2 * Multi-precision integer library
4 * Copyright (C) 2006-2010, Brainspark B.V.
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 * This MPI implementation is based on:
28 * http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf
29 * http://www.stillhq.com/extracted/gnupg-api/mpi/
30 * http://math.libtomcrypt.com/files/tommath.pdf
40 #define ciL ((int) sizeof(t_int)) /* chars in limb */
41 #define biL (ciL << 3) /* bits in limb */
42 #define biH (ciL << 2) /* half limb size */
45 * Convert between bits/chars and number of limbs
47 #define BITS_TO_LIMBS(i) (((i) + biL - 1) / biL)
48 #define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
51 * Initialize one or more mpi
53 void mpi_init( mpi *X, ... )
65 X = va_arg( args, mpi* );
72 * Unallocate one or more mpi
74 void mpi_free( mpi *X, ... )
84 memset( X->p, 0, X->n * ciL );
92 X = va_arg( args, mpi* );
99 * Enlarge to the specified number of limbs
101 int mpi_grow( mpi *X, int nblimbs )
107 if( ( p = (t_int *) malloc( nblimbs * ciL ) ) == NULL )
110 memset( p, 0, nblimbs * ciL );
114 memcpy( p, X->p, X->n * ciL );
115 memset( X->p, 0, X->n * ciL );
127 * Copy the contents of Y into X
129 int mpi_copy( mpi *X, const mpi *Y )
136 for( i = Y->n - 1; i > 0; i-- )
143 MPI_CHK( mpi_grow( X, i ) );
145 memset( X->p, 0, X->n * ciL );
146 memcpy( X->p, Y->p, i * ciL );
154 * Swap the contents of X and Y
156 void mpi_swap( mpi *X, mpi *Y )
160 memcpy( &T, X, sizeof( mpi ) );
161 memcpy( X, Y, sizeof( mpi ) );
162 memcpy( Y, &T, sizeof( mpi ) );
166 * Set value from integer
168 int mpi_lset( mpi *X, int z )
172 MPI_CHK( mpi_grow( X, 1 ) );
173 memset( X->p, 0, X->n * ciL );
175 X->p[0] = ( z < 0 ) ? -z : z;
176 X->s = ( z < 0 ) ? -1 : 1;
184 * Return the number of least significant bits
186 int mpi_lsb( const mpi *X )
190 for( i = 0; i < X->n; i++ )
191 for( j = 0; j < (int) biL; j++, count++ )
192 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
199 * Return the number of most significant bits
201 int mpi_msb( const mpi *X )
205 for( i = X->n - 1; i > 0; i-- )
209 for( j = biL - 1; j >= 0; j-- )
210 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
213 return( ( i * biL ) + j + 1 );
217 * Return the total size in bytes
219 int mpi_size( const mpi *X )
221 return( ( mpi_msb( X ) + 7 ) >> 3 );
225 * Convert an ASCII character to digit value
227 static int mpi_get_digit( t_int *d, int radix, char c )
231 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
232 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
233 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
235 if( *d >= (t_int) radix )
236 return( POLARSSL_ERR_MPI_INVALID_CHARACTER );
242 * Import from an ASCII string
244 int mpi_read_string( mpi *X, int radix, const char *s )
246 int ret, i, j, n, slen;
250 if( radix < 2 || radix > 16 )
251 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
253 mpi_init( &T, NULL );
259 n = BITS_TO_LIMBS( slen << 2 );
261 MPI_CHK( mpi_grow( X, n ) );
262 MPI_CHK( mpi_lset( X, 0 ) );
264 for( i = slen - 1, j = 0; i >= 0; i--, j++ )
266 if( i == 0 && s[i] == '-' )
272 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
273 X->p[j / (2 * ciL)] |= d << ( (j % (2 * ciL)) << 2 );
278 MPI_CHK( mpi_lset( X, 0 ) );
280 for( i = 0; i < slen; i++ )
282 if( i == 0 && s[i] == '-' )
288 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
289 MPI_CHK( mpi_mul_int( &T, X, radix ) );
293 MPI_CHK( mpi_add_int( X, &T, d ) );
297 MPI_CHK( mpi_sub_int( X, &T, d ) );
304 mpi_free( &T, NULL );
310 * Helper to write the digits high-order first
312 static int mpi_write_hlp( mpi *X, int radix, char **p )
317 if( radix < 2 || radix > 16 )
318 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
320 MPI_CHK( mpi_mod_int( &r, X, radix ) );
321 MPI_CHK( mpi_div_int( X, NULL, X, radix ) );
323 if( mpi_cmp_int( X, 0 ) != 0 )
324 MPI_CHK( mpi_write_hlp( X, radix, p ) );
327 *(*p)++ = (char)( r + 0x30 );
329 *(*p)++ = (char)( r + 0x37 );
337 * Export into an ASCII string
