/src/wolfssl-heapmath/wolfcrypt/src/integer.c
Line | Count | Source |
1 | | /* integer.c |
2 | | * |
3 | | * Copyright (C) 2006-2025 wolfSSL Inc. |
4 | | * |
5 | | * This file is part of wolfSSL. |
6 | | * |
7 | | * wolfSSL is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 3 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * wolfSSL is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
20 | | */ |
21 | | |
22 | | #include <wolfssl/wolfcrypt/libwolfssl_sources.h> |
23 | | |
24 | | /* |
25 | | * Based on public domain LibTomMath 0.38 by Tom St Denis, tomstdenis@iahu.ca, |
26 | | * http://math.libtomcrypt.com |
27 | | */ |
28 | | |
29 | | #ifndef NO_BIG_INT |
30 | | |
31 | | #if !defined(USE_FAST_MATH) && defined(USE_INTEGER_HEAP_MATH) |
32 | | |
33 | | #ifndef WOLFSSL_SP_MATH |
34 | | |
35 | | #ifdef NO_INLINE |
36 | | #include <wolfssl/wolfcrypt/misc.h> |
37 | | #else |
38 | | #define WOLFSSL_MISC_INCLUDED |
39 | | #include <wolfcrypt/src/misc.c> |
40 | | #endif |
41 | | |
42 | | #include <wolfssl/wolfcrypt/wolfmath.h> |
43 | | |
44 | | #if defined(FREESCALE_LTC_TFM) |
45 | | #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h> |
46 | | #endif |
47 | | #ifdef WOLFSSL_DEBUG_MATH |
48 | | #include <stdio.h> |
49 | | #endif |
50 | | |
51 | | #ifdef SHOW_GEN |
52 | | #ifndef NO_STDIO_FILESYSTEM |
53 | | #include <stdio.h> |
54 | | #endif |
55 | | #endif |
56 | | |
57 | | #if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) |
58 | | #ifdef __cplusplus |
59 | | extern "C" { |
60 | | #endif |
61 | | WOLFSSL_LOCAL int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod, |
62 | | mp_int* res); |
63 | | WOLFSSL_LOCAL int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod, |
64 | | mp_int* res); |
65 | | WOLFSSL_LOCAL int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod, |
66 | | mp_int* res); |
67 | | WOLFSSL_LOCAL int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod, |
68 | | mp_int* res); |
69 | | WOLFSSL_LOCAL int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod, |
70 | | mp_int* res); |
71 | | #ifdef __cplusplus |
72 | | } /* extern "C" */ |
73 | | #endif |
74 | | #endif |
75 | | |
76 | | /* reverse an array, used for radix code */ |
77 | | static void |
78 | | bn_reverse (unsigned char *s, int len) |
79 | 17.0k | { |
80 | 17.0k | int ix, iy; |
81 | 17.0k | unsigned char t; |
82 | | |
83 | 17.0k | ix = 0; |
84 | 17.0k | iy = len - 1; |
85 | 664k | while (ix < iy) { |
86 | 647k | t = s[ix]; |
87 | 647k | s[ix] = s[iy]; |
88 | 647k | s[iy] = t; |
89 | 647k | ++ix; |
90 | 647k | --iy; |
91 | 647k | } |
92 | 17.0k | } |
93 | | |
94 | | /* math settings check */ |
95 | | word32 CheckRunTimeSettings(void) |
96 | 0 | { |
97 | 0 | return CTC_SETTINGS; |
98 | 0 | } |
99 | | |
100 | | |
101 | | /* handle up to 6 inits */ |
102 | | int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e, |
103 | | mp_int* f) |
104 | 472k | { |
105 | 472k | int res = MP_OKAY; |
106 | | |
107 | 472k | if (a) XMEMSET(a, 0, sizeof(mp_int)); |
108 | 472k | if (b) XMEMSET(b, 0, sizeof(mp_int)); |
109 | 472k | if (c) XMEMSET(c, 0, sizeof(mp_int)); |
110 | 472k | if (d) XMEMSET(d, 0, sizeof(mp_int)); |
111 | 472k | if (e) XMEMSET(e, 0, sizeof(mp_int)); |
112 | 472k | if (f) XMEMSET(f, 0, sizeof(mp_int)); |
113 | | |
114 | 472k | if (a && ((res = mp_init(a)) != MP_OKAY)) |
115 | 0 | return res; |
116 | | |
117 | 472k | if (b && ((res = mp_init(b)) != MP_OKAY)) { |
118 | 0 | mp_clear(a); |
119 | 0 | return res; |
120 | 0 | } |
121 | | |
122 | 472k | if (c && ((res = mp_init(c)) != MP_OKAY)) { |
123 | 0 | mp_clear(a); mp_clear(b); |
124 | 0 | return res; |
125 | 0 | } |
126 | | |
127 | 472k | if (d && ((res = mp_init(d)) != MP_OKAY)) { |
128 | 0 | mp_clear(a); mp_clear(b); mp_clear(c); |
129 | 0 | return res; |
130 | 0 | } |
131 | | |
132 | 472k | if (e && ((res = mp_init(e)) != MP_OKAY)) { |
133 | 0 | mp_clear(a); mp_clear(b); mp_clear(c); mp_clear(d); |
134 | 0 | return res; |
135 | 0 | } |
136 | | |
137 | 472k | if (f && ((res = mp_init(f)) != MP_OKAY)) { |
138 | 0 | mp_clear(a); mp_clear(b); mp_clear(c); mp_clear(d); mp_clear(e); |
139 | 0 | return res; |
140 | 0 | } |
141 | | |
142 | 472k | return res; |
143 | 472k | } |
144 | | |
145 | | |
146 | | /* init a new mp_int */ |
147 | | int mp_init (mp_int * a) |
148 | 121M | { |
149 | | /* Safeguard against passing in a null pointer */ |
150 | 121M | if (a == NULL) |
151 | 0 | return MP_VAL; |
152 | | |
153 | | /* defer allocation until mp_grow */ |
154 | 121M | a->dp = NULL; |
155 | | |
156 | | /* set the used to zero, allocated digits to the default precision |
157 | | * and sign to positive */ |
158 | 121M | a->used = 0; |
159 | 121M | a->alloc = 0; |
160 | 121M | a->sign = MP_ZPOS; |
161 | | #ifdef HAVE_WOLF_BIGINT |
162 | | wc_bigint_init(&a->raw); |
163 | | #endif |
164 | | |
165 | 121M | return MP_OKAY; |
166 | 121M | } |
167 | | |
168 | | |
169 | | /* clear one (frees) */ |
170 | | void mp_clear (mp_int * a) |
171 | 126M | { |
172 | | #ifdef HAVE_FIPS |
173 | | mp_forcezero(a); |
174 | | #else |
175 | 126M | int i; |
176 | | |
177 | 126M | if (a == NULL) |
178 | 0 | return; |
179 | | |
180 | | /* only do anything if a hasn't been freed previously */ |
181 | 126M | #ifndef HAVE_WOLF_BIGINT |
182 | | /* When HAVE_WOLF_BIGINT then mp_free -> wc_bigint_free needs to be called |
183 | | * because a->raw->buf may be allocated even when a->dp == NULL. This is the |
184 | | * case for when a zero is loaded into the mp_int. */ |
185 | 126M | if (a->dp != NULL) |
186 | 11.2M | #endif |
187 | 11.2M | { |
188 | | /* first zero the digits */ |
189 | 238M | for (i = 0; i < a->used; i++) { |
190 | 226M | a->dp[i] = 0; |
191 | 226M | } |
192 | | |
193 | | /* free ram */ |
194 | 11.2M | mp_free(a); |
195 | | |
196 | | /* reset members to make debugging easier */ |
197 | 11.2M | a->alloc = a->used = 0; |
198 | 11.2M | a->sign = MP_ZPOS; |
199 | 11.2M | } |
200 | 126M | #endif |
201 | 126M | } |
202 | | |
203 | | void mp_free (mp_int * a) |
204 | 14.1M | { |
205 | | /* only do anything if a hasn't been freed previously */ |
206 | 14.1M | if (a->dp != NULL) { |
207 | | /* free ram */ |
208 | 11.2M | XFREE(a->dp, 0, DYNAMIC_TYPE_BIGINT); |
209 | 11.2M | a->dp = NULL; |
210 | 11.2M | } |
211 | | |
212 | | #ifdef HAVE_WOLF_BIGINT |
213 | | wc_bigint_free(&a->raw); |
214 | | #endif |
215 | 14.1M | } |
216 | | |
217 | | void mp_forcezero(mp_int * a) |
218 | 6.71k | { |
219 | 6.71k | if (a == NULL) |
220 | 0 | return; |
221 | | |
222 | | /* only do anything if a hasn't been freed previously */ |
223 | 6.71k | if (a->dp != NULL) { |
224 | | /* force zero the used digits */ |
225 | 3.00k | ForceZero(a->dp, a->used * sizeof(mp_digit)); |
226 | | #ifdef HAVE_WOLF_BIGINT |
227 | | wc_bigint_zero(&a->raw); |
228 | | #endif |
229 | | /* free ram */ |
230 | 3.00k | mp_free(a); |
231 | | |
232 | | /* reset members to make debugging easier */ |
233 | 3.00k | a->alloc = a->used = 0; |
234 | 3.00k | a->sign = MP_ZPOS; |
235 | 3.00k | } |
236 | | |
237 | 6.71k | a->sign = MP_ZPOS; |
238 | 6.71k | a->used = 0; |
239 | 6.71k | } |
240 | | |
241 | | |
242 | | /* get the size for an unsigned equivalent */ |
243 | | int mp_unsigned_bin_size (const mp_int * a) |
244 | 25.1k | { |
245 | 25.1k | int size = mp_count_bits (a); |
246 | 25.1k | return (size / 8 + ((size & 7) != 0 ? 1 : 0)); |
247 | 25.1k | } |
248 | | |
249 | | |
250 | | /* returns the number of bits in an int */ |
251 | | int mp_count_bits (const mp_int * a) |
252 | 1.50M | { |
253 | 1.50M | int r; |
254 | 1.50M | mp_digit q; |
255 | | |
256 | | /* shortcut */ |
257 | 1.50M | if (a->used == 0) { |
258 | 4.58k | return 0; |
259 | 4.58k | } |
260 | | |
261 | | /* get number of digits and add that */ |
262 | 1.50M | r = (a->used - 1) * DIGIT_BIT; |
263 | | |
264 | | /* take the last digit and count the bits in it */ |
265 | 1.50M | q = a->dp[a->used - 1]; |
266 | 39.3M | while (q > ((mp_digit) 0)) { |
267 | 37.8M | ++r; |
268 | 37.8M | q >>= ((mp_digit) 1); |
269 | 37.8M | } |
270 | 1.50M | return r; |
271 | 1.50M | } |
272 | | |
273 | | |
274 | | int mp_leading_bit (mp_int * a) |
275 | 3.67k | { |
276 | 3.67k | int c = mp_count_bits(a); |
277 | | |
278 | 3.67k | if (c == 0) return 0; |
279 | 3.66k | return (c % 8) == 0; |
280 | 3.67k | } |
281 | | |
282 | | int mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b) |
283 | 9.29k | { |
284 | 9.29k | int res = 0; |
285 | 161k | while (mp_iszero(t) == MP_NO) { |
286 | 152k | #ifndef MP_8BIT |
287 | 152k | b[x++] = (unsigned char) (t->dp[0] & 255); |
288 | | #else |
289 | | b[x++] = (unsigned char) (t->dp[0] | ((t->dp[1] & 0x01) << 7)); |
290 | | #endif |
291 | 152k | if ((res = mp_div_2d (t, 8, t, NULL)) != MP_OKAY) { |
292 | 0 | return res; |
293 | 0 | } |
294 | 152k | res = x; |
295 | 152k | } |
296 | 9.29k | return res; |
297 | 9.29k | } |
298 | | |
299 | | /* store in unsigned [big endian] format */ |
300 | | int mp_to_unsigned_bin (const mp_int * a, unsigned char *b) |
301 | 9.82k | { |
302 | 9.82k | int x, res; |
303 | 9.82k | mp_int t; |
304 | | |
305 | 9.82k | if ((res = mp_init_copy (&t, a)) != MP_OKAY) { |
306 | 527 | return res; |
307 | 527 | } |
308 | | |
309 | 9.29k | x = mp_to_unsigned_bin_at_pos(0, &t, b); |
310 | 9.29k | if (x < 0) { |
311 | 0 | mp_clear(&t); |
312 | 0 | return x; |
313 | 0 | } |
314 | | |
315 | 9.29k | bn_reverse (b, x); |
316 | 9.29k | mp_clear (&t); |
317 | 9.29k | return res; |
318 | 9.29k | } |
319 | | |
320 | | int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c) |
321 | 6.33k | { |
322 | 6.33k | int i, len; |
323 | | |
324 | 6.33k | len = mp_unsigned_bin_size(a); |
325 | | |
326 | 6.33k | if (len > c) { |
327 | 54 | return MP_VAL; |
328 | 54 | } |
329 | | |
330 | | /* pad front w/ zeros to match length */ |
331 | 34.9M | for (i = 0; i < c - len; i++) { |
332 | 34.9M | b[i] = 0x00; |
333 | 34.9M | } |
334 | 6.28k | return mp_to_unsigned_bin(a, b + i); |
335 | 6.33k | } |
336 | | |
337 | | /* creates "a" then copies b into it */ |
338 | | int mp_init_copy (mp_int * a, const mp_int * b) |
339 | 313k | { |
340 | 313k | int res; |
341 | | |
342 | 313k | if ((res = mp_init_size (a, b->used)) != MP_OKAY) { |
343 | 829 | return res; |
344 | 829 | } |
345 | | |
346 | 312k | if((res = mp_copy (b, a)) != MP_OKAY) { |
347 | 0 | mp_clear(a); |
348 | 0 | } |
349 | | |
350 | 312k | return res; |
351 | 313k | } |
352 | | |
353 | | |
354 | | /* copy, b = a */ |
355 | | int mp_copy (const mp_int * a, mp_int * b) |
356 | 124M | { |
357 | 124M | int res, n; |
358 | | |
359 | | /* Safeguard against passing in a null pointer */ |
360 | 124M | if (a == NULL || b == NULL) |
361 | 0 | return MP_VAL; |
362 | | |
363 | | /* if dst == src do nothing */ |
364 | 124M | if (a == b) { |
365 | 118M | return MP_OKAY; |
366 | 118M | } |
367 | | |
368 | | /* grow dest */ |
369 | 5.46M | if (b->alloc < a->used || b->alloc == 0) { |
370 | 2.84M | if ((res = mp_grow (b, a->used)) != MP_OKAY) { |
371 | 517 | return res; |
372 | 517 | } |
373 | 2.84M | } |
374 | | |
375 | | /* zero b and copy the parameters over */ |
376 | 5.46M | { |
377 | 5.46M | mp_digit *tmpa, *tmpb; |
378 | | |
379 | | /* pointer aliases */ |
380 | | |
381 | | /* source */ |
382 | 5.46M | tmpa = a->dp; |
383 | | |
384 | | /* destination */ |
385 | 5.46M | tmpb = b->dp; |
386 | | |
387 | | /* copy all the digits */ |
388 | 94.6M | for (n = 0; n < a->used; n++) { |
389 | 89.1M | *tmpb++ = *tmpa++; |
390 | 89.1M | } |
391 | | |
392 | | /* clear high digits */ |
393 | 5.47M | for (; n < b->used && b->dp; n++) { |
394 | 6.93k | *tmpb++ = 0; |
395 | 6.93k | } |
396 | 5.46M | } |
397 | | |
398 | | /* copy used count and sign */ |
399 | 5.46M | b->used = a->used; |
400 | 5.46M | b->sign = a->sign; |
401 | 5.46M | return MP_OKAY; |
402 | 5.46M | } |
403 | | |
404 | | |
405 | | /* grow as required */ |
406 | | int mp_grow (mp_int * a, int size) |
407 | 9.14M | { |
408 | 9.14M | mp_digit *tmp; |
409 | | |
410 | | /* if the alloc size is smaller alloc more ram */ |
411 | 9.14M | if ((a->alloc < size) || (size == 0) || (a->alloc == 0)) { |
412 | | /* ensure there are always at least MP_PREC digits extra on top */ |
413 | 8.96M | size += (MP_PREC * 2) - (size % MP_PREC); |
414 | | |
415 | | /* reallocate the array a->dp |
416 | | * |
417 | | * We store the return in a temporary variable |
418 | | * in case the operation failed we don't want |
419 | | * to overwrite the dp member of a. |
420 | | */ |
421 | 8.96M | tmp = (mp_digit *)XREALLOC (a->dp, sizeof (mp_digit) * size, NULL, |
422 | 8.96M | DYNAMIC_TYPE_BIGINT); |
423 | 8.96M | if (tmp == NULL) { |
424 | | /* reallocation failed but "a" is still valid [can be freed] */ |
425 | 2.01k | return MP_MEM; |
426 | 2.01k | } |
427 | | |
428 | | /* reallocation succeeded so set a->dp */ |
429 | 8.96M | a->dp = tmp; |
430 | | |
431 | | /* zero excess digits */ |
432 | 8.96M | XMEMSET(&a->dp[a->alloc], 0, sizeof (mp_digit) * (size - a->alloc)); |
433 | 8.96M | a->alloc = size; |
434 | 8.96M | } |
435 | 186k | else if (a->dp == NULL) { |
436 | | /* opportunistic sanity check for null a->dp with nonzero a->alloc */ |
437 | 0 | return MP_VAL; |
438 | 0 | } |
439 | 9.14M | return MP_OKAY; |
440 | 9.14M | } |
441 | | |
442 | | |
443 | | /* shift right by a certain bit count (store quotient in c, optional |
444 | | remainder in d) */ |
445 | | int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d) |
446 | 115M | { |
447 | 115M | int D, res; |
448 | 115M | mp_int t; |
449 | | |
450 | | |
451 | | /* if the shift count is <= 0 then we do no work */ |
452 | 115M | if (b <= 0) { |
453 | 416 | res = mp_copy (a, c); |
454 | 416 | if (d != NULL) { |
455 | 4 | mp_zero (d); |
456 | 4 | } |
457 | 416 | return res; |
458 | 416 | } |
459 | | |
460 | 115M | if ((res = mp_init (&t)) != MP_OKAY) { |
461 | 0 | return res; |
462 | 0 | } |
463 | | |
464 | | /* get the remainder */ |
465 | 115M | if (d != NULL) { |
466 | 1.51M | if ((res = mp_mod_2d (a, b, &t)) != MP_OKAY) { |
467 | 12 | mp_clear (&t); |
468 | 12 | return res; |
469 | 12 | } |
470 | 1.51M | } |
471 | | |
472 | | /* copy */ |
473 | 115M | if ((res = mp_copy (a, c)) != MP_OKAY) { |
474 | 10 | mp_clear (&t); |
475 | 10 | return res; |
476 | 10 | } |
477 | | |
478 | | /* shift by as many digits in the bit count */ |
479 | 115M | if (b >= (int)DIGIT_BIT) { |
480 | 679k | mp_rshd (c, b / DIGIT_BIT); |
481 | 679k | } |
482 | | |
483 | | /* shift any bit count < DIGIT_BIT */ |
484 | 115M | D = (b % DIGIT_BIT); |
485 | 115M | if (D != 0) { |
486 | 115M | mp_rshb(c, D); |
487 | 115M | } |
488 | 115M | mp_clamp (c); |
489 | 115M | if (d != NULL) { |
490 | 1.51M | mp_exch (&t, d); |
491 | 1.51M | } |
492 | 115M | mp_clear (&t); |
493 | 115M | return MP_OKAY; |
494 | 115M | } |
495 | | |
496 | | |
497 | | /* set to zero */ |
498 | | void mp_zero (mp_int * a) |
499 | 1.00M | { |
500 | 1.00M | int n; |
501 | 1.00M | mp_digit *tmp; |
502 | | |
503 | 1.00M | if (a == NULL) |
504 | 0 | return; |
505 | | |
506 | 1.00M | a->sign = MP_ZPOS; |
507 | 1.00M | a->used = 0; |
508 | | |
509 | 1.00M | tmp = a->dp; |
510 | 6.92M | for (n = 0; tmp != NULL && n < a->alloc; n++) { |
511 | 5.92M | *tmp++ = 0; |
512 | 5.92M | } |
513 | 1.00M | } |
514 | | |
515 | | |
516 | | /* trim unused digits |
517 | | * |
518 | | * This is used to ensure that leading zero digits are |
519 | | * trimmed and the leading "used" digit will be non-zero |
520 | | * Typically very fast. Also fixes the sign if there |
521 | | * are no more leading digits |
522 | | */ |
523 | | void mp_clamp (mp_int * a) |
524 | 383M | { |
525 | | /* decrease used while the most significant digit is |
526 | | * zero. |
527 | | */ |
528 | 498M | while (a->used > 0 && a->dp[a->used - 1] == 0) { |
529 | 115M | --(a->used); |
530 | 115M | } |
531 | | |
532 | | /* reset the sign flag if used == 0 */ |
533 | 383M | if (a->used == 0) { |
534 | 2.53M | a->sign = MP_ZPOS; |
535 | 2.53M | } |
536 | 383M | } |
537 | | |
538 | | |
539 | | /* swap the elements of two integers, for cases where you can't simply swap the |
540 | | * mp_int pointers around |
541 | | */ |
542 | | int mp_exch (mp_int * a, mp_int * b) |
543 | 6.01M | { |
544 | 6.01M | mp_int t; |
545 | | |
546 | 6.01M | t = *a; |
547 | 6.01M | *a = *b; |
548 | 6.01M | *b = t; |
549 | 6.01M | return MP_OKAY; |
550 | 6.01M | } |
551 | | |
552 | | int mp_cond_swap_ct_ex (mp_int * a, mp_int * b, int c, int m, mp_int * t) |
553 | 2.21M | { |
554 | 2.21M | (void)c; |
555 | 2.21M | (void)t; |
556 | 2.21M | if (m == 1) |
557 | 519k | mp_exch(a, b); |
558 | 2.21M | return MP_OKAY; |
559 | 2.21M | } |
560 | | |
561 | | int mp_cond_swap_ct (mp_int * a, mp_int * b, int c, int m) |
562 | 0 | { |
563 | 0 | (void)c; |
564 | 0 | if (m == 1) |
565 | 0 | mp_exch(a, b); |
566 | 0 | return MP_OKAY; |
567 | 0 | } |
568 | | |
569 | | |
570 | | /* shift right a certain number of bits */ |
571 | | void mp_rshb (mp_int *c, int x) |
572 | 115M | { |
573 | 115M | mp_digit *tmpc, mask, shift; |
574 | 115M | mp_digit r, rr; |
575 | 115M | mp_digit D = x; |
576 | | |
577 | | /* shifting by a negative number not supported, and shifting by |
578 | | * zero changes nothing. |
579 | | */ |
580 | 115M | if (x <= 0) return; |
581 | | |
582 | | /* shift digits first if needed */ |
583 | 115M | if (x >= DIGIT_BIT) { |
584 | 83 | mp_rshd(c, x / DIGIT_BIT); |
585 | | /* recalculate number of bits to shift */ |
586 | 83 | D = x % DIGIT_BIT; |
587 | | /* check if any more shifting needed */ |
588 | 83 | if (D == 0) return; |
589 | 83 | } |
590 | | |
591 | | /* zero shifted is always zero */ |
592 | 115M | if (mp_iszero(c)) return; |
593 | | |
594 | | /* mask */ |
595 | 115M | mask = (((mp_digit)1) << D) - 1; |
596 | | |
597 | | /* shift for lsb */ |
598 | 115M | shift = DIGIT_BIT - D; |
599 | | |
600 | | /* alias */ |
601 | 115M | tmpc = c->dp + (c->used - 1); |
602 | | |
603 | | /* carry */ |
604 | 115M | r = 0; |
605 | 1.10G | for (x = c->used - 1; x >= 0; x--) { |
606 | | /* get the lower bits of this word in a temp */ |
607 | 986M | rr = *tmpc & mask; |
608 | | |
609 | | /* shift the current word and mix in the carry bits from previous word */ |
610 | 986M | *tmpc = (*tmpc >> D) | (r << shift); |
611 | 986M | --tmpc; |
612 | | |
613 | | /* set the carry to the carry bits of the current word found above */ |
614 | 986M | r = rr; |
615 | 986M | } |
616 | 115M | mp_clamp(c); |
617 | 115M | } |
618 | | |
619 | | |
620 | | /* shift right a certain amount of digits */ |
621 | | void mp_rshd (mp_int * a, int b) |
622 | 1.19M | { |
623 | 1.19M | int x; |
624 | | |
625 | | /* if b <= 0 then ignore it */ |
626 | 1.19M | if (b <= 0) { |
627 | 1 | return; |
628 | 1 | } |
629 | | |
630 | | /* if b > used then simply zero it and return */ |
631 | 1.19M | if (a->used <= b) { |
632 | 56.0k | mp_zero (a); |
633 | 56.0k | return; |
634 | 56.0k | } |
635 | | |
636 | 1.13M | { |
637 | 1.13M | mp_digit *bottom, *top; |
638 | | |
639 | | /* shift the digits down */ |
640 | | |
641 | | /* bottom */ |
642 | 1.13M | bottom = a->dp; |
643 | | |
644 | | /* top [offset into digits] */ |
645 | 1.13M | top = a->dp + b; |
646 | | |
647 | | /* this is implemented as a sliding window where |
648 | | * the window is b-digits long and digits from |
649 | | * the top of the window are copied to the bottom |
650 | | * |
651 | | * e.g. |
652 | | |
653 | | b-2 | b-1 | b0 | b1 | b2 | ... | bb | ----> |
654 | | /\ | ----> |
655 | | \-------------------/ ----> |
656 | | */ |
657 | 40.1M | for (x = 0; x < (a->used - b); x++) { |
658 | 38.9M | *bottom++ = *top++; |
659 | 38.9M | } |
660 | | |
661 | | /* zero the top digits */ |
662 | 46.9M | for (; x < a->used; x++) { |
663 | 45.7M | *bottom++ = 0; |
664 | 45.7M | } |
665 | 1.13M | } |
666 | | |
667 | | /* remove excess digits */ |
668 | 1.13M | a->used -= b; |
669 | 1.13M | } |
670 | | |
671 | | |
672 | | /* calc a value mod 2**b */ |
673 | | int mp_mod_2d (mp_int * a, int b, mp_int * c) |
674 | 1.77M | { |
675 | 1.77M | int x, res, bmax; |
676 | | |
677 | | /* if b is <= 0 then zero the int */ |
678 | 1.77M | if (b <= 0) { |
679 | 3 | mp_zero (c); |
680 | 3 | return MP_OKAY; |
681 | 3 | } |
682 | | |
683 | | /* if the modulus is larger than the value than return */ |
684 | 1.77M | if (a->sign == MP_ZPOS && b >= (int) (a->used * DIGIT_BIT)) { |
685 | 68.3k | res = mp_copy (a, c); |
686 | 68.3k | return res; |
687 | 68.3k | } |
688 | | |
689 | | /* copy */ |
690 | 1.70M | if ((res = mp_copy (a, c)) != MP_OKAY) { |
691 | 8 | return res; |
692 | 8 | } |
693 | | |
694 | | /* calculate number of digits in mod value */ |
695 | 1.70M | bmax = (b / DIGIT_BIT) + ((b % DIGIT_BIT) == 0 ? 0 : 1); |
696 | | /* zero digits above the last digit of the modulus */ |
697 | 25.2M | for (x = bmax; x < c->used; x++) { |
698 | 23.5M | c->dp[x] = 0; |
699 | 23.5M | } |
700 | | |
701 | 1.70M | if (c->sign == MP_NEG) { |
702 | 0 | mp_digit carry = 0; |
703 | | |
704 | | /* grow result to size of modulus */ |
705 | 0 | if ((res = mp_grow(c, bmax)) != MP_OKAY) { |
706 | 0 | return res; |
707 | 0 | } |
708 | | /* negate value */ |
709 | 0 | for (x = 0; x < c->used; x++) { |
710 | 0 | mp_digit next = c->dp[x] > 0; |
711 | 0 | c->dp[x] = ((mp_digit)0 - c->dp[x] - carry) & MP_MASK; |
712 | 0 | carry |= next; |
713 | 0 | } |
714 | 0 | for (; x < bmax; x++) { |
715 | 0 | c->dp[x] = ((mp_digit)0 - carry) & MP_MASK; |
716 | 0 | } |
717 | 0 | c->used = bmax; |
718 | 0 | c->sign = MP_ZPOS; |
719 | 0 | } |
720 | | |
721 | | /* clear the digit that is not completely outside/inside the modulus */ |
722 | 1.70M | x = DIGIT_BIT - (b % DIGIT_BIT); |
723 | 1.70M | if (x != DIGIT_BIT) { |
724 | 1.38M | c->dp[bmax - 1] &= |
725 | 1.38M | ((mp_digit)~((mp_digit)0)) >> (x + ((sizeof(mp_digit)*8) - DIGIT_BIT)); |
726 | 1.38M | } |
727 | 1.70M | mp_clamp (c); |
728 | 1.70M | return MP_OKAY; |
729 | 1.70M | } |
730 | | |
731 | | |
732 | | /* reads a unsigned char array, assumes the msb is stored first [big endian] */ |
733 | | int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c) |
734 | 37.6k | { |
735 | 37.6k | int res; |
736 | 37.6k | int digits_needed; |
737 | | |
738 | 21.1M | while (c > 0 && b[0] == 0) { |
739 | 21.1M | c--; |
740 | 21.1M | b++; |
741 | 21.1M | } |
742 | | |
743 | 37.6k | digits_needed = ((c * CHAR_BIT) + DIGIT_BIT - 1) / DIGIT_BIT; |
744 | | |
745 | | /* make sure there are enough digits available */ |
746 | 37.6k | if (a->alloc < digits_needed) { |
747 | 9.09k | if ((res = mp_grow(a, digits_needed)) != MP_OKAY) { |
748 | 120 | return res; |
