wolf SSL / wolfSSL

wolfSSL SSL/TLS library, support up to TLS1.3

Dependents:   CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more

wolfcrypt/src/integer.c@13:f67a6c6013ca, 2017-08-22 (annotated)

Committer:
wolfSSL
Date:
Tue Aug 22 10:48:22 2017 +0000
Revision:
13:f67a6c6013ca
wolfSSL3.12.0 with TLS1.3

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 13:f67a6c6013ca 1 /* integer.c
wolfSSL 13:f67a6c6013ca 2 *
wolfSSL 13:f67a6c6013ca 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 13:f67a6c6013ca 4 *
wolfSSL 13:f67a6c6013ca 5 * This file is part of wolfSSL.
wolfSSL 13:f67a6c6013ca 6 *
wolfSSL 13:f67a6c6013ca 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 13:f67a6c6013ca 8 * it under the terms of the GNU General Public License as published by
wolfSSL 13:f67a6c6013ca 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 13:f67a6c6013ca 10 * (at your option) any later version.
wolfSSL 13:f67a6c6013ca 11 *
wolfSSL 13:f67a6c6013ca 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 13:f67a6c6013ca 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 13:f67a6c6013ca 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 13:f67a6c6013ca 15 * GNU General Public License for more details.
wolfSSL 13:f67a6c6013ca 16 *
wolfSSL 13:f67a6c6013ca 17 * You should have received a copy of the GNU General Public License
wolfSSL 13:f67a6c6013ca 18 * along with this program; if not, write to the Free Software
wolfSSL 13:f67a6c6013ca 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 13:f67a6c6013ca 20 */
wolfSSL 13:f67a6c6013ca 21
wolfSSL 13:f67a6c6013ca 22
wolfSSL 13:f67a6c6013ca 23
wolfSSL 13:f67a6c6013ca 24 /*
wolfSSL 13:f67a6c6013ca 25 * Based on public domain LibTomMath 0.38 by Tom St Denis, tomstdenis@iahu.ca,
wolfSSL 13:f67a6c6013ca 26 * http://math.libtomcrypt.com
wolfSSL 13:f67a6c6013ca 27 */
wolfSSL 13:f67a6c6013ca 28
wolfSSL 13:f67a6c6013ca 29
wolfSSL 13:f67a6c6013ca 30 #ifdef HAVE_CONFIG_H
wolfSSL 13:f67a6c6013ca 31 #include <config.h>
wolfSSL 13:f67a6c6013ca 32 #endif
wolfSSL 13:f67a6c6013ca 33
wolfSSL 13:f67a6c6013ca 34 /* in case user set USE_FAST_MATH there */
wolfSSL 13:f67a6c6013ca 35 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 13:f67a6c6013ca 36
wolfSSL 13:f67a6c6013ca 37 #ifdef NO_INLINE
wolfSSL 13:f67a6c6013ca 38 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 13:f67a6c6013ca 39 #else
wolfSSL 13:f67a6c6013ca 40 #define WOLFSSL_MISC_INCLUDED
wolfSSL 13:f67a6c6013ca 41 #include <wolfcrypt/src/misc.c>
wolfSSL 13:f67a6c6013ca 42 #endif
wolfSSL 13:f67a6c6013ca 43
wolfSSL 13:f67a6c6013ca 44 #ifndef NO_BIG_INT
wolfSSL 13:f67a6c6013ca 45
wolfSSL 13:f67a6c6013ca 46 #ifndef USE_FAST_MATH
wolfSSL 13:f67a6c6013ca 47
wolfSSL 13:f67a6c6013ca 48 #include <wolfssl/wolfcrypt/integer.h>
wolfSSL 13:f67a6c6013ca 49
wolfSSL 13:f67a6c6013ca 50 #if defined(FREESCALE_LTC_TFM)
wolfSSL 13:f67a6c6013ca 51 #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
wolfSSL 13:f67a6c6013ca 52 #endif
wolfSSL 13:f67a6c6013ca 53 #ifdef WOLFSSL_DEBUG_MATH
wolfSSL 13:f67a6c6013ca 54 #include <stdio.h>
wolfSSL 13:f67a6c6013ca 55 #endif
wolfSSL 13:f67a6c6013ca 56
wolfSSL 13:f67a6c6013ca 57 #ifndef NO_WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 58 #ifndef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 59 #define WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 60 #endif
wolfSSL 13:f67a6c6013ca 61 #endif
wolfSSL 13:f67a6c6013ca 62
wolfSSL 13:f67a6c6013ca 63 #ifdef SHOW_GEN
wolfSSL 13:f67a6c6013ca 64 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 13:f67a6c6013ca 65 #if MQX_USE_IO_OLD
wolfSSL 13:f67a6c6013ca 66 #include <fio.h>
wolfSSL 13:f67a6c6013ca 67 #else
wolfSSL 13:f67a6c6013ca 68 #include <nio.h>
wolfSSL 13:f67a6c6013ca 69 #endif
wolfSSL 13:f67a6c6013ca 70 #else
wolfSSL 13:f67a6c6013ca 71 #include <stdio.h>
wolfSSL 13:f67a6c6013ca 72 #endif
wolfSSL 13:f67a6c6013ca 73 #endif
wolfSSL 13:f67a6c6013ca 74
wolfSSL 13:f67a6c6013ca 75 /* reverse an array, used for radix code */
wolfSSL 13:f67a6c6013ca 76 static void
wolfSSL 13:f67a6c6013ca 77 bn_reverse (unsigned char *s, int len)
wolfSSL 13:f67a6c6013ca 78 {
wolfSSL 13:f67a6c6013ca 79 int ix, iy;
wolfSSL 13:f67a6c6013ca 80 unsigned char t;
wolfSSL 13:f67a6c6013ca 81
wolfSSL 13:f67a6c6013ca 82 ix = 0;
wolfSSL 13:f67a6c6013ca 83 iy = len - 1;
wolfSSL 13:f67a6c6013ca 84 while (ix < iy) {
wolfSSL 13:f67a6c6013ca 85 t = s[ix];
wolfSSL 13:f67a6c6013ca 86 s[ix] = s[iy];
wolfSSL 13:f67a6c6013ca 87 s[iy] = t;
wolfSSL 13:f67a6c6013ca 88 ++ix;
wolfSSL 13:f67a6c6013ca 89 --iy;
wolfSSL 13:f67a6c6013ca 90 }
wolfSSL 13:f67a6c6013ca 91 }
wolfSSL 13:f67a6c6013ca 92
wolfSSL 13:f67a6c6013ca 93 /* math settings check */
wolfSSL 13:f67a6c6013ca 94 word32 CheckRunTimeSettings(void)
wolfSSL 13:f67a6c6013ca 95 {
wolfSSL 13:f67a6c6013ca 96 return CTC_SETTINGS;
wolfSSL 13:f67a6c6013ca 97 }
wolfSSL 13:f67a6c6013ca 98
wolfSSL 13:f67a6c6013ca 99
wolfSSL 13:f67a6c6013ca 100 /* handle up to 6 inits */
wolfSSL 13:f67a6c6013ca 101 int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e,
wolfSSL 13:f67a6c6013ca 102 mp_int* f)
wolfSSL 13:f67a6c6013ca 103 {
wolfSSL 13:f67a6c6013ca 104 int res = MP_OKAY;
wolfSSL 13:f67a6c6013ca 105
wolfSSL 13:f67a6c6013ca 106 if (a) XMEMSET(a, 0, sizeof(mp_int));
wolfSSL 13:f67a6c6013ca 107 if (b) XMEMSET(b, 0, sizeof(mp_int));
wolfSSL 13:f67a6c6013ca 108 if (c) XMEMSET(c, 0, sizeof(mp_int));
wolfSSL 13:f67a6c6013ca 109 if (d) XMEMSET(d, 0, sizeof(mp_int));
wolfSSL 13:f67a6c6013ca 110 if (e) XMEMSET(e, 0, sizeof(mp_int));
wolfSSL 13:f67a6c6013ca 111 if (f) XMEMSET(f, 0, sizeof(mp_int));
wolfSSL 13:f67a6c6013ca 112
wolfSSL 13:f67a6c6013ca 113 if (a && ((res = mp_init(a)) != MP_OKAY))
wolfSSL 13:f67a6c6013ca 114 return res;
wolfSSL 13:f67a6c6013ca 115
wolfSSL 13:f67a6c6013ca 116 if (b && ((res = mp_init(b)) != MP_OKAY)) {
wolfSSL 13:f67a6c6013ca 117 mp_clear(a);
wolfSSL 13:f67a6c6013ca 118 return res;
wolfSSL 13:f67a6c6013ca 119 }
wolfSSL 13:f67a6c6013ca 120
wolfSSL 13:f67a6c6013ca 121 if (c && ((res = mp_init(c)) != MP_OKAY)) {
wolfSSL 13:f67a6c6013ca 122 mp_clear(a); mp_clear(b);
wolfSSL 13:f67a6c6013ca 123 return res;
wolfSSL 13:f67a6c6013ca 124 }
wolfSSL 13:f67a6c6013ca 125
wolfSSL 13:f67a6c6013ca 126 if (d && ((res = mp_init(d)) != MP_OKAY)) {
wolfSSL 13:f67a6c6013ca 127 mp_clear(a); mp_clear(b); mp_clear(c);
wolfSSL 13:f67a6c6013ca 128 return res;
wolfSSL 13:f67a6c6013ca 129 }
wolfSSL 13:f67a6c6013ca 130
wolfSSL 13:f67a6c6013ca 131 if (e && ((res = mp_init(e)) != MP_OKAY)) {
wolfSSL 13:f67a6c6013ca 132 mp_clear(a); mp_clear(b); mp_clear(c); mp_clear(d);
wolfSSL 13:f67a6c6013ca 133 return res;
wolfSSL 13:f67a6c6013ca 134 }
wolfSSL 13:f67a6c6013ca 135
wolfSSL 13:f67a6c6013ca 136 if (f && ((res = mp_init(f)) != MP_OKAY)) {
wolfSSL 13:f67a6c6013ca 137 mp_clear(a); mp_clear(b); mp_clear(c); mp_clear(d); mp_clear(e);
wolfSSL 13:f67a6c6013ca 138 return res;
wolfSSL 13:f67a6c6013ca 139 }
wolfSSL 13:f67a6c6013ca 140
wolfSSL 13:f67a6c6013ca 141 return res;
wolfSSL 13:f67a6c6013ca 142 }
wolfSSL 13:f67a6c6013ca 143
wolfSSL 13:f67a6c6013ca 144
wolfSSL 13:f67a6c6013ca 145 /* init a new mp_int */
wolfSSL 13:f67a6c6013ca 146 int mp_init (mp_int * a)
wolfSSL 13:f67a6c6013ca 147 {
wolfSSL 13:f67a6c6013ca 148 /* Safeguard against passing in a null pointer */
wolfSSL 13:f67a6c6013ca 149 if (a == NULL)
wolfSSL 13:f67a6c6013ca 150 return MP_VAL;
wolfSSL 13:f67a6c6013ca 151
wolfSSL 13:f67a6c6013ca 152 /* defer allocation until mp_grow */
wolfSSL 13:f67a6c6013ca 153 a->dp = NULL;
wolfSSL 13:f67a6c6013ca 154
wolfSSL 13:f67a6c6013ca 155 /* set the used to zero, allocated digits to the default precision
wolfSSL 13:f67a6c6013ca 156 * and sign to positive */
wolfSSL 13:f67a6c6013ca 157 a->used = 0;
wolfSSL 13:f67a6c6013ca 158 a->alloc = 0;
wolfSSL 13:f67a6c6013ca 159 a->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 160 #ifdef HAVE_WOLF_BIGINT
wolfSSL 13:f67a6c6013ca 161 wc_bigint_init(&a->raw);
wolfSSL 13:f67a6c6013ca 162 #endif
wolfSSL 13:f67a6c6013ca 163
wolfSSL 13:f67a6c6013ca 164 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 165 }
wolfSSL 13:f67a6c6013ca 166
wolfSSL 13:f67a6c6013ca 167
wolfSSL 13:f67a6c6013ca 168 /* clear one (frees) */
wolfSSL 13:f67a6c6013ca 169 void mp_clear (mp_int * a)
wolfSSL 13:f67a6c6013ca 170 {
wolfSSL 13:f67a6c6013ca 171 int i;
wolfSSL 13:f67a6c6013ca 172
wolfSSL 13:f67a6c6013ca 173 if (a == NULL)
wolfSSL 13:f67a6c6013ca 174 return;
wolfSSL 13:f67a6c6013ca 175
wolfSSL 13:f67a6c6013ca 176 /* only do anything if a hasn't been freed previously */
wolfSSL 13:f67a6c6013ca 177 if (a->dp != NULL) {
wolfSSL 13:f67a6c6013ca 178 /* first zero the digits */
wolfSSL 13:f67a6c6013ca 179 for (i = 0; i < a->used; i++) {
wolfSSL 13:f67a6c6013ca 180 a->dp[i] = 0;
wolfSSL 13:f67a6c6013ca 181 }
wolfSSL 13:f67a6c6013ca 182
wolfSSL 13:f67a6c6013ca 183 /* free ram */
wolfSSL 13:f67a6c6013ca 184 mp_free(a);
wolfSSL 13:f67a6c6013ca 185
wolfSSL 13:f67a6c6013ca 186 /* reset members to make debugging easier */
wolfSSL 13:f67a6c6013ca 187 a->alloc = a->used = 0;
wolfSSL 13:f67a6c6013ca 188 a->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 189 }
wolfSSL 13:f67a6c6013ca 190 }
wolfSSL 13:f67a6c6013ca 191
wolfSSL 13:f67a6c6013ca 192 void mp_free (mp_int * a)
wolfSSL 13:f67a6c6013ca 193 {
wolfSSL 13:f67a6c6013ca 194 /* only do anything if a hasn't been freed previously */
wolfSSL 13:f67a6c6013ca 195 if (a->dp != NULL) {
wolfSSL 13:f67a6c6013ca 196 /* free ram */
wolfSSL 13:f67a6c6013ca 197 XFREE(a->dp, 0, DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 198 a->dp = NULL;
wolfSSL 13:f67a6c6013ca 199 }
wolfSSL 13:f67a6c6013ca 200
wolfSSL 13:f67a6c6013ca 201 #ifdef HAVE_WOLF_BIGINT
wolfSSL 13:f67a6c6013ca 202 wc_bigint_free(&a->raw);
wolfSSL 13:f67a6c6013ca 203 #endif
wolfSSL 13:f67a6c6013ca 204 }
wolfSSL 13:f67a6c6013ca 205
wolfSSL 13:f67a6c6013ca 206 void mp_forcezero(mp_int * a)
wolfSSL 13:f67a6c6013ca 207 {
wolfSSL 13:f67a6c6013ca 208 if (a == NULL)
wolfSSL 13:f67a6c6013ca 209 return;
wolfSSL 13:f67a6c6013ca 210
wolfSSL 13:f67a6c6013ca 211 /* only do anything if a hasn't been freed previously */
wolfSSL 13:f67a6c6013ca 212 if (a->dp != NULL) {
wolfSSL 13:f67a6c6013ca 213 /* force zero the used digits */
wolfSSL 13:f67a6c6013ca 214 ForceZero(a->dp, a->used * sizeof(mp_digit));
wolfSSL 13:f67a6c6013ca 215 #ifdef HAVE_WOLF_BIGINT
wolfSSL 13:f67a6c6013ca 216 wc_bigint_zero(&a->raw);
wolfSSL 13:f67a6c6013ca 217 #endif
wolfSSL 13:f67a6c6013ca 218 /* free ram */
wolfSSL 13:f67a6c6013ca 219 mp_free(a);
wolfSSL 13:f67a6c6013ca 220
wolfSSL 13:f67a6c6013ca 221 /* reset members to make debugging easier */
wolfSSL 13:f67a6c6013ca 222 a->alloc = a->used = 0;
wolfSSL 13:f67a6c6013ca 223 a->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 224 }
wolfSSL 13:f67a6c6013ca 225
wolfSSL 13:f67a6c6013ca 226 a->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 227 a->used = 0;
wolfSSL 13:f67a6c6013ca 228 }
wolfSSL 13:f67a6c6013ca 229
wolfSSL 13:f67a6c6013ca 230
wolfSSL 13:f67a6c6013ca 231 /* get the size for an unsigned equivalent */
wolfSSL 13:f67a6c6013ca 232 int mp_unsigned_bin_size (mp_int * a)
wolfSSL 13:f67a6c6013ca 233 {
wolfSSL 13:f67a6c6013ca 234 int size = mp_count_bits (a);
wolfSSL 13:f67a6c6013ca 235 return (size / 8 + ((size & 7) != 0 ? 1 : 0));
wolfSSL 13:f67a6c6013ca 236 }
wolfSSL 13:f67a6c6013ca 237
wolfSSL 13:f67a6c6013ca 238
wolfSSL 13:f67a6c6013ca 239 /* returns the number of bits in an int */
wolfSSL 13:f67a6c6013ca 240 int mp_count_bits (mp_int * a)
wolfSSL 13:f67a6c6013ca 241 {
wolfSSL 13:f67a6c6013ca 242 int r;
wolfSSL 13:f67a6c6013ca 243 mp_digit q;
wolfSSL 13:f67a6c6013ca 244
wolfSSL 13:f67a6c6013ca 245 /* shortcut */
wolfSSL 13:f67a6c6013ca 246 if (a->used == 0) {
wolfSSL 13:f67a6c6013ca 247 return 0;
wolfSSL 13:f67a6c6013ca 248 }
wolfSSL 13:f67a6c6013ca 249
wolfSSL 13:f67a6c6013ca 250 /* get number of digits and add that */
wolfSSL 13:f67a6c6013ca 251 r = (a->used - 1) * DIGIT_BIT;
wolfSSL 13:f67a6c6013ca 252
wolfSSL 13:f67a6c6013ca 253 /* take the last digit and count the bits in it */
wolfSSL 13:f67a6c6013ca 254 q = a->dp[a->used - 1];
wolfSSL 13:f67a6c6013ca 255 while (q > ((mp_digit) 0)) {
wolfSSL 13:f67a6c6013ca 256 ++r;
wolfSSL 13:f67a6c6013ca 257 q >>= ((mp_digit) 1);
wolfSSL 13:f67a6c6013ca 258 }
wolfSSL 13:f67a6c6013ca 259 return r;
wolfSSL 13:f67a6c6013ca 260 }
wolfSSL 13:f67a6c6013ca 261
wolfSSL 13:f67a6c6013ca 262
wolfSSL 13:f67a6c6013ca 263 int mp_leading_bit (mp_int * a)
wolfSSL 13:f67a6c6013ca 264 {
wolfSSL 13:f67a6c6013ca 265 int bit = 0;
wolfSSL 13:f67a6c6013ca 266 mp_int t;
wolfSSL 13:f67a6c6013ca 267
wolfSSL 13:f67a6c6013ca 268 if (mp_init_copy(&t, a) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 269 return 0;
wolfSSL 13:f67a6c6013ca 270
wolfSSL 13:f67a6c6013ca 271 while (mp_iszero(&t) == MP_NO) {
wolfSSL 13:f67a6c6013ca 272 #ifndef MP_8BIT
wolfSSL 13:f67a6c6013ca 273 bit = (t.dp[0] & 0x80) != 0;
wolfSSL 13:f67a6c6013ca 274 #else
wolfSSL 13:f67a6c6013ca 275 bit = (t.dp[0] | ((t.dp[1] & 0x01) << 7)) & 0x80 != 0;
wolfSSL 13:f67a6c6013ca 276 #endif
wolfSSL 13:f67a6c6013ca 277 if (mp_div_2d (&t, 8, &t, NULL) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 278 break;
wolfSSL 13:f67a6c6013ca 279 }
wolfSSL 13:f67a6c6013ca 280 mp_clear(&t);
wolfSSL 13:f67a6c6013ca 281 return bit;
wolfSSL 13:f67a6c6013ca 282 }
wolfSSL 13:f67a6c6013ca 283
wolfSSL 13:f67a6c6013ca 284 int mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b)
wolfSSL 13:f67a6c6013ca 285 {
wolfSSL 13:f67a6c6013ca 286 int res = 0;
wolfSSL 13:f67a6c6013ca 287 while (mp_iszero(t) == MP_NO) {
wolfSSL 13:f67a6c6013ca 288 #ifndef MP_8BIT
wolfSSL 13:f67a6c6013ca 289 b[x++] = (unsigned char) (t->dp[0] & 255);
wolfSSL 13:f67a6c6013ca 290 #else
wolfSSL 13:f67a6c6013ca 291 b[x++] = (unsigned char) (t->dp[0] | ((t->dp[1] & 0x01) << 7));
wolfSSL 13:f67a6c6013ca 292 #endif
wolfSSL 13:f67a6c6013ca 293 if ((res = mp_div_2d (t, 8, t, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 294 return res;
wolfSSL 13:f67a6c6013ca 295 }
wolfSSL 13:f67a6c6013ca 296 res = x;
wolfSSL 13:f67a6c6013ca 297 }
wolfSSL 13:f67a6c6013ca 298 return res;
wolfSSL 13:f67a6c6013ca 299 }
wolfSSL 13:f67a6c6013ca 300
wolfSSL 13:f67a6c6013ca 301 /* store in unsigned [big endian] format */
wolfSSL 13:f67a6c6013ca 302 int mp_to_unsigned_bin (mp_int * a, unsigned char *b)
wolfSSL 13:f67a6c6013ca 303 {
wolfSSL 13:f67a6c6013ca 304 int x, res;
wolfSSL 13:f67a6c6013ca 305 mp_int t;
wolfSSL 13:f67a6c6013ca 306
wolfSSL 13:f67a6c6013ca 307 if ((res = mp_init_copy (&t, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 308 return res;
wolfSSL 13:f67a6c6013ca 309 }
wolfSSL 13:f67a6c6013ca 310
wolfSSL 13:f67a6c6013ca 311 x = mp_to_unsigned_bin_at_pos(0, &t, b);
wolfSSL 13:f67a6c6013ca 312 if (x < 0) {
wolfSSL 13:f67a6c6013ca 313 mp_clear(&t);
wolfSSL 13:f67a6c6013ca 314 return x;
wolfSSL 13:f67a6c6013ca 315 }
wolfSSL 13:f67a6c6013ca 316
wolfSSL 13:f67a6c6013ca 317 bn_reverse (b, x);
wolfSSL 13:f67a6c6013ca 318 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 319 return res;
wolfSSL 13:f67a6c6013ca 320 }
wolfSSL 13:f67a6c6013ca 321
wolfSSL 13:f67a6c6013ca 322
wolfSSL 13:f67a6c6013ca 323 /* creates "a" then copies b into it */
wolfSSL 13:f67a6c6013ca 324 int mp_init_copy (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 325 {
wolfSSL 13:f67a6c6013ca 326 int res;
wolfSSL 13:f67a6c6013ca 327
wolfSSL 13:f67a6c6013ca 328 if ((res = mp_init (a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 329 return res;
wolfSSL 13:f67a6c6013ca 330 }
wolfSSL 13:f67a6c6013ca 331 return mp_copy (b, a);
wolfSSL 13:f67a6c6013ca 332 }
wolfSSL 13:f67a6c6013ca 333
wolfSSL 13:f67a6c6013ca 334
wolfSSL 13:f67a6c6013ca 335 /* copy, b = a */
wolfSSL 13:f67a6c6013ca 336 int mp_copy (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 337 {
wolfSSL 13:f67a6c6013ca 338 int res, n;
wolfSSL 13:f67a6c6013ca 339
wolfSSL 13:f67a6c6013ca 340 /* Safeguard against passing in a null pointer */
wolfSSL 13:f67a6c6013ca 341 if (a == NULL || b == NULL)
wolfSSL 13:f67a6c6013ca 342 return MP_VAL;
wolfSSL 13:f67a6c6013ca 343
wolfSSL 13:f67a6c6013ca 344 /* if dst == src do nothing */
wolfSSL 13:f67a6c6013ca 345 if (a == b) {
wolfSSL 13:f67a6c6013ca 346 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 347 }
wolfSSL 13:f67a6c6013ca 348
wolfSSL 13:f67a6c6013ca 349 /* grow dest */
wolfSSL 13:f67a6c6013ca 350 if (b->alloc < a->used || b->alloc == 0) {
wolfSSL 13:f67a6c6013ca 351 if ((res = mp_grow (b, a->used)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 352 return res;
wolfSSL 13:f67a6c6013ca 353 }
wolfSSL 13:f67a6c6013ca 354 }
wolfSSL 13:f67a6c6013ca 355
wolfSSL 13:f67a6c6013ca 356 /* zero b and copy the parameters over */
wolfSSL 13:f67a6c6013ca 357 {
wolfSSL 13:f67a6c6013ca 358 mp_digit *tmpa, *tmpb;
wolfSSL 13:f67a6c6013ca 359
wolfSSL 13:f67a6c6013ca 360 /* pointer aliases */
wolfSSL 13:f67a6c6013ca 361
wolfSSL 13:f67a6c6013ca 362 /* source */
wolfSSL 13:f67a6c6013ca 363 tmpa = a->dp;
wolfSSL 13:f67a6c6013ca 364
wolfSSL 13:f67a6c6013ca 365 /* destination */
wolfSSL 13:f67a6c6013ca 366 tmpb = b->dp;
wolfSSL 13:f67a6c6013ca 367
wolfSSL 13:f67a6c6013ca 368 /* copy all the digits */
wolfSSL 13:f67a6c6013ca 369 for (n = 0; n < a->used; n++) {
wolfSSL 13:f67a6c6013ca 370 *tmpb++ = *tmpa++;
wolfSSL 13:f67a6c6013ca 371 }
wolfSSL 13:f67a6c6013ca 372
wolfSSL 13:f67a6c6013ca 373 /* clear high digits */
wolfSSL 13:f67a6c6013ca 374 for (; n < b->used && b->dp; n++) {
wolfSSL 13:f67a6c6013ca 375 *tmpb++ = 0;
wolfSSL 13:f67a6c6013ca 376 }
wolfSSL 13:f67a6c6013ca 377 }
wolfSSL 13:f67a6c6013ca 378
wolfSSL 13:f67a6c6013ca 379 /* copy used count and sign */
wolfSSL 13:f67a6c6013ca 380 b->used = a->used;
wolfSSL 13:f67a6c6013ca 381 b->sign = a->sign;
wolfSSL 13:f67a6c6013ca 382 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 383 }
wolfSSL 13:f67a6c6013ca 384
wolfSSL 13:f67a6c6013ca 385
wolfSSL 13:f67a6c6013ca 386 /* grow as required */
wolfSSL 13:f67a6c6013ca 387 int mp_grow (mp_int * a, int size)
wolfSSL 13:f67a6c6013ca 388 {
wolfSSL 13:f67a6c6013ca 389 int i;
wolfSSL 13:f67a6c6013ca 390 mp_digit *tmp;
wolfSSL 13:f67a6c6013ca 391
wolfSSL 13:f67a6c6013ca 392 /* if the alloc size is smaller alloc more ram */
wolfSSL 13:f67a6c6013ca 393 if (a->alloc < size || size == 0) {
wolfSSL 13:f67a6c6013ca 394 /* ensure there are always at least MP_PREC digits extra on top */
wolfSSL 13:f67a6c6013ca 395 size += (MP_PREC * 2) - (size % MP_PREC);
wolfSSL 13:f67a6c6013ca 396
wolfSSL 13:f67a6c6013ca 397 /* reallocate the array a->dp
wolfSSL 13:f67a6c6013ca 398 *
wolfSSL 13:f67a6c6013ca 399 * We store the return in a temporary variable
wolfSSL 13:f67a6c6013ca 400 * in case the operation failed we don't want
wolfSSL 13:f67a6c6013ca 401 * to overwrite the dp member of a.
