TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2db440d2f170c737b93b97e77bd6345d8b0d05ad / . / library / bignum.c
blob: 975b6f8b42faf7d2e0f91d58a57cdfef18b5ae35 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * Multi-precision integer library
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]6 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]22
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]23/*
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]24 * The following sources were referenced in the design of this Multi-precision
25 * Integer library:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]26 *
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]27 * [1] Handbook of Applied Cryptography - 1997
28 * Menezes, van Oorschot and Vanstone
29 *
30 * [2] Multi-Precision Math
31 * Tom St Denis
32 * https://github.com/libtom/libtommath/blob/develop/tommath.pdf
33 *
34 * [3] GNU Multi-Precision Arithmetic Library
35 * https://gmplib.org/manual/index.html
36 *
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]37 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]39#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]40#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]41#else
42#include POLARSSL_CONFIG_FILE
43#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]45#if defined(POLARSSL_BIGNUM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]47#include "polarssl/bignum.h"
48#include "polarssl/bn_mul.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]50#include <string.h>
51
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]52#if defined(POLARSSL_PLATFORM_C)
53#include "polarssl/platform.h"
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]54#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]55#include <stdio.h>
56#include <stdlib.h>
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]57#define polarssl_printf printf
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]58#define polarssl_malloc malloc
59#define polarssl_free free
60#endif
61
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]62/* Implementation that should never be optimized out by the compiler */
63static void polarssl_zeroize( void *v, size_t n ) {
64 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
65}
66
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]67#define ciL (sizeof(t_uint)) /* chars in limb */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68#define biL (ciL << 3) /* bits in limb */
69#define biH (ciL << 2) /* half limb size */
70
Manuel Pégourié-Gonnardfa647a72015-10-05 15:23:11 +0100[diff] [blame]71#define MPI_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
72
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]73/*
74 * Convert between bits/chars and number of limbs
Manuel Pégourié-Gonnard59efb6a2015-09-28 13:48:04 +0200[diff] [blame]75 * Divide first in order to avoid potential overflows
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]76 */
Manuel Pégourié-Gonnard59efb6a2015-09-28 13:48:04 +0200[diff] [blame]77#define BITS_TO_LIMBS(i) ( (i) / biL + ( (i) % biL != 0 ) )
78#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]79
80/*
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]81 * Initialize one MPI
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]82 */
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]83void mpi_init( mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]84{
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]85 if( X == NULL )
86 return;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]87
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]88 X->s = 1;
89 X->n = 0;
90 X->p = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]91}
92
93/*
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]94 * Unallocate one MPI
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95 */
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]96void mpi_free( mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]97{
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]98 if( X == NULL )
99 return;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]100
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]101 if( X->p != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]102 {
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]103 polarssl_zeroize( X->p, X->n * ciL );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]104 polarssl_free( X->p );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]105 }
106
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]107 X->s = 1;
108 X->n = 0;
109 X->p = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]110}
111
112/*
113 * Enlarge to the specified number of limbs
114 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]115int mpi_grow( mpi *X, size_t nblimbs )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]116{
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]117 t_uint *p;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]118
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]119 if( nblimbs > POLARSSL_MPI_MAX_LIMBS )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]120 return( POLARSSL_ERR_MPI_MALLOC_FAILED );
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]121
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]122 if( X->n < nblimbs )
123 {
Mansour Moufidc531b4a2015-02-15 17:35:38 -0500[diff] [blame]124 if( ( p = polarssl_malloc( nblimbs * ciL ) ) == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]125 return( POLARSSL_ERR_MPI_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]126
127 memset( p, 0, nblimbs * ciL );
128
129 if( X->p != NULL )
130 {
131 memcpy( p, X->p, X->n * ciL );
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]132 polarssl_zeroize( X->p, X->n * ciL );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]133 polarssl_free( X->p );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]134 }
135
136 X->n = nblimbs;
137 X->p = p;
138 }
139
140 return( 0 );
141}
142
143/*
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]144 * Resize down as much as possible,
145 * while keeping at least the specified number of limbs
146 */
147int mpi_shrink( mpi *X, size_t nblimbs )
148{
149 t_uint *p;
150 size_t i;
151
152 /* Actually resize up in this case */
153 if( X->n <= nblimbs )
154 return( mpi_grow( X, nblimbs ) );
155
156 for( i = X->n - 1; i > 0; i-- )
157 if( X->p[i] != 0 )
158 break;
159 i++;
160
161 if( i < nblimbs )
162 i = nblimbs;
163
Mansour Moufidc531b4a2015-02-15 17:35:38 -0500[diff] [blame]164 if( ( p = polarssl_malloc( i * ciL ) ) == NULL )
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]165 return( POLARSSL_ERR_MPI_MALLOC_FAILED );
166
167 memset( p, 0, i * ciL );
168
169 if( X->p != NULL )
170 {
171 memcpy( p, X->p, i * ciL );
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]172 polarssl_zeroize( X->p, X->n * ciL );
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]173 polarssl_free( X->p );
174 }
175
176 X->n = i;
177 X->p = p;
178
179 return( 0 );
180}
181
182/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]183 * Copy the contents of Y into X
184 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]185int mpi_copy( mpi *X, const mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]187 int ret;
188 size_t i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]189
190 if( X == Y )
191 return( 0 );
192
Manuel Pégourié-Gonnardf4999932013-08-12 17:02:59 +0200[diff] [blame]193 if( Y->p == NULL )
194 {
195 mpi_free( X );
196 return( 0 );
197 }
198
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]199 for( i = Y->n - 1; i > 0; i-- )
200 if( Y->p[i] != 0 )
201 break;
202 i++;
203
204 X->s = Y->s;
205
206 MPI_CHK( mpi_grow( X, i ) );
207
208 memset( X->p, 0, X->n * ciL );
209 memcpy( X->p, Y->p, i * ciL );
210
211cleanup:
212
213 return( ret );
214}
215
216/*
217 * Swap the contents of X and Y
218 */
219void mpi_swap( mpi *X, mpi *Y )
220{
221 mpi T;
222
223 memcpy( &T, X, sizeof( mpi ) );
224 memcpy( X, Y, sizeof( mpi ) );
225 memcpy( Y, &T, sizeof( mpi ) );
226}
227
228/*
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]229 * Conditionally assign X = Y, without leaking information
Manuel Pégourié-Gonnard96c7a922013-11-25 18:28:53 +0100[diff] [blame]230 * about whether the assignment was made or not.
231 * (Leaking information about the respective sizes of X and Y is ok however.)
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]232 */
Manuel Pégourié-Gonnard96c7a922013-11-25 18:28:53 +0100[diff] [blame]233int mpi_safe_cond_assign( mpi *X, const mpi *Y, unsigned char assign )
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]234{
235 int ret = 0;
236 size_t i;
237
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]238 /* make sure assign is 0 or 1 in a time-constant manner */
239 assign = (assign | (unsigned char)-assign) >> 7;
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]240
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]241 MPI_CHK( mpi_grow( X, Y->n ) );
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]242
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]243 X->s = X->s * ( 1 - assign ) + Y->s * assign;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]244
Manuel Pégourié-Gonnard96c7a922013-11-25 18:28:53 +0100[diff] [blame]245 for( i = 0; i < Y->n; i++ )
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]246 X->p[i] = X->p[i] * ( 1 - assign ) + Y->p[i] * assign;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]247
Manuel Pégourié-Gonnard96c7a922013-11-25 18:28:53 +0100[diff] [blame]248 for( ; i < X->n; i++ )
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]249 X->p[i] *= ( 1 - assign );
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]250
251cleanup:
252 return( ret );
253}
254
255/*
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]256 * Conditionally swap X and Y, without leaking information
257 * about whether the swap was made or not.
258 * Here it is not ok to simply swap the pointers, which whould lead to
259 * different memory access patterns when X and Y are used afterwards.
