2 * Multi-precision integer library
4 * Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
7 * Joined copyright on original XySSL code with: Christophe Devine
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 * This MPI implementation is based on:
26 * http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf
27 * http://www.stillhq.com/extracted/gnupg-api/mpi/
28 * http://math.libtomcrypt.com/files/tommath.pdf
31 /* $Cambridge: exim/src/src/pdkim/bignum.c,v 1.3 2009/12/07 13:05:07 tom Exp $ */
41 #define ciL ((int) sizeof(t_int)) /* chars in limb */
42 #define biL (ciL << 3) /* bits in limb */
43 #define biH (ciL << 2) /* half limb size */
46 * Convert between bits/chars and number of limbs
48 #define BITS_TO_LIMBS(i) (((i) + biL - 1) / biL)
49 #define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
52 * Initialize one or more mpi
54 void mpi_init( mpi *X, ... )
66 X = va_arg( args, mpi* );
73 * Unallocate one or more mpi
75 void mpi_free( mpi *X, ... )
85 memset( X->p, 0, X->n * ciL );
93 X = va_arg( args, mpi* );
100 * Enlarge to the specified number of limbs
102 int mpi_grow( mpi *X, int nblimbs )
108 if( ( p = (t_int *) malloc( nblimbs * ciL ) ) == NULL )
111 memset( p, 0, nblimbs * ciL );
115 memcpy( p, X->p, X->n * ciL );
116 memset( X->p, 0, X->n * ciL );
128 * Copy the contents of Y into X
130 int mpi_copy( mpi *X, mpi *Y )
137 for( i = Y->n - 1; i > 0; i-- )
144 MPI_CHK( mpi_grow( X, i ) );
146 memset( X->p, 0, X->n * ciL );
147 memcpy( X->p, Y->p, i * ciL );
155 * Swap the contents of X and Y
157 void mpi_swap( mpi *X, mpi *Y )
161 memcpy( &T, X, sizeof( mpi ) );
162 memcpy( X, Y, sizeof( mpi ) );
163 memcpy( Y, &T, sizeof( mpi ) );
167 * Set value from integer
169 int mpi_lset( mpi *X, int z )
173 MPI_CHK( mpi_grow( X, 1 ) );
174 memset( X->p, 0, X->n * ciL );
176 X->p[0] = ( z < 0 ) ? -z : z;
177 X->s = ( z < 0 ) ? -1 : 1;
185 * Return the number of least significant bits
187 int mpi_lsb( mpi *X )
191 for( i = 0; i < X->n; i++ )
192 for( j = 0; j < (int) biL; j++, count++ )
193 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
200 * Return the number of most significant bits
202 int mpi_msb( mpi *X )
206 for( i = X->n - 1; i > 0; i-- )
210 for( j = biL - 1; j >= 0; j-- )
211 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
214 return( ( i * biL ) + j + 1 );
218 * Return the total size in bytes
220 int mpi_size( mpi *X )
222 return( ( mpi_msb( X ) + 7 ) >> 3 );
226 * Convert an ASCII character to digit value
228 static int mpi_get_digit( t_int *d, int radix, char c )
232 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
233 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
234 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
236 if( *d >= (t_int) radix )
237 return( POLARSSL_ERR_MPI_INVALID_CHARACTER );
243 * Import from an ASCII string
245 int mpi_read_string( mpi *X, int radix, char *s )
251 if( radix < 2 || radix > 16 )
252 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
254 mpi_init( &T, NULL );
258 n = BITS_TO_LIMBS( strlen( s ) << 2 );
260 MPI_CHK( mpi_grow( X, n ) );
261 MPI_CHK( mpi_lset( X, 0 ) );
263 for( i = strlen( s ) - 1, j = 0; i >= 0; i--, j++ )
265 if( i == 0 && s[i] == '-' )
271 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
272 X->p[j / (2 * ciL)] |= d << ( (j % (2 * ciL)) << 2 );
277 MPI_CHK( mpi_lset( X, 0 ) );
279 for( i = 0; i < (int) strlen( s ); i++ )
281 if( i == 0 && s[i] == '-' )
287 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
288 MPI_CHK( mpi_mul_int( &T, X, radix ) );
292 MPI_CHK( mpi_add_int( X, &T, d ) );
296 MPI_CHK( mpi_sub_int( X, &T, d ) );
303 mpi_free( &T, NULL );
309 * Helper to write the digits high-order first
311 static int mpi_write_hlp( mpi *X, int radix, char **p )
316 if( radix < 2 || radix > 16 )
317 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
319 MPI_CHK( mpi_mod_int( &r, X, radix ) );
320 MPI_CHK( mpi_div_int( X, NULL, X, radix ) );
322 if( mpi_cmp_int( X, 0 ) != 0 )
323 MPI_CHK( mpi_write_hlp( X, radix, p ) );