wolfSSL 13:f67a6c6013ca 402 */
wolfSSL 13:f67a6c6013ca 403 tmp = OPT_CAST(mp_digit) XREALLOC (a->dp, sizeof (mp_digit) * size, NULL,
wolfSSL 13:f67a6c6013ca 404 DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 405 if (tmp == NULL) {
wolfSSL 13:f67a6c6013ca 406 /* reallocation failed but "a" is still valid [can be freed] */
wolfSSL 13:f67a6c6013ca 407 return MP_MEM;
wolfSSL 13:f67a6c6013ca 408 }
wolfSSL 13:f67a6c6013ca 409
wolfSSL 13:f67a6c6013ca 410 /* reallocation succeeded so set a->dp */
wolfSSL 13:f67a6c6013ca 411 a->dp = tmp;
wolfSSL 13:f67a6c6013ca 412
wolfSSL 13:f67a6c6013ca 413 /* zero excess digits */
wolfSSL 13:f67a6c6013ca 414 i = a->alloc;
wolfSSL 13:f67a6c6013ca 415 a->alloc = size;
wolfSSL 13:f67a6c6013ca 416 for (; i < a->alloc; i++) {
wolfSSL 13:f67a6c6013ca 417 a->dp[i] = 0;
wolfSSL 13:f67a6c6013ca 418 }
wolfSSL 13:f67a6c6013ca 419 }
wolfSSL 13:f67a6c6013ca 420 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 421 }
wolfSSL 13:f67a6c6013ca 422
wolfSSL 13:f67a6c6013ca 423
wolfSSL 13:f67a6c6013ca 424 /* shift right by a certain bit count (store quotient in c, optional
wolfSSL 13:f67a6c6013ca 425 remainder in d) */
wolfSSL 13:f67a6c6013ca 426 int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d)
wolfSSL 13:f67a6c6013ca 427 {
wolfSSL 13:f67a6c6013ca 428 int D, res;
wolfSSL 13:f67a6c6013ca 429 mp_int t;
wolfSSL 13:f67a6c6013ca 430
wolfSSL 13:f67a6c6013ca 431
wolfSSL 13:f67a6c6013ca 432 /* if the shift count is <= 0 then we do no work */
wolfSSL 13:f67a6c6013ca 433 if (b <= 0) {
wolfSSL 13:f67a6c6013ca 434 res = mp_copy (a, c);
wolfSSL 13:f67a6c6013ca 435 if (d != NULL) {
wolfSSL 13:f67a6c6013ca 436 mp_zero (d);
wolfSSL 13:f67a6c6013ca 437 }
wolfSSL 13:f67a6c6013ca 438 return res;
wolfSSL 13:f67a6c6013ca 439 }
wolfSSL 13:f67a6c6013ca 440
wolfSSL 13:f67a6c6013ca 441 if ((res = mp_init (&t)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 442 return res;
wolfSSL 13:f67a6c6013ca 443 }
wolfSSL 13:f67a6c6013ca 444
wolfSSL 13:f67a6c6013ca 445 /* get the remainder */
wolfSSL 13:f67a6c6013ca 446 if (d != NULL) {
wolfSSL 13:f67a6c6013ca 447 if ((res = mp_mod_2d (a, b, &t)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 448 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 449 return res;
wolfSSL 13:f67a6c6013ca 450 }
wolfSSL 13:f67a6c6013ca 451 }
wolfSSL 13:f67a6c6013ca 452
wolfSSL 13:f67a6c6013ca 453 /* copy */
wolfSSL 13:f67a6c6013ca 454 if ((res = mp_copy (a, c)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 455 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 456 return res;
wolfSSL 13:f67a6c6013ca 457 }
wolfSSL 13:f67a6c6013ca 458
wolfSSL 13:f67a6c6013ca 459 /* shift by as many digits in the bit count */
wolfSSL 13:f67a6c6013ca 460 if (b >= (int)DIGIT_BIT) {
wolfSSL 13:f67a6c6013ca 461 mp_rshd (c, b / DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 462 }
wolfSSL 13:f67a6c6013ca 463
wolfSSL 13:f67a6c6013ca 464 /* shift any bit count < DIGIT_BIT */
wolfSSL 13:f67a6c6013ca 465 D = (b % DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 466 if (D != 0) {
wolfSSL 13:f67a6c6013ca 467 mp_rshb(c, D);
wolfSSL 13:f67a6c6013ca 468 }
wolfSSL 13:f67a6c6013ca 469 mp_clamp (c);
wolfSSL 13:f67a6c6013ca 470 if (d != NULL) {
wolfSSL 13:f67a6c6013ca 471 mp_exch (&t, d);
wolfSSL 13:f67a6c6013ca 472 }
wolfSSL 13:f67a6c6013ca 473 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 474 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 475 }
wolfSSL 13:f67a6c6013ca 476
wolfSSL 13:f67a6c6013ca 477
wolfSSL 13:f67a6c6013ca 478 /* set to zero */
wolfSSL 13:f67a6c6013ca 479 void mp_zero (mp_int * a)
wolfSSL 13:f67a6c6013ca 480 {
wolfSSL 13:f67a6c6013ca 481 int n;
wolfSSL 13:f67a6c6013ca 482 mp_digit *tmp;
wolfSSL 13:f67a6c6013ca 483
wolfSSL 13:f67a6c6013ca 484 if (a == NULL)
wolfSSL 13:f67a6c6013ca 485 return;
wolfSSL 13:f67a6c6013ca 486
wolfSSL 13:f67a6c6013ca 487 a->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 488 a->used = 0;
wolfSSL 13:f67a6c6013ca 489
wolfSSL 13:f67a6c6013ca 490 tmp = a->dp;
wolfSSL 13:f67a6c6013ca 491 for (n = 0; n < a->alloc; n++) {
wolfSSL 13:f67a6c6013ca 492 *tmp++ = 0;
wolfSSL 13:f67a6c6013ca 493 }
wolfSSL 13:f67a6c6013ca 494 }
wolfSSL 13:f67a6c6013ca 495
wolfSSL 13:f67a6c6013ca 496
wolfSSL 13:f67a6c6013ca 497 /* trim unused digits
wolfSSL 13:f67a6c6013ca 498 *
wolfSSL 13:f67a6c6013ca 499 * This is used to ensure that leading zero digits are
wolfSSL 13:f67a6c6013ca 500 * trimmed and the leading "used" digit will be non-zero
wolfSSL 13:f67a6c6013ca 501 * Typically very fast. Also fixes the sign if there
wolfSSL 13:f67a6c6013ca 502 * are no more leading digits
wolfSSL 13:f67a6c6013ca 503 */
wolfSSL 13:f67a6c6013ca 504 void mp_clamp (mp_int * a)
wolfSSL 13:f67a6c6013ca 505 {
wolfSSL 13:f67a6c6013ca 506 /* decrease used while the most significant digit is
wolfSSL 13:f67a6c6013ca 507 * zero.
wolfSSL 13:f67a6c6013ca 508 */
wolfSSL 13:f67a6c6013ca 509 while (a->used > 0 && a->dp[a->used - 1] == 0) {
wolfSSL 13:f67a6c6013ca 510 --(a->used);
wolfSSL 13:f67a6c6013ca 511 }
wolfSSL 13:f67a6c6013ca 512
wolfSSL 13:f67a6c6013ca 513 /* reset the sign flag if used == 0 */
wolfSSL 13:f67a6c6013ca 514 if (a->used == 0) {
wolfSSL 13:f67a6c6013ca 515 a->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 516 }
wolfSSL 13:f67a6c6013ca 517 }
wolfSSL 13:f67a6c6013ca 518
wolfSSL 13:f67a6c6013ca 519
wolfSSL 13:f67a6c6013ca 520 /* swap the elements of two integers, for cases where you can't simply swap the
wolfSSL 13:f67a6c6013ca 521 * mp_int pointers around
wolfSSL 13:f67a6c6013ca 522 */
wolfSSL 13:f67a6c6013ca 523 void mp_exch (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 524 {
wolfSSL 13:f67a6c6013ca 525 mp_int t;
wolfSSL 13:f67a6c6013ca 526
wolfSSL 13:f67a6c6013ca 527 t = *a;
wolfSSL 13:f67a6c6013ca 528 *a = *b;
wolfSSL 13:f67a6c6013ca 529 *b = t;
wolfSSL 13:f67a6c6013ca 530 }
wolfSSL 13:f67a6c6013ca 531
wolfSSL 13:f67a6c6013ca 532
wolfSSL 13:f67a6c6013ca 533 /* shift right a certain number of bits */
wolfSSL 13:f67a6c6013ca 534 void mp_rshb (mp_int *c, int x)
wolfSSL 13:f67a6c6013ca 535 {
wolfSSL 13:f67a6c6013ca 536 mp_digit *tmpc, mask, shift;
wolfSSL 13:f67a6c6013ca 537 mp_digit r, rr;
wolfSSL 13:f67a6c6013ca 538 mp_digit D = x;
wolfSSL 13:f67a6c6013ca 539
wolfSSL 13:f67a6c6013ca 540 /* mask */
wolfSSL 13:f67a6c6013ca 541 mask = (((mp_digit)1) << D) - 1;
wolfSSL 13:f67a6c6013ca 542
wolfSSL 13:f67a6c6013ca 543 /* shift for lsb */
wolfSSL 13:f67a6c6013ca 544 shift = DIGIT_BIT - D;
wolfSSL 13:f67a6c6013ca 545
wolfSSL 13:f67a6c6013ca 546 /* alias */
wolfSSL 13:f67a6c6013ca 547 tmpc = c->dp + (c->used - 1);
wolfSSL 13:f67a6c6013ca 548
wolfSSL 13:f67a6c6013ca 549 /* carry */
wolfSSL 13:f67a6c6013ca 550 r = 0;
wolfSSL 13:f67a6c6013ca 551 for (x = c->used - 1; x >= 0; x--) {
wolfSSL 13:f67a6c6013ca 552 /* get the lower bits of this word in a temp */
wolfSSL 13:f67a6c6013ca 553 rr = *tmpc & mask;
wolfSSL 13:f67a6c6013ca 554
wolfSSL 13:f67a6c6013ca 555 /* shift the current word and mix in the carry bits from previous word */
wolfSSL 13:f67a6c6013ca 556 *tmpc = (*tmpc >> D) | (r << shift);
wolfSSL 13:f67a6c6013ca 557 --tmpc;
wolfSSL 13:f67a6c6013ca 558
wolfSSL 13:f67a6c6013ca 559 /* set the carry to the carry bits of the current word found above */
wolfSSL 13:f67a6c6013ca 560 r = rr;
wolfSSL 13:f67a6c6013ca 561 }
wolfSSL 13:f67a6c6013ca 562 mp_clamp(c);
wolfSSL 13:f67a6c6013ca 563 }
wolfSSL 13:f67a6c6013ca 564
wolfSSL 13:f67a6c6013ca 565
wolfSSL 13:f67a6c6013ca 566 /* shift right a certain amount of digits */
wolfSSL 13:f67a6c6013ca 567 void mp_rshd (mp_int * a, int b)
wolfSSL 13:f67a6c6013ca 568 {
wolfSSL 13:f67a6c6013ca 569 int x;
wolfSSL 13:f67a6c6013ca 570
wolfSSL 13:f67a6c6013ca 571 /* if b <= 0 then ignore it */
wolfSSL 13:f67a6c6013ca 572 if (b <= 0) {
wolfSSL 13:f67a6c6013ca 573 return;
wolfSSL 13:f67a6c6013ca 574 }
wolfSSL 13:f67a6c6013ca 575
wolfSSL 13:f67a6c6013ca 576 /* if b > used then simply zero it and return */
wolfSSL 13:f67a6c6013ca 577 if (a->used <= b) {
wolfSSL 13:f67a6c6013ca 578 mp_zero (a);
wolfSSL 13:f67a6c6013ca 579 return;
wolfSSL 13:f67a6c6013ca 580 }
wolfSSL 13:f67a6c6013ca 581
wolfSSL 13:f67a6c6013ca 582 {
wolfSSL 13:f67a6c6013ca 583 mp_digit *bottom, *top;
wolfSSL 13:f67a6c6013ca 584
wolfSSL 13:f67a6c6013ca 585 /* shift the digits down */
wolfSSL 13:f67a6c6013ca 586
wolfSSL 13:f67a6c6013ca 587 /* bottom */
wolfSSL 13:f67a6c6013ca 588 bottom = a->dp;
wolfSSL 13:f67a6c6013ca 589
wolfSSL 13:f67a6c6013ca 590 /* top [offset into digits] */
wolfSSL 13:f67a6c6013ca 591 top = a->dp + b;
wolfSSL 13:f67a6c6013ca 592
wolfSSL 13:f67a6c6013ca 593 /* this is implemented as a sliding window where
wolfSSL 13:f67a6c6013ca 594 * the window is b-digits long and digits from
wolfSSL 13:f67a6c6013ca 595 * the top of the window are copied to the bottom
wolfSSL 13:f67a6c6013ca 596 *
wolfSSL 13:f67a6c6013ca 597 * e.g.
wolfSSL 13:f67a6c6013ca 598
wolfSSL 13:f67a6c6013ca 599 b-2 | b-1 | b0 | b1 | b2 | ... | bb | ---->
wolfSSL 13:f67a6c6013ca 600 /\ | ---->
wolfSSL 13:f67a6c6013ca 601 \-------------------/ ---->
wolfSSL 13:f67a6c6013ca 602 */
wolfSSL 13:f67a6c6013ca 603 for (x = 0; x < (a->used - b); x++) {
wolfSSL 13:f67a6c6013ca 604 *bottom++ = *top++;
wolfSSL 13:f67a6c6013ca 605 }
wolfSSL 13:f67a6c6013ca 606
wolfSSL 13:f67a6c6013ca 607 /* zero the top digits */
wolfSSL 13:f67a6c6013ca 608 for (; x < a->used; x++) {
wolfSSL 13:f67a6c6013ca 609 *bottom++ = 0;
wolfSSL 13:f67a6c6013ca 610 }
wolfSSL 13:f67a6c6013ca 611 }
wolfSSL 13:f67a6c6013ca 612
wolfSSL 13:f67a6c6013ca 613 /* remove excess digits */
wolfSSL 13:f67a6c6013ca 614 a->used -= b;
wolfSSL 13:f67a6c6013ca 615 }
wolfSSL 13:f67a6c6013ca 616
wolfSSL 13:f67a6c6013ca 617
wolfSSL 13:f67a6c6013ca 618 /* calc a value mod 2**b */
wolfSSL 13:f67a6c6013ca 619 int mp_mod_2d (mp_int * a, int b, mp_int * c)
wolfSSL 13:f67a6c6013ca 620 {
wolfSSL 13:f67a6c6013ca 621 int x, res;
wolfSSL 13:f67a6c6013ca 622
wolfSSL 13:f67a6c6013ca 623 /* if b is <= 0 then zero the int */
wolfSSL 13:f67a6c6013ca 624 if (b <= 0) {
wolfSSL 13:f67a6c6013ca 625 mp_zero (c);
wolfSSL 13:f67a6c6013ca 626 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 627 }
wolfSSL 13:f67a6c6013ca 628
wolfSSL 13:f67a6c6013ca 629 /* if the modulus is larger than the value than return */
wolfSSL 13:f67a6c6013ca 630 if (b >= (int) (a->used * DIGIT_BIT)) {
wolfSSL 13:f67a6c6013ca 631 res = mp_copy (a, c);
wolfSSL 13:f67a6c6013ca 632 return res;
wolfSSL 13:f67a6c6013ca 633 }
wolfSSL 13:f67a6c6013ca 634
wolfSSL 13:f67a6c6013ca 635 /* copy */
wolfSSL 13:f67a6c6013ca 636 if ((res = mp_copy (a, c)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 637 return res;
wolfSSL 13:f67a6c6013ca 638 }
wolfSSL 13:f67a6c6013ca 639
wolfSSL 13:f67a6c6013ca 640 /* zero digits above the last digit of the modulus */
wolfSSL 13:f67a6c6013ca 641 for (x = (b / DIGIT_BIT) + ((b % DIGIT_BIT) == 0 ? 0 : 1); x < c->used; x++) {
wolfSSL 13:f67a6c6013ca 642 c->dp[x] = 0;
wolfSSL 13:f67a6c6013ca 643 }
wolfSSL 13:f67a6c6013ca 644 /* clear the digit that is not completely outside/inside the modulus */
wolfSSL 13:f67a6c6013ca 645 c->dp[b / DIGIT_BIT] &= (mp_digit) ((((mp_digit) 1) <<
wolfSSL 13:f67a6c6013ca 646 (((mp_digit) b) % DIGIT_BIT)) - ((mp_digit) 1));
wolfSSL 13:f67a6c6013ca 647 mp_clamp (c);
wolfSSL 13:f67a6c6013ca 648 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 649 }
wolfSSL 13:f67a6c6013ca 650
wolfSSL 13:f67a6c6013ca 651
wolfSSL 13:f67a6c6013ca 652 /* reads a unsigned char array, assumes the msb is stored first [big endian] */
wolfSSL 13:f67a6c6013ca 653 int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c)
wolfSSL 13:f67a6c6013ca 654 {
wolfSSL 13:f67a6c6013ca 655 int res;
wolfSSL 13:f67a6c6013ca 656
wolfSSL 13:f67a6c6013ca 657 /* make sure there are at least two digits */
wolfSSL 13:f67a6c6013ca 658 if (a->alloc < 2) {
wolfSSL 13:f67a6c6013ca 659 if ((res = mp_grow(a, 2)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 660 return res;
wolfSSL 13:f67a6c6013ca 661 }
wolfSSL 13:f67a6c6013ca 662 }
wolfSSL 13:f67a6c6013ca 663
wolfSSL 13:f67a6c6013ca 664 /* zero the int */
wolfSSL 13:f67a6c6013ca 665 mp_zero (a);
wolfSSL 13:f67a6c6013ca 666
wolfSSL 13:f67a6c6013ca 667 /* read the bytes in */
wolfSSL 13:f67a6c6013ca 668 while (c-- > 0) {
wolfSSL 13:f67a6c6013ca 669 if ((res = mp_mul_2d (a, 8, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 670 return res;
wolfSSL 13:f67a6c6013ca 671 }
wolfSSL 13:f67a6c6013ca 672
wolfSSL 13:f67a6c6013ca 673 #ifndef MP_8BIT
wolfSSL 13:f67a6c6013ca 674 a->dp[0] |= *b++;
wolfSSL 13:f67a6c6013ca 675 a->used += 1;
wolfSSL 13:f67a6c6013ca 676 #else
wolfSSL 13:f67a6c6013ca 677 a->dp[0] = (*b & MP_MASK);
wolfSSL 13:f67a6c6013ca 678 a->dp[1] |= ((*b++ >> 7U) & 1);
wolfSSL 13:f67a6c6013ca 679 a->used += 2;
wolfSSL 13:f67a6c6013ca 680 #endif
wolfSSL 13:f67a6c6013ca 681 }
wolfSSL 13:f67a6c6013ca 682 mp_clamp (a);
wolfSSL 13:f67a6c6013ca 683 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 684 }
wolfSSL 13:f67a6c6013ca 685
wolfSSL 13:f67a6c6013ca 686
wolfSSL 13:f67a6c6013ca 687 /* shift left by a certain bit count */
wolfSSL 13:f67a6c6013ca 688 int mp_mul_2d (mp_int * a, int b, mp_int * c)
wolfSSL 13:f67a6c6013ca 689 {
wolfSSL 13:f67a6c6013ca 690 mp_digit d;
wolfSSL 13:f67a6c6013ca 691 int res;
wolfSSL 13:f67a6c6013ca 692
wolfSSL 13:f67a6c6013ca 693 /* copy */
wolfSSL 13:f67a6c6013ca 694 if (a != c) {
wolfSSL 13:f67a6c6013ca 695 if ((res = mp_copy (a, c)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 696 return res;
wolfSSL 13:f67a6c6013ca 697 }
wolfSSL 13:f67a6c6013ca 698 }
wolfSSL 13:f67a6c6013ca 699
wolfSSL 13:f67a6c6013ca 700 if (c->alloc < (int)(c->used + b/DIGIT_BIT + 1)) {
wolfSSL 13:f67a6c6013ca 701 if ((res = mp_grow (c, c->used + b / DIGIT_BIT + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 702 return res;
wolfSSL 13:f67a6c6013ca 703 }
wolfSSL 13:f67a6c6013ca 704 }
wolfSSL 13:f67a6c6013ca 705
wolfSSL 13:f67a6c6013ca 706 /* shift by as many digits in the bit count */
wolfSSL 13:f67a6c6013ca 707 if (b >= (int)DIGIT_BIT) {
wolfSSL 13:f67a6c6013ca 708 if ((res = mp_lshd (c, b / DIGIT_BIT)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 709 return res;
wolfSSL 13:f67a6c6013ca 710 }
wolfSSL 13:f67a6c6013ca 711 }
wolfSSL 13:f67a6c6013ca 712
wolfSSL 13:f67a6c6013ca 713 /* shift any bit count < DIGIT_BIT */
wolfSSL 13:f67a6c6013ca 714 d = (mp_digit) (b % DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 715 if (d != 0) {
wolfSSL 13:f67a6c6013ca 716 mp_digit *tmpc, shift, mask, r, rr;
wolfSSL 13:f67a6c6013ca 717 int x;
wolfSSL 13:f67a6c6013ca 718
wolfSSL 13:f67a6c6013ca 719 /* bitmask for carries */
wolfSSL 13:f67a6c6013ca 720 mask = (((mp_digit)1) << d) - 1;
wolfSSL 13:f67a6c6013ca 721
wolfSSL 13:f67a6c6013ca 722 /* shift for msbs */
wolfSSL 13:f67a6c6013ca 723 shift = DIGIT_BIT - d;
wolfSSL 13:f67a6c6013ca 724
wolfSSL 13:f67a6c6013ca 725 /* alias */
wolfSSL 13:f67a6c6013ca 726 tmpc = c->dp;
wolfSSL 13:f67a6c6013ca 727
wolfSSL 13:f67a6c6013ca 728 /* carry */
wolfSSL 13:f67a6c6013ca 729 r = 0;
wolfSSL 13:f67a6c6013ca 730 for (x = 0; x < c->used; x++) {
wolfSSL 13:f67a6c6013ca 731 /* get the higher bits of the current word */
wolfSSL 13:f67a6c6013ca 732 rr = (*tmpc >> shift) & mask;
wolfSSL 13:f67a6c6013ca 733
wolfSSL 13:f67a6c6013ca 734 /* shift the current word and OR in the carry */
wolfSSL 13:f67a6c6013ca 735 *tmpc = (mp_digit)(((*tmpc << d) | r) & MP_MASK);
wolfSSL 13:f67a6c6013ca 736 ++tmpc;
wolfSSL 13:f67a6c6013ca 737
wolfSSL 13:f67a6c6013ca 738 /* set the carry to the carry bits of the current word */
wolfSSL 13:f67a6c6013ca 739 r = rr;
wolfSSL 13:f67a6c6013ca 740 }
wolfSSL 13:f67a6c6013ca 741
wolfSSL 13:f67a6c6013ca 742 /* set final carry */
wolfSSL 13:f67a6c6013ca 743 if (r != 0) {
wolfSSL 13:f67a6c6013ca 744 c->dp[(c->used)++] = r;
wolfSSL 13:f67a6c6013ca 745 }
wolfSSL 13:f67a6c6013ca 746 }
wolfSSL 13:f67a6c6013ca 747 mp_clamp (c);
wolfSSL 13:f67a6c6013ca 748 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 749 }
wolfSSL 13:f67a6c6013ca 750
wolfSSL 13:f67a6c6013ca 751
wolfSSL 13:f67a6c6013ca 752 /* shift left a certain amount of digits */
wolfSSL 13:f67a6c6013ca 753 int mp_lshd (mp_int * a, int b)
wolfSSL 13:f67a6c6013ca 754 {
wolfSSL 13:f67a6c6013ca 755 int x, res;
wolfSSL 13:f67a6c6013ca 756
wolfSSL 13:f67a6c6013ca 757 /* if its less than zero return */
wolfSSL 13:f67a6c6013ca 758 if (b <= 0) {
wolfSSL 13:f67a6c6013ca 759 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 760 }
wolfSSL 13:f67a6c6013ca 761
wolfSSL 13:f67a6c6013ca 762 /* grow to fit the new digits */
wolfSSL 13:f67a6c6013ca 763 if (a->alloc < a->used + b) {
wolfSSL 13:f67a6c6013ca 764 if ((res = mp_grow (a, a->used + b)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 765 return res;
wolfSSL 13:f67a6c6013ca 766 }
wolfSSL 13:f67a6c6013ca 767 }
wolfSSL 13:f67a6c6013ca 768
wolfSSL 13:f67a6c6013ca 769 {
wolfSSL 13:f67a6c6013ca 770 mp_digit *top, *bottom;
wolfSSL 13:f67a6c6013ca 771
wolfSSL 13:f67a6c6013ca 772 /* increment the used by the shift amount then copy upwards */
wolfSSL 13:f67a6c6013ca 773 a->used += b;
wolfSSL 13:f67a6c6013ca 774
wolfSSL 13:f67a6c6013ca 775 /* top */
wolfSSL 13:f67a6c6013ca 776 top = a->dp + a->used - 1;
wolfSSL 13:f67a6c6013ca 777
wolfSSL 13:f67a6c6013ca 778 /* base */
wolfSSL 13:f67a6c6013ca 779 bottom = a->dp + a->used - 1 - b;
wolfSSL 13:f67a6c6013ca 780
wolfSSL 13:f67a6c6013ca 781 /* much like mp_rshd this is implemented using a sliding window
wolfSSL 13:f67a6c6013ca 782 * except the window goes the other way around. Copying from
wolfSSL 13:f67a6c6013ca 783 * the bottom to the top. see bn_mp_rshd.c for more info.