260 */
261int mpi_safe_cond_swap( mpi *X, mpi *Y, unsigned char swap )
262{
263 int ret, s;
264 size_t i;
265 t_uint tmp;
266
267 if( X == Y )
268 return( 0 );
269
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]270 /* make sure swap is 0 or 1 in a time-constant manner */
271 swap = (swap | (unsigned char)-swap) >> 7;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]272
273 MPI_CHK( mpi_grow( X, Y->n ) );
274 MPI_CHK( mpi_grow( Y, X->n ) );
275
276 s = X->s;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]277 X->s = X->s * ( 1 - swap ) + Y->s * swap;
278 Y->s = Y->s * ( 1 - swap ) + s * swap;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]279
280
281 for( i = 0; i < X->n; i++ )
282 {
283 tmp = X->p[i];
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]284 X->p[i] = X->p[i] * ( 1 - swap ) + Y->p[i] * swap;
285 Y->p[i] = Y->p[i] * ( 1 - swap ) + tmp * swap;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]286 }
287
288cleanup:
289 return( ret );
290}
291
292/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]293 * Set value from integer
294 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]295int mpi_lset( mpi *X, t_sint z )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]296{
297 int ret;
298
299 MPI_CHK( mpi_grow( X, 1 ) );
300 memset( X->p, 0, X->n * ciL );
301
302 X->p[0] = ( z < 0 ) ? -z : z;
303 X->s = ( z < 0 ) ? -1 : 1;
304
305cleanup:
306
307 return( ret );
308}
309
310/*
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]311 * Get a specific bit
312 */
Paul Bakker6b906e52012-05-08 12:01:43 +0000[diff] [blame]313int mpi_get_bit( const mpi *X, size_t pos )
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]314{
315 if( X->n * biL <= pos )
316 return( 0 );
317
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]318 return( ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01 );
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]319}
320
321/*
322 * Set a bit to a specific value of 0 or 1
323 */
324int mpi_set_bit( mpi *X, size_t pos, unsigned char val )
325{
326 int ret = 0;
327 size_t off = pos / biL;
328 size_t idx = pos % biL;
329
330 if( val != 0 && val != 1 )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]331 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]332
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]333 if( X->n * biL <= pos )
334 {
335 if( val == 0 )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]336 return( 0 );
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]337
338 MPI_CHK( mpi_grow( X, off + 1 ) );
339 }
340
Manuel Pégourié-Gonnard9a4a5ac2013-12-04 18:05:29 +0100[diff] [blame]341 X->p[off] &= ~( (t_uint) 0x01 << idx );
342 X->p[off] |= (t_uint) val << idx;
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]343
344cleanup:
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]345
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]346 return( ret );
347}
348
349/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350 * Return the number of least significant bits
351 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]352size_t mpi_lsb( const mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]354 size_t i, j, count = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355
356 for( i = 0; i < X->n; i++ )
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]357 for( j = 0; j < biL; j++, count++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
359 return( count );
360
361 return( 0 );
362}
363
364/*
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]365 * Count leading zero bits in a given integer
366 */
367static size_t int_clz( const t_uint x )
368{
369 size_t j;
370 t_uint mask = (t_uint) 1 << (biL - 1);
371
372 for( j = 0; j < biL; j++ )
373 {
374 if( x & mask ) break;
375
376 mask >>= 1;
377 }
378
379 return j;
380}
381
382/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]383 * Return the number of most significant bits
384 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]385size_t mpi_msb( const mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]387 size_t i, j;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]388
Manuel Pégourié-Gonnard770b5e12015-04-29 17:02:01 +0200[diff] [blame]389 if( X->n == 0 )
390 return( 0 );
391
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392 for( i = X->n - 1; i > 0; i-- )
393 if( X->p[i] != 0 )
394 break;
395
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]396 j = biL - int_clz( X->p[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]398 return( ( i * biL ) + j );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]399}
400
401/*
402 * Return the total size in bytes
403 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]404size_t mpi_size( const mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]405{
406 return( ( mpi_msb( X ) + 7 ) >> 3 );
407}
408
409/*
410 * Convert an ASCII character to digit value
411 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]412static int mpi_get_digit( t_uint *d, int radix, char c )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]413{
414 *d = 255;
415
416 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
417 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
418 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
419
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]420 if( *d >= (t_uint) radix )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]421 return( POLARSSL_ERR_MPI_INVALID_CHARACTER );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]422
423 return( 0 );
424}
425
426/*
427 * Import from an ASCII string
428 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]429int mpi_read_string( mpi *X, int radix, const char *s )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]430{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]431 int ret;
432 size_t i, j, slen, n;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]433 t_uint d;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434 mpi T;
435
436 if( radix < 2 || radix > 16 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]437 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]439 mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]441 slen = strlen( s );
442
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 if( radix == 16 )
444 {
Manuel Pégourié-Gonnardfa647a72015-10-05 15:23:11 +0100[diff] [blame]445 if( slen > MPI_SIZE_T_MAX >> 2 )
Manuel Pégourié-Gonnard59efb6a2015-09-28 13:48:04 +0200[diff] [blame]446 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
447
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]448 n = BITS_TO_LIMBS( slen << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]449
450 MPI_CHK( mpi_grow( X, n ) );
451 MPI_CHK( mpi_lset( X, 0 ) );
452
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]453 for( i = slen, j = 0; i > 0; i--, j++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]454 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]455 if( i == 1 && s[i - 1] == '-' )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]456 {
457 X->s = -1;
458 break;
459 }
460
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]461 MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]462 X->p[j / ( 2 * ciL )] |= d << ( ( j % ( 2 * ciL ) ) << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463 }
464 }
465 else
466 {
467 MPI_CHK( mpi_lset( X, 0 ) );
468
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]469 for( i = 0; i < slen; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 {
471 if( i == 0 && s[i] == '-' )
472 {
473 X->s = -1;
474 continue;
475 }
476
477 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
478 MPI_CHK( mpi_mul_int( &T, X, radix ) );
Paul Bakker05feca62009-06-20 08:22:43 +0000[diff] [blame]479
480 if( X->s == 1 )
481 {
482 MPI_CHK( mpi_add_int( X, &T, d ) );
483 }
484 else
485 {
486 MPI_CHK( mpi_sub_int( X, &T, d ) );
487 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]488 }
489 }
490
491cleanup:
492
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]493 mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]494
495 return( ret );
496}
497
498/*
499 * Helper to write the digits high-order first
500 */
501static int mpi_write_hlp( mpi *X, int radix, char **p )
502{
503 int ret;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]504 t_uint r;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505
506 if( radix < 2 || radix > 16 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]507 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508
509 MPI_CHK( mpi_mod_int( &r, X, radix ) );
510 MPI_CHK( mpi_div_int( X, NULL, X, radix ) );
511
512 if( mpi_cmp_int( X, 0 ) != 0 )
513 MPI_CHK( mpi_write_hlp( X, radix, p ) );
514
515 if( r < 10 )
516 *(*p)++ = (char)( r + 0x30 );
517 else
518 *(*p)++ = (char)( r + 0x37 );
519
520cleanup:
521
522 return( ret );
523}
524
525/*
526 * Export into an ASCII string
527 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]528int mpi_write_string( const mpi *X, int radix, char *s, size_t *slen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]529{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]530 int ret = 0;
531 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]532 char *p;
533 mpi T;
534
535 if( radix < 2 || radix > 16 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]536 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]537
538 n = mpi_msb( X );
539 if( radix >= 4 ) n >>= 1;
540 if( radix >= 16 ) n >>= 1;
541 n += 3;
542
543 if( *slen < n )
544 {
545 *slen = n;
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]546 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547 }
548
549 p = s;
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]550 mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551
552 if( X->s == -1 )
553 *p++ = '-';
554
555 if( radix == 16 )
556 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]557 int c;
558 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]560 for( i = X->n, k = 0; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]562 for( j = ciL; j > 0; j-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]564 c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565
Paul Bakker6c343d72014-07-10 14:36:19 +0200[diff] [blame]566 if( c == 0 && k == 0 && ( i + j ) != 2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567 continue;
568
Paul Bakker98fe5ea2012-10-24 11:17:48 +0000[diff] [blame]569 *(p++) = "0123456789ABCDEF" [c / 16];
Paul Bakkerd2c167e2012-10-30 07:49:19 +0000[diff] [blame]570 *(p++) = "0123456789ABCDEF" [c % 16];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 k = 1;
572 }
573 }
574 }
575 else
576 {
577 MPI_CHK( mpi_copy( &T, X ) );
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]578
579 if( T.s == -1 )
580 T.s = 1;
581
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582 MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
583 }
584
585 *p++ = '\0';
586 *slen = p - s;
587
588cleanup:
589
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]590 mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591
592 return( ret );
593}
594
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]595#if defined(POLARSSL_FS_IO)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596/*
597 * Read X from an opened file
598 */
599int mpi_read_file( mpi *X, int radix, FILE *fin )
600{
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]601 t_uint d;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]602 size_t slen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]603 char *p;
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]604 /*
Paul Bakkercb37aa52011-11-30 16:00:20 +0000[diff] [blame]605 * Buffer should have space for (short) label and decimal formatted MPI,
606 * newline characters and '\0'
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]607 */
Paul Bakker5531c6d2012-09-26 19:20:46 +0000[diff] [blame]608 char s[ POLARSSL_MPI_RW_BUFFER_SIZE ];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]609
610 memset( s, 0, sizeof( s ) );
611 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]612 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613
614 slen = strlen( s );
Paul Bakkercb37aa52011-11-30 16:00:20 +0000[diff] [blame]615 if( slen == sizeof( s ) - 2 )
616 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
617
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618 if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
619 if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
620
621 p = s + slen;
622 while( --p >= s )
623 if( mpi_get_digit( &d, radix, *p ) != 0 )
624 break;
625
626 return( mpi_read_string( X, radix, p + 1 ) );
627}
628
629/*
630 * Write X into an opened file (or stdout if fout == NULL)
631 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]632int mpi_write_file( const char *p, const mpi *X, int radix, FILE *fout )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]634 int ret;
