 1;
657 return( mpi_cmp_mpi( X, &Y ) );
661 * Unsigned addition: X = |A| + |B| (HAC 14.7)
663 int mpi_add_abs( mpi *X, mpi *A, mpi *B )
670 mpi *T = A; A = X; B = T;
674 MPI_CHK( mpi_copy( X, A ) );
676 for( j = B->n - 1; j >= 0; j-- )
680 MPI_CHK( mpi_grow( X, j + 1 ) );
682 o = B->p; p = X->p; c = 0;
684 for( i = 0; i <= j; i++, o++, p++ )
686 *p += c; c = ( *p < c );
687 *p += *o; c += ( *p < *o );
694 MPI_CHK( mpi_grow( X, i + 1 ) );
698 *p += c; c = ( *p < c ); i++;
707 * Helper for mpi substraction
709 static void mpi_sub_hlp( int n, t_int *s, t_int *d )
714 for( i = c = 0; i < n; i++, s++, d++ )
716 z = ( *d < c ); *d -= c;
717 c = ( *d < *s ) + z; *d -= *s;
722 z = ( *d < c ); *d -= c;
728 * Unsigned substraction: X = |A| - |B| (HAC 14.9)
730 int mpi_sub_abs( mpi *X, mpi *A, mpi *B )
735 if( mpi_cmp_abs( A, B ) < 0 )
736 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
738 mpi_init( &TB, NULL );
742 MPI_CHK( mpi_copy( &TB, B ) );
747 MPI_CHK( mpi_copy( X, A ) );
751 for( n = B->n - 1; n >= 0; n-- )
755 mpi_sub_hlp( n + 1, B->p, X->p );
759 mpi_free( &TB, NULL );
765 * Signed addition: X = A + B
767 int mpi_add_mpi( mpi *X, mpi *A, mpi *B )
771 if( A->s * B->s < 0 )
773 if( mpi_cmp_abs( A, B ) >= 0 )
775 MPI_CHK( mpi_sub_abs( X, A, B ) );
780 MPI_CHK( mpi_sub_abs( X, B, A ) );
786 MPI_CHK( mpi_add_abs( X, A, B ) );
796 * Signed substraction: X = A - B
798 int mpi_sub_mpi( mpi *X, mpi *A, mpi *B )
802 if( A->s * B->s > 0 )
804 if( mpi_cmp_abs( A, B ) >= 0 )
806 MPI_CHK( mpi_sub_abs( X, A, B ) );
811 MPI_CHK( mpi_sub_abs( X, B, A ) );
817 MPI_CHK( mpi_add_abs( X, A, B ) );
827 * Signed addition: X = A + b
829 int mpi_add_int( mpi *X, mpi *A, int b )
834 p[0] = ( b < 0 ) ? -b : b;
835 _B.s = ( b < 0 ) ? -1 : 1;
839 return( mpi_add_mpi( X, A, &_B ) );
843 * Signed substraction: X = A - b
845 int mpi_sub_int( mpi *X, mpi *A, int b )
850 p[0] = ( b < 0 ) ? -b : b;
851 _B.s = ( b < 0 ) ? -1 : 1;
855 return( mpi_sub_mpi( X, A, &_B ) );
859 * Helper for mpi multiplication
861 static void mpi_mul_hlp( int i, t_int *s, t_int *d, t_int b )
865 #if defined(MULADDC_HUIT)
866 for( ; i >= 8; i -= 8 )
880 for( ; i >= 16; i -= 16 )
883 MULADDC_CORE MULADDC_CORE
884 MULADDC_CORE MULADDC_CORE
885 MULADDC_CORE MULADDC_CORE
886 MULADDC_CORE MULADDC_CORE
888 MULADDC_CORE MULADDC_CORE
889 MULADDC_CORE MULADDC_CORE
890 MULADDC_CORE MULADDC_CORE
891 MULADDC_CORE MULADDC_CORE
895 for( ; i >= 8; i -= 8 )
898 MULADDC_CORE MULADDC_CORE
899 MULADDC_CORE MULADDC_CORE
901 MULADDC_CORE MULADDC_CORE
902 MULADDC_CORE MULADDC_CORE
917 *d += c; c = ( *d < c ); d++;
923 * Baseline multiplication: X = A * B (HAC 14.12)
925 int mpi_mul_mpi( mpi *X, mpi *A, mpi *B )
930 mpi_init( &TA, &TB, NULL );
932 if( X == A ) { MPI_CHK( mpi_copy( &TA, A ) ); A = &TA; }