339 int mpi_write_string( const mpi *X, int radix, char *s, int *slen )
345 if( radix < 2 || radix > 16 )
346 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
349 if( radix >= 4 ) n >>= 1;
350 if( radix >= 16 ) n >>= 1;
356 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
360 mpi_init( &T, NULL );
369 for( i = X->n - 1, k = 0; i >= 0; i-- )
371 for( j = ciL - 1; j >= 0; j-- )
373 c = ( X->p[i] >> (j << 3) ) & 0xFF;
375 if( c == 0 && k == 0 && (i + j) != 0 )
378 p += sprintf( p, "%02X", c );
385 MPI_CHK( mpi_copy( &T, X ) );
390 MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
398 mpi_free( &T, NULL );
404 * Read X from an opened file
406 int mpi_read_file( mpi *X, int radix, FILE *fin )
413 memset( s, 0, sizeof( s ) );
414 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
415 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
418 if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
419 if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
423 if( mpi_get_digit( &d, radix, *p ) != 0 )
426 return( mpi_read_string( X, radix, p + 1 ) );
430 * Write X into an opened file (or stdout if fout == NULL)
432 int mpi_write_file( const char *p, const mpi *X, int radix, FILE *fout )
443 MPI_CHK( mpi_write_string( X, radix, s, (int *) &n ) );
445 if( p == NULL ) p = "";
454 if( fwrite( p, 1, plen, fout ) != plen ||
455 fwrite( s, 1, slen, fout ) != slen )
456 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
459 printf( "%s%s", p, s );
467 * Import X from unsigned binary data, big endian
469 int mpi_read_binary( mpi *X, const unsigned char *buf, int buflen )
473 for( n = 0; n < buflen; n++ )
477 MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
478 MPI_CHK( mpi_lset( X, 0 ) );
480 for( i = buflen - 1, j = 0; i >= n; i--, j++ )
481 X->p[j / ciL] |= ((t_int) buf[i]) << ((j % ciL) << 3);
489 * Export X into unsigned binary data, big endian
491 int mpi_write_binary( const mpi *X, unsigned char *buf, int buflen )
498 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
500 memset( buf, 0, buflen );
502 for( i = buflen - 1, j = 0; n > 0; i--, j++, n-- )
503 buf[i] = (unsigned char)( X->p[j / ciL] >> ((j % ciL) << 3) );
509 * Left-shift: X <<= count
511 int mpi_shift_l( mpi *X, int count )
517 t1 = count & (biL - 1);
519 i = mpi_msb( X ) + count;
521 if( X->n * (int) biL < i )
522 MPI_CHK( mpi_grow( X, BITS_TO_LIMBS( i ) ) );
527 * shift by count / limb_size
531 for( i = X->n - 1; i >= v0; i-- )
532 X->p[i] = X->p[i - v0];
539 * shift by count % limb_size
543 for( i = v0; i < X->n; i++ )
545 r1 = X->p[i] >> (biL - t1);
558 * Right-shift: X >>= count
560 int mpi_shift_r( mpi *X, int count )
566 v1 = count & (biL - 1);
569 * shift by count / limb_size
573 for( i = 0; i < X->n - v0; i++ )
574 X->p[i] = X->p[i + v0];
576 for( ; i < X->n; i++ )
581 * shift by count % limb_size
585 for( i = X->n - 1; i >= 0; i-- )
587 r1 = X->p[i] << (biL - v1);
598 * Compare unsigned values
600 int mpi_cmp_abs( const mpi *X, const mpi *Y )
604 for( i = X->n - 1; i >= 0; i-- )
608 for( j = Y->n - 1; j >= 0; j-- )
615 if( i > j ) return( 1 );
616 if( j > i ) return( -1 );
620 if( X->p[i] > Y->p[i] ) return( 1 );
621 if( X->p[i] < Y->p[i] ) return( -1 );
628 * Compare signed values
630 int mpi_cmp_mpi( const mpi *X, const mpi *Y )
634 for( i = X->n - 1; i >= 0; i-- )
638 for( j = Y->n - 1; j >= 0; j-- )
645 if( i > j ) return( X->s );
646 if( j > i ) return( -X->s );
648 if( X->s > 0 && Y->s < 0 ) return( 1 );
649 if( Y->s > 0 && X->s < 0 ) return( -1 );
653 if( X->p[i] > Y->p[i] ) return( X->s );
654 if( X->p[i] < Y->p[i] ) return( -X->s );
661 * Compare signed values
663 int mpi_cmp_int( const mpi *X, int z )
668 *p = ( z < 0 ) ? -z : z;
669 Y.s = ( z < 0 ) ? -1 : 1;
673 return( mpi_cmp_mpi( X, &Y ) );
677 * Unsigned addition: X = |A| + |B| (HAC 14.7)
679 int mpi_add_abs( mpi *X, const mpi *A, const mpi *B )
686 const mpi *T = A; A = X; B = T;
690 MPI_CHK( mpi_copy( X, A ) );
693 * X should always be positive as a result of unsigned additions.