635 size_t n, slen, plen;
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]636 /*
Paul Bakker5531c6d2012-09-26 19:20:46 +0000[diff] [blame]637 * Buffer should have space for (short) label and decimal formatted MPI,
638 * newline characters and '\0'
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]639 */
Paul Bakker5531c6d2012-09-26 19:20:46 +0000[diff] [blame]640 char s[ POLARSSL_MPI_RW_BUFFER_SIZE ];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641
642 n = sizeof( s );
643 memset( s, 0, n );
644 n -= 2;
645
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]646 MPI_CHK( mpi_write_string( X, radix, s, (size_t *) &n ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]647
648 if( p == NULL ) p = "";
649
650 plen = strlen( p );
651 slen = strlen( s );
652 s[slen++] = '\r';
653 s[slen++] = '\n';
654
655 if( fout != NULL )
656 {
657 if( fwrite( p, 1, plen, fout ) != plen ||
658 fwrite( s, 1, slen, fout ) != slen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]659 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660 }
661 else
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]662 polarssl_printf( "%s%s", p, s );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663
664cleanup:
665
666 return( ret );
667}
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]668#endif /* POLARSSL_FS_IO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669
670/*
671 * Import X from unsigned binary data, big endian
672 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]673int mpi_read_binary( mpi *X, const unsigned char *buf, size_t buflen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]675 int ret;
676 size_t i, j, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]677
678 for( n = 0; n < buflen; n++ )
679 if( buf[n] != 0 )
680 break;
681
682 MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
683 MPI_CHK( mpi_lset( X, 0 ) );
684
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]685 for( i = buflen, j = 0; i > n; i--, j++ )
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]686 X->p[j / ciL] |= ((t_uint) buf[i - 1]) << ((j % ciL) << 3);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687
688cleanup:
689
690 return( ret );
691}
692
693/*
694 * Export X into unsigned binary data, big endian
695 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]696int mpi_write_binary( const mpi *X, unsigned char *buf, size_t buflen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]697{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]698 size_t i, j, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699
700 n = mpi_size( X );
701
702 if( buflen < n )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]703 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]704
705 memset( buf, 0, buflen );
706
707 for( i = buflen - 1, j = 0; n > 0; i--, j++, n-- )
708 buf[i] = (unsigned char)( X->p[j / ciL] >> ((j % ciL) << 3) );
709
710 return( 0 );
711}
712
713/*
714 * Left-shift: X <<= count
715 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]716int mpi_shift_l( mpi *X, size_t count )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]718 int ret;
719 size_t i, v0, t1;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]720 t_uint r0 = 0, r1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]721
722 v0 = count / (biL );
723 t1 = count & (biL - 1);
724
725 i = mpi_msb( X ) + count;
726
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]727 if( X->n * biL < i )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728 MPI_CHK( mpi_grow( X, BITS_TO_LIMBS( i ) ) );
729
730 ret = 0;
731
732 /*
733 * shift by count / limb_size
734 */
735 if( v0 > 0 )
736 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]737 for( i = X->n; i > v0; i-- )
738 X->p[i - 1] = X->p[i - v0 - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]739
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]740 for( ; i > 0; i-- )
741 X->p[i - 1] = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]742 }
743
744 /*
745 * shift by count % limb_size
746 */
747 if( t1 > 0 )
748 {
749 for( i = v0; i < X->n; i++ )
750 {
751 r1 = X->p[i] >> (biL - t1);
752 X->p[i] <<= t1;
753 X->p[i] |= r0;
754 r0 = r1;
755 }
756 }
757
758cleanup:
759
760 return( ret );
761}
762
763/*
764 * Right-shift: X >>= count
765 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]766int mpi_shift_r( mpi *X, size_t count )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]767{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]768 size_t i, v0, v1;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]769 t_uint r0 = 0, r1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]770
771 v0 = count / biL;
772 v1 = count & (biL - 1);
773
Manuel Pégourié-Gonnarde44ec102012-11-17 12:42:51 +0100[diff] [blame]774 if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
775 return mpi_lset( X, 0 );
776
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]777 /*
778 * shift by count / limb_size
779 */
780 if( v0 > 0 )
781 {
782 for( i = 0; i < X->n - v0; i++ )
783 X->p[i] = X->p[i + v0];
784
785 for( ; i < X->n; i++ )
786 X->p[i] = 0;
787 }
788
789 /*
790 * shift by count % limb_size
791 */
792 if( v1 > 0 )
793 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]794 for( i = X->n; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]795 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]796 r1 = X->p[i - 1] << (biL - v1);
797 X->p[i - 1] >>= v1;
798 X->p[i - 1] |= r0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]799 r0 = r1;
800 }
801 }
802
803 return( 0 );
804}
805
806/*
807 * Compare unsigned values
808 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]809int mpi_cmp_abs( const mpi *X, const mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]810{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]811 size_t i, j;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]813 for( i = X->n; i > 0; i-- )
814 if( X->p[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]815 break;
816
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]817 for( j = Y->n; j > 0; j-- )
818 if( Y->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]819 break;
820
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]821 if( i == 0 && j == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]822 return( 0 );
823
824 if( i > j ) return( 1 );
825 if( j > i ) return( -1 );
826
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]827 for( ; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]828 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]829 if( X->p[i - 1] > Y->p[i - 1] ) return( 1 );
830 if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]831 }
832
833 return( 0 );
834}
835
836/*
837 * Compare signed values
838 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]839int mpi_cmp_mpi( const mpi *X, const mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]840{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]841 size_t i, j;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]843 for( i = X->n; i > 0; i-- )
844 if( X->p[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]845 break;
846
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]847 for( j = Y->n; j > 0; j-- )
848 if( Y->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]849 break;
850
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]851 if( i == 0 && j == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]852 return( 0 );
853
854 if( i > j ) return( X->s );
Paul Bakker0c8f73b2012-03-22 14:08:57 +0000[diff] [blame]855 if( j > i ) return( -Y->s );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]856
857 if( X->s > 0 && Y->s < 0 ) return( 1 );
858 if( Y->s > 0 && X->s < 0 ) return( -1 );
859
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]860 for( ; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]861 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]862 if( X->p[i - 1] > Y->p[i - 1] ) return( X->s );
863 if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864 }
865
866 return( 0 );
867}
868
869/*
870 * Compare signed values
871 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]872int mpi_cmp_int( const mpi *X, t_sint z )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873{
874 mpi Y;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]875 t_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]876
877 *p = ( z < 0 ) ? -z : z;
878 Y.s = ( z < 0 ) ? -1 : 1;
879 Y.n = 1;
880 Y.p = p;
881
882 return( mpi_cmp_mpi( X, &Y ) );
883}
884
885/*
886 * Unsigned addition: X = |A| + |B| (HAC 14.7)
887 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]888int mpi_add_abs( mpi *X, const mpi *A, const mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]889{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]890 int ret;
891 size_t i, j;
Janos Follath2db440d2015-10-30 17:43:11 +0100[diff] [blame^]892 mpi_uint *o, *p, c, tmp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]893
894 if( X == B )
895 {
Janos Follath2db440d2015-10-30 17:43:11 +0100[diff] [blame^]896 const mpi *T = A; A = X; B = T;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]897 }
898
899 if( X != A )
900 MPI_CHK( mpi_copy( X, A ) );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]901
Paul Bakkerf7ca7b92009-06-20 10:31:06 +0000[diff] [blame]902 /*
903 * X should always be positive as a result of unsigned additions.
904 */
905 X->s = 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]906
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]907 for( j = B->n; j > 0; j-- )
908 if( B->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]909 break;
910
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]911 MPI_CHK( mpi_grow( X, j ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]912
913 o = B->p; p = X->p; c = 0;
914
Janos Follath2db440d2015-10-30 17:43:11 +0100[diff] [blame^]915 /*
916 * tmp is used because it might happen that p == o
917 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]918 for( i = 0; i < j; i++, o++, p++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]919 {
Janos Follath2db440d2015-10-30 17:43:11 +0100[diff] [blame^]920 tmp= *o;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]921 *p += c; c = ( *p < c );
Janos Follath2db440d2015-10-30 17:43:11 +0100[diff] [blame^]922 *p += tmp; c += ( *p < tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]923 }
924
925 while( c != 0 )
926 {
927 if( i >= X->n )
928 {
929 MPI_CHK( mpi_grow( X, i + 1 ) );
930 p = X->p + i;
931 }
932
Paul Bakker2d319fd2012-09-16 21:34:26 +0000[diff] [blame]933 *p += c; c = ( *p < c ); i++; p++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]934 }
935
936cleanup:
Janos Follath2db440d2015-10-30 17:43:11 +0100[diff] [blame^]937<<<<<<< HEAD
Janos Follath2b806fa2015-10-25 14:24:10 +0100[diff] [blame]938 if( &TB == B )
939 {
940 mpi_free( &TB );
941 }
Janos Follath2db440d2015-10-30 17:43:11 +0100[diff] [blame^]942=======
943>>>>>>> 6c9226809370... Improved on the previous fix and added a test case to cover both types
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]944
945 return( ret );
946}
947
948/*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]949 * Helper for mpi subtraction
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]950 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]951static void mpi_sub_hlp( size_t n, t_uint *s, t_uint *d )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]952{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]953 size_t i;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]954 t_uint c, z;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955
956 for( i = c = 0; i < n; i++, s++, d++ )
957 {
958 z = ( *d < c ); *d -= c;
959 c = ( *d < *s ) + z; *d -= *s;
960 }
961
962 while( c != 0 )
963 {
964 z = ( *d < c ); *d -= c;
965 c = z; i++; d++;
966 }
967}
968
969/*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]970 * Unsigned subtraction: X = |A| - |B| (HAC 14.9)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]972int mpi_sub_abs( mpi *X, const mpi *A, const mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]973{
974 mpi TB;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]975 int ret;
976 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]977
978 if( mpi_cmp_abs( A, B ) < 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]979 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]981 mpi_init( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982
983 if( X == B )
984 {
985 MPI_CHK( mpi_copy( &TB, B ) );
986 B = &TB;
987 }
988
989 if( X != A )
990 MPI_CHK( mpi_copy( X, A ) );
991
Paul Bakker1ef7a532009-06-20 10:50:55 +0000[diff] [blame]992 /*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]993 * X should always be positive as a result of unsigned subtractions.