wolfSSL 13:f67a6c6013ca 784 */
wolfSSL 13:f67a6c6013ca 785 for (x = a->used - 1; x >= b; x--) {
wolfSSL 13:f67a6c6013ca 786 *top-- = *bottom--;
wolfSSL 13:f67a6c6013ca 787 }
wolfSSL 13:f67a6c6013ca 788
wolfSSL 13:f67a6c6013ca 789 /* zero the lower digits */
wolfSSL 13:f67a6c6013ca 790 top = a->dp;
wolfSSL 13:f67a6c6013ca 791 for (x = 0; x < b; x++) {
wolfSSL 13:f67a6c6013ca 792 *top++ = 0;
wolfSSL 13:f67a6c6013ca 793 }
wolfSSL 13:f67a6c6013ca 794 }
wolfSSL 13:f67a6c6013ca 795 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 796 }
wolfSSL 13:f67a6c6013ca 797
wolfSSL 13:f67a6c6013ca 798
wolfSSL 13:f67a6c6013ca 799 /* this is a shell function that calls either the normal or Montgomery
wolfSSL 13:f67a6c6013ca 800 * exptmod functions. Originally the call to the montgomery code was
wolfSSL 13:f67a6c6013ca 801 * embedded in the normal function but that wasted a lot of stack space
wolfSSL 13:f67a6c6013ca 802 * for nothing (since 99% of the time the Montgomery code would be called)
wolfSSL 13:f67a6c6013ca 803 */
wolfSSL 13:f67a6c6013ca 804 #if defined(FREESCALE_LTC_TFM)
wolfSSL 13:f67a6c6013ca 805 int wolfcrypt_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
wolfSSL 13:f67a6c6013ca 806 #else
wolfSSL 13:f67a6c6013ca 807 int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
wolfSSL 13:f67a6c6013ca 808 #endif
wolfSSL 13:f67a6c6013ca 809 {
wolfSSL 13:f67a6c6013ca 810 int dr;
wolfSSL 13:f67a6c6013ca 811
wolfSSL 13:f67a6c6013ca 812 /* modulus P must be positive */
wolfSSL 13:f67a6c6013ca 813 if (P->sign == MP_NEG) {
wolfSSL 13:f67a6c6013ca 814 return MP_VAL;
wolfSSL 13:f67a6c6013ca 815 }
wolfSSL 13:f67a6c6013ca 816
wolfSSL 13:f67a6c6013ca 817 /* if exponent X is negative we have to recurse */
wolfSSL 13:f67a6c6013ca 818 if (X->sign == MP_NEG) {
wolfSSL 13:f67a6c6013ca 819 #ifdef BN_MP_INVMOD_C
wolfSSL 13:f67a6c6013ca 820 mp_int tmpG, tmpX;
wolfSSL 13:f67a6c6013ca 821 int err;
wolfSSL 13:f67a6c6013ca 822
wolfSSL 13:f67a6c6013ca 823 /* first compute 1/G mod P */
wolfSSL 13:f67a6c6013ca 824 if ((err = mp_init(&tmpG)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 825 return err;
wolfSSL 13:f67a6c6013ca 826 }
wolfSSL 13:f67a6c6013ca 827 if ((err = mp_invmod(G, P, &tmpG)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 828 mp_clear(&tmpG);
wolfSSL 13:f67a6c6013ca 829 return err;
wolfSSL 13:f67a6c6013ca 830 }
wolfSSL 13:f67a6c6013ca 831
wolfSSL 13:f67a6c6013ca 832 /* now get |X| */
wolfSSL 13:f67a6c6013ca 833 if ((err = mp_init(&tmpX)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 834 mp_clear(&tmpG);
wolfSSL 13:f67a6c6013ca 835 return err;
wolfSSL 13:f67a6c6013ca 836 }
wolfSSL 13:f67a6c6013ca 837 if ((err = mp_abs(X, &tmpX)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 838 mp_clear(&tmpG);
wolfSSL 13:f67a6c6013ca 839 mp_clear(&tmpX);
wolfSSL 13:f67a6c6013ca 840 return err;
wolfSSL 13:f67a6c6013ca 841 }
wolfSSL 13:f67a6c6013ca 842
wolfSSL 13:f67a6c6013ca 843 /* and now compute (1/G)**|X| instead of G**X [X < 0] */
wolfSSL 13:f67a6c6013ca 844 err = mp_exptmod(&tmpG, &tmpX, P, Y);
wolfSSL 13:f67a6c6013ca 845 mp_clear(&tmpG);
wolfSSL 13:f67a6c6013ca 846 mp_clear(&tmpX);
wolfSSL 13:f67a6c6013ca 847 return err;
wolfSSL 13:f67a6c6013ca 848 #else
wolfSSL 13:f67a6c6013ca 849 /* no invmod */
wolfSSL 13:f67a6c6013ca 850 return MP_VAL;
wolfSSL 13:f67a6c6013ca 851 #endif
wolfSSL 13:f67a6c6013ca 852 }
wolfSSL 13:f67a6c6013ca 853
wolfSSL 13:f67a6c6013ca 854 /* modified diminished radix reduction */
wolfSSL 13:f67a6c6013ca 855 #if defined(BN_MP_REDUCE_IS_2K_L_C) && defined(BN_MP_REDUCE_2K_L_C) && \
wolfSSL 13:f67a6c6013ca 856 defined(BN_S_MP_EXPTMOD_C)
wolfSSL 13:f67a6c6013ca 857 if (mp_reduce_is_2k_l(P) == MP_YES) {
wolfSSL 13:f67a6c6013ca 858 return s_mp_exptmod(G, X, P, Y, 1);
wolfSSL 13:f67a6c6013ca 859 }
wolfSSL 13:f67a6c6013ca 860 #endif
wolfSSL 13:f67a6c6013ca 861
wolfSSL 13:f67a6c6013ca 862 #ifdef BN_MP_DR_IS_MODULUS_C
wolfSSL 13:f67a6c6013ca 863 /* is it a DR modulus? */
wolfSSL 13:f67a6c6013ca 864 dr = mp_dr_is_modulus(P);
wolfSSL 13:f67a6c6013ca 865 #else
wolfSSL 13:f67a6c6013ca 866 /* default to no */
wolfSSL 13:f67a6c6013ca 867 dr = 0;
wolfSSL 13:f67a6c6013ca 868 #endif
wolfSSL 13:f67a6c6013ca 869
wolfSSL 13:f67a6c6013ca 870 #ifdef BN_MP_REDUCE_IS_2K_C
wolfSSL 13:f67a6c6013ca 871 /* if not, is it a unrestricted DR modulus? */
wolfSSL 13:f67a6c6013ca 872 if (dr == 0) {
wolfSSL 13:f67a6c6013ca 873 dr = mp_reduce_is_2k(P) << 1;
wolfSSL 13:f67a6c6013ca 874 }
wolfSSL 13:f67a6c6013ca 875 #endif
wolfSSL 13:f67a6c6013ca 876
wolfSSL 13:f67a6c6013ca 877 /* if the modulus is odd or dr != 0 use the montgomery method */
wolfSSL 13:f67a6c6013ca 878 #ifdef BN_MP_EXPTMOD_FAST_C
wolfSSL 13:f67a6c6013ca 879 if (mp_isodd (P) == MP_YES || dr != 0) {
wolfSSL 13:f67a6c6013ca 880 return mp_exptmod_fast (G, X, P, Y, dr);
wolfSSL 13:f67a6c6013ca 881 } else {
wolfSSL 13:f67a6c6013ca 882 #endif
wolfSSL 13:f67a6c6013ca 883 #ifdef BN_S_MP_EXPTMOD_C
wolfSSL 13:f67a6c6013ca 884 /* otherwise use the generic Barrett reduction technique */
wolfSSL 13:f67a6c6013ca 885 return s_mp_exptmod (G, X, P, Y, 0);
wolfSSL 13:f67a6c6013ca 886 #else
wolfSSL 13:f67a6c6013ca 887 /* no exptmod for evens */
wolfSSL 13:f67a6c6013ca 888 return MP_VAL;
wolfSSL 13:f67a6c6013ca 889 #endif
wolfSSL 13:f67a6c6013ca 890 #ifdef BN_MP_EXPTMOD_FAST_C
wolfSSL 13:f67a6c6013ca 891 }
wolfSSL 13:f67a6c6013ca 892 #endif
wolfSSL 13:f67a6c6013ca 893 }
wolfSSL 13:f67a6c6013ca 894
wolfSSL 13:f67a6c6013ca 895
wolfSSL 13:f67a6c6013ca 896 /* b = |a|
wolfSSL 13:f67a6c6013ca 897 *
wolfSSL 13:f67a6c6013ca 898 * Simple function copies the input and fixes the sign to positive
wolfSSL 13:f67a6c6013ca 899 */
wolfSSL 13:f67a6c6013ca 900 int mp_abs (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 901 {
wolfSSL 13:f67a6c6013ca 902 int res;
wolfSSL 13:f67a6c6013ca 903
wolfSSL 13:f67a6c6013ca 904 /* copy a to b */
wolfSSL 13:f67a6c6013ca 905 if (a != b) {
wolfSSL 13:f67a6c6013ca 906 if ((res = mp_copy (a, b)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 907 return res;
wolfSSL 13:f67a6c6013ca 908 }
wolfSSL 13:f67a6c6013ca 909 }
wolfSSL 13:f67a6c6013ca 910
wolfSSL 13:f67a6c6013ca 911 /* force the sign of b to positive */
wolfSSL 13:f67a6c6013ca 912 b->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 913
wolfSSL 13:f67a6c6013ca 914 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 915 }
wolfSSL 13:f67a6c6013ca 916
wolfSSL 13:f67a6c6013ca 917
wolfSSL 13:f67a6c6013ca 918 /* hac 14.61, pp608 */
wolfSSL 13:f67a6c6013ca 919 #if defined(FREESCALE_LTC_TFM)
wolfSSL 13:f67a6c6013ca 920 int wolfcrypt_mp_invmod(mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 921 #else
wolfSSL 13:f67a6c6013ca 922 int mp_invmod (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 923 #endif
wolfSSL 13:f67a6c6013ca 924 {
wolfSSL 13:f67a6c6013ca 925 /* b cannot be negative */
wolfSSL 13:f67a6c6013ca 926 if (b->sign == MP_NEG || mp_iszero(b) == MP_YES) {
wolfSSL 13:f67a6c6013ca 927 return MP_VAL;
wolfSSL 13:f67a6c6013ca 928 }
wolfSSL 13:f67a6c6013ca 929
wolfSSL 13:f67a6c6013ca 930 #ifdef BN_FAST_MP_INVMOD_C
wolfSSL 13:f67a6c6013ca 931 /* if the modulus is odd we can use a faster routine instead */
wolfSSL 13:f67a6c6013ca 932 if (mp_isodd (b) == MP_YES) {
wolfSSL 13:f67a6c6013ca 933 return fast_mp_invmod (a, b, c);
wolfSSL 13:f67a6c6013ca 934 }
wolfSSL 13:f67a6c6013ca 935 #endif
wolfSSL 13:f67a6c6013ca 936
wolfSSL 13:f67a6c6013ca 937 #ifdef BN_MP_INVMOD_SLOW_C
wolfSSL 13:f67a6c6013ca 938 return mp_invmod_slow(a, b, c);
wolfSSL 13:f67a6c6013ca 939 #endif
wolfSSL 13:f67a6c6013ca 940 }
wolfSSL 13:f67a6c6013ca 941
wolfSSL 13:f67a6c6013ca 942
wolfSSL 13:f67a6c6013ca 943 /* computes the modular inverse via binary extended euclidean algorithm,
wolfSSL 13:f67a6c6013ca 944 * that is c = 1/a mod b
wolfSSL 13:f67a6c6013ca 945 *
wolfSSL 13:f67a6c6013ca 946 * Based on slow invmod except this is optimized for the case where b is
wolfSSL 13:f67a6c6013ca 947 * odd as per HAC Note 14.64 on pp. 610
wolfSSL 13:f67a6c6013ca 948 */
wolfSSL 13:f67a6c6013ca 949 int fast_mp_invmod (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 950 {
wolfSSL 13:f67a6c6013ca 951 mp_int x, y, u, v, B, D;
wolfSSL 13:f67a6c6013ca 952 int res, neg, loop_check = 0;
wolfSSL 13:f67a6c6013ca 953
wolfSSL 13:f67a6c6013ca 954 /* 2. [modified] b must be odd */
wolfSSL 13:f67a6c6013ca 955 if (mp_iseven (b) == MP_YES) {
wolfSSL 13:f67a6c6013ca 956 return MP_VAL;
wolfSSL 13:f67a6c6013ca 957 }
wolfSSL 13:f67a6c6013ca 958
wolfSSL 13:f67a6c6013ca 959 /* init all our temps */
wolfSSL 13:f67a6c6013ca 960 if ((res = mp_init_multi(&x, &y, &u, &v, &B, &D)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 961 return res;
wolfSSL 13:f67a6c6013ca 962 }
wolfSSL 13:f67a6c6013ca 963
wolfSSL 13:f67a6c6013ca 964 /* x == modulus, y == value to invert */
wolfSSL 13:f67a6c6013ca 965 if ((res = mp_copy (b, &x)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 966 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 967 }
wolfSSL 13:f67a6c6013ca 968
wolfSSL 13:f67a6c6013ca 969 /* we need y = |a| */
wolfSSL 13:f67a6c6013ca 970 if ((res = mp_mod (a, b, &y)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 971 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 972 }
wolfSSL 13:f67a6c6013ca 973
wolfSSL 13:f67a6c6013ca 974 /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
wolfSSL 13:f67a6c6013ca 975 if ((res = mp_copy (&x, &u)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 976 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 977 }
wolfSSL 13:f67a6c6013ca 978 if ((res = mp_copy (&y, &v)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 979 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 980 }
wolfSSL 13:f67a6c6013ca 981 if ((res = mp_set (&D, 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 982 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 983 }
wolfSSL 13:f67a6c6013ca 984
wolfSSL 13:f67a6c6013ca 985 top:
wolfSSL 13:f67a6c6013ca 986 /* 4. while u is even do */
wolfSSL 13:f67a6c6013ca 987 while (mp_iseven (&u) == MP_YES) {
wolfSSL 13:f67a6c6013ca 988 /* 4.1 u = u/2 */
wolfSSL 13:f67a6c6013ca 989 if ((res = mp_div_2 (&u, &u)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 990 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 991 }
wolfSSL 13:f67a6c6013ca 992 /* 4.2 if B is odd then */
wolfSSL 13:f67a6c6013ca 993 if (mp_isodd (&B) == MP_YES) {
wolfSSL 13:f67a6c6013ca 994 if ((res = mp_sub (&B, &x, &B)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 995 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 996 }
wolfSSL 13:f67a6c6013ca 997 }
wolfSSL 13:f67a6c6013ca 998 /* B = B/2 */
wolfSSL 13:f67a6c6013ca 999 if ((res = mp_div_2 (&B, &B)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1000 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1001 }
wolfSSL 13:f67a6c6013ca 1002 }
wolfSSL 13:f67a6c6013ca 1003
wolfSSL 13:f67a6c6013ca 1004 /* 5. while v is even do */
wolfSSL 13:f67a6c6013ca 1005 while (mp_iseven (&v) == MP_YES) {
wolfSSL 13:f67a6c6013ca 1006 /* 5.1 v = v/2 */
wolfSSL 13:f67a6c6013ca 1007 if ((res = mp_div_2 (&v, &v)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1008 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1009 }
wolfSSL 13:f67a6c6013ca 1010 /* 5.2 if D is odd then */
wolfSSL 13:f67a6c6013ca 1011 if (mp_isodd (&D) == MP_YES) {
wolfSSL 13:f67a6c6013ca 1012 /* D = (D-x)/2 */
wolfSSL 13:f67a6c6013ca 1013 if ((res = mp_sub (&D, &x, &D)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1014 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1015 }
wolfSSL 13:f67a6c6013ca 1016 }
wolfSSL 13:f67a6c6013ca 1017 /* D = D/2 */
wolfSSL 13:f67a6c6013ca 1018 if ((res = mp_div_2 (&D, &D)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1019 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1020 }
wolfSSL 13:f67a6c6013ca 1021 }
wolfSSL 13:f67a6c6013ca 1022
wolfSSL 13:f67a6c6013ca 1023 /* 6. if u >= v then */
wolfSSL 13:f67a6c6013ca 1024 if (mp_cmp (&u, &v) != MP_LT) {
wolfSSL 13:f67a6c6013ca 1025 /* u = u - v, B = B - D */
wolfSSL 13:f67a6c6013ca 1026 if ((res = mp_sub (&u, &v, &u)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1027 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1028 }
wolfSSL 13:f67a6c6013ca 1029
wolfSSL 13:f67a6c6013ca 1030 if ((res = mp_sub (&B, &D, &B)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1031 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1032 }
wolfSSL 13:f67a6c6013ca 1033 } else {
wolfSSL 13:f67a6c6013ca 1034 /* v - v - u, D = D - B */
wolfSSL 13:f67a6c6013ca 1035 if ((res = mp_sub (&v, &u, &v)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1036 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1037 }
wolfSSL 13:f67a6c6013ca 1038
wolfSSL 13:f67a6c6013ca 1039 if ((res = mp_sub (&D, &B, &D)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1040 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1041 }
wolfSSL 13:f67a6c6013ca 1042 }
wolfSSL 13:f67a6c6013ca 1043
wolfSSL 13:f67a6c6013ca 1044 /* if not zero goto step 4 */
wolfSSL 13:f67a6c6013ca 1045 if (mp_iszero (&u) == MP_NO) {
wolfSSL 13:f67a6c6013ca 1046 if (++loop_check > 4096) {
wolfSSL 13:f67a6c6013ca 1047 res = MP_VAL;
wolfSSL 13:f67a6c6013ca 1048 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1049 }
wolfSSL 13:f67a6c6013ca 1050 goto top;
wolfSSL 13:f67a6c6013ca 1051 }
wolfSSL 13:f67a6c6013ca 1052
wolfSSL 13:f67a6c6013ca 1053 /* now a = C, b = D, gcd == g*v */
wolfSSL 13:f67a6c6013ca 1054
wolfSSL 13:f67a6c6013ca 1055 /* if v != 1 then there is no inverse */
wolfSSL 13:f67a6c6013ca 1056 if (mp_cmp_d (&v, 1) != MP_EQ) {
wolfSSL 13:f67a6c6013ca 1057 res = MP_VAL;
wolfSSL 13:f67a6c6013ca 1058 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1059 }
wolfSSL 13:f67a6c6013ca 1060
wolfSSL 13:f67a6c6013ca 1061 /* b is now the inverse */
wolfSSL 13:f67a6c6013ca 1062 neg = a->sign;
wolfSSL 13:f67a6c6013ca 1063 while (D.sign == MP_NEG) {
wolfSSL 13:f67a6c6013ca 1064 if ((res = mp_add (&D, b, &D)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1065 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1066 }
wolfSSL 13:f67a6c6013ca 1067 }
wolfSSL 13:f67a6c6013ca 1068 /* too big */
wolfSSL 13:f67a6c6013ca 1069 while (mp_cmp_mag(&D, b) != MP_LT) {
wolfSSL 13:f67a6c6013ca 1070 if ((res = mp_sub(&D, b, &D)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1071 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1072 }
wolfSSL 13:f67a6c6013ca 1073 }
wolfSSL 13:f67a6c6013ca 1074 mp_exch (&D, c);
wolfSSL 13:f67a6c6013ca 1075 c->sign = neg;
wolfSSL 13:f67a6c6013ca 1076 res = MP_OKAY;
wolfSSL 13:f67a6c6013ca 1077
wolfSSL 13:f67a6c6013ca 1078 LBL_ERR:mp_clear(&x);
wolfSSL 13:f67a6c6013ca 1079 mp_clear(&y);
wolfSSL 13:f67a6c6013ca 1080 mp_clear(&u);
wolfSSL 13:f67a6c6013ca 1081 mp_clear(&v);
wolfSSL 13:f67a6c6013ca 1082 mp_clear(&B);
wolfSSL 13:f67a6c6013ca 1083 mp_clear(&D);
wolfSSL 13:f67a6c6013ca 1084 return res;
wolfSSL 13:f67a6c6013ca 1085 }
wolfSSL 13:f67a6c6013ca 1086
wolfSSL 13:f67a6c6013ca 1087
wolfSSL 13:f67a6c6013ca 1088 /* hac 14.61, pp608 */
wolfSSL 13:f67a6c6013ca 1089 int mp_invmod_slow (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 1090 {
wolfSSL 13:f67a6c6013ca 1091 mp_int x, y, u, v, A, B, C, D;
wolfSSL 13:f67a6c6013ca 1092 int res;
wolfSSL 13:f67a6c6013ca 1093
wolfSSL 13:f67a6c6013ca 1094 /* b cannot be negative */
wolfSSL 13:f67a6c6013ca 1095 if (b->sign == MP_NEG || mp_iszero(b) == MP_YES) {
wolfSSL 13:f67a6c6013ca 1096 return MP_VAL;
wolfSSL 13:f67a6c6013ca 1097 }
wolfSSL 13:f67a6c6013ca 1098
wolfSSL 13:f67a6c6013ca 1099 /* init temps */
wolfSSL 13:f67a6c6013ca 1100 if ((res = mp_init_multi(&x, &y, &u, &v,
wolfSSL 13:f67a6c6013ca 1101 &A, &B)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1102 return res;
wolfSSL 13:f67a6c6013ca 1103 }
wolfSSL 13:f67a6c6013ca 1104
wolfSSL 13:f67a6c6013ca 1105 /* init rest of tmps temps */
wolfSSL 13:f67a6c6013ca 1106 if ((res = mp_init_multi(&C, &D, 0, 0, 0, 0)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1107 mp_clear(&x);
wolfSSL 13:f67a6c6013ca 1108 mp_clear(&y);
wolfSSL 13:f67a6c6013ca 1109 mp_clear(&u);
wolfSSL 13:f67a6c6013ca 1110 mp_clear(&v);
wolfSSL 13:f67a6c6013ca 1111 mp_clear(&A);
wolfSSL 13:f67a6c6013ca 1112 mp_clear(&B);
wolfSSL 13:f67a6c6013ca 1113 return res;
wolfSSL 13:f67a6c6013ca 1114 }
wolfSSL 13:f67a6c6013ca 1115
wolfSSL 13:f67a6c6013ca 1116 /* x = a, y = b */
wolfSSL 13:f67a6c6013ca 1117 if ((res = mp_mod(a, b, &x)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1118 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1119 }
wolfSSL 13:f67a6c6013ca 1120 if ((res = mp_copy (b, &y)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1121 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1122 }
wolfSSL 13:f67a6c6013ca 1123
wolfSSL 13:f67a6c6013ca 1124 /* 2. [modified] if x,y are both even then return an error! */
wolfSSL 13:f67a6c6013ca 1125 if (mp_iseven (&x) == MP_YES && mp_iseven (&y) == MP_YES) {
wolfSSL 13:f67a6c6013ca 1126 res = MP_VAL;
wolfSSL 13:f67a6c6013ca 1127 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1128 }
wolfSSL 13:f67a6c6013ca 1129
wolfSSL 13:f67a6c6013ca 1130 /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
wolfSSL 13:f67a6c6013ca 1131 if ((res = mp_copy (&x, &u)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1132 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1133 }
wolfSSL 13:f67a6c6013ca 1134 if ((res = mp_copy (&y, &v)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1135 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1136 }