326 *(*p)++ = (char)( r + 0x30 );
328 *(*p)++ = (char)( r + 0x37 );
336 * Export into an ASCII string
338 int mpi_write_string( mpi *X, int radix, char *s, int *slen )
344 if( radix < 2 || radix > 16 )
345 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
348 if( radix >= 4 ) n >>= 1;
349 if( radix >= 16 ) n >>= 1;
355 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
359 mpi_init( &T, NULL );
368 for( i = X->n - 1, k = 0; i >= 0; i-- )
370 for( j = ciL - 1; j >= 0; j-- )
372 c = ( X->p[i] >> (j << 3) ) & 0xFF;
374 if( c == 0 && k == 0 && (i + j) != 0 )
377 p += sprintf( p, "%02X", c );
384 MPI_CHK( mpi_copy( &T, X ) );
389 MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
397 mpi_free( &T, NULL );
403 * Read X from an opened file
405 int mpi_read_file( mpi *X, int radix, FILE *fin )
412 memset( s, 0, sizeof( s ) );
413 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
414 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
417 if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
418 if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
422 if( mpi_get_digit( &d, radix, *p ) != 0 )
425 return( mpi_read_string( X, radix, p + 1 ) );
429 * Write X into an opened file (or stdout if fout == NULL)
431 int mpi_write_file( const char *p, mpi *X, int radix, FILE *fout )
442 MPI_CHK( mpi_write_string( X, radix, s, (int *) &n ) );
444 if( p == NULL ) p = "";
453 if( fwrite( p, 1, plen, fout ) != plen ||
454 fwrite( s, 1, slen, fout ) != slen )
455 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
458 printf( "%s%s", p, s );
466 * Import X from unsigned binary data, big endian
468 int mpi_read_binary( mpi *X, unsigned char *buf, int buflen )
472 for( n = 0; n < buflen; n++ )
476 MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
477 MPI_CHK( mpi_lset( X, 0 ) );
479 for( i = buflen - 1, j = 0; i >= n; i--, j++ )
480 X->p[j / ciL] |= ((t_int) buf[i]) << ((j % ciL) << 3);
488 * Export X into unsigned binary data, big endian
490 int mpi_write_binary( mpi *X, unsigned char *buf, int buflen )
497 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
499 memset( buf, 0, buflen );
501 for( i = buflen - 1, j = 0; n > 0; i--, j++, n-- )
502 buf[i] = (unsigned char)( X->p[j / ciL] >> ((j % ciL) << 3) );
508 * Left-shift: X <<= count
510 int mpi_shift_l( mpi *X, int count )
516 t1 = count & (biL - 1);
518 i = mpi_msb( X ) + count;
520 if( X->n * (int) biL < i )
521 MPI_CHK( mpi_grow( X, BITS_TO_LIMBS( i ) ) );
526 * shift by count / limb_size
530 for( i = X->n - 1; i >= v0; i-- )
531 X->p[i] = X->p[i - v0];
538 * shift by count % limb_size
542 for( i = v0; i < X->n; i++ )
544 r1 = X->p[i] >> (biL - t1);
557 * Right-shift: X >>= count
559 int mpi_shift_r( mpi *X, int count )
565 v1 = count & (biL - 1);
568 * shift by count / limb_size
572 for( i = 0; i < X->n - v0; i++ )
573 X->p[i] = X->p[i + v0];
575 for( ; i < X->n; i++ )
580 * shift by count % limb_size
584 for( i = X->n - 1; i >= 0; i-- )
586 r1 = X->p[i] << (biL - v1);
597 * Compare unsigned values
599 int mpi_cmp_abs( mpi *X, mpi *Y )
603 for( i = X->n - 1; i >= 0; i-- )
607 for( j = Y->n - 1; j >= 0; j-- )
614 if( i > j ) return( 1 );
615 if( j > i ) return( -1 );
619 if( X->p[i] > Y->p[i] ) return( 1 );
620 if( X->p[i] < Y->p[i] ) return( -1 );
627 * Compare signed values
629 int mpi_cmp_mpi( mpi *X, mpi *Y )
633 for( i = X->n - 1; i >= 0; i-- )
637 for( j = Y->n - 1; j >= 0; j-- )
644 if( i > j ) return( X->s );
645 if( j > i ) return( -X->s );
647 if( X->s > 0 && Y->s < 0 ) return( 1 );
648 if( Y->s > 0 && X->s < 0 ) return( -1 );
652 if( X->p[i] > Y->p[i] ) return( X->s );
653 if( X->p[i] < Y->p[i] ) return( -X->s );
660 * Compare signed values
662 int mpi_cmp_int( mpi *X, int z )
667 *p = ( z < 0 ) ? -z : z;
668 Y.s = ( z < 0 ) ? -1 : 1;
672 return( mpi_cmp_mpi( X, &Y ) );
676 * Unsigned addition: X = |A| + |B| (HAC 14.7)
678 int mpi_add_abs( mpi *X, mpi *A, mpi *B )
685 mpi *T = A; A = X; B = T;
689 MPI_CHK( mpi_copy( X, A ) );
692 * X should always be positive as a result of unsigned additions.