697 for( j = B->n - 1; j >= 0; j-- )
701 MPI_CHK( mpi_grow( X, j + 1 ) );
703 o = B->p; p = X->p; c = 0;
705 for( i = 0; i <= j; i++, o++, p++ )
707 *p += c; c = ( *p < c );
708 *p += *o; c += ( *p < *o );
715 MPI_CHK( mpi_grow( X, i + 1 ) );
719 *p += c; c = ( *p < c ); i++;
728 * Helper for mpi substraction
730 static void mpi_sub_hlp( int n, t_int *s, t_int *d )
735 for( i = c = 0; i < n; i++, s++, d++ )
737 z = ( *d < c ); *d -= c;
738 c = ( *d < *s ) + z; *d -= *s;
743 z = ( *d < c ); *d -= c;
749 * Unsigned substraction: X = |A| - |B| (HAC 14.9)
751 int mpi_sub_abs( mpi *X, const mpi *A, const mpi *B )
756 if( mpi_cmp_abs( A, B ) < 0 )
757 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
759 mpi_init( &TB, NULL );
763 MPI_CHK( mpi_copy( &TB, B ) );
768 MPI_CHK( mpi_copy( X, A ) );
771 * X should always be positive as a result of unsigned substractions.
777 for( n = B->n - 1; n >= 0; n-- )
781 mpi_sub_hlp( n + 1, B->p, X->p );
785 mpi_free( &TB, NULL );
791 * Signed addition: X = A + B
793 int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B )
797 if( A->s * B->s < 0 )
799 if( mpi_cmp_abs( A, B ) >= 0 )
801 MPI_CHK( mpi_sub_abs( X, A, B ) );
806 MPI_CHK( mpi_sub_abs( X, B, A ) );
812 MPI_CHK( mpi_add_abs( X, A, B ) );
822 * Signed substraction: X = A - B
824 int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B )
828 if( A->s * B->s > 0 )
830 if( mpi_cmp_abs( A, B ) >= 0 )
832 MPI_CHK( mpi_sub_abs( X, A, B ) );
837 MPI_CHK( mpi_sub_abs( X, B, A ) );
843 MPI_CHK( mpi_add_abs( X, A, B ) );
853 * Signed addition: X = A + b
855 int mpi_add_int( mpi *X, const mpi *A, int b )
860 p[0] = ( b < 0 ) ? -b : b;
861 _B.s = ( b < 0 ) ? -1 : 1;
865 return( mpi_add_mpi( X, A, &_B ) );
869 * Signed substraction: X = A - b
871 int mpi_sub_int( mpi *X, const mpi *A, int b )
876 p[0] = ( b < 0 ) ? -b : b;
877 _B.s = ( b < 0 ) ? -1 : 1;
881 return( mpi_sub_mpi( X, A, &_B ) );
885 * Helper for mpi multiplication
887 static void mpi_mul_hlp( int i, t_int *s, t_int *d, t_int b )
891 #if defined(MULADDC_HUIT)
892 for( ; i >= 8; i -= 8 )
906 for( ; i >= 16; i -= 16 )
909 MULADDC_CORE MULADDC_CORE
910 MULADDC_CORE MULADDC_CORE
911 MULADDC_CORE MULADDC_CORE
912 MULADDC_CORE MULADDC_CORE
914 MULADDC_CORE MULADDC_CORE
915 MULADDC_CORE MULADDC_CORE
916 MULADDC_CORE MULADDC_CORE
917 MULADDC_CORE MULADDC_CORE
921 for( ; i >= 8; i -= 8 )
924 MULADDC_CORE MULADDC_CORE
925 MULADDC_CORE MULADDC_CORE
927 MULADDC_CORE MULADDC_CORE
928 MULADDC_CORE MULADDC_CORE
943 *d += c; c = ( *d < c ); d++;
949 * Baseline multiplication: X = A * B (HAC 14.12)
951 int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B )
956 mpi_init( &TA, &TB, NULL );
958 if( X == A ) { MPI_CHK( mpi_copy( &TA, A ) ); A = &TA; }
959 if( X == B ) { MPI_CHK( mpi_copy( &TB, B ) ); B = &TB; }
961 for( i = A->n - 1; i >= 0; i-- )
965 for( j = B->n - 1; j >= 0; j-- )
969 MPI_CHK( mpi_grow( X, i + j + 2 ) );