wolfSSL 13:f67a6c6013ca 1137 if ((res = mp_set (&A, 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1138 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1139 }
wolfSSL 13:f67a6c6013ca 1140 if ((res = mp_set (&D, 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1141 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1142 }
wolfSSL 13:f67a6c6013ca 1143
wolfSSL 13:f67a6c6013ca 1144 top:
wolfSSL 13:f67a6c6013ca 1145 /* 4. while u is even do */
wolfSSL 13:f67a6c6013ca 1146 while (mp_iseven (&u) == MP_YES) {
wolfSSL 13:f67a6c6013ca 1147 /* 4.1 u = u/2 */
wolfSSL 13:f67a6c6013ca 1148 if ((res = mp_div_2 (&u, &u)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1149 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1150 }
wolfSSL 13:f67a6c6013ca 1151 /* 4.2 if A or B is odd then */
wolfSSL 13:f67a6c6013ca 1152 if (mp_isodd (&A) == MP_YES || mp_isodd (&B) == MP_YES) {
wolfSSL 13:f67a6c6013ca 1153 /* A = (A+y)/2, B = (B-x)/2 */
wolfSSL 13:f67a6c6013ca 1154 if ((res = mp_add (&A, &y, &A)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1155 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1156 }
wolfSSL 13:f67a6c6013ca 1157 if ((res = mp_sub (&B, &x, &B)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1158 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1159 }
wolfSSL 13:f67a6c6013ca 1160 }
wolfSSL 13:f67a6c6013ca 1161 /* A = A/2, B = B/2 */
wolfSSL 13:f67a6c6013ca 1162 if ((res = mp_div_2 (&A, &A)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1163 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1164 }
wolfSSL 13:f67a6c6013ca 1165 if ((res = mp_div_2 (&B, &B)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1166 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1167 }
wolfSSL 13:f67a6c6013ca 1168 }
wolfSSL 13:f67a6c6013ca 1169
wolfSSL 13:f67a6c6013ca 1170 /* 5. while v is even do */
wolfSSL 13:f67a6c6013ca 1171 while (mp_iseven (&v) == MP_YES) {
wolfSSL 13:f67a6c6013ca 1172 /* 5.1 v = v/2 */
wolfSSL 13:f67a6c6013ca 1173 if ((res = mp_div_2 (&v, &v)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1174 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1175 }
wolfSSL 13:f67a6c6013ca 1176 /* 5.2 if C or D is odd then */
wolfSSL 13:f67a6c6013ca 1177 if (mp_isodd (&C) == MP_YES || mp_isodd (&D) == MP_YES) {
wolfSSL 13:f67a6c6013ca 1178 /* C = (C+y)/2, D = (D-x)/2 */
wolfSSL 13:f67a6c6013ca 1179 if ((res = mp_add (&C, &y, &C)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1180 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1181 }
wolfSSL 13:f67a6c6013ca 1182 if ((res = mp_sub (&D, &x, &D)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1183 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1184 }
wolfSSL 13:f67a6c6013ca 1185 }
wolfSSL 13:f67a6c6013ca 1186 /* C = C/2, D = D/2 */
wolfSSL 13:f67a6c6013ca 1187 if ((res = mp_div_2 (&C, &C)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1188 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1189 }
wolfSSL 13:f67a6c6013ca 1190 if ((res = mp_div_2 (&D, &D)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1191 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1192 }
wolfSSL 13:f67a6c6013ca 1193 }
wolfSSL 13:f67a6c6013ca 1194
wolfSSL 13:f67a6c6013ca 1195 /* 6. if u >= v then */
wolfSSL 13:f67a6c6013ca 1196 if (mp_cmp (&u, &v) != MP_LT) {
wolfSSL 13:f67a6c6013ca 1197 /* u = u - v, A = A - C, B = B - D */
wolfSSL 13:f67a6c6013ca 1198 if ((res = mp_sub (&u, &v, &u)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1199 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1200 }
wolfSSL 13:f67a6c6013ca 1201
wolfSSL 13:f67a6c6013ca 1202 if ((res = mp_sub (&A, &C, &A)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1203 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1204 }
wolfSSL 13:f67a6c6013ca 1205
wolfSSL 13:f67a6c6013ca 1206 if ((res = mp_sub (&B, &D, &B)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1207 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1208 }
wolfSSL 13:f67a6c6013ca 1209 } else {
wolfSSL 13:f67a6c6013ca 1210 /* v - v - u, C = C - A, D = D - B */
wolfSSL 13:f67a6c6013ca 1211 if ((res = mp_sub (&v, &u, &v)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1212 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1213 }
wolfSSL 13:f67a6c6013ca 1214
wolfSSL 13:f67a6c6013ca 1215 if ((res = mp_sub (&C, &A, &C)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1216 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1217 }
wolfSSL 13:f67a6c6013ca 1218
wolfSSL 13:f67a6c6013ca 1219 if ((res = mp_sub (&D, &B, &D)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1220 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1221 }
wolfSSL 13:f67a6c6013ca 1222 }
wolfSSL 13:f67a6c6013ca 1223
wolfSSL 13:f67a6c6013ca 1224 /* if not zero goto step 4 */
wolfSSL 13:f67a6c6013ca 1225 if (mp_iszero (&u) == MP_NO)
wolfSSL 13:f67a6c6013ca 1226 goto top;
wolfSSL 13:f67a6c6013ca 1227
wolfSSL 13:f67a6c6013ca 1228 /* now a = C, b = D, gcd == g*v */
wolfSSL 13:f67a6c6013ca 1229
wolfSSL 13:f67a6c6013ca 1230 /* if v != 1 then there is no inverse */
wolfSSL 13:f67a6c6013ca 1231 if (mp_cmp_d (&v, 1) != MP_EQ) {
wolfSSL 13:f67a6c6013ca 1232 res = MP_VAL;
wolfSSL 13:f67a6c6013ca 1233 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1234 }
wolfSSL 13:f67a6c6013ca 1235
wolfSSL 13:f67a6c6013ca 1236 /* if its too low */
wolfSSL 13:f67a6c6013ca 1237 while (mp_cmp_d(&C, 0) == MP_LT) {
wolfSSL 13:f67a6c6013ca 1238 if ((res = mp_add(&C, b, &C)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1239 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1240 }
wolfSSL 13:f67a6c6013ca 1241 }
wolfSSL 13:f67a6c6013ca 1242
wolfSSL 13:f67a6c6013ca 1243 /* too big */
wolfSSL 13:f67a6c6013ca 1244 while (mp_cmp_mag(&C, b) != MP_LT) {
wolfSSL 13:f67a6c6013ca 1245 if ((res = mp_sub(&C, b, &C)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1246 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1247 }
wolfSSL 13:f67a6c6013ca 1248 }
wolfSSL 13:f67a6c6013ca 1249
wolfSSL 13:f67a6c6013ca 1250 /* C is now the inverse */
wolfSSL 13:f67a6c6013ca 1251 mp_exch (&C, c);
wolfSSL 13:f67a6c6013ca 1252 res = MP_OKAY;
wolfSSL 13:f67a6c6013ca 1253 LBL_ERR:mp_clear(&x);
wolfSSL 13:f67a6c6013ca 1254 mp_clear(&y);
wolfSSL 13:f67a6c6013ca 1255 mp_clear(&u);
wolfSSL 13:f67a6c6013ca 1256 mp_clear(&v);
wolfSSL 13:f67a6c6013ca 1257 mp_clear(&A);
wolfSSL 13:f67a6c6013ca 1258 mp_clear(&B);
wolfSSL 13:f67a6c6013ca 1259 mp_clear(&C);
wolfSSL 13:f67a6c6013ca 1260 mp_clear(&D);
wolfSSL 13:f67a6c6013ca 1261 return res;
wolfSSL 13:f67a6c6013ca 1262 }
wolfSSL 13:f67a6c6013ca 1263
wolfSSL 13:f67a6c6013ca 1264
wolfSSL 13:f67a6c6013ca 1265 /* compare magnitude of two ints (unsigned) */
wolfSSL 13:f67a6c6013ca 1266 int mp_cmp_mag (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 1267 {
wolfSSL 13:f67a6c6013ca 1268 int n;
wolfSSL 13:f67a6c6013ca 1269 mp_digit *tmpa, *tmpb;
wolfSSL 13:f67a6c6013ca 1270
wolfSSL 13:f67a6c6013ca 1271 /* compare based on # of non-zero digits */
wolfSSL 13:f67a6c6013ca 1272 if (a->used > b->used) {
wolfSSL 13:f67a6c6013ca 1273 return MP_GT;
wolfSSL 13:f67a6c6013ca 1274 }
wolfSSL 13:f67a6c6013ca 1275
wolfSSL 13:f67a6c6013ca 1276 if (a->used < b->used) {
wolfSSL 13:f67a6c6013ca 1277 return MP_LT;
wolfSSL 13:f67a6c6013ca 1278 }
wolfSSL 13:f67a6c6013ca 1279
wolfSSL 13:f67a6c6013ca 1280 /* alias for a */
wolfSSL 13:f67a6c6013ca 1281 tmpa = a->dp + (a->used - 1);
wolfSSL 13:f67a6c6013ca 1282
wolfSSL 13:f67a6c6013ca 1283 /* alias for b */
wolfSSL 13:f67a6c6013ca 1284 tmpb = b->dp + (a->used - 1);
wolfSSL 13:f67a6c6013ca 1285
wolfSSL 13:f67a6c6013ca 1286 /* compare based on digits */
wolfSSL 13:f67a6c6013ca 1287 for (n = 0; n < a->used; ++n, --tmpa, --tmpb) {
wolfSSL 13:f67a6c6013ca 1288 if (*tmpa > *tmpb) {
wolfSSL 13:f67a6c6013ca 1289 return MP_GT;
wolfSSL 13:f67a6c6013ca 1290 }
wolfSSL 13:f67a6c6013ca 1291
wolfSSL 13:f67a6c6013ca 1292 if (*tmpa < *tmpb) {
wolfSSL 13:f67a6c6013ca 1293 return MP_LT;
wolfSSL 13:f67a6c6013ca 1294 }
wolfSSL 13:f67a6c6013ca 1295 }
wolfSSL 13:f67a6c6013ca 1296 return MP_EQ;
wolfSSL 13:f67a6c6013ca 1297 }
wolfSSL 13:f67a6c6013ca 1298
wolfSSL 13:f67a6c6013ca 1299
wolfSSL 13:f67a6c6013ca 1300 /* compare two ints (signed)*/
wolfSSL 13:f67a6c6013ca 1301 int mp_cmp (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 1302 {
wolfSSL 13:f67a6c6013ca 1303 /* compare based on sign */
wolfSSL 13:f67a6c6013ca 1304 if (a->sign != b->sign) {
wolfSSL 13:f67a6c6013ca 1305 if (a->sign == MP_NEG) {
wolfSSL 13:f67a6c6013ca 1306 return MP_LT;
wolfSSL 13:f67a6c6013ca 1307 } else {
wolfSSL 13:f67a6c6013ca 1308 return MP_GT;
wolfSSL 13:f67a6c6013ca 1309 }
wolfSSL 13:f67a6c6013ca 1310 }
wolfSSL 13:f67a6c6013ca 1311
wolfSSL 13:f67a6c6013ca 1312 /* compare digits */
wolfSSL 13:f67a6c6013ca 1313 if (a->sign == MP_NEG) {
wolfSSL 13:f67a6c6013ca 1314 /* if negative compare opposite direction */
wolfSSL 13:f67a6c6013ca 1315 return mp_cmp_mag(b, a);
wolfSSL 13:f67a6c6013ca 1316 } else {
wolfSSL 13:f67a6c6013ca 1317 return mp_cmp_mag(a, b);
wolfSSL 13:f67a6c6013ca 1318 }
wolfSSL 13:f67a6c6013ca 1319 }
wolfSSL 13:f67a6c6013ca 1320
wolfSSL 13:f67a6c6013ca 1321
wolfSSL 13:f67a6c6013ca 1322 /* compare a digit */
wolfSSL 13:f67a6c6013ca 1323 int mp_cmp_d(mp_int * a, mp_digit b)
wolfSSL 13:f67a6c6013ca 1324 {
wolfSSL 13:f67a6c6013ca 1325 /* special case for zero*/
wolfSSL 13:f67a6c6013ca 1326 if (a->used == 0 && b == 0)
wolfSSL 13:f67a6c6013ca 1327 return MP_EQ;
wolfSSL 13:f67a6c6013ca 1328
wolfSSL 13:f67a6c6013ca 1329 /* compare based on sign */
wolfSSL 13:f67a6c6013ca 1330 if ((b && a->used == 0) || a->sign == MP_NEG) {
wolfSSL 13:f67a6c6013ca 1331 return MP_LT;
wolfSSL 13:f67a6c6013ca 1332 }
wolfSSL 13:f67a6c6013ca 1333
wolfSSL 13:f67a6c6013ca 1334 /* compare based on magnitude */
wolfSSL 13:f67a6c6013ca 1335 if (a->used > 1) {
wolfSSL 13:f67a6c6013ca 1336 return MP_GT;
wolfSSL 13:f67a6c6013ca 1337 }
wolfSSL 13:f67a6c6013ca 1338
wolfSSL 13:f67a6c6013ca 1339 /* compare the only digit of a to b */
wolfSSL 13:f67a6c6013ca 1340 if (a->dp[0] > b) {
wolfSSL 13:f67a6c6013ca 1341 return MP_GT;
wolfSSL 13:f67a6c6013ca 1342 } else if (a->dp[0] < b) {
wolfSSL 13:f67a6c6013ca 1343 return MP_LT;
wolfSSL 13:f67a6c6013ca 1344 } else {
wolfSSL 13:f67a6c6013ca 1345 return MP_EQ;
wolfSSL 13:f67a6c6013ca 1346 }
wolfSSL 13:f67a6c6013ca 1347 }
wolfSSL 13:f67a6c6013ca 1348
wolfSSL 13:f67a6c6013ca 1349
wolfSSL 13:f67a6c6013ca 1350 /* set to a digit */
wolfSSL 13:f67a6c6013ca 1351 int mp_set (mp_int * a, mp_digit b)
wolfSSL 13:f67a6c6013ca 1352 {
wolfSSL 13:f67a6c6013ca 1353 int res;
wolfSSL 13:f67a6c6013ca 1354 mp_zero (a);
wolfSSL 13:f67a6c6013ca 1355 res = mp_grow (a, 1);
wolfSSL 13:f67a6c6013ca 1356 if (res == MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1357 a->dp[0] = (mp_digit)(b & MP_MASK);
wolfSSL 13:f67a6c6013ca 1358 a->used = (a->dp[0] != 0) ? 1 : 0;
wolfSSL 13:f67a6c6013ca 1359 }
wolfSSL 13:f67a6c6013ca 1360 return res;
wolfSSL 13:f67a6c6013ca 1361 }
wolfSSL 13:f67a6c6013ca 1362
wolfSSL 13:f67a6c6013ca 1363 /* chek if a bit is set */
wolfSSL 13:f67a6c6013ca 1364 int mp_is_bit_set (mp_int *a, mp_digit b)
wolfSSL 13:f67a6c6013ca 1365 {
wolfSSL 13:f67a6c6013ca 1366 if ((mp_digit)a->used < b/DIGIT_BIT)
wolfSSL 13:f67a6c6013ca 1367 return 0;
wolfSSL 13:f67a6c6013ca 1368
wolfSSL 13:f67a6c6013ca 1369 return (int)((a->dp[b/DIGIT_BIT] >> b%DIGIT_BIT) & (mp_digit)1);
wolfSSL 13:f67a6c6013ca 1370 }
wolfSSL 13:f67a6c6013ca 1371
wolfSSL 13:f67a6c6013ca 1372 /* c = a mod b, 0 <= c < b */
wolfSSL 13:f67a6c6013ca 1373 #if defined(FREESCALE_LTC_TFM)
wolfSSL 13:f67a6c6013ca 1374 int wolfcrypt_mp_mod(mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 1375 #else
wolfSSL 13:f67a6c6013ca 1376 int mp_mod (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 1377 #endif
wolfSSL 13:f67a6c6013ca 1378 {
wolfSSL 13:f67a6c6013ca 1379 mp_int t;
wolfSSL 13:f67a6c6013ca 1380 int res;
wolfSSL 13:f67a6c6013ca 1381
wolfSSL 13:f67a6c6013ca 1382 if ((res = mp_init (&t)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1383 return res;
wolfSSL 13:f67a6c6013ca 1384 }
wolfSSL 13:f67a6c6013ca 1385
wolfSSL 13:f67a6c6013ca 1386 if ((res = mp_div (a, b, NULL, &t)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1387 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 1388 return res;
wolfSSL 13:f67a6c6013ca 1389 }
wolfSSL 13:f67a6c6013ca 1390
wolfSSL 13:f67a6c6013ca 1391 if (t.sign != b->sign) {
wolfSSL 13:f67a6c6013ca 1392 res = mp_add (b, &t, c);
wolfSSL 13:f67a6c6013ca 1393 } else {
wolfSSL 13:f67a6c6013ca 1394 res = MP_OKAY;
wolfSSL 13:f67a6c6013ca 1395 mp_exch (&t, c);
wolfSSL 13:f67a6c6013ca 1396 }
wolfSSL 13:f67a6c6013ca 1397
wolfSSL 13:f67a6c6013ca 1398 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 1399 return res;
wolfSSL 13:f67a6c6013ca 1400 }
wolfSSL 13:f67a6c6013ca 1401
wolfSSL 13:f67a6c6013ca 1402
wolfSSL 13:f67a6c6013ca 1403 /* slower bit-bang division... also smaller */
wolfSSL 13:f67a6c6013ca 1404 int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d)
wolfSSL 13:f67a6c6013ca 1405 {
wolfSSL 13:f67a6c6013ca 1406 mp_int ta, tb, tq, q;
wolfSSL 13:f67a6c6013ca 1407 int res, n, n2;
wolfSSL 13:f67a6c6013ca 1408
wolfSSL 13:f67a6c6013ca 1409 /* is divisor zero ? */
wolfSSL 13:f67a6c6013ca 1410 if (mp_iszero (b) == MP_YES) {
wolfSSL 13:f67a6c6013ca 1411 return MP_VAL;
wolfSSL 13:f67a6c6013ca 1412 }
wolfSSL 13:f67a6c6013ca 1413
wolfSSL 13:f67a6c6013ca 1414 /* if a < b then q=0, r = a */
wolfSSL 13:f67a6c6013ca 1415 if (mp_cmp_mag (a, b) == MP_LT) {
wolfSSL 13:f67a6c6013ca 1416 if (d != NULL) {
wolfSSL 13:f67a6c6013ca 1417 res = mp_copy (a, d);
wolfSSL 13:f67a6c6013ca 1418 } else {
wolfSSL 13:f67a6c6013ca 1419 res = MP_OKAY;
wolfSSL 13:f67a6c6013ca 1420 }
wolfSSL 13:f67a6c6013ca 1421 if (c != NULL) {
wolfSSL 13:f67a6c6013ca 1422 mp_zero (c);
wolfSSL 13:f67a6c6013ca 1423 }
wolfSSL 13:f67a6c6013ca 1424 return res;
wolfSSL 13:f67a6c6013ca 1425 }
wolfSSL 13:f67a6c6013ca 1426
wolfSSL 13:f67a6c6013ca 1427 /* init our temps */
wolfSSL 13:f67a6c6013ca 1428 if ((res = mp_init_multi(&ta, &tb, &tq, &q, 0, 0)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1429 return res;
wolfSSL 13:f67a6c6013ca 1430 }
wolfSSL 13:f67a6c6013ca 1431
wolfSSL 13:f67a6c6013ca 1432 if ((res = mp_set(&tq, 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1433 return res;
wolfSSL 13:f67a6c6013ca 1434 }
wolfSSL 13:f67a6c6013ca 1435 n = mp_count_bits(a) - mp_count_bits(b);
wolfSSL 13:f67a6c6013ca 1436 if (((res = mp_abs(a, &ta)) != MP_OKAY) ||
wolfSSL 13:f67a6c6013ca 1437 ((res = mp_abs(b, &tb)) != MP_OKAY) ||
wolfSSL 13:f67a6c6013ca 1438 ((res = mp_mul_2d(&tb, n, &tb)) != MP_OKAY) ||
wolfSSL 13:f67a6c6013ca 1439 ((res = mp_mul_2d(&tq, n, &tq)) != MP_OKAY)) {
wolfSSL 13:f67a6c6013ca 1440 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1441 }
wolfSSL 13:f67a6c6013ca 1442
wolfSSL 13:f67a6c6013ca 1443 while (n-- >= 0) {
wolfSSL 13:f67a6c6013ca 1444 if (mp_cmp(&tb, &ta) != MP_GT) {
wolfSSL 13:f67a6c6013ca 1445 if (((res = mp_sub(&ta, &tb, &ta)) != MP_OKAY) ||
wolfSSL 13:f67a6c6013ca 1446 ((res = mp_add(&q, &tq, &q)) != MP_OKAY)) {
wolfSSL 13:f67a6c6013ca 1447 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1448 }
wolfSSL 13:f67a6c6013ca 1449 }
wolfSSL 13:f67a6c6013ca 1450 if (((res = mp_div_2d(&tb, 1, &tb, NULL)) != MP_OKAY) ||
wolfSSL 13:f67a6c6013ca 1451 ((res = mp_div_2d(&tq, 1, &tq, NULL)) != MP_OKAY)) {
wolfSSL 13:f67a6c6013ca 1452 goto LBL_ERR;
wolfSSL 13:f67a6c6013ca 1453 }
wolfSSL 13:f67a6c6013ca 1454 }
wolfSSL 13:f67a6c6013ca 1455
wolfSSL 13:f67a6c6013ca 1456 /* now q == quotient and ta == remainder */
wolfSSL 13:f67a6c6013ca 1457 n = a->sign;
wolfSSL 13:f67a6c6013ca 1458 n2 = (a->sign == b->sign ? MP_ZPOS : MP_NEG);
wolfSSL 13:f67a6c6013ca 1459 if (c != NULL) {
wolfSSL 13:f67a6c6013ca 1460 mp_exch(c, &q);
wolfSSL 13:f67a6c6013ca 1461 c->sign = (mp_iszero(c) == MP_YES) ? MP_ZPOS : n2;
wolfSSL 13:f67a6c6013ca 1462 }
wolfSSL 13:f67a6c6013ca 1463 if (d != NULL) {
wolfSSL 13:f67a6c6013ca 1464 mp_exch(d, &ta);
wolfSSL 13:f67a6c6013ca 1465 d->sign = (mp_iszero(d) == MP_YES) ? MP_ZPOS : n;
wolfSSL 13:f67a6c6013ca 1466 }
wolfSSL 13:f67a6c6013ca 1467 LBL_ERR:
wolfSSL 13:f67a6c6013ca 1468 mp_clear(&ta);
wolfSSL 13:f67a6c6013ca 1469 mp_clear(&tb);
wolfSSL 13:f67a6c6013ca 1470 mp_clear(&tq);
wolfSSL 13:f67a6c6013ca 1471 mp_clear(&q);
wolfSSL 13:f67a6c6013ca 1472 return res;
wolfSSL 13:f67a6c6013ca 1473 }
wolfSSL 13:f67a6c6013ca 1474
wolfSSL 13:f67a6c6013ca 1475
wolfSSL 13:f67a6c6013ca 1476 /* b = a/2 */
wolfSSL 13:f67a6c6013ca 1477 int mp_div_2(mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 1478 {
wolfSSL 13:f67a6c6013ca 1479 int x, res, oldused;
wolfSSL 13:f67a6c6013ca 1480
wolfSSL 13:f67a6c6013ca 1481 /* copy */
wolfSSL 13:f67a6c6013ca 1482 if (b->alloc < a->used) {
wolfSSL 13:f67a6c6013ca 1483 if ((res = mp_grow (b, a->used)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1484 return res;
wolfSSL 13:f67a6c6013ca 1485 }
wolfSSL 13:f67a6c6013ca 1486 }
wolfSSL 13:f67a6c6013ca 1487
wolfSSL 13:f67a6c6013ca 1488 oldused = b->used;
wolfSSL 13:f67a6c6013ca 1489 b->used = a->used;
wolfSSL 13:f67a6c6013ca 1490 {
wolfSSL 13:f67a6c6013ca 1491 mp_digit r, rr, *tmpa, *tmpb;
wolfSSL 13:f67a6c6013ca 1492
wolfSSL 13:f67a6c6013ca 1493 /* source alias */
wolfSSL 13:f67a6c6013ca 1494 tmpa = a->dp + b->used - 1;
wolfSSL 13:f67a6c6013ca 1495
wolfSSL 13:f67a6c6013ca 1496 /* dest alias */
wolfSSL 13:f67a6c6013ca 1497 tmpb = b->dp + b->used - 1;