Paul Bakker1ef7a532009-06-20 10:50:55 +0000[diff] [blame]994 */
995 X->s = 1;
996
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]997 ret = 0;
998
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]999 for( n = B->n; n > 0; n-- )
1000 if( B->p[n - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001 break;
1002
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1003 mpi_sub_hlp( n, B->p, X->p );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1004
1005cleanup:
1006
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1007 mpi_free( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1008
1009 return( ret );
1010}
1011
1012/*
1013 * Signed addition: X = A + B
1014 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1015int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1016{
1017 int ret, s = A->s;
1018
1019 if( A->s * B->s < 0 )
1020 {
1021 if( mpi_cmp_abs( A, B ) >= 0 )
1022 {
1023 MPI_CHK( mpi_sub_abs( X, A, B ) );
1024 X->s = s;
1025 }
1026 else
1027 {
1028 MPI_CHK( mpi_sub_abs( X, B, A ) );
1029 X->s = -s;
1030 }
1031 }
1032 else
1033 {
1034 MPI_CHK( mpi_add_abs( X, A, B ) );
1035 X->s = s;
1036 }
1037
1038cleanup:
1039
1040 return( ret );
1041}
1042
1043/*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]1044 * Signed subtraction: X = A - B
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1046int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1047{
1048 int ret, s = A->s;
1049
1050 if( A->s * B->s > 0 )
1051 {
1052 if( mpi_cmp_abs( A, B ) >= 0 )
1053 {
1054 MPI_CHK( mpi_sub_abs( X, A, B ) );
1055 X->s = s;
1056 }
1057 else
1058 {
1059 MPI_CHK( mpi_sub_abs( X, B, A ) );
1060 X->s = -s;
1061 }
1062 }
1063 else
1064 {
1065 MPI_CHK( mpi_add_abs( X, A, B ) );
1066 X->s = s;
1067 }
1068
1069cleanup:
1070
1071 return( ret );
1072}
1073
1074/*
1075 * Signed addition: X = A + b
1076 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1077int mpi_add_int( mpi *X, const mpi *A, t_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1078{
1079 mpi _B;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1080 t_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081
1082 p[0] = ( b < 0 ) ? -b : b;
1083 _B.s = ( b < 0 ) ? -1 : 1;
1084 _B.n = 1;
1085 _B.p = p;
1086
1087 return( mpi_add_mpi( X, A, &_B ) );
1088}
1089
1090/*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]1091 * Signed subtraction: X = A - b
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1092 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1093int mpi_sub_int( mpi *X, const mpi *A, t_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1094{
1095 mpi _B;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1096 t_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1097
1098 p[0] = ( b < 0 ) ? -b : b;
1099 _B.s = ( b < 0 ) ? -1 : 1;
1100 _B.n = 1;
1101 _B.p = p;
1102
1103 return( mpi_sub_mpi( X, A, &_B ) );
1104}
1105
1106/*
1107 * Helper for mpi multiplication
Paul Bakkerfc4f46f2013-06-24 19:23:56 +0200[diff] [blame]1108 */
1109static
1110#if defined(__APPLE__) && defined(__arm__)
1111/*
1112 * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
1113 * appears to need this to prevent bad ARM code generation at -O3.
1114 */
1115__attribute__ ((noinline))
1116#endif
1117void mpi_mul_hlp( size_t i, t_uint *s, t_uint *d, t_uint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1118{
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1119 t_uint c = 0, t = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1120
1121#if defined(MULADDC_HUIT)
1122 for( ; i >= 8; i -= 8 )
1123 {
1124 MULADDC_INIT
1125 MULADDC_HUIT
1126 MULADDC_STOP
1127 }
1128
1129 for( ; i > 0; i-- )
1130 {
1131 MULADDC_INIT
1132 MULADDC_CORE
1133 MULADDC_STOP
1134 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1135#else /* MULADDC_HUIT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136 for( ; i >= 16; i -= 16 )
1137 {
1138 MULADDC_INIT
1139 MULADDC_CORE MULADDC_CORE
1140 MULADDC_CORE MULADDC_CORE
1141 MULADDC_CORE MULADDC_CORE
1142 MULADDC_CORE MULADDC_CORE
1143
1144 MULADDC_CORE MULADDC_CORE
1145 MULADDC_CORE MULADDC_CORE
1146 MULADDC_CORE MULADDC_CORE
1147 MULADDC_CORE MULADDC_CORE
1148 MULADDC_STOP
1149 }
1150
1151 for( ; i >= 8; i -= 8 )
1152 {
1153 MULADDC_INIT
1154 MULADDC_CORE MULADDC_CORE
1155 MULADDC_CORE MULADDC_CORE
1156
1157 MULADDC_CORE MULADDC_CORE
1158 MULADDC_CORE MULADDC_CORE
1159 MULADDC_STOP
1160 }
1161
1162 for( ; i > 0; i-- )
1163 {
1164 MULADDC_INIT
1165 MULADDC_CORE
1166 MULADDC_STOP
1167 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1168#endif /* MULADDC_HUIT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1169
1170 t++;
1171
1172 do {
1173 *d += c; c = ( *d < c ); d++;
1174 }
1175 while( c != 0 );
1176}
1177
1178/*
1179 * Baseline multiplication: X = A * B (HAC 14.12)
1180 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1181int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1182{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1183 int ret;
1184 size_t i, j;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1185 mpi TA, TB;
1186
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1187 mpi_init( &TA ); mpi_init( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1188
1189 if( X == A ) { MPI_CHK( mpi_copy( &TA, A ) ); A = &TA; }
1190 if( X == B ) { MPI_CHK( mpi_copy( &TB, B ) ); B = &TB; }
1191
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1192 for( i = A->n; i > 0; i-- )
1193 if( A->p[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1194 break;
1195
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1196 for( j = B->n; j > 0; j-- )
1197 if( B->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1198 break;
1199
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1200 MPI_CHK( mpi_grow( X, i + j ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1201 MPI_CHK( mpi_lset( X, 0 ) );
1202
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1203 for( i++; j > 0; j-- )
1204 mpi_mul_hlp( i - 1, A->p, X->p + j - 1, B->p[j - 1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1205
1206 X->s = A->s * B->s;
1207
1208cleanup:
1209
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1210 mpi_free( &TB ); mpi_free( &TA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1211
1212 return( ret );
1213}
1214
1215/*
1216 * Baseline multiplication: X = A * b
1217 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1218int mpi_mul_int( mpi *X, const mpi *A, t_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1219{
1220 mpi _B;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1221 t_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1222
1223 _B.s = 1;
1224 _B.n = 1;
1225 _B.p = p;
1226 p[0] = b;
1227
1228 return( mpi_mul_mpi( X, A, &_B ) );
1229}
1230
1231/*
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]1232 * Unsigned integer divide - double t_uint, dividend, u1/u0, and t_uint
1233 * divisor, d
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1234 */
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]1235static t_uint int_div_int( t_uint u1, t_uint u0, t_uint d, t_uint *r )
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1236{
1237#if defined(POLARSSL_HAVE_UDBL)
1238 t_udbl dividend, quotient;
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]1239#else
Simon Butcherd7fe6fb2016-01-03 22:39:18 +0000[diff] [blame]1240 const t_uint radix = (t_uint) 1 << biH;
1241 const t_uint uint_halfword_mask = ( (t_uint) 1 << biH ) - 1;
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]1242 t_uint d0, d1, q0, q1, rAX, r0, quotient;
1243 t_uint u0_msw, u0_lsw;
Simon Butcherd7fe6fb2016-01-03 22:39:18 +0000[diff] [blame]1244 size_t s;
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1245#endif
1246
1247 /*
1248 * Check for overflow
1249 */
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]1250 if( 0 == d || u1 >= d )
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1251 {
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]1252 if ( r != NULL ) *r = ~0;
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1253
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]1254 return ( ~0 );
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1255 }
1256
1257#if defined(POLARSSL_HAVE_UDBL)
1258 dividend = (t_udbl) u1 << biL;
1259 dividend |= (t_udbl) u0;
1260 quotient = dividend / d;
1261 if( quotient > ( (t_udbl) 1 << biL ) - 1 )
1262 quotient = ( (t_udbl) 1 << biL ) - 1;
1263
1264 if( r != NULL )
Simon Butcherd7fe6fb2016-01-03 22:39:18 +0000[diff] [blame]1265 *r = (t_uint)( dividend - (quotient * d ) );
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1266
1267 return (t_uint) quotient;
1268#else
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1269
1270 /*
1271 * Algorithm D, Section 4.3.1 - The Art of Computer Programming
1272 * Vol. 2 - Seminumerical Algorithms, Knuth
1273 */
1274
1275 /*
1276 * Normalize the divisor, d, and dividend, u0, u1
1277 */
1278 s = int_clz( d );
1279 d = d << s;
1280
1281 u1 = u1 << s;
Simon Butcherd7fe6fb2016-01-03 22:39:18 +0000[diff] [blame]1282 u1 |= ( u0 >> ( biL - s ) ) & ( -(t_sint)s >> ( biL - 1 ) );
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1283 u0 = u0 << s;
1284
1285 d1 = d >> biH;
Simon Butcherd7fe6fb2016-01-03 22:39:18 +0000[diff] [blame]1286 d0 = d & uint_halfword_mask;
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1287
1288 u0_msw = u0 >> biH;
Simon Butcherd7fe6fb2016-01-03 22:39:18 +0000[diff] [blame]1289 u0_lsw = u0 & uint_halfword_mask;
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1290
1291 /*
1292 * Find the first quotient and remainder
1293 */
1294 q1 = u1 / d1;
1295 r0 = u1 - d1 * q1;
1296
1297 while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) )
1298 {
1299 q1 -= 1;