970 MPI_CHK( mpi_lset( X, 0 ) );
972 for( i++; j >= 0; j-- )
973 mpi_mul_hlp( i, A->p, X->p + j, B->p[j] );
979 mpi_free( &TB, &TA, NULL );
985 * Baseline multiplication: X = A * b
987 int mpi_mul_int( mpi *X, const mpi *A, t_int b )
997 return( mpi_mul_mpi( X, A, &_B ) );
1001 * Division by mpi: A = Q * B + R (HAC 14.20)
1003 int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B )
1005 int ret, i, n, t, k;
1006 mpi X, Y, Z, T1, T2;
1008 if( mpi_cmp_int( B, 0 ) == 0 )
1009 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1011 mpi_init( &X, &Y, &Z, &T1, &T2, NULL );
1013 if( mpi_cmp_abs( A, B ) < 0 )
1015 if( Q != NULL ) MPI_CHK( mpi_lset( Q, 0 ) );
1016 if( R != NULL ) MPI_CHK( mpi_copy( R, A ) );
1020 MPI_CHK( mpi_copy( &X, A ) );
1021 MPI_CHK( mpi_copy( &Y, B ) );
1024 MPI_CHK( mpi_grow( &Z, A->n + 2 ) );
1025 MPI_CHK( mpi_lset( &Z, 0 ) );
1026 MPI_CHK( mpi_grow( &T1, 2 ) );
1027 MPI_CHK( mpi_grow( &T2, 3 ) );
1029 k = mpi_msb( &Y ) % biL;
1030 if( k < (int) biL - 1 )
1033 MPI_CHK( mpi_shift_l( &X, k ) );
1034 MPI_CHK( mpi_shift_l( &Y, k ) );
1040 mpi_shift_l( &Y, biL * (n - t) );
1042 while( mpi_cmp_mpi( &X, &Y ) >= 0 )
1045 mpi_sub_mpi( &X, &X, &Y );
1047 mpi_shift_r( &Y, biL * (n - t) );
1049 for( i = n; i > t ; i-- )
1051 if( X.p[i] >= Y.p[t] )
1052 Z.p[i - t - 1] = ~0;
1055 #if defined(POLARSSL_HAVE_LONGLONG)
1058 r = (t_dbl) X.p[i] << biL;
1059 r |= (t_dbl) X.p[i - 1];
1061 if( r > ((t_dbl) 1 << biL) - 1)
1062 r = ((t_dbl) 1 << biL) - 1;
1064 Z.p[i - t - 1] = (t_int) r;
1067 * __udiv_qrnnd_c, from gmp/longlong.h
1069 t_int q0, q1, r0, r1;
1073 d0 = ( d << biH ) >> biH;
1077 r1 = X.p[i] - d1 * q1;
1079 r1 |= ( X.p[i - 1] >> biH );
1085 while( r1 >= d && r1 < m )
1093 r0 |= ( X.p[i - 1] << biH ) >> biH;
1099 while( r0 >= d && r0 < m )
1104 Z.p[i - t - 1] = ( q1 << biH ) | q0;
1113 MPI_CHK( mpi_lset( &T1, 0 ) );
1114 T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
1116 MPI_CHK( mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
1118 MPI_CHK( mpi_lset( &T2, 0 ) );
1119 T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
1120 T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
1123 while( mpi_cmp_mpi( &T1, &T2 ) > 0 );
1125 MPI_CHK( mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
1126 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1127 MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
1129 if( mpi_cmp_int( &X, 0 ) < 0 )
1131 MPI_CHK( mpi_copy( &T1, &Y ) );
1132 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1133 MPI_CHK( mpi_add_mpi( &X, &X, &T1 ) );
1146 mpi_shift_r( &X, k );
1150 if( mpi_cmp_int( R, 0 ) == 0 )
1156 mpi_free( &X, &Y, &Z, &T1, &T2, NULL );
1162 * Division by int: A = Q * b + R
1164 * Returns 0 if successful
1165 * 1 if memory allocation failed
1166 * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0
1168 int mpi_div_int( mpi *Q, mpi *R, const mpi *A, int b )
1173 p[0] = ( b < 0 ) ? -b : b;