749 | 120 | } |
750 | 9.09k | } |
751 | | |
752 | | /* zero the int */ |
753 | 37.4k | mp_zero (a); |
754 | | |
755 | | /* read the bytes in */ |
756 | 886k | while (c-- > 0) { |
757 | 849k | if ((res = mp_mul_2d (a, 8, a)) != MP_OKAY) { |
758 | 4 | return res; |
759 | 4 | } |
760 | | |
761 | 849k | #ifndef MP_8BIT |
762 | 849k | a->dp[0] |= *b++; |
763 | 849k | if (a->used == 0) |
764 | 36.5k | a->used = 1; |
765 | | #else |
766 | | a->dp[0] = (*b & MP_MASK); |
767 | | a->dp[1] |= ((*b++ >> 7U) & 1); |
768 | | if (a->used == 0) |
769 | | a->used = 2; |
770 | | #endif |
771 | 849k | } |
772 | 37.4k | mp_clamp (a); |
773 | 37.4k | return MP_OKAY; |
774 | 37.4k | } |
775 | | |
776 | | |
777 | | /* shift left by a certain bit count */ |
778 | | int mp_mul_2d (mp_int * a, int b, mp_int * c) |
779 | 1.71M | { |
780 | 1.71M | mp_digit d; |
781 | 1.71M | int res; |
782 | | |
783 | | /* copy */ |
784 | 1.71M | if (a != c) { |
785 | 411 | if ((res = mp_copy (a, c)) != MP_OKAY) { |
786 | 1 | return res; |
787 | 1 | } |
788 | 411 | } |
789 | | |
790 | 1.71M | if (c->alloc < (int)(c->used + b/DIGIT_BIT + 1)) { |
791 | 299k | if ((res = mp_grow (c, c->used + b / DIGIT_BIT + 1)) != MP_OKAY) { |
792 | 54 | return res; |
793 | 54 | } |
794 | 299k | } |
795 | | |
796 | | /* shift by as many digits in the bit count */ |
797 | 1.71M | if (b >= (int)DIGIT_BIT) { |
798 | 520k | if ((res = mp_lshd (c, b / DIGIT_BIT)) != MP_OKAY) { |
799 | 0 | return res; |
800 | 0 | } |
801 | 520k | } |
802 | | |
803 | | /* shift any bit count < DIGIT_BIT */ |
804 | 1.71M | d = (mp_digit) (b % DIGIT_BIT); |
805 | 1.71M | if (d != 0) { |
806 | 1.43M | mp_digit *tmpc, shift, mask, r, rr; |
807 | 1.43M | int x; |
808 | | |
809 | | /* bitmask for carries */ |
810 | 1.43M | mask = (((mp_digit)1) << d) - 1; |
811 | | |
812 | | /* shift for msbs */ |
813 | 1.43M | shift = DIGIT_BIT - d; |
814 | | |
815 | | /* alias */ |
816 | 1.43M | tmpc = c->dp; |
817 | | |
818 | | /* carry */ |
819 | 1.43M | r = 0; |
820 | 11.9M | for (x = 0; x < c->used; x++) { |
821 | | /* get the higher bits of the current word */ |
822 | 10.4M | rr = (*tmpc >> shift) & mask; |
823 | | |
824 | | /* shift the current word and OR in the carry */ |
825 | 10.4M | *tmpc = (mp_digit)(((*tmpc << d) | r) & MP_MASK); |
826 | 10.4M | ++tmpc; |
827 | | |
828 | | /* set the carry to the carry bits of the current word */ |
829 | 10.4M | r = rr; |
830 | 10.4M | } |
831 | | |
832 | | /* set final carry */ |
833 | 1.43M | if (r != 0) { |
834 | 258k | c->dp[(c->used)++] = r; |
835 | 258k | } |
836 | 1.43M | } |
837 | 1.71M | mp_clamp (c); |
838 | 1.71M | return MP_OKAY; |
839 | 1.71M | } |
840 | | |
841 | | |
842 | | /* shift left a certain amount of digits */ |
843 | | int mp_lshd (mp_int * a, int b) |
844 | 521k | { |
845 | 521k | int x, res; |
846 | | |
847 | | /* if its less than zero return */ |
848 | 521k | if (b <= 0) { |
849 | 0 | return MP_OKAY; |
850 | 0 | } |
851 | | |
852 | | /* grow to fit the new digits */ |
853 | 521k | if (a->alloc < a->used + b) { |
854 | 0 | if ((res = mp_grow (a, a->used + b)) != MP_OKAY) { |
855 | 0 | return res; |
856 | 0 | } |
857 | 0 | } |
858 | | |
859 | 521k | { |
860 | 521k | mp_digit *top, *bottom; |
861 | | |
862 | | /* increment the used by the shift amount then copy upwards */ |
863 | 521k | a->used += b; |
864 | | |
865 | | /* top */ |
866 | 521k | top = a->dp + a->used - 1; |
867 | | |
868 | | /* base */ |
869 | 521k | bottom = a->dp + a->used - 1 - b; |
870 | | |
871 | | /* much like mp_rshd this is implemented using a sliding window |
872 | | * except the window goes the other way around. Copying from |
873 | | * the bottom to the top. see bn_mp_rshd.c for more info. |
874 | | */ |
875 | 1.97M | for (x = a->used - 1; x >= b; x--) { |
876 | 1.45M | *top-- = *bottom--; |
877 | 1.45M | } |
878 | | |
879 | | /* zero the lower digits */ |
880 | 521k | top = a->dp; |
881 | 2.11M | for (x = 0; x < b; x++) { |
882 | 1.59M | *top++ = 0; |
883 | 1.59M | } |
884 | 521k | } |
885 | 521k | return MP_OKAY; |
886 | 521k | } |
887 | | |
888 | | |
889 | | /* this is a shell function that calls either the normal or Montgomery |
890 | | * exptmod functions. Originally the call to the montgomery code was |
891 | | * embedded in the normal function but that wasted a lot of stack space |
892 | | * for nothing (since 99% of the time the Montgomery code would be called) |
893 | | */ |
894 | | #if defined(FREESCALE_LTC_TFM) |
895 | | int wolfcrypt_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y) |
896 | | #else |
897 | | int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y) /* //NOLINT(misc-no-recursion) */ |
898 | | #endif |
899 | 80.2k | { |
900 | 80.2k | int dr; |
901 | | |
902 | | /* modulus P must be positive */ |
903 | 80.2k | if (mp_iszero(P) || P->sign == MP_NEG) { |
904 | 82 | return MP_VAL; |
905 | 82 | } |
906 | 80.1k | if (mp_isone(P)) { |
907 | 40 | return mp_set(Y, 0); |
908 | 40 | } |
909 | 80.1k | if (mp_iszero(X)) { |
910 | 689 | return mp_set(Y, 1); |
911 | 689 | } |
912 | 79.4k | if (mp_iszero(G)) { |
913 | 43 | return mp_set(Y, 0); |
914 | 43 | } |
915 | | |
916 | | /* if exponent X is negative we have to recurse */ |
917 | 79.4k | if (X->sign == MP_NEG) { |
918 | 73 | #ifdef BN_MP_INVMOD_C |
919 | 73 | mp_int tmpG, tmpX; |
920 | 73 | int err; |
921 | | |
922 | | /* first compute 1/G mod P */ |
923 | 73 | if ((err = mp_init(&tmpG)) != MP_OKAY) { |
924 | 0 | return err; |
925 | 0 | } |
926 | 73 | if ((err = mp_invmod(G, P, &tmpG)) != MP_OKAY) { |
927 | 19 | mp_clear(&tmpG); |
928 | 19 | return err; |
929 | 19 | } |
930 | | |
931 | | /* now get |X| */ |
932 | 54 | if ((err = mp_init(&tmpX)) != MP_OKAY) { |
933 | 0 | mp_clear(&tmpG); |
934 | 0 | return err; |
935 | 0 | } |
936 | 54 | if ((err = mp_abs(X, &tmpX)) != MP_OKAY) { |
937 | 1 | mp_clear(&tmpG); |
938 | 1 | mp_clear(&tmpX); |
939 | 1 | return err; |
940 | 1 | } |
941 | | |
942 | | /* and now compute (1/G)**|X| instead of G**X [X < 0] */ |
943 | 53 | err = mp_exptmod(&tmpG, &tmpX, P, Y); |
944 | 53 | mp_clear(&tmpG); |
945 | 53 | mp_clear(&tmpX); |
946 | 53 | return err; |
947 | | #else |
948 | | /* no invmod */ |
949 | | return MP_VAL; |
950 | | #endif |
951 | 54 | } |
952 | | |
953 | 79.3k | #ifdef BN_MP_EXPTMOD_BASE_2 |
954 | 79.3k | if (G->used == 1 && G->dp[0] == 2 && mp_isodd(P) == MP_YES) { |
955 | 735 | return mp_exptmod_base_2(X, P, Y); |
956 | 735 | } |
957 | 78.6k | #endif |
958 | | |
959 | | /* modified diminished radix reduction */ |
960 | 78.6k | #if defined(BN_MP_REDUCE_IS_2K_L_C) && defined(BN_MP_REDUCE_2K_L_C) && \ |
961 | 78.6k | defined(BN_S_MP_EXPTMOD_C) |
962 | 78.6k | if (mp_reduce_is_2k_l(P) == MP_YES) { |
963 | 4.93k | return s_mp_exptmod(G, X, P, Y, 1); |
964 | 4.93k | } |
965 | 73.6k | #endif |
966 | | |
967 | 73.6k | #ifdef BN_MP_DR_IS_MODULUS_C |
968 | | /* is it a DR modulus? */ |
969 | 73.6k | dr = mp_dr_is_modulus(P); |
970 | | #else |
971 | | /* default to no */ |
972 | | dr = 0; |
973 | | #endif |
974 | | |
975 | 73.6k | (void)dr; |
976 | | |
977 | 73.6k | #ifdef BN_MP_REDUCE_IS_2K_C |
978 | | /* if not, is it a unrestricted DR modulus? */ |
979 | 73.6k | if (dr == 0) { |
980 | 73.6k | dr = mp_reduce_is_2k(P) << 1; |
981 | 73.6k | } |
982 | 73.6k | #endif |
983 | | |
984 | | /* if the modulus is odd use the montgomery method, or use other known */ |
985 | 73.6k | #ifdef BN_MP_EXPTMOD_FAST_C |
986 | 73.6k | if (mp_isodd (P) == MP_YES || dr != 0) { |
987 | 73.3k | return mp_exptmod_fast (G, X, P, Y, dr); |
988 | 73.3k | } else { |
989 | 346 | #endif |
990 | 346 | #ifdef BN_S_MP_EXPTMOD_C |
991 | | /* otherwise use the generic Barrett reduction technique */ |
992 | 346 | return s_mp_exptmod (G, X, P, Y, 0); |
993 | | #else |
994 | | /* no exptmod for evens */ |
995 | | return MP_VAL; |
996 | | #endif |
997 | 346 | #ifdef BN_MP_EXPTMOD_FAST_C |
998 | 346 | } |
999 | 73.6k | #endif |
1000 | 73.6k | } |
1001 | | |
1002 | | int mp_exptmod_ex (mp_int * G, mp_int * X, int digits, mp_int * P, mp_int * Y) |
1003 | 59 | { |
1004 | 59 | (void)digits; |
1005 | 59 | return mp_exptmod(G, X, P, Y); |
1006 | 59 | } |
1007 | | |
1008 | | /* b = |a| |
1009 | | * |
1010 | | * Simple function copies the input and fixes the sign to positive |
1011 | | */ |
1012 | | int mp_abs (mp_int * a, mp_int * b) |
1013 | 847k | { |
1014 | 847k | int res; |
1015 | | |
1016 | | /* copy a to b */ |
1017 | 847k | if (a != b) { |
1018 | 847k | if ((res = mp_copy (a, b)) != MP_OKAY) { |
1019 | 113 | return res; |
1020 | 113 | } |
1021 | 847k | } |
1022 | | |
1023 | | /* force the sign of b to positive */ |
1024 | 847k | b->sign = MP_ZPOS; |
1025 | | |
1026 | 847k | return MP_OKAY; |
1027 | 847k | } |
1028 | | |
1029 | | |
1030 | | /* hac 14.61, pp608 */ |
1031 | | #if defined(FREESCALE_LTC_TFM) |
1032 | | int wolfcrypt_mp_invmod(mp_int * a, mp_int * b, mp_int * c) |
1033 | | #else |
1034 | | int mp_invmod (mp_int * a, mp_int * b, mp_int * c) |
1035 | | #endif |
1036 | 5.04k | { |
1037 | | /* b cannot be negative or zero, and can not divide by 0 (1/a mod b) */ |
1038 | 5.04k | if (b->sign == MP_NEG || mp_iszero(b) == MP_YES || mp_iszero(a) == MP_YES) { |
1039 | 34 | return MP_VAL; |
1040 | 34 | } |
1041 | | |
1042 | 5.00k | #ifdef BN_FAST_MP_INVMOD_C |
1043 | | /* if the modulus is odd we can use a faster routine instead */ |
1044 | 5.00k | if ((mp_isodd(b) == MP_YES) && (mp_cmp_d(b, 1) != MP_EQ)) { |
1045 | 4.78k | return fast_mp_invmod (a, b, c); |
1046 | 4.78k | } |
1047 | 222 | #endif |
1048 | | |
1049 | 222 | #ifdef BN_MP_INVMOD_SLOW_C |
1050 | 222 | return mp_invmod_slow(a, b, c); |
1051 | | #else |
1052 | | return MP_VAL; |
1053 | | #endif |
1054 | 5.00k | } |
1055 | | |
1056 | | |
1057 | | /* computes the modular inverse via binary extended euclidean algorithm, |
1058 | | * that is c = 1/a mod b |
1059 | | * |
1060 | | * Based on slow invmod except this is optimized for the case where b is |
1061 | | * odd as per HAC Note 14.64 on pp. 610 |
1062 | | */ |
1063 | | int fast_mp_invmod (mp_int * a, mp_int * b, mp_int * c) |
1064 | 4.78k | { |
1065 | 4.78k | mp_int x, y, u, v, B, D; |
1066 | 4.78k | int res, loop_check = 0; |
1067 | | |
1068 | | /* 2. [modified] b must be odd */ |
1069 | 4.78k | if (mp_iseven (b) == MP_YES) { |
1070 | 0 | return MP_VAL; |
1071 | 0 | } |
1072 | | |
1073 | | /* init all our temps */ |
1074 | 4.78k | if ((res = mp_init_multi(&x, &y, &u, &v, &B, &D)) != MP_OKAY) { |
1075 | 0 | return res; |
1076 | 0 | } |
1077 | | |
1078 | | /* x == modulus, y == value to invert */ |
1079 | 4.78k | if ((res = mp_copy (b, &x)) != MP_OKAY) { |
1080 | 7 | goto LBL_ERR; |
1081 | 7 | } |
1082 | | |
1083 | | /* we need y = |a| */ |
1084 | 4.77k | if ((res = mp_mod (a, b, &y)) != MP_OKAY) { |
1085 | 3 | goto LBL_ERR; |
1086 | 3 | } |
1087 | | |
1088 | 4.77k | if (mp_iszero (&y) == MP_YES) { |
1089 | | /* invmod doesn't exist for this a and b */ |
1090 | 7 | res = MP_VAL; |
1091 | 7 | goto LBL_ERR; |
1092 | 7 | } |
1093 | | |
1094 | | /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */ |
1095 | 4.76k | if ((res = mp_copy (&x, &u)) != MP_OKAY) { |
1096 | 3 | goto LBL_ERR; |
1097 | 3 | } |
1098 | 4.76k | if ((res = mp_copy (&y, &v)) != MP_OKAY) { |
1099 | 3 | goto LBL_ERR; |
1100 | 3 | } |
1101 | 4.76k | if ((res = mp_set (&D, 1)) != MP_OKAY) { |
1102 | 4 | goto LBL_ERR; |
1103 | 4 | } |
1104 | | |
1105 | 868k | top: |
1106 | | /* 4. while u is even do */ |
1107 | 1.83M | while (mp_iseven (&u) == MP_YES) { |
1108 | | /* 4.1 u = u/2 */ |
1109 | 966k | if ((res = mp_div_2 (&u, &u)) != MP_OKAY) { |
1110 | 0 | goto LBL_ERR; |
1111 | 0 | } |
1112 | | /* 4.2 if B is odd then */ |
1113 | 966k | if (mp_isodd (&B) == MP_YES) { |
1114 | 569k | if ((res = mp_sub (&B, &x, &B)) != MP_OKAY) { |
1115 | 3 | goto LBL_ERR; |
1116 | 3 | } |
1117 | 569k | } |
1118 | | /* B = B/2 */ |
1119 | 966k | if ((res = mp_div_2 (&B, &B)) != MP_OKAY) { |
1120 | 0 | goto LBL_ERR; |
1121 | 0 | } |
1122 | 966k | } |
1123 | | |
1124 | | /* 5. while v is even do */ |
1125 | 1.62M | while (mp_iseven (&v) == MP_YES) { |
1126 | | /* 5.1 v = v/2 */ |
1127 | 761k | if ((res = mp_div_2 (&v, &v)) != MP_OKAY) { |
1128 | 0 | goto LBL_ERR; |
1129 | 0 | } |
1130 | | /* 5.2 if D is odd then */ |
1131 | 761k | if (mp_isodd (&D) == MP_YES) { |
1132 | | /* D = (D-x)/2 */ |
1133 | 452k | if ((res = mp_sub (&D, &x, &D)) != MP_OKAY) { |
1134 | 3 | goto LBL_ERR; |
1135 | 3 | } |
1136 | 452k | } |
1137 | | /* D = D/2 */ |
1138 | 761k | if ((res = mp_div_2 (&D, &D)) != MP_OKAY) { |
1139 | 0 | goto LBL_ERR; |
1140 | 0 | } |
1141 | 761k | } |
1142 | | |
1143 | | /* 6. if u >= v then */ |
1144 | 868k | if (mp_cmp (&u, &v) != MP_LT) { |
1145 | | /* u = u - v, B = B - D */ |
1146 | 541k | if ((res = mp_sub (&u, &v, &u)) != MP_OKAY) { |
1147 | 0 | goto LBL_ERR; |
1148 | 0 | } |
1149 | | |
1150 | 541k | if ((res = mp_sub (&B, &D, &B)) != MP_OKAY) { |
1151 | 3 | goto LBL_ERR; |
1152 | 3 | } |
1153 | 541k | } else { |
1154 | | /* v - v - u, D = D - B */ |
1155 | 326k | if ((res = mp_sub (&v, &u, &v)) != MP_OKAY) { |
1156 | 0 | goto LBL_ERR; |
1157 | 0 | } |
1158 | | |
1159 | 326k | if ((res = mp_sub (&D, &B, &D)) != MP_OKAY) { |
1160 | 3 | goto LBL_ERR; |
1161 | 3 | } |
1162 | 326k | } |
1163 | | |
1164 | | /* if not zero goto step 4 */ |
1165 | 868k | if (mp_iszero (&u) == MP_NO) { |
1166 | 863k | if (++loop_check > MAX_INVMOD_SZ) { |
1167 | 7 | res = MP_VAL; |
1168 | 7 | goto LBL_ERR; |
1169 | 7 | } |
1170 | 863k | goto top; |
1171 | 863k | } |
1172 | | |
1173 | | /* now a = C, b = D, gcd == g*v */ |
1174 | | |
1175 | | /* if v != 1 then there is no inverse */ |
1176 | 4.73k | if (mp_cmp_d (&v, 1) != MP_EQ) { |
1177 | 18 | res = MP_VAL; |
1178 | 18 | goto LBL_ERR; |
1179 | 18 | } |
1180 | | |
1181 | | /* b is now the inverse */ |
1182 | 8.14k | while (D.sign == MP_NEG) { |
1183 | 3.42k | if ((res = mp_add (&D, b, &D)) != MP_OKAY) { |
1184 | 0 | goto LBL_ERR; |
1185 | 0 | } |
1186 | 3.42k | } |
1187 | | /* too big */ |
1188 | 4.73k | while (mp_cmp_mag(&D, b) != MP_LT) { |
1189 | 13 | if ((res = mp_sub(&D, b, &D)) != MP_OKAY) { |
1190 | 0 | goto LBL_ERR; |
1191 | 0 | } |
1192 | 13 | } |
1193 | 4.72k | mp_exch (&D, c); |
1194 | 4.72k | res = MP_OKAY; |
1195 | | |
1196 | 4.78k | LBL_ERR:mp_clear(&x); |
1197 | 4.78k | mp_clear(&y); |
1198 | 4.78k | mp_clear(&u); |
1199 | 4.78k | mp_clear(&v); |
1200 | 4.78k | mp_clear(&B); |
1201 | 4.78k | mp_clear(&D); |
1202 | 4.78k | return res; |
1203 | 4.72k | } |
1204 | | |
1205 | | |
1206 | | /* hac 14.61, pp608 */ |
1207 | | int mp_invmod_slow (mp_int * a, mp_int * b, mp_int * c) |
1208 | 222 | { |
1209 | 222 | mp_int x, y, u, v, A, B, C, D; |
1210 | 222 | int res; |
1211 | | |
1212 | | /* b cannot be negative */ |
1213 | 222 | if (b->sign == MP_NEG || mp_iszero(b) == MP_YES) { |
1214 | 0 | return MP_VAL; |
1215 | 0 | } |
1216 | | |
1217 | | /* init temps */ |
1218 | 222 | if ((res = mp_init_multi(&x, &y, &u, &v, |
1219 | 222 | &A, &B)) != MP_OKAY) { |
1220 | 0 | return res; |
1221 | 0 | } |
1222 | | |
1223 | | /* init rest of tmps temps */ |
1224 | 222 | if ((res = mp_init_multi(&C, &D, 0, 0, 0, 0)) != MP_OKAY) { |
1225 | 0 | mp_clear(&x); |
1226 | 0 | mp_clear(&y); |
1227 | 0 | mp_clear(&u); |
1228 | 0 | mp_clear(&v); |
1229 | 0 | mp_clear(&A); |
1230 | 0 | mp_clear(&B); |
1231 | 0 | return res; |
1232 | 0 | } |
1233 | | |
1234 | | /* x = a, y = b */ |
1235 | 222 | if ((res = mp_mod(a, b, &x)) != MP_OKAY) { |
1236 | 4 | goto LBL_ERR; |
1237 | 4 | } |
1238 | | |
1239 | 218 | if (mp_iszero (&x) == MP_YES) { |
1240 | | /* invmod doesn't exist for this a and b */ |
1241 | 10 | res = MP_VAL; |
1242 | 10 | goto LBL_ERR; |
1243 | 10 | } |
1244 | | |
1245 | 208 | if (mp_isone(&x)) { |
1246 | 13 | res = mp_set(c, 1); |
1247 | 13 | goto LBL_ERR; |
1248 | 13 | } |
1249 | 195 | if ((res = mp_copy (b, &y)) != MP_OKAY) { |
1250 | 3 | goto LBL_ERR; |
1251 | 3 | } |
1252 | | |
1253 | | /* 2. [modified] if x,y are both even then return an error! */ |
1254 | 192 | if (mp_iseven (&x) == MP_YES && mp_iseven (&y) == MP_YES) { |
1255 | 16 | res = MP_VAL; |
1256 | 16 | goto LBL_ERR; |
1257 | 16 | } |
1258 | | |
1259 | | /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */ |
1260 | 176 | if ((res = mp_copy (&x, &u)) != MP_OKAY) { |
1261 | 1 | goto LBL_ERR; |
1262 | 1 | } |
1263 | 175 | if ((res = mp_copy (&y, &v)) != MP_OKAY) { |
1264 | 1 | goto LBL_ERR; |
1265 | 1 | } |
1266 | 174 | if ((res = mp_set (&A, 1)) != MP_OKAY) { |
1267 | 1 | goto LBL_ERR; |
1268 | 1 | } |
1269 | 173 | if ((res = mp_set (&D, 1)) != MP_OKAY) { |
1270 | 1 | goto LBL_ERR; |
1271 | 1 | } |
1272 | | |
1273 | 110k | top: |
1274 | | /* 4. while u is even do */ |
1275 | 194k | while (mp_iseven (&u) == MP_YES) { |
1276 | | /* 4.1 u = u/2 */ |
1277 | 83.2k | if ((res = mp_div_2 (&u, &u)) != MP_OKAY) { |
1278 | 0 | goto LBL_ERR; |
1279 | 0 | } |
1280 | | /* 4.2 if A or B is odd then */ |
1281 | 83.2k | if (mp_isodd (&A) == MP_YES || mp_isodd (&B) == MP_YES) { |
1282 | | /* A = (A+y)/2, B = (B-x)/2 */ |
1283 | 41.6k | if ((res = mp_add (&A, &y, &A)) != MP_OKAY) { |
1284 | 1 | goto LBL_ERR; |
1285 | 1 | } |
1286 | 41.6k | if ((res = mp_sub (&B, &x, &B)) != MP_OKAY) { |
1287 | 0 | goto LBL_ERR; |
1288 | 0 | } |
1289 | 41.6k | } |
1290 | | /* A = A/2, B = B/2 */ |
1291 | 83.2k | if ((res = mp_div_2 (&A, &A)) != MP_OKAY) { |
1292 | 0 | goto LBL_ERR; |
1293 | 0 | } |
1294 | 83.2k | if ((res = mp_div_2 (&B, &B)) != MP_OKAY) { |
1295 | 0 | goto LBL_ERR; |
1296 | 0 | } |
1297 | 83.2k | } |
1298 | | |
1299 | | /* 5. while v is even do */ |
1300 | 260k | while (mp_iseven (&v) == MP_YES) { |
1301 | | /* 5.1 v = v/2 */ |
1302 | 149k | if ((res = mp_div_2 (&v, &v)) != MP_OKAY) { |
1303 | 0 | goto LBL_ERR; |
1304 | 0 | } |
1305 | | /* 5.2 if C or D is odd then */ |
1306 | 149k | if (mp_isodd (&C) == MP_YES || mp_isodd (&D) == MP_YES) { |
1307 | | /* C = (C+y)/2, D = (D-x)/2 */ |
1308 | 81.1k | if ((res = mp_add (&C, &y, &C)) != MP_OKAY) { |
1309 | 1 | goto LBL_ERR; |
1310 | 1 | } |
1311 | 81.1k | if ((res = mp_sub (&D, &x, &D)) != MP_OKAY) { |
1312 | 1 | goto LBL_ERR; |
1313 | 1 | } |
1314 | 81.1k | } |
1315 | | /* C = C/2, D = D/2 */ |
1316 | 149k | if ((res = mp_div_2 (&C, &C)) != MP_OKAY) { |
1317 | 0 | goto LBL_ERR; |
1318 | 0 | } |
1319 | 149k | if ((res = mp_div_2 (&D, &D)) != MP_OKAY) { |
1320 | 0 | goto LBL_ERR; |
1321 | 0 | } |
1322 | 149k | } |
1323 | | |
1324 | | /* 6. if u >= v then */ |
1325 | 110k | if (mp_cmp (&u, &v) != MP_LT) { |
1326 | | /* u = u - v, A = A - C, B = B - D */ |
1327 | 41.9k | if ((res = mp_sub (&u, &v, &u)) != MP_OKAY) { |
1328 | 0 | goto LBL_ERR; |
1329 | 0 | } |
1330 | | |
1331 | 41.9k | if ((res = mp_sub (&A, &C, &A)) != MP_OKAY) { |
1332 | 1 | goto LBL_ERR; |
1333 | 1 | } |
1334 | | |
1335 | 41.9k | if ((res = mp_sub (&B, &D, &B)) != MP_OKAY) { |
1336 | 1 | goto LBL_ERR; |
1337 | 1 | } |
1338 | 68.8k | } else { |
1339 | | /* v - v - u, C = C - A, D = D - B */ |
1340 | 68.8k | if ((res = mp_sub (&v, &u, &v)) != MP_OKAY) { |
1341 | 0 | goto LBL_ERR; |
1342 | 0 | } |
1343 | | |
1344 | 68.8k | if ((res = mp_sub (&C, &A, &C)) != MP_OKAY) { |
1345 | 0 | goto LBL_ERR; |
1346 | 0 | } |
1347 | | |
1348 | 68.8k | if ((res = mp_sub (&D, &B, &D)) != MP_OKAY) { |
1349 | 1 | goto LBL_ERR; |
1350 | 1 | } |
1351 | 68.8k | } |
1352 | | |
1353 | | /* if not zero goto step 4 */ |
1354 | 110k | if (mp_iszero (&u) == MP_NO) |
1355 | 110k | goto top; |
1356 | | |
1357 | | /* now a = C, b = D, gcd == g*v */ |
1358 | | |
1359 | | /* if v != 1 then there is no inverse */ |
1360 | 166 | if (mp_cmp_d (&v, 1) != MP_EQ) { |
1361 | 22 | res = MP_VAL; |
1362 | 22 | goto LBL_ERR; |
1363 | 22 | } |
1364 | | |
1365 | | /* if its too low */ |
1366 | 181 | while (mp_cmp_d(&C, 0) == MP_LT) { |
1367 | 37 | if ((res = mp_add(&C, b, &C)) != MP_OKAY) { |
1368 | 0 | goto LBL_ERR; |
1369 | 0 | } |
1370 | 37 | } |
1371 | | |
1372 | | /* too big */ |
1373 | 173 | while (mp_cmp_mag(&C, b) != MP_LT) { |
1374 | 29 | if ((res = mp_sub(&C, b, &C)) != MP_OKAY) { |
1375 | 0 | goto LBL_ERR; |
1376 | 0 | } |
1377 | 29 | } |
1378 | | |
1379 | | /* C is now the inverse */ |
1380 | 144 | mp_exch (&C, c); |
1381 | 144 | res = MP_OKAY; |
1382 | 222 | LBL_ERR:mp_clear(&x); |
1383 | 222 | mp_clear(&y); |
1384 | 222 | mp_clear(&u); |
1385 | 222 | mp_clear(&v); |
1386 | 222 | mp_clear(&A); |
1387 | 222 | mp_clear(&B); |
1388 | 222 | mp_clear(&C); |
1389 | 222 | mp_clear(&D); |
1390 | 222 | return res; |
1391 | 144 | } |
1392 | | |
1393 | | |
1394 | | /* compare magnitude of two ints (unsigned) */ |
1395 | | int mp_cmp_mag (mp_int * a, mp_int * b) |
1396 | 140M | { |
1397 | 140M | int n; |
1398 | 140M | mp_digit *tmpa, *tmpb; |
1399 | | |
1400 | | /* compare based on # of non-zero digits */ |
1401 | 140M | if (a->used > b->used) { |
1402 | 2.48M | return MP_GT; |
1403 | 2.48M | } |
1404 | | |
1405 | 137M | if (a->used < b->used) { |
1406 | 2.96M | return MP_LT; |
1407 | 2.96M | } |
1408 | | |
1409 | 134M | if (a->used == 0) |
1410 | 111k | return MP_EQ; |
1411 | | |
1412 | | /* alias for a */ |
1413 | 134M | tmpa = a->dp + (a->used - 1); |
1414 | | |
1415 | | /* alias for b */ |
1416 | 134M | tmpb = b->dp + (a->used - 1); |
1417 | | |
1418 | | /* compare based on digits */ |
1419 | 141M | for (n = 0; n < a->used; ++n, --tmpa, --tmpb) { |
1420 | 140M | if (*tmpa > *tmpb) { |
1421 | 74.5M | return MP_GT; |
1422 | 74.5M | } |
1423 | | |
1424 | 66.3M | if (*tmpa < *tmpb) { |
1425 | 59.8M | return MP_LT; |
1426 | 59.8M | } |
1427 | 66.3M | } |
1428 | 472k | return MP_EQ; |
1429 | 134M | } |
1430 | | |
1431 | | |
1432 | | /* compare two ints (signed)*/ |
1433 | | int mp_cmp (mp_int * a, mp_int * b) |
1434 | 69.9M | { |
1435 | | /* compare based on sign */ |
1436 | 69.9M | if (a->sign != b->sign) { |
1437 | 308 | if (a->sign == MP_NEG) { |
1438 | 266 | return MP_LT; |
1439 | 266 | } else { |
1440 | 42 | return MP_GT; |
1441 | 42 | } |
1442 | 308 | } |
1443 | | |
1444 | | /* compare digits */ |
1445 | 69.9M | if (a->sign == MP_NEG) { |
1446 | | /* if negative compare opposite direction */ |
1447 | 598 | return mp_cmp_mag(b, a); |
1448 | 69.9M | } else { |
1449 | 69.9M | return mp_cmp_mag(a, b); |
1450 | 69.9M | } |
1451 | 69.9M | } |
1452 | | |
1453 | | |
1454 | | /* compare a digit */ |
1455 | | int mp_cmp_d(mp_int * a, mp_digit b) |
1456 | 2.47M | { |
1457 | | /* special case for zero*/ |
1458 | 2.47M | if (a->used == 0 && b == 0) |
1459 | 1.43k | return MP_EQ; |
1460 | | |
1461 | | /* compare based on sign */ |