1300 r0 += d1;
1301
1302 if ( r0 >= radix ) break;
1303 }
1304
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]1305 rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1306 q0 = rAX / d1;
1307 r0 = rAX - q0 * d1;
1308
1309 while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) )
1310 {
1311 q0 -= 1;
1312 r0 += d1;
1313
1314 if ( r0 >= radix ) break;
1315 }
1316
1317 if (r != NULL)
Simon Butcher14400c82016-01-02 00:08:13 +0000[diff] [blame]1318 *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1319
1320 quotient = q1 * radix + q0;
1321
1322 return quotient;
1323#endif
1324}
1325
1326/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1327 * Division by mpi: A = Q * B + R (HAC 14.20)
1328 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1329int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1331 int ret;
1332 size_t i, n, t, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333 mpi X, Y, Z, T1, T2;
1334
1335 if( mpi_cmp_int( B, 0 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1336 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1338 mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z );
1339 mpi_init( &T1 ); mpi_init( &T2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340
1341 if( mpi_cmp_abs( A, B ) < 0 )
1342 {
1343 if( Q != NULL ) MPI_CHK( mpi_lset( Q, 0 ) );
1344 if( R != NULL ) MPI_CHK( mpi_copy( R, A ) );
1345 return( 0 );
1346 }
1347
1348 MPI_CHK( mpi_copy( &X, A ) );
1349 MPI_CHK( mpi_copy( &Y, B ) );
1350 X.s = Y.s = 1;
1351
1352 MPI_CHK( mpi_grow( &Z, A->n + 2 ) );
1353 MPI_CHK( mpi_lset( &Z, 0 ) );
1354 MPI_CHK( mpi_grow( &T1, 2 ) );
1355 MPI_CHK( mpi_grow( &T2, 3 ) );
1356
1357 k = mpi_msb( &Y ) % biL;
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]1358 if( k < biL - 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1359 {
1360 k = biL - 1 - k;
1361 MPI_CHK( mpi_shift_l( &X, k ) );
1362 MPI_CHK( mpi_shift_l( &Y, k ) );
1363 }
1364 else k = 0;
1365
1366 n = X.n - 1;
1367 t = Y.n - 1;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1368 MPI_CHK( mpi_shift_l( &Y, biL * ( n - t ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1369
1370 while( mpi_cmp_mpi( &X, &Y ) >= 0 )
1371 {
1372 Z.p[n - t]++;
Paul Bakker6ea1a952013-12-31 11:16:03 +0100[diff] [blame]1373 MPI_CHK( mpi_sub_mpi( &X, &X, &Y ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1374 }
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1375 MPI_CHK( mpi_shift_r( &Y, biL * ( n - t ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1376
1377 for( i = n; i > t ; i-- )
1378 {
1379 if( X.p[i] >= Y.p[t] )
1380 Z.p[i - t - 1] = ~0;
1381 else
1382 {
Simon Butchere4ed3472015-12-22 15:26:57 +0000[diff] [blame]1383 Z.p[i - t - 1] = int_div_int( X.p[i], X.p[i - 1], Y.p[t], NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1384 }
1385
1386 Z.p[i - t - 1]++;
1387 do
1388 {
1389 Z.p[i - t - 1]--;
1390
1391 MPI_CHK( mpi_lset( &T1, 0 ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1392 T1.p[0] = ( t < 1 ) ? 0 : Y.p[t - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1393 T1.p[1] = Y.p[t];
1394 MPI_CHK( mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
1395
1396 MPI_CHK( mpi_lset( &T2, 0 ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1397 T2.p[0] = ( i < 2 ) ? 0 : X.p[i - 2];
1398 T2.p[1] = ( i < 1 ) ? 0 : X.p[i - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1399 T2.p[2] = X.p[i];
1400 }
1401 while( mpi_cmp_mpi( &T1, &T2 ) > 0 );
1402
1403 MPI_CHK( mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1404 MPI_CHK( mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1405 MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
1406
1407 if( mpi_cmp_int( &X, 0 ) < 0 )
1408 {
1409 MPI_CHK( mpi_copy( &T1, &Y ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1410 MPI_CHK( mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1411 MPI_CHK( mpi_add_mpi( &X, &X, &T1 ) );
1412 Z.p[i - t - 1]--;
1413 }
1414 }
1415
1416 if( Q != NULL )
1417 {
Paul Bakker6ea1a952013-12-31 11:16:03 +0100[diff] [blame]1418 MPI_CHK( mpi_copy( Q, &Z ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1419 Q->s = A->s * B->s;
1420 }
1421
1422 if( R != NULL )
1423 {
Paul Bakker6ea1a952013-12-31 11:16:03 +0100[diff] [blame]1424 MPI_CHK( mpi_shift_r( &X, k ) );
Paul Bakkerf02c5642012-11-13 10:25:21 +0000[diff] [blame]1425 X.s = A->s;
Paul Bakker6ea1a952013-12-31 11:16:03 +0100[diff] [blame]1426 MPI_CHK( mpi_copy( R, &X ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1427
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1428 if( mpi_cmp_int( R, 0 ) == 0 )
1429 R->s = 1;
1430 }
1431
1432cleanup:
1433
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1434 mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z );
1435 mpi_free( &T1 ); mpi_free( &T2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1436
1437 return( ret );
1438}
1439
1440/*
1441 * Division by int: A = Q * b + R
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1442 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1443int mpi_div_int( mpi *Q, mpi *R, const mpi *A, t_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1444{
1445 mpi _B;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1446 t_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1447
1448 p[0] = ( b < 0 ) ? -b : b;
1449 _B.s = ( b < 0 ) ? -1 : 1;
1450 _B.n = 1;
1451 _B.p = p;
1452
1453 return( mpi_div_mpi( Q, R, A, &_B ) );
1454}
1455
1456/*
1457 * Modulo: R = A mod B
1458 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1459int mpi_mod_mpi( mpi *R, const mpi *A, const mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1460{
1461 int ret;
1462
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]1463 if( mpi_cmp_int( B, 0 ) < 0 )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]1464 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]1465
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1466 MPI_CHK( mpi_div_mpi( NULL, R, A, B ) );
1467
1468 while( mpi_cmp_int( R, 0 ) < 0 )
1469 MPI_CHK( mpi_add_mpi( R, R, B ) );
1470
1471 while( mpi_cmp_mpi( R, B ) >= 0 )
1472 MPI_CHK( mpi_sub_mpi( R, R, B ) );
1473
1474cleanup:
1475
1476 return( ret );
1477}
1478
1479/*
1480 * Modulo: r = A mod b
1481 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1482int mpi_mod_int( t_uint *r, const mpi *A, t_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1483{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1484 size_t i;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1485 t_uint x, y, z;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1486
1487 if( b == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1488 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1489
1490 if( b < 0 )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]1491 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1492
1493 /*
1494 * handle trivial cases
1495 */
1496 if( b == 1 )
1497 {
1498 *r = 0;
1499 return( 0 );
1500 }
1501
1502 if( b == 2 )
1503 {
1504 *r = A->p[0] & 1;
1505 return( 0 );
1506 }
1507
1508 /*
1509 * general case
1510 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1511 for( i = A->n, y = 0; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1512 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1513 x = A->p[i - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1514 y = ( y << biH ) | ( x >> biH );
1515 z = y / b;
1516 y -= z * b;
1517
1518 x <<= biH;
1519 y = ( y << biH ) | ( x >> biH );
1520 z = y / b;
1521 y -= z * b;
1522 }
1523
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]1524 /*
1525 * If A is negative, then the current y represents a negative value.
1526 * Flipping it to the positive side.
1527 */
1528 if( A->s < 0 && y != 0 )
1529 y = b - y;
1530
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1531 *r = y;
1532
1533 return( 0 );
1534}
1535
1536/*
1537 * Fast Montgomery initialization (thanks to Tom St Denis)
1538 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1539static void mpi_montg_init( t_uint *mm, const mpi *N )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1540{
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1541 t_uint x, m0 = N->p[0];
Manuel Pégourié-Gonnardfdf3f0e2014-03-11 13:47:05 +0100[diff] [blame]1542 unsigned int i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1543
1544 x = m0;
1545 x += ( ( m0 + 2 ) & 4 ) << 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1546
Manuel Pégourié-Gonnardfdf3f0e2014-03-11 13:47:05 +0100[diff] [blame]1547 for( i = biL; i >= 8; i /= 2 )
1548 x *= ( 2 - ( m0 * x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1549
1550 *mm = ~x + 1;
1551}
1552
1553/*
1554 * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1555 */
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1556static void mpi_montmul( mpi *A, const mpi *B, const mpi *N, t_uint mm,
1557 const mpi *T )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1558{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1559 size_t i, n, m;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1560 t_uint u0, u1, *d;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1561
1562 memset( T->p, 0, T->n * ciL );
1563
1564 d = T->p;
1565 n = N->n;
1566 m = ( B->n < n ) ? B->n : n;
1567
1568 for( i = 0; i < n; i++ )
1569 {
1570 /*
1571 * T = (T + u0*B + u1*N) / 2^biL
1572 */
1573 u0 = A->p[i];
1574 u1 = ( d[0] + u0 * B->p[0] ) * mm;
1575
1576 mpi_mul_hlp( m, B->p, d, u0 );
1577 mpi_mul_hlp( n, N->p, d, u1 );
1578
1579 *d++ = u0; d[n + 1] = 0;
1580 }
1581
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1582 memcpy( A->p, d, ( n + 1 ) * ciL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1583
1584 if( mpi_cmp_abs( A, N ) >= 0 )
1585 mpi_sub_hlp( n, N->p, A->p );
1586 else
1587 /* prevent timing attacks */