696 for( j = B->n - 1; j >= 0; j-- )
700 MPI_CHK( mpi_grow( X, j + 1 ) );
702 o = B->p; p = X->p; c = 0;
704 for( i = 0; i <= j; i++, o++, p++ )
706 *p += c; c = ( *p < c );
707 *p += *o; c += ( *p < *o );
714 MPI_CHK( mpi_grow( X, i + 1 ) );
718 *p += c; c = ( *p < c ); i++;
727 * Helper for mpi substraction
729 static void mpi_sub_hlp( int n, t_int *s, t_int *d )
734 for( i = c = 0; i < n; i++, s++, d++ )
736 z = ( *d < c ); *d -= c;
737 c = ( *d < *s ) + z; *d -= *s;
742 z = ( *d < c ); *d -= c;
748 * Unsigned substraction: X = |A| - |B| (HAC 14.9)
750 int mpi_sub_abs( mpi *X, mpi *A, mpi *B )
755 if( mpi_cmp_abs( A, B ) < 0 )
756 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
758 mpi_init( &TB, NULL );
762 MPI_CHK( mpi_copy( &TB, B ) );
767 MPI_CHK( mpi_copy( X, A ) );
770 * X should always be positive as a result of unsigned substractions.
776 for( n = B->n - 1; n >= 0; n-- )
780 mpi_sub_hlp( n + 1, B->p, X->p );
784 mpi_free( &TB, NULL );
790 * Signed addition: X = A + B
792 int mpi_add_mpi( mpi *X, mpi *A, mpi *B )
796 if( A->s * B->s < 0 )
798 if( mpi_cmp_abs( A, B ) >= 0 )
800 MPI_CHK( mpi_sub_abs( X, A, B ) );
805 MPI_CHK( mpi_sub_abs( X, B, A ) );
811 MPI_CHK( mpi_add_abs( X, A, B ) );
821 * Signed substraction: X = A - B
823 int mpi_sub_mpi( mpi *X, mpi *A, mpi *B )
827 if( A->s * B->s > 0 )
829 if( mpi_cmp_abs( A, B ) >= 0 )
831 MPI_CHK( mpi_sub_abs( X, A, B ) );
836 MPI_CHK( mpi_sub_abs( X, B, A ) );
842 MPI_CHK( mpi_add_abs( X, A, B ) );
852 * Signed addition: X = A + b
854 int mpi_add_int( mpi *X, mpi *A, int b )
859 p[0] = ( b < 0 ) ? -b : b;
860 _B.s = ( b < 0 ) ? -1 : 1;
864 return( mpi_add_mpi( X, A, &_B ) );
868 * Signed substraction: X = A - b
870 int mpi_sub_int( mpi *X, mpi *A, int b )
875 p[0] = ( b < 0 ) ? -b : b;
876 _B.s = ( b < 0 ) ? -1 : 1;
880 return( mpi_sub_mpi( X, A, &_B ) );
884 * Helper for mpi multiplication
886 static void mpi_mul_hlp( int i, t_int *s, t_int *d, t_int b )
890 #if defined(MULADDC_HUIT)
891 for( ; i >= 8; i -= 8 )
905 for( ; i >= 16; i -= 16 )
908 MULADDC_CORE MULADDC_CORE
909 MULADDC_CORE MULADDC_CORE
910 MULADDC_CORE MULADDC_CORE
911 MULADDC_CORE MULADDC_CORE
913 MULADDC_CORE MULADDC_CORE
914 MULADDC_CORE MULADDC_CORE
915 MULADDC_CORE MULADDC_CORE
916 MULADDC_CORE MULADDC_CORE
920 for( ; i >= 8; i -= 8 )
923 MULADDC_CORE MULADDC_CORE
924 MULADDC_CORE MULADDC_CORE
926 MULADDC_CORE MULADDC_CORE
927 MULADDC_CORE MULADDC_CORE
942 *d += c; c = ( *d < c ); d++;
948 * Baseline multiplication: X = A * B (HAC 14.12)
950 int mpi_mul_mpi( mpi *X, mpi *A, mpi *B )
955 mpi_init( &TA, &TB, NULL );
957 if( X == A ) { MPI_CHK( mpi_copy( &TA, A ) ); A = &TA; }
958 if( X == B ) { MPI_CHK( mpi_copy( &TB, B ) ); B = &TB; }
960 for( i = A->n - 1; i >= 0; i-- )
964 for( j = B->n - 1; j >= 0; j-- )
968 MPI_CHK( mpi_grow( X, i + j + 2 ) );
969 MPI_CHK( mpi_lset( X, 0 ) );
971 for( i++; j >= 0; j-- )