1462 | 2.46M | if ((b && a->used == 0) || a->sign == MP_NEG) { |
1463 | 9.08k | return MP_LT; |
1464 | 9.08k | } |
1465 | | |
1466 | | /* compare based on magnitude */ |
1467 | 2.45M | if (a->used > 1) { |
1468 | 1.67M | return MP_GT; |
1469 | 1.67M | } |
1470 | | |
1471 | | /* compare the only digit of a to b */ |
1472 | 785k | if (a->dp[0] > b) { |
1473 | 297k | return MP_GT; |
1474 | 487k | } else if (a->dp[0] < b) { |
1475 | 3.21k | return MP_LT; |
1476 | 484k | } else { |
1477 | 484k | return MP_EQ; |
1478 | 484k | } |
1479 | 785k | } |
1480 | | |
1481 | | |
1482 | | /* set to a digit */ |
1483 | | int mp_set (mp_int * a, mp_digit b) |
1484 | 543k | { |
1485 | 543k | int res; |
1486 | 543k | mp_zero (a); |
1487 | 543k | res = mp_grow (a, 1); |
1488 | 543k | if (res == MP_OKAY) { |
1489 | 543k | a->dp[0] = (mp_digit)(b & MP_MASK); |
1490 | 543k | a->used = (a->dp[0] != 0) ? 1 : 0; |
1491 | 543k | } |
1492 | 543k | return res; |
1493 | 543k | } |
1494 | | |
1495 | | /* check if a bit is set */ |
1496 | | int mp_is_bit_set (mp_int *a, mp_digit b) |
1497 | 108 | { |
1498 | 108 | mp_digit i = b / DIGIT_BIT; /* word index */ |
1499 | 108 | mp_digit s = b % DIGIT_BIT; /* bit index */ |
1500 | | |
1501 | 108 | if ((mp_digit)a->used <= i) { |
1502 | | /* no words available at that bit count */ |
1503 | 95 | return 0; |
1504 | 95 | } |
1505 | | |
1506 | | /* get word and shift bit to check down to index 0 */ |
1507 | 13 | return (int)((a->dp[i] >> s) & (mp_digit)1); |
1508 | 108 | } |
1509 | | |
1510 | | /* c = a mod b, 0 <= c < b */ |
1511 | | #if defined(FREESCALE_LTC_TFM) |
1512 | | int wolfcrypt_mp_mod(mp_int * a, mp_int * b, mp_int * c) |
1513 | | #else |
1514 | | int mp_mod (mp_int * a, mp_int * b, mp_int * c) |
1515 | | #endif |
1516 | 1.08M | { |
1517 | 1.08M | mp_int t; |
1518 | 1.08M | int res; |
1519 | | |
1520 | 1.08M | if ((res = mp_init_size (&t, b->used)) != MP_OKAY) { |
1521 | 56 | return res; |
1522 | 56 | } |
1523 | | |
1524 | 1.08M | if ((res = mp_div (a, b, NULL, &t)) != MP_OKAY) { |
1525 | 240 | mp_clear (&t); |
1526 | 240 | return res; |
1527 | 240 | } |
1528 | | |
1529 | 1.08M | if ((mp_iszero(&t) != MP_NO) || (t.sign == b->sign)) { |
1530 | 1.08M | res = MP_OKAY; |
1531 | 1.08M | mp_exch (&t, c); |
1532 | 1.08M | } else { |
1533 | 1.26k | res = mp_add (b, &t, c); |
1534 | 1.26k | } |
1535 | | |
1536 | 1.08M | mp_clear (&t); |
1537 | 1.08M | return res; |
1538 | 1.08M | } |
1539 | | |
1540 | | |
1541 | | /* slower bit-bang division... also smaller */ |
1542 | | int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d) |
1543 | 1.08M | { |
1544 | 1.08M | mp_int ta, tb, tq, q; |
1545 | 1.08M | int res, n, n2; |
1546 | | |
1547 | | /* is divisor zero ? */ |
1548 | 1.08M | if (mp_iszero (b) == MP_YES) { |
1549 | 47 | return MP_VAL; |
1550 | 47 | } |
1551 | | |
1552 | | /* if a < b then q=0, r = a */ |
1553 | 1.08M | if (mp_cmp_mag (a, b) == MP_LT) { |
1554 | 658k | if (d != NULL) { |
1555 | 658k | res = mp_copy (a, d); |
1556 | 658k | } else { |
1557 | 13 | res = MP_OKAY; |
1558 | 13 | } |
1559 | 658k | if (c != NULL) { |
1560 | 15 | mp_zero (c); |
1561 | 15 | } |
1562 | 658k | return res; |
1563 | 658k | } |
1564 | | |
1565 | | /* init our temps */ |
1566 | 423k | if ((res = mp_init_multi(&ta, &tb, &tq, &q, 0, 0)) != MP_OKAY) { |
1567 | 0 | return res; |
1568 | 0 | } |
1569 | | |
1570 | 423k | if ((res = mp_set(&tq, 1)) != MP_OKAY) { |
1571 | 30 | return res; |
1572 | 30 | } |
1573 | 423k | n = mp_count_bits(a) - mp_count_bits(b); |
1574 | 423k | if (((res = mp_abs(a, &ta)) != MP_OKAY) || |
1575 | 423k | ((res = mp_abs(b, &tb)) != MP_OKAY) || |
1576 | 423k | ((res = mp_mul_2d(&tb, n, &tb)) != MP_OKAY) || |
1577 | 423k | ((res = mp_mul_2d(&tq, n, &tq)) != MP_OKAY)) { |
1578 | 157 | goto LBL_ERR; |
1579 | 157 | } |
1580 | | |
1581 | 57.2M | while (n-- >= 0) { |
1582 | 56.8M | if (mp_cmp(&tb, &ta) != MP_GT) { |
1583 | 28.5M | if (((res = mp_sub(&ta, &tb, &ta)) != MP_OKAY) || |
1584 | 28.5M | ((res = mp_add(&q, &tq, &q)) != MP_OKAY)) { |
1585 | 18 | goto LBL_ERR; |
1586 | 18 | } |
1587 | 28.5M | } |
1588 | 56.8M | if (((res = mp_div_2d(&tb, 1, &tb, NULL)) != MP_OKAY) || |
1589 | 56.8M | ((res = mp_div_2d(&tq, 1, &tq, NULL)) != MP_OKAY)) { |
1590 | 0 | goto LBL_ERR; |
1591 | 0 | } |
1592 | 56.8M | } |
1593 | | |
1594 | | /* now q == quotient and ta == remainder */ |
1595 | 423k | n = a->sign; |
1596 | 423k | n2 = (a->sign == b->sign ? MP_ZPOS : MP_NEG); |
1597 | 423k | if (c != NULL) { |
1598 | 614 | mp_exch(c, &q); |
1599 | 614 | c->sign = (mp_iszero(c) == MP_YES) ? MP_ZPOS : n2; |
1600 | 614 | } |
1601 | 423k | if (d != NULL) { |
1602 | 422k | mp_exch(d, &ta); |
1603 | 422k | d->sign = (mp_iszero(d) == MP_YES) ? MP_ZPOS : n; |
1604 | 422k | } |
1605 | 423k | LBL_ERR: |
1606 | 423k | mp_clear(&ta); |
1607 | 423k | mp_clear(&tb); |
1608 | 423k | mp_clear(&tq); |
1609 | 423k | mp_clear(&q); |
1610 | 423k | return res; |
1611 | 423k | } |
1612 | | |
1613 | | |
1614 | | /* b = a/2 */ |
1615 | | int mp_div_2(mp_int * a, mp_int * b) |
1616 | 5.59M | { |
1617 | 5.59M | int x, res, oldused; |
1618 | | |
1619 | | /* copy */ |
1620 | 5.59M | if (b->alloc < a->used) { |
1621 | 0 | if ((res = mp_grow (b, a->used)) != MP_OKAY) { |
1622 | 0 | return res; |
1623 | 0 | } |
1624 | 0 | } |
1625 | | |
1626 | 5.59M | oldused = b->used; |
1627 | 5.59M | b->used = a->used; |
1628 | 5.59M | { |
1629 | 5.59M | mp_digit r, rr, *tmpa, *tmpb; |
1630 | | |
1631 | | /* source alias */ |
1632 | 5.59M | tmpa = a->dp + b->used - 1; |
1633 | | |
1634 | | /* dest alias */ |
1635 | 5.59M | tmpb = b->dp + b->used - 1; |
1636 | | |
1637 | | /* carry */ |
1638 | 5.59M | r = 0; |
1639 | 91.3M | for (x = b->used - 1; x >= 0; x--) { |
1640 | | /* get the carry for the next iteration */ |
1641 | 85.7M | rr = *tmpa & 1; |
1642 | | |
1643 | | /* shift the current digit, add in carry and store */ |
1644 | 85.7M | *tmpb-- = (*tmpa-- >> 1) | (r << (DIGIT_BIT - 1)); |
1645 | | |
1646 | | /* forward carry to next iteration */ |
1647 | 85.7M | r = rr; |
1648 | 85.7M | } |
1649 | | |
1650 | | /* zero excess digits */ |
1651 | 5.59M | tmpb = b->dp + b->used; |
1652 | 5.59M | for (x = b->used; x < oldused; x++) { |
1653 | 6 | *tmpb++ = 0; |
1654 | 6 | } |
1655 | 5.59M | } |
1656 | 5.59M | b->sign = a->sign; |
1657 | 5.59M | mp_clamp (b); |
1658 | 5.59M | return MP_OKAY; |
1659 | 5.59M | } |
1660 | | |
1661 | | /* c = a / 2 (mod b) - constant time (a < b and positive) */ |
1662 | | int mp_div_2_mod_ct(mp_int *a, mp_int *b, mp_int *c) |
1663 | 1.43M | { |
1664 | 1.43M | int res; |
1665 | | |
1666 | 1.43M | if (mp_isodd(a)) { |
1667 | 704k | res = mp_add(a, b, c); |
1668 | 704k | if (res == MP_OKAY) { |
1669 | 704k | res = mp_div_2(c, c); |
1670 | 704k | } |
1671 | 704k | } |
1672 | 735k | else { |
1673 | 735k | res = mp_div_2(a, c); |
1674 | 735k | } |
1675 | | |
1676 | 1.43M | return res; |
1677 | 1.43M | } |
1678 | | |
1679 | | |
1680 | | /* high level addition (handles signs) */ |
1681 | | int mp_add (mp_int * a, mp_int * b, mp_int * c) |
1682 | 39.4M | { |
1683 | 39.4M | int sa, sb, res; |
1684 | | |
1685 | | /* get sign of both inputs */ |
1686 | 39.4M | sa = a->sign; |
1687 | 39.4M | sb = b->sign; |
1688 | | |
1689 | | /* handle two cases, not four */ |
1690 | 39.4M | if (sa == sb) { |
1691 | | /* both positive or both negative */ |
1692 | | /* add their magnitudes, copy the sign */ |
1693 | 35.7M | c->sign = sa; |
1694 | 35.7M | res = s_mp_add (a, b, c); |
1695 | 35.7M | } else { |
1696 | | /* one positive, the other negative */ |
1697 | | /* subtract the one with the greater magnitude from */ |
1698 | | /* the one of the lesser magnitude. The result gets */ |
1699 | | /* the sign of the one with the greater magnitude. */ |
1700 | 3.75M | if (mp_cmp_mag (a, b) == MP_LT) { |
1701 | 3.74M | c->sign = sb; |
1702 | 3.74M | res = s_mp_sub (b, a, c); |
1703 | 3.74M | } else { |
1704 | 11.6k | c->sign = sa; |
1705 | 11.6k | res = s_mp_sub (a, b, c); |
1706 | 11.6k | } |
1707 | 3.75M | } |
1708 | 39.4M | return res; |
1709 | 39.4M | } |
1710 | | |
1711 | | |
1712 | | /* low level addition, based on HAC pp.594, Algorithm 14.7 */ |
1713 | | int s_mp_add (mp_int * a, mp_int * b, mp_int * c) |
1714 | 38.4M | { |
1715 | 38.4M | mp_int *x; |
1716 | 38.4M | int olduse, res, min_ab, max_ab; |
1717 | | |
1718 | | /* find sizes, we let |a| <= |b| which means we have to sort |
1719 | | * them. "x" will point to the input with the most digits |
1720 | | */ |
1721 | 38.4M | if (a->used > b->used) { |
1722 | 24.2M | min_ab = b->used; |
1723 | 24.2M | max_ab = a->used; |
1724 | 24.2M | x = a; |
1725 | 24.2M | } else { |
1726 | 14.2M | min_ab = a->used; |
1727 | 14.2M | max_ab = b->used; |
1728 | 14.2M | x = b; |
1729 | 14.2M | } |
1730 | | |
1731 | | /* init result */ |
1732 | 38.4M | if (c->dp == NULL || c->alloc < max_ab + 1) { |
1733 | 431k | if ((res = mp_grow (c, max_ab + 1)) != MP_OKAY) { |
1734 | 43 | return res; |
1735 | 43 | } |
1736 | 431k | } |
1737 | | |
1738 | | /* get old used digit count and set new one */ |
1739 | 38.4M | olduse = c->used; |
1740 | 38.4M | c->used = max_ab + 1; |
1741 | | |
1742 | 38.4M | { |
1743 | 38.4M | mp_digit u, *tmpa, *tmpb, *tmpc; |
1744 | 38.4M | int i; |
1745 | | |
1746 | | /* alias for digit pointers */ |
1747 | | |
1748 | | /* first input */ |
1749 | 38.4M | tmpa = a->dp; |
1750 | | |
1751 | | /* second input */ |
1752 | 38.4M | tmpb = b->dp; |
1753 | | |
1754 | | /* destination */ |
1755 | 38.4M | tmpc = c->dp; |
1756 | | |
1757 | | /* sanity-check dp pointers. */ |
1758 | 38.4M | if ((min_ab > 0) && |
1759 | 37.7M | ((tmpa == NULL) || (tmpb == NULL) || (tmpc == NULL))) |
1760 | 0 | { |
1761 | 0 | return MP_VAL; |
1762 | 0 | } |
1763 | | |
1764 | | /* zero the carry */ |
1765 | 38.4M | u = 0; |
1766 | 265M | for (i = 0; i < min_ab; i++) { |
1767 | | /* Compute the sum at one digit, T[i] = A[i] + B[i] + U */ |
1768 | 227M | *tmpc = *tmpa++ + *tmpb++ + u; |
1769 | | |
1770 | | /* U = carry bit of T[i] */ |
1771 | 227M | u = *tmpc >> ((mp_digit)DIGIT_BIT); |
1772 | | |
1773 | | /* take away carry bit from T[i] */ |
1774 | 227M | *tmpc++ &= MP_MASK; |
1775 | 227M | } |
1776 | | |
1777 | | /* now copy higher words if any, that is in A+B |
1778 | | * if A or B has more digits add those in |
1779 | | */ |
1780 | 38.4M | if (min_ab != max_ab) { |
1781 | 167M | for (; i < max_ab; i++) { |
1782 | | /* T[i] = X[i] + U */ |
1783 | 142M | *tmpc = x->dp[i] + u; |
1784 | | |
1785 | | /* U = carry bit of T[i] */ |
1786 | 142M | u = *tmpc >> ((mp_digit)DIGIT_BIT); |
1787 | | |
1788 | | /* take away carry bit from T[i] */ |
1789 | 142M | *tmpc++ &= MP_MASK; |
1790 | 142M | } |
1791 | 25.2M | } |
1792 | | |
1793 | | /* add carry */ |
1794 | 38.4M | *tmpc++ = u; |
1795 | | |
1796 | | /* clear digits above olduse */ |
1797 | 38.6M | for (i = c->used; i < olduse; i++) { |
1798 | 150k | *tmpc++ = 0; |
1799 | 150k | } |
1800 | 38.4M | } |
1801 | | |
1802 | 0 | mp_clamp (c); |
1803 | 38.4M | return MP_OKAY; |
1804 | 38.4M | } |
1805 | | |
1806 | | |
1807 | | /* low level subtraction (assumes |a| > |b|), HAC pp.595 Algorithm 14.9 */ |
1808 | | int s_mp_sub (mp_int * a, mp_int * b, mp_int * c) |
1809 | 52.5M | { |
1810 | 52.5M | int olduse, res, min_b, max_a; |
1811 | | |
1812 | | /* find sizes */ |
1813 | 52.5M | min_b = b->used; |
1814 | 52.5M | max_a = a->used; |
1815 | | |
1816 | | /* init result */ |
1817 | 52.5M | if (c->alloc < max_a) { |
1818 | 1.45M | if ((res = mp_grow (c, max_a)) != MP_OKAY) { |
1819 | 22 | return res; |
1820 | 22 | } |
1821 | 1.45M | } |
1822 | | |
1823 | | /* sanity check on destination */ |
1824 | 52.5M | if (c->dp == NULL) |
1825 | 179 | return MP_VAL; |
1826 | | |
1827 | 52.5M | olduse = c->used; |
1828 | 52.5M | c->used = max_a; |
1829 | | |
1830 | 52.5M | { |
1831 | 52.5M | mp_digit u, *tmpa, *tmpb, *tmpc; |
1832 | 52.5M | int i; |
1833 | | |
1834 | | /* alias for digit pointers */ |
1835 | 52.5M | tmpa = a->dp; |
1836 | 52.5M | tmpb = b->dp; |
1837 | 52.5M | tmpc = c->dp; |
1838 | | |
1839 | | /* sanity-check dp pointers from a and b. */ |
1840 | 52.5M | if ((min_b > 0) && |
1841 | 52.2M | ((tmpa == NULL) || (tmpb == NULL))) |
1842 | 0 | { |
1843 | 0 | return MP_VAL; |
1844 | 0 | } |
1845 | | |
1846 | | /* set carry to zero */ |
1847 | 52.5M | u = 0; |
1848 | 1.05G | for (i = 0; i < min_b; i++) { |
1849 | | /* T[i] = A[i] - B[i] - U */ |
1850 | 1.00G | *tmpc = *tmpa++ - *tmpb++ - u; |
1851 | | |
1852 | | /* U = carry bit of T[i] |
1853 | | * Note this saves performing an AND operation since |
1854 | | * if a carry does occur it will propagate all the way to the |
1855 | | * MSB. As a result a single shift is enough to get the carry |
1856 | | */ |
1857 | 1.00G | u = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof (mp_digit) - 1)); |
1858 | | |
1859 | | /* Clear carry from T[i] */ |
1860 | 1.00G | *tmpc++ &= MP_MASK; |
1861 | 1.00G | } |
1862 | | |
1863 | | /* now copy higher words if any, e.g. if A has more digits than B */ |
1864 | 68.3M | for (; i < max_a; i++) { |
1865 | | /* T[i] = A[i] - U */ |
1866 | 15.8M | *tmpc = *tmpa++ - u; |
1867 | | |
1868 | | /* U = carry bit of T[i] */ |
1869 | 15.8M | u = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof (mp_digit) - 1)); |
1870 | | |
1871 | | /* Clear carry from T[i] */ |
1872 | 15.8M | *tmpc++ &= MP_MASK; |
1873 | 15.8M | } |
1874 | | |
1875 | | /* clear digits above used (since we may not have grown result above) */ |
1876 | 52.5M | for (i = c->used; i < olduse; i++) { |
1877 | 9.68k | *tmpc++ = 0; |
1878 | 9.68k | } |
1879 | 52.5M | } |
1880 | | |
1881 | 0 | mp_clamp (c); |
1882 | 52.5M | return MP_OKAY; |
1883 | 52.5M | } |
1884 | | |
1885 | | |
1886 | | /* high level subtraction (handles signs) */ |
1887 | | int mp_sub (mp_int * a, mp_int * b, mp_int * c) |
1888 | 44.1M | { |
1889 | 44.1M | int sa, sb, res; |
1890 | | |
1891 | 44.1M | sa = a->sign; |
1892 | 44.1M | sb = b->sign; |
1893 | | |
1894 | 44.1M | if (sa != sb) { |
1895 | | /* subtract a negative from a positive, OR */ |
1896 | | /* subtract a positive from a negative. */ |
1897 | | /* In either case, ADD their magnitudes, */ |
1898 | | /* and use the sign of the first number. */ |
1899 | 1.24M | c->sign = sa; |
1900 | 1.24M | res = s_mp_add (a, b, c); |
1901 | 42.9M | } else { |
1902 | | /* subtract a positive from a positive, OR */ |
1903 | | /* subtract a negative from a negative. */ |
1904 | | /* First, take the difference between their */ |
1905 | | /* magnitudes, then... */ |
1906 | 42.9M | if (mp_cmp_mag (a, b) != MP_LT) { |
1907 | | /* Copy the sign from the first */ |
1908 | 38.6M | c->sign = sa; |
1909 | | /* The first has a larger or equal magnitude */ |
1910 | 38.6M | res = s_mp_sub (a, b, c); |
1911 | 38.6M | } else { |
1912 | | /* The result has the *opposite* sign from */ |
1913 | | /* the first number. */ |
1914 | 4.29M | c->sign = (sa == MP_ZPOS) ? MP_NEG : MP_ZPOS; |
1915 | | /* The second has a larger magnitude */ |
1916 | 4.29M | res = s_mp_sub (b, a, c); |
1917 | 4.29M | } |
1918 | 42.9M | } |
1919 | 44.1M | return res; |
1920 | 44.1M | } |
1921 | | |
1922 | | |
1923 | | /* determines if reduce_2k_l can be used */ |
1924 | | int mp_reduce_is_2k_l(mp_int *a) |
1925 | 78.6k | { |
1926 | 78.6k | int ix, iy; |
1927 | | |
1928 | 78.6k | if (a->used == 0) { |
1929 | 0 | return MP_NO; |
1930 | 78.6k | } else if (a->used == 1) { |
1931 | 4.83k | return MP_YES; |
1932 | 73.7k | } else if (a->used > 1) { |
1933 | | /* if more than half of the digits are -1 we're sold */ |
1934 | 369k | for (iy = ix = 0; ix < a->used; ix++) { |
1935 | 295k | if (a->dp[ix] == MP_MASK) { |
1936 | 63.8k | ++iy; |
1937 | 63.8k | } |
1938 | 295k | } |
1939 | 73.7k | return (iy >= (a->used/2)) ? MP_YES : MP_NO; |
1940 | | |
1941 | 73.7k | } |
1942 | 0 | return MP_NO; |
1943 | 78.6k | } |
1944 | | |
1945 | | |
1946 | | /* determines if mp_reduce_2k can be used */ |
1947 | | int mp_reduce_is_2k(mp_int *a) |
1948 | 73.6k | { |
1949 | 73.6k | int ix, iy, iw; |
1950 | 73.6k | mp_digit iz; |
1951 | | |
1952 | 73.6k | if (a->used == 0) { |
1953 | 0 | return MP_NO; |
1954 | 73.6k | } else if (a->used == 1) { |
1955 | 0 | return MP_YES; |
1956 | 73.6k | } else if (a->used > 1) { |
1957 | 73.6k | iy = mp_count_bits(a); |
1958 | 73.6k | iz = 1; |
1959 | 73.6k | iw = 1; |
1960 | | |
1961 | | /* Test every bit from the second digit up, must be 1 */ |
1962 | 92.9k | for (ix = DIGIT_BIT; ix < iy; ix++) { |
1963 | 91.6k | if ((a->dp[iw] & iz) == 0) { |
1964 | 72.4k | return MP_NO; |
1965 | 72.4k | } |
1966 | 19.2k | iz <<= 1; |
1967 | 19.2k | if (iz > (mp_digit)MP_MASK) { |
1968 | 102 | ++iw; |
1969 | 102 | iz = 1; |
1970 | 102 | } |
1971 | 19.2k | } |
1972 | 73.6k | } |
1973 | 1.24k | return MP_YES; |
1974 | 73.6k | } |
1975 | | |
1976 | | |
1977 | | /* determines if a number is a valid DR modulus */ |
1978 | | int mp_dr_is_modulus(mp_int *a) |
1979 | 73.6k | { |
1980 | 73.6k | int ix; |
1981 | | |
1982 | | /* must be at least two digits */ |
1983 | 73.6k | if (a->used < 2) { |
1984 | 0 | return 0; |
1985 | 0 | } |
1986 | | |
1987 | | /* must be of the form b**k - a [a <= b] so all |
1988 | | * but the first digit must be equal to -1 (mod b). |
1989 | | */ |
1990 | 73.7k | for (ix = 1; ix < a->used; ix++) { |
1991 | 73.7k | if (a->dp[ix] != MP_MASK) { |
1992 | 73.6k | return 0; |
1993 | 73.6k | } |
1994 | 73.7k | } |
1995 | 0 | return 1; |
1996 | 73.6k | } |
1997 | | |
1998 | | /* computes Y == G**X mod P, HAC pp.616, Algorithm 14.85 |
1999 | | * |
2000 | | * Uses a left-to-right k-ary sliding window to compute the modular |
2001 | | * exponentiation. |
2002 | | * The value of k changes based on the size of the exponent. |
2003 | | * |
2004 | | * Uses Montgomery or Diminished Radix reduction [whichever appropriate] |
2005 | | */ |
2006 | | |
2007 | | #ifdef MP_LOW_MEM |
2008 | | #define TAB_SIZE 32 |
2009 | | #else |
2010 | | #define TAB_SIZE 256 |
2011 | | #endif |
2012 | | |
2013 | | int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, |
2014 | | int redmode) |
2015 | 73.3k | { |
2016 | 73.3k | mp_int res; |
2017 | 73.3k | mp_digit buf, mp; |
2018 | 73.3k | int err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize; |
2019 | 73.3k | WC_DECLARE_VAR(M, mp_int, TAB_SIZE, 0); |
2020 | | /* use a pointer to the reduction algorithm. This allows us to use |
2021 | | * one of many reduction algorithms without modding the guts of |
2022 | | * the code with if statements everywhere. |
2023 | | */ |
2024 | 73.3k | int (*redux)(mp_int*,mp_int*,mp_digit) = NULL; |
2025 | | |
2026 | 73.3k | WC_ALLOC_VAR_EX(M, mp_int, TAB_SIZE, NULL, DYNAMIC_TYPE_BIGINT, |
2027 | 73.3k | return MP_MEM); |
2028 | | |
2029 | | /* find window size */ |
2030 | 73.3k | x = mp_count_bits (X); |
2031 | 73.3k | if (x <= 7) { |
2032 | 62.5k | winsize = 2; |
2033 | 62.5k | } else if (x <= 36) { |
2034 | 104 | winsize = 3; |
2035 | 10.6k | } else if (x <= 140) { |
2036 | 9.21k | winsize = 4; |
2037 | 9.21k | } else if (x <= 450) { |
2038 | 830 | winsize = 5; |
2039 | 830 | } else if (x <= 1303) { |
2040 | 592 | winsize = 6; |
2041 | 592 | } else if (x <= 3529) { |
2042 | 17 | winsize = 7; |
2043 | 17 | } else { |
2044 | 17 | winsize = 8; |
2045 | 17 | } |
2046 | | |
2047 | 73.3k | #ifdef MP_LOW_MEM |
2048 | 73.3k | if (winsize > 5) { |
2049 | 626 | winsize = 5; |
2050 | 626 | } |
2051 | 73.3k | #endif |
2052 | | |
2053 | | /* init M array */ |
2054 | | /* init first cell */ |
2055 | 73.3k | if ((err = mp_init_size(&M[1], P->alloc)) != MP_OKAY) { |
2056 | 4 | WC_FREE_VAR_EX(M, NULL, DYNAMIC_TYPE_BIGINT); |
2057 | | |
2058 | 4 | return err; |
2059 | 4 | } |
2060 | | |
2061 | | /* now init the second half of the array */ |
2062 | 295k | for (x = 1<<(winsize-1); x < (1 << winsize); x++) { |
2063 | 222k | if ((err = mp_init_size(&M[x], P->alloc)) != MP_OKAY) { |
2064 | 67 | for (y = 1<<(winsize-1); y < x; y++) { |
2065 | 51 | mp_clear (&M[y]); |
2066 | 51 | } |
2067 | 16 | mp_clear(&M[1]); |
2068 | | |
2069 | 16 | WC_FREE_VAR_EX(M, NULL, DYNAMIC_TYPE_BIGINT); |
2070 | | |
2071 | 16 | return err; |
2072 | 16 | } |
2073 | 222k | } |
2074 | | |
2075 | | /* determine and setup reduction code */ |
2076 | 73.3k | if (redmode == 0) { |
2077 | 72.0k | #ifdef BN_MP_MONTGOMERY_SETUP_C |
2078 | | /* now setup montgomery */ |
2079 | 72.0k | if ((err = mp_montgomery_setup (P, &mp)) != MP_OKAY) { |
2080 | 7 | goto LBL_M; |
2081 | 7 | } |
2082 | | #else |
2083 | | err = MP_VAL; |
2084 | | goto LBL_M; |
2085 | | #endif |
2086 | | |
2087 | | /* automatically pick the comba one if available (saves quite a few |
2088 | | calls/ifs) */ |
2089 | 72.0k | #ifdef BN_FAST_MP_MONTGOMERY_REDUCE_C |
2090 | 72.0k | if (((P->used * 2 + 1) < (int)MP_WARRAY) && |
2091 | 72.0k | P->used < (1L << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) { |
2092 | 72.0k | redux = fast_mp_montgomery_reduce; |
2093 | 72.0k | } else |
2094 | 0 | #endif |
2095 | 0 | { |
2096 | 0 | #ifdef BN_MP_MONTGOMERY_REDUCE_C |
2097 | | /* use slower baseline Montgomery method */ |
2098 | 0 | redux = mp_montgomery_reduce; |
2099 | 0 | #endif |
2100 | 0 | } |
2101 | 72.0k | } else if (redmode == 1) { |
2102 | 0 | #if defined(BN_MP_DR_SETUP_C) && defined(BN_MP_DR_REDUCE_C) |
2103 | | /* setup DR reduction for moduli of the form B**k - b */ |
2104 | 0 | mp_dr_setup(P, &mp); |
2105 | 0 | redux = mp_dr_reduce; |
2106 | 0 | #endif |
2107 | 1.23k | } else { |
2108 | 1.23k | #if defined(BN_MP_REDUCE_2K_SETUP_C) && defined(BN_MP_REDUCE_2K_C) |
2109 | | /* setup DR reduction for moduli of the form 2**k - b */ |
2110 | 1.23k | if ((err = mp_reduce_2k_setup(P, &mp)) != MP_OKAY) { |
2111 | 1 | goto LBL_M; |
2112 | 1 | } |
2113 | | /* mp of zero is not usable */ |
2114 | 1.23k | if (mp != 0) { |
2115 | 1.23k | redux = mp_reduce_2k; |
2116 | 1.23k | } |
2117 | 1.23k | #endif |
2118 | 1.23k | } |
2119 | | |
2120 | 73.3k | if (redux == NULL) { |
2121 | 0 | err = MP_VAL; |
2122 | 0 | goto LBL_M; |
2123 | 0 | } |
2124 | | |
2125 | | /* setup result */ |
2126 | 73.3k | if ((err = mp_init_size (&res, P->alloc)) != MP_OKAY) { |
2127 | 1 | goto LBL_M; |
2128 | 1 | } |
2129 | | |
2130 | | /* create M table |
2131 | | * |
2132 | | |
2133 | | * |
2134 | | * The first half of the table is not computed though accept for M[0] and M[1] |
2135 | | */ |
2136 | | |
2137 | 73.3k | if (redmode == 0) { |
2138 | 72.0k | #ifdef BN_MP_MONTGOMERY_CALC_NORMALIZATION_C |
2139 | | /* now we need R mod m */ |
2140 | 72.0k | if ((err = mp_montgomery_calc_normalization (&res, P)) != MP_OKAY) { |