1588 mpi_sub_hlp( n, A->p, T->p );
1589}
1590
1591/*
1592 * Montgomery reduction: A = A * R^-1 mod N
1593 */
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1594static void mpi_montred( mpi *A, const mpi *N, t_uint mm, const mpi *T )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1595{
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1596 t_uint z = 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1597 mpi U;
1598
Paul Bakker8ddb6452013-02-27 14:56:33 +0100[diff] [blame]1599 U.n = U.s = (int) z;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1600 U.p = &z;
1601
1602 mpi_montmul( A, &U, N, mm, T );
1603}
1604
1605/*
1606 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1607 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1608int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1609{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1610 int ret;
1611 size_t wbits, wsize, one = 1;
1612 size_t i, j, nblimbs;
1613 size_t bufsize, nbits;
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1614 t_uint ei, mm, state;
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]1615 mpi RR, T, W[ 2 << POLARSSL_MPI_WINDOW_SIZE ], Apos;
1616 int neg;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1617
1618 if( mpi_cmp_int( N, 0 ) < 0 || ( N->p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1619 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1620
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]1621 if( mpi_cmp_int( E, 0 ) < 0 )
1622 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1623
1624 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1625 * Init temps and window size
1626 */
1627 mpi_montg_init( &mm, N );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1628 mpi_init( &RR ); mpi_init( &T );
Manuel Pégourié-Gonnardfd6a1912014-01-18 19:05:23 +0100[diff] [blame]1629 mpi_init( &Apos );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1630 memset( W, 0, sizeof( W ) );
1631
1632 i = mpi_msb( E );
1633
1634 wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
1635 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
1636
Paul Bakkerb6d5f082011-11-25 11:52:11 +0000[diff] [blame]1637 if( wsize > POLARSSL_MPI_WINDOW_SIZE )
1638 wsize = POLARSSL_MPI_WINDOW_SIZE;
1639
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1640 j = N->n + 1;
1641 MPI_CHK( mpi_grow( X, j ) );
1642 MPI_CHK( mpi_grow( &W[1], j ) );
1643 MPI_CHK( mpi_grow( &T, j * 2 ) );
1644
1645 /*
Paul Bakker50546922012-05-19 08:40:49 +0000[diff] [blame]1646 * Compensate for negative A (and correct at the end)
1647 */
1648 neg = ( A->s == -1 );
Paul Bakker50546922012-05-19 08:40:49 +0000[diff] [blame]1649 if( neg )
1650 {
1651 MPI_CHK( mpi_copy( &Apos, A ) );
1652 Apos.s = 1;
1653 A = &Apos;
1654 }
1655
1656 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1657 * If 1st call, pre-compute R^2 mod N
1658 */
1659 if( _RR == NULL || _RR->p == NULL )
1660 {
1661 MPI_CHK( mpi_lset( &RR, 1 ) );
1662 MPI_CHK( mpi_shift_l( &RR, N->n * 2 * biL ) );
1663 MPI_CHK( mpi_mod_mpi( &RR, &RR, N ) );
1664
1665 if( _RR != NULL )
1666 memcpy( _RR, &RR, sizeof( mpi ) );
1667 }
1668 else
1669 memcpy( &RR, _RR, sizeof( mpi ) );
1670
1671 /*
1672 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1673 */
1674 if( mpi_cmp_mpi( A, N ) >= 0 )
Paul Bakkerc2024f42014-01-23 20:38:35 +0100[diff] [blame]1675 MPI_CHK( mpi_mod_mpi( &W[1], A, N ) );
1676 else
1677 MPI_CHK( mpi_copy( &W[1], A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678
1679 mpi_montmul( &W[1], &RR, N, mm, &T );
1680
1681 /*
1682 * X = R^2 * R^-1 mod N = R mod N
1683 */
1684 MPI_CHK( mpi_copy( X, &RR ) );
1685 mpi_montred( X, N, mm, &T );
1686
1687 if( wsize > 1 )
1688 {
1689 /*
1690 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
1691 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1692 j = one << ( wsize - 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1693
1694 MPI_CHK( mpi_grow( &W[j], N->n + 1 ) );
1695 MPI_CHK( mpi_copy( &W[j], &W[1] ) );
1696
1697 for( i = 0; i < wsize - 1; i++ )
1698 mpi_montmul( &W[j], &W[j], N, mm, &T );
Paul Bakker0d7702c2013-10-29 16:18:35 +0100[diff] [blame]1699
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1700 /*
1701 * W[i] = W[i - 1] * W[1]
1702 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1703 for( i = j + 1; i < ( one << wsize ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1704 {
1705 MPI_CHK( mpi_grow( &W[i], N->n + 1 ) );
1706 MPI_CHK( mpi_copy( &W[i], &W[i - 1] ) );
1707
1708 mpi_montmul( &W[i], &W[1], N, mm, &T );
1709 }
1710 }
1711
1712 nblimbs = E->n;
1713 bufsize = 0;
1714 nbits = 0;
1715 wbits = 0;
1716 state = 0;
1717
1718 while( 1 )
1719 {
1720 if( bufsize == 0 )
1721 {
Paul Bakker0d7702c2013-10-29 16:18:35 +0100[diff] [blame]1722 if( nblimbs == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1723 break;
1724
Paul Bakker0d7702c2013-10-29 16:18:35 +0100[diff] [blame]1725 nblimbs--;
1726
Paul Bakkera755ca12011-04-24 09:11:17 +0000[diff] [blame]1727 bufsize = sizeof( t_uint ) << 3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1728 }
1729
1730 bufsize--;
1731
1732 ei = (E->p[nblimbs] >> bufsize) & 1;
1733
1734 /*
1735 * skip leading 0s
1736 */
1737 if( ei == 0 && state == 0 )
1738 continue;
1739
1740 if( ei == 0 && state == 1 )
1741 {
1742 /*
1743 * out of window, square X
1744 */
1745 mpi_montmul( X, X, N, mm, &T );
1746 continue;
1747 }
1748
1749 /*
1750 * add ei to current window
1751 */
1752 state = 2;
1753
1754 nbits++;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1755 wbits |= ( ei << ( wsize - nbits ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1756
1757 if( nbits == wsize )
1758 {
1759 /*
1760 * X = X^wsize R^-1 mod N
1761 */
1762 for( i = 0; i < wsize; i++ )
1763 mpi_montmul( X, X, N, mm, &T );
1764
1765 /*
1766 * X = X * W[wbits] R^-1 mod N
1767 */
1768 mpi_montmul( X, &W[wbits], N, mm, &T );
1769
1770 state--;
1771 nbits = 0;
1772 wbits = 0;
1773 }
1774 }
1775
1776 /*
1777 * process the remaining bits
1778 */
1779 for( i = 0; i < nbits; i++ )
1780 {
1781 mpi_montmul( X, X, N, mm, &T );
1782
1783 wbits <<= 1;
1784
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1785 if( ( wbits & ( one << wsize ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1786 mpi_montmul( X, &W[1], N, mm, &T );
1787 }
1788
1789 /*
1790 * X = A^E * R * R^-1 mod N = A^E mod N
1791 */
1792 mpi_montred( X, N, mm, &T );
1793
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]1794 if( neg )
1795 {
1796 X->s = -1;
Paul Bakkerc2024f42014-01-23 20:38:35 +0100[diff] [blame]1797 MPI_CHK( mpi_add_mpi( X, N, X ) );
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]1798 }
1799
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1800cleanup:
1801
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1802 for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ )
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1803 mpi_free( &W[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]1805 mpi_free( &W[1] ); mpi_free( &T ); mpi_free( &Apos );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1806
Paul Bakker75a28602014-03-31 12:08:17 +0200[diff] [blame]1807 if( _RR == NULL || _RR->p == NULL )
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1808 mpi_free( &RR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809
1810 return( ret );
1811}
1812
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1813/*
1814 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
1815 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1816int mpi_gcd( mpi *G, const mpi *A, const mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1818 int ret;
1819 size_t lz, lzt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820 mpi TG, TA, TB;
1821
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1822 mpi_init( &TG ); mpi_init( &TA ); mpi_init( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1824 MPI_CHK( mpi_copy( &TA, A ) );
1825 MPI_CHK( mpi_copy( &TB, B ) );
1826
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]1827 lz = mpi_lsb( &TA );
1828 lzt = mpi_lsb( &TB );
1829
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1830 if( lzt < lz )
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]1831 lz = lzt;
1832
1833 MPI_CHK( mpi_shift_r( &TA, lz ) );
1834 MPI_CHK( mpi_shift_r( &TB, lz ) );
1835
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836 TA.s = TB.s = 1;
1837
1838 while( mpi_cmp_int( &TA, 0 ) != 0 )
1839 {
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]1840 MPI_CHK( mpi_shift_r( &TA, mpi_lsb( &TA ) ) );
1841 MPI_CHK( mpi_shift_r( &TB, mpi_lsb( &TB ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842
1843 if( mpi_cmp_mpi( &TA, &TB ) >= 0 )
1844 {
1845 MPI_CHK( mpi_sub_abs( &TA, &TA, &TB ) );
1846 MPI_CHK( mpi_shift_r( &TA, 1 ) );
1847 }
1848 else
1849 {
1850 MPI_CHK( mpi_sub_abs( &TB, &TB, &TA ) );
1851 MPI_CHK( mpi_shift_r( &TB, 1 ) );
1852 }
1853 }
1854
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]1855 MPI_CHK( mpi_shift_l( &TB, lz ) );
1856 MPI_CHK( mpi_copy( G, &TB ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857
1858cleanup:
1859
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1860 mpi_free( &TG ); mpi_free( &TA ); mpi_free( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1861
1862 return( ret );
1863}
1864
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]1865/*
1866 * Fill X with size bytes of random.
1867 *
1868 * Use a temporary bytes representation to make sure the result is the same
Paul Bakkerc37b0ac2014-05-01 14:19:23 +0200[diff] [blame]1869 * regardless of the platform endianness (useful when f_rng is actually
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]1870 * deterministic, eg for tests).