972 mpi_mul_hlp( i, A->p, X->p + j, B->p[j] );
978 mpi_free( &TB, &TA, NULL );
984 * Baseline multiplication: X = A * b
986 int mpi_mul_int( mpi *X, mpi *A, t_int b )
996 return( mpi_mul_mpi( X, A, &_B ) );
1000 * Division by mpi: A = Q * B + R (HAC 14.20)
1002 int mpi_div_mpi( mpi *Q, mpi *R, mpi *A, mpi *B )
1004 int ret, i, n, t, k;
1005 mpi X, Y, Z, T1, T2;
1007 if( mpi_cmp_int( B, 0 ) == 0 )
1008 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1010 mpi_init( &X, &Y, &Z, &T1, &T2, NULL );
1012 if( mpi_cmp_abs( A, B ) < 0 )
1014 if( Q != NULL ) MPI_CHK( mpi_lset( Q, 0 ) );
1015 if( R != NULL ) MPI_CHK( mpi_copy( R, A ) );
1019 MPI_CHK( mpi_copy( &X, A ) );
1020 MPI_CHK( mpi_copy( &Y, B ) );
1023 MPI_CHK( mpi_grow( &Z, A->n + 2 ) );
1024 MPI_CHK( mpi_lset( &Z, 0 ) );
1025 MPI_CHK( mpi_grow( &T1, 2 ) );
1026 MPI_CHK( mpi_grow( &T2, 3 ) );
1028 k = mpi_msb( &Y ) % biL;
1029 if( k < (int) biL - 1 )
1032 MPI_CHK( mpi_shift_l( &X, k ) );
1033 MPI_CHK( mpi_shift_l( &Y, k ) );
1039 mpi_shift_l( &Y, biL * (n - t) );
1041 while( mpi_cmp_mpi( &X, &Y ) >= 0 )
1044 mpi_sub_mpi( &X, &X, &Y );
1046 mpi_shift_r( &Y, biL * (n - t) );
1048 for( i = n; i > t ; i-- )
1050 if( X.p[i] >= Y.p[t] )
1051 Z.p[i - t - 1] = ~0;
1054 #if defined(POLARSSL_HAVE_LONGLONG)
1057 r = (t_dbl) X.p[i] << biL;
1058 r |= (t_dbl) X.p[i - 1];
1060 if( r > ((t_dbl) 1 << biL) - 1)
1061 r = ((t_dbl) 1 << biL) - 1;
1063 Z.p[i - t - 1] = (t_int) r;
1066 * __udiv_qrnnd_c, from gmp/longlong.h
1068 t_int q0, q1, r0, r1;
1072 d0 = ( d << biH ) >> biH;
1076 r1 = X.p[i] - d1 * q1;
1078 r1 |= ( X.p[i - 1] >> biH );
1084 while( r1 >= d && r1 < m )
1092 r0 |= ( X.p[i - 1] << biH ) >> biH;
1098 while( r0 >= d && r0 < m )
1103 Z.p[i - t - 1] = ( q1 << biH ) | q0;
1112 MPI_CHK( mpi_lset( &T1, 0 ) );
1113 T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
1115 MPI_CHK( mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
1117 MPI_CHK( mpi_lset( &T2, 0 ) );
1118 T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
1119 T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
1122 while( mpi_cmp_mpi( &T1, &T2 ) > 0 );
1124 MPI_CHK( mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
1125 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1126 MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
1128 if( mpi_cmp_int( &X, 0 ) < 0 )
1130 MPI_CHK( mpi_copy( &T1, &Y ) );
1131 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1132 MPI_CHK( mpi_add_mpi( &X, &X, &T1 ) );
1145 mpi_shift_r( &X, k );
1149 if( mpi_cmp_int( R, 0 ) == 0 )
1155 mpi_free( &X, &Y, &Z, &T1, &T2, NULL );
1161 * Division by int: A = Q * b + R
1163 * Returns 0 if successful
1164 * 1 if memory allocation failed
1165 * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0
1167 int mpi_div_int( mpi *Q, mpi *R, mpi *A, int b )
1172 p[0] = ( b < 0 ) ? -b : b;
1173 _B.s = ( b < 0 ) ? -1 : 1;
1177 return( mpi_div_mpi( Q, R, A, &_B ) );