1174 _B.s = ( b < 0 ) ? -1 : 1;
1178 return( mpi_div_mpi( Q, R, A, &_B ) );
1182 * Modulo: R = A mod B
1184 int mpi_mod_mpi( mpi *R, const mpi *A, const mpi *B )
1188 if( mpi_cmp_int( B, 0 ) < 0 )
1189 return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
1191 MPI_CHK( mpi_div_mpi( NULL, R, A, B ) );
1193 while( mpi_cmp_int( R, 0 ) < 0 )
1194 MPI_CHK( mpi_add_mpi( R, R, B ) );
1196 while( mpi_cmp_mpi( R, B ) >= 0 )
1197 MPI_CHK( mpi_sub_mpi( R, R, B ) );
1205 * Modulo: r = A mod b
1207 int mpi_mod_int( t_int *r, const mpi *A, int b )
1213 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1216 return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
1219 * handle trivial cases
1236 for( i = A->n - 1, y = 0; i >= 0; i-- )
1239 y = ( y << biH ) | ( x >> biH );
1244 y = ( y << biH ) | ( x >> biH );
1250 * If A is negative, then the current y represents a negative value.
1251 * Flipping it to the positive side.
1253 if( A->s < 0 && y != 0 )
1262 * Fast Montgomery initialization (thanks to Tom St Denis)
1264 static void mpi_montg_init( t_int *mm, const mpi *N )
1266 t_int x, m0 = N->p[0];
1269 x += ( ( m0 + 2 ) & 4 ) << 1;
1270 x *= ( 2 - ( m0 * x ) );
1272 if( biL >= 16 ) x *= ( 2 - ( m0 * x ) );
1273 if( biL >= 32 ) x *= ( 2 - ( m0 * x ) );
1274 if( biL >= 64 ) x *= ( 2 - ( m0 * x ) );
1280 * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1282 static void mpi_montmul( mpi *A, const mpi *B, const mpi *N, t_int mm, const mpi *T )
1287 memset( T->p, 0, T->n * ciL );
1291 m = ( B->n < n ) ? B->n : n;
1293 for( i = 0; i < n; i++ )
1296 * T = (T + u0*B + u1*N) / 2^biL
1299 u1 = ( d[0] + u0 * B->p[0] ) * mm;
1301 mpi_mul_hlp( m, B->p, d, u0 );
1302 mpi_mul_hlp( n, N->p, d, u1 );
1304 *d++ = u0; d[n + 1] = 0;
1307 memcpy( A->p, d, (n + 1) * ciL );
1309 if( mpi_cmp_abs( A, N ) >= 0 )
1310 mpi_sub_hlp( n, N->p, A->p );
1312 /* prevent timing attacks */
1313 mpi_sub_hlp( n, A->p, T->p );
1317 * Montgomery reduction: A = A * R^-1 mod N
1319 static void mpi_montred( mpi *A, const mpi *N, t_int mm, const mpi *T )
1327 mpi_montmul( A, &U, N, mm, T );
1331 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1333 int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
1335 int ret, i, j, wsize, wbits;
1336 int bufsize, nblimbs, nbits;
1337 t_int ei, mm, state;
1340 if( mpi_cmp_int( N, 0 ) < 0 || ( N->p[0] & 1 ) == 0 )
1341 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1344 * Init temps and window size
1346 mpi_montg_init( &mm, N );
1347 mpi_init( &RR, &T, NULL );
1348 memset( W, 0, sizeof( W ) );
1352 wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
1353 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
1356 MPI_CHK( mpi_grow( X, j ) );
1357 MPI_CHK( mpi_grow( &W[1], j ) );
1358 MPI_CHK( mpi_grow( &T, j * 2 ) );
1361 * If 1st call, pre-compute R^2 mod N
1363 if( _RR == NULL || _RR->p == NULL )
1365 MPI_CHK( mpi_lset( &RR, 1 ) );
1366 MPI_CHK( mpi_shift_l( &RR, N->n * 2 * biL ) );