2141 | 0 | goto LBL_RES; |
2142 | 0 | } |
2143 | | |
2144 | | /* now set M[1] to G * R mod m */ |
2145 | 72.0k | if ((err = mp_mulmod (G, &res, P, &M[1])) != MP_OKAY) { |
2146 | 8 | goto LBL_RES; |
2147 | 8 | } |
2148 | | #else |
2149 | | err = MP_VAL; |
2150 | | goto LBL_RES; |
2151 | | #endif |
2152 | 72.0k | } else { |
2153 | 1.23k | if ((err = mp_set(&res, 1)) != MP_OKAY) { |
2154 | 0 | goto LBL_RES; |
2155 | 0 | } |
2156 | 1.23k | if ((err = mp_mod(G, P, &M[1])) != MP_OKAY) { |
2157 | 6 | goto LBL_RES; |
2158 | 6 | } |
2159 | 1.23k | } |
2160 | | |
2161 | | /* compute the value at M[1<<(winsize-1)] by squaring M[1] (winsize-1) times*/ |
2162 | 73.2k | if ((err = mp_copy (&M[1], &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) { |
2163 | 0 | goto LBL_RES; |
2164 | 0 | } |
2165 | | |
2166 | 169k | for (x = 0; x < (winsize - 1); x++) { |
2167 | 96.0k | if ((err = mp_sqr (&M[(mp_digit)(1 << (winsize - 1))], |
2168 | 96.0k | &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) { |
2169 | 3 | goto LBL_RES; |
2170 | 3 | } |
2171 | 96.0k | if ((err = redux (&M[(mp_digit)(1 << (winsize - 1))], P, mp)) != MP_OKAY) { |
2172 | 3 | goto LBL_RES; |
2173 | 3 | } |
2174 | 96.0k | } |
2175 | | |
2176 | | /* create upper table */ |
2177 | 222k | for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) { |
2178 | 148k | if ((err = mp_mul (&M[x - 1], &M[1], &M[x])) != MP_OKAY) { |
2179 | 3 | goto LBL_RES; |
2180 | 3 | } |
2181 | 148k | if ((err = redux (&M[x], P, mp)) != MP_OKAY) { |
2182 | 4 | goto LBL_RES; |
2183 | 4 | } |
2184 | 148k | } |
2185 | | |
2186 | | /* set initial mode and bit cnt */ |
2187 | 73.2k | mode = 0; |
2188 | 73.2k | bitcnt = 1; |
2189 | 73.2k | buf = 0; |
2190 | 73.2k | digidx = X->used - 1; |
2191 | 73.2k | bitcpy = 0; |
2192 | 73.2k | bitbuf = 0; |
2193 | | |
2194 | 5.67M | for (;;) { |
2195 | | /* grab next digit as required */ |
2196 | 5.67M | if (--bitcnt == 0) { |
2197 | | /* if digidx == -1 we are out of digits so break */ |
2198 | 166k | if (digidx == -1) { |
2199 | 73.2k | break; |
2200 | 73.2k | } |
2201 | | /* read next digit and reset bitcnt */ |
2202 | 93.3k | buf = X->dp[digidx--]; |
2203 | 93.3k | bitcnt = (int)DIGIT_BIT; |
2204 | 93.3k | } |
2205 | | |
2206 | | /* grab the next msb from the exponent */ |
2207 | 5.60M | y = (int)(buf >> (DIGIT_BIT - 1)) & 1; |
2208 | 5.60M | buf <<= (mp_digit)1; |
2209 | | |
2210 | | /* if the bit is zero and mode == 0 then we ignore it |
2211 | | * These represent the leading zero bits before the first 1 bit |
2212 | | * in the exponent. Technically this opt is not required but it |
2213 | | * does lower the # of trivial squaring/reductions used |
2214 | | */ |
2215 | 5.60M | if (mode == 0 && y == 0) { |
2216 | 4.01M | continue; |
2217 | 4.01M | } |
2218 | | |
2219 | | /* if the bit is zero and mode == 1 then we square */ |
2220 | 1.58M | if (mode == 1 && y == 0) { |
2221 | 258k | if ((err = mp_sqr (&res, &res)) != MP_OKAY) { |
2222 | 1 | goto LBL_RES; |
2223 | 1 | } |
2224 | 258k | if ((err = redux (&res, P, mp)) != MP_OKAY) { |
2225 | 4 | goto LBL_RES; |
2226 | 4 | } |
2227 | 258k | continue; |
2228 | 258k | } |
2229 | | |
2230 | | /* else we add it to the window */ |
2231 | 1.32M | bitbuf |= (y << (winsize - ++bitcpy)); |
2232 | 1.32M | mode = 2; |
2233 | | |
2234 | 1.32M | if (bitcpy == winsize) { |
2235 | | /* ok window is filled so square as required and multiply */ |
2236 | | /* square first */ |
2237 | 1.63M | for (x = 0; x < winsize; x++) { |
2238 | 1.30M | if ((err = mp_sqr (&res, &res)) != MP_OKAY) { |
2239 | 3 | goto LBL_RES; |
2240 | 3 | } |
2241 | 1.30M | if ((err = redux (&res, P, mp)) != MP_OKAY) { |
2242 | 4 | goto LBL_RES; |
2243 | 4 | } |
2244 | 1.30M | } |
2245 | | |
2246 | | /* then multiply */ |
2247 | 326k | if ((err = mp_mul (&res, &M[bitbuf], &res)) != MP_OKAY) { |
2248 | 3 | goto LBL_RES; |
2249 | 3 | } |
2250 | 326k | if ((err = redux (&res, P, mp)) != MP_OKAY) { |
2251 | 4 | goto LBL_RES; |
2252 | 4 | } |
2253 | | |
2254 | | /* empty window and reset */ |
2255 | 326k | bitcpy = 0; |
2256 | 326k | bitbuf = 0; |
2257 | 326k | mode = 1; |
2258 | 326k | } |
2259 | 1.32M | } |
2260 | | |
2261 | | /* if bits remain then square/multiply */ |
2262 | 73.2k | if (mode == 2 && bitcpy > 0) { |
2263 | | /* square then multiply if the bit is set */ |
2264 | 24.9k | for (x = 0; x < bitcpy; x++) { |
2265 | 15.7k | if ((err = mp_sqr (&res, &res)) != MP_OKAY) { |
2266 | 1 | goto LBL_RES; |
2267 | 1 | } |
2268 | 15.7k | if ((err = redux (&res, P, mp)) != MP_OKAY) { |
2269 | 1 | goto LBL_RES; |
2270 | 1 | } |
2271 | | |
2272 | | /* get next bit of the window */ |
2273 | 15.7k | bitbuf <<= 1; |
2274 | 15.7k | if ((bitbuf & (1 << winsize)) != 0) { |
2275 | | /* then multiply */ |
2276 | 14.9k | if ((err = mp_mul (&res, &M[1], &res)) != MP_OKAY) { |
2277 | 1 | goto LBL_RES; |
2278 | 1 | } |
2279 | 14.9k | if ((err = redux (&res, P, mp)) != MP_OKAY) { |
2280 | 1 | goto LBL_RES; |
2281 | 1 | } |
2282 | 14.9k | } |
2283 | 15.7k | } |
2284 | 9.18k | } |
2285 | | |
2286 | 73.2k | if (redmode == 0) { |
2287 | | /* fixup result if Montgomery reduction is used |
2288 | | * recall that any value in a Montgomery system is |
2289 | | * actually multiplied by R mod n. So we have |
2290 | | * to reduce one more time to cancel out the factor |
2291 | | * of R. |
2292 | | */ |
2293 | 72.0k | if ((err = redux(&res, P, mp)) != MP_OKAY) { |
2294 | 1 | goto LBL_RES; |
2295 | 1 | } |
2296 | 72.0k | } |
2297 | | |
2298 | | /* swap res with Y */ |
2299 | 73.2k | mp_exch (&res, Y); |
2300 | 73.2k | err = MP_OKAY; |
2301 | 73.3k | LBL_RES:mp_clear (&res); |
2302 | 73.3k | LBL_M: |
2303 | 73.3k | mp_clear(&M[1]); |
2304 | 295k | for (x = 1<<(winsize-1); x < (1 << winsize); x++) { |
2305 | 222k | mp_clear (&M[x]); |
2306 | 222k | } |
2307 | | |
2308 | 73.3k | WC_FREE_VAR_EX(M, NULL, DYNAMIC_TYPE_BIGINT); |
2309 | | |
2310 | 73.3k | return err; |
2311 | 73.3k | } |
2312 | | |
2313 | | #ifdef BN_MP_EXPTMOD_BASE_2 |
2314 | | #if DIGIT_BIT < 16 |
2315 | | #define WINSIZE 3 |
2316 | | #elif DIGIT_BIT < 32 |
2317 | | #define WINSIZE 4 |
2318 | | #elif DIGIT_BIT < 64 |
2319 | 293k | #define WINSIZE 5 |
2320 | | #elif DIGIT_BIT < 128 |
2321 | | #define WINSIZE 6 |
2322 | | #endif |
2323 | | int mp_exptmod_base_2(mp_int * X, mp_int * P, mp_int * Y) |
2324 | 737 | { |
2325 | 737 | mp_digit buf, mp; |
2326 | 737 | int err = MP_OKAY, bitbuf, bitcpy, bitcnt, digidx, x, y; |
2327 | 737 | mp_int res[1]; |
2328 | 737 | int (*redux)(mp_int*,mp_int*,mp_digit) = NULL; |
2329 | | |
2330 | | /* automatically pick the comba one if available (saves quite a few |
2331 | | calls/ifs) */ |
2332 | 737 | #ifdef BN_FAST_MP_MONTGOMERY_REDUCE_C |
2333 | 737 | if (((P->used * 2 + 1) < (int)MP_WARRAY) && |
2334 | 737 | P->used < (1L << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) { |
2335 | 737 | redux = fast_mp_montgomery_reduce; |
2336 | 737 | } else |
2337 | 0 | #endif |
2338 | 0 | #ifdef BN_MP_MONTGOMERY_REDUCE_C |
2339 | 0 | { |
2340 | | /* use slower baseline Montgomery method */ |
2341 | 0 | redux = mp_montgomery_reduce; |
2342 | 0 | } |
2343 | 737 | #endif |
2344 | | |
2345 | 737 | if (redux == NULL) { |
2346 | 0 | return MP_VAL; |
2347 | 0 | } |
2348 | | |
2349 | | /* now setup montgomery */ |
2350 | 737 | if ((err = mp_montgomery_setup(P, &mp)) != MP_OKAY) { |
2351 | 1 | goto LBL_M; |
2352 | 1 | } |
2353 | | |
2354 | | /* setup result */ |
2355 | 736 | if ((err = mp_init(res)) != MP_OKAY) { |
2356 | 0 | goto LBL_M; |
2357 | 0 | } |
2358 | | |
2359 | | /* now we need R mod m */ |
2360 | 736 | if ((err = mp_montgomery_calc_normalization(res, P)) != MP_OKAY) { |
2361 | 2 | goto LBL_RES; |
2362 | 2 | } |
2363 | | |
2364 | | /* Get the top bits left over after taking WINSIZE bits starting at the |
2365 | | * least-significant. |
2366 | | */ |
2367 | 734 | digidx = X->used - 1; |
2368 | 734 | bitcpy = (X->used * DIGIT_BIT) % WINSIZE; |
2369 | 734 | if (bitcpy > 0) { |
2370 | 0 | bitcnt = (int)DIGIT_BIT - bitcpy; |
2371 | 0 | buf = X->dp[digidx--]; |
2372 | 0 | bitbuf = (int)(buf >> bitcnt); |
2373 | | /* Multiply montgomery representation of 1 by 2 ^ top */ |
2374 | 0 | err = mp_mul_2d(res, bitbuf, res); |
2375 | 0 | if (err != MP_OKAY) { |
2376 | 0 | goto LBL_RES; |
2377 | 0 | } |
2378 | 0 | err = mp_mod(res, P, res); |
2379 | 0 | if (err != MP_OKAY) { |
2380 | 0 | goto LBL_RES; |
2381 | 0 | } |
2382 | | /* Move out bits used */ |
2383 | 0 | buf <<= bitcpy; |
2384 | 0 | bitcnt++; |
2385 | 0 | } |
2386 | 734 | else { |
2387 | 734 | bitcnt = 1; |
2388 | 734 | buf = 0; |
2389 | 734 | } |
2390 | | |
2391 | | /* empty window and reset */ |
2392 | 734 | bitbuf = 0; |
2393 | 734 | bitcpy = 0; |
2394 | | |
2395 | 92.2k | for (;;) { |
2396 | | /* grab next digit as required */ |
2397 | 92.2k | if (--bitcnt == 0) { |
2398 | | /* if digidx == -1 we are out of digits so break */ |
2399 | 2.25k | if (digidx == -1) { |
2400 | 718 | break; |
2401 | 718 | } |
2402 | | /* read next digit and reset bitcnt */ |
2403 | 1.53k | buf = X->dp[digidx--]; |
2404 | 1.53k | bitcnt = (int)DIGIT_BIT; |
2405 | 1.53k | } |
2406 | | |
2407 | | /* grab the next msb from the exponent */ |
2408 | 91.5k | y = (int)(buf >> (DIGIT_BIT - 1)) & 1; |
2409 | 91.5k | buf <<= (mp_digit)1; |
2410 | | /* add bit to the window */ |
2411 | 91.5k | bitbuf |= (y << (WINSIZE - ++bitcpy)); |
2412 | | |
2413 | 91.5k | if (bitcpy == WINSIZE) { |
2414 | | /* ok window is filled so square as required and multiply */ |
2415 | | /* square first */ |
2416 | 109k | for (x = 0; x < WINSIZE; x++) { |
2417 | 91.4k | err = mp_sqr(res, res); |
2418 | 91.4k | if (err != MP_OKAY) { |
2419 | 7 | goto LBL_RES; |
2420 | 7 | } |
2421 | 91.4k | err = (*redux)(res, P, mp); |
2422 | 91.4k | if (err != MP_OKAY) { |
2423 | 6 | goto LBL_RES; |
2424 | 6 | } |
2425 | 91.4k | } |
2426 | | |
2427 | | /* then multiply by 2^bitbuf */ |
2428 | 18.2k | err = mp_mul_2d(res, bitbuf, res); |
2429 | 18.2k | if (err != MP_OKAY) { |
2430 | 0 | goto LBL_RES; |
2431 | 0 | } |
2432 | 18.2k | err = mp_mod(res, P, res); |
2433 | 18.2k | if (err != MP_OKAY) { |
2434 | 3 | goto LBL_RES; |
2435 | 3 | } |
2436 | | |
2437 | | /* empty window and reset */ |
2438 | 18.2k | bitcpy = 0; |
2439 | 18.2k | bitbuf = 0; |
2440 | 18.2k | } |
2441 | 91.5k | } |
2442 | | |
2443 | | /* fixup result if Montgomery reduction is used |
2444 | | * recall that any value in a Montgomery system is |
2445 | | * actually multiplied by R mod n. So we have |
2446 | | * to reduce one more time to cancel out the factor |
2447 | | * of R. |
2448 | | */ |
2449 | 718 | err = (*redux)(res, P, mp); |
2450 | 718 | if (err != MP_OKAY) { |
2451 | 0 | goto LBL_RES; |
2452 | 0 | } |
2453 | | |
2454 | | /* swap res with Y */ |
2455 | 718 | err = mp_copy(res, Y); |
2456 | | |
2457 | 736 | LBL_RES:mp_clear (res); |
2458 | 737 | LBL_M: |
2459 | 737 | return err; |
2460 | 736 | } |
2461 | | |
2462 | | #undef WINSIZE |
2463 | | #endif /* BN_MP_EXPTMOD_BASE_2 */ |
2464 | | |
2465 | | |
2466 | | /* setups the montgomery reduction stuff */ |
2467 | | int mp_montgomery_setup (mp_int * n, mp_digit * rho) |
2468 | 78.5k | { |
2469 | 78.5k | mp_digit x, b; |
2470 | | |
2471 | | /* fast inversion mod 2**k |
2472 | | * |
2473 | | * Based on the fact that |
2474 | | * |
2475 | | * XA = 1 (mod 2**n) => (X(2-XA)) A = 1 (mod 2**2n) |
2476 | | * => 2*X*A - X*X*A*A = 1 |
2477 | | * => 2*(1) - (1) = 1 |
2478 | | */ |
2479 | 78.5k | b = n->dp[0]; |
2480 | | |
2481 | 78.5k | if ((b & 1) == 0) { |
2482 | 12 | return MP_VAL; |
2483 | 12 | } |
2484 | | |
2485 | 78.5k | x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */ |
2486 | 78.5k | x *= 2 - b * x; /* here x*a==1 mod 2**8 */ |
2487 | 78.5k | #if !defined(MP_8BIT) |
2488 | 78.5k | x *= 2 - b * x; /* here x*a==1 mod 2**16 */ |
2489 | 78.5k | #endif |
2490 | 78.5k | #if defined(MP_64BIT) || !(defined(MP_8BIT) || defined(MP_16BIT)) |
2491 | 78.5k | x *= 2 - b * x; /* here x*a==1 mod 2**32 */ |
2492 | 78.5k | #endif |
2493 | 78.5k | #ifdef MP_64BIT |
2494 | 78.5k | x *= 2 - b * x; /* here x*a==1 mod 2**64 */ |
2495 | 78.5k | #endif |
2496 | | |
2497 | | /* rho = -1/m mod b */ |
2498 | | /* TAO, switched mp_word casts to mp_digit to shut up compiler */ |
2499 | 78.5k | *rho = (mp_digit)((((mp_digit)1 << ((mp_digit) DIGIT_BIT)) - x) & MP_MASK); |
2500 | | |
2501 | 78.5k | return MP_OKAY; |
2502 | 78.5k | } |
2503 | | |
2504 | | |
2505 | | /* computes xR**-1 == x (mod N) via Montgomery Reduction |
2506 | | * |
2507 | | * This is an optimized implementation of montgomery_reduce |
2508 | | * which uses the comba method to quickly calculate the columns of the |
2509 | | * reduction. |
2510 | | * |
2511 | | * Based on Algorithm 14.32 on pp.601 of HAC. |
2512 | | */ |
2513 | | int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho) |
2514 | 19.3M | { |
2515 | 19.3M | int ix, res, olduse; |
2516 | | /* uses dynamic memory and slower */ |
2517 | 19.3M | WC_DECLARE_VAR(W, mp_word, MP_WARRAY, 0); |
2518 | | |
2519 | | /* get old used count */ |
2520 | 19.3M | olduse = x->used; |
2521 | | |
2522 | | /* grow a as required */ |
2523 | 19.3M | if (x->alloc < n->used + 1) { |
2524 | 9.87k | if ((res = mp_grow (x, n->used + 1)) != MP_OKAY) { |
2525 | 3 | return res; |
2526 | 3 | } |
2527 | 9.87k | } |
2528 | | |
2529 | 19.3M | WC_ALLOC_VAR_EX(W, mp_word, (n->used*2+2), NULL, DYNAMIC_TYPE_BIGINT, |
2530 | 19.3M | return MP_MEM); |
2531 | | |
2532 | 19.3M | XMEMSET(W, 0, sizeof(mp_word) * (n->used * 2 + 2)); |
2533 | | |
2534 | | /* first we have to get the digits of the input into |
2535 | | * an array of double precision words W[...] |
2536 | | */ |
2537 | 19.3M | { |
2538 | 19.3M | mp_word *_W; |
2539 | 19.3M | mp_digit *tmpx; |
2540 | | |
2541 | | /* alias for the W[] array */ |
2542 | 19.3M | _W = W; |
2543 | | |
2544 | | /* alias for the digits of x*/ |
2545 | 19.3M | tmpx = x->dp; |
2546 | | |
2547 | | /* copy the digits of a into W[0..a->used-1] */ |
2548 | 230M | for (ix = 0; ix < x->used; ix++) { |
2549 | 211M | *_W++ = *tmpx++; |
2550 | 211M | } |
2551 | 19.3M | } |
2552 | | |
2553 | | /* now we proceed to zero successive digits |
2554 | | * from the least significant upwards |
2555 | | */ |
2556 | 134M | for (ix = 0; ix < n->used; ix++) { |
2557 | | /* mu = ai * m' mod b |
2558 | | * |
2559 | | * We avoid a double precision multiplication (which isn't required) |
2560 | | * by casting the value down to a mp_digit. Note this requires |
2561 | | * that W[ix-1] have the carry cleared (see after the inner loop) |
2562 | | */ |
2563 | 114M | mp_digit mu; |
2564 | 114M | mu = (mp_digit) (((W[ix] & MP_MASK) * rho) & MP_MASK); |
2565 | | |
2566 | | /* a = a + mu * m * b**i |
2567 | | * |
2568 | | * This is computed in place and on the fly. The multiplication |
2569 | | * by b**i is handled by offsetting which columns the results |
2570 | | * are added to. |
2571 | | * |
2572 | | * Note the comba method normally doesn't handle carries in the |
2573 | | * inner loop In this case we fix the carry from the previous |
2574 | | * column since the Montgomery reduction requires digits of the |
2575 | | * result (so far) [see above] to work. This is |
2576 | | * handled by fixing up one carry after the inner loop. The |
2577 | | * carry fixups are done in order so after these loops the |
2578 | | * first m->used words of W[] have the carries fixed |
2579 | | */ |
2580 | 114M | { |
2581 | 114M | int iy; |
2582 | 114M | mp_digit *tmpn; |
2583 | 114M | mp_word *_W; |
2584 | | |
2585 | | /* alias for the digits of the modulus */ |
2586 | 114M | tmpn = n->dp; |
2587 | | |
2588 | | /* Alias for the columns set by an offset of ix */ |
2589 | 114M | _W = W + ix; |
2590 | | |
2591 | | /* inner loop */ |
2592 | 2.15G | for (iy = 0; iy < n->used; iy++) { |
2593 | 2.03G | *_W++ += ((mp_word)mu) * ((mp_word)*tmpn++); |
2594 | 2.03G | } |
2595 | 114M | } |
2596 | | |
2597 | | /* now fix carry for next digit, W[ix+1] */ |
2598 | 114M | W[ix + 1] += W[ix] >> ((mp_word) DIGIT_BIT); |
2599 | 114M | } |
2600 | | |
2601 | | /* now we have to propagate the carries and |
2602 | | * shift the words downward [all those least |
2603 | | * significant digits we zeroed]. |
2604 | | */ |
2605 | 19.3M | { |
2606 | 19.3M | mp_digit *tmpx; |
2607 | 19.3M | mp_word *_W, *_W1; |
2608 | | |
2609 | | /* nox fix rest of carries */ |
2610 | | |
2611 | | /* alias for current word */ |
2612 | 19.3M | _W1 = W + ix; |
2613 | | |
2614 | | /* alias for next word, where the carry goes */ |
2615 | 19.3M | _W = W + ++ix; |
2616 | | |
2617 | 153M | for (; ix <= n->used * 2 + 1; ix++) { |
2618 | 134M | *_W++ += *_W1++ >> ((mp_word) DIGIT_BIT); |
2619 | 134M | } |
2620 | | |
2621 | | /* copy out, A = A/b**n |
2622 | | * |
2623 | | * The result is A/b**n but instead of converting from an |
2624 | | * array of mp_word to mp_digit than calling mp_rshd |
2625 | | * we just copy them in the right order |
2626 | | */ |
2627 | | |
2628 | | /* alias for destination word */ |
2629 | 19.3M | tmpx = x->dp; |
2630 | | |
2631 | | /* alias for shifted double precision result */ |
2632 | 19.3M | _W = W + n->used; |
2633 | | |
2634 | 153M | for (ix = 0; ix < n->used + 1; ix++) { |
2635 | 134M | *tmpx++ = (mp_digit)(*_W++ & ((mp_word) MP_MASK)); |
2636 | 134M | } |
2637 | | |
2638 | | /* zero olduse digits, if the input a was larger than |
2639 | | * m->used+1 we'll have to clear the digits |
2640 | | */ |
2641 | 99.2M | for (; ix < olduse; ix++) { |
2642 | 79.8M | *tmpx++ = 0; |
2643 | 79.8M | } |
2644 | 19.3M | } |
2645 | | |
2646 | | /* set the max used and clamp */ |
2647 | 19.3M | x->used = n->used + 1; |
2648 | 19.3M | mp_clamp (x); |
2649 | | |
2650 | 19.3M | WC_FREE_VAR_EX(W, NULL, DYNAMIC_TYPE_BIGINT); |
2651 | | |
2652 | | /* if A >= m then A = A - m */ |
2653 | 19.3M | if (mp_cmp_mag (x, n) != MP_LT) { |
2654 | 211k | return s_mp_sub (x, n, x); |
2655 | 211k | } |
2656 | 19.1M | return MP_OKAY; |
2657 | 19.3M | } |
2658 | | |
2659 | | |
2660 | | /* computes xR**-1 == x (mod N) via Montgomery Reduction */ |
2661 | | int mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho) |
2662 | 17.1M | { |
2663 | 17.1M | int ix, res, digs; |
2664 | 17.1M | mp_digit mu; |
2665 | | |
2666 | | /* can the fast reduction [comba] method be used? |
2667 | | * |
2668 | | * Note that unlike in mul you're safely allowed *less* |
2669 | | * than the available columns [255 per default] since carries |
2670 | | * are fixed up in the inner loop. |
2671 | | */ |
2672 | 17.1M | digs = n->used * 2 + 1; |
2673 | 17.1M | if ((digs < (int)MP_WARRAY) && |
2674 | 17.1M | n->used < |
2675 | 17.1M | (1L << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) { |
2676 | 17.1M | return fast_mp_montgomery_reduce (x, n, rho); |
2677 | 17.1M | } |
2678 | | |
2679 | | /* grow the input as required */ |
2680 | 0 | if (x->alloc < digs) { |
2681 | 0 | if ((res = mp_grow (x, digs)) != MP_OKAY) { |
2682 | 0 | return res; |
2683 | 0 | } |
2684 | 0 | } |
2685 | 0 | x->used = digs; |
2686 | |
|
2687 | 0 | for (ix = 0; ix < n->used; ix++) { |
2688 | | /* mu = ai * rho mod b |
2689 | | * |
2690 | | * The value of rho must be precalculated via |
2691 | | * montgomery_setup() such that |
2692 | | * it equals -1/n0 mod b this allows the |
2693 | | * following inner loop to reduce the |
2694 | | * input one digit at a time |
2695 | | */ |
2696 | 0 | mu = (mp_digit) (((mp_word)x->dp[ix]) * ((mp_word)rho) & MP_MASK); |
2697 | | |
2698 | | /* a = a + mu * m * b**i */ |
2699 | 0 | { |
2700 | 0 | int iy; |
2701 | 0 | mp_digit *tmpn, *tmpx, u; |
2702 | 0 | mp_word r; |
2703 | | |
2704 | | /* alias for digits of the modulus */ |
2705 | 0 | tmpn = n->dp; |
2706 | | |
2707 | | /* alias for the digits of x [the input] */ |
2708 | 0 | tmpx = x->dp + ix; |
2709 | | |
2710 | | /* set the carry to zero */ |
2711 | 0 | u = 0; |
2712 | | |
2713 | | /* Multiply and add in place */ |
2714 | 0 | for (iy = 0; iy < n->used; iy++) { |
2715 | | /* compute product and sum */ |
2716 | 0 | r = ((mp_word)mu) * ((mp_word)*tmpn++) + |
2717 | 0 | ((mp_word) u) + ((mp_word) * tmpx); |
2718 | | |
2719 | | /* get carry */ |
2720 | 0 | u = (mp_digit)(r >> ((mp_word) DIGIT_BIT)); |
2721 | | |
2722 | | /* fix digit */ |
2723 | 0 | *tmpx++ = (mp_digit)(r & ((mp_word) MP_MASK)); |
2724 | 0 | } |
2725 | | /* At this point the ix'th digit of x should be zero */ |
2726 | | |
2727 | | |
2728 | | /* propagate carries upwards as required*/ |
2729 | 0 | while (u) { |
2730 | 0 | *tmpx += u; |
2731 | 0 | u = *tmpx >> DIGIT_BIT; |
2732 | 0 | *tmpx++ &= MP_MASK; |
2733 | 0 | } |
2734 | 0 | } |
2735 | 0 | } |
2736 | | |
2737 | | /* at this point the n.used'th least |
2738 | | * significant digits of x are all zero |
2739 | | * which means we can shift x to the |
2740 | | * right by n.used digits and the |
2741 | | * residue is unchanged. |
2742 | | */ |
2743 | | |
2744 | | /* x = x/b**n.used */ |
2745 | 0 | mp_clamp(x); |
2746 | 0 | mp_rshd (x, n->used); |
2747 | | |
2748 | | /* if x >= n then x = x - n */ |
2749 | 0 | if (mp_cmp_mag (x, n) != MP_LT) { |
2750 | 0 | return s_mp_sub (x, n, x); |
2751 | 0 | } |
2752 | | |
2753 | 0 | return MP_OKAY; |
2754 | 0 | } |
2755 | | |
2756 | | |
2757 | | /* determines the setup value */ |
2758 | | void mp_dr_setup(mp_int *a, mp_digit *d) |
2759 | 0 | { |
2760 | | /* the casts are required if DIGIT_BIT is one less than |
2761 | | * the number of bits in a mp_digit [e.g. DIGIT_BIT==31] |
2762 | | */ |
2763 | 0 | *d = (mp_digit)((((mp_word)1) << ((mp_word)DIGIT_BIT)) - |
2764 | 0 | ((mp_word)a->dp[0])); |
2765 | 0 | } |
2766 | | |
2767 | | |
2768 | | /* reduce "x" in place modulo "n" using the Diminished Radix algorithm. |
2769 | | * |
2770 | | * Based on algorithm from the paper |
2771 | | * |
2772 | | * "Generating Efficient Primes for Discrete Log Cryptosystems" |
2773 | | * Chae Hoon Lim, Pil Joong Lee, |
2774 | | * POSTECH Information Research Laboratories |
2775 | | * |
2776 | | * The modulus must be of a special format [see manual] |
2777 | | * |
2778 | | * Has been modified to use algorithm 7.10 from the LTM book instead |
2779 | | * |
2780 | | * Input x must be in the range 0 <= x <= (n-1)**2 |
2781 | | */ |
2782 | | int mp_dr_reduce (mp_int * x, mp_int * n, mp_digit k) |
2783 | 0 | { |
2784 | 0 | int err, i, m; |
2785 | 0 | mp_word r; |
2786 | 0 | mp_digit mu, *tmpx1, *tmpx2; |
2787 | | |
2788 | | /* m = digits in modulus */ |
2789 | 0 | m = n->used; |
2790 | | |
2791 | | /* ensure that "x" has at least 2m digits */ |
2792 | 0 | if (x->alloc < m + m) { |