1181 * Modulo: R = A mod B
1183 int mpi_mod_mpi( mpi *R, mpi *A, mpi *B )
1187 if( mpi_cmp_int( B, 0 ) < 0 )
1188 return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
1190 MPI_CHK( mpi_div_mpi( NULL, R, A, B ) );
1192 while( mpi_cmp_int( R, 0 ) < 0 )
1193 MPI_CHK( mpi_add_mpi( R, R, B ) );
1195 while( mpi_cmp_mpi( R, B ) >= 0 )
1196 MPI_CHK( mpi_sub_mpi( R, R, B ) );
1204 * Modulo: r = A mod b
1206 int mpi_mod_int( t_int *r, mpi *A, int b )
1212 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1215 return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
1218 * handle trivial cases
1235 for( i = A->n - 1, y = 0; i >= 0; i-- )
1238 y = ( y << biH ) | ( x >> biH );
1243 y = ( y << biH ) | ( x >> biH );
1249 * If A is negative, then the current y represents a negative value.
1250 * Flipping it to the positive side.
1252 if( A->s < 0 && y != 0 )
1261 * Fast Montgomery initialization (thanks to Tom St Denis)
1263 static void mpi_montg_init( t_int *mm, mpi *N )
1265 t_int x, m0 = N->p[0];
1268 x += ( ( m0 + 2 ) & 4 ) << 1;
1269 x *= ( 2 - ( m0 * x ) );
1271 if( biL >= 16 ) x *= ( 2 - ( m0 * x ) );
1272 if( biL >= 32 ) x *= ( 2 - ( m0 * x ) );
1273 if( biL >= 64 ) x *= ( 2 - ( m0 * x ) );
1279 * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1281 static void mpi_montmul( mpi *A, mpi *B, mpi *N, t_int mm, mpi *T )
1286 memset( T->p, 0, T->n * ciL );
1290 m = ( B->n < n ) ? B->n : n;
1292 for( i = 0; i < n; i++ )
1295 * T = (T + u0*B + u1*N) / 2^biL
1298 u1 = ( d[0] + u0 * B->p[0] ) * mm;
1300 mpi_mul_hlp( m, B->p, d, u0 );
1301 mpi_mul_hlp( n, N->p, d, u1 );
1303 *d++ = u0; d[n + 1] = 0;
1306 memcpy( A->p, d, (n + 1) * ciL );
1308 if( mpi_cmp_abs( A, N ) >= 0 )
1309 mpi_sub_hlp( n, N->p, A->p );
1311 /* prevent timing attacks */
1312 mpi_sub_hlp( n, A->p, T->p );
1316 * Montgomery reduction: A = A * R^-1 mod N
1318 static void mpi_montred( mpi *A, mpi *N, t_int mm, mpi *T )
1326 mpi_montmul( A, &U, N, mm, T );
1330 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1332 int mpi_exp_mod( mpi *X, mpi *A, mpi *E, mpi *N, mpi *_RR )
1334 int ret, i, j, wsize, wbits;
1335 int bufsize, nblimbs, nbits;
1336 t_int ei, mm, state;
1339 if( mpi_cmp_int( N, 0 ) < 0 || ( N->p[0] & 1 ) == 0 )
1340 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1343 * Init temps and window size
1345 mpi_montg_init( &mm, N );
1346 mpi_init( &RR, &T, NULL );
1347 memset( W, 0, sizeof( W ) );
1351 wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
1352 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
1355 MPI_CHK( mpi_grow( X, j ) );
1356 MPI_CHK( mpi_grow( &W[1], j ) );
1357 MPI_CHK( mpi_grow( &T, j * 2 ) );
1360 * If 1st call, pre-compute R^2 mod N
1362 if( _RR == NULL || _RR->p == NULL )
1364 MPI_CHK( mpi_lset( &RR, 1 ) );
1365 MPI_CHK( mpi_shift_l( &RR, N->n * 2 * biL ) );
1366 MPI_CHK( mpi_mod_mpi( &RR, &RR, N ) );