wolfSSL 13:f67a6c6013ca 1498
wolfSSL 13:f67a6c6013ca 1499 /* carry */
wolfSSL 13:f67a6c6013ca 1500 r = 0;
wolfSSL 13:f67a6c6013ca 1501 for (x = b->used - 1; x >= 0; x--) {
wolfSSL 13:f67a6c6013ca 1502 /* get the carry for the next iteration */
wolfSSL 13:f67a6c6013ca 1503 rr = *tmpa & 1;
wolfSSL 13:f67a6c6013ca 1504
wolfSSL 13:f67a6c6013ca 1505 /* shift the current digit, add in carry and store */
wolfSSL 13:f67a6c6013ca 1506 *tmpb-- = (*tmpa-- >> 1) | (r << (DIGIT_BIT - 1));
wolfSSL 13:f67a6c6013ca 1507
wolfSSL 13:f67a6c6013ca 1508 /* forward carry to next iteration */
wolfSSL 13:f67a6c6013ca 1509 r = rr;
wolfSSL 13:f67a6c6013ca 1510 }
wolfSSL 13:f67a6c6013ca 1511
wolfSSL 13:f67a6c6013ca 1512 /* zero excess digits */
wolfSSL 13:f67a6c6013ca 1513 tmpb = b->dp + b->used;
wolfSSL 13:f67a6c6013ca 1514 for (x = b->used; x < oldused; x++) {
wolfSSL 13:f67a6c6013ca 1515 *tmpb++ = 0;
wolfSSL 13:f67a6c6013ca 1516 }
wolfSSL 13:f67a6c6013ca 1517 }
wolfSSL 13:f67a6c6013ca 1518 b->sign = a->sign;
wolfSSL 13:f67a6c6013ca 1519 mp_clamp (b);
wolfSSL 13:f67a6c6013ca 1520 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 1521 }
wolfSSL 13:f67a6c6013ca 1522
wolfSSL 13:f67a6c6013ca 1523
wolfSSL 13:f67a6c6013ca 1524 /* high level addition (handles signs) */
wolfSSL 13:f67a6c6013ca 1525 int mp_add (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 1526 {
wolfSSL 13:f67a6c6013ca 1527 int sa, sb, res;
wolfSSL 13:f67a6c6013ca 1528
wolfSSL 13:f67a6c6013ca 1529 /* get sign of both inputs */
wolfSSL 13:f67a6c6013ca 1530 sa = a->sign;
wolfSSL 13:f67a6c6013ca 1531 sb = b->sign;
wolfSSL 13:f67a6c6013ca 1532
wolfSSL 13:f67a6c6013ca 1533 /* handle two cases, not four */
wolfSSL 13:f67a6c6013ca 1534 if (sa == sb) {
wolfSSL 13:f67a6c6013ca 1535 /* both positive or both negative */
wolfSSL 13:f67a6c6013ca 1536 /* add their magnitudes, copy the sign */
wolfSSL 13:f67a6c6013ca 1537 c->sign = sa;
wolfSSL 13:f67a6c6013ca 1538 res = s_mp_add (a, b, c);
wolfSSL 13:f67a6c6013ca 1539 } else {
wolfSSL 13:f67a6c6013ca 1540 /* one positive, the other negative */
wolfSSL 13:f67a6c6013ca 1541 /* subtract the one with the greater magnitude from */
wolfSSL 13:f67a6c6013ca 1542 /* the one of the lesser magnitude. The result gets */
wolfSSL 13:f67a6c6013ca 1543 /* the sign of the one with the greater magnitude. */
wolfSSL 13:f67a6c6013ca 1544 if (mp_cmp_mag (a, b) == MP_LT) {
wolfSSL 13:f67a6c6013ca 1545 c->sign = sb;
wolfSSL 13:f67a6c6013ca 1546 res = s_mp_sub (b, a, c);
wolfSSL 13:f67a6c6013ca 1547 } else {
wolfSSL 13:f67a6c6013ca 1548 c->sign = sa;
wolfSSL 13:f67a6c6013ca 1549 res = s_mp_sub (a, b, c);
wolfSSL 13:f67a6c6013ca 1550 }
wolfSSL 13:f67a6c6013ca 1551 }
wolfSSL 13:f67a6c6013ca 1552 return res;
wolfSSL 13:f67a6c6013ca 1553 }
wolfSSL 13:f67a6c6013ca 1554
wolfSSL 13:f67a6c6013ca 1555
wolfSSL 13:f67a6c6013ca 1556 /* low level addition, based on HAC pp.594, Algorithm 14.7 */
wolfSSL 13:f67a6c6013ca 1557 int s_mp_add (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 1558 {
wolfSSL 13:f67a6c6013ca 1559 mp_int *x;
wolfSSL 13:f67a6c6013ca 1560 int olduse, res, min_ab, max_ab;
wolfSSL 13:f67a6c6013ca 1561
wolfSSL 13:f67a6c6013ca 1562 /* find sizes, we let |a| <= |b| which means we have to sort
wolfSSL 13:f67a6c6013ca 1563 * them. "x" will point to the input with the most digits
wolfSSL 13:f67a6c6013ca 1564 */
wolfSSL 13:f67a6c6013ca 1565 if (a->used > b->used) {
wolfSSL 13:f67a6c6013ca 1566 min_ab = b->used;
wolfSSL 13:f67a6c6013ca 1567 max_ab = a->used;
wolfSSL 13:f67a6c6013ca 1568 x = a;
wolfSSL 13:f67a6c6013ca 1569 } else {
wolfSSL 13:f67a6c6013ca 1570 min_ab = a->used;
wolfSSL 13:f67a6c6013ca 1571 max_ab = b->used;
wolfSSL 13:f67a6c6013ca 1572 x = b;
wolfSSL 13:f67a6c6013ca 1573 }
wolfSSL 13:f67a6c6013ca 1574
wolfSSL 13:f67a6c6013ca 1575 /* init result */
wolfSSL 13:f67a6c6013ca 1576 if (c->alloc < max_ab + 1) {
wolfSSL 13:f67a6c6013ca 1577 if ((res = mp_grow (c, max_ab + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1578 return res;
wolfSSL 13:f67a6c6013ca 1579 }
wolfSSL 13:f67a6c6013ca 1580 }
wolfSSL 13:f67a6c6013ca 1581
wolfSSL 13:f67a6c6013ca 1582 /* get old used digit count and set new one */
wolfSSL 13:f67a6c6013ca 1583 olduse = c->used;
wolfSSL 13:f67a6c6013ca 1584 c->used = max_ab + 1;
wolfSSL 13:f67a6c6013ca 1585
wolfSSL 13:f67a6c6013ca 1586 {
wolfSSL 13:f67a6c6013ca 1587 mp_digit u, *tmpa, *tmpb, *tmpc;
wolfSSL 13:f67a6c6013ca 1588 int i;
wolfSSL 13:f67a6c6013ca 1589
wolfSSL 13:f67a6c6013ca 1590 /* alias for digit pointers */
wolfSSL 13:f67a6c6013ca 1591
wolfSSL 13:f67a6c6013ca 1592 /* first input */
wolfSSL 13:f67a6c6013ca 1593 tmpa = a->dp;
wolfSSL 13:f67a6c6013ca 1594
wolfSSL 13:f67a6c6013ca 1595 /* second input */
wolfSSL 13:f67a6c6013ca 1596 tmpb = b->dp;
wolfSSL 13:f67a6c6013ca 1597
wolfSSL 13:f67a6c6013ca 1598 /* destination */
wolfSSL 13:f67a6c6013ca 1599 tmpc = c->dp;
wolfSSL 13:f67a6c6013ca 1600
wolfSSL 13:f67a6c6013ca 1601 /* zero the carry */
wolfSSL 13:f67a6c6013ca 1602 u = 0;
wolfSSL 13:f67a6c6013ca 1603 for (i = 0; i < min_ab; i++) {
wolfSSL 13:f67a6c6013ca 1604 /* Compute the sum at one digit, T[i] = A[i] + B[i] + U */
wolfSSL 13:f67a6c6013ca 1605 *tmpc = *tmpa++ + *tmpb++ + u;
wolfSSL 13:f67a6c6013ca 1606
wolfSSL 13:f67a6c6013ca 1607 /* U = carry bit of T[i] */
wolfSSL 13:f67a6c6013ca 1608 u = *tmpc >> ((mp_digit)DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 1609
wolfSSL 13:f67a6c6013ca 1610 /* take away carry bit from T[i] */
wolfSSL 13:f67a6c6013ca 1611 *tmpc++ &= MP_MASK;
wolfSSL 13:f67a6c6013ca 1612 }
wolfSSL 13:f67a6c6013ca 1613
wolfSSL 13:f67a6c6013ca 1614 /* now copy higher words if any, that is in A+B
wolfSSL 13:f67a6c6013ca 1615 * if A or B has more digits add those in
wolfSSL 13:f67a6c6013ca 1616 */
wolfSSL 13:f67a6c6013ca 1617 if (min_ab != max_ab) {
wolfSSL 13:f67a6c6013ca 1618 for (; i < max_ab; i++) {
wolfSSL 13:f67a6c6013ca 1619 /* T[i] = X[i] + U */
wolfSSL 13:f67a6c6013ca 1620 *tmpc = x->dp[i] + u;
wolfSSL 13:f67a6c6013ca 1621
wolfSSL 13:f67a6c6013ca 1622 /* U = carry bit of T[i] */
wolfSSL 13:f67a6c6013ca 1623 u = *tmpc >> ((mp_digit)DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 1624
wolfSSL 13:f67a6c6013ca 1625 /* take away carry bit from T[i] */
wolfSSL 13:f67a6c6013ca 1626 *tmpc++ &= MP_MASK;
wolfSSL 13:f67a6c6013ca 1627 }
wolfSSL 13:f67a6c6013ca 1628 }
wolfSSL 13:f67a6c6013ca 1629
wolfSSL 13:f67a6c6013ca 1630 /* add carry */
wolfSSL 13:f67a6c6013ca 1631 *tmpc++ = u;
wolfSSL 13:f67a6c6013ca 1632
wolfSSL 13:f67a6c6013ca 1633 /* clear digits above olduse */
wolfSSL 13:f67a6c6013ca 1634 for (i = c->used; i < olduse; i++) {
wolfSSL 13:f67a6c6013ca 1635 *tmpc++ = 0;
wolfSSL 13:f67a6c6013ca 1636 }
wolfSSL 13:f67a6c6013ca 1637 }
wolfSSL 13:f67a6c6013ca 1638
wolfSSL 13:f67a6c6013ca 1639 mp_clamp (c);
wolfSSL 13:f67a6c6013ca 1640 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 1641 }
wolfSSL 13:f67a6c6013ca 1642
wolfSSL 13:f67a6c6013ca 1643
wolfSSL 13:f67a6c6013ca 1644 /* low level subtraction (assumes |a| > |b|), HAC pp.595 Algorithm 14.9 */
wolfSSL 13:f67a6c6013ca 1645 int s_mp_sub (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 1646 {
wolfSSL 13:f67a6c6013ca 1647 int olduse, res, min_b, max_a;
wolfSSL 13:f67a6c6013ca 1648
wolfSSL 13:f67a6c6013ca 1649 /* find sizes */
wolfSSL 13:f67a6c6013ca 1650 min_b = b->used;
wolfSSL 13:f67a6c6013ca 1651 max_a = a->used;
wolfSSL 13:f67a6c6013ca 1652
wolfSSL 13:f67a6c6013ca 1653 /* init result */
wolfSSL 13:f67a6c6013ca 1654 if (c->alloc < max_a) {
wolfSSL 13:f67a6c6013ca 1655 if ((res = mp_grow (c, max_a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1656 return res;
wolfSSL 13:f67a6c6013ca 1657 }
wolfSSL 13:f67a6c6013ca 1658 }
wolfSSL 13:f67a6c6013ca 1659
wolfSSL 13:f67a6c6013ca 1660 /* sanity check on destination */
wolfSSL 13:f67a6c6013ca 1661 if (c->dp == NULL)
wolfSSL 13:f67a6c6013ca 1662 return MP_VAL;
wolfSSL 13:f67a6c6013ca 1663
wolfSSL 13:f67a6c6013ca 1664 olduse = c->used;
wolfSSL 13:f67a6c6013ca 1665 c->used = max_a;
wolfSSL 13:f67a6c6013ca 1666
wolfSSL 13:f67a6c6013ca 1667 {
wolfSSL 13:f67a6c6013ca 1668 mp_digit u, *tmpa, *tmpb, *tmpc;
wolfSSL 13:f67a6c6013ca 1669 int i;
wolfSSL 13:f67a6c6013ca 1670
wolfSSL 13:f67a6c6013ca 1671 /* alias for digit pointers */
wolfSSL 13:f67a6c6013ca 1672 tmpa = a->dp;
wolfSSL 13:f67a6c6013ca 1673 tmpb = b->dp;
wolfSSL 13:f67a6c6013ca 1674 tmpc = c->dp;
wolfSSL 13:f67a6c6013ca 1675
wolfSSL 13:f67a6c6013ca 1676 /* set carry to zero */
wolfSSL 13:f67a6c6013ca 1677 u = 0;
wolfSSL 13:f67a6c6013ca 1678 for (i = 0; i < min_b; i++) {
wolfSSL 13:f67a6c6013ca 1679 /* T[i] = A[i] - B[i] - U */
wolfSSL 13:f67a6c6013ca 1680 *tmpc = *tmpa++ - *tmpb++ - u;
wolfSSL 13:f67a6c6013ca 1681
wolfSSL 13:f67a6c6013ca 1682 /* U = carry bit of T[i]
wolfSSL 13:f67a6c6013ca 1683 * Note this saves performing an AND operation since
wolfSSL 13:f67a6c6013ca 1684 * if a carry does occur it will propagate all the way to the
wolfSSL 13:f67a6c6013ca 1685 * MSB. As a result a single shift is enough to get the carry
wolfSSL 13:f67a6c6013ca 1686 */
wolfSSL 13:f67a6c6013ca 1687 u = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof (mp_digit) - 1));
wolfSSL 13:f67a6c6013ca 1688
wolfSSL 13:f67a6c6013ca 1689 /* Clear carry from T[i] */
wolfSSL 13:f67a6c6013ca 1690 *tmpc++ &= MP_MASK;
wolfSSL 13:f67a6c6013ca 1691 }
wolfSSL 13:f67a6c6013ca 1692
wolfSSL 13:f67a6c6013ca 1693 /* now copy higher words if any, e.g. if A has more digits than B */
wolfSSL 13:f67a6c6013ca 1694 for (; i < max_a; i++) {
wolfSSL 13:f67a6c6013ca 1695 /* T[i] = A[i] - U */
wolfSSL 13:f67a6c6013ca 1696 *tmpc = *tmpa++ - u;
wolfSSL 13:f67a6c6013ca 1697
wolfSSL 13:f67a6c6013ca 1698 /* U = carry bit of T[i] */
wolfSSL 13:f67a6c6013ca 1699 u = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof (mp_digit) - 1));
wolfSSL 13:f67a6c6013ca 1700
wolfSSL 13:f67a6c6013ca 1701 /* Clear carry from T[i] */
wolfSSL 13:f67a6c6013ca 1702 *tmpc++ &= MP_MASK;
wolfSSL 13:f67a6c6013ca 1703 }
wolfSSL 13:f67a6c6013ca 1704
wolfSSL 13:f67a6c6013ca 1705 /* clear digits above used (since we may not have grown result above) */
wolfSSL 13:f67a6c6013ca 1706 for (i = c->used; i < olduse; i++) {
wolfSSL 13:f67a6c6013ca 1707 *tmpc++ = 0;
wolfSSL 13:f67a6c6013ca 1708 }
wolfSSL 13:f67a6c6013ca 1709 }
wolfSSL 13:f67a6c6013ca 1710
wolfSSL 13:f67a6c6013ca 1711 mp_clamp (c);
wolfSSL 13:f67a6c6013ca 1712 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 1713 }
wolfSSL 13:f67a6c6013ca 1714
wolfSSL 13:f67a6c6013ca 1715
wolfSSL 13:f67a6c6013ca 1716 /* high level subtraction (handles signs) */
wolfSSL 13:f67a6c6013ca 1717 int mp_sub (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 1718 {
wolfSSL 13:f67a6c6013ca 1719 int sa, sb, res;
wolfSSL 13:f67a6c6013ca 1720
wolfSSL 13:f67a6c6013ca 1721 sa = a->sign;
wolfSSL 13:f67a6c6013ca 1722 sb = b->sign;
wolfSSL 13:f67a6c6013ca 1723
wolfSSL 13:f67a6c6013ca 1724 if (sa != sb) {
wolfSSL 13:f67a6c6013ca 1725 /* subtract a negative from a positive, OR */
wolfSSL 13:f67a6c6013ca 1726 /* subtract a positive from a negative. */
wolfSSL 13:f67a6c6013ca 1727 /* In either case, ADD their magnitudes, */
wolfSSL 13:f67a6c6013ca 1728 /* and use the sign of the first number. */
wolfSSL 13:f67a6c6013ca 1729 c->sign = sa;
wolfSSL 13:f67a6c6013ca 1730 res = s_mp_add (a, b, c);
wolfSSL 13:f67a6c6013ca 1731 } else {
wolfSSL 13:f67a6c6013ca 1732 /* subtract a positive from a positive, OR */
wolfSSL 13:f67a6c6013ca 1733 /* subtract a negative from a negative. */
wolfSSL 13:f67a6c6013ca 1734 /* First, take the difference between their */
wolfSSL 13:f67a6c6013ca 1735 /* magnitudes, then... */
wolfSSL 13:f67a6c6013ca 1736 if (mp_cmp_mag (a, b) != MP_LT) {
wolfSSL 13:f67a6c6013ca 1737 /* Copy the sign from the first */
wolfSSL 13:f67a6c6013ca 1738 c->sign = sa;
wolfSSL 13:f67a6c6013ca 1739 /* The first has a larger or equal magnitude */
wolfSSL 13:f67a6c6013ca 1740 res = s_mp_sub (a, b, c);
wolfSSL 13:f67a6c6013ca 1741 } else {
wolfSSL 13:f67a6c6013ca 1742 /* The result has the *opposite* sign from */
wolfSSL 13:f67a6c6013ca 1743 /* the first number. */
wolfSSL 13:f67a6c6013ca 1744 c->sign = (sa == MP_ZPOS) ? MP_NEG : MP_ZPOS;
wolfSSL 13:f67a6c6013ca 1745 /* The second has a larger magnitude */
wolfSSL 13:f67a6c6013ca 1746 res = s_mp_sub (b, a, c);
wolfSSL 13:f67a6c6013ca 1747 }
wolfSSL 13:f67a6c6013ca 1748 }
wolfSSL 13:f67a6c6013ca 1749 return res;
wolfSSL 13:f67a6c6013ca 1750 }
wolfSSL 13:f67a6c6013ca 1751
wolfSSL 13:f67a6c6013ca 1752
wolfSSL 13:f67a6c6013ca 1753 /* determines if reduce_2k_l can be used */
wolfSSL 13:f67a6c6013ca 1754 int mp_reduce_is_2k_l(mp_int *a)
wolfSSL 13:f67a6c6013ca 1755 {
wolfSSL 13:f67a6c6013ca 1756 int ix, iy;
wolfSSL 13:f67a6c6013ca 1757
wolfSSL 13:f67a6c6013ca 1758 if (a->used == 0) {
wolfSSL 13:f67a6c6013ca 1759 return MP_NO;
wolfSSL 13:f67a6c6013ca 1760 } else if (a->used == 1) {
wolfSSL 13:f67a6c6013ca 1761 return MP_YES;
wolfSSL 13:f67a6c6013ca 1762 } else if (a->used > 1) {
wolfSSL 13:f67a6c6013ca 1763 /* if more than half of the digits are -1 we're sold */
wolfSSL 13:f67a6c6013ca 1764 for (iy = ix = 0; ix < a->used; ix++) {
wolfSSL 13:f67a6c6013ca 1765 if (a->dp[ix] == MP_MASK) {
wolfSSL 13:f67a6c6013ca 1766 ++iy;
wolfSSL 13:f67a6c6013ca 1767 }
wolfSSL 13:f67a6c6013ca 1768 }
wolfSSL 13:f67a6c6013ca 1769 return (iy >= (a->used/2)) ? MP_YES : MP_NO;
wolfSSL 13:f67a6c6013ca 1770
wolfSSL 13:f67a6c6013ca 1771 }
wolfSSL 13:f67a6c6013ca 1772 return MP_NO;
wolfSSL 13:f67a6c6013ca 1773 }
wolfSSL 13:f67a6c6013ca 1774
wolfSSL 13:f67a6c6013ca 1775
wolfSSL 13:f67a6c6013ca 1776 /* determines if mp_reduce_2k can be used */
wolfSSL 13:f67a6c6013ca 1777 int mp_reduce_is_2k(mp_int *a)
wolfSSL 13:f67a6c6013ca 1778 {
wolfSSL 13:f67a6c6013ca 1779 int ix, iy, iw;
wolfSSL 13:f67a6c6013ca 1780 mp_digit iz;
wolfSSL 13:f67a6c6013ca 1781
wolfSSL 13:f67a6c6013ca 1782 if (a->used == 0) {
wolfSSL 13:f67a6c6013ca 1783 return MP_NO;
wolfSSL 13:f67a6c6013ca 1784 } else if (a->used == 1) {
wolfSSL 13:f67a6c6013ca 1785 return MP_YES;
wolfSSL 13:f67a6c6013ca 1786 } else if (a->used > 1) {
wolfSSL 13:f67a6c6013ca 1787 iy = mp_count_bits(a);
wolfSSL 13:f67a6c6013ca 1788 iz = 1;
wolfSSL 13:f67a6c6013ca 1789 iw = 1;
wolfSSL 13:f67a6c6013ca 1790
wolfSSL 13:f67a6c6013ca 1791 /* Test every bit from the second digit up, must be 1 */
wolfSSL 13:f67a6c6013ca 1792 for (ix = DIGIT_BIT; ix < iy; ix++) {
wolfSSL 13:f67a6c6013ca 1793 if ((a->dp[iw] & iz) == 0) {
wolfSSL 13:f67a6c6013ca 1794 return MP_NO;
wolfSSL 13:f67a6c6013ca 1795 }
wolfSSL 13:f67a6c6013ca 1796 iz <<= 1;
wolfSSL 13:f67a6c6013ca 1797 if (iz > (mp_digit)MP_MASK) {
wolfSSL 13:f67a6c6013ca 1798 ++iw;
wolfSSL 13:f67a6c6013ca 1799 iz = 1;
wolfSSL 13:f67a6c6013ca 1800 }
wolfSSL 13:f67a6c6013ca 1801 }
wolfSSL 13:f67a6c6013ca 1802 }
wolfSSL 13:f67a6c6013ca 1803 return MP_YES;
wolfSSL 13:f67a6c6013ca 1804 }
wolfSSL 13:f67a6c6013ca 1805
wolfSSL 13:f67a6c6013ca 1806
wolfSSL 13:f67a6c6013ca 1807 /* determines if a number is a valid DR modulus */
wolfSSL 13:f67a6c6013ca 1808 int mp_dr_is_modulus(mp_int *a)
wolfSSL 13:f67a6c6013ca 1809 {
wolfSSL 13:f67a6c6013ca 1810 int ix;
wolfSSL 13:f67a6c6013ca 1811
wolfSSL 13:f67a6c6013ca 1812 /* must be at least two digits */
wolfSSL 13:f67a6c6013ca 1813 if (a->used < 2) {
wolfSSL 13:f67a6c6013ca 1814 return 0;
wolfSSL 13:f67a6c6013ca 1815 }
wolfSSL 13:f67a6c6013ca 1816
wolfSSL 13:f67a6c6013ca 1817 /* must be of the form b**k - a [a <= b] so all
wolfSSL 13:f67a6c6013ca 1818 * but the first digit must be equal to -1 (mod b).
wolfSSL 13:f67a6c6013ca 1819 */
wolfSSL 13:f67a6c6013ca 1820 for (ix = 1; ix < a->used; ix++) {
wolfSSL 13:f67a6c6013ca 1821 if (a->dp[ix] != MP_MASK) {
wolfSSL 13:f67a6c6013ca 1822 return 0;
wolfSSL 13:f67a6c6013ca 1823 }
wolfSSL 13:f67a6c6013ca 1824 }
wolfSSL 13:f67a6c6013ca 1825 return 1;
wolfSSL 13:f67a6c6013ca 1826 }
wolfSSL 13:f67a6c6013ca 1827
wolfSSL 13:f67a6c6013ca 1828
wolfSSL 13:f67a6c6013ca 1829 /* computes Y == G**X mod P, HAC pp.616, Algorithm 14.85
wolfSSL 13:f67a6c6013ca 1830 *
wolfSSL 13:f67a6c6013ca 1831 * Uses a left-to-right k-ary sliding window to compute the modular
wolfSSL 13:f67a6c6013ca 1832 * exponentiation.
wolfSSL 13:f67a6c6013ca 1833 * The value of k changes based on the size of the exponent.
wolfSSL 13:f67a6c6013ca 1834 *
wolfSSL 13:f67a6c6013ca 1835 * Uses Montgomery or Diminished Radix reduction [whichever appropriate]
wolfSSL 13:f67a6c6013ca 1836 */
wolfSSL 13:f67a6c6013ca 1837
wolfSSL 13:f67a6c6013ca 1838 #ifdef MP_LOW_MEM
wolfSSL 13:f67a6c6013ca 1839 #define TAB_SIZE 32
wolfSSL 13:f67a6c6013ca 1840 #else
wolfSSL 13:f67a6c6013ca 1841 #define TAB_SIZE 256
wolfSSL 13:f67a6c6013ca 1842 #endif
wolfSSL 13:f67a6c6013ca 1843
wolfSSL 13:f67a6c6013ca 1844 int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
wolfSSL 13:f67a6c6013ca 1845 int redmode)
wolfSSL 13:f67a6c6013ca 1846 {
wolfSSL 13:f67a6c6013ca 1847 mp_int res;
wolfSSL 13:f67a6c6013ca 1848 mp_digit buf, mp;
wolfSSL 13:f67a6c6013ca 1849 int err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
wolfSSL 13:f67a6c6013ca 1850 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 1851 mp_int* M = NULL;
wolfSSL 13:f67a6c6013ca 1852 #else
wolfSSL 13:f67a6c6013ca 1853 mp_int M[TAB_SIZE];
wolfSSL 13:f67a6c6013ca 1854 #endif
wolfSSL 13:f67a6c6013ca 1855 /* use a pointer to the reduction algorithm. This allows us to use
wolfSSL 13:f67a6c6013ca 1856 * one of many reduction algorithms without modding the guts of
wolfSSL 13:f67a6c6013ca 1857 * the code with if statements everywhere.