1871 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1872int mpi_fill_random( mpi *X, size_t size,
1873 int (*f_rng)(void *, unsigned char *, size_t),
1874 void *p_rng )
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]1875{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1876 int ret;
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]1877 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
1878
1879 if( size > POLARSSL_MPI_MAX_SIZE )
1880 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]1881
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]1882 MPI_CHK( f_rng( p_rng, buf, size ) );
1883 MPI_CHK( mpi_read_binary( X, buf, size ) );
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]1884
1885cleanup:
1886 return( ret );
1887}
1888
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889/*
1890 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
1891 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1892int mpi_inv_mod( mpi *X, const mpi *A, const mpi *N )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1893{
1894 int ret;
1895 mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
1896
1897 if( mpi_cmp_int( N, 0 ) <= 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1898 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1899
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1900 mpi_init( &TA ); mpi_init( &TU ); mpi_init( &U1 ); mpi_init( &U2 );
1901 mpi_init( &G ); mpi_init( &TB ); mpi_init( &TV );
1902 mpi_init( &V1 ); mpi_init( &V2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903
1904 MPI_CHK( mpi_gcd( &G, A, N ) );
1905
1906 if( mpi_cmp_int( &G, 1 ) != 0 )
1907 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1908 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909 goto cleanup;
1910 }
1911
1912 MPI_CHK( mpi_mod_mpi( &TA, A, N ) );
1913 MPI_CHK( mpi_copy( &TU, &TA ) );
1914 MPI_CHK( mpi_copy( &TB, N ) );
1915 MPI_CHK( mpi_copy( &TV, N ) );
1916
1917 MPI_CHK( mpi_lset( &U1, 1 ) );
1918 MPI_CHK( mpi_lset( &U2, 0 ) );
1919 MPI_CHK( mpi_lset( &V1, 0 ) );
1920 MPI_CHK( mpi_lset( &V2, 1 ) );
1921
1922 do
1923 {
1924 while( ( TU.p[0] & 1 ) == 0 )
1925 {
1926 MPI_CHK( mpi_shift_r( &TU, 1 ) );
1927
1928 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
1929 {
1930 MPI_CHK( mpi_add_mpi( &U1, &U1, &TB ) );
1931 MPI_CHK( mpi_sub_mpi( &U2, &U2, &TA ) );
1932 }
1933
1934 MPI_CHK( mpi_shift_r( &U1, 1 ) );
1935 MPI_CHK( mpi_shift_r( &U2, 1 ) );
1936 }
1937
1938 while( ( TV.p[0] & 1 ) == 0 )
1939 {
1940 MPI_CHK( mpi_shift_r( &TV, 1 ) );
1941
1942 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
1943 {
1944 MPI_CHK( mpi_add_mpi( &V1, &V1, &TB ) );
1945 MPI_CHK( mpi_sub_mpi( &V2, &V2, &TA ) );
1946 }
1947
1948 MPI_CHK( mpi_shift_r( &V1, 1 ) );
1949 MPI_CHK( mpi_shift_r( &V2, 1 ) );
1950 }
1951
1952 if( mpi_cmp_mpi( &TU, &TV ) >= 0 )
1953 {
1954 MPI_CHK( mpi_sub_mpi( &TU, &TU, &TV ) );
1955 MPI_CHK( mpi_sub_mpi( &U1, &U1, &V1 ) );
1956 MPI_CHK( mpi_sub_mpi( &U2, &U2, &V2 ) );
1957 }
1958 else
1959 {
1960 MPI_CHK( mpi_sub_mpi( &TV, &TV, &TU ) );
1961 MPI_CHK( mpi_sub_mpi( &V1, &V1, &U1 ) );
1962 MPI_CHK( mpi_sub_mpi( &V2, &V2, &U2 ) );
1963 }
1964 }
1965 while( mpi_cmp_int( &TU, 0 ) != 0 );
1966
1967 while( mpi_cmp_int( &V1, 0 ) < 0 )
1968 MPI_CHK( mpi_add_mpi( &V1, &V1, N ) );
1969
1970 while( mpi_cmp_mpi( &V1, N ) >= 0 )
1971 MPI_CHK( mpi_sub_mpi( &V1, &V1, N ) );
1972
1973 MPI_CHK( mpi_copy( X, &V1 ) );
1974
1975cleanup:
1976
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]1977 mpi_free( &TA ); mpi_free( &TU ); mpi_free( &U1 ); mpi_free( &U2 );
1978 mpi_free( &G ); mpi_free( &TB ); mpi_free( &TV );
1979 mpi_free( &V1 ); mpi_free( &V2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1980
1981 return( ret );
1982}
1983
Paul Bakkerd9374b02012-11-02 11:02:58 +0000[diff] [blame]1984#if defined(POLARSSL_GENPRIME)
1985
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1986static const int small_prime[] =
1987{
1988 3, 5, 7, 11, 13, 17, 19, 23,
1989 29, 31, 37, 41, 43, 47, 53, 59,
1990 61, 67, 71, 73, 79, 83, 89, 97,
1991 101, 103, 107, 109, 113, 127, 131, 137,
1992 139, 149, 151, 157, 163, 167, 173, 179,
1993 181, 191, 193, 197, 199, 211, 223, 227,
1994 229, 233, 239, 241, 251, 257, 263, 269,
1995 271, 277, 281, 283, 293, 307, 311, 313,
1996 317, 331, 337, 347, 349, 353, 359, 367,
1997 373, 379, 383, 389, 397, 401, 409, 419,
1998 421, 431, 433, 439, 443, 449, 457, 461,
1999 463, 467, 479, 487, 491, 499, 503, 509,
2000 521, 523, 541, 547, 557, 563, 569, 571,
2001 577, 587, 593, 599, 601, 607, 613, 617,
2002 619, 631, 641, 643, 647, 653, 659, 661,
2003 673, 677, 683, 691, 701, 709, 719, 727,
2004 733, 739, 743, 751, 757, 761, 769, 773,
2005 787, 797, 809, 811, 821, 823, 827, 829,
2006 839, 853, 857, 859, 863, 877, 881, 883,
2007 887, 907, 911, 919, 929, 937, 941, 947,
2008 953, 967, 971, 977, 983, 991, 997, -103
2009};
2010
2011/*
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2012 * Small divisors test (X must be positive)
2013 *
2014 * Return values:
2015 * 0: no small factor (possible prime, more tests needed)
2016 * 1: certain prime
2017 * POLARSSL_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
2018 * other negative: error
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019 */
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2020static int mpi_check_small_factors( const mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021{
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2022 int ret = 0;
2023 size_t i;
2024 t_uint r;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2026 if( ( X->p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2027 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2028
2029 for( i = 0; small_prime[i] > 0; i++ )
2030 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031 if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2032 return( 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2033
2034 MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
2035
2036 if( r == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2037 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2038 }
2039
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2040cleanup:
2041 return( ret );
2042}
2043
2044/*
2045 * Miller-Rabin pseudo-primality test (HAC 4.24)
2046 */
2047static int mpi_miller_rabin( const mpi *X,
2048 int (*f_rng)(void *, unsigned char *, size_t),
2049 void *p_rng )
2050{
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2051 int ret, count;
2052 size_t i, j, k, n, s;
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2053 mpi W, R, T, A, RR;
2054
2055 mpi_init( &W ); mpi_init( &R ); mpi_init( &T ); mpi_init( &A );
2056 mpi_init( &RR );
2057
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2058 /*
2059 * W = |X| - 1
2060 * R = W >> lsb( W )
2061 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2062 MPI_CHK( mpi_sub_int( &W, X, 1 ) );
Paul Bakker41d13f42010-03-16 21:26:36 +0000[diff] [blame]2063 s = mpi_lsb( &W );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2064 MPI_CHK( mpi_copy( &R, &W ) );
2065 MPI_CHK( mpi_shift_r( &R, s ) );
2066
2067 i = mpi_msb( X );
2068 /*
2069 * HAC, table 4.4
2070 */
2071 n = ( ( i >= 1300 ) ? 2 : ( i >= 850 ) ? 3 :
2072 ( i >= 650 ) ? 4 : ( i >= 350 ) ? 8 :
2073 ( i >= 250 ) ? 12 : ( i >= 150 ) ? 18 : 27 );
2074
2075 for( i = 0; i < n; i++ )
2076 {
2077 /*
2078 * pick a random A, 1 < A < |X| - 1
2079 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2080
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2081 count = 0;
2082 do {
2083 MPI_CHK( mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
2084
2085 j = mpi_msb( &A );
2086 k = mpi_msb( &W );
2087 if (j > k) {
2088 MPI_CHK( mpi_shift_r( &A, j - k ) );
2089 }
2090
2091 if (count++ > 30) {
2092 return POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
2093 }
2094
2095 } while ( (mpi_cmp_mpi( &A, &W ) >= 0) ||
2096 (mpi_cmp_int( &A, 1 ) <= 0) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2097
2098 /*
2099 * A = A^R mod |X|
2100 */
2101 MPI_CHK( mpi_exp_mod( &A, &A, &R, X, &RR ) );
2102
2103 if( mpi_cmp_mpi( &A, &W ) == 0 ||
2104 mpi_cmp_int( &A, 1 ) == 0 )
2105 continue;
2106
2107 j = 1;
2108 while( j < s && mpi_cmp_mpi( &A, &W ) != 0 )
2109 {
2110 /*
2111 * A = A * A mod |X|
2112 */
2113 MPI_CHK( mpi_mul_mpi( &T, &A, &A ) );
2114 MPI_CHK( mpi_mod_mpi( &A, &T, X ) );
2115
2116 if( mpi_cmp_int( &A, 1 ) == 0 )
2117 break;
2118
2119 j++;
2120 }
2121
2122 /*
2123 * not prime if A != |X| - 1 or A == 1
2124 */
2125 if( mpi_cmp_mpi( &A, &W ) != 0 ||
2126 mpi_cmp_int( &A, 1 ) == 0 )
2127 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2128 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2129 break;
2130 }
2131 }
2132
2133cleanup:
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]2134 mpi_free( &W ); mpi_free( &R ); mpi_free( &T ); mpi_free( &A );
2135 mpi_free( &RR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2136
2137 return( ret );
2138}
2139
2140/*
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2141 * Pseudo-primality test: small factors, then Miller-Rabin
2142 */
Paul Bakker45f457d2013-11-25 14:26:52 +0100[diff] [blame]2143int mpi_is_prime( mpi *X,
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2144 int (*f_rng)(void *, unsigned char *, size_t),
2145 void *p_rng )
2146{
2147 int ret;
Manuel Pégourié-Gonnard7f4ed672014-10-14 20:56:02 +0200[diff] [blame]2148 mpi XX;
2149
2150 XX.s = 1;
2151 XX.n = X->n;
2152 XX.p = X->p;
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2153
2154 if( mpi_cmp_int( &XX, 0 ) == 0 ||
2155 mpi_cmp_int( &XX, 1 ) == 0 )
2156 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
2157
2158 if( mpi_cmp_int( &XX, 2 ) == 0 )
2159 return( 0 );
2160
2161 if( ( ret = mpi_check_small_factors( &XX ) ) != 0 )
2162 {
2163 if( ret == 1 )
2164 return( 0 );
2165
2166 return( ret );
2167 }
2168
2169 return( mpi_miller_rabin( &XX, f_rng, p_rng ) );
2170}
2171
2172/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2173 * Prime number generation
2174 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2175int mpi_gen_prime( mpi *X, size_t nbits, int dh_flag,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2176 int (*f_rng)(void *, unsigned char *, size_t),
2177 void *p_rng )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2178{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2179 int ret;
2180 size_t k, n;
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2181 t_uint r;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2182 mpi Y;
2183
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]2184 if( nbits < 3 || nbits > POLARSSL_MPI_MAX_BITS )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2185 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2186