1369 memcpy( _RR, &RR, sizeof( mpi ) );
1372 memcpy( &RR, _RR, sizeof( mpi ) );
1375 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1377 if( mpi_cmp_mpi( A, N ) >= 0 )
1378 mpi_mod_mpi( &W[1], A, N );
1379 else mpi_copy( &W[1], A );
1381 mpi_montmul( &W[1], &RR, N, mm, &T );
1384 * X = R^2 * R^-1 mod N = R mod N
1386 MPI_CHK( mpi_copy( X, &RR ) );
1387 mpi_montred( X, N, mm, &T );
1392 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
1394 j = 1 << (wsize - 1);
1396 MPI_CHK( mpi_grow( &W[j], N->n + 1 ) );
1397 MPI_CHK( mpi_copy( &W[j], &W[1] ) );
1399 for( i = 0; i < wsize - 1; i++ )
1400 mpi_montmul( &W[j], &W[j], N, mm, &T );
1403 * W[i] = W[i - 1] * W[1]
1405 for( i = j + 1; i < (1 << wsize); i++ )
1407 MPI_CHK( mpi_grow( &W[i], N->n + 1 ) );
1408 MPI_CHK( mpi_copy( &W[i], &W[i - 1] ) );
1410 mpi_montmul( &W[i], &W[1], N, mm, &T );
1424 if( nblimbs-- == 0 )
1427 bufsize = sizeof( t_int ) << 3;
1432 ei = (E->p[nblimbs] >> bufsize) & 1;
1437 if( ei == 0 && state == 0 )
1440 if( ei == 0 && state == 1 )
1443 * out of window, square X
1445 mpi_montmul( X, X, N, mm, &T );
1450 * add ei to current window
1455 wbits |= (ei << (wsize - nbits));
1457 if( nbits == wsize )
1460 * X = X^wsize R^-1 mod N
1462 for( i = 0; i < wsize; i++ )
1463 mpi_montmul( X, X, N, mm, &T );
1466 * X = X * W[wbits] R^-1 mod N
1468 mpi_montmul( X, &W[wbits], N, mm, &T );
1477 * process the remaining bits
1479 for( i = 0; i < nbits; i++ )
1481 mpi_montmul( X, X, N, mm, &T );
1485 if( (wbits & (1 << wsize)) != 0 )
1486 mpi_montmul( X, &W[1], N, mm, &T );
1490 * X = A^E * R * R^-1 mod N = A^E mod N
1492 mpi_montred( X, N, mm, &T );
1496 for( i = (1 << (wsize - 1)); i < (1 << wsize); i++ )
1497 mpi_free( &W[i], NULL );
1500 mpi_free( &W[1], &T, NULL );
1501 else mpi_free( &W[1], &T, &RR, NULL );
1507 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
1509 int mpi_gcd( mpi *G, mpi *A, mpi *B )
1514 mpi_init( &TG, &TA, &TB, NULL );
1516 MPI_CHK( mpi_copy( &TA, A ) );
1517 MPI_CHK( mpi_copy( &TB, B ) );
1519 lz = mpi_lsb( &TA );
1520 lzt = mpi_lsb( &TB );
1525 MPI_CHK( mpi_shift_r( &TA, lz ) );
1526 MPI_CHK( mpi_shift_r( &TB, lz ) );
1530 while( mpi_cmp_int( &TA, 0 ) != 0 )
1532 MPI_CHK( mpi_shift_r( &TA, mpi_lsb( &TA ) ) );
1533 MPI_CHK( mpi_shift_r( &TB, mpi_lsb( &TB ) ) );
1535 if( mpi_cmp_mpi( &TA, &TB ) >= 0 )
1537 MPI_CHK( mpi_sub_abs( &TA, &TA, &TB ) );
1538 MPI_CHK( mpi_shift_r( &TA, 1 ) );
1542 MPI_CHK( mpi_sub_abs( &TB, &TB, &TA ) );
1543 MPI_CHK( mpi_shift_r( &TB, 1 ) );
1547 MPI_CHK( mpi_shift_l( &TB, lz ) );
1548 MPI_CHK( mpi_copy( G, &TB ) );
1552 mpi_free( &TB, &TA, &TG, NULL );
1557 #if defined(POLARSSL_GENPRIME)
1560 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
1562 int mpi_inv_mod( mpi *X, mpi *A, mpi *N )
1565 mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
1567 if( mpi_cmp_int( N, 0 ) <= 0 )