933 if( X == B ) { MPI_CHK( mpi_copy( &TB, B ) ); B = &TB; }
935 for( i = A->n - 1; i >= 0; i-- )
939 for( j = B->n - 1; j >= 0; j-- )
943 MPI_CHK( mpi_grow( X, i + j + 2 ) );
944 MPI_CHK( mpi_lset( X, 0 ) );
946 for( i++; j >= 0; j-- )
947 mpi_mul_hlp( i, A->p, X->p + j, B->p[j] );
953 mpi_free( &TB, &TA, NULL );
959 * Baseline multiplication: X = A * b
961 int mpi_mul_int( mpi *X, mpi *A, t_int b )
971 return( mpi_mul_mpi( X, A, &_B ) );
975 * Division by mpi: A = Q * B + R (HAC 14.20)
977 int mpi_div_mpi( mpi *Q, mpi *R, mpi *A, mpi *B )
982 if( mpi_cmp_int( B, 0 ) == 0 )
983 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
985 mpi_init( &X, &Y, &Z, &T1, &T2, NULL );
987 if( mpi_cmp_abs( A, B ) < 0 )
989 if( Q != NULL ) MPI_CHK( mpi_lset( Q, 0 ) );
990 if( R != NULL ) MPI_CHK( mpi_copy( R, A ) );
994 MPI_CHK( mpi_copy( &X, A ) );
995 MPI_CHK( mpi_copy( &Y, B ) );
998 MPI_CHK( mpi_grow( &Z, A->n + 2 ) );
999 MPI_CHK( mpi_lset( &Z, 0 ) );
1000 MPI_CHK( mpi_grow( &T1, 2 ) );
1001 MPI_CHK( mpi_grow( &T2, 3 ) );
1003 k = mpi_msb( &Y ) % biL;
1004 if( k < (int) biL - 1 )
1007 MPI_CHK( mpi_shift_l( &X, k ) );
1008 MPI_CHK( mpi_shift_l( &Y, k ) );
1014 mpi_shift_l( &Y, biL * (n - t) );
1016 while( mpi_cmp_mpi( &X, &Y ) >= 0 )
1019 mpi_sub_mpi( &X, &X, &Y );
1021 mpi_shift_r( &Y, biL * (n - t) );
1023 for( i = n; i > t ; i-- )
1025 if( X.p[i] >= Y.p[t] )
1026 Z.p[i - t - 1] = ~0;
1029 #if defined(POLARSSL_HAVE_LONGLONG)
1032 r = (t_dbl) X.p[i] << biL;
1033 r |= (t_dbl) X.p[i - 1];
1035 if( r > ((t_dbl) 1 << biL) - 1)
1036 r = ((t_dbl) 1 << biL) - 1;
1038 Z.p[i - t - 1] = (t_int) r;
1041 * __udiv_qrnnd_c, from gmp/longlong.h
1043 t_int q0, q1, r0, r1;
1047 d0 = ( d << biH ) >> biH;
1051 r1 = X.p[i] - d1 * q1;
1053 r1 |= ( X.p[i - 1] >> biH );
1059 while( r1 >= d && r1 < m )
1067 r0 |= ( X.p[i - 1] << biH ) >> biH;
1073 while( r0 >= d && r0 < m )
1078 Z.p[i - t - 1] = ( q1 << biH ) | q0;
1087 MPI_CHK( mpi_lset( &T1, 0 ) );
1088 T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
1090 MPI_CHK( mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
1092 MPI_CHK( mpi_lset( &T2, 0 ) );
1093 T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
1094 T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
1097 while( mpi_cmp_mpi( &T1, &T2 ) > 0 );
1099 MPI_CHK( mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
1100 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1101 MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
1103 if( mpi_cmp_int( &X, 0 ) < 0 )
1105 MPI_CHK( mpi_copy( &T1, &Y ) );
1106 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1107 MPI_CHK( mpi_add_mpi( &X, &X, &T1 ) );
1120 mpi_shift_r( &X, k );
1124 if( mpi_cmp_int( R, 0 ) == 0 )
1130 mpi_free( &X, &Y, &Z, &T1, &T2, NULL );
1136 * Division by int: A = Q * b + R
1138 * Returns 0 if successful