2793 | 0 | if ((err = mp_grow (x, m + m)) != MP_OKAY) { |
2794 | 0 | return err; |
2795 | 0 | } |
2796 | 0 | } |
2797 | | |
2798 | | /* top of loop, this is where the code resumes if |
2799 | | * another reduction pass is required. |
2800 | | */ |
2801 | 0 | top: |
2802 | | /* aliases for digits */ |
2803 | | /* alias for lower half of x */ |
2804 | 0 | tmpx1 = x->dp; |
2805 | | |
2806 | | /* alias for upper half of x, or x/B**m */ |
2807 | 0 | tmpx2 = x->dp + m; |
2808 | | |
2809 | | /* set carry to zero */ |
2810 | 0 | mu = 0; |
2811 | | |
2812 | | /* compute (x mod B**m) + k * [x/B**m] inline and inplace */ |
2813 | 0 | for (i = 0; i < m; i++) { |
2814 | 0 | r = ((mp_word)*tmpx2++) * ((mp_word)k) + *tmpx1 + mu; |
2815 | 0 | *tmpx1++ = (mp_digit)(r & MP_MASK); |
2816 | 0 | mu = (mp_digit)(r >> ((mp_word)DIGIT_BIT)); |
2817 | 0 | } |
2818 | | |
2819 | | /* set final carry */ |
2820 | 0 | *tmpx1++ = mu; |
2821 | | |
2822 | | /* zero words above m */ |
2823 | 0 | for (i = m + 1; i < x->used; i++) { |
2824 | 0 | *tmpx1++ = 0; |
2825 | 0 | } |
2826 | | |
2827 | | /* clamp, sub and return */ |
2828 | 0 | mp_clamp (x); |
2829 | | |
2830 | | /* if x >= n then subtract and reduce again |
2831 | | * Each successive "recursion" makes the input smaller and smaller. |
2832 | | */ |
2833 | 0 | if (mp_cmp_mag (x, n) != MP_LT) { |
2834 | 0 | if ((err = s_mp_sub(x, n, x)) != MP_OKAY) { |
2835 | 0 | return err; |
2836 | 0 | } |
2837 | 0 | goto top; |
2838 | 0 | } |
2839 | 0 | return MP_OKAY; |
2840 | 0 | } |
2841 | | |
2842 | | |
2843 | | /* reduces a modulo n where n is of the form 2**p - d */ |
2844 | | int mp_reduce_2k(mp_int *a, mp_int *n, mp_digit d) |
2845 | 113k | { |
2846 | 113k | mp_int q; |
2847 | 113k | int p, res; |
2848 | | |
2849 | 113k | if ((res = mp_init(&q)) != MP_OKAY) { |
2850 | 0 | return res; |
2851 | 0 | } |
2852 | | |
2853 | 113k | p = mp_count_bits(n); |
2854 | 324k | top: |
2855 | | /* q = a/2**p, a = a mod 2**p */ |
2856 | 324k | if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) { |
2857 | 3 | goto ERR; |
2858 | 3 | } |
2859 | | |
2860 | 324k | if (d != 1) { |
2861 | | /* q = q * d */ |
2862 | 324k | if ((res = mp_mul_d(&q, d, &q)) != MP_OKAY) { |
2863 | 0 | goto ERR; |
2864 | 0 | } |
2865 | 324k | } |
2866 | | |
2867 | | /* a = a + q */ |
2868 | 324k | if ((res = s_mp_add(a, &q, a)) != MP_OKAY) { |
2869 | 0 | goto ERR; |
2870 | 0 | } |
2871 | | |
2872 | 324k | if (mp_cmp_mag(a, n) != MP_LT) { |
2873 | 211k | if ((res = s_mp_sub(a, n, a)) != MP_OKAY) { |
2874 | 0 | goto ERR; |
2875 | 0 | } |
2876 | 211k | goto top; |
2877 | 211k | } |
2878 | | |
2879 | 113k | ERR: |
2880 | 113k | mp_clear(&q); |
2881 | 113k | return res; |
2882 | 324k | } |
2883 | | |
2884 | | |
2885 | | /* determines the setup value */ |
2886 | | int mp_reduce_2k_setup(mp_int *a, mp_digit *d) |
2887 | 1.23k | { |
2888 | 1.23k | int res, p; |
2889 | 1.23k | mp_int tmp; |
2890 | | |
2891 | 1.23k | if ((res = mp_init(&tmp)) != MP_OKAY) { |
2892 | 0 | return res; |
2893 | 0 | } |
2894 | | |
2895 | 1.23k | p = mp_count_bits(a); |
2896 | 1.23k | if ((res = mp_2expt(&tmp, p)) != MP_OKAY) { |
2897 | 1 | mp_clear(&tmp); |
2898 | 1 | return res; |
2899 | 1 | } |
2900 | | |
2901 | 1.23k | if ((res = s_mp_sub(&tmp, a, &tmp)) != MP_OKAY) { |
2902 | 0 | mp_clear(&tmp); |
2903 | 0 | return res; |
2904 | 0 | } |
2905 | | |
2906 | 1.23k | *d = tmp.dp[0]; |
2907 | 1.23k | mp_clear(&tmp); |
2908 | 1.23k | return MP_OKAY; |
2909 | 1.23k | } |
2910 | | |
2911 | | |
2912 | | /* set the b bit of a */ |
2913 | | int mp_set_bit (mp_int * a, int b) |
2914 | 85.2k | { |
2915 | 85.2k | int i = b / DIGIT_BIT, res; |
2916 | | |
2917 | | /* |
2918 | | * Require: |
2919 | | * bit index b >= 0 |
2920 | | * a->alloc == a->used == 0 if a->dp == NULL |
2921 | | */ |
2922 | 85.2k | if (b < 0 || (a->dp == NULL && (a->alloc != 0 || a->used != 0))) |
2923 | 0 | return MP_VAL; |
2924 | | |
2925 | 85.2k | if (a->dp == NULL || a->used < (int)(i + 1)) { |
2926 | | /* grow a to accommodate the single bit */ |
2927 | 85.1k | if ((res = mp_grow (a, i + 1)) != MP_OKAY) { |
2928 | 16 | return res; |
2929 | 16 | } |
2930 | | |
2931 | | /* set the used count of where the bit will go */ |
2932 | 85.1k | a->used = (int)(i + 1); |
2933 | 85.1k | } |
2934 | | |
2935 | | /* put the single bit in its place */ |
2936 | 85.1k | a->dp[i] |= ((mp_digit)1) << (b % DIGIT_BIT); |
2937 | | |
2938 | 85.1k | return MP_OKAY; |
2939 | 85.2k | } |
2940 | | |
2941 | | /* computes a = 2**b |
2942 | | * |
2943 | | * Simple algorithm which zeros the int, set the required bit |
2944 | | */ |
2945 | | int mp_2expt (mp_int * a, int b) |
2946 | 85.1k | { |
2947 | | /* zero a as per default */ |
2948 | 85.1k | mp_zero (a); |
2949 | | |
2950 | 85.1k | return mp_set_bit(a, b); |
2951 | 85.1k | } |
2952 | | |
2953 | | /* multiply by a digit */ |
2954 | | int mp_mul_d (mp_int * a, mp_digit b, mp_int * c) |
2955 | 4.47M | { |
2956 | 4.47M | mp_digit u, *tmpa, *tmpc; |
2957 | 4.47M | mp_word r; |
2958 | 4.47M | int ix, res, olduse; |
2959 | | |
2960 | | /* make sure c is big enough to hold a*b */ |
2961 | 4.47M | if (c->dp == NULL || c->alloc < a->used + 1) { |
2962 | 70.9k | if ((res = mp_grow (c, a->used + 1)) != MP_OKAY) { |
2963 | 815 | return res; |
2964 | 815 | } |
2965 | 70.9k | } |
2966 | | |
2967 | | /* get the original destinations used count */ |
2968 | 4.47M | olduse = c->used; |
2969 | | |
2970 | | /* set the sign */ |
2971 | 4.47M | c->sign = a->sign; |
2972 | | |
2973 | | /* alias for a->dp [source] */ |
2974 | 4.47M | tmpa = a->dp; |
2975 | | |
2976 | | /* alias for c->dp [dest] */ |
2977 | 4.47M | tmpc = c->dp; |
2978 | | |
2979 | | /* zero carry */ |
2980 | 4.47M | u = 0; |
2981 | | |
2982 | | /* compute columns */ |
2983 | 1.41G | for (ix = 0; ix < a->used; ix++) { |
2984 | | /* compute product and carry sum for this term */ |
2985 | 1.40G | r = ((mp_word) u) + ((mp_word)*tmpa++) * ((mp_word)b); |
2986 | | |
2987 | | /* mask off higher bits to get a single digit */ |
2988 | 1.40G | *tmpc++ = (mp_digit) (r & ((mp_word) MP_MASK)); |
2989 | | |
2990 | | /* send carry into next iteration */ |
2991 | 1.40G | u = (mp_digit) (r >> ((mp_word) DIGIT_BIT)); |
2992 | 1.40G | } |
2993 | | |
2994 | | /* store final carry [if any] and increment ix offset */ |
2995 | 4.47M | *tmpc++ = u; |
2996 | 4.47M | ++ix; |
2997 | | |
2998 | | /* now zero digits above the top */ |
2999 | 4.47M | while (ix++ < olduse) { |
3000 | 1 | *tmpc++ = 0; |
3001 | 1 | } |
3002 | | |
3003 | | /* set used count */ |
3004 | 4.47M | c->used = a->used + 1; |
3005 | 4.47M | mp_clamp(c); |
3006 | | |
3007 | 4.47M | return MP_OKAY; |
3008 | 4.47M | } |
3009 | | |
3010 | | |
3011 | | /* d = a * b (mod c) */ |
3012 | | #if defined(FREESCALE_LTC_TFM) |
3013 | | int wolfcrypt_mp_mulmod(mp_int *a, mp_int *b, mp_int *c, mp_int *d) |
3014 | | #else |
3015 | | int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d) |
3016 | | #endif |
3017 | 245k | { |
3018 | 245k | int res; |
3019 | 245k | mp_int t; |
3020 | | |
3021 | 245k | if ((res = mp_init_size (&t, c->used)) != MP_OKAY) { |
3022 | 22 | return res; |
3023 | 22 | } |
3024 | | |
3025 | 245k | res = mp_mul (a, b, &t); |
3026 | 245k | if (res == MP_OKAY) { |
3027 | 245k | res = mp_mod (&t, c, d); |
3028 | 245k | } |
3029 | | |
3030 | 245k | mp_clear (&t); |
3031 | 245k | return res; |
3032 | 245k | } |
3033 | | |
3034 | | |
3035 | | /* d = a - b (mod c) */ |
3036 | | int mp_submod(mp_int* a, mp_int* b, mp_int* c, mp_int* d) |
3037 | 763k | { |
3038 | 763k | int res; |
3039 | 763k | mp_int t; |
3040 | | |
3041 | 763k | if ((res = mp_init (&t)) != MP_OKAY) { |
3042 | 0 | return res; |
3043 | 0 | } |
3044 | | |
3045 | 763k | res = mp_sub (a, b, &t); |
3046 | 763k | if (res == MP_OKAY) { |
3047 | 763k | res = mp_mod (&t, c, d); |
3048 | 763k | } |
3049 | | |
3050 | 763k | mp_clear (&t); |
3051 | | |
3052 | 763k | return res; |
3053 | 763k | } |
3054 | | |
3055 | | /* d = a + b (mod c) */ |
3056 | | int mp_addmod(mp_int* a, mp_int* b, mp_int* c, mp_int* d) |
3057 | 935 | { |
3058 | 935 | int res; |
3059 | 935 | mp_int t; |
3060 | | |
3061 | 935 | if ((res = mp_init (&t)) != MP_OKAY) { |
3062 | 0 | return res; |
3063 | 0 | } |
3064 | | |
3065 | 935 | res = mp_add (a, b, &t); |
3066 | 935 | if (res == MP_OKAY) { |
3067 | 931 | res = mp_mod (&t, c, d); |
3068 | 931 | } |
3069 | | |
3070 | 935 | mp_clear (&t); |
3071 | | |
3072 | 935 | return res; |
3073 | 935 | } |
3074 | | |
3075 | | /* d = a - b (mod c) - a < c and b < c and positive */ |
3076 | | int mp_submod_ct(mp_int* a, mp_int* b, mp_int* c, mp_int* d) |
3077 | 8.27M | { |
3078 | 8.27M | int res; |
3079 | 8.27M | mp_int t; |
3080 | 8.27M | mp_int* r = d; |
3081 | | |
3082 | 8.27M | if (c == d) { |
3083 | 0 | r = &t; |
3084 | |
|
3085 | 0 | if ((res = mp_init (r)) != MP_OKAY) { |
3086 | 0 | return res; |
3087 | 0 | } |
3088 | 0 | } |
3089 | | |
3090 | 8.27M | res = mp_sub (a, b, r); |
3091 | 8.27M | if (res == MP_OKAY) { |
3092 | 8.27M | if (mp_isneg (r)) { |
3093 | 3.71M | res = mp_add (r, c, d); |
3094 | 4.55M | } else if (c == d) { |
3095 | 0 | res = mp_copy (r, d); |
3096 | 0 | } |
3097 | 8.27M | } |
3098 | | |
3099 | 8.27M | if (c == d) { |
3100 | 0 | mp_clear (r); |
3101 | 0 | } |
3102 | | |
3103 | 8.27M | return res; |
3104 | 8.27M | } |
3105 | | |
3106 | | /* d = a + b (mod c) - a < c and b < c and positive */ |
3107 | | int mp_addmod_ct(mp_int* a, mp_int* b, mp_int* c, mp_int* d) |
3108 | 6.38M | { |
3109 | 6.38M | int res; |
3110 | 6.38M | mp_int t; |
3111 | 6.38M | mp_int* r = d; |
3112 | | |
3113 | 6.38M | if (c == d) { |
3114 | 2 | r = &t; |
3115 | | |
3116 | 2 | if ((res = mp_init (r)) != MP_OKAY) { |
3117 | 0 | return res; |
3118 | 0 | } |
3119 | 2 | } |
3120 | | |
3121 | 6.38M | res = mp_add (a, b, r); |
3122 | 6.38M | if (res == MP_OKAY) { |
3123 | 6.38M | if (mp_cmp (r, c) != MP_LT) { |
3124 | 3.12M | res = mp_sub (r, c, d); |
3125 | 3.26M | } else if (c == d) { |
3126 | 1 | res = mp_copy (r, d); |
3127 | 1 | } |
3128 | 6.38M | } |
3129 | | |
3130 | 6.38M | if (c == d) { |
3131 | 2 | mp_clear (r); |
3132 | 2 | } |
3133 | | |
3134 | 6.38M | return res; |
3135 | 6.38M | } |
3136 | | |
3137 | | /* computes b = a*a */ |
3138 | | int mp_sqr (mp_int * a, mp_int * b) |
3139 | 8.40M | { |
3140 | 8.40M | int res; |
3141 | | |
3142 | 8.40M | { |
3143 | 8.40M | #ifdef BN_FAST_S_MP_SQR_C |
3144 | | /* can we use the fast comba multiplier? */ |
3145 | 8.40M | if ((a->used * 2 + 1) < (int)MP_WARRAY && |
3146 | 8.40M | a->used < |
3147 | 8.40M | (1 << (sizeof(mp_word) * CHAR_BIT - 2*DIGIT_BIT - 1))) { |
3148 | 8.24M | res = fast_s_mp_sqr (a, b); |
3149 | 8.24M | } else |
3150 | 159k | #endif |
3151 | 159k | #ifdef BN_S_MP_SQR_C |
3152 | 159k | res = s_mp_sqr (a, b); |
3153 | | #else |
3154 | | res = MP_VAL; |
3155 | | #endif |
3156 | 8.40M | } |
3157 | 8.40M | b->sign = MP_ZPOS; |
3158 | 8.40M | return res; |
3159 | 8.40M | } |
3160 | | |
3161 | | |
3162 | | /* high level multiplication (handles sign) */ |
3163 | | #if defined(FREESCALE_LTC_TFM) |
3164 | | int wolfcrypt_mp_mul(mp_int *a, mp_int *b, mp_int *c) |
3165 | | #else |
3166 | | int mp_mul (mp_int * a, mp_int * b, mp_int * c) |
3167 | | #endif |
3168 | 12.9M | { |
3169 | 12.9M | int res, neg; |
3170 | 12.9M | neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG; |
3171 | | |
3172 | 12.9M | { |
3173 | 12.9M | #ifdef BN_FAST_S_MP_MUL_DIGS_C |
3174 | | /* can we use the fast multiplier? |
3175 | | * |
3176 | | * The fast multiplier can be used if the output will |
3177 | | * have less than MP_WARRAY digits and the number of |
3178 | | * digits won't affect carry propagation |
3179 | | */ |
3180 | 12.9M | int digs = a->used + b->used + 1; |
3181 | | |
3182 | 12.9M | if ((digs < (int)MP_WARRAY) && |
3183 | 12.9M | MIN(a->used, b->used) <= |
3184 | 12.9M | (1L << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) { |
3185 | 12.9M | res = fast_s_mp_mul_digs (a, b, c, digs); |
3186 | 12.9M | } else |
3187 | 1 | #endif |
3188 | 1 | #ifdef BN_S_MP_MUL_DIGS_C |
3189 | 1 | res = s_mp_mul (a, b, c); /* uses s_mp_mul_digs */ |
3190 | | #else |
3191 | | res = MP_VAL; |
3192 | | #endif |
3193 | | |
3194 | 12.9M | } |
3195 | 12.9M | c->sign = (c->used > 0) ? neg : MP_ZPOS; |
3196 | 12.9M | return res; |
3197 | 12.9M | } |
3198 | | |
3199 | | |
3200 | | /* b = a*2 */ |
3201 | | int mp_mul_2(mp_int * a, mp_int * b) |
3202 | 1.72M | { |
3203 | 1.72M | int x, res, oldused; |
3204 | | |
3205 | | /* grow to accommodate result */ |
3206 | 1.72M | if (b->alloc < a->used + 1) { |
3207 | 20 | if ((res = mp_grow (b, a->used + 1)) != MP_OKAY) { |
3208 | 3 | return res; |
3209 | 3 | } |
3210 | 20 | } |
3211 | | |
3212 | 1.72M | oldused = b->used; |
3213 | 1.72M | b->used = a->used; |
3214 | | |
3215 | 1.72M | { |
3216 | 1.72M | mp_digit r, rr, *tmpa, *tmpb; |
3217 | | |
3218 | | /* alias for source */ |
3219 | 1.72M | tmpa = a->dp; |
3220 | | |
3221 | | /* alias for dest */ |
3222 | 1.72M | tmpb = b->dp; |
3223 | | |
3224 | | /* carry */ |
3225 | 1.72M | r = 0; |
3226 | 6.12M | for (x = 0; x < a->used; x++) { |
3227 | | |
3228 | | /* get what will be the *next* carry bit from the |
3229 | | * MSB of the current digit |
3230 | | */ |
3231 | 4.39M | rr = *tmpa >> ((mp_digit)(DIGIT_BIT - 1)); |
3232 | | |
3233 | | /* now shift up this digit, add in the carry [from the previous] */ |
3234 | 4.39M | *tmpb++ = (mp_digit)(((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK); |
3235 | | |
3236 | | /* copy the carry that would be from the source |
3237 | | * digit into the next iteration |
3238 | | */ |
3239 | 4.39M | r = rr; |
3240 | 4.39M | } |
3241 | | |
3242 | | /* new leading digit? */ |
3243 | 1.72M | if (r != 0) { |
3244 | | /* add a MSB which is always 1 at this point */ |
3245 | 14.3k | *tmpb = 1; |
3246 | 14.3k | ++(b->used); |
3247 | 14.3k | } |
3248 | | |
3249 | | /* now zero any excess digits on the destination |
3250 | | * that we didn't write to |
3251 | | */ |
3252 | 1.72M | tmpb = b->dp + b->used; |
3253 | 1.72M | for (x = b->used; x < oldused; x++) { |
3254 | 0 | *tmpb++ = 0; |
3255 | 0 | } |
3256 | 1.72M | } |
3257 | 1.72M | b->sign = a->sign; |
3258 | 1.72M | return MP_OKAY; |
3259 | 1.72M | } |
3260 | | |
3261 | | |
3262 | | /* divide by three (based on routine from MPI and the GMP manual) */ |
3263 | | int mp_div_3 (mp_int * a, mp_int *c, mp_digit * d) |
3264 | 7.49k | { |
3265 | 7.49k | mp_int q; |
3266 | 7.49k | mp_word w, t; |
3267 | 7.49k | mp_digit b; |
3268 | 7.49k | int res, ix; |
3269 | | |
3270 | | /* b = 2**DIGIT_BIT / 3 */ |
3271 | 7.49k | b = (mp_digit) ( (((mp_word)1) << ((mp_word)DIGIT_BIT)) / ((mp_word)3) ); |
3272 | | |
3273 | 7.49k | if ((res = mp_init_size(&q, a->used)) != MP_OKAY) { |
3274 | 12 | return res; |
3275 | 12 | } |
3276 | | |
3277 | 7.48k | q.used = a->used; |
3278 | 7.48k | q.sign = a->sign; |
3279 | 7.48k | w = 0; |
3280 | | |
3281 | 7.48k | if (a->used == 0) |
3282 | 2 | return MP_VAL; |
3283 | | |
3284 | 57.1k | for (ix = a->used - 1; ix >= 0; ix--) { |
3285 | 49.6k | w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]); |
3286 | | |
3287 | 49.6k | if (w >= 3) { |
3288 | | /* multiply w by [1/3] */ |
3289 | 49.5k | t = (w * ((mp_word)b)) >> ((mp_word)DIGIT_BIT); |
3290 | | |
3291 | | /* now subtract 3 * [w/3] from w, to get the remainder */ |
3292 | 49.5k | w -= t+t+t; |
3293 | | |
3294 | | /* fixup the remainder as required since |
3295 | | * the optimization is not exact. |
3296 | | */ |
3297 | 80.0k | while (w >= 3) { |
3298 | 30.5k | t += 1; |
3299 | 30.5k | w -= 3; |
3300 | 30.5k | } |
3301 | 49.5k | } else { |
3302 | 122 | t = 0; |
3303 | 122 | } |
3304 | 49.6k | q.dp[ix] = (mp_digit)t; |
3305 | 49.6k | } |
3306 | | |
3307 | | /* [optional] store the remainder */ |
3308 | 7.47k | if (d != NULL) { |
3309 | 7.47k | *d = (mp_digit)w; |
3310 | 7.47k | } |
3311 | | |
3312 | | /* [optional] store the quotient */ |
3313 | 7.47k | if (c != NULL) { |
3314 | 2.16k | mp_clamp(&q); |
3315 | 2.16k | mp_exch(&q, c); |
3316 | 2.16k | } |
3317 | 7.47k | mp_clear(&q); |
3318 | | |
3319 | 7.47k | return res; |
3320 | 7.48k | } |
3321 | | |
3322 | | |
3323 | | /* init an mp_init for a given size */ |
3324 | | int mp_init_size (mp_int * a, int size) |
3325 | 4.49M | { |
3326 | | /* pad size so there are always extra digits */ |
3327 | 4.49M | size += (MP_PREC * 2) - (size % MP_PREC); |
3328 | | |
3329 | | /* alloc mem */ |
3330 | 4.49M | a->dp = (mp_digit *)XMALLOC (sizeof (mp_digit) * size, NULL, |
3331 | 4.49M | DYNAMIC_TYPE_BIGINT); |
3332 | 4.49M | if (a->dp == NULL) { |
3333 | 7.97k | return MP_MEM; |
3334 | 7.97k | } |
3335 | | |
3336 | | /* set the members */ |
3337 | 4.48M | a->used = 0; |
3338 | 4.48M | a->alloc = size; |
3339 | 4.48M | a->sign = MP_ZPOS; |
3340 | | #ifdef HAVE_WOLF_BIGINT |
3341 | | wc_bigint_init(&a->raw); |
3342 | | #endif |
3343 | | |
3344 | | /* zero the digits */ |
3345 | 4.48M | XMEMSET(a->dp, 0, sizeof (mp_digit) * size); |
3346 | | |
3347 | 4.48M | return MP_OKAY; |
3348 | 4.49M | } |
3349 | | |
3350 | | |
3351 | | /* the list of squaring... |
3352 | | * you do like mult except the offset of the tmpx [one that |
3353 | | * starts closer to zero] can't equal the offset of tmpy. |
3354 | | * So basically you set up iy like before then you min it with |
3355 | | * (ty-tx) so that it never happens. You double all those |
3356 | | * you add in the inner loop |
3357 | | |
3358 | | After that loop you do the squares and add them in. |
3359 | | */ |
3360 | | |
3361 | | int fast_s_mp_sqr (mp_int * a, mp_int * b) |
3362 | 8.24M | { |
3363 | 8.24M | int olduse, res, pa, ix, iz; |
3364 | | /* uses dynamic memory and slower */ |
3365 | 8.24M | WC_DECLARE_VAR(W, mp_digit, MP_WARRAY, 0); |
3366 | 8.24M | mp_digit *tmpx; |
3367 | 8.24M | mp_word W1; |
3368 | | |
3369 | | /* grow the destination as required */ |
3370 | 8.24M | pa = a->used + a->used; |
3371 | 8.24M | if (b->alloc < pa) { |
3372 | 1.73M | if ((res = mp_grow (b, pa)) != MP_OKAY) { |
3373 | 37 | return res; |
3374 | 37 | } |
3375 | 1.73M | } |
3376 | | |
3377 | 8.24M | if (pa > (int)MP_WARRAY) |
3378 | 0 | return MP_RANGE; /* TAO range check */ |
3379 | | |
3380 | 8.24M | if (pa == 0) { |
3381 | | /* Nothing to do. Zero result and return. */ |
3382 | 98.8k | mp_zero(b); |
3383 | 98.8k | return MP_OKAY; |
3384 | 98.8k | } |
3385 | | |
3386 | 8.14M | WC_ALLOC_VAR_EX(W, mp_digit, pa, NULL, DYNAMIC_TYPE_BIGINT, |
3387 | 8.14M | return MP_MEM); |
3388 | | |
3389 | | /* number of output digits to produce */ |
3390 | 8.14M | W1 = 0; |
3391 | 103M | for (ix = 0; ix < pa; ix++) { |
3392 | 95.5M | int tx, ty, iy; |
3393 | 95.5M | mp_word _W; |
3394 | 95.5M | mp_digit *tmpy; |
3395 | | |
3396 | | /* clear counter */ |
3397 | 95.5M | _W = 0; |
3398 | | |
3399 | | /* get offsets into the two bignums */ |
3400 | 95.5M | ty = MIN(a->used-1, ix); |
3401 | 95.5M | tx = ix - ty; |
3402 | | |
3403 | | /* setup temp aliases */ |
3404 | 95.5M | tmpx = a->dp + tx; |
3405 | 95.5M | tmpy = a->dp + ty; |
3406 | | |
3407 | | /* this is the number of times the loop will iterate, essentially |
3408 | | while (tx++ < a->used && ty-- >= 0) { ... } |
3409 | | */ |
3410 | 95.5M | iy = MIN(a->used-tx, ty+1); |
3411 | | |
3412 | | /* now for squaring tx can never equal ty |
3413 | | * we halve the distance since they approach at a rate of 2x |
3414 | | * and we have to round because odd cases need to be executed |
3415 | | */ |
3416 | 95.5M | iy = MIN(iy, (ty-tx+1)>>1); |
3417 | | |
3418 | | /* execute loop */ |
3419 | 421M | for (iz = 0; iz < iy; iz++) { |
3420 | 325M | _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--); |
3421 | 325M | } |
3422 | | |
3423 | | /* double the inner product and add carry */ |
3424 | 95.5M | _W = _W + _W + W1; |
3425 | | |
3426 | | /* even columns have the square term in them */ |
3427 | 95.5M | if ((ix&1) == 0) { |
3428 | 47.7M | _W += ((mp_word)a->dp[ix>>1])*((mp_word)a->dp[ix>>1]); |
3429 | 47.7M | } |
3430 | | |
3431 | | /* store it */ |
3432 | 95.5M | W[ix] = (mp_digit)(_W & MP_MASK); |
3433 | | |
3434 | | /* make next carry */ |
3435 | 95.5M | W1 = _W >> ((mp_word)DIGIT_BIT); |
3436 | 95.5M | } |
3437 | | |
3438 | | /* setup dest */ |
3439 | 8.14M | olduse = b->used; |
3440 | 8.14M | b->used = a->used+a->used; |
3441 | | |
3442 | 8.14M | { |
3443 | 8.14M | mp_digit *tmpb; |
3444 | 8.14M | tmpb = b->dp; |
3445 | 103M | for (ix = 0; ix < pa; ix++) { |
3446 | 95.5M | *tmpb++ = (mp_digit)(W[ix] & MP_MASK); |
3447 | 95.5M | } |
3448 | | |
3449 | | /* clear unused digits [that existed in the old copy of c] */ |
3450 | 8.21M | for (; ix < olduse; ix++) { |
3451 | 70.3k | *tmpb++ = 0; |
3452 | 70.3k | } |
3453 | 8.14M | } |
3454 | 8.14M | mp_clamp (b); |
3455 | | |
3456 | 8.14M | WC_FREE_VAR_EX(W, NULL, DYNAMIC_TYPE_BIGINT); |
3457 | | |
3458 | 8.14M | return MP_OKAY; |
3459 | 8.14M | } |
3460 | | |
3461 | | |
3462 | | /* Fast (comba) multiplier |
3463 | | * |
3464 | | * This is the fast column-array [comba] multiplier. It is |
3465 | | * designed to compute the columns of the product first |
3466 | | * then handle the carries afterwards. This has the effect |
3467 | | * of making the nested loops that compute the columns very |
3468 | | * simple and schedulable on super-scalar processors. |
3469 | | * |
3470 | | * This has been modified to produce a variable number of |
3471 | | * digits of output so if say only a half-product is required |
3472 | | * you don't have to compute the upper half (a feature |
3473 | | * required for fast Barrett reduction). |
3474 | | * |
3475 | | * Based on Algorithm 14.12 on pp.595 of HAC. |
3476 | | * |
3477 | | */ |
3478 | | int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) |
3479 | 13.2M | { |
3480 | 13.2M | int olduse, res, pa, ix, iz; |
3481 | | /* uses dynamic memory and slower */ |
3482 | 13.2M | WC_DECLARE_VAR(W, mp_digit, MP_WARRAY, 0); |
3483 | 13.2M | mp_word _W; |
3484 | | |
3485 | | /* grow the destination as required */ |
3486 | 13.2M | if (c->alloc < digs) { |
3487 | 1.56M | if ((res = mp_grow (c, digs)) != MP_OKAY) { |
3488 | 20 | return res; |
3489 | 20 | } |
3490 | 1.56M | } |
3491 | | |
3492 | | /* number of output digits to produce */ |
3493 | 13.2M | pa = MIN(digs, a->used + b->used); |
3494 | 13.2M | if (pa > (int)MP_WARRAY) |
3495 | 0 | return MP_RANGE; /* TAO range check */ |
3496 | | |
3497 | 13.2M | if (pa == 0) { |
3498 | | /* Nothing to do. Zero result and return. */ |
3499 | 41.1k | mp_zero(c); |
3500 | 41.1k | return MP_OKAY; |