1568 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1570 mpi_init( &TA, &TU, &U1, &U2, &G,
1571 &TB, &TV, &V1, &V2, NULL );
1573 MPI_CHK( mpi_gcd( &G, A, N ) );
1575 if( mpi_cmp_int( &G, 1 ) != 0 )
1577 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1581 MPI_CHK( mpi_mod_mpi( &TA, A, N ) );
1582 MPI_CHK( mpi_copy( &TU, &TA ) );
1583 MPI_CHK( mpi_copy( &TB, N ) );
1584 MPI_CHK( mpi_copy( &TV, N ) );
1586 MPI_CHK( mpi_lset( &U1, 1 ) );
1587 MPI_CHK( mpi_lset( &U2, 0 ) );
1588 MPI_CHK( mpi_lset( &V1, 0 ) );
1589 MPI_CHK( mpi_lset( &V2, 1 ) );
1593 while( ( TU.p[0] & 1 ) == 0 )
1595 MPI_CHK( mpi_shift_r( &TU, 1 ) );
1597 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
1599 MPI_CHK( mpi_add_mpi( &U1, &U1, &TB ) );
1600 MPI_CHK( mpi_sub_mpi( &U2, &U2, &TA ) );
1603 MPI_CHK( mpi_shift_r( &U1, 1 ) );
1604 MPI_CHK( mpi_shift_r( &U2, 1 ) );
1607 while( ( TV.p[0] & 1 ) == 0 )
1609 MPI_CHK( mpi_shift_r( &TV, 1 ) );
1611 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
1613 MPI_CHK( mpi_add_mpi( &V1, &V1, &TB ) );
1614 MPI_CHK( mpi_sub_mpi( &V2, &V2, &TA ) );
1617 MPI_CHK( mpi_shift_r( &V1, 1 ) );
1618 MPI_CHK( mpi_shift_r( &V2, 1 ) );
1621 if( mpi_cmp_mpi( &TU, &TV ) >= 0 )
1623 MPI_CHK( mpi_sub_mpi( &TU, &TU, &TV ) );
1624 MPI_CHK( mpi_sub_mpi( &U1, &U1, &V1 ) );
1625 MPI_CHK( mpi_sub_mpi( &U2, &U2, &V2 ) );
1629 MPI_CHK( mpi_sub_mpi( &TV, &TV, &TU ) );
1630 MPI_CHK( mpi_sub_mpi( &V1, &V1, &U1 ) );
1631 MPI_CHK( mpi_sub_mpi( &V2, &V2, &U2 ) );
1634 while( mpi_cmp_int( &TU, 0 ) != 0 );
1636 while( mpi_cmp_int( &V1, 0 ) < 0 )
1637 MPI_CHK( mpi_add_mpi( &V1, &V1, N ) );
1639 while( mpi_cmp_mpi( &V1, N ) >= 0 )
1640 MPI_CHK( mpi_sub_mpi( &V1, &V1, N ) );
1642 MPI_CHK( mpi_copy( X, &V1 ) );
1646 mpi_free( &V2, &V1, &TV, &TB, &G,
1647 &U2, &U1, &TU, &TA, NULL );
1652 static const int small_prime[] =
1654 3, 5, 7, 11, 13, 17, 19, 23,
1655 29, 31, 37, 41, 43, 47, 53, 59,
1656 61, 67, 71, 73, 79, 83, 89, 97,
1657 101, 103, 107, 109, 113, 127, 131, 137,
1658 139, 149, 151, 157, 163, 167, 173, 179,
1659 181, 191, 193, 197, 199, 211, 223, 227,
1660 229, 233, 239, 241, 251, 257, 263, 269,
1661 271, 277, 281, 283, 293, 307, 311, 313,
1662 317, 331, 337, 347, 349, 353, 359, 367,
1663 373, 379, 383, 389, 397, 401, 409, 419,
1664 421, 431, 433, 439, 443, 449, 457, 461,
1665 463, 467, 479, 487, 491, 499, 503, 509,
1666 521, 523, 541, 547, 557, 563, 569, 571,
1667 577, 587, 593, 599, 601, 607, 613, 617,
1668 619, 631, 641, 643, 647, 653, 659, 661,
1669 673, 677, 683, 691, 701, 709, 719, 727,
1670 733, 739, 743, 751, 757, 761, 769, 773,
1671 787, 797, 809, 811, 821, 823, 827, 829,
1672 839, 853, 857, 859, 863, 877, 881, 883,
1673 887, 907, 911, 919, 929, 937, 941, 947,
1674 953, 967, 971, 977, 983, 991, 997, -103
1678 * Miller-Rabin primality test (HAC 4.24)
1680 int mpi_is_prime( mpi *X, int (*f_rng)(void *), void *p_rng )
1682 int ret, i, j, n, s, xs;
1686 if( mpi_cmp_int( X, 0 ) == 0 ||