1139 * 1 if memory allocation failed
1140 * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0
1142 int mpi_div_int( mpi *Q, mpi *R, mpi *A, int b )
1147 p[0] = ( b < 0 ) ? -b : b;
1148 _B.s = ( b < 0 ) ? -1 : 1;
1152 return( mpi_div_mpi( Q, R, A, &_B ) );
1156 * Modulo: R = A mod B
1158 int mpi_mod_mpi( mpi *R, mpi *A, mpi *B )
1162 MPI_CHK( mpi_div_mpi( NULL, R, A, B ) );
1164 while( mpi_cmp_int( R, 0 ) < 0 )
1165 MPI_CHK( mpi_add_mpi( R, R, B ) );
1167 while( mpi_cmp_mpi( R, B ) >= 0 )
1168 MPI_CHK( mpi_sub_mpi( R, R, B ) );
1176 * Modulo: r = A mod b
1178 int mpi_mod_int( t_int *r, mpi *A, int b )
1184 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1190 * handle trivial cases
1207 for( i = A->n - 1, y = 0; i >= 0; i-- )
1210 y = ( y << biH ) | ( x >> biH );
1215 y = ( y << biH ) | ( x >> biH );
1226 * Fast Montgomery initialization (thanks to Tom St Denis)
1228 static void mpi_montg_init( t_int *mm, mpi *N )
1230 t_int x, m0 = N->p[0];
1233 x += ( ( m0 + 2 ) & 4 ) << 1;
1234 x *= ( 2 - ( m0 * x ) );
1236 if( biL >= 16 ) x *= ( 2 - ( m0 * x ) );
1237 if( biL >= 32 ) x *= ( 2 - ( m0 * x ) );
1238 if( biL >= 64 ) x *= ( 2 - ( m0 * x ) );
1244 * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1246 static void mpi_montmul( mpi *A, mpi *B, mpi *N, t_int mm, mpi *T )
1251 memset( T->p, 0, T->n * ciL );
1255 m = ( B->n < n ) ? B->n : n;
1257 for( i = 0; i < n; i++ )
1260 * T = (T + u0*B + u1*N) / 2^biL
1263 u1 = ( d[0] + u0 * B->p[0] ) * mm;
1265 mpi_mul_hlp( m, B->p, d, u0 );
1266 mpi_mul_hlp( n, N->p, d, u1 );
1268 *d++ = u0; d[n + 1] = 0;
1271 memcpy( A->p, d, (n + 1) * ciL );
1273 if( mpi_cmp_abs( A, N ) >= 0 )
1274 mpi_sub_hlp( n, N->p, A->p );
1276 /* prevent timing attacks */
1277 mpi_sub_hlp( n, A->p, T->p );
1281 * Montgomery reduction: A = A * R^-1 mod N
1283 static void mpi_montred( mpi *A, mpi *N, t_int mm, mpi *T )
1291 mpi_montmul( A, &U, N, mm, T );
1295 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1297 int mpi_exp_mod( mpi *X, mpi *A, mpi *E, mpi *N, mpi *_RR )
1299 int ret, i, j, wsize, wbits;
1300 int bufsize, nblimbs, nbits;
1301 t_int ei, mm, state;
1304 if( mpi_cmp_int( N, 0 ) < 0 || ( N->p[0] & 1 ) == 0 )
1305 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1308 * Init temps and window size
1310 mpi_montg_init( &mm, N );
1311 mpi_init( &RR, &T, NULL );
1312 memset( W, 0, sizeof( W ) );
1316 wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
1317 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
1320 MPI_CHK( mpi_grow( X, j ) );
1321 MPI_CHK( mpi_grow( &W[1], j ) );
1322 MPI_CHK( mpi_grow( &T, j * 2 ) );
1325 * If 1st call, pre-compute R^2 mod N
1327 if( _RR == NULL || _RR->p == NULL )
1329 MPI_CHK( mpi_lset( &RR, 1 ) );
1330 MPI_CHK( mpi_shift_l( &RR, N->n * 2 * biL ) );
1331 MPI_CHK( mpi_mod_mpi( &RR, &RR, N ) );