wolfSSL 13:f67a6c6013ca 1858 */
wolfSSL 13:f67a6c6013ca 1859 int (*redux)(mp_int*,mp_int*,mp_digit);
wolfSSL 13:f67a6c6013ca 1860
wolfSSL 13:f67a6c6013ca 1861 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 1862 M = (mp_int*) XMALLOC(sizeof(mp_int) * TAB_SIZE, NULL,
wolfSSL 13:f67a6c6013ca 1863 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:f67a6c6013ca 1864 if (M == NULL)
wolfSSL 13:f67a6c6013ca 1865 return MP_MEM;
wolfSSL 13:f67a6c6013ca 1866 #endif
wolfSSL 13:f67a6c6013ca 1867
wolfSSL 13:f67a6c6013ca 1868 /* find window size */
wolfSSL 13:f67a6c6013ca 1869 x = mp_count_bits (X);
wolfSSL 13:f67a6c6013ca 1870 if (x <= 7) {
wolfSSL 13:f67a6c6013ca 1871 winsize = 2;
wolfSSL 13:f67a6c6013ca 1872 } else if (x <= 36) {
wolfSSL 13:f67a6c6013ca 1873 winsize = 3;
wolfSSL 13:f67a6c6013ca 1874 } else if (x <= 140) {
wolfSSL 13:f67a6c6013ca 1875 winsize = 4;
wolfSSL 13:f67a6c6013ca 1876 } else if (x <= 450) {
wolfSSL 13:f67a6c6013ca 1877 winsize = 5;
wolfSSL 13:f67a6c6013ca 1878 } else if (x <= 1303) {
wolfSSL 13:f67a6c6013ca 1879 winsize = 6;
wolfSSL 13:f67a6c6013ca 1880 } else if (x <= 3529) {
wolfSSL 13:f67a6c6013ca 1881 winsize = 7;
wolfSSL 13:f67a6c6013ca 1882 } else {
wolfSSL 13:f67a6c6013ca 1883 winsize = 8;
wolfSSL 13:f67a6c6013ca 1884 }
wolfSSL 13:f67a6c6013ca 1885
wolfSSL 13:f67a6c6013ca 1886 #ifdef MP_LOW_MEM
wolfSSL 13:f67a6c6013ca 1887 if (winsize > 5) {
wolfSSL 13:f67a6c6013ca 1888 winsize = 5;
wolfSSL 13:f67a6c6013ca 1889 }
wolfSSL 13:f67a6c6013ca 1890 #endif
wolfSSL 13:f67a6c6013ca 1891
wolfSSL 13:f67a6c6013ca 1892 /* init M array */
wolfSSL 13:f67a6c6013ca 1893 /* init first cell */
wolfSSL 13:f67a6c6013ca 1894 if ((err = mp_init(&M[1])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1895 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 1896 XFREE(M, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:f67a6c6013ca 1897 #endif
wolfSSL 13:f67a6c6013ca 1898
wolfSSL 13:f67a6c6013ca 1899 return err;
wolfSSL 13:f67a6c6013ca 1900 }
wolfSSL 13:f67a6c6013ca 1901
wolfSSL 13:f67a6c6013ca 1902 /* now init the second half of the array */
wolfSSL 13:f67a6c6013ca 1903 for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
wolfSSL 13:f67a6c6013ca 1904 if ((err = mp_init(&M[x])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1905 for (y = 1<<(winsize-1); y < x; y++) {
wolfSSL 13:f67a6c6013ca 1906 mp_clear (&M[y]);
wolfSSL 13:f67a6c6013ca 1907 }
wolfSSL 13:f67a6c6013ca 1908 mp_clear(&M[1]);
wolfSSL 13:f67a6c6013ca 1909
wolfSSL 13:f67a6c6013ca 1910 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 1911 XFREE(M, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:f67a6c6013ca 1912 #endif
wolfSSL 13:f67a6c6013ca 1913
wolfSSL 13:f67a6c6013ca 1914 return err;
wolfSSL 13:f67a6c6013ca 1915 }
wolfSSL 13:f67a6c6013ca 1916 }
wolfSSL 13:f67a6c6013ca 1917
wolfSSL 13:f67a6c6013ca 1918 /* determine and setup reduction code */
wolfSSL 13:f67a6c6013ca 1919 if (redmode == 0) {
wolfSSL 13:f67a6c6013ca 1920 #ifdef BN_MP_MONTGOMERY_SETUP_C
wolfSSL 13:f67a6c6013ca 1921 /* now setup montgomery */
wolfSSL 13:f67a6c6013ca 1922 if ((err = mp_montgomery_setup (P, &mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1923 goto LBL_M;
wolfSSL 13:f67a6c6013ca 1924 }
wolfSSL 13:f67a6c6013ca 1925 #else
wolfSSL 13:f67a6c6013ca 1926 err = MP_VAL;
wolfSSL 13:f67a6c6013ca 1927 goto LBL_M;
wolfSSL 13:f67a6c6013ca 1928 #endif
wolfSSL 13:f67a6c6013ca 1929
wolfSSL 13:f67a6c6013ca 1930 /* automatically pick the comba one if available (saves quite a few
wolfSSL 13:f67a6c6013ca 1931 calls/ifs) */
wolfSSL 13:f67a6c6013ca 1932 #ifdef BN_FAST_MP_MONTGOMERY_REDUCE_C
wolfSSL 13:f67a6c6013ca 1933 if (((P->used * 2 + 1) < MP_WARRAY) &&
wolfSSL 13:f67a6c6013ca 1934 P->used < (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
wolfSSL 13:f67a6c6013ca 1935 redux = fast_mp_montgomery_reduce;
wolfSSL 13:f67a6c6013ca 1936 } else
wolfSSL 13:f67a6c6013ca 1937 #endif
wolfSSL 13:f67a6c6013ca 1938 {
wolfSSL 13:f67a6c6013ca 1939 #ifdef BN_MP_MONTGOMERY_REDUCE_C
wolfSSL 13:f67a6c6013ca 1940 /* use slower baseline Montgomery method */
wolfSSL 13:f67a6c6013ca 1941 redux = mp_montgomery_reduce;
wolfSSL 13:f67a6c6013ca 1942 #else
wolfSSL 13:f67a6c6013ca 1943 err = MP_VAL;
wolfSSL 13:f67a6c6013ca 1944 goto LBL_M;
wolfSSL 13:f67a6c6013ca 1945 #endif
wolfSSL 13:f67a6c6013ca 1946 }
wolfSSL 13:f67a6c6013ca 1947 } else if (redmode == 1) {
wolfSSL 13:f67a6c6013ca 1948 #if defined(BN_MP_DR_SETUP_C) && defined(BN_MP_DR_REDUCE_C)
wolfSSL 13:f67a6c6013ca 1949 /* setup DR reduction for moduli of the form B**k - b */
wolfSSL 13:f67a6c6013ca 1950 mp_dr_setup(P, &mp);
wolfSSL 13:f67a6c6013ca 1951 redux = mp_dr_reduce;
wolfSSL 13:f67a6c6013ca 1952 #else
wolfSSL 13:f67a6c6013ca 1953 err = MP_VAL;
wolfSSL 13:f67a6c6013ca 1954 goto LBL_M;
wolfSSL 13:f67a6c6013ca 1955 #endif
wolfSSL 13:f67a6c6013ca 1956 } else {
wolfSSL 13:f67a6c6013ca 1957 #if defined(BN_MP_REDUCE_2K_SETUP_C) && defined(BN_MP_REDUCE_2K_C)
wolfSSL 13:f67a6c6013ca 1958 /* setup DR reduction for moduli of the form 2**k - b */
wolfSSL 13:f67a6c6013ca 1959 if ((err = mp_reduce_2k_setup(P, &mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1960 goto LBL_M;
wolfSSL 13:f67a6c6013ca 1961 }
wolfSSL 13:f67a6c6013ca 1962 redux = mp_reduce_2k;
wolfSSL 13:f67a6c6013ca 1963 #else
wolfSSL 13:f67a6c6013ca 1964 err = MP_VAL;
wolfSSL 13:f67a6c6013ca 1965 goto LBL_M;
wolfSSL 13:f67a6c6013ca 1966 #endif
wolfSSL 13:f67a6c6013ca 1967 }
wolfSSL 13:f67a6c6013ca 1968
wolfSSL 13:f67a6c6013ca 1969 /* setup result */
wolfSSL 13:f67a6c6013ca 1970 if ((err = mp_init (&res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1971 goto LBL_M;
wolfSSL 13:f67a6c6013ca 1972 }
wolfSSL 13:f67a6c6013ca 1973
wolfSSL 13:f67a6c6013ca 1974 /* create M table
wolfSSL 13:f67a6c6013ca 1975 *
wolfSSL 13:f67a6c6013ca 1976
wolfSSL 13:f67a6c6013ca 1977 *
wolfSSL 13:f67a6c6013ca 1978 * The first half of the table is not computed though accept for M[0] and M[1]
wolfSSL 13:f67a6c6013ca 1979 */
wolfSSL 13:f67a6c6013ca 1980
wolfSSL 13:f67a6c6013ca 1981 if (redmode == 0) {
wolfSSL 13:f67a6c6013ca 1982 #ifdef BN_MP_MONTGOMERY_CALC_NORMALIZATION_C
wolfSSL 13:f67a6c6013ca 1983 /* now we need R mod m */
wolfSSL 13:f67a6c6013ca 1984 if ((err = mp_montgomery_calc_normalization (&res, P)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1985 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 1986 }
wolfSSL 13:f67a6c6013ca 1987 #else
wolfSSL 13:f67a6c6013ca 1988 err = MP_VAL;
wolfSSL 13:f67a6c6013ca 1989 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 1990 #endif
wolfSSL 13:f67a6c6013ca 1991
wolfSSL 13:f67a6c6013ca 1992 /* now set M[1] to G * R mod m */
wolfSSL 13:f67a6c6013ca 1993 if ((err = mp_mulmod (G, &res, P, &M[1])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1994 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 1995 }
wolfSSL 13:f67a6c6013ca 1996 } else {
wolfSSL 13:f67a6c6013ca 1997 if ((err = mp_set(&res, 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1998 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 1999 }
wolfSSL 13:f67a6c6013ca 2000 if ((err = mp_mod(G, P, &M[1])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2001 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2002 }
wolfSSL 13:f67a6c6013ca 2003 }
wolfSSL 13:f67a6c6013ca 2004
wolfSSL 13:f67a6c6013ca 2005 /* compute the value at M[1<<(winsize-1)] by squaring M[1] (winsize-1) times*/
wolfSSL 13:f67a6c6013ca 2006 if ((err = mp_copy (&M[1], &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2007 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2008 }
wolfSSL 13:f67a6c6013ca 2009
wolfSSL 13:f67a6c6013ca 2010 for (x = 0; x < (winsize - 1); x++) {
wolfSSL 13:f67a6c6013ca 2011 if ((err = mp_sqr (&M[(mp_digit)(1 << (winsize - 1))],
wolfSSL 13:f67a6c6013ca 2012 &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2013 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2014 }
wolfSSL 13:f67a6c6013ca 2015 if ((err = redux (&M[(mp_digit)(1 << (winsize - 1))], P, mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2016 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2017 }
wolfSSL 13:f67a6c6013ca 2018 }
wolfSSL 13:f67a6c6013ca 2019
wolfSSL 13:f67a6c6013ca 2020 /* create upper table */
wolfSSL 13:f67a6c6013ca 2021 for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
wolfSSL 13:f67a6c6013ca 2022 if ((err = mp_mul (&M[x - 1], &M[1], &M[x])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2023 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2024 }
wolfSSL 13:f67a6c6013ca 2025 if ((err = redux (&M[x], P, mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2026 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2027 }
wolfSSL 13:f67a6c6013ca 2028 }
wolfSSL 13:f67a6c6013ca 2029
wolfSSL 13:f67a6c6013ca 2030 /* set initial mode and bit cnt */
wolfSSL 13:f67a6c6013ca 2031 mode = 0;
wolfSSL 13:f67a6c6013ca 2032 bitcnt = 1;
wolfSSL 13:f67a6c6013ca 2033 buf = 0;
wolfSSL 13:f67a6c6013ca 2034 digidx = X->used - 1;
wolfSSL 13:f67a6c6013ca 2035 bitcpy = 0;
wolfSSL 13:f67a6c6013ca 2036 bitbuf = 0;
wolfSSL 13:f67a6c6013ca 2037
wolfSSL 13:f67a6c6013ca 2038 for (;;) {
wolfSSL 13:f67a6c6013ca 2039 /* grab next digit as required */
wolfSSL 13:f67a6c6013ca 2040 if (--bitcnt == 0) {
wolfSSL 13:f67a6c6013ca 2041 /* if digidx == -1 we are out of digits so break */
wolfSSL 13:f67a6c6013ca 2042 if (digidx == -1) {
wolfSSL 13:f67a6c6013ca 2043 break;
wolfSSL 13:f67a6c6013ca 2044 }
wolfSSL 13:f67a6c6013ca 2045 /* read next digit and reset bitcnt */
wolfSSL 13:f67a6c6013ca 2046 buf = X->dp[digidx--];
wolfSSL 13:f67a6c6013ca 2047 bitcnt = (int)DIGIT_BIT;
wolfSSL 13:f67a6c6013ca 2048 }
wolfSSL 13:f67a6c6013ca 2049
wolfSSL 13:f67a6c6013ca 2050 /* grab the next msb from the exponent */
wolfSSL 13:f67a6c6013ca 2051 y = (int)(buf >> (DIGIT_BIT - 1)) & 1;
wolfSSL 13:f67a6c6013ca 2052 buf <<= (mp_digit)1;
wolfSSL 13:f67a6c6013ca 2053
wolfSSL 13:f67a6c6013ca 2054 /* if the bit is zero and mode == 0 then we ignore it
wolfSSL 13:f67a6c6013ca 2055 * These represent the leading zero bits before the first 1 bit
wolfSSL 13:f67a6c6013ca 2056 * in the exponent. Technically this opt is not required but it
wolfSSL 13:f67a6c6013ca 2057 * does lower the # of trivial squaring/reductions used
wolfSSL 13:f67a6c6013ca 2058 */
wolfSSL 13:f67a6c6013ca 2059 if (mode == 0 && y == 0) {
wolfSSL 13:f67a6c6013ca 2060 continue;
wolfSSL 13:f67a6c6013ca 2061 }
wolfSSL 13:f67a6c6013ca 2062
wolfSSL 13:f67a6c6013ca 2063 /* if the bit is zero and mode == 1 then we square */
wolfSSL 13:f67a6c6013ca 2064 if (mode == 1 && y == 0) {
wolfSSL 13:f67a6c6013ca 2065 if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2066 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2067 }
wolfSSL 13:f67a6c6013ca 2068 if ((err = redux (&res, P, mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2069 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2070 }
wolfSSL 13:f67a6c6013ca 2071 continue;
wolfSSL 13:f67a6c6013ca 2072 }
wolfSSL 13:f67a6c6013ca 2073
wolfSSL 13:f67a6c6013ca 2074 /* else we add it to the window */
wolfSSL 13:f67a6c6013ca 2075 bitbuf |= (y << (winsize - ++bitcpy));
wolfSSL 13:f67a6c6013ca 2076 mode = 2;
wolfSSL 13:f67a6c6013ca 2077
wolfSSL 13:f67a6c6013ca 2078 if (bitcpy == winsize) {
wolfSSL 13:f67a6c6013ca 2079 /* ok window is filled so square as required and multiply */
wolfSSL 13:f67a6c6013ca 2080 /* square first */
wolfSSL 13:f67a6c6013ca 2081 for (x = 0; x < winsize; x++) {
wolfSSL 13:f67a6c6013ca 2082 if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2083 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2084 }
wolfSSL 13:f67a6c6013ca 2085 if ((err = redux (&res, P, mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2086 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2087 }
wolfSSL 13:f67a6c6013ca 2088 }
wolfSSL 13:f67a6c6013ca 2089
wolfSSL 13:f67a6c6013ca 2090 /* then multiply */
wolfSSL 13:f67a6c6013ca 2091 if ((err = mp_mul (&res, &M[bitbuf], &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2092 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2093 }
wolfSSL 13:f67a6c6013ca 2094 if ((err = redux (&res, P, mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2095 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2096 }
wolfSSL 13:f67a6c6013ca 2097
wolfSSL 13:f67a6c6013ca 2098 /* empty window and reset */
wolfSSL 13:f67a6c6013ca 2099 bitcpy = 0;
wolfSSL 13:f67a6c6013ca 2100 bitbuf = 0;
wolfSSL 13:f67a6c6013ca 2101 mode = 1;
wolfSSL 13:f67a6c6013ca 2102 }
wolfSSL 13:f67a6c6013ca 2103 }
wolfSSL 13:f67a6c6013ca 2104
wolfSSL 13:f67a6c6013ca 2105 /* if bits remain then square/multiply */
wolfSSL 13:f67a6c6013ca 2106 if (mode == 2 && bitcpy > 0) {
wolfSSL 13:f67a6c6013ca 2107 /* square then multiply if the bit is set */
wolfSSL 13:f67a6c6013ca 2108 for (x = 0; x < bitcpy; x++) {
wolfSSL 13:f67a6c6013ca 2109 if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2110 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2111 }
wolfSSL 13:f67a6c6013ca 2112 if ((err = redux (&res, P, mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2113 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2114 }
wolfSSL 13:f67a6c6013ca 2115
wolfSSL 13:f67a6c6013ca 2116 /* get next bit of the window */
wolfSSL 13:f67a6c6013ca 2117 bitbuf <<= 1;
wolfSSL 13:f67a6c6013ca 2118 if ((bitbuf & (1 << winsize)) != 0) {
wolfSSL 13:f67a6c6013ca 2119 /* then multiply */
wolfSSL 13:f67a6c6013ca 2120 if ((err = mp_mul (&res, &M[1], &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2121 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2122 }
wolfSSL 13:f67a6c6013ca 2123 if ((err = redux (&res, P, mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2124 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2125 }
wolfSSL 13:f67a6c6013ca 2126 }
wolfSSL 13:f67a6c6013ca 2127 }
wolfSSL 13:f67a6c6013ca 2128 }
wolfSSL 13:f67a6c6013ca 2129
wolfSSL 13:f67a6c6013ca 2130 if (redmode == 0) {
wolfSSL 13:f67a6c6013ca 2131 /* fixup result if Montgomery reduction is used
wolfSSL 13:f67a6c6013ca 2132 * recall that any value in a Montgomery system is
wolfSSL 13:f67a6c6013ca 2133 * actually multiplied by R mod n. So we have
wolfSSL 13:f67a6c6013ca 2134 * to reduce one more time to cancel out the factor
wolfSSL 13:f67a6c6013ca 2135 * of R.
wolfSSL 13:f67a6c6013ca 2136 */
wolfSSL 13:f67a6c6013ca 2137 if ((err = redux(&res, P, mp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2138 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 2139 }
wolfSSL 13:f67a6c6013ca 2140 }
wolfSSL 13:f67a6c6013ca 2141
wolfSSL 13:f67a6c6013ca 2142 /* swap res with Y */
wolfSSL 13:f67a6c6013ca 2143 mp_exch (&res, Y);
wolfSSL 13:f67a6c6013ca 2144 err = MP_OKAY;
wolfSSL 13:f67a6c6013ca 2145 LBL_RES:mp_clear (&res);
wolfSSL 13:f67a6c6013ca 2146 LBL_M:
wolfSSL 13:f67a6c6013ca 2147 mp_clear(&M[1]);
wolfSSL 13:f67a6c6013ca 2148 for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
wolfSSL 13:f67a6c6013ca 2149 mp_clear (&M[x]);
wolfSSL 13:f67a6c6013ca 2150 }
wolfSSL 13:f67a6c6013ca 2151
wolfSSL 13:f67a6c6013ca 2152 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 2153 XFREE(M, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:f67a6c6013ca 2154 #endif
wolfSSL 13:f67a6c6013ca 2155
wolfSSL 13:f67a6c6013ca 2156 return err;
wolfSSL 13:f67a6c6013ca 2157 }
wolfSSL 13:f67a6c6013ca 2158
wolfSSL 13:f67a6c6013ca 2159
wolfSSL 13:f67a6c6013ca 2160 /* setups the montgomery reduction stuff */
wolfSSL 13:f67a6c6013ca 2161 int mp_montgomery_setup (mp_int * n, mp_digit * rho)
wolfSSL 13:f67a6c6013ca 2162 {
wolfSSL 13:f67a6c6013ca 2163 mp_digit x, b;
wolfSSL 13:f67a6c6013ca 2164
wolfSSL 13:f67a6c6013ca 2165 /* fast inversion mod 2**k
wolfSSL 13:f67a6c6013ca 2166 *
wolfSSL 13:f67a6c6013ca 2167 * Based on the fact that
wolfSSL 13:f67a6c6013ca 2168 *
wolfSSL 13:f67a6c6013ca 2169 * XA = 1 (mod 2**n) => (X(2-XA)) A = 1 (mod 2**2n)
wolfSSL 13:f67a6c6013ca 2170 * => 2*X*A - X*X*A*A = 1
wolfSSL 13:f67a6c6013ca 2171 * => 2*(1) - (1) = 1
wolfSSL 13:f67a6c6013ca 2172 */
wolfSSL 13:f67a6c6013ca 2173 b = n->dp[0];
wolfSSL 13:f67a6c6013ca 2174
wolfSSL 13:f67a6c6013ca 2175 if ((b & 1) == 0) {
wolfSSL 13:f67a6c6013ca 2176 return MP_VAL;
wolfSSL 13:f67a6c6013ca 2177 }
wolfSSL 13:f67a6c6013ca 2178
wolfSSL 13:f67a6c6013ca 2179 x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
wolfSSL 13:f67a6c6013ca 2180 x *= 2 - b * x; /* here x*a==1 mod 2**8 */
wolfSSL 13:f67a6c6013ca 2181 #if !defined(MP_8BIT)
wolfSSL 13:f67a6c6013ca 2182 x *= 2 - b * x; /* here x*a==1 mod 2**16 */
wolfSSL 13:f67a6c6013ca 2183 #endif
wolfSSL 13:f67a6c6013ca 2184 #if defined(MP_64BIT) || !(defined(MP_8BIT) || defined(MP_16BIT))
wolfSSL 13:f67a6c6013ca 2185 x *= 2 - b * x; /* here x*a==1 mod 2**32 */
wolfSSL 13:f67a6c6013ca 2186 #endif
wolfSSL 13:f67a6c6013ca 2187 #ifdef MP_64BIT
wolfSSL 13:f67a6c6013ca 2188 x *= 2 - b * x; /* here x*a==1 mod 2**64 */
wolfSSL 13:f67a6c6013ca 2189 #endif
wolfSSL 13:f67a6c6013ca 2190
wolfSSL 13:f67a6c6013ca 2191 /* rho = -1/m mod b */
wolfSSL 13:f67a6c6013ca 2192 /* TAO, switched mp_word casts to mp_digit to shut up compiler */
wolfSSL 13:f67a6c6013ca 2193 *rho = (mp_digit)((((mp_digit)1 << ((mp_digit) DIGIT_BIT)) - x) & MP_MASK);
wolfSSL 13:f67a6c6013ca 2194
wolfSSL 13:f67a6c6013ca 2195 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 2196 }
wolfSSL 13:f67a6c6013ca 2197
wolfSSL 13:f67a6c6013ca 2198
wolfSSL 13:f67a6c6013ca 2199 /* computes xR**-1 == x (mod N) via Montgomery Reduction
wolfSSL 13:f67a6c6013ca 2200 *
wolfSSL 13:f67a6c6013ca 2201 * This is an optimized implementation of montgomery_reduce
wolfSSL 13:f67a6c6013ca 2202 * which uses the comba method to quickly calculate the columns of the
wolfSSL 13:f67a6c6013ca 2203 * reduction.
wolfSSL 13:f67a6c6013ca 2204 *
wolfSSL 13:f67a6c6013ca 2205 * Based on Algorithm 14.32 on pp.601 of HAC.
wolfSSL 13:f67a6c6013ca 2206 */
wolfSSL 13:f67a6c6013ca 2207 int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
wolfSSL 13:f67a6c6013ca 2208 {
wolfSSL 13:f67a6c6013ca 2209 int ix, res, olduse;
wolfSSL 13:f67a6c6013ca 2210 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 2211 mp_word* W; /* uses dynamic memory and slower */
wolfSSL 13:f67a6c6013ca 2212 #else
wolfSSL 13:f67a6c6013ca 2213 mp_word W[MP_WARRAY];
wolfSSL 13:f67a6c6013ca 2214 #endif
wolfSSL 13:f67a6c6013ca 2215
wolfSSL 13:f67a6c6013ca 2216 /* get old used count */
wolfSSL 13:f67a6c6013ca 2217 olduse = x->used;
wolfSSL 13:f67a6c6013ca 2218
wolfSSL 13:f67a6c6013ca 2219 /* grow a as required */
wolfSSL 13:f67a6c6013ca 2220 if (x->alloc < n->used + 1) {
wolfSSL 13:f67a6c6013ca 2221 if ((res = mp_grow (x, n->used + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2222 return res;
wolfSSL 13:f67a6c6013ca 2223 }
wolfSSL 13:f67a6c6013ca 2224 }
wolfSSL 13:f67a6c6013ca 2225
wolfSSL 13:f67a6c6013ca 2226 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 2227 W = (mp_word*)XMALLOC(sizeof(mp_word) * MP_WARRAY, NULL, DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 2228 if (W == NULL)
wolfSSL 13:f67a6c6013ca 2229 return MP_MEM;
wolfSSL 13:f67a6c6013ca 2230 #endif
wolfSSL 13:f67a6c6013ca 2231
wolfSSL 13:f67a6c6013ca 2232 /* first we have to get the digits of the input into
wolfSSL 13:f67a6c6013ca 2233 * an array of double precision words W[...]
wolfSSL 13:f67a6c6013ca 2234 */
wolfSSL 13:f67a6c6013ca 2235 {
wolfSSL 13:f67a6c6013ca 2236 mp_word *_W;
wolfSSL 13:f67a6c6013ca 2237 mp_digit *tmpx;
wolfSSL 13:f67a6c6013ca 2238
wolfSSL 13:f67a6c6013ca 2239 /* alias for the W[] array */
wolfSSL 13:f67a6c6013ca 2240 _W = W;
wolfSSL 13:f67a6c6013ca 2241
wolfSSL 13:f67a6c6013ca 2242 /* alias for the digits of x*/
wolfSSL 13:f67a6c6013ca 2243 tmpx = x->dp;
wolfSSL 13:f67a6c6013ca 2244
wolfSSL 13:f67a6c6013ca 2245 /* copy the digits of a into W[0..a->used-1] */
wolfSSL 13:f67a6c6013ca 2246 for (ix = 0; ix < x->used; ix++) {
wolfSSL 13:f67a6c6013ca 2247 *_W++ = *tmpx++;
wolfSSL 13:f67a6c6013ca 2248 }
wolfSSL 13:f67a6c6013ca 2249
wolfSSL 13:f67a6c6013ca 2250 /* zero the high words of W[a->used..m->used*2] */
wolfSSL 13:f67a6c6013ca 2251 for (; ix < n->used * 2 + 1; ix++) {
wolfSSL 13:f67a6c6013ca 2252 *_W++ = 0;
wolfSSL 13:f67a6c6013ca 2253 }
wolfSSL 13:f67a6c6013ca 2254 }
wolfSSL 13:f67a6c6013ca 2255
wolfSSL 13:f67a6c6013ca 2256 /* now we proceed to zero successive digits
wolfSSL 13:f67a6c6013ca 2257 * from the least significant upwards
wolfSSL 13:f67a6c6013ca 2258 */
wolfSSL 13:f67a6c6013ca 2259 for (ix = 0; ix < n->used; ix++) {
wolfSSL 13:f67a6c6013ca 2260 /* mu = ai * m' mod b
wolfSSL 13:f67a6c6013ca 2261 *
wolfSSL 13:f67a6c6013ca 2262 * We avoid a double precision multiplication (which isn't required)
wolfSSL 13:f67a6c6013ca 2263 * by casting the value down to a mp_digit. Note this requires
wolfSSL 13:f67a6c6013ca 2264 * that W[ix-1] have the carry cleared (see after the inner loop)
wolfSSL 13:f67a6c6013ca 2265 */
wolfSSL 13:f67a6c6013ca 2266 mp_digit mu;
wolfSSL 13:f67a6c6013ca 2267 mu = (mp_digit) (((W[ix] & MP_MASK) * rho) & MP_MASK);
wolfSSL 13:f67a6c6013ca 2268
wolfSSL 13:f67a6c6013ca 2269 /* a = a + mu * m * b**i
wolfSSL 13:f67a6c6013ca 2270 *
wolfSSL 13:f67a6c6013ca 2271 * This is computed in place and on the fly. The multiplication
wolfSSL 13:f67a6c6013ca 2272 * by b**i is handled by offseting which columns the results
wolfSSL 13:f67a6c6013ca 2273 * are added to.
wolfSSL 13:f67a6c6013ca 2274 *
wolfSSL 13:f67a6c6013ca 2275 * Note the comba method normally doesn't handle carries in the
wolfSSL 13:f67a6c6013ca 2276 * inner loop In this case we fix the carry from the previous
wolfSSL 13:f67a6c6013ca 2277 * column since the Montgomery reduction requires digits of the
wolfSSL 13:f67a6c6013ca 2278 * result (so far) [see above] to work. This is
wolfSSL 13:f67a6c6013ca 2279 * handled by fixing up one carry after the inner loop. The
wolfSSL 13:f67a6c6013ca 2280 * carry fixups are done in order so after these loops the
wolfSSL 13:f67a6c6013ca 2281 * first m->used words of W[] have the carries fixed
wolfSSL 13:f67a6c6013ca 2282 */
wolfSSL 13:f67a6c6013ca 2283 {
wolfSSL 13:f67a6c6013ca 2284 int iy;
wolfSSL 13:f67a6c6013ca 2285 mp_digit *tmpn;
wolfSSL 13:f67a6c6013ca 2286 mp_word *_W;
wolfSSL 13:f67a6c6013ca 2287
wolfSSL 13:f67a6c6013ca 2288 /* alias for the digits of the modulus */
wolfSSL 13:f67a6c6013ca 2289 tmpn = n->dp;
wolfSSL 13:f67a6c6013ca 2290
wolfSSL 13:f67a6c6013ca 2291 /* Alias for the columns set by an offset of ix */
wolfSSL 13:f67a6c6013ca 2292 _W = W + ix;
wolfSSL 13:f67a6c6013ca 2293
wolfSSL 13:f67a6c6013ca 2294 /* inner loop */
wolfSSL 13:f67a6c6013ca 2295 for (iy = 0; iy < n->used; iy++) {
wolfSSL 13:f67a6c6013ca 2296 *_W++ += ((mp_word)mu) * ((mp_word)*tmpn++);
wolfSSL 13:f67a6c6013ca 2297 }
wolfSSL 13:f67a6c6013ca 2298 }
wolfSSL 13:f67a6c6013ca 2299
wolfSSL 13:f67a6c6013ca 2300 /* now fix carry for next digit, W[ix+1] */
wolfSSL 13:f67a6c6013ca 2301 W[ix + 1] += W[ix] >> ((mp_word) DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 2302 }
wolfSSL 13:f67a6c6013ca 2303
wolfSSL 13:f67a6c6013ca 2304 /* now we have to propagate the carries and
wolfSSL 13:f67a6c6013ca 2305 * shift the words downward [all those least
wolfSSL 13:f67a6c6013ca 2306 * significant digits we zeroed].