1367 MPI_CHK( mpi_mod_mpi( &RR, &RR, N ) );
1370 memcpy( _RR, &RR, sizeof( mpi ) );
1373 memcpy( &RR, _RR, sizeof( mpi ) );
1376 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1378 if( mpi_cmp_mpi( A, N ) >= 0 )
1379 mpi_mod_mpi( &W[1], A, N );
1380 else mpi_copy( &W[1], A );
1382 mpi_montmul( &W[1], &RR, N, mm, &T );
1385 * X = R^2 * R^-1 mod N = R mod N
1387 MPI_CHK( mpi_copy( X, &RR ) );
1388 mpi_montred( X, N, mm, &T );
1393 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
1395 j = 1 << (wsize - 1);
1397 MPI_CHK( mpi_grow( &W[j], N->n + 1 ) );
1398 MPI_CHK( mpi_copy( &W[j], &W[1] ) );
1400 for( i = 0; i < wsize - 1; i++ )
1401 mpi_montmul( &W[j], &W[j], N, mm, &T );
1404 * W[i] = W[i - 1] * W[1]
1406 for( i = j + 1; i < (1 << wsize); i++ )
1408 MPI_CHK( mpi_grow( &W[i], N->n + 1 ) );
1409 MPI_CHK( mpi_copy( &W[i], &W[i - 1] ) );
1411 mpi_montmul( &W[i], &W[1], N, mm, &T );
1425 if( nblimbs-- == 0 )
1428 bufsize = sizeof( t_int ) << 3;
1433 ei = (E->p[nblimbs] >> bufsize) & 1;
1438 if( ei == 0 && state == 0 )
1441 if( ei == 0 && state == 1 )
1444 * out of window, square X
1446 mpi_montmul( X, X, N, mm, &T );
1451 * add ei to current window
1456 wbits |= (ei << (wsize - nbits));
1458 if( nbits == wsize )
1461 * X = X^wsize R^-1 mod N
1463 for( i = 0; i < wsize; i++ )
1464 mpi_montmul( X, X, N, mm, &T );
1467 * X = X * W[wbits] R^-1 mod N
1469 mpi_montmul( X, &W[wbits], N, mm, &T );
1478 * process the remaining bits
1480 for( i = 0; i < nbits; i++ )
1482 mpi_montmul( X, X, N, mm, &T );
1486 if( (wbits & (1 << wsize)) != 0 )
1487 mpi_montmul( X, &W[1], N, mm, &T );
1491 * X = A^E * R * R^-1 mod N = A^E mod N
1493 mpi_montred( X, N, mm, &T );
1497 for( i = (1 << (wsize - 1)); i < (1 << wsize); i++ )
1498 mpi_free( &W[i], NULL );
1501 mpi_free( &W[1], &T, NULL );
1502 else mpi_free( &W[1], &T, &RR, NULL );
1508 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
1510 int mpi_gcd( mpi *G, const mpi *A, const mpi *B )
1515 mpi_init( &TG, &TA, &TB, NULL );
1517 MPI_CHK( mpi_copy( &TA, A ) );
1518 MPI_CHK( mpi_copy( &TB, B ) );
1520 lz = mpi_lsb( &TA );
1521 lzt = mpi_lsb( &TB );
1526 MPI_CHK( mpi_shift_r( &TA, lz ) );
1527 MPI_CHK( mpi_shift_r( &TB, lz ) );
1531 while( mpi_cmp_int( &TA, 0 ) != 0 )
1533 MPI_CHK( mpi_shift_r( &TA, mpi_lsb( &TA ) ) );
1534 MPI_CHK( mpi_shift_r( &TB, mpi_lsb( &TB ) ) );
1536 if( mpi_cmp_mpi( &TA, &TB ) >= 0 )
1538 MPI_CHK( mpi_sub_abs( &TA, &TA, &TB ) );
1539 MPI_CHK( mpi_shift_r( &TA, 1 ) );
1543 MPI_CHK( mpi_sub_abs( &TB, &TB, &TA ) );
1544 MPI_CHK( mpi_shift_r( &TB, 1 ) );
1548 MPI_CHK( mpi_shift_l( &TB, lz ) );
1549 MPI_CHK( mpi_copy( G, &TB ) );
1553 mpi_free( &TB, &TA, &TG, NULL );
1558 #if defined(POLARSSL_GENPRIME)
1561 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
1563 int mpi_inv_mod( mpi *X, const mpi *A, const mpi *N )
1566 mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