1334 memcpy( _RR, &RR, sizeof( mpi ) );
1337 memcpy( &RR, _RR, sizeof( mpi ) );
1340 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1342 if( mpi_cmp_mpi( A, N ) >= 0 )
1343 mpi_mod_mpi( &W[1], A, N );
1344 else mpi_copy( &W[1], A );
1346 mpi_montmul( &W[1], &RR, N, mm, &T );
1349 * X = R^2 * R^-1 mod N = R mod N
1351 MPI_CHK( mpi_copy( X, &RR ) );
1352 mpi_montred( X, N, mm, &T );
1357 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
1359 j = 1 << (wsize - 1);
1361 MPI_CHK( mpi_grow( &W[j], N->n + 1 ) );
1362 MPI_CHK( mpi_copy( &W[j], &W[1] ) );
1364 for( i = 0; i < wsize - 1; i++ )
1365 mpi_montmul( &W[j], &W[j], N, mm, &T );
1368 * W[i] = W[i - 1] * W[1]
1370 for( i = j + 1; i < (1 << wsize); i++ )
1372 MPI_CHK( mpi_grow( &W[i], N->n + 1 ) );
1373 MPI_CHK( mpi_copy( &W[i], &W[i - 1] ) );
1375 mpi_montmul( &W[i], &W[1], N, mm, &T );
1389 if( nblimbs-- == 0 )
1392 bufsize = sizeof( t_int ) << 3;
1397 ei = (E->p[nblimbs] >> bufsize) & 1;
1402 if( ei == 0 && state == 0 )
1405 if( ei == 0 && state == 1 )
1408 * out of window, square X
1410 mpi_montmul( X, X, N, mm, &T );
1415 * add ei to current window
1420 wbits |= (ei << (wsize - nbits));
1422 if( nbits == wsize )
1425 * X = X^wsize R^-1 mod N
1427 for( i = 0; i < wsize; i++ )
1428 mpi_montmul( X, X, N, mm, &T );
1431 * X = X * W[wbits] R^-1 mod N
1433 mpi_montmul( X, &W[wbits], N, mm, &T );
1442 * process the remaining bits
1444 for( i = 0; i < nbits; i++ )
1446 mpi_montmul( X, X, N, mm, &T );
1450 if( (wbits & (1 << wsize)) != 0 )
1451 mpi_montmul( X, &W[1], N, mm, &T );
1455 * X = A^E * R * R^-1 mod N = A^E mod N
1457 mpi_montred( X, N, mm, &T );
1461 for( i = (1 << (wsize - 1)); i < (1 << wsize); i++ )
1462 mpi_free( &W[i], NULL );
1465 mpi_free( &W[1], &T, NULL );
1466 else mpi_free( &W[1], &T, &RR, NULL );
1472 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
1474 int mpi_gcd( mpi *G, mpi *A, mpi *B )
1479 mpi_init( &TG, &TA, &TB, NULL );
1481 MPI_CHK( mpi_lset( &TG, 1 ) );
1482 MPI_CHK( mpi_copy( &TA, A ) );
1483 MPI_CHK( mpi_copy( &TB, B ) );
1487 while( mpi_cmp_int( &TA, 0 ) != 0 )
1489 while( ( TA.p[0] & 1 ) == 0 ) MPI_CHK( mpi_shift_r( &TA, 1 ) );
1490 while( ( TB.p[0] & 1 ) == 0 ) MPI_CHK( mpi_shift_r( &TB, 1 ) );
1492 if( mpi_cmp_mpi( &TA, &TB ) >= 0 )
1494 MPI_CHK( mpi_sub_abs( &TA, &TA, &TB ) );
1495 MPI_CHK( mpi_shift_r( &TA, 1 ) );
1499 MPI_CHK( mpi_sub_abs( &TB, &TB, &TA ) );
1500 MPI_CHK( mpi_shift_r( &TB, 1 ) );
1504 MPI_CHK( mpi_mul_mpi( G, &TG, &TB ) );
1508 mpi_free( &TB, &TA, &TG, NULL );
1514 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
1516 int mpi_inv_mod( mpi *X, mpi *A, mpi *N )
1519 mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
1521 if( mpi_cmp_int( N, 0 ) <= 0 )
1522 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1524 mpi_init( &TA, &TU, &U1, &U2, &G,