1687 mpi_cmp_int( X, 1 ) == 0 )
1688 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1690 if( mpi_cmp_int( X, 2 ) == 0 )
1693 mpi_init( &W, &R, &T, &A, &RR, NULL );
1695 xs = X->s; X->s = 1;
1698 * test trivial factors first
1700 if( ( X->p[0] & 1 ) == 0 )
1701 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1703 for( i = 0; small_prime[i] > 0; i++ )
1707 if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
1710 MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
1713 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1721 MPI_CHK( mpi_sub_int( &W, X, 1 ) );
1722 MPI_CHK( mpi_copy( &R, &W ) );
1723 MPI_CHK( mpi_shift_r( &R, s ) );
1729 n = ( ( i >= 1300 ) ? 2 : ( i >= 850 ) ? 3 :
1730 ( i >= 650 ) ? 4 : ( i >= 350 ) ? 8 :
1731 ( i >= 250 ) ? 12 : ( i >= 150 ) ? 18 : 27 );
1733 for( i = 0; i < n; i++ )
1736 * pick a random A, 1 < A < |X| - 1
1738 MPI_CHK( mpi_grow( &A, X->n ) );
1740 p = (unsigned char *) A.p;
1741 for( j = 0; j < A.n * ciL; j++ )
1742 *p++ = (unsigned char) f_rng( p_rng );
1744 j = mpi_msb( &A ) - mpi_msb( &W );
1745 MPI_CHK( mpi_shift_r( &A, j + 1 ) );
1751 MPI_CHK( mpi_exp_mod( &A, &A, &R, X, &RR ) );
1753 if( mpi_cmp_mpi( &A, &W ) == 0 ||
1754 mpi_cmp_int( &A, 1 ) == 0 )
1758 while( j < s && mpi_cmp_mpi( &A, &W ) != 0 )
1763 MPI_CHK( mpi_mul_mpi( &T, &A, &A ) );
1764 MPI_CHK( mpi_mod_mpi( &A, &T, X ) );
1766 if( mpi_cmp_int( &A, 1 ) == 0 )
1773 * not prime if A != |X| - 1 or A == 1
1775 if( mpi_cmp_mpi( &A, &W ) != 0 ||
1776 mpi_cmp_int( &A, 1 ) == 0 )
1778 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1787 mpi_free( &RR, &A, &T, &R, &W, NULL );
1793 * Prime number generation
1795 int mpi_gen_prime( mpi *X, int nbits, int dh_flag,
1796 int (*f_rng)(void *), void *p_rng )
1803 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1805 mpi_init( &Y, NULL );
1807 n = BITS_TO_LIMBS( nbits );
1809 MPI_CHK( mpi_grow( X, n ) );
1810 MPI_CHK( mpi_lset( X, 0 ) );
1812 p = (unsigned char *) X->p;
1813 for( k = 0; k < X->n * ciL; k++ )
1814 *p++ = (unsigned char) f_rng( p_rng );
1817 if( k < nbits ) MPI_CHK( mpi_shift_l( X, nbits - k ) );
1818 if( k > nbits ) MPI_CHK( mpi_shift_r( X, k - nbits ) );
1824 while( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
1826 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1829 MPI_CHK( mpi_add_int( X, X, 2 ) );
1834 MPI_CHK( mpi_sub_int( &Y, X, 1 ) );
1835 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1839 if( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) == 0 )
1841 if( ( ret = mpi_is_prime( &Y, f_rng, p_rng ) ) == 0 )
1844 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1848 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1851 MPI_CHK( mpi_add_int( &Y, X, 1 ) );
1852 MPI_CHK( mpi_add_int( X, X, 2 ) );
1853 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1859 mpi_free( &Y, NULL );
git://git.exim.org / exim.git / blob