3501 | 41.1k | } |
3502 | | |
3503 | 13.1M | WC_ALLOC_VAR_EX(W, mp_digit, pa, NULL, DYNAMIC_TYPE_BIGINT, |
3504 | 13.1M | return MP_MEM); |
3505 | | |
3506 | | /* clear the carry */ |
3507 | 13.1M | _W = 0; |
3508 | 175M | for (ix = 0; ix < pa; ix++) { |
3509 | 161M | int tx, ty; |
3510 | 161M | int iy; |
3511 | 161M | mp_digit *tmpx, *tmpy; |
3512 | | |
3513 | 161M | if ((a->used > 0) && (b->used > 0)) { |
3514 | | /* get offsets into the two bignums */ |
3515 | 160M | ty = MIN(b->used-1, ix); |
3516 | 160M | tx = ix - ty; |
3517 | | |
3518 | | /* setup temp aliases */ |
3519 | 160M | tmpx = a->dp + tx; |
3520 | 160M | tmpy = b->dp + ty; |
3521 | | |
3522 | | /* this is the number of times the loop will iterate, essentially |
3523 | | while (tx++ < a->used && ty-- >= 0) { ... } |
3524 | | */ |
3525 | 160M | iy = MIN(a->used-tx, ty+1); |
3526 | | |
3527 | | /* execute loop */ |
3528 | 2.24G | for (iz = 0; iz < iy; ++iz) { |
3529 | 2.07G | _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--); |
3530 | | |
3531 | 2.07G | } |
3532 | 160M | } |
3533 | | |
3534 | | /* store term */ |
3535 | 161M | W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK); |
3536 | | |
3537 | | /* make next carry */ |
3538 | 161M | _W = _W >> ((mp_word)DIGIT_BIT); |
3539 | 161M | } |
3540 | | |
3541 | | /* setup dest */ |
3542 | 13.1M | olduse = c->used; |
3543 | 13.1M | c->used = pa; |
3544 | | |
3545 | 13.1M | { |
3546 | 13.1M | mp_digit *tmpc; |
3547 | 13.1M | tmpc = c->dp; |
3548 | 175M | for (ix = 0; ix < pa; ix++) { /* JRB, +1 could read uninitialized data */ |
3549 | | /* now extract the previous digit [below the carry] */ |
3550 | 161M | *tmpc++ = W[ix]; |
3551 | 161M | } |
3552 | | |
3553 | | /* clear unused digits [that existed in the old copy of c] */ |
3554 | 13.1M | for (; ix < olduse; ix++) { |
3555 | 2 | *tmpc++ = 0; |
3556 | 2 | } |
3557 | 13.1M | } |
3558 | 13.1M | mp_clamp (c); |
3559 | | |
3560 | 13.1M | WC_FREE_VAR_EX(W, NULL, DYNAMIC_TYPE_BIGINT); |
3561 | | |
3562 | 13.1M | return MP_OKAY; |
3563 | 13.1M | } |
3564 | | |
3565 | | |
3566 | | /* low level squaring, b = a*a, HAC pp.596-597, Algorithm 14.16 */ |
3567 | | int s_mp_sqr (mp_int * a, mp_int * b) |
3568 | 159k | { |
3569 | 159k | mp_int t; |
3570 | 159k | int res, ix, iy, pa; |
3571 | 159k | mp_word r; |
3572 | 159k | mp_digit u, tmpx, *tmpt; |
3573 | | |
3574 | 159k | pa = a->used; |
3575 | 159k | if ((res = mp_init_size (&t, 2*pa + 1)) != MP_OKAY) { |
3576 | 1 | return res; |
3577 | 1 | } |
3578 | | |
3579 | | /* default used is maximum possible size */ |
3580 | 159k | t.used = 2*pa + 1; |
3581 | | |
3582 | 22.6M | for (ix = 0; ix < pa; ix++) { |
3583 | | /* first calculate the digit at 2*ix */ |
3584 | | /* calculate double precision result */ |
3585 | 22.5M | r = ((mp_word) t.dp[2*ix]) + |
3586 | 22.5M | ((mp_word)a->dp[ix])*((mp_word)a->dp[ix]); |
3587 | | |
3588 | | /* store lower part in result */ |
3589 | 22.5M | t.dp[ix+ix] = (mp_digit) (r & ((mp_word) MP_MASK)); |
3590 | | |
3591 | | /* get the carry */ |
3592 | 22.5M | u = (mp_digit)(r >> ((mp_word) DIGIT_BIT)); |
3593 | | |
3594 | | /* left hand side of A[ix] * A[iy] */ |
3595 | 22.5M | tmpx = a->dp[ix]; |
3596 | | |
3597 | | /* alias for where to store the results */ |
3598 | 22.5M | tmpt = t.dp + (2*ix + 1); |
3599 | | |
3600 | 1.61G | for (iy = ix + 1; iy < pa; iy++) { |
3601 | | /* first calculate the product */ |
3602 | 1.59G | r = ((mp_word)tmpx) * ((mp_word)a->dp[iy]); |
3603 | | |
3604 | | /* now calculate the double precision result, note we use |
3605 | | * addition instead of *2 since it's easier to optimize |
3606 | | */ |
3607 | 1.59G | r = ((mp_word) *tmpt) + r + r + ((mp_word) u); |
3608 | | |
3609 | | /* store lower part */ |
3610 | 1.59G | *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK)); |
3611 | | |
3612 | | /* get carry */ |
3613 | 1.59G | u = (mp_digit)(r >> ((mp_word) DIGIT_BIT)); |
3614 | 1.59G | } |
3615 | | /* propagate upwards */ |
3616 | 44.6M | while (u != ((mp_digit) 0)) { |
3617 | 22.0M | r = ((mp_word) *tmpt) + ((mp_word) u); |
3618 | 22.0M | *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK)); |
3619 | 22.0M | u = (mp_digit)(r >> ((mp_word) DIGIT_BIT)); |
3620 | 22.0M | } |
3621 | 22.5M | } |
3622 | | |
3623 | 159k | mp_clamp (&t); |
3624 | 159k | mp_exch (&t, b); |
3625 | 159k | mp_clear (&t); |
3626 | 159k | return MP_OKAY; |
3627 | 159k | } |
3628 | | |
3629 | | |
3630 | | /* multiplies |a| * |b| and only computes up to digs digits of result |
3631 | | * HAC pp. 595, Algorithm 14.12 Modified so you can control how |
3632 | | * many digits of output are created. |
3633 | | */ |
3634 | | int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) |
3635 | 257k | { |
3636 | 257k | mp_int t; |
3637 | 257k | int res, pa, pb, ix, iy; |
3638 | 257k | mp_digit u; |
3639 | 257k | mp_word r; |
3640 | 257k | mp_digit tmpx, *tmpt, *tmpy; |
3641 | | |
3642 | | /* can we use the fast multiplier? */ |
3643 | 257k | if ((digs < (int)MP_WARRAY) && |
3644 | 257k | MIN (a->used, b->used) < |
3645 | 257k | (1L << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) { |
3646 | 257k | return fast_s_mp_mul_digs (a, b, c, digs); |
3647 | 257k | } |
3648 | | |
3649 | 1 | if ((res = mp_init_size (&t, digs)) != MP_OKAY) { |
3650 | 0 | return res; |
3651 | 0 | } |
3652 | 1 | t.used = digs; |
3653 | | |
3654 | | /* compute the digits of the product directly */ |
3655 | 1 | pa = a->used; |
3656 | 1.38k | for (ix = 0; ix < pa; ix++) { |
3657 | | /* set the carry to zero */ |
3658 | 1.38k | u = 0; |
3659 | | |
3660 | | /* limit ourselves to making digs digits of output */ |
3661 | 1.38k | pb = MIN (b->used, digs - ix); |
3662 | | |
3663 | | /* setup some aliases */ |
3664 | | /* copy of the digit from a used within the nested loop */ |
3665 | 1.38k | tmpx = a->dp[ix]; |
3666 | | |
3667 | | /* an alias for the destination shifted ix places */ |
3668 | 1.38k | tmpt = t.dp + ix; |
3669 | | |
3670 | | /* an alias for the digits of b */ |
3671 | 1.38k | tmpy = b->dp; |
3672 | | |
3673 | | /* compute the columns of the output and propagate the carry */ |
3674 | 4.14k | for (iy = 0; iy < pb; iy++) { |
3675 | | /* compute the column as a mp_word */ |
3676 | 2.76k | r = ((mp_word)*tmpt) + |
3677 | 2.76k | ((mp_word)tmpx) * ((mp_word)*tmpy++) + |
3678 | 2.76k | ((mp_word) u); |
3679 | | |
3680 | | /* the new column is the lower part of the result */ |
3681 | 2.76k | *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK)); |
3682 | | |
3683 | | /* get the carry word from the result */ |
3684 | 2.76k | u = (mp_digit) (r >> ((mp_word) DIGIT_BIT)); |
3685 | 2.76k | } |
3686 | | /* set carry if it is placed below digs */ |
3687 | 1.38k | if (ix + iy < digs) { |
3688 | 1.38k | *tmpt = u; |
3689 | 1.38k | } |
3690 | 1.38k | } |
3691 | | |
3692 | 1 | mp_clamp (&t); |
3693 | 1 | mp_exch (&t, c); |
3694 | | |
3695 | 1 | mp_clear (&t); |
3696 | 1 | return MP_OKAY; |
3697 | 1 | } |
3698 | | |
3699 | | |
3700 | | /* |
3701 | | * shifts with subtractions when the result is greater than b. |
3702 | | * |
3703 | | * The method is slightly modified to shift B unconditionally up to just under |
3704 | | * the leading bit of b. This saves a lot of multiple precision shifting. |
3705 | | */ |
3706 | | int mp_montgomery_calc_normalization (mp_int * a, mp_int * b) |
3707 | 78.6k | { |
3708 | 78.6k | int x, bits, res; |
3709 | | |
3710 | | /* how many bits of last digit does b use */ |
3711 | 78.6k | bits = mp_count_bits (b) % DIGIT_BIT; |
3712 | | |
3713 | 78.6k | if (b->used > 1) { |
3714 | 78.5k | if ((res = mp_2expt (a, (b->used - 1) * DIGIT_BIT + bits - 1)) |
3715 | 78.5k | != MP_OKAY) { |
3716 | 10 | return res; |
3717 | 10 | } |
3718 | 78.5k | } else { |
3719 | 91 | if ((res = mp_set(a, 1)) != MP_OKAY) { |
3720 | 3 | return res; |
3721 | 3 | } |
3722 | 88 | bits = 1; |
3723 | 88 | } |
3724 | | |
3725 | | /* now compute C = A * B mod b */ |
3726 | 1.80M | for (x = bits - 1; x < (int)DIGIT_BIT; x++) { |
3727 | 1.72M | if ((res = mp_mul_2 (a, a)) != MP_OKAY) { |
3728 | 3 | return res; |
3729 | 3 | } |
3730 | 1.72M | if (mp_cmp_mag (a, b) != MP_LT) { |
3731 | 298k | if ((res = s_mp_sub (a, b, a)) != MP_OKAY) { |
3732 | 0 | return res; |
3733 | 0 | } |
3734 | 298k | } |
3735 | 1.72M | } |
3736 | | |
3737 | 78.6k | return MP_OKAY; |
3738 | 78.6k | } |
3739 | | |
3740 | | |
3741 | | #ifdef MP_LOW_MEM |
3742 | | #define TAB_SIZE 32 |
3743 | | #else |
3744 | | #define TAB_SIZE 256 |
3745 | | #endif |
3746 | | |
3747 | | int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode) |
3748 | 5.28k | { |
3749 | 5.28k | mp_int M[TAB_SIZE], res, mu; |
3750 | 5.28k | mp_digit buf; |
3751 | 5.28k | int err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize; |
3752 | 5.28k | int (*redux)(mp_int*,mp_int*,mp_int*); |
3753 | | |
3754 | | /* find window size */ |
3755 | 5.28k | x = mp_count_bits (X); |
3756 | 5.28k | if (x <= 7) { |
3757 | 147 | winsize = 2; |
3758 | 5.13k | } else if (x <= 36) { |
3759 | 4.38k | winsize = 3; |
3760 | 4.38k | } else if (x <= 140) { |
3761 | 524 | winsize = 4; |
3762 | 524 | } else if (x <= 450) { |
3763 | 150 | winsize = 5; |
3764 | 150 | } else if (x <= 1303) { |
3765 | 26 | winsize = 6; |
3766 | 50 | } else if (x <= 3529) { |
3767 | 24 | winsize = 7; |
3768 | 26 | } else { |
3769 | 26 | winsize = 8; |
3770 | 26 | } |
3771 | | |
3772 | 5.28k | #ifdef MP_LOW_MEM |
3773 | 5.28k | if (winsize > 5) { |
3774 | 76 | winsize = 5; |
3775 | 76 | } |
3776 | 5.28k | #endif |
3777 | | |
3778 | | /* init M array */ |
3779 | | /* init first cell */ |
3780 | 5.28k | if ((err = mp_init(&M[1])) != MP_OKAY) { |
3781 | 0 | return err; |
3782 | 0 | } |
3783 | | |
3784 | | /* now init the second half of the array */ |
3785 | 30.9k | for (x = 1<<(winsize-1); x < (1 << winsize); x++) { |
3786 | 25.6k | if ((err = mp_init(&M[x])) != MP_OKAY) { |
3787 | 0 | for (y = 1<<(winsize-1); y < x; y++) { |
3788 | 0 | mp_clear (&M[y]); |
3789 | 0 | } |
3790 | 0 | mp_clear(&M[1]); |
3791 | 0 | return err; |
3792 | 0 | } |
3793 | 25.6k | } |
3794 | | |
3795 | | /* create mu, used for Barrett reduction */ |
3796 | 5.28k | if ((err = mp_init (&mu)) != MP_OKAY) { |
3797 | 0 | goto LBL_M; |
3798 | 0 | } |
3799 | | |
3800 | 5.28k | if (redmode == 0) { |
3801 | 346 | if ((err = mp_reduce_setup (&mu, P)) != MP_OKAY) { |
3802 | 7 | goto LBL_MU; |
3803 | 7 | } |
3804 | 339 | redux = mp_reduce; |
3805 | 4.93k | } else { |
3806 | 4.93k | if ((err = mp_reduce_2k_setup_l (P, &mu)) != MP_OKAY) { |
3807 | 2 | goto LBL_MU; |
3808 | 2 | } |
3809 | 4.93k | redux = mp_reduce_2k_l; |
3810 | 4.93k | } |
3811 | | |
3812 | | /* create M table |
3813 | | * |
3814 | | * The M table contains powers of the base, |
3815 | | * e.g. M[x] = G**x mod P |
3816 | | * |
3817 | | * The first half of the table is not |
3818 | | * computed though accept for M[0] and M[1] |
3819 | | */ |
3820 | 5.27k | if ((err = mp_mod (G, P, &M[1])) != MP_OKAY) { |
3821 | 6 | goto LBL_MU; |
3822 | 6 | } |
3823 | | |
3824 | | /* compute the value at M[1<<(winsize-1)] by squaring |
3825 | | * M[1] (winsize-1) times |
3826 | | */ |
3827 | 5.26k | if ((err = mp_copy (&M[1], &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) { |
3828 | 1 | goto LBL_MU; |
3829 | 1 | } |
3830 | | |
3831 | 16.5k | for (x = 0; x < (winsize - 1); x++) { |
3832 | | /* square it */ |
3833 | 11.3k | if ((err = mp_sqr (&M[(mp_digit)(1 << (winsize - 1))], |
3834 | 11.3k | &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) { |
3835 | 3 | goto LBL_MU; |
3836 | 3 | } |
3837 | | |
3838 | | /* reduce modulo P */ |
3839 | 11.3k | if ((err = redux (&M[(mp_digit)(1 << (winsize - 1))], P, &mu)) != MP_OKAY) { |
3840 | 17 | goto LBL_MU; |
3841 | 17 | } |
3842 | 11.3k | } |
3843 | | |
3844 | | /* create upper table, that is M[x] = M[x-1] * M[1] (mod P) |
3845 | | * for x = (2**(winsize - 1) + 1) to (2**winsize - 1) |
3846 | | */ |
3847 | 25.3k | for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) { |
3848 | 20.1k | if ((err = mp_mul (&M[x - 1], &M[1], &M[x])) != MP_OKAY) { |
3849 | 5 | goto LBL_MU; |
3850 | 5 | } |
3851 | 20.1k | if ((err = redux (&M[x], P, &mu)) != MP_OKAY) { |
3852 | 6 | goto LBL_MU; |
3853 | 6 | } |
3854 | 20.1k | } |
3855 | | |
3856 | | /* setup result */ |
3857 | 5.23k | if ((err = mp_init (&res)) != MP_OKAY) { |
3858 | 0 | goto LBL_MU; |
3859 | 0 | } |
3860 | 5.23k | if ((err = mp_set (&res, 1)) != MP_OKAY) { |
3861 | 2 | goto LBL_MU; |
3862 | 2 | } |
3863 | | |
3864 | | /* set initial mode and bit cnt */ |
3865 | 5.23k | mode = 0; |
3866 | 5.23k | bitcnt = 1; |
3867 | 5.23k | buf = 0; |
3868 | 5.23k | digidx = X->used - 1; |
3869 | 5.23k | bitcpy = 0; |
3870 | 5.23k | bitbuf = 0; |
3871 | | |
3872 | 624k | for (;;) { |
3873 | | /* grab next digit as required */ |
3874 | 624k | if (--bitcnt == 0) { |
3875 | | /* if digidx == -1 we are out of digits */ |
3876 | 15.5k | if (digidx == -1) { |
3877 | 5.22k | break; |
3878 | 5.22k | } |
3879 | | /* read next digit and reset the bitcnt */ |
3880 | 10.3k | buf = X->dp[digidx--]; |
3881 | 10.3k | bitcnt = (int) DIGIT_BIT; |
3882 | 10.3k | } |
3883 | | |
3884 | | /* grab the next msb from the exponent */ |
3885 | 618k | y = (int)(buf >> (mp_digit)(DIGIT_BIT - 1)) & 1; |
3886 | 618k | buf <<= (mp_digit)1; |
3887 | | |
3888 | | /* if the bit is zero and mode == 0 then we ignore it |
3889 | | * These represent the leading zero bits before the first 1 bit |
3890 | | * in the exponent. Technically this opt is not required but it |
3891 | | * does lower the # of trivial squaring/reductions used |
3892 | | */ |
3893 | 618k | if (mode == 0 && y == 0) { |
3894 | 220k | continue; |
3895 | 220k | } |
3896 | | |
3897 | | /* if the bit is zero and mode == 1 then we square */ |
3898 | 398k | if (mode == 1 && y == 0) { |
3899 | 72.9k | if ((err = mp_sqr (&res, &res)) != MP_OKAY) { |
3900 | 1 | goto LBL_RES; |
3901 | 1 | } |
3902 | 72.9k | if ((err = redux (&res, P, &mu)) != MP_OKAY) { |
3903 | 3 | goto LBL_RES; |
3904 | 3 | } |
3905 | 72.9k | continue; |
3906 | 72.9k | } |
3907 | | |
3908 | | /* else we add it to the window */ |
3909 | 325k | bitbuf |= (y << (winsize - ++bitcpy)); |
3910 | 325k | mode = 2; |
3911 | | |
3912 | 325k | if (bitcpy == winsize) { |
3913 | | /* ok window is filled so square as required and multiply */ |
3914 | | /* square first */ |
3915 | 389k | for (x = 0; x < winsize; x++) { |
3916 | 317k | if ((err = mp_sqr (&res, &res)) != MP_OKAY) { |
3917 | 4 | goto LBL_RES; |
3918 | 4 | } |
3919 | 317k | if ((err = redux (&res, P, &mu)) != MP_OKAY) { |
3920 | 5 | goto LBL_RES; |
3921 | 5 | } |
3922 | 317k | } |
3923 | | |
3924 | | /* then multiply */ |
3925 | 71.1k | if ((err = mp_mul (&res, &M[bitbuf], &res)) != MP_OKAY) { |
3926 | 0 | goto LBL_RES; |
3927 | 0 | } |
3928 | 71.1k | if ((err = redux (&res, P, &mu)) != MP_OKAY) { |
3929 | 1 | goto LBL_RES; |
3930 | 1 | } |
3931 | | |
3932 | | /* empty window and reset */ |
3933 | 71.1k | bitcpy = 0; |
3934 | 71.1k | bitbuf = 0; |
3935 | 71.1k | mode = 1; |
3936 | 71.1k | } |
3937 | 325k | } |
3938 | | |
3939 | | /* if bits remain then square/multiply */ |
3940 | 5.22k | if (mode == 2 && bitcpy > 0) { |
3941 | | /* square then multiply if the bit is set */ |
3942 | 11.6k | for (x = 0; x < bitcpy; x++) { |
3943 | 7.05k | if ((err = mp_sqr (&res, &res)) != MP_OKAY) { |
3944 | 1 | goto LBL_RES; |
3945 | 1 | } |
3946 | 7.04k | if ((err = redux (&res, P, &mu)) != MP_OKAY) { |
3947 | 1 | goto LBL_RES; |
3948 | 1 | } |
3949 | | |
3950 | 7.04k | bitbuf <<= 1; |
3951 | 7.04k | if ((bitbuf & (1 << winsize)) != 0) { |
3952 | | /* then multiply */ |
3953 | 6.61k | if ((err = mp_mul (&res, &M[1], &res)) != MP_OKAY) { |
3954 | 1 | goto LBL_RES; |
3955 | 1 | } |
3956 | 6.61k | if ((err = redux (&res, P, &mu)) != MP_OKAY) { |
3957 | 1 | goto LBL_RES; |
3958 | 1 | } |
3959 | 6.61k | } |
3960 | 7.04k | } |
3961 | 4.64k | } |
3962 | | |
3963 | 5.21k | mp_exch (&res, Y); |
3964 | 5.21k | err = MP_OKAY; |
3965 | 5.23k | LBL_RES:mp_clear (&res); |
3966 | 5.28k | LBL_MU:mp_clear (&mu); |
3967 | 5.28k | LBL_M: |
3968 | 5.28k | mp_clear(&M[1]); |
3969 | 30.9k | for (x = 1<<(winsize-1); x < (1 << winsize); x++) { |
3970 | 25.6k | mp_clear (&M[x]); |
3971 | 25.6k | } |
3972 | 5.28k | return err; |
3973 | 5.28k | } |
3974 | | |
3975 | | |
3976 | | /* pre-calculate the value required for Barrett reduction |
3977 | | * For a given modulus "b" it calculates the value required in "a" |
3978 | | */ |
3979 | | int mp_reduce_setup (mp_int * a, mp_int * b) |
3980 | 346 | { |
3981 | 346 | int res; |
3982 | | |
3983 | 346 | if ((res = mp_2expt (a, b->used * 2 * DIGIT_BIT)) != MP_OKAY) { |
3984 | 1 | return res; |
3985 | 1 | } |
3986 | 345 | return mp_div (a, b, a, NULL); |
3987 | 346 | } |
3988 | | |
3989 | | |
3990 | | /* reduces x mod m, assumes 0 < x < m**2, mu is |
3991 | | * precomputed via mp_reduce_setup. |
3992 | | * From HAC pp.604 Algorithm 14.42 |
3993 | | */ |
3994 | | int mp_reduce (mp_int * x, mp_int * m, mp_int * mu) |
3995 | 257k | { |
3996 | 257k | mp_int q; |
3997 | 257k | int res, um = m->used; |
3998 | | |
3999 | | /* q = x */ |
4000 | 257k | if ((res = mp_init_copy (&q, x)) != MP_OKAY) { |
4001 | 1 | return res; |
4002 | 1 | } |
4003 | | |
4004 | | /* q1 = x / b**(k-1) */ |
4005 | 257k | mp_rshd (&q, um - 1); |
4006 | | |
4007 | | /* according to HAC this optimization is ok */ |
4008 | 257k | if (((mp_word) um) > (((mp_digit)1) << (DIGIT_BIT - 1))) { |
4009 | 0 | if ((res = mp_mul (&q, mu, &q)) != MP_OKAY) { |
4010 | 0 | goto CLEANUP; |
4011 | 0 | } |
4012 | 257k | } else { |
4013 | 257k | #ifdef BN_S_MP_MUL_HIGH_DIGS_C |
4014 | 257k | if ((res = s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) { |
4015 | 4 | goto CLEANUP; |
4016 | 4 | } |
4017 | | #elif defined(BN_FAST_S_MP_MUL_HIGH_DIGS_C) |
4018 | | if ((res = fast_s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) { |
4019 | | goto CLEANUP; |
4020 | | } |
4021 | | #else |
4022 | | { |
4023 | | res = MP_VAL; |
4024 | | goto CLEANUP; |
4025 | | } |
4026 | | #endif |
4027 | 257k | } |
4028 | | |
4029 | | /* q3 = q2 / b**(k+1) */ |
4030 | 257k | mp_rshd (&q, um + 1); |
4031 | | |
4032 | | /* x = x mod b**(k+1), quick (no division) */ |
4033 | 257k | if ((res = mp_mod_2d (x, DIGIT_BIT * (um + 1), x)) != MP_OKAY) { |
4034 | 0 | goto CLEANUP; |
4035 | 0 | } |
4036 | | |
4037 | | /* q = q * m mod b**(k+1), quick (no division) */ |
4038 | 257k | if ((res = s_mp_mul_digs (&q, m, &q, um + 1)) != MP_OKAY) { |
4039 | 3 | goto CLEANUP; |
4040 | 3 | } |
4041 | | |
4042 | | /* x = x - q */ |
4043 | 257k | if ((res = mp_sub (x, &q, x)) != MP_OKAY) { |
4044 | 0 | goto CLEANUP; |
4045 | 0 | } |
4046 | | |
4047 | | /* If x < 0, add b**(k+1) to it */ |
4048 | 257k | if (mp_cmp_d (x, 0) == MP_LT) { |
4049 | 882 | if ((res = mp_set (&q, 1)) != MP_OKAY) |
4050 | 0 | goto CLEANUP; |
4051 | 882 | if ((res = mp_lshd (&q, um + 1)) != MP_OKAY) |
4052 | 0 | goto CLEANUP; |
4053 | 882 | if ((res = mp_add (x, &q, x)) != MP_OKAY) |
4054 | 0 | goto CLEANUP; |
4055 | 882 | } |
4056 | | |
4057 | | /* Back off if it's too big */ |
4058 | 4.28M | while (mp_cmp (x, m) != MP_LT) { |
4059 | 4.02M | if ((res = s_mp_sub (x, m, x)) != MP_OKAY) { |
4060 | 0 | goto CLEANUP; |
4061 | 0 | } |
4062 | 4.02M | } |
4063 | | |
4064 | 257k | CLEANUP: |
4065 | 257k | mp_clear (&q); |
4066 | | |
4067 | 257k | return res; |
4068 | 257k | } |
4069 | | |
4070 | | |
4071 | | /* reduces a modulo n where n is of the form 2**p - d |
4072 | | This differs from reduce_2k since "d" can be larger |
4073 | | than a single digit. |
4074 | | */ |
4075 | | int mp_reduce_2k_l(mp_int *a, mp_int *n, mp_int *d) |
4076 | 249k | { |
4077 | 249k | mp_int q; |
4078 | 249k | int p, res; |
4079 | | |
4080 | 249k | if ((res = mp_init(&q)) != MP_OKAY) { |
4081 | 0 | return res; |
4082 | 0 | } |
4083 | | |
4084 | 249k | p = mp_count_bits(n); |
4085 | 1.19M | top: |
4086 | | /* q = a/2**p, a = a mod 2**p */ |
4087 | 1.19M | if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) { |
4088 | 19 | goto ERR; |
4089 | 19 | } |
4090 | | |
4091 | | /* q = q * d */ |
4092 | 1.19M | if ((res = mp_mul(&q, d, &q)) != MP_OKAY) { |
4093 | 7 | goto ERR; |
4094 | 7 | } |
4095 | | |
4096 | | /* a = a + q */ |
4097 | 1.19M | if ((res = s_mp_add(a, &q, a)) != MP_OKAY) { |
4098 | 0 | goto ERR; |
4099 | 0 | } |
4100 | | |
4101 | 1.19M | if (mp_cmp_mag(a, n) != MP_LT) { |
4102 | 941k | if ((res = s_mp_sub(a, n, a)) != MP_OKAY) { |
4103 | 0 | goto ERR; |
4104 | 0 | } |
4105 | 941k | goto top; |
4106 | 941k | } |
4107 | | |
4108 | 249k | ERR: |
4109 | 249k | mp_clear(&q); |
4110 | 249k | return res; |
4111 | 1.19M | } |
4112 | | |
4113 | | |
4114 | | /* determines the setup value */ |
4115 | | int mp_reduce_2k_setup_l(mp_int *a, mp_int *d) |
4116 | 4.93k | { |
4117 | 4.93k | int res; |
4118 | 4.93k | mp_int tmp; |
4119 | | |
4120 | 4.93k | if ((res = mp_init(&tmp)) != MP_OKAY) { |
4121 | 0 | return res; |
4122 | 0 | } |
4123 | | |
4124 | 4.93k | if ((res = mp_2expt(&tmp, mp_count_bits(a))) != MP_OKAY) { |
4125 | 2 | goto ERR; |
4126 | 2 | } |
4127 | | |
4128 | 4.93k | if ((res = s_mp_sub(&tmp, a, d)) != MP_OKAY) { |
4129 | 0 | goto ERR; |
4130 | 0 | } |
4131 | | |
4132 | 4.93k | ERR: |
4133 | 4.93k | mp_clear(&tmp); |
4134 | 4.93k | return res; |
4135 | 4.93k | } |
4136 | | |
4137 | | |
4138 | | /* multiplies |a| * |b| and does not compute the lower digs digits |
4139 | | * [meant to get the higher part of the product] |
4140 | | */ |
4141 | | int s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) |
4142 | 257k | { |
4143 | 257k | mp_int t; |
4144 | 257k | int res, pa, pb, ix, iy; |
4145 | 257k | mp_digit u; |
4146 | 257k | mp_word r; |
4147 | 257k | mp_digit tmpx, *tmpt, *tmpy; |
4148 | | |
4149 | | /* can we use the fast multiplier? */ |
4150 | 257k | #ifdef BN_FAST_S_MP_MUL_HIGH_DIGS_C |
4151 | 257k | if (((a->used + b->used + 1) < (int)MP_WARRAY) |
4152 | 257k | && MIN (a->used, b->used) < |
4153 | 257k | (1L << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) { |
4154 | 257k | return fast_s_mp_mul_high_digs (a, b, c, digs); |
4155 | 257k | } |
4156 | 0 | #endif |
4157 | | |
4158 | 0 | if ((res = mp_init_size (&t, a->used + b->used + 1)) != MP_OKAY) { |
4159 | 0 | return res; |
4160 | 0 | } |
4161 | 0 | t.used = a->used + b->used + 1; |
4162 | |
|
4163 | 0 | pa = a->used; |
4164 | 0 | pb = b->used; |
4165 | 0 | for (ix = 0; ix < pa && a->dp; ix++) { |
4166 | | /* clear the carry */ |
4167 | 0 | u = 0; |
4168 | | |
4169 | | /* left hand side of A[ix] * B[iy] */ |