wolfSSL 13:f67a6c6013ca 2307 */
wolfSSL 13:f67a6c6013ca 2308 {
wolfSSL 13:f67a6c6013ca 2309 mp_digit *tmpx;
wolfSSL 13:f67a6c6013ca 2310 mp_word *_W, *_W1;
wolfSSL 13:f67a6c6013ca 2311
wolfSSL 13:f67a6c6013ca 2312 /* nox fix rest of carries */
wolfSSL 13:f67a6c6013ca 2313
wolfSSL 13:f67a6c6013ca 2314 /* alias for current word */
wolfSSL 13:f67a6c6013ca 2315 _W1 = W + ix;
wolfSSL 13:f67a6c6013ca 2316
wolfSSL 13:f67a6c6013ca 2317 /* alias for next word, where the carry goes */
wolfSSL 13:f67a6c6013ca 2318 _W = W + ++ix;
wolfSSL 13:f67a6c6013ca 2319
wolfSSL 13:f67a6c6013ca 2320 for (; ix <= n->used * 2 + 1; ix++) {
wolfSSL 13:f67a6c6013ca 2321 *_W++ += *_W1++ >> ((mp_word) DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 2322 }
wolfSSL 13:f67a6c6013ca 2323
wolfSSL 13:f67a6c6013ca 2324 /* copy out, A = A/b**n
wolfSSL 13:f67a6c6013ca 2325 *
wolfSSL 13:f67a6c6013ca 2326 * The result is A/b**n but instead of converting from an
wolfSSL 13:f67a6c6013ca 2327 * array of mp_word to mp_digit than calling mp_rshd
wolfSSL 13:f67a6c6013ca 2328 * we just copy them in the right order
wolfSSL 13:f67a6c6013ca 2329 */
wolfSSL 13:f67a6c6013ca 2330
wolfSSL 13:f67a6c6013ca 2331 /* alias for destination word */
wolfSSL 13:f67a6c6013ca 2332 tmpx = x->dp;
wolfSSL 13:f67a6c6013ca 2333
wolfSSL 13:f67a6c6013ca 2334 /* alias for shifted double precision result */
wolfSSL 13:f67a6c6013ca 2335 _W = W + n->used;
wolfSSL 13:f67a6c6013ca 2336
wolfSSL 13:f67a6c6013ca 2337 for (ix = 0; ix < n->used + 1; ix++) {
wolfSSL 13:f67a6c6013ca 2338 *tmpx++ = (mp_digit)(*_W++ & ((mp_word) MP_MASK));
wolfSSL 13:f67a6c6013ca 2339 }
wolfSSL 13:f67a6c6013ca 2340
wolfSSL 13:f67a6c6013ca 2341 /* zero olduse digits, if the input a was larger than
wolfSSL 13:f67a6c6013ca 2342 * m->used+1 we'll have to clear the digits
wolfSSL 13:f67a6c6013ca 2343 */
wolfSSL 13:f67a6c6013ca 2344 for (; ix < olduse; ix++) {
wolfSSL 13:f67a6c6013ca 2345 *tmpx++ = 0;
wolfSSL 13:f67a6c6013ca 2346 }
wolfSSL 13:f67a6c6013ca 2347 }
wolfSSL 13:f67a6c6013ca 2348
wolfSSL 13:f67a6c6013ca 2349 /* set the max used and clamp */
wolfSSL 13:f67a6c6013ca 2350 x->used = n->used + 1;
wolfSSL 13:f67a6c6013ca 2351 mp_clamp (x);
wolfSSL 13:f67a6c6013ca 2352
wolfSSL 13:f67a6c6013ca 2353 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 2354 XFREE(W, NULL, DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 2355 #endif
wolfSSL 13:f67a6c6013ca 2356
wolfSSL 13:f67a6c6013ca 2357 /* if A >= m then A = A - m */
wolfSSL 13:f67a6c6013ca 2358 if (mp_cmp_mag (x, n) != MP_LT) {
wolfSSL 13:f67a6c6013ca 2359 return s_mp_sub (x, n, x);
wolfSSL 13:f67a6c6013ca 2360 }
wolfSSL 13:f67a6c6013ca 2361 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 2362 }
wolfSSL 13:f67a6c6013ca 2363
wolfSSL 13:f67a6c6013ca 2364
wolfSSL 13:f67a6c6013ca 2365 /* computes xR**-1 == x (mod N) via Montgomery Reduction */
wolfSSL 13:f67a6c6013ca 2366 int mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
wolfSSL 13:f67a6c6013ca 2367 {
wolfSSL 13:f67a6c6013ca 2368 int ix, res, digs;
wolfSSL 13:f67a6c6013ca 2369 mp_digit mu;
wolfSSL 13:f67a6c6013ca 2370
wolfSSL 13:f67a6c6013ca 2371 /* can the fast reduction [comba] method be used?
wolfSSL 13:f67a6c6013ca 2372 *
wolfSSL 13:f67a6c6013ca 2373 * Note that unlike in mul you're safely allowed *less*
wolfSSL 13:f67a6c6013ca 2374 * than the available columns [255 per default] since carries
wolfSSL 13:f67a6c6013ca 2375 * are fixed up in the inner loop.
wolfSSL 13:f67a6c6013ca 2376 */
wolfSSL 13:f67a6c6013ca 2377 digs = n->used * 2 + 1;
wolfSSL 13:f67a6c6013ca 2378 if ((digs < MP_WARRAY) &&
wolfSSL 13:f67a6c6013ca 2379 n->used <
wolfSSL 13:f67a6c6013ca 2380 (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
wolfSSL 13:f67a6c6013ca 2381 return fast_mp_montgomery_reduce (x, n, rho);
wolfSSL 13:f67a6c6013ca 2382 }
wolfSSL 13:f67a6c6013ca 2383
wolfSSL 13:f67a6c6013ca 2384 /* grow the input as required */
wolfSSL 13:f67a6c6013ca 2385 if (x->alloc < digs) {
wolfSSL 13:f67a6c6013ca 2386 if ((res = mp_grow (x, digs)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2387 return res;
wolfSSL 13:f67a6c6013ca 2388 }
wolfSSL 13:f67a6c6013ca 2389 }
wolfSSL 13:f67a6c6013ca 2390 x->used = digs;
wolfSSL 13:f67a6c6013ca 2391
wolfSSL 13:f67a6c6013ca 2392 for (ix = 0; ix < n->used; ix++) {
wolfSSL 13:f67a6c6013ca 2393 /* mu = ai * rho mod b
wolfSSL 13:f67a6c6013ca 2394 *
wolfSSL 13:f67a6c6013ca 2395 * The value of rho must be precalculated via
wolfSSL 13:f67a6c6013ca 2396 * montgomery_setup() such that
wolfSSL 13:f67a6c6013ca 2397 * it equals -1/n0 mod b this allows the
wolfSSL 13:f67a6c6013ca 2398 * following inner loop to reduce the
wolfSSL 13:f67a6c6013ca 2399 * input one digit at a time
wolfSSL 13:f67a6c6013ca 2400 */
wolfSSL 13:f67a6c6013ca 2401 mu = (mp_digit) (((mp_word)x->dp[ix]) * ((mp_word)rho) & MP_MASK);
wolfSSL 13:f67a6c6013ca 2402
wolfSSL 13:f67a6c6013ca 2403 /* a = a + mu * m * b**i */
wolfSSL 13:f67a6c6013ca 2404 {
wolfSSL 13:f67a6c6013ca 2405 int iy;
wolfSSL 13:f67a6c6013ca 2406 mp_digit *tmpn, *tmpx, u;
wolfSSL 13:f67a6c6013ca 2407 mp_word r;
wolfSSL 13:f67a6c6013ca 2408
wolfSSL 13:f67a6c6013ca 2409 /* alias for digits of the modulus */
wolfSSL 13:f67a6c6013ca 2410 tmpn = n->dp;
wolfSSL 13:f67a6c6013ca 2411
wolfSSL 13:f67a6c6013ca 2412 /* alias for the digits of x [the input] */
wolfSSL 13:f67a6c6013ca 2413 tmpx = x->dp + ix;
wolfSSL 13:f67a6c6013ca 2414
wolfSSL 13:f67a6c6013ca 2415 /* set the carry to zero */
wolfSSL 13:f67a6c6013ca 2416 u = 0;
wolfSSL 13:f67a6c6013ca 2417
wolfSSL 13:f67a6c6013ca 2418 /* Multiply and add in place */
wolfSSL 13:f67a6c6013ca 2419 for (iy = 0; iy < n->used; iy++) {
wolfSSL 13:f67a6c6013ca 2420 /* compute product and sum */
wolfSSL 13:f67a6c6013ca 2421 r = ((mp_word)mu) * ((mp_word)*tmpn++) +
wolfSSL 13:f67a6c6013ca 2422 ((mp_word) u) + ((mp_word) * tmpx);
wolfSSL 13:f67a6c6013ca 2423
wolfSSL 13:f67a6c6013ca 2424 /* get carry */
wolfSSL 13:f67a6c6013ca 2425 u = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
wolfSSL 13:f67a6c6013ca 2426
wolfSSL 13:f67a6c6013ca 2427 /* fix digit */
wolfSSL 13:f67a6c6013ca 2428 *tmpx++ = (mp_digit)(r & ((mp_word) MP_MASK));
wolfSSL 13:f67a6c6013ca 2429 }
wolfSSL 13:f67a6c6013ca 2430 /* At this point the ix'th digit of x should be zero */
wolfSSL 13:f67a6c6013ca 2431
wolfSSL 13:f67a6c6013ca 2432
wolfSSL 13:f67a6c6013ca 2433 /* propagate carries upwards as required*/
wolfSSL 13:f67a6c6013ca 2434 while (u) {
wolfSSL 13:f67a6c6013ca 2435 *tmpx += u;
wolfSSL 13:f67a6c6013ca 2436 u = *tmpx >> DIGIT_BIT;
wolfSSL 13:f67a6c6013ca 2437 *tmpx++ &= MP_MASK;
wolfSSL 13:f67a6c6013ca 2438 }
wolfSSL 13:f67a6c6013ca 2439 }
wolfSSL 13:f67a6c6013ca 2440 }
wolfSSL 13:f67a6c6013ca 2441
wolfSSL 13:f67a6c6013ca 2442 /* at this point the n.used'th least
wolfSSL 13:f67a6c6013ca 2443 * significant digits of x are all zero
wolfSSL 13:f67a6c6013ca 2444 * which means we can shift x to the
wolfSSL 13:f67a6c6013ca 2445 * right by n.used digits and the
wolfSSL 13:f67a6c6013ca 2446 * residue is unchanged.
wolfSSL 13:f67a6c6013ca 2447 */
wolfSSL 13:f67a6c6013ca 2448
wolfSSL 13:f67a6c6013ca 2449 /* x = x/b**n.used */
wolfSSL 13:f67a6c6013ca 2450 mp_clamp(x);
wolfSSL 13:f67a6c6013ca 2451 mp_rshd (x, n->used);
wolfSSL 13:f67a6c6013ca 2452
wolfSSL 13:f67a6c6013ca 2453 /* if x >= n then x = x - n */
wolfSSL 13:f67a6c6013ca 2454 if (mp_cmp_mag (x, n) != MP_LT) {
wolfSSL 13:f67a6c6013ca 2455 return s_mp_sub (x, n, x);
wolfSSL 13:f67a6c6013ca 2456 }
wolfSSL 13:f67a6c6013ca 2457
wolfSSL 13:f67a6c6013ca 2458 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 2459 }
wolfSSL 13:f67a6c6013ca 2460
wolfSSL 13:f67a6c6013ca 2461
wolfSSL 13:f67a6c6013ca 2462 /* determines the setup value */
wolfSSL 13:f67a6c6013ca 2463 void mp_dr_setup(mp_int *a, mp_digit *d)
wolfSSL 13:f67a6c6013ca 2464 {
wolfSSL 13:f67a6c6013ca 2465 /* the casts are required if DIGIT_BIT is one less than
wolfSSL 13:f67a6c6013ca 2466 * the number of bits in a mp_digit [e.g. DIGIT_BIT==31]
wolfSSL 13:f67a6c6013ca 2467 */
wolfSSL 13:f67a6c6013ca 2468 *d = (mp_digit)((((mp_word)1) << ((mp_word)DIGIT_BIT)) -
wolfSSL 13:f67a6c6013ca 2469 ((mp_word)a->dp[0]));
wolfSSL 13:f67a6c6013ca 2470 }
wolfSSL 13:f67a6c6013ca 2471
wolfSSL 13:f67a6c6013ca 2472
wolfSSL 13:f67a6c6013ca 2473 /* reduce "x" in place modulo "n" using the Diminished Radix algorithm.
wolfSSL 13:f67a6c6013ca 2474 *
wolfSSL 13:f67a6c6013ca 2475 * Based on algorithm from the paper
wolfSSL 13:f67a6c6013ca 2476 *
wolfSSL 13:f67a6c6013ca 2477 * "Generating Efficient Primes for Discrete Log Cryptosystems"
wolfSSL 13:f67a6c6013ca 2478 * Chae Hoon Lim, Pil Joong Lee,
wolfSSL 13:f67a6c6013ca 2479 * POSTECH Information Research Laboratories
wolfSSL 13:f67a6c6013ca 2480 *
wolfSSL 13:f67a6c6013ca 2481 * The modulus must be of a special format [see manual]
wolfSSL 13:f67a6c6013ca 2482 *
wolfSSL 13:f67a6c6013ca 2483 * Has been modified to use algorithm 7.10 from the LTM book instead
wolfSSL 13:f67a6c6013ca 2484 *
wolfSSL 13:f67a6c6013ca 2485 * Input x must be in the range 0 <= x <= (n-1)**2
wolfSSL 13:f67a6c6013ca 2486 */
wolfSSL 13:f67a6c6013ca 2487 int mp_dr_reduce (mp_int * x, mp_int * n, mp_digit k)
wolfSSL 13:f67a6c6013ca 2488 {
wolfSSL 13:f67a6c6013ca 2489 int err, i, m;
wolfSSL 13:f67a6c6013ca 2490 mp_word r;
wolfSSL 13:f67a6c6013ca 2491 mp_digit mu, *tmpx1, *tmpx2;
wolfSSL 13:f67a6c6013ca 2492
wolfSSL 13:f67a6c6013ca 2493 /* m = digits in modulus */
wolfSSL 13:f67a6c6013ca 2494 m = n->used;
wolfSSL 13:f67a6c6013ca 2495
wolfSSL 13:f67a6c6013ca 2496 /* ensure that "x" has at least 2m digits */
wolfSSL 13:f67a6c6013ca 2497 if (x->alloc < m + m) {
wolfSSL 13:f67a6c6013ca 2498 if ((err = mp_grow (x, m + m)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2499 return err;
wolfSSL 13:f67a6c6013ca 2500 }
wolfSSL 13:f67a6c6013ca 2501 }
wolfSSL 13:f67a6c6013ca 2502
wolfSSL 13:f67a6c6013ca 2503 /* top of loop, this is where the code resumes if
wolfSSL 13:f67a6c6013ca 2504 * another reduction pass is required.
wolfSSL 13:f67a6c6013ca 2505 */
wolfSSL 13:f67a6c6013ca 2506 top:
wolfSSL 13:f67a6c6013ca 2507 /* aliases for digits */
wolfSSL 13:f67a6c6013ca 2508 /* alias for lower half of x */
wolfSSL 13:f67a6c6013ca 2509 tmpx1 = x->dp;
wolfSSL 13:f67a6c6013ca 2510
wolfSSL 13:f67a6c6013ca 2511 /* alias for upper half of x, or x/B**m */
wolfSSL 13:f67a6c6013ca 2512 tmpx2 = x->dp + m;
wolfSSL 13:f67a6c6013ca 2513
wolfSSL 13:f67a6c6013ca 2514 /* set carry to zero */
wolfSSL 13:f67a6c6013ca 2515 mu = 0;
wolfSSL 13:f67a6c6013ca 2516
wolfSSL 13:f67a6c6013ca 2517 /* compute (x mod B**m) + k * [x/B**m] inline and inplace */
wolfSSL 13:f67a6c6013ca 2518 for (i = 0; i < m; i++) {
wolfSSL 13:f67a6c6013ca 2519 r = ((mp_word)*tmpx2++) * ((mp_word)k) + *tmpx1 + mu;
wolfSSL 13:f67a6c6013ca 2520 *tmpx1++ = (mp_digit)(r & MP_MASK);
wolfSSL 13:f67a6c6013ca 2521 mu = (mp_digit)(r >> ((mp_word)DIGIT_BIT));
wolfSSL 13:f67a6c6013ca 2522 }
wolfSSL 13:f67a6c6013ca 2523
wolfSSL 13:f67a6c6013ca 2524 /* set final carry */
wolfSSL 13:f67a6c6013ca 2525 *tmpx1++ = mu;
wolfSSL 13:f67a6c6013ca 2526
wolfSSL 13:f67a6c6013ca 2527 /* zero words above m */
wolfSSL 13:f67a6c6013ca 2528 for (i = m + 1; i < x->used; i++) {
wolfSSL 13:f67a6c6013ca 2529 *tmpx1++ = 0;
wolfSSL 13:f67a6c6013ca 2530 }
wolfSSL 13:f67a6c6013ca 2531
wolfSSL 13:f67a6c6013ca 2532 /* clamp, sub and return */
wolfSSL 13:f67a6c6013ca 2533 mp_clamp (x);
wolfSSL 13:f67a6c6013ca 2534
wolfSSL 13:f67a6c6013ca 2535 /* if x >= n then subtract and reduce again
wolfSSL 13:f67a6c6013ca 2536 * Each successive "recursion" makes the input smaller and smaller.
wolfSSL 13:f67a6c6013ca 2537 */
wolfSSL 13:f67a6c6013ca 2538 if (mp_cmp_mag (x, n) != MP_LT) {
wolfSSL 13:f67a6c6013ca 2539 s_mp_sub(x, n, x);
wolfSSL 13:f67a6c6013ca 2540 goto top;
wolfSSL 13:f67a6c6013ca 2541 }
wolfSSL 13:f67a6c6013ca 2542 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 2543 }
wolfSSL 13:f67a6c6013ca 2544
wolfSSL 13:f67a6c6013ca 2545
wolfSSL 13:f67a6c6013ca 2546 /* reduces a modulo n where n is of the form 2**p - d */
wolfSSL 13:f67a6c6013ca 2547 int mp_reduce_2k(mp_int *a, mp_int *n, mp_digit d)
wolfSSL 13:f67a6c6013ca 2548 {
wolfSSL 13:f67a6c6013ca 2549 mp_int q;
wolfSSL 13:f67a6c6013ca 2550 int p, res;
wolfSSL 13:f67a6c6013ca 2551
wolfSSL 13:f67a6c6013ca 2552 if ((res = mp_init(&q)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2553 return res;
wolfSSL 13:f67a6c6013ca 2554 }
wolfSSL 13:f67a6c6013ca 2555
wolfSSL 13:f67a6c6013ca 2556 p = mp_count_bits(n);
wolfSSL 13:f67a6c6013ca 2557 top:
wolfSSL 13:f67a6c6013ca 2558 /* q = a/2**p, a = a mod 2**p */
wolfSSL 13:f67a6c6013ca 2559 if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2560 goto ERR;
wolfSSL 13:f67a6c6013ca 2561 }
wolfSSL 13:f67a6c6013ca 2562
wolfSSL 13:f67a6c6013ca 2563 if (d != 1) {
wolfSSL 13:f67a6c6013ca 2564 /* q = q * d */
wolfSSL 13:f67a6c6013ca 2565 if ((res = mp_mul_d(&q, d, &q)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2566 goto ERR;
wolfSSL 13:f67a6c6013ca 2567 }
wolfSSL 13:f67a6c6013ca 2568 }
wolfSSL 13:f67a6c6013ca 2569
wolfSSL 13:f67a6c6013ca 2570 /* a = a + q */
wolfSSL 13:f67a6c6013ca 2571 if ((res = s_mp_add(a, &q, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2572 goto ERR;
wolfSSL 13:f67a6c6013ca 2573 }
wolfSSL 13:f67a6c6013ca 2574
wolfSSL 13:f67a6c6013ca 2575 if (mp_cmp_mag(a, n) != MP_LT) {
wolfSSL 13:f67a6c6013ca 2576 s_mp_sub(a, n, a);
wolfSSL 13:f67a6c6013ca 2577 goto top;
wolfSSL 13:f67a6c6013ca 2578 }
wolfSSL 13:f67a6c6013ca 2579
wolfSSL 13:f67a6c6013ca 2580 ERR:
wolfSSL 13:f67a6c6013ca 2581 mp_clear(&q);
wolfSSL 13:f67a6c6013ca 2582 return res;
wolfSSL 13:f67a6c6013ca 2583 }
wolfSSL 13:f67a6c6013ca 2584
wolfSSL 13:f67a6c6013ca 2585
wolfSSL 13:f67a6c6013ca 2586 /* determines the setup value */
wolfSSL 13:f67a6c6013ca 2587 int mp_reduce_2k_setup(mp_int *a, mp_digit *d)
wolfSSL 13:f67a6c6013ca 2588 {
wolfSSL 13:f67a6c6013ca 2589 int res, p;
wolfSSL 13:f67a6c6013ca 2590 mp_int tmp;
wolfSSL 13:f67a6c6013ca 2591
wolfSSL 13:f67a6c6013ca 2592 if ((res = mp_init(&tmp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2593 return res;
wolfSSL 13:f67a6c6013ca 2594 }
wolfSSL 13:f67a6c6013ca 2595
wolfSSL 13:f67a6c6013ca 2596 p = mp_count_bits(a);
wolfSSL 13:f67a6c6013ca 2597 if ((res = mp_2expt(&tmp, p)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2598 mp_clear(&tmp);
wolfSSL 13:f67a6c6013ca 2599 return res;
wolfSSL 13:f67a6c6013ca 2600 }
wolfSSL 13:f67a6c6013ca 2601
wolfSSL 13:f67a6c6013ca 2602 if ((res = s_mp_sub(&tmp, a, &tmp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2603 mp_clear(&tmp);
wolfSSL 13:f67a6c6013ca 2604 return res;
wolfSSL 13:f67a6c6013ca 2605 }
wolfSSL 13:f67a6c6013ca 2606
wolfSSL 13:f67a6c6013ca 2607 *d = tmp.dp[0];
wolfSSL 13:f67a6c6013ca 2608 mp_clear(&tmp);
wolfSSL 13:f67a6c6013ca 2609 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 2610 }
wolfSSL 13:f67a6c6013ca 2611
wolfSSL 13:f67a6c6013ca 2612
wolfSSL 13:f67a6c6013ca 2613 /* set the b bit of a */
wolfSSL 13:f67a6c6013ca 2614 int mp_set_bit (mp_int * a, int b)
wolfSSL 13:f67a6c6013ca 2615 {
wolfSSL 13:f67a6c6013ca 2616 int i = b / DIGIT_BIT, res;
wolfSSL 13:f67a6c6013ca 2617
wolfSSL 13:f67a6c6013ca 2618 if (a->used < (int)(i + 1)) {
wolfSSL 13:f67a6c6013ca 2619 /* grow a to accommodate the single bit */
wolfSSL 13:f67a6c6013ca 2620 if ((res = mp_grow (a, i + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2621 return res;
wolfSSL 13:f67a6c6013ca 2622 }
wolfSSL 13:f67a6c6013ca 2623
wolfSSL 13:f67a6c6013ca 2624 /* set the used count of where the bit will go */
wolfSSL 13:f67a6c6013ca 2625 a->used = (int)(i + 1);
wolfSSL 13:f67a6c6013ca 2626 }
wolfSSL 13:f67a6c6013ca 2627
wolfSSL 13:f67a6c6013ca 2628 /* put the single bit in its place */
wolfSSL 13:f67a6c6013ca 2629 a->dp[i] |= ((mp_digit)1) << (b % DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 2630
wolfSSL 13:f67a6c6013ca 2631 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 2632 }
wolfSSL 13:f67a6c6013ca 2633
wolfSSL 13:f67a6c6013ca 2634 /* computes a = 2**b
wolfSSL 13:f67a6c6013ca 2635 *
wolfSSL 13:f67a6c6013ca 2636 * Simple algorithm which zeros the int, set the required bit
wolfSSL 13:f67a6c6013ca 2637 */
wolfSSL 13:f67a6c6013ca 2638 int mp_2expt (mp_int * a, int b)
wolfSSL 13:f67a6c6013ca 2639 {
wolfSSL 13:f67a6c6013ca 2640 /* zero a as per default */
wolfSSL 13:f67a6c6013ca 2641 mp_zero (a);
wolfSSL 13:f67a6c6013ca 2642
wolfSSL 13:f67a6c6013ca 2643 return mp_set_bit(a, b);
wolfSSL 13:f67a6c6013ca 2644 }
wolfSSL 13:f67a6c6013ca 2645
wolfSSL 13:f67a6c6013ca 2646 /* multiply by a digit */
wolfSSL 13:f67a6c6013ca 2647 int mp_mul_d (mp_int * a, mp_digit b, mp_int * c)
wolfSSL 13:f67a6c6013ca 2648 {
wolfSSL 13:f67a6c6013ca 2649 mp_digit u, *tmpa, *tmpc;
wolfSSL 13:f67a6c6013ca 2650 mp_word r;
wolfSSL 13:f67a6c6013ca 2651 int ix, res, olduse;
wolfSSL 13:f67a6c6013ca 2652
wolfSSL 13:f67a6c6013ca 2653 /* make sure c is big enough to hold a*b */
wolfSSL 13:f67a6c6013ca 2654 if (c->alloc < a->used + 1) {
wolfSSL 13:f67a6c6013ca 2655 if ((res = mp_grow (c, a->used + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2656 return res;
wolfSSL 13:f67a6c6013ca 2657 }
wolfSSL 13:f67a6c6013ca 2658 }
wolfSSL 13:f67a6c6013ca 2659
wolfSSL 13:f67a6c6013ca 2660 /* get the original destinations used count */
wolfSSL 13:f67a6c6013ca 2661 olduse = c->used;
wolfSSL 13:f67a6c6013ca 2662
wolfSSL 13:f67a6c6013ca 2663 /* set the sign */
wolfSSL 13:f67a6c6013ca 2664 c->sign = a->sign;
wolfSSL 13:f67a6c6013ca 2665
wolfSSL 13:f67a6c6013ca 2666 /* alias for a->dp [source] */
wolfSSL 13:f67a6c6013ca 2667 tmpa = a->dp;
wolfSSL 13:f67a6c6013ca 2668
wolfSSL 13:f67a6c6013ca 2669 /* alias for c->dp [dest] */
wolfSSL 13:f67a6c6013ca 2670 tmpc = c->dp;
wolfSSL 13:f67a6c6013ca 2671
wolfSSL 13:f67a6c6013ca 2672 /* zero carry */
wolfSSL 13:f67a6c6013ca 2673 u = 0;
wolfSSL 13:f67a6c6013ca 2674
wolfSSL 13:f67a6c6013ca 2675 /* compute columns */
wolfSSL 13:f67a6c6013ca 2676 for (ix = 0; ix < a->used; ix++) {
wolfSSL 13:f67a6c6013ca 2677 /* compute product and carry sum for this term */
wolfSSL 13:f67a6c6013ca 2678 r = ((mp_word) u) + ((mp_word)*tmpa++) * ((mp_word)b);