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]2187 mpi_init( &Y );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2188
2189 n = BITS_TO_LIMBS( nbits );
2190
Paul Bakker901c6562012-04-20 13:25:38 +0000[diff] [blame]2191 MPI_CHK( mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2192
2193 k = mpi_msb( X );
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2194 if( k > nbits ) MPI_CHK( mpi_shift_r( X, k - nbits + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2195
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2196 mpi_set_bit( X, nbits-1, 1 );
2197
2198 X->p[0] |= 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2199
2200 if( dh_flag == 0 )
2201 {
2202 while( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
2203 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2204 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205 goto cleanup;
2206
2207 MPI_CHK( mpi_add_int( X, X, 2 ) );
2208 }
2209 }
2210 else
2211 {
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2212 /*
2213 * An necessary condition for Y and X = 2Y + 1 to be prime
2214 * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
2215 * Make sure it is satisfied, while keeping X = 3 mod 4
2216 */
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2217
2218 X->p[0] |= 2;
2219
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2220 MPI_CHK( mpi_mod_int( &r, X, 3 ) );
2221 if( r == 0 )
2222 MPI_CHK( mpi_add_int( X, X, 8 ) );
2223 else if( r == 1 )
2224 MPI_CHK( mpi_add_int( X, X, 4 ) );
2225
2226 /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
2227 MPI_CHK( mpi_copy( &Y, X ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2228 MPI_CHK( mpi_shift_r( &Y, 1 ) );
2229
2230 while( 1 )
2231 {
Manuel Pégourié-Gonnardddf76152013-11-22 19:58:22 +0100[diff] [blame]2232 /*
2233 * First, check small factors for X and Y
2234 * before doing Miller-Rabin on any of them
2235 */
2236 if( ( ret = mpi_check_small_factors( X ) ) == 0 &&
2237 ( ret = mpi_check_small_factors( &Y ) ) == 0 &&
2238 ( ret = mpi_miller_rabin( X, f_rng, p_rng ) ) == 0 &&
2239 ( ret = mpi_miller_rabin( &Y, f_rng, p_rng ) ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2240 {
Manuel Pégourié-Gonnardddf76152013-11-22 19:58:22 +0100[diff] [blame]2241 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2242 }
2243
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2244 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2245 goto cleanup;
2246
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2247 /*
Manuel Pégourié-Gonnardddf76152013-11-22 19:58:22 +0100[diff] [blame]2248 * Next candidates. We want to preserve Y = (X-1) / 2 and
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2249 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
2250 * so up Y by 6 and X by 12.
2251 */
2252 MPI_CHK( mpi_add_int( X, X, 12 ) );
2253 MPI_CHK( mpi_add_int( &Y, &Y, 6 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2254 }
2255 }
2256
2257cleanup:
2258
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]2259 mpi_free( &Y );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260
2261 return( ret );
2262}
2263
Manuel Pégourié-Gonnarddf0142b2013-08-22 18:29:07 +0200[diff] [blame]2264#endif /* POLARSSL_GENPRIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2265
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2266#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2267
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2268#define GCD_PAIR_COUNT 3
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2269
2270static const int gcd_pairs[GCD_PAIR_COUNT][3] =
2271{
2272 { 693, 609, 21 },
2273 { 1764, 868, 28 },
2274 { 768454923, 542167814, 1 }
2275};
2276
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2277/*
2278 * Checkup routine
2279 */
2280int mpi_self_test( int verbose )
2281{
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2282 int ret, i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2283 mpi A, E, N, X, Y, U, V;
2284
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]2285 mpi_init( &A ); mpi_init( &E ); mpi_init( &N ); mpi_init( &X );
2286 mpi_init( &Y ); mpi_init( &U ); mpi_init( &V );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2287
2288 MPI_CHK( mpi_read_string( &A, 16,
2289 "EFE021C2645FD1DC586E69184AF4A31E" \
2290 "D5F53E93B5F123FA41680867BA110131" \
2291 "944FE7952E2517337780CB0DB80E61AA" \
2292 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
2293
2294 MPI_CHK( mpi_read_string( &E, 16,
2295 "B2E7EFD37075B9F03FF989C7C5051C20" \
2296 "34D2A323810251127E7BF8625A4F49A5" \
2297 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
2298 "5B5C25763222FEFCCFC38B832366C29E" ) );
2299
2300 MPI_CHK( mpi_read_string( &N, 16,
2301 "0066A198186C18C10B2F5ED9B522752A" \
2302 "9830B69916E535C8F047518A889A43A5" \
2303 "94B6BED27A168D31D4A52F88925AA8F5" ) );
2304
2305 MPI_CHK( mpi_mul_mpi( &X, &A, &N ) );
2306
2307 MPI_CHK( mpi_read_string( &U, 16,
2308 "602AB7ECA597A3D6B56FF9829A5E8B85" \
2309 "9E857EA95A03512E2BAE7391688D264A" \
2310 "A5663B0341DB9CCFD2C4C5F421FEC814" \
2311 "8001B72E848A38CAE1C65F78E56ABDEF" \
2312 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
2313 "ECF677152EF804370C1A305CAF3B5BF1" \
2314 "30879B56C61DE584A0F53A2447A51E" ) );
2315
2316 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2317 polarssl_printf( " MPI test #1 (mul_mpi): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2318
2319 if( mpi_cmp_mpi( &X, &U ) != 0 )
2320 {
2321 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2322 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2323
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2324 ret = 1;
2325 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2326 }
2327
2328 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2329 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2330
2331 MPI_CHK( mpi_div_mpi( &X, &Y, &A, &N ) );
2332
2333 MPI_CHK( mpi_read_string( &U, 16,
2334 "256567336059E52CAE22925474705F39A94" ) );
2335
2336 MPI_CHK( mpi_read_string( &V, 16,
2337 "6613F26162223DF488E9CD48CC132C7A" \
2338 "0AC93C701B001B092E4E5B9F73BCD27B" \
2339 "9EE50D0657C77F374E903CDFA4C642" ) );
2340
2341 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2342 polarssl_printf( " MPI test #2 (div_mpi): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2343
2344 if( mpi_cmp_mpi( &X, &U ) != 0 ||
2345 mpi_cmp_mpi( &Y, &V ) != 0 )
2346 {
2347 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2348 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2349
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2350 ret = 1;
2351 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2352 }
2353
2354 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2355 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2356
2357 MPI_CHK( mpi_exp_mod( &X, &A, &E, &N, NULL ) );
2358
2359 MPI_CHK( mpi_read_string( &U, 16,
2360 "36E139AEA55215609D2816998ED020BB" \
2361 "BD96C37890F65171D948E9BC7CBAA4D9" \
2362 "325D24D6A3C12710F10A09FA08AB87" ) );
2363
2364 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2365 polarssl_printf( " MPI test #3 (exp_mod): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2366
2367 if( mpi_cmp_mpi( &X, &U ) != 0 )
2368 {
2369 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2370 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2371
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2372 ret = 1;
2373 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2374 }
2375
2376 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2377 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2378
2379 MPI_CHK( mpi_inv_mod( &X, &A, &N ) );
2380
2381 MPI_CHK( mpi_read_string( &U, 16,
2382 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
2383 "C3DBA76456363A10869622EAC2DD84EC" \
2384 "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
2385
2386 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2387 polarssl_printf( " MPI test #4 (inv_mod): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2388
2389 if( mpi_cmp_mpi( &X, &U ) != 0 )
2390 {
2391 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2392 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2393
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2394 ret = 1;
2395 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2396 }
2397
2398 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2399 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2400
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2401 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2402 polarssl_printf( " MPI test #5 (simple gcd): " );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2403
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2404 for( i = 0; i < GCD_PAIR_COUNT; i++ )
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2405 {
2406 MPI_CHK( mpi_lset( &X, gcd_pairs[i][0] ) );
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2407 MPI_CHK( mpi_lset( &Y, gcd_pairs[i][1] ) );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2408
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2409 MPI_CHK( mpi_gcd( &A, &X, &Y ) );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2410
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2411 if( mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
2412 {
2413 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2414 polarssl_printf( "failed at %d\n", i );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2415
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2416 ret = 1;
2417 goto cleanup;
2418 }
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2419 }
2420
2421 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2422 polarssl_printf( "passed\n" );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2423
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2424cleanup:
2425
2426 if( ret != 0 && verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2427 polarssl_printf( "Unexpected error, return code = %08X\n", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2428
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]2429 mpi_free( &A ); mpi_free( &E ); mpi_free( &N ); mpi_free( &X );
2430 mpi_free( &Y ); mpi_free( &U ); mpi_free( &V );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2431
2432 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]2433 polarssl_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2434
2435 return( ret );
2436}
2437
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2438#endif /* POLARSSL_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2439
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2440#endif /* POLARSSL_BIGNUM_C */