4170 | 0 | tmpx = a->dp[ix]; |
4171 | | |
4172 | | /* alias to the address of where the digits will be stored */ |
4173 | 0 | tmpt = &(t.dp[digs]); |
4174 | | |
4175 | | /* alias for where to read the right hand side from */ |
4176 | 0 | tmpy = b->dp + (digs - ix); |
4177 | |
|
4178 | 0 | for (iy = digs - ix; iy < pb; iy++) { |
4179 | | /* calculate the double precision result */ |
4180 | 0 | r = ((mp_word)*tmpt) + |
4181 | 0 | ((mp_word)tmpx) * ((mp_word)*tmpy++) + |
4182 | 0 | ((mp_word) u); |
4183 | | |
4184 | | /* get the lower part */ |
4185 | 0 | *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK)); |
4186 | | |
4187 | | /* carry the carry */ |
4188 | 0 | u = (mp_digit) (r >> ((mp_word) DIGIT_BIT)); |
4189 | 0 | } |
4190 | 0 | *tmpt = u; |
4191 | 0 | } |
4192 | 0 | mp_clamp (&t); |
4193 | 0 | mp_exch (&t, c); |
4194 | 0 | mp_clear (&t); |
4195 | 0 | return MP_OKAY; |
4196 | 0 | } |
4197 | | |
4198 | | |
4199 | | /* this is a modified version of fast_s_mul_digs that only produces |
4200 | | * output digits *above* digs. See the comments for fast_s_mul_digs |
4201 | | * to see how it works. |
4202 | | * |
4203 | | * This is used in the Barrett reduction since for one of the multiplications |
4204 | | * only the higher digits were needed. This essentially halves the work. |
4205 | | * |
4206 | | * Based on Algorithm 14.12 on pp.595 of HAC. |
4207 | | */ |
4208 | | int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) |
4209 | 257k | { |
4210 | 257k | int olduse, res, pa, ix, iz; |
4211 | | /* uses dynamic memory and slower */ |
4212 | 257k | WC_DECLARE_VAR(W, mp_digit, MP_WARRAY, 0); |
4213 | 257k | mp_word _W; |
4214 | | |
4215 | 257k | if (a->dp == NULL) { /* JRB, avoid reading uninitialized values */ |
4216 | 0 | return MP_VAL; |
4217 | 0 | } |
4218 | | |
4219 | | /* grow the destination as required */ |
4220 | 257k | pa = a->used + b->used; |
4221 | 257k | if (c->alloc < pa) { |
4222 | 14.7k | if ((res = mp_grow (c, pa)) != MP_OKAY) { |
4223 | 1 | return res; |
4224 | 1 | } |
4225 | 14.7k | } |
4226 | | |
4227 | 257k | if (pa > (int)MP_WARRAY) |
4228 | 0 | return MP_RANGE; /* TAO range check */ |
4229 | | |
4230 | 257k | WC_ALLOC_VAR_EX(W, mp_digit, pa, NULL, DYNAMIC_TYPE_BIGINT, |
4231 | 257k | return MP_MEM); |
4232 | | |
4233 | | /* number of output digits to produce */ |
4234 | 257k | _W = 0; |
4235 | 15.2M | for (ix = digs; ix < pa; ix++) { /* JRB, have a->dp check at top of function*/ |
4236 | 14.9M | int tx, ty, iy; |
4237 | 14.9M | mp_digit *tmpx, *tmpy; |
4238 | | |
4239 | | /* get offsets into the two bignums */ |
4240 | 14.9M | ty = MIN(b->used-1, ix); |
4241 | 14.9M | tx = ix - ty; |
4242 | | |
4243 | | /* setup temp aliases */ |
4244 | 14.9M | tmpx = a->dp + tx; |
4245 | 14.9M | tmpy = b->dp + ty; |
4246 | | |
4247 | | /* this is the number of times the loop will iterate, essentially its |
4248 | | while (tx++ < a->used && ty-- >= 0) { ... } |
4249 | | */ |
4250 | 14.9M | iy = MIN(a->used-tx, ty+1); |
4251 | | |
4252 | | /* execute loop */ |
4253 | 960M | for (iz = 0; iz < iy; iz++) { |
4254 | 945M | _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--); |
4255 | 945M | } |
4256 | | |
4257 | | /* store term */ |
4258 | 14.9M | W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK); |
4259 | | |
4260 | | /* make next carry */ |
4261 | 14.9M | _W = _W >> ((mp_word)DIGIT_BIT); |
4262 | 14.9M | } |
4263 | | |
4264 | | /* setup dest */ |
4265 | 257k | olduse = c->used; |
4266 | 257k | c->used = pa; |
4267 | | |
4268 | 257k | { |
4269 | 257k | mp_digit *tmpc; |
4270 | | |
4271 | 257k | tmpc = c->dp + digs; |
4272 | 15.2M | for (ix = digs; ix < pa; ix++) { /* TAO, <= could potentially overwrite */ |
4273 | | /* now extract the previous digit [below the carry] */ |
4274 | 14.9M | *tmpc++ = W[ix]; |
4275 | 14.9M | } |
4276 | | |
4277 | | /* clear unused digits [that existed in the old copy of c] */ |
4278 | 257k | for (; ix < olduse; ix++) { |
4279 | 0 | *tmpc++ = 0; |
4280 | 0 | } |
4281 | 257k | } |
4282 | 257k | mp_clamp (c); |
4283 | | |
4284 | 257k | WC_FREE_VAR_EX(W, NULL, DYNAMIC_TYPE_BIGINT); |
4285 | | |
4286 | 257k | return MP_OKAY; |
4287 | 257k | } |
4288 | | |
4289 | | |
4290 | | #ifndef MP_SET_CHUNK_BITS |
4291 | 903 | #define MP_SET_CHUNK_BITS 4 |
4292 | | #endif |
4293 | | int mp_set_int (mp_int * a, unsigned long b) |
4294 | 79 | { |
4295 | 79 | int x, res; |
4296 | | |
4297 | | /* use direct mp_set if b is less than mp_digit max */ |
4298 | 79 | if (b < MP_DIGIT_MAX) { |
4299 | 67 | return mp_set (a, (mp_digit)b); |
4300 | 67 | } |
4301 | | |
4302 | 12 | mp_zero (a); |
4303 | | |
4304 | | /* set chunk bits at a time */ |
4305 | 190 | for (x = 0; x < (int)(sizeof(b) * 8) / MP_SET_CHUNK_BITS; x++) { |
4306 | | /* shift the number up chunk bits */ |
4307 | 179 | if ((res = mp_mul_2d (a, MP_SET_CHUNK_BITS, a)) != MP_OKAY) { |
4308 | 1 | return res; |
4309 | 1 | } |
4310 | | |
4311 | | /* OR in the top bits of the source */ |
4312 | 178 | a->dp[0] |= (b >> ((sizeof(b) * 8) - MP_SET_CHUNK_BITS)) & |
4313 | 178 | ((1 << MP_SET_CHUNK_BITS) - 1); |
4314 | | |
4315 | | /* shift the source up to the next chunk bits */ |
4316 | 178 | b <<= MP_SET_CHUNK_BITS; |
4317 | | |
4318 | | /* ensure that digits are not clamped off */ |
4319 | 178 | a->used += 1; |
4320 | 178 | } |
4321 | 11 | mp_clamp (a); |
4322 | 11 | return MP_OKAY; |
4323 | 12 | } |
4324 | | |
4325 | | |
4326 | | #if defined(WOLFSSL_KEY_GEN) || defined(HAVE_ECC) || !defined(NO_RSA) || \ |
4327 | | !defined(NO_DSA) | !defined(NO_DH) |
4328 | | |
4329 | | /* c = a * a (mod b) */ |
4330 | | int mp_sqrmod (mp_int * a, mp_int * b, mp_int * c) |
4331 | 19.4k | { |
4332 | 19.4k | int res; |
4333 | 19.4k | mp_int t; |
4334 | | |
4335 | 19.4k | if ((res = mp_init (&t)) != MP_OKAY) { |
4336 | 0 | return res; |
4337 | 0 | } |
4338 | | |
4339 | 19.4k | if ((res = mp_sqr (a, &t)) != MP_OKAY) { |
4340 | 11 | mp_clear (&t); |
4341 | 11 | return res; |
4342 | 11 | } |
4343 | 19.3k | res = mp_mod (&t, b, c); |
4344 | 19.3k | mp_clear (&t); |
4345 | 19.3k | return res; |
4346 | 19.4k | } |
4347 | | |
4348 | | #endif |
4349 | | |
4350 | | |
4351 | | #if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(WOLFSSL_SNIFFER) || \ |
4352 | | defined(WOLFSSL_HAVE_WOLFSCEP) || defined(WOLFSSL_KEY_GEN) || \ |
4353 | | defined(OPENSSL_EXTRA) || defined(WC_RSA_BLINDING) || \ |
4354 | | (!defined(NO_RSA) && !defined(NO_RSA_BOUNDS_CHECK)) |
4355 | | |
4356 | | /* single digit addition */ |
4357 | | int mp_add_d (mp_int* a, mp_digit b, mp_int* c) /* //NOLINT(misc-no-recursion) */ |
4358 | 4.15M | { |
4359 | 4.15M | int res, ix, oldused; |
4360 | 4.15M | mp_digit *tmpa, *tmpc, mu; |
4361 | | |
4362 | 4.15M | if (b > MP_DIGIT_MAX) return MP_VAL; |
4363 | | |
4364 | | /* grow c as required */ |
4365 | 4.15M | if (c->alloc < a->used + 1) { |
4366 | 74.8k | if ((res = mp_grow(c, a->used + 1)) != MP_OKAY) { |
4367 | 308 | return res; |
4368 | 308 | } |
4369 | 74.8k | } |
4370 | | |
4371 | | /* if a is negative and |a| >= b, call c = |a| - b */ |
4372 | 4.15M | if (a->sign == MP_NEG && (a->used > 1 || a->dp[0] >= b)) { |
4373 | | /* temporarily fix sign of a */ |
4374 | 2 | a->sign = MP_ZPOS; |
4375 | | |
4376 | | /* c = |a| - b */ |
4377 | 2 | res = mp_sub_d(a, b, c); |
4378 | | |
4379 | | /* fix sign */ |
4380 | 2 | a->sign = c->sign = MP_NEG; |
4381 | | |
4382 | | /* clamp */ |
4383 | 2 | mp_clamp(c); |
4384 | | |
4385 | 2 | return res; |
4386 | 2 | } |
4387 | | |
4388 | | /* old number of used digits in c */ |
4389 | 4.15M | oldused = c->used; |
4390 | | |
4391 | | /* source alias */ |
4392 | 4.15M | tmpa = a->dp; |
4393 | | |
4394 | | /* destination alias */ |
4395 | 4.15M | tmpc = c->dp; |
4396 | | |
4397 | 4.15M | if (tmpa == NULL || tmpc == NULL) { |
4398 | 0 | return MP_MEM; |
4399 | 0 | } |
4400 | | |
4401 | | /* if a is positive */ |
4402 | 4.15M | if (a->sign == MP_ZPOS) { |
4403 | | /* add digit, after this we're propagating |
4404 | | * the carry. |
4405 | | */ |
4406 | 4.15M | *tmpc = *tmpa++ + b; |
4407 | 4.15M | mu = *tmpc >> DIGIT_BIT; |
4408 | 4.15M | *tmpc++ &= MP_MASK; |
4409 | | |
4410 | | /* now handle rest of the digits */ |
4411 | 1.40G | for (ix = 1; ix < a->used; ix++) { |
4412 | 1.40G | *tmpc = *tmpa++ + mu; |
4413 | 1.40G | mu = *tmpc >> DIGIT_BIT; |
4414 | 1.40G | *tmpc++ &= MP_MASK; |
4415 | 1.40G | } |
4416 | | /* set final carry */ |
4417 | 4.15M | if (ix < c->alloc) { |
4418 | 4.15M | ix++; |
4419 | 4.15M | *tmpc++ = mu; |
4420 | 4.15M | } |
4421 | | |
4422 | | /* setup size */ |
4423 | 4.15M | c->used = a->used + 1; |
4424 | 4.15M | } else { |
4425 | | /* a was negative and |a| < b */ |
4426 | 4 | c->used = 1; |
4427 | | |
4428 | | /* the result is a single digit */ |
4429 | 4 | if (a->used == 1) { |
4430 | 4 | *tmpc++ = b - a->dp[0]; |
4431 | 4 | } else { |
4432 | 0 | *tmpc++ = b; |
4433 | 0 | } |
4434 | | |
4435 | | /* setup count so the clearing of oldused |
4436 | | * can fall through correctly |
4437 | | */ |
4438 | 4 | ix = 1; |
4439 | 4 | } |
4440 | | |
4441 | | /* sign always positive */ |
4442 | 4.15M | c->sign = MP_ZPOS; |
4443 | | |
4444 | | /* now zero to oldused */ |
4445 | 4.15M | while (ix++ < oldused) { |
4446 | 1 | *tmpc++ = 0; |
4447 | 1 | } |
4448 | 4.15M | mp_clamp(c); |
4449 | | |
4450 | 4.15M | return MP_OKAY; |
4451 | 4.15M | } |
4452 | | |
4453 | | |
4454 | | /* single digit subtraction */ |
4455 | | int mp_sub_d (mp_int * a, mp_digit b, mp_int * c) /* //NOLINT(misc-no-recursion) */ |
4456 | 19.5k | { |
4457 | 19.5k | mp_digit *tmpa, *tmpc, mu; |
4458 | 19.5k | int res, ix, oldused; |
4459 | | |
4460 | 19.5k | if (b > MP_MASK) return MP_VAL; |
4461 | | |
4462 | | /* grow c as required */ |
4463 | 19.5k | if (c->alloc < a->used + 1) { |
4464 | 2.37k | if ((res = mp_grow(c, a->used + 1)) != MP_OKAY) { |
4465 | 1 | return res; |
4466 | 1 | } |
4467 | 2.37k | } |
4468 | | |
4469 | | /* if a is negative just do an unsigned |
4470 | | * addition [with fudged signs] |
4471 | | */ |
4472 | 19.5k | if (a->sign == MP_NEG) { |
4473 | 3 | a->sign = MP_ZPOS; |
4474 | 3 | res = mp_add_d(a, b, c); |
4475 | 3 | a->sign = c->sign = MP_NEG; |
4476 | | |
4477 | | /* clamp */ |
4478 | 3 | mp_clamp(c); |
4479 | | |
4480 | 3 | return res; |
4481 | 3 | } |
4482 | | |
4483 | | /* setup regs */ |
4484 | 19.5k | oldused = c->used; |
4485 | 19.5k | tmpa = a->dp; |
4486 | 19.5k | tmpc = c->dp; |
4487 | | |
4488 | 19.5k | if (tmpa == NULL || tmpc == NULL) { |
4489 | 0 | return MP_MEM; |
4490 | 0 | } |
4491 | | |
4492 | | /* if a <= b simply fix the single digit */ |
4493 | 19.5k | if ((a->used == 1 && a->dp[0] <= b) || a->used == 0) { |
4494 | 669 | if (a->used == 1) { |
4495 | 668 | *tmpc++ = b - *tmpa; |
4496 | 668 | } else { |
4497 | 1 | *tmpc++ = b; |
4498 | 1 | } |
4499 | 669 | ix = 1; |
4500 | | |
4501 | | /* negative/1digit */ |
4502 | 669 | c->sign = MP_NEG; |
4503 | 669 | c->used = 1; |
4504 | 18.8k | } else { |
4505 | | /* positive/size */ |
4506 | 18.8k | c->sign = MP_ZPOS; |
4507 | 18.8k | c->used = a->used; |
4508 | | |
4509 | | /* subtract first digit */ |
4510 | 18.8k | *tmpc = *tmpa++ - b; |
4511 | 18.8k | mu = *tmpc >> (sizeof(mp_digit) * CHAR_BIT - 1); |
4512 | 18.8k | *tmpc++ &= MP_MASK; |
4513 | | |
4514 | | /* handle rest of the digits */ |
4515 | 48.6k | for (ix = 1; ix < a->used; ix++) { |
4516 | 29.7k | *tmpc = *tmpa++ - mu; |
4517 | 29.7k | mu = *tmpc >> (sizeof(mp_digit) * CHAR_BIT - 1); |
4518 | 29.7k | *tmpc++ &= MP_MASK; |
4519 | 29.7k | } |
4520 | 18.8k | } |
4521 | | |
4522 | | /* zero excess digits */ |
4523 | 19.5k | while (ix++ < oldused) { |
4524 | 2 | *tmpc++ = 0; |
4525 | 2 | } |
4526 | 19.5k | mp_clamp(c); |
4527 | 19.5k | return MP_OKAY; |
4528 | 19.5k | } |
4529 | | |
4530 | | #endif /* defined(HAVE_ECC) || !defined(NO_PWDBASED) */ |
4531 | | |
4532 | | |
4533 | | #if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) || defined(HAVE_ECC) || \ |
4534 | | defined(DEBUG_WOLFSSL) || !defined(NO_RSA) || !defined(NO_DSA) || \ |
4535 | | !defined(NO_DH) || defined(WC_MP_TO_RADIX) |
4536 | | |
4537 | | static const int lnz[16] = { |
4538 | | 4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0 |
4539 | | }; |
4540 | | |
4541 | | /* Counts the number of lsbs which are zero before the first zero bit */ |
4542 | | int mp_cnt_lsb(mp_int *a) |
4543 | 171k | { |
4544 | 171k | int x; |
4545 | 171k | mp_digit q = 0, qq; |
4546 | | |
4547 | | /* easy out */ |
4548 | 171k | if (mp_iszero(a) == MP_YES) { |
4549 | 421 | return 0; |
4550 | 421 | } |
4551 | | |
4552 | | /* scan lower digits until non-zero */ |
4553 | 172k | for (x = 0; x < a->used && a->dp[x] == 0; x++) {} |
4554 | 171k | if (a->dp) |
4555 | 171k | q = a->dp[x]; |
4556 | 171k | x *= DIGIT_BIT; |
4557 | | |
4558 | | /* now scan this digit until a 1 is found */ |
4559 | 171k | if ((q & 1) == 0) { |
4560 | 192k | do { |
4561 | 192k | qq = q & 15; |
4562 | 192k | x += lnz[qq]; |
4563 | 192k | q >>= 4; |
4564 | 192k | } while (qq == 0); |
4565 | 166k | } |
4566 | 171k | return x; |
4567 | 171k | } |
4568 | | |
4569 | | |
4570 | | |
4571 | | |
4572 | | static int s_is_power_of_two(mp_digit b, int *p) |
4573 | 2.58M | { |
4574 | 2.58M | int x; |
4575 | | |
4576 | | /* fast return if no power of two */ |
4577 | 2.58M | if ((b==0) || (b & (b-1))) { |
4578 | 2.49M | return 0; |
4579 | 2.49M | } |
4580 | | |
4581 | 401k | for (x = 0; x < DIGIT_BIT; x++) { |
4582 | 401k | if (b == (((mp_digit)1)<<x)) { |
4583 | 93.0k | *p = x; |
4584 | 93.0k | return 1; |
4585 | 93.0k | } |
4586 | 401k | } |
4587 | 0 | return 0; |
4588 | 93.0k | } |
4589 | | |
4590 | | /* single digit division (based on routine from MPI) */ |
4591 | | static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d) |
4592 | 2.58M | { |
4593 | 2.58M | mp_int q; |
4594 | 2.58M | mp_word w; |
4595 | 2.58M | mp_digit t; |
4596 | 2.58M | int res = MP_OKAY, ix; |
4597 | | |
4598 | | /* cannot divide by zero */ |
4599 | 2.58M | if (b == 0) { |
4600 | 1 | return MP_VAL; |
4601 | 1 | } |
4602 | | |
4603 | | /* quick outs */ |
4604 | 2.58M | if (b == 1 || mp_iszero(a) == MP_YES) { |
4605 | 30 | if (d != NULL) { |
4606 | 30 | *d = 0; |
4607 | 30 | } |
4608 | 30 | if (c != NULL) { |
4609 | 0 | return mp_copy(a, c); |
4610 | 0 | } |
4611 | 30 | return MP_OKAY; |
4612 | 30 | } |
4613 | | |
4614 | | /* power of two ? */ |
4615 | 2.58M | if (s_is_power_of_two(b, &ix) == 1) { |
4616 | 93.0k | if (d != NULL) { |
4617 | 93.0k | *d = a->dp[0] & ((((mp_digit)1)<<ix) - 1); |
4618 | 93.0k | } |
4619 | 93.0k | if (c != NULL) { |
4620 | 87.6k | return mp_div_2d(a, ix, c, NULL); |
4621 | 87.6k | } |
4622 | 5.42k | return MP_OKAY; |
4623 | 93.0k | } |
4624 | | |
4625 | 2.49M | #ifdef BN_MP_DIV_3_C |
4626 | | /* three? */ |
4627 | 2.49M | if (b == 3) { |
4628 | 7.48k | return mp_div_3(a, c, d); |
4629 | 7.48k | } |
4630 | 2.48M | #endif |
4631 | | |
4632 | | /* no easy answer [c'est la vie]. Just division */ |
4633 | 2.48M | if (c != NULL) { |
4634 | 2.19M | if ((res = mp_init_size(&q, a->used)) != MP_OKAY) { |
4635 | 272 | return res; |
4636 | 272 | } |
4637 | | |
4638 | 2.19M | q.used = a->used; |
4639 | 2.19M | q.sign = a->sign; |
4640 | 2.19M | } |
4641 | 283k | else { |
4642 | 283k | if ((res = mp_init(&q)) != MP_OKAY) { |
4643 | 0 | return res; |
4644 | 0 | } |
4645 | 283k | } |
4646 | | |
4647 | 2.48M | w = 0; |
4648 | | |
4649 | 2.48M | if (a->used == 0) |
4650 | 0 | return MP_VAL; |
4651 | | |
4652 | 135M | for (ix = a->used - 1; ix >= 0; ix--) { |
4653 | 133M | w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]); |
4654 | | |
4655 | 133M | if (w >= b) { |
4656 | | #ifdef WOLFSSL_LINUXKM |
4657 | | t = (mp_digit)w; |
4658 | | /* Linux kernel macro for in-place 64 bit integer division. */ |
4659 | | do_div(t, b); |
4660 | | #else |
4661 | 132M | t = (mp_digit)(w / b); |
4662 | 132M | #endif |
4663 | 132M | w -= ((mp_word)t) * ((mp_word)b); |
4664 | 132M | } else { |
4665 | 948k | t = 0; |
4666 | 948k | } |
4667 | 133M | if (c != NULL) |
4668 | 130M | q.dp[ix] = (mp_digit)t; |
4669 | 133M | } |
4670 | | |
4671 | 2.48M | if (d != NULL) { |
4672 | 2.48M | *d = (mp_digit)w; |
4673 | 2.48M | } |
4674 | | |
4675 | 2.48M | if (c != NULL) { |
4676 | 2.19M | mp_clamp(&q); |
4677 | 2.19M | mp_exch(&q, c); |
4678 | 2.19M | } |
4679 | 2.48M | mp_clear(&q); |
4680 | | |
4681 | 2.48M | return res; |
4682 | 2.48M | } |
4683 | | |
4684 | | |
4685 | | int mp_mod_d (mp_int * a, mp_digit b, mp_digit * c) |
4686 | 294k | { |
4687 | 294k | return mp_div_d(a, b, NULL, c); |
4688 | 294k | } |
4689 | | |
4690 | | #endif /* WOLFSSL_KEY_GEN || HAVE_COMP_KEY || HAVE_ECC || DEBUG_WOLFSSL */ |
4691 | | |
4692 | | #if (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA)) || !defined(NO_DH) || !defined(NO_DSA) |
4693 | | |
4694 | | const FLASH_QUALIFIER mp_digit ltm_prime_tab[PRIME_SIZE] = { |
4695 | | 0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013, |
4696 | | 0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035, |
4697 | | 0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059, |
4698 | | 0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F, |
4699 | | #ifndef MP_8BIT |
4700 | | 0x0083, |
4701 | | 0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD, |
4702 | | 0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF, |
4703 | | 0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107, |
4704 | | 0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137, |
4705 | | |
4706 | | 0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167, |
4707 | | 0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199, |
4708 | | 0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9, |
4709 | | 0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7, |
4710 | | 0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239, |
4711 | | 0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265, |
4712 | | 0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293, |
4713 | | 0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF, |
4714 | | |
4715 | | 0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF, 0x02F5, 0x02F9, 0x0301, |
4716 | | 0x0305, 0x0313, 0x031D, 0x0329, 0x032B, 0x0335, 0x0337, 0x033B, |
4717 | | 0x033D, 0x0347, 0x0355, 0x0359, 0x035B, 0x035F, 0x036D, 0x0371, |
4718 | | 0x0373, 0x0377, 0x038B, 0x038F, 0x0397, 0x03A1, 0x03A9, 0x03AD, |
4719 | | 0x03B3, 0x03B9, 0x03C7, 0x03CB, 0x03D1, 0x03D7, 0x03DF, 0x03E5, |
4720 | | 0x03F1, 0x03F5, 0x03FB, 0x03FD, 0x0407, 0x0409, 0x040F, 0x0419, |
4721 | | 0x041B, 0x0425, 0x0427, 0x042D, 0x043F, 0x0443, 0x0445, 0x0449, |
4722 | | 0x044F, 0x0455, 0x045D, 0x0463, 0x0469, 0x047F, 0x0481, 0x048B, |
4723 | | |
4724 | | 0x0493, 0x049D, 0x04A3, 0x04A9, 0x04B1, 0x04BD, 0x04C1, 0x04C7, |
4725 | | 0x04CD, 0x04CF, 0x04D5, 0x04E1, 0x04EB, 0x04FD, 0x04FF, 0x0503, |
4726 | | 0x0509, 0x050B, 0x0511, 0x0515, 0x0517, 0x051B, 0x0527, 0x0529, |
4727 | | 0x052F, 0x0551, 0x0557, 0x055D, 0x0565, 0x0577, 0x0581, 0x058F, |
4728 | | 0x0593, 0x0595, 0x0599, 0x059F, 0x05A7, 0x05AB, 0x05AD, 0x05B3, |
4729 | | 0x05BF, 0x05C9, 0x05CB, 0x05CF, 0x05D1, 0x05D5, 0x05DB, 0x05E7, |
4730 | | 0x05F3, 0x05FB, 0x0607, 0x060D, 0x0611, 0x0617, 0x061F, 0x0623, |
4731 | | 0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653 |
4732 | | #endif |
4733 | | }; |
4734 | | |
4735 | | |
4736 | | /* Miller-Rabin test of "a" to the base of "b" as described in |
4737 | | * HAC pp. 139 Algorithm 4.24 |
4738 | | * |
4739 | | * Sets result to 0 if definitely composite or 1 if probably prime. |
4740 | | * Randomly the chance of error is no more than 1/4 and often |
4741 | | * very much lower. |
4742 | | */ |
4743 | | static int mp_prime_miller_rabin (mp_int * a, mp_int * b, int *result) |
4744 | 14.5k | { |
4745 | 14.5k | mp_int n1, y, r; |
4746 | 14.5k | int s, j, err; |
4747 | | |
4748 | | /* default */ |
4749 | 14.5k | *result = MP_NO; |
4750 | | |
4751 | | /* ensure b > 1 */ |
4752 | 14.5k | if (mp_cmp_d(b, 1) != MP_GT) { |
4753 | 0 | return MP_VAL; |
4754 | 0 | } |
4755 | | |
4756 | | /* get n1 = a - 1 */ |
4757 | 14.5k | if ((err = mp_init_copy (&n1, a)) != MP_OKAY) { |
4758 | 1 | return err; |
4759 | 1 | } |
4760 | 14.5k | if ((err = mp_sub_d (&n1, 1, &n1)) != MP_OKAY) { |
4761 | 0 | goto LBL_N1; |
4762 | 0 | } |
4763 | | |
4764 | | /* set 2**s * r = n1 */ |
4765 | 14.5k | if ((err = mp_init_copy (&r, &n1)) != MP_OKAY) { |
4766 | 3 | goto LBL_N1; |
4767 | 3 | } |
4768 | | |
4769 | | /* count the number of least significant bits |
4770 | | * which are zero |
4771 | | */ |
4772 | 14.5k | s = mp_cnt_lsb(&r); |
4773 | | |
4774 | | /* now divide n - 1 by 2**s */ |
4775 | 14.5k | if ((err = mp_div_2d (&r, s, &r, NULL)) != MP_OKAY) { |
4776 | 0 | goto LBL_R; |
4777 | 0 | } |
4778 | | |
4779 | | /* compute y = b**r mod a */ |
4780 | 14.5k | if ((err = mp_init (&y)) != MP_OKAY) { |
4781 | 0 | goto LBL_R; |
4782 | 0 | } |
4783 | | #if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) |
4784 | | #ifndef WOLFSSL_SP_NO_2048 |
4785 | | if (mp_count_bits(a) == 1024 && mp_isodd(a)) |
4786 | | err = sp_ModExp_1024(b, &r, a, &y); |
4787 | | else if (mp_count_bits(a) == 2048 && mp_isodd(a)) |
4788 | | err = sp_ModExp_2048(b, &r, a, &y); |
4789 | | else |
4790 | | #endif |
4791 | | #ifndef WOLFSSL_SP_NO_3072 |
4792 | | if (mp_count_bits(a) == 1536 && mp_isodd(a)) |
4793 | | err = sp_ModExp_1536(b, &r, a, &y); |
4794 | | else if (mp_count_bits(a) == 3072 && mp_isodd(a)) |
4795 | | err = sp_ModExp_3072(b, &r, a, &y); |
4796 | | else |
4797 | | #endif |
4798 | | #ifdef WOLFSSL_SP_4096 |
4799 | | if (mp_count_bits(a) == 4096 && mp_isodd(a)) |
4800 | | err = sp_ModExp_4096(b, &r, a, &y); |
4801 | | else |
4802 | | #endif |
4803 | | #endif |
4804 | 14.5k | err = mp_exptmod (b, &r, a, &y); |
4805 | 14.5k | if (err != MP_OKAY) |
4806 | 8 | goto LBL_Y; |
4807 | | |
4808 | | /* if y != 1 and y != n1 do */ |
4809 | 14.5k | if (mp_cmp_d (&y, 1) != MP_EQ && mp_cmp (&y, &n1) != MP_EQ) { |
4810 | 6.45k | j = 1; |
4811 | | /* while j <= s-1 and y != n1 */ |
4812 | 24.3k | while ((j <= (s - 1)) && mp_cmp (&y, &n1) != MP_EQ) { |
4813 | 17.8k | if ((err = mp_sqrmod (&y, a, &y)) != MP_OKAY) { |
4814 | 1 | goto LBL_Y; |
4815 | 1 | } |
4816 | | |
4817 | | /* if y == 1 then composite */ |
4818 | 17.8k | if (mp_cmp_d (&y, 1) == MP_EQ) { |
4819 | 0 | goto LBL_Y; |
4820 | 0 | } |
4821 | | |
4822 | 17.8k | ++j; |
4823 | 17.8k | } |
4824 | | |
4825 | | /* if y != n1 then composite */ |
4826 | 6.45k | if (mp_cmp (&y, &n1) != MP_EQ) { |
4827 | 724 | goto LBL_Y; |