1568 if( mpi_cmp_int( N, 0 ) <= 0 )
1569 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1571 mpi_init( &TA, &TU, &U1, &U2, &G,
1572 &TB, &TV, &V1, &V2, NULL );
1574 MPI_CHK( mpi_gcd( &G, A, N ) );
1576 if( mpi_cmp_int( &G, 1 ) != 0 )
1578 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1582 MPI_CHK( mpi_mod_mpi( &TA, A, N ) );
1583 MPI_CHK( mpi_copy( &TU, &TA ) );
1584 MPI_CHK( mpi_copy( &TB, N ) );
1585 MPI_CHK( mpi_copy( &TV, N ) );
1587 MPI_CHK( mpi_lset( &U1, 1 ) );
1588 MPI_CHK( mpi_lset( &U2, 0 ) );
1589 MPI_CHK( mpi_lset( &V1, 0 ) );
1590 MPI_CHK( mpi_lset( &V2, 1 ) );
1594 while( ( TU.p[0] & 1 ) == 0 )
1596 MPI_CHK( mpi_shift_r( &TU, 1 ) );
1598 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
1600 MPI_CHK( mpi_add_mpi( &U1, &U1, &TB ) );
1601 MPI_CHK( mpi_sub_mpi( &U2, &U2, &TA ) );
1604 MPI_CHK( mpi_shift_r( &U1, 1 ) );
1605 MPI_CHK( mpi_shift_r( &U2, 1 ) );
1608 while( ( TV.p[0] & 1 ) == 0 )
1610 MPI_CHK( mpi_shift_r( &TV, 1 ) );
1612 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
1614 MPI_CHK( mpi_add_mpi( &V1, &V1, &TB ) );
1615 MPI_CHK( mpi_sub_mpi( &V2, &V2, &TA ) );
1618 MPI_CHK( mpi_shift_r( &V1, 1 ) );
1619 MPI_CHK( mpi_shift_r( &V2, 1 ) );
1622 if( mpi_cmp_mpi( &TU, &TV ) >= 0 )
1624 MPI_CHK( mpi_sub_mpi( &TU, &TU, &TV ) );
1625 MPI_CHK( mpi_sub_mpi( &U1, &U1, &V1 ) );
1626 MPI_CHK( mpi_sub_mpi( &U2, &U2, &V2 ) );
1630 MPI_CHK( mpi_sub_mpi( &TV, &TV, &TU ) );
1631 MPI_CHK( mpi_sub_mpi( &V1, &V1, &U1 ) );
1632 MPI_CHK( mpi_sub_mpi( &V2, &V2, &U2 ) );
1635 while( mpi_cmp_int( &TU, 0 ) != 0 );
1637 while( mpi_cmp_int( &V1, 0 ) < 0 )
1638 MPI_CHK( mpi_add_mpi( &V1, &V1, N ) );
1640 while( mpi_cmp_mpi( &V1, N ) >= 0 )
1641 MPI_CHK( mpi_sub_mpi( &V1, &V1, N ) );
1643 MPI_CHK( mpi_copy( X, &V1 ) );
1647 mpi_free( &V2, &V1, &TV, &TB, &G,
1648 &U2, &U1, &TU, &TA, NULL );
1653 static const int small_prime[] =
1655 3, 5, 7, 11, 13, 17, 19, 23,
1656 29, 31, 37, 41, 43, 47, 53, 59,
1657 61, 67, 71, 73, 79, 83, 89, 97,
1658 101, 103, 107, 109, 113, 127, 131, 137,
1659 139, 149, 151, 157, 163, 167, 173, 179,
1660 181, 191, 193, 197, 199, 211, 223, 227,
1661 229, 233, 239, 241, 251, 257, 263, 269,
1662 271, 277, 281, 283, 293, 307, 311, 313,
1663 317, 331, 337, 347, 349, 353, 359, 367,
1664 373, 379, 383, 389, 397, 401, 409, 419,
1665 421, 431, 433, 439, 443, 449, 457, 461,
1666 463, 467, 479, 487, 491, 499, 503, 509,
1667 521, 523, 541, 547, 557, 563, 569, 571,
1668 577, 587, 593, 599, 601, 607, 613, 617,
1669 619, 631, 641, 643, 647, 653, 659, 661,
1670 673, 677, 683, 691, 701, 709, 719, 727,
1671 733, 739, 743, 751, 757, 761, 769, 773,
1672 787, 797, 809, 811, 821, 823, 827, 829,
1673 839, 853, 857, 859, 863, 877, 881, 883,
1674 887, 907, 911, 919, 929, 937, 941, 947,
1675 953, 967, 971, 977, 983, 991, 997, -103
1679 * Miller-Rabin primality test (HAC 4.24)
1681 int mpi_is_prime( mpi *X, int (*f_rng)(void *), void *p_rng )
1683 int ret, i, j, n, s, xs;