1525 &TB, &TV, &V1, &V2, NULL );
1527 MPI_CHK( mpi_gcd( &G, A, N ) );
1529 if( mpi_cmp_int( &G, 1 ) != 0 )
1531 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1535 MPI_CHK( mpi_mod_mpi( &TA, A, N ) );
1536 MPI_CHK( mpi_copy( &TU, &TA ) );
1537 MPI_CHK( mpi_copy( &TB, N ) );
1538 MPI_CHK( mpi_copy( &TV, N ) );
1540 MPI_CHK( mpi_lset( &U1, 1 ) );
1541 MPI_CHK( mpi_lset( &U2, 0 ) );
1542 MPI_CHK( mpi_lset( &V1, 0 ) );
1543 MPI_CHK( mpi_lset( &V2, 1 ) );
1547 while( ( TU.p[0] & 1 ) == 0 )
1549 MPI_CHK( mpi_shift_r( &TU, 1 ) );
1551 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
1553 MPI_CHK( mpi_add_mpi( &U1, &U1, &TB ) );
1554 MPI_CHK( mpi_sub_mpi( &U2, &U2, &TA ) );
1557 MPI_CHK( mpi_shift_r( &U1, 1 ) );
1558 MPI_CHK( mpi_shift_r( &U2, 1 ) );
1561 while( ( TV.p[0] & 1 ) == 0 )
1563 MPI_CHK( mpi_shift_r( &TV, 1 ) );
1565 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
1567 MPI_CHK( mpi_add_mpi( &V1, &V1, &TB ) );
1568 MPI_CHK( mpi_sub_mpi( &V2, &V2, &TA ) );
1571 MPI_CHK( mpi_shift_r( &V1, 1 ) );
1572 MPI_CHK( mpi_shift_r( &V2, 1 ) );
1575 if( mpi_cmp_mpi( &TU, &TV ) >= 0 )
1577 MPI_CHK( mpi_sub_mpi( &TU, &TU, &TV ) );
1578 MPI_CHK( mpi_sub_mpi( &U1, &U1, &V1 ) );
1579 MPI_CHK( mpi_sub_mpi( &U2, &U2, &V2 ) );
1583 MPI_CHK( mpi_sub_mpi( &TV, &TV, &TU ) );
1584 MPI_CHK( mpi_sub_mpi( &V1, &V1, &U1 ) );
1585 MPI_CHK( mpi_sub_mpi( &V2, &V2, &U2 ) );
1588 while( mpi_cmp_int( &TU, 0 ) != 0 );
1590 while( mpi_cmp_int( &V1, 0 ) < 0 )
1591 MPI_CHK( mpi_add_mpi( &V1, &V1, N ) );
1593 while( mpi_cmp_mpi( &V1, N ) >= 0 )
1594 MPI_CHK( mpi_sub_mpi( &V1, &V1, N ) );
1596 MPI_CHK( mpi_copy( X, &V1 ) );
1600 mpi_free( &V2, &V1, &TV, &TB, &G,
1601 &U2, &U1, &TU, &TA, NULL );
1606 static const int small_prime[] =
1608 3, 5, 7, 11, 13, 17, 19, 23,
1609 29, 31, 37, 41, 43, 47, 53, 59,
1610 61, 67, 71, 73, 79, 83, 89, 97,
1611 101, 103, 107, 109, 113, 127, 131, 137,
1612 139, 149, 151, 157, 163, 167, 173, 179,
1613 181, 191, 193, 197, 199, 211, 223, 227,
1614 229, 233, 239, 241, 251, 257, 263, 269,
1615 271, 277, 281, 283, 293, 307, 311, 313,
1616 317, 331, 337, 347, 349, 353, 359, 367,
1617 373, 379, 383, 389, 397, 401, 409, 419,
1618 421, 431, 433, 439, 443, 449, 457, 461,
1619 463, 467, 479, 487, 491, 499, 503, 509,
1620 521, 523, 541, 547, 557, 563, 569, 571,
1621 577, 587, 593, 599, 601, 607, 613, 617,
1622 619, 631, 641, 643, 647, 653, 659, 661,
1623 673, 677, 683, 691, 701, 709, 719, 727,
1624 733, 739, 743, 751, 757, 761, 769, 773,
1625 787, 797, 809, 811, 821, 823, 827, 829,
1626 839, 853, 857, 859, 863, 877, 881, 883,
1627 887, 907, 911, 919, 929, 937, 941, 947,
1628 953, 967, 971, 977, 983, 991, 997, -103
1632 * Miller-Rabin primality test (HAC 4.24)
1634 int mpi_is_prime( mpi *X, int (*f_rng)(void *), void *p_rng )
1636 int ret, i, j, n, s, xs;