4828 | 724 | } |
4829 | 6.45k | } |
4830 | | |
4831 | | /* probably prime now */ |
4832 | 13.8k | *result = MP_YES; |
4833 | 14.5k | LBL_Y:mp_clear (&y); |
4834 | 14.5k | LBL_R:mp_clear (&r); |
4835 | 14.5k | LBL_N1:mp_clear (&n1); |
4836 | 14.5k | return err; |
4837 | 14.5k | } |
4838 | | |
4839 | | |
4840 | | /* determines if an integers is divisible by one |
4841 | | * of the first PRIME_SIZE primes or not |
4842 | | * |
4843 | | * sets result to 0 if not, 1 if yes |
4844 | | */ |
4845 | | static int mp_prime_is_divisible (mp_int * a, int *result) |
4846 | 5.37k | { |
4847 | 5.37k | int err, ix; |
4848 | 5.37k | mp_digit res; |
4849 | | |
4850 | | /* default to not */ |
4851 | 5.37k | *result = MP_NO; |
4852 | | |
4853 | 295k | for (ix = 0; ix < PRIME_SIZE; ix++) { |
4854 | | /* what is a mod LBL_prime_tab[ix] */ |
4855 | 294k | if ((err = mp_mod_d (a, ltm_prime_tab[ix], &res)) != MP_OKAY) { |
4856 | 1 | return err; |
4857 | 1 | } |
4858 | | |
4859 | | /* is the residue zero? */ |
4860 | 294k | if (res == 0) { |
4861 | 4.44k | *result = MP_YES; |
4862 | 4.44k | return MP_OKAY; |
4863 | 4.44k | } |
4864 | 294k | } |
4865 | | |
4866 | 929 | return MP_OKAY; |
4867 | 5.37k | } |
4868 | | |
4869 | | /* |
4870 | | * Sets result to 1 if probably prime, 0 otherwise |
4871 | | */ |
4872 | | int mp_prime_is_prime (mp_int * a, int t, int *result) |
4873 | 0 | { |
4874 | 0 | mp_int b; |
4875 | 0 | int ix, err, res; |
4876 | | |
4877 | | /* default to no */ |
4878 | 0 | *result = MP_NO; |
4879 | | |
4880 | | /* valid value of t? */ |
4881 | 0 | if (t <= 0 || t > PRIME_SIZE) { |
4882 | 0 | return MP_VAL; |
4883 | 0 | } |
4884 | | |
4885 | 0 | if (mp_isone(a)) { |
4886 | 0 | *result = MP_NO; |
4887 | 0 | return MP_OKAY; |
4888 | 0 | } |
4889 | | |
4890 | | /* is the input equal to one of the primes in the table? */ |
4891 | 0 | for (ix = 0; ix < PRIME_SIZE; ix++) { |
4892 | 0 | if (mp_cmp_d(a, ltm_prime_tab[ix]) == MP_EQ) { |
4893 | 0 | *result = MP_YES; |
4894 | 0 | return MP_OKAY; |
4895 | 0 | } |
4896 | 0 | } |
4897 | | |
4898 | | /* first perform trial division */ |
4899 | 0 | if ((err = mp_prime_is_divisible (a, &res)) != MP_OKAY) { |
4900 | 0 | return err; |
4901 | 0 | } |
4902 | | |
4903 | | /* return if it was trivially divisible */ |
4904 | 0 | if (res == MP_YES) { |
4905 | 0 | return MP_OKAY; |
4906 | 0 | } |
4907 | | |
4908 | | /* now perform the miller-rabin rounds */ |
4909 | 0 | if ((err = mp_init (&b)) != MP_OKAY) { |
4910 | 0 | return err; |
4911 | 0 | } |
4912 | | |
4913 | 0 | for (ix = 0; ix < t; ix++) { |
4914 | | /* set the prime */ |
4915 | 0 | if ((err = mp_set (&b, ltm_prime_tab[ix])) != MP_OKAY) { |
4916 | 0 | goto LBL_B; |
4917 | 0 | } |
4918 | | |
4919 | 0 | if ((err = mp_prime_miller_rabin (a, &b, &res)) != MP_OKAY) { |
4920 | 0 | goto LBL_B; |
4921 | 0 | } |
4922 | | |
4923 | 0 | if (res == MP_NO) { |
4924 | 0 | goto LBL_B; |
4925 | 0 | } |
4926 | 0 | } |
4927 | | |
4928 | | /* passed the test */ |
4929 | 0 | *result = MP_YES; |
4930 | 0 | LBL_B:mp_clear (&b); |
4931 | 0 | return err; |
4932 | 0 | } |
4933 | | |
4934 | | |
4935 | | /* |
4936 | | * Sets result to 1 if probably prime, 0 otherwise |
4937 | | */ |
4938 | | int mp_prime_is_prime_ex (mp_int * a, int t, int *result, WC_RNG *rng) |
4939 | 5.42k | { |
4940 | 5.42k | mp_int b, c; |
4941 | 5.42k | int ix, err, res; |
4942 | 5.42k | byte* base = NULL; |
4943 | 5.42k | word32 bitSz = 0; |
4944 | 5.42k | word32 baseSz = 0; |
4945 | | |
4946 | | /* default to no */ |
4947 | 5.42k | *result = MP_NO; |
4948 | | |
4949 | | /* valid value of t? */ |
4950 | 5.42k | if (t <= 0 || t > PRIME_SIZE) { |
4951 | 0 | return MP_VAL; |
4952 | 0 | } |
4953 | | |
4954 | 5.42k | if (a->sign == MP_NEG) { |
4955 | 6 | return MP_VAL; |
4956 | 6 | } |
4957 | | |
4958 | 5.41k | if (mp_isone(a)) { |
4959 | 10 | *result = MP_NO; |
4960 | 10 | return MP_OKAY; |
4961 | 10 | } |
4962 | | |
4963 | | /* is the input equal to one of the primes in the table? */ |
4964 | 1.38M | for (ix = 0; ix < PRIME_SIZE; ix++) { |
4965 | 1.37M | if (mp_cmp_d(a, ltm_prime_tab[ix]) == MP_EQ) { |
4966 | 33 | *result = MP_YES; |
4967 | 33 | return MP_OKAY; |
4968 | 33 | } |
4969 | 1.37M | } |
4970 | | |
4971 | | /* first perform trial division */ |
4972 | 5.37k | if ((err = mp_prime_is_divisible (a, &res)) != MP_OKAY) { |
4973 | 1 | return err; |
4974 | 1 | } |
4975 | | |
4976 | | /* return if it was trivially divisible */ |
4977 | 5.37k | if (res == MP_YES) { |
4978 | 4.44k | return MP_OKAY; |
4979 | 4.44k | } |
4980 | | |
4981 | | /* now perform the miller-rabin rounds */ |
4982 | 929 | if ((err = mp_init (&b)) != MP_OKAY) { |
4983 | 0 | return err; |
4984 | 0 | } |
4985 | 929 | if ((err = mp_init (&c)) != MP_OKAY) { |
4986 | 0 | mp_clear(&b); |
4987 | 0 | return err; |
4988 | 0 | } |
4989 | | |
4990 | 929 | bitSz = mp_count_bits(a); |
4991 | 929 | baseSz = (bitSz / 8) + ((bitSz % 8) ? 1 : 0); |
4992 | 929 | bitSz %= 8; |
4993 | | |
4994 | 929 | base = (byte*)XMALLOC(baseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
4995 | 929 | if (base == NULL) { |
4996 | 1 | err = MP_MEM; |
4997 | 1 | goto LBL_B; |
4998 | 1 | } |
4999 | | |
5000 | 928 | if ((err = mp_sub_d(a, 2, &c)) != MP_OKAY) { |
5001 | 1 | goto LBL_B; |
5002 | 1 | } |
5003 | | |
5004 | | /* now do a miller rabin with up to t random numbers, this should |
5005 | | * give a (1/4)^t chance of a false prime. */ |
5006 | 19.8k | for (ix = 0; ix < t; ix++) { |
5007 | | /* Set a test candidate. */ |
5008 | 19.6k | if ((err = wc_RNG_GenerateBlock(rng, base, baseSz)) != 0) { |
5009 | 7 | goto LBL_B; |
5010 | 7 | } |
5011 | | |
5012 | | /* Clear bits higher than those in a. */ |
5013 | 19.6k | if (bitSz > 0) { |
5014 | 11.7k | base[0] &= (1 << bitSz) - 1; |
5015 | 11.7k | } |
5016 | | |
5017 | 19.6k | if ((err = mp_read_unsigned_bin(&b, base, baseSz)) != MP_OKAY) { |
5018 | 1 | goto LBL_B; |
5019 | 1 | } |
5020 | | |
5021 | 19.6k | if (mp_cmp_d(&b, 2) != MP_GT || mp_cmp(&b, &c) != MP_LT) { |
5022 | 5.08k | ix--; |
5023 | 5.08k | continue; |
5024 | 5.08k | } |
5025 | | |
5026 | 14.5k | if ((err = mp_prime_miller_rabin (a, &b, &res)) != MP_OKAY) { |
5027 | 13 | goto LBL_B; |
5028 | 13 | } |
5029 | | |
5030 | 14.5k | if (res == MP_NO) { |
5031 | 724 | goto LBL_B; |
5032 | 724 | } |
5033 | 14.5k | } |
5034 | | |
5035 | | /* passed the test */ |
5036 | 182 | *result = MP_YES; |
5037 | 929 | LBL_B:mp_clear (&b); |
5038 | 929 | mp_clear (&c); |
5039 | 929 | XFREE(base, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
5040 | 929 | return err; |
5041 | 182 | } |
5042 | | |
5043 | | #endif /* (WOLFSSL_KEY_GEN && !NO_RSA) || !NO_DH || !NO_DSA */ |
5044 | | |
5045 | | #if defined(WOLFSSL_KEY_GEN) && (!defined(NO_DH) || !defined(NO_DSA)) |
5046 | | |
5047 | | static const int USE_BBS = 1; |
5048 | | |
5049 | | int mp_rand_prime(mp_int* a, int len, WC_RNG* rng, void* heap) |
5050 | 167 | { |
5051 | 167 | int err, res, type; |
5052 | 167 | byte* buf; |
5053 | | |
5054 | 167 | if (a == NULL || rng == NULL) |
5055 | 0 | return MP_VAL; |
5056 | | |
5057 | | /* get type */ |
5058 | 167 | if (len < 0) { |
5059 | 0 | type = USE_BBS; |
5060 | 0 | len = -len; |
5061 | 167 | } else { |
5062 | 167 | type = 0; |
5063 | 167 | } |
5064 | | |
5065 | | /* allow sizes between 2 and 512 bytes for a prime size */ |
5066 | 167 | if (len < 2 || len > 512) { |
5067 | 4 | return MP_VAL; |
5068 | 4 | } |
5069 | | |
5070 | | /* allocate buffer to work with */ |
5071 | 163 | buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA); |
5072 | 163 | if (buf == NULL) { |
5073 | 1 | return MP_MEM; |
5074 | 1 | } |
5075 | 162 | XMEMSET(buf, 0, len); |
5076 | | |
5077 | 5.15k | do { |
5078 | | #ifdef SHOW_GEN |
5079 | | printf("."); |
5080 | | fflush(stdout); |
5081 | | #endif |
5082 | | /* generate value */ |
5083 | 5.15k | err = wc_RNG_GenerateBlock(rng, buf, len); |
5084 | 5.15k | if (err != 0) { |
5085 | 7 | XFREE(buf, heap, DYNAMIC_TYPE_RSA); |
5086 | 7 | return err; |
5087 | 7 | } |
5088 | | |
5089 | | /* munge bits */ |
5090 | 5.14k | buf[0] |= 0x80 | 0x40; |
5091 | 5.14k | buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00); |
5092 | | |
5093 | | /* load value */ |
5094 | 5.14k | if ((err = mp_read_unsigned_bin(a, buf, len)) != MP_OKAY) { |
5095 | 1 | XFREE(buf, heap, DYNAMIC_TYPE_RSA); |
5096 | 1 | return err; |
5097 | 1 | } |
5098 | | |
5099 | | /* test */ |
5100 | | /* Running Miller-Rabin up to 3 times gives us a 2^{-80} chance |
5101 | | * of a 1024-bit candidate being a false positive, when it is our |
5102 | | * prime candidate. (Note 4.49 of Handbook of Applied Cryptography.) |
5103 | | * Using 8 because we've always used 8. */ |
5104 | 5.14k | if ((err = mp_prime_is_prime_ex(a, 8, &res, rng)) != MP_OKAY) { |
5105 | 22 | XFREE(buf, heap, DYNAMIC_TYPE_RSA); |
5106 | 22 | return err; |
5107 | 22 | } |
5108 | 5.14k | } while (res == MP_NO); |
5109 | | |
5110 | 132 | XMEMSET(buf, 0, len); |
5111 | 132 | XFREE(buf, heap, DYNAMIC_TYPE_RSA); |
5112 | | |
5113 | 132 | return MP_OKAY; |
5114 | 162 | } |
5115 | | |
5116 | | #endif |
5117 | | |
5118 | | #if defined(WOLFSSL_KEY_GEN) |
5119 | | |
5120 | | /* computes least common multiple as |a*b|/(a, b) */ |
5121 | | int mp_lcm (mp_int * a, mp_int * b, mp_int * c) |
5122 | 298 | { |
5123 | 298 | int res; |
5124 | 298 | mp_int t1, t2; |
5125 | | |
5126 | | /* LCM of 0 and any number is undefined as 0 is not in the set of values |
5127 | | * being used. */ |
5128 | 298 | if (mp_iszero (a) == MP_YES || mp_iszero (b) == MP_YES) { |
5129 | 25 | return MP_VAL; |
5130 | 25 | } |
5131 | | |
5132 | 273 | if ((res = mp_init_multi (&t1, &t2, NULL, NULL, NULL, NULL)) != MP_OKAY) { |
5133 | 0 | return res; |
5134 | 0 | } |
5135 | | |
5136 | | /* t1 = get the GCD of the two inputs */ |
5137 | 273 | if ((res = mp_gcd (a, b, &t1)) != MP_OKAY) { |
5138 | 2 | goto LBL_T; |
5139 | 2 | } |
5140 | | |
5141 | | /* divide the smallest by the GCD */ |
5142 | 271 | if (mp_cmp_mag(a, b) == MP_LT) { |
5143 | | /* store quotient in t2 such that t2 * b is the LCM */ |
5144 | 94 | if ((res = mp_div(a, &t1, &t2, NULL)) != MP_OKAY) { |
5145 | 1 | goto LBL_T; |
5146 | 1 | } |
5147 | 93 | res = mp_mul(b, &t2, c); |
5148 | 177 | } else { |
5149 | | /* store quotient in t2 such that t2 * a is the LCM */ |
5150 | 177 | if ((res = mp_div(b, &t1, &t2, NULL)) != MP_OKAY) { |
5151 | 1 | goto LBL_T; |
5152 | 1 | } |
5153 | 176 | res = mp_mul(a, &t2, c); |
5154 | 176 | } |
5155 | | |
5156 | | /* fix the sign to positive */ |
5157 | 269 | c->sign = MP_ZPOS; |
5158 | | |
5159 | 273 | LBL_T: |
5160 | 273 | mp_clear(&t1); |
5161 | 273 | mp_clear(&t2); |
5162 | 273 | return res; |
5163 | 269 | } |
5164 | | |
5165 | | |
5166 | | |
5167 | | /* Greatest Common Divisor using the binary method */ |
5168 | | int mp_gcd (mp_int * a, mp_int * b, mp_int * c) |
5169 | 459 | { |
5170 | 459 | mp_int u, v; |
5171 | 459 | int k, u_lsb, v_lsb, res; |
5172 | | |
5173 | | /* either zero than gcd is the largest */ |
5174 | 459 | if (mp_iszero (a) == MP_YES) { |
5175 | | /* GCD of 0 and 0 is undefined as all integers divide 0. */ |
5176 | 34 | if (mp_iszero (b) == MP_YES) { |
5177 | 15 | return MP_VAL; |
5178 | 15 | } |
5179 | 19 | return mp_abs (b, c); |
5180 | 34 | } |
5181 | 425 | if (mp_iszero (b) == MP_YES) { |
5182 | 11 | return mp_abs (a, c); |
5183 | 11 | } |
5184 | | |
5185 | | /* get copies of a and b we can modify */ |
5186 | 414 | if ((res = mp_init_copy (&u, a)) != MP_OKAY) { |
5187 | 2 | return res; |
5188 | 2 | } |
5189 | | |
5190 | 412 | if ((res = mp_init_copy (&v, b)) != MP_OKAY) { |
5191 | 1 | goto LBL_U; |
5192 | 1 | } |
5193 | | |
5194 | | /* must be positive for the remainder of the algorithm */ |
5195 | 411 | u.sign = v.sign = MP_ZPOS; |
5196 | | |
5197 | | /* B1. Find the common power of two for u and v */ |
5198 | 411 | u_lsb = mp_cnt_lsb(&u); |
5199 | 411 | v_lsb = mp_cnt_lsb(&v); |
5200 | 411 | k = MIN(u_lsb, v_lsb); |
5201 | | |
5202 | 411 | if (k > 0) { |
5203 | | /* divide the power of two out */ |
5204 | 116 | if ((res = mp_div_2d(&u, k, &u, NULL)) != MP_OKAY) { |
5205 | 0 | goto LBL_V; |
5206 | 0 | } |
5207 | | |
5208 | 116 | if ((res = mp_div_2d(&v, k, &v, NULL)) != MP_OKAY) { |
5209 | 0 | goto LBL_V; |
5210 | 0 | } |
5211 | 116 | } |
5212 | | |
5213 | | /* divide any remaining factors of two out */ |
5214 | 411 | if (u_lsb != k) { |
5215 | 147 | if ((res = mp_div_2d(&u, u_lsb - k, &u, NULL)) != MP_OKAY) { |
5216 | 0 | goto LBL_V; |
5217 | 0 | } |
5218 | 147 | } |
5219 | | |
5220 | 411 | if (v_lsb != k) { |
5221 | 159 | if ((res = mp_div_2d(&v, v_lsb - k, &v, NULL)) != MP_OKAY) { |
5222 | 0 | goto LBL_V; |
5223 | 0 | } |
5224 | 159 | } |
5225 | | |
5226 | 147k | while (mp_iszero(&v) == MP_NO) { |
5227 | | /* make sure v is the largest */ |
5228 | 146k | if (mp_cmp_mag(&u, &v) == MP_GT) { |
5229 | | /* swap u and v to make sure v is >= u */ |
5230 | 30.7k | mp_exch(&u, &v); |
5231 | 30.7k | } |
5232 | | |
5233 | | /* subtract smallest from largest */ |
5234 | 146k | if ((res = s_mp_sub(&v, &u, &v)) != MP_OKAY) { |
5235 | 0 | goto LBL_V; |
5236 | 0 | } |
5237 | | |
5238 | | /* Divide out all factors of two */ |
5239 | 146k | if ((res = mp_div_2d(&v, mp_cnt_lsb(&v), &v, NULL)) != MP_OKAY) { |
5240 | 0 | goto LBL_V; |
5241 | 0 | } |
5242 | 146k | } |
5243 | | |
5244 | | /* multiply by 2**k which we divided out at the beginning */ |
5245 | 411 | if ((res = mp_mul_2d (&u, k, c)) != MP_OKAY) { |
5246 | 1 | goto LBL_V; |
5247 | 1 | } |
5248 | 410 | c->sign = MP_ZPOS; |
5249 | 410 | res = MP_OKAY; |
5250 | 411 | LBL_V:mp_clear (&v); |
5251 | 412 | LBL_U:mp_clear (&u); |
5252 | 412 | return res; |
5253 | 411 | } |
5254 | | |
5255 | | #endif /* WOLFSSL_KEY_GEN */ |
5256 | | |
5257 | | |
5258 | | #if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) || \ |
5259 | | defined(HAVE_COMP_KEY) || defined(WOLFSSL_DEBUG_MATH) || \ |
5260 | | defined(DEBUG_WOLFSSL) || defined(OPENSSL_EXTRA) || defined(WC_MP_TO_RADIX) |
5261 | | |
5262 | | /* chars used in radix conversions */ |
5263 | | const char *mp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" |
5264 | | "abcdefghijklmnopqrstuvwxyz+/"; |
5265 | | #endif |
5266 | | |
5267 | | #if !defined(NO_DSA) || defined(HAVE_ECC) || defined(OPENSSL_EXTRA) |
5268 | | /* read a string [ASCII] in a given radix */ |
5269 | | int mp_read_radix (mp_int * a, const char *str, int radix) |
5270 | 72.1k | { |
5271 | 72.1k | int y, res, neg; |
5272 | 72.1k | char ch; |
5273 | | |
5274 | | /* zero the digit bignum */ |
5275 | 72.1k | mp_zero(a); |
5276 | | |
5277 | | /* make sure the radix is ok */ |
5278 | 72.1k | if (radix < MP_RADIX_BIN || radix > MP_RADIX_MAX) { |
5279 | 0 | return MP_VAL; |
5280 | 0 | } |
5281 | | |
5282 | | /* if the leading digit is a |
5283 | | * minus set the sign to negative. |
5284 | | */ |
5285 | 72.1k | if (*str == '-') { |
5286 | 3.54k | ++str; |
5287 | 3.54k | neg = MP_NEG; |
5288 | 68.6k | } else { |
5289 | 68.6k | neg = MP_ZPOS; |
5290 | 68.6k | } |
5291 | | |
5292 | | /* set the integer to the default of zero */ |
5293 | 72.1k | mp_zero (a); |
5294 | | |
5295 | | /* process each digit of the string */ |
5296 | 4.22M | while (*str != '\0') { |
5297 | | /* if the radix <= 36 the conversion is case insensitive |
5298 | | * this allows numbers like 1AB and 1ab to represent the same value |
5299 | | * [e.g. in hex] |
5300 | | */ |
5301 | 4.15M | ch = (radix <= 36) ? (char)XTOUPPER((unsigned char)*str) : *str; |
5302 | 28.6M | for (y = 0; y < 64; y++) { |
5303 | 28.6M | if (ch == mp_s_rmap[y]) { |
5304 | 4.15M | break; |
5305 | 4.15M | } |
5306 | 28.6M | } |
5307 | | |
5308 | | /* if the char was found in the map |
5309 | | * and is less than the given radix add it |
5310 | | * to the number, otherwise exit the loop. |
5311 | | */ |
5312 | 4.15M | if (y < radix) { |
5313 | 4.15M | if ((res = mp_mul_d (a, (mp_digit) radix, a)) != MP_OKAY) { |
5314 | 815 | mp_zero(a); |
5315 | 815 | return res; |
5316 | 815 | } |
5317 | 4.14M | if ((res = mp_add_d (a, (mp_digit) y, a)) != MP_OKAY) { |
5318 | 308 | mp_zero(a); |
5319 | 308 | return res; |
5320 | 308 | } |
5321 | 4.14M | } else { |
5322 | 74 | break; |
5323 | 74 | } |
5324 | 4.14M | ++str; |
5325 | 4.14M | } |
5326 | | |
5327 | | /* Skip whitespace at end of str */ |
5328 | 71.0k | while (CharIsWhiteSpace(*str)) |
5329 | 0 | ++str; |
5330 | | /* if digit in isn't null term, then invalid character was found */ |
5331 | 71.0k | if (*str != '\0') { |
5332 | 74 | mp_zero (a); |
5333 | 74 | return MP_VAL; |
5334 | 74 | } |
5335 | | |
5336 | | /* set the sign only if a != 0 */ |
5337 | 70.9k | if (mp_iszero(a) != MP_YES) { |
5338 | 46.6k | a->sign = neg; |
5339 | 46.6k | } |
5340 | 70.9k | return MP_OKAY; |
5341 | 71.0k | } |
5342 | | #endif /* !defined(NO_DSA) || defined(HAVE_ECC) */ |
5343 | | |
5344 | | #ifdef WC_MP_TO_RADIX |
5345 | | |
5346 | | /* returns size of ASCII representation */ |
5347 | | int mp_radix_size (mp_int *a, int radix, int *size) |
5348 | 10.4k | { |
5349 | 10.4k | int res, digs; |
5350 | 10.4k | mp_int t; |
5351 | 10.4k | mp_digit d; |
5352 | | |
5353 | 10.4k | *size = 0; |
5354 | | |
5355 | | /* special case for binary */ |
5356 | 10.4k | if (radix == MP_RADIX_BIN) { |
5357 | 126 | *size = mp_count_bits(a); |
5358 | 126 | if (*size == 0) |
5359 | 29 | *size = 1; |
5360 | 126 | *size += (a->sign == MP_NEG ? 1 : 0) + 1; /* "-" sign + null term */ |
5361 | 126 | return MP_OKAY; |
5362 | 126 | } |
5363 | | |
5364 | | /* make sure the radix is in range */ |
5365 | 10.3k | if (radix < MP_RADIX_BIN || radix > MP_RADIX_MAX) { |
5366 | 862 | return MP_VAL; |
5367 | 862 | } |
5368 | | |
5369 | 9.50k | if (mp_iszero(a) == MP_YES) { |
5370 | 1.24k | #ifndef WC_DISABLE_RADIX_ZERO_PAD |
5371 | 1.24k | if (radix == 16) |
5372 | 12 | *size = 3; |
5373 | 1.23k | else |
5374 | 1.23k | #endif |
5375 | 1.23k | *size = 2; |
5376 | 1.24k | return MP_OKAY; |
5377 | 1.24k | } |
5378 | | |
5379 | | /* digs is the digit count */ |
5380 | 8.26k | digs = 0; |
5381 | | |
5382 | | /* init a copy of the input */ |
5383 | 8.26k | if ((res = mp_init_copy (&t, a)) != MP_OKAY) { |
5384 | 235 | return res; |
5385 | 235 | } |
5386 | | |
5387 | | /* force temp to positive */ |
5388 | 8.03k | t.sign = MP_ZPOS; |
5389 | | |
5390 | | /* fetch out all of the digits */ |
5391 | 1.14M | while (mp_iszero (&t) == MP_NO) { |
5392 | 1.13M | if ((res = mp_div_d (&t, (mp_digit) radix, &t, &d)) != MP_OKAY) { |
5393 | 250 | mp_clear (&t); |
5394 | 250 | return res; |
5395 | 250 | } |
5396 | 1.13M | ++digs; |
5397 | 1.13M | } |
5398 | 7.78k | mp_clear (&t); |
5399 | | |
5400 | 7.78k | #ifndef WC_DISABLE_RADIX_ZERO_PAD |
5401 | | /* For hexadecimal output, add zero padding when number of digits is odd */ |
5402 | 7.78k | if ((digs & 1) && (radix == 16)) { |
5403 | 54 | ++digs; |
5404 | 54 | } |
5405 | 7.78k | #endif |
5406 | | |
5407 | | /* if it's negative add one for the sign */ |
5408 | 7.78k | if (a->sign == MP_NEG) { |
5409 | 293 | ++digs; |
5410 | 293 | } |
5411 | | |
5412 | | /* return digs + 1, the 1 is for the NULL byte that would be required. */ |
5413 | 7.78k | *size = digs + 1; |
5414 | 7.78k | return MP_OKAY; |
5415 | 8.03k | } |
5416 | | |
5417 | | /* stores a bignum as a ASCII string in a given radix (2..64) */ |
5418 | | int mp_toradix (mp_int *a, char *str, int radix) |
5419 | 9.14k | { |
5420 | 9.14k | int res, digs; |
5421 | 9.14k | mp_int t; |
5422 | 9.14k | mp_digit d; |
5423 | 9.14k | char *_s = str; |
5424 | | |
5425 | | /* check range of the radix */ |
5426 | 9.14k | if (radix < MP_RADIX_BIN || radix > MP_RADIX_MAX) { |
5427 | 0 | return MP_VAL; |
5428 | 0 | } |
5429 | | |
5430 | | /* quick out if its zero */ |
5431 | 9.14k | if (mp_iszero(a) == MP_YES) { |
5432 | 1.27k | #ifndef WC_DISABLE_RADIX_ZERO_PAD |
5433 | 1.27k | if (radix == 16) { |
5434 | 12 | *str++ = '0'; |
5435 | 12 | } |
5436 | 1.27k | #endif |
5437 | 1.27k | *str++ = '0'; |
5438 | 1.27k | *str = '\0'; |
5439 | 1.27k | return MP_OKAY; |
5440 | 1.27k | } |
5441 | | |
5442 | 7.87k | if ((res = mp_init_copy (&t, a)) != MP_OKAY) { |
5443 | 59 | return res; |
5444 | 59 | } |
5445 | | |
5446 | | /* if it is negative output a - */ |
5447 | 7.81k | if (t.sign == MP_NEG) { |
5448 | 307 | ++_s; |
5449 | 307 | *str++ = '-'; |
5450 | 307 | t.sign = MP_ZPOS; |
5451 | 307 | } |
5452 | | |
5453 | 7.81k | digs = 0; |
5454 | 1.15M | while (mp_iszero (&t) == MP_NO) { |
5455 | 1.14M | if ((res = mp_div_d (&t, (mp_digit) radix, &t, &d)) != MP_OKAY) { |
5456 | 32 | mp_clear (&t); |
5457 | 32 | return res; |
5458 | 32 | } |
5459 | 1.14M | *str++ = mp_s_rmap[d]; |
5460 | 1.14M | ++digs; |
5461 | 1.14M | } |
5462 | 7.78k | #ifndef WC_DISABLE_RADIX_ZERO_PAD |
5463 | | /* For hexadecimal output, add zero padding when number of digits is odd */ |
5464 | 7.78k | if ((digs & 1) && (radix == 16)) { |
5465 | 49 | *str++ = mp_s_rmap[0]; |
5466 | 49 | ++digs; |
5467 | 49 | } |
5468 | 7.78k | #endif |
5469 | | /* reverse the digits of the string. In this case _s points |
5470 | | * to the first digit [excluding the sign] of the number] |
5471 | | */ |
5472 | 7.78k | bn_reverse ((unsigned char *)_s, digs); |
5473 | | |
5474 | | /* append a NULL so the string is properly terminated */ |
5475 | 7.78k | *str = '\0'; |
5476 | | |
5477 | 7.78k | mp_clear (&t); |
5478 | 7.78k | return MP_OKAY; |
5479 | 7.81k | } |
5480 | | |
5481 | | #ifdef WOLFSSL_DEBUG_MATH |
5482 | | void mp_dump(const char* desc, mp_int* a, byte verbose) |
5483 | | { |
5484 | | char *buffer; |
5485 | | int size = a->alloc; |
5486 | | |
5487 | | buffer = (char*)XMALLOC(size * sizeof(mp_digit) * 2, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
5488 | | if (buffer == NULL) { |
5489 | | return; |
5490 | | } |
5491 | | |
5492 | | printf("%s: ptr=%p, used=%d, sign=%d, size=%d, mpd=%d\n", |
5493 | | desc, a, a->used, a->sign, size, (int)sizeof(mp_digit)); |
5494 | | |
5495 | | mp_tohex(a, buffer); |
5496 | | printf(" %s\n ", buffer); |
5497 | | |
5498 | | if (verbose) { |
5499 | | int i; |
5500 | | for(i=0; i<a->alloc * (int)sizeof(mp_digit); i++) { |
5501 | | printf("%02x ", *(((byte*)a->dp) + i)); |
5502 | | } |
5503 | | printf("\n"); |
5504 | | } |
5505 | | |
5506 | | XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
5507 | | } |
5508 | | #endif /* WOLFSSL_DEBUG_MATH */ |
5509 | | |
5510 | | #endif /* WC_MP_TO_RADIX */ |
5511 | | |
5512 | | #endif /* WOLFSSL_SP_MATH */ |
5513 | | |
5514 | | #endif /* !USE_FAST_MATH && USE_INTEGER_HEAP_MATH */ |
5515 | | |
5516 | | #endif /* NO_BIG_INT */ |