1687 if( mpi_cmp_int( X, 0 ) == 0 ||
1688 mpi_cmp_int( X, 1 ) == 0 )
1689 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1691 if( mpi_cmp_int( X, 2 ) == 0 )
1694 mpi_init( &W, &R, &T, &A, &RR, NULL );
1696 xs = X->s; X->s = 1;
1699 * test trivial factors first
1701 if( ( X->p[0] & 1 ) == 0 )
1702 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1704 for( i = 0; small_prime[i] > 0; i++ )
1708 if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
1711 MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
1714 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1721 MPI_CHK( mpi_sub_int( &W, X, 1 ) );
1723 MPI_CHK( mpi_copy( &R, &W ) );
1724 MPI_CHK( mpi_shift_r( &R, s ) );
1730 n = ( ( i >= 1300 ) ? 2 : ( i >= 850 ) ? 3 :
1731 ( i >= 650 ) ? 4 : ( i >= 350 ) ? 8 :
1732 ( i >= 250 ) ? 12 : ( i >= 150 ) ? 18 : 27 );
1734 for( i = 0; i < n; i++ )
1737 * pick a random A, 1 < A < |X| - 1
1739 MPI_CHK( mpi_grow( &A, X->n ) );
1741 p = (unsigned char *) A.p;
1742 for( j = 0; j < A.n * ciL; j++ )
1743 *p++ = (unsigned char) f_rng( p_rng );
1745 j = mpi_msb( &A ) - mpi_msb( &W );
1746 MPI_CHK( mpi_shift_r( &A, j + 1 ) );
1752 MPI_CHK( mpi_exp_mod( &A, &A, &R, X, &RR ) );
1754 if( mpi_cmp_mpi( &A, &W ) == 0 ||
1755 mpi_cmp_int( &A, 1 ) == 0 )
1759 while( j < s && mpi_cmp_mpi( &A, &W ) != 0 )
1764 MPI_CHK( mpi_mul_mpi( &T, &A, &A ) );
1765 MPI_CHK( mpi_mod_mpi( &A, &T, X ) );
1767 if( mpi_cmp_int( &A, 1 ) == 0 )
1774 * not prime if A != |X| - 1 or A == 1
1776 if( mpi_cmp_mpi( &A, &W ) != 0 ||
1777 mpi_cmp_int( &A, 1 ) == 0 )
1779 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1788 mpi_free( &RR, &A, &T, &R, &W, NULL );
1794 * Prime number generation
1796 int mpi_gen_prime( mpi *X, int nbits, int dh_flag,
1797 int (*f_rng)(void *), void *p_rng )
1804 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1806 mpi_init( &Y, NULL );
1808 n = BITS_TO_LIMBS( nbits );
1810 MPI_CHK( mpi_grow( X, n ) );
1811 MPI_CHK( mpi_lset( X, 0 ) );
1813 p = (unsigned char *) X->p;
1814 for( k = 0; k < X->n * ciL; k++ )
1815 *p++ = (unsigned char) f_rng( p_rng );
1818 if( k < nbits ) MPI_CHK( mpi_shift_l( X, nbits - k ) );
1819 if( k > nbits ) MPI_CHK( mpi_shift_r( X, k - nbits ) );
1825 while( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
1827 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1830 MPI_CHK( mpi_add_int( X, X, 2 ) );
1835 MPI_CHK( mpi_sub_int( &Y, X, 1 ) );
1836 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1840 if( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) == 0 )
1842 if( ( ret = mpi_is_prime( &Y, f_rng, p_rng ) ) == 0 )
1845 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1849 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1852 MPI_CHK( mpi_add_int( &Y, X, 1 ) );
1853 MPI_CHK( mpi_add_int( X, X, 2 ) );
1854 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1860 mpi_free( &Y, NULL );
git://git.exim.org / exim.git / blob