1640 if( mpi_cmp_int( X, 0 ) == 0 )
1643 mpi_init( &W, &R, &T, &A, &RR, NULL );
1645 xs = X->s; X->s = 1;
1648 * test trivial factors first
1650 if( ( X->p[0] & 1 ) == 0 )
1651 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1653 for( i = 0; small_prime[i] > 0; i++ )
1657 if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
1660 MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
1663 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1671 MPI_CHK( mpi_sub_int( &W, X, 1 ) );
1672 MPI_CHK( mpi_copy( &R, &W ) );
1673 MPI_CHK( mpi_shift_r( &R, s ) );
1679 n = ( ( i >= 1300 ) ? 2 : ( i >= 850 ) ? 3 :
1680 ( i >= 650 ) ? 4 : ( i >= 350 ) ? 8 :
1681 ( i >= 250 ) ? 12 : ( i >= 150 ) ? 18 : 27 );
1683 for( i = 0; i < n; i++ )
1686 * pick a random A, 1 < A < |X| - 1
1688 MPI_CHK( mpi_grow( &A, X->n ) );
1690 p = (unsigned char *) A.p;
1691 for( j = 0; j < A.n * ciL; j++ )
1692 *p++ = (unsigned char) f_rng( p_rng );
1694 j = mpi_msb( &A ) - mpi_msb( &W );
1695 MPI_CHK( mpi_shift_r( &A, j + 1 ) );
1701 MPI_CHK( mpi_exp_mod( &A, &A, &R, X, &RR ) );
1703 if( mpi_cmp_mpi( &A, &W ) == 0 ||
1704 mpi_cmp_int( &A, 1 ) == 0 )
1708 while( j < s && mpi_cmp_mpi( &A, &W ) != 0 )
1713 MPI_CHK( mpi_mul_mpi( &T, &A, &A ) );
1714 MPI_CHK( mpi_mod_mpi( &A, &T, X ) );
1716 if( mpi_cmp_int( &A, 1 ) == 0 )
1723 * not prime if A != |X| - 1 or A == 1
1725 if( mpi_cmp_mpi( &A, &W ) != 0 ||
1726 mpi_cmp_int( &A, 1 ) == 0 )
1728 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1737 mpi_free( &RR, &A, &T, &R, &W, NULL );
1743 * Prime number generation
1745 int mpi_gen_prime( mpi *X, int nbits, int dh_flag,
1746 int (*f_rng)(void *), void *p_rng )
1753 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1755 mpi_init( &Y, NULL );
1757 n = BITS_TO_LIMBS( nbits );
1759 MPI_CHK( mpi_grow( X, n ) );
1760 MPI_CHK( mpi_lset( X, 0 ) );
1762 p = (unsigned char *) X->p;
1763 for( k = 0; k < X->n * ciL; k++ )
1764 *p++ = (unsigned char) f_rng( p_rng );
1767 if( k < nbits ) MPI_CHK( mpi_shift_l( X, nbits - k ) );
1768 if( k > nbits ) MPI_CHK( mpi_shift_r( X, k - nbits ) );
1774 while( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
1776 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1779 MPI_CHK( mpi_add_int( X, X, 2 ) );
1784 MPI_CHK( mpi_sub_int( &Y, X, 1 ) );
1785 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1789 if( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) == 0 )
1791 if( ( ret = mpi_is_prime( &Y, f_rng, p_rng ) ) == 0 )
1794 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1798 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1801 MPI_CHK( mpi_add_int( &Y, X, 1 ) );
1802 MPI_CHK( mpi_add_int( X, X, 2 ) );
1803 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1809 mpi_free( &Y, NULL );
git://git.exim.org / users / jgh / exim.git / blob