wolfSSL 13:f67a6c6013ca 2679
wolfSSL 13:f67a6c6013ca 2680 /* mask off higher bits to get a single digit */
wolfSSL 13:f67a6c6013ca 2681 *tmpc++ = (mp_digit) (r & ((mp_word) MP_MASK));
wolfSSL 13:f67a6c6013ca 2682
wolfSSL 13:f67a6c6013ca 2683 /* send carry into next iteration */
wolfSSL 13:f67a6c6013ca 2684 u = (mp_digit) (r >> ((mp_word) DIGIT_BIT));
wolfSSL 13:f67a6c6013ca 2685 }
wolfSSL 13:f67a6c6013ca 2686
wolfSSL 13:f67a6c6013ca 2687 /* store final carry [if any] and increment ix offset */
wolfSSL 13:f67a6c6013ca 2688 *tmpc++ = u;
wolfSSL 13:f67a6c6013ca 2689 ++ix;
wolfSSL 13:f67a6c6013ca 2690
wolfSSL 13:f67a6c6013ca 2691 /* now zero digits above the top */
wolfSSL 13:f67a6c6013ca 2692 while (ix++ < olduse) {
wolfSSL 13:f67a6c6013ca 2693 *tmpc++ = 0;
wolfSSL 13:f67a6c6013ca 2694 }
wolfSSL 13:f67a6c6013ca 2695
wolfSSL 13:f67a6c6013ca 2696 /* set used count */
wolfSSL 13:f67a6c6013ca 2697 c->used = a->used + 1;
wolfSSL 13:f67a6c6013ca 2698 mp_clamp(c);
wolfSSL 13:f67a6c6013ca 2699
wolfSSL 13:f67a6c6013ca 2700 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 2701 }
wolfSSL 13:f67a6c6013ca 2702
wolfSSL 13:f67a6c6013ca 2703
wolfSSL 13:f67a6c6013ca 2704 /* d = a * b (mod c) */
wolfSSL 13:f67a6c6013ca 2705 #if defined(FREESCALE_LTC_TFM)
wolfSSL 13:f67a6c6013ca 2706 int wolfcrypt_mp_mulmod(mp_int *a, mp_int *b, mp_int *c, mp_int *d)
wolfSSL 13:f67a6c6013ca 2707 #else
wolfSSL 13:f67a6c6013ca 2708 int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d)
wolfSSL 13:f67a6c6013ca 2709 #endif
wolfSSL 13:f67a6c6013ca 2710 {
wolfSSL 13:f67a6c6013ca 2711 int res;
wolfSSL 13:f67a6c6013ca 2712 mp_int t;
wolfSSL 13:f67a6c6013ca 2713
wolfSSL 13:f67a6c6013ca 2714 if ((res = mp_init (&t)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2715 return res;
wolfSSL 13:f67a6c6013ca 2716 }
wolfSSL 13:f67a6c6013ca 2717
wolfSSL 13:f67a6c6013ca 2718 res = mp_mul (a, b, &t);
wolfSSL 13:f67a6c6013ca 2719 if (res == MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2720 res = mp_mod (&t, c, d);
wolfSSL 13:f67a6c6013ca 2721 }
wolfSSL 13:f67a6c6013ca 2722
wolfSSL 13:f67a6c6013ca 2723 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 2724 return res;
wolfSSL 13:f67a6c6013ca 2725 }
wolfSSL 13:f67a6c6013ca 2726
wolfSSL 13:f67a6c6013ca 2727
wolfSSL 13:f67a6c6013ca 2728 /* d = a - b (mod c) */
wolfSSL 13:f67a6c6013ca 2729 int mp_submod(mp_int* a, mp_int* b, mp_int* c, mp_int* d)
wolfSSL 13:f67a6c6013ca 2730 {
wolfSSL 13:f67a6c6013ca 2731 int res;
wolfSSL 13:f67a6c6013ca 2732 mp_int t;
wolfSSL 13:f67a6c6013ca 2733
wolfSSL 13:f67a6c6013ca 2734 if ((res = mp_init (&t)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2735 return res;
wolfSSL 13:f67a6c6013ca 2736 }
wolfSSL 13:f67a6c6013ca 2737
wolfSSL 13:f67a6c6013ca 2738 res = mp_sub (a, b, &t);
wolfSSL 13:f67a6c6013ca 2739 if (res == MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2740 res = mp_mod (&t, c, d);
wolfSSL 13:f67a6c6013ca 2741 }
wolfSSL 13:f67a6c6013ca 2742
wolfSSL 13:f67a6c6013ca 2743 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 2744
wolfSSL 13:f67a6c6013ca 2745 return res;
wolfSSL 13:f67a6c6013ca 2746 }
wolfSSL 13:f67a6c6013ca 2747
wolfSSL 13:f67a6c6013ca 2748 /* d = a + b (mod c) */
wolfSSL 13:f67a6c6013ca 2749 int mp_addmod(mp_int* a, mp_int* b, mp_int* c, mp_int* d)
wolfSSL 13:f67a6c6013ca 2750 {
wolfSSL 13:f67a6c6013ca 2751 int res;
wolfSSL 13:f67a6c6013ca 2752 mp_int t;
wolfSSL 13:f67a6c6013ca 2753
wolfSSL 13:f67a6c6013ca 2754 if ((res = mp_init (&t)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2755 return res;
wolfSSL 13:f67a6c6013ca 2756 }
wolfSSL 13:f67a6c6013ca 2757
wolfSSL 13:f67a6c6013ca 2758 res = mp_add (a, b, &t);
wolfSSL 13:f67a6c6013ca 2759 if (res == MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2760 res = mp_mod (&t, c, d);
wolfSSL 13:f67a6c6013ca 2761 }
wolfSSL 13:f67a6c6013ca 2762
wolfSSL 13:f67a6c6013ca 2763 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 2764
wolfSSL 13:f67a6c6013ca 2765 return res;
wolfSSL 13:f67a6c6013ca 2766 }
wolfSSL 13:f67a6c6013ca 2767
wolfSSL 13:f67a6c6013ca 2768 /* computes b = a*a */
wolfSSL 13:f67a6c6013ca 2769 int mp_sqr (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 2770 {
wolfSSL 13:f67a6c6013ca 2771 int res;
wolfSSL 13:f67a6c6013ca 2772
wolfSSL 13:f67a6c6013ca 2773 {
wolfSSL 13:f67a6c6013ca 2774 #ifdef BN_FAST_S_MP_SQR_C
wolfSSL 13:f67a6c6013ca 2775 /* can we use the fast comba multiplier? */
wolfSSL 13:f67a6c6013ca 2776 if ((a->used * 2 + 1) < MP_WARRAY &&
wolfSSL 13:f67a6c6013ca 2777 a->used <
wolfSSL 13:f67a6c6013ca 2778 (1 << (sizeof(mp_word) * CHAR_BIT - 2*DIGIT_BIT - 1))) {
wolfSSL 13:f67a6c6013ca 2779 res = fast_s_mp_sqr (a, b);
wolfSSL 13:f67a6c6013ca 2780 } else
wolfSSL 13:f67a6c6013ca 2781 #endif
wolfSSL 13:f67a6c6013ca 2782 #ifdef BN_S_MP_SQR_C
wolfSSL 13:f67a6c6013ca 2783 res = s_mp_sqr (a, b);
wolfSSL 13:f67a6c6013ca 2784 #else
wolfSSL 13:f67a6c6013ca 2785 res = MP_VAL;
wolfSSL 13:f67a6c6013ca 2786 #endif
wolfSSL 13:f67a6c6013ca 2787 }
wolfSSL 13:f67a6c6013ca 2788 b->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 2789 return res;
wolfSSL 13:f67a6c6013ca 2790 }
wolfSSL 13:f67a6c6013ca 2791
wolfSSL 13:f67a6c6013ca 2792
wolfSSL 13:f67a6c6013ca 2793 /* high level multiplication (handles sign) */
wolfSSL 13:f67a6c6013ca 2794 #if defined(FREESCALE_LTC_TFM)
wolfSSL 13:f67a6c6013ca 2795 int wolfcrypt_mp_mul(mp_int *a, mp_int *b, mp_int *c)
wolfSSL 13:f67a6c6013ca 2796 #else
wolfSSL 13:f67a6c6013ca 2797 int mp_mul (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 2798 #endif
wolfSSL 13:f67a6c6013ca 2799 {
wolfSSL 13:f67a6c6013ca 2800 int res, neg;
wolfSSL 13:f67a6c6013ca 2801 neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG;
wolfSSL 13:f67a6c6013ca 2802
wolfSSL 13:f67a6c6013ca 2803 {
wolfSSL 13:f67a6c6013ca 2804 /* can we use the fast multiplier?
wolfSSL 13:f67a6c6013ca 2805 *
wolfSSL 13:f67a6c6013ca 2806 * The fast multiplier can be used if the output will
wolfSSL 13:f67a6c6013ca 2807 * have less than MP_WARRAY digits and the number of
wolfSSL 13:f67a6c6013ca 2808 * digits won't affect carry propagation
wolfSSL 13:f67a6c6013ca 2809 */
wolfSSL 13:f67a6c6013ca 2810 int digs = a->used + b->used + 1;
wolfSSL 13:f67a6c6013ca 2811
wolfSSL 13:f67a6c6013ca 2812 #ifdef BN_FAST_S_MP_MUL_DIGS_C
wolfSSL 13:f67a6c6013ca 2813 if ((digs < MP_WARRAY) &&
wolfSSL 13:f67a6c6013ca 2814 MIN(a->used, b->used) <=
wolfSSL 13:f67a6c6013ca 2815 (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
wolfSSL 13:f67a6c6013ca 2816 res = fast_s_mp_mul_digs (a, b, c, digs);
wolfSSL 13:f67a6c6013ca 2817 } else
wolfSSL 13:f67a6c6013ca 2818 #endif
wolfSSL 13:f67a6c6013ca 2819 #ifdef BN_S_MP_MUL_DIGS_C
wolfSSL 13:f67a6c6013ca 2820 res = s_mp_mul (a, b, c); /* uses s_mp_mul_digs */
wolfSSL 13:f67a6c6013ca 2821 #else
wolfSSL 13:f67a6c6013ca 2822 res = MP_VAL;
wolfSSL 13:f67a6c6013ca 2823 #endif
wolfSSL 13:f67a6c6013ca 2824
wolfSSL 13:f67a6c6013ca 2825 }
wolfSSL 13:f67a6c6013ca 2826 c->sign = (c->used > 0) ? neg : MP_ZPOS;
wolfSSL 13:f67a6c6013ca 2827 return res;
wolfSSL 13:f67a6c6013ca 2828 }
wolfSSL 13:f67a6c6013ca 2829
wolfSSL 13:f67a6c6013ca 2830
wolfSSL 13:f67a6c6013ca 2831 /* b = a*2 */
wolfSSL 13:f67a6c6013ca 2832 int mp_mul_2(mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 2833 {
wolfSSL 13:f67a6c6013ca 2834 int x, res, oldused;
wolfSSL 13:f67a6c6013ca 2835
wolfSSL 13:f67a6c6013ca 2836 /* grow to accommodate result */
wolfSSL 13:f67a6c6013ca 2837 if (b->alloc < a->used + 1) {
wolfSSL 13:f67a6c6013ca 2838 if ((res = mp_grow (b, a->used + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2839 return res;
wolfSSL 13:f67a6c6013ca 2840 }
wolfSSL 13:f67a6c6013ca 2841 }
wolfSSL 13:f67a6c6013ca 2842
wolfSSL 13:f67a6c6013ca 2843 oldused = b->used;
wolfSSL 13:f67a6c6013ca 2844 b->used = a->used;
wolfSSL 13:f67a6c6013ca 2845
wolfSSL 13:f67a6c6013ca 2846 {
wolfSSL 13:f67a6c6013ca 2847 mp_digit r, rr, *tmpa, *tmpb;
wolfSSL 13:f67a6c6013ca 2848
wolfSSL 13:f67a6c6013ca 2849 /* alias for source */
wolfSSL 13:f67a6c6013ca 2850 tmpa = a->dp;
wolfSSL 13:f67a6c6013ca 2851
wolfSSL 13:f67a6c6013ca 2852 /* alias for dest */
wolfSSL 13:f67a6c6013ca 2853 tmpb = b->dp;
wolfSSL 13:f67a6c6013ca 2854
wolfSSL 13:f67a6c6013ca 2855 /* carry */
wolfSSL 13:f67a6c6013ca 2856 r = 0;
wolfSSL 13:f67a6c6013ca 2857 for (x = 0; x < a->used; x++) {
wolfSSL 13:f67a6c6013ca 2858
wolfSSL 13:f67a6c6013ca 2859 /* get what will be the *next* carry bit from the
wolfSSL 13:f67a6c6013ca 2860 * MSB of the current digit
wolfSSL 13:f67a6c6013ca 2861 */
wolfSSL 13:f67a6c6013ca 2862 rr = *tmpa >> ((mp_digit)(DIGIT_BIT - 1));
wolfSSL 13:f67a6c6013ca 2863
wolfSSL 13:f67a6c6013ca 2864 /* now shift up this digit, add in the carry [from the previous] */
wolfSSL 13:f67a6c6013ca 2865 *tmpb++ = (mp_digit)(((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK);
wolfSSL 13:f67a6c6013ca 2866
wolfSSL 13:f67a6c6013ca 2867 /* copy the carry that would be from the source
wolfSSL 13:f67a6c6013ca 2868 * digit into the next iteration
wolfSSL 13:f67a6c6013ca 2869 */
wolfSSL 13:f67a6c6013ca 2870 r = rr;
wolfSSL 13:f67a6c6013ca 2871 }
wolfSSL 13:f67a6c6013ca 2872
wolfSSL 13:f67a6c6013ca 2873 /* new leading digit? */
wolfSSL 13:f67a6c6013ca 2874 if (r != 0) {
wolfSSL 13:f67a6c6013ca 2875 /* add a MSB which is always 1 at this point */
wolfSSL 13:f67a6c6013ca 2876 *tmpb = 1;
wolfSSL 13:f67a6c6013ca 2877 ++(b->used);
wolfSSL 13:f67a6c6013ca 2878 }
wolfSSL 13:f67a6c6013ca 2879
wolfSSL 13:f67a6c6013ca 2880 /* now zero any excess digits on the destination
wolfSSL 13:f67a6c6013ca 2881 * that we didn't write to
wolfSSL 13:f67a6c6013ca 2882 */
wolfSSL 13:f67a6c6013ca 2883 tmpb = b->dp + b->used;
wolfSSL 13:f67a6c6013ca 2884 for (x = b->used; x < oldused; x++) {
wolfSSL 13:f67a6c6013ca 2885 *tmpb++ = 0;
wolfSSL 13:f67a6c6013ca 2886 }
wolfSSL 13:f67a6c6013ca 2887 }
wolfSSL 13:f67a6c6013ca 2888 b->sign = a->sign;
wolfSSL 13:f67a6c6013ca 2889 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 2890 }
wolfSSL 13:f67a6c6013ca 2891
wolfSSL 13:f67a6c6013ca 2892
wolfSSL 13:f67a6c6013ca 2893 /* divide by three (based on routine from MPI and the GMP manual) */
wolfSSL 13:f67a6c6013ca 2894 int mp_div_3 (mp_int * a, mp_int *c, mp_digit * d)
wolfSSL 13:f67a6c6013ca 2895 {
wolfSSL 13:f67a6c6013ca 2896 mp_int q;
wolfSSL 13:f67a6c6013ca 2897 mp_word w, t;
wolfSSL 13:f67a6c6013ca 2898 mp_digit b;
wolfSSL 13:f67a6c6013ca 2899 int res, ix;
wolfSSL 13:f67a6c6013ca 2900
wolfSSL 13:f67a6c6013ca 2901 /* b = 2**DIGIT_BIT / 3 */
wolfSSL 13:f67a6c6013ca 2902 b = (mp_digit) ( (((mp_word)1) << ((mp_word)DIGIT_BIT)) / ((mp_word)3) );
wolfSSL 13:f67a6c6013ca 2903
wolfSSL 13:f67a6c6013ca 2904 if ((res = mp_init_size(&q, a->used)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 2905 return res;
wolfSSL 13:f67a6c6013ca 2906 }
wolfSSL 13:f67a6c6013ca 2907
wolfSSL 13:f67a6c6013ca 2908 q.used = a->used;
wolfSSL 13:f67a6c6013ca 2909 q.sign = a->sign;
wolfSSL 13:f67a6c6013ca 2910 w = 0;
wolfSSL 13:f67a6c6013ca 2911 for (ix = a->used - 1; ix >= 0; ix--) {
wolfSSL 13:f67a6c6013ca 2912 w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]);
wolfSSL 13:f67a6c6013ca 2913
wolfSSL 13:f67a6c6013ca 2914 if (w >= 3) {
wolfSSL 13:f67a6c6013ca 2915 /* multiply w by [1/3] */
wolfSSL 13:f67a6c6013ca 2916 t = (w * ((mp_word)b)) >> ((mp_word)DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 2917
wolfSSL 13:f67a6c6013ca 2918 /* now subtract 3 * [w/3] from w, to get the remainder */
wolfSSL 13:f67a6c6013ca 2919 w -= t+t+t;
wolfSSL 13:f67a6c6013ca 2920
wolfSSL 13:f67a6c6013ca 2921 /* fixup the remainder as required since
wolfSSL 13:f67a6c6013ca 2922 * the optimization is not exact.
wolfSSL 13:f67a6c6013ca 2923 */
wolfSSL 13:f67a6c6013ca 2924 while (w >= 3) {
wolfSSL 13:f67a6c6013ca 2925 t += 1;
wolfSSL 13:f67a6c6013ca 2926 w -= 3;
wolfSSL 13:f67a6c6013ca 2927 }
wolfSSL 13:f67a6c6013ca 2928 } else {
wolfSSL 13:f67a6c6013ca 2929 t = 0;
wolfSSL 13:f67a6c6013ca 2930 }
wolfSSL 13:f67a6c6013ca 2931 q.dp[ix] = (mp_digit)t;
wolfSSL 13:f67a6c6013ca 2932 }
wolfSSL 13:f67a6c6013ca 2933
wolfSSL 13:f67a6c6013ca 2934 /* [optional] store the remainder */
wolfSSL 13:f67a6c6013ca 2935 if (d != NULL) {
wolfSSL 13:f67a6c6013ca 2936 *d = (mp_digit)w;
wolfSSL 13:f67a6c6013ca 2937 }
wolfSSL 13:f67a6c6013ca 2938
wolfSSL 13:f67a6c6013ca 2939 /* [optional] store the quotient */
wolfSSL 13:f67a6c6013ca 2940 if (c != NULL) {
wolfSSL 13:f67a6c6013ca 2941 mp_clamp(&q);
wolfSSL 13:f67a6c6013ca 2942 mp_exch(&q, c);
wolfSSL 13:f67a6c6013ca 2943 }
wolfSSL 13:f67a6c6013ca 2944 mp_clear(&q);
wolfSSL 13:f67a6c6013ca 2945
wolfSSL 13:f67a6c6013ca 2946 return res;
wolfSSL 13:f67a6c6013ca 2947 }
wolfSSL 13:f67a6c6013ca 2948
wolfSSL 13:f67a6c6013ca 2949
wolfSSL 13:f67a6c6013ca 2950 /* init an mp_init for a given size */
wolfSSL 13:f67a6c6013ca 2951 int mp_init_size (mp_int * a, int size)
wolfSSL 13:f67a6c6013ca 2952 {
wolfSSL 13:f67a6c6013ca 2953 int x;
wolfSSL 13:f67a6c6013ca 2954
wolfSSL 13:f67a6c6013ca 2955 /* pad size so there are always extra digits */
wolfSSL 13:f67a6c6013ca 2956 size += (MP_PREC * 2) - (size % MP_PREC);
wolfSSL 13:f67a6c6013ca 2957
wolfSSL 13:f67a6c6013ca 2958 /* alloc mem */
wolfSSL 13:f67a6c6013ca 2959 a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * size, NULL,
wolfSSL 13:f67a6c6013ca 2960 DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 2961 if (a->dp == NULL) {
wolfSSL 13:f67a6c6013ca 2962 return MP_MEM;
wolfSSL 13:f67a6c6013ca 2963 }
wolfSSL 13:f67a6c6013ca 2964
wolfSSL 13:f67a6c6013ca 2965 /* set the members */
wolfSSL 13:f67a6c6013ca 2966 a->used = 0;
wolfSSL 13:f67a6c6013ca 2967 a->alloc = size;
wolfSSL 13:f67a6c6013ca 2968 a->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 2969 #ifdef HAVE_WOLF_BIGINT
wolfSSL 13:f67a6c6013ca 2970 wc_bigint_init(&a->raw);
wolfSSL 13:f67a6c6013ca 2971 #endif
wolfSSL 13:f67a6c6013ca 2972
wolfSSL 13:f67a6c6013ca 2973 /* zero the digits */
wolfSSL 13:f67a6c6013ca 2974 for (x = 0; x < size; x++) {
wolfSSL 13:f67a6c6013ca 2975 a->dp[x] = 0;
wolfSSL 13:f67a6c6013ca 2976 }
wolfSSL 13:f67a6c6013ca 2977
wolfSSL 13:f67a6c6013ca 2978 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 2979 }
wolfSSL 13:f67a6c6013ca 2980
wolfSSL 13:f67a6c6013ca 2981
wolfSSL 13:f67a6c6013ca 2982 /* the jist of squaring...
wolfSSL 13:f67a6c6013ca 2983 * you do like mult except the offset of the tmpx [one that
wolfSSL 13:f67a6c6013ca 2984 * starts closer to zero] can't equal the offset of tmpy.
wolfSSL 13:f67a6c6013ca 2985 * So basically you set up iy like before then you min it with
wolfSSL 13:f67a6c6013ca 2986 * (ty-tx) so that it never happens. You double all those
wolfSSL 13:f67a6c6013ca 2987 * you add in the inner loop
wolfSSL 13:f67a6c6013ca 2988
wolfSSL 13:f67a6c6013ca 2989 After that loop you do the squares and add them in.
wolfSSL 13:f67a6c6013ca 2990 */
wolfSSL 13:f67a6c6013ca 2991
wolfSSL 13:f67a6c6013ca 2992 int fast_s_mp_sqr (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 2993 {
wolfSSL 13:f67a6c6013ca 2994 int olduse, res, pa, ix, iz;
wolfSSL 13:f67a6c6013ca 2995 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 2996 mp_digit* W; /* uses dynamic memory and slower */
wolfSSL 13:f67a6c6013ca 2997 #else
wolfSSL 13:f67a6c6013ca 2998 mp_digit W[MP_WARRAY];
wolfSSL 13:f67a6c6013ca 2999 #endif
wolfSSL 13:f67a6c6013ca 3000 mp_digit *tmpx;
wolfSSL 13:f67a6c6013ca 3001 mp_word W1;
wolfSSL 13:f67a6c6013ca 3002
wolfSSL 13:f67a6c6013ca 3003 /* grow the destination as required */
wolfSSL 13:f67a6c6013ca 3004 pa = a->used + a->used;
wolfSSL 13:f67a6c6013ca 3005 if (b->alloc < pa) {
wolfSSL 13:f67a6c6013ca 3006 if ((res = mp_grow (b, pa)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3007 return res;
wolfSSL 13:f67a6c6013ca 3008 }
wolfSSL 13:f67a6c6013ca 3009 }
wolfSSL 13:f67a6c6013ca 3010
wolfSSL 13:f67a6c6013ca 3011 if (pa > MP_WARRAY)
wolfSSL 13:f67a6c6013ca 3012 return MP_RANGE; /* TAO range check */
wolfSSL 13:f67a6c6013ca 3013
wolfSSL 13:f67a6c6013ca 3014 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 3015 W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, NULL, DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 3016 if (W == NULL)
wolfSSL 13:f67a6c6013ca 3017 return MP_MEM;
wolfSSL 13:f67a6c6013ca 3018 #endif
wolfSSL 13:f67a6c6013ca 3019
wolfSSL 13:f67a6c6013ca 3020 /* number of output digits to produce */
wolfSSL 13:f67a6c6013ca 3021 W1 = 0;
wolfSSL 13:f67a6c6013ca 3022 for (ix = 0; ix < pa; ix++) {
wolfSSL 13:f67a6c6013ca 3023 int tx, ty, iy;
wolfSSL 13:f67a6c6013ca 3024 mp_word _W;
wolfSSL 13:f67a6c6013ca 3025 mp_digit *tmpy;
wolfSSL 13:f67a6c6013ca 3026
wolfSSL 13:f67a6c6013ca 3027 /* clear counter */
wolfSSL 13:f67a6c6013ca 3028 _W = 0;
wolfSSL 13:f67a6c6013ca 3029
wolfSSL 13:f67a6c6013ca 3030 /* get offsets into the two bignums */
wolfSSL 13:f67a6c6013ca 3031 ty = MIN(a->used-1, ix);
wolfSSL 13:f67a6c6013ca 3032 tx = ix - ty;
wolfSSL 13:f67a6c6013ca 3033
wolfSSL 13:f67a6c6013ca 3034 /* setup temp aliases */
wolfSSL 13:f67a6c6013ca 3035 tmpx = a->dp + tx;
wolfSSL 13:f67a6c6013ca 3036 tmpy = a->dp + ty;
wolfSSL 13:f67a6c6013ca 3037
wolfSSL 13:f67a6c6013ca 3038 /* this is the number of times the loop will iterate, essentially
wolfSSL 13:f67a6c6013ca 3039 while (tx++ < a->used && ty-- >= 0) { ... }
wolfSSL 13:f67a6c6013ca 3040 */
wolfSSL 13:f67a6c6013ca 3041 iy = MIN(a->used-tx, ty+1);
wolfSSL 13:f67a6c6013ca 3042
wolfSSL 13:f67a6c6013ca 3043 /* now for squaring tx can never equal ty
wolfSSL 13:f67a6c6013ca 3044 * we halve the distance since they approach at a rate of 2x
wolfSSL 13:f67a6c6013ca 3045 * and we have to round because odd cases need to be executed
wolfSSL 13:f67a6c6013ca 3046 */
wolfSSL 13:f67a6c6013ca 3047 iy = MIN(iy, (ty-tx+1)>>1);
wolfSSL 13:f67a6c6013ca 3048
wolfSSL 13:f67a6c6013ca 3049 /* execute loop */
wolfSSL 13:f67a6c6013ca 3050 for (iz = 0; iz < iy; iz++) {
wolfSSL 13:f67a6c6013ca 3051 _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--);
wolfSSL 13:f67a6c6013ca 3052 }
wolfSSL 13:f67a6c6013ca 3053
wolfSSL 13:f67a6c6013ca 3054 /* double the inner product and add carry */
wolfSSL 13:f67a6c6013ca 3055 _W = _W + _W + W1;
wolfSSL 13:f67a6c6013ca 3056
wolfSSL 13:f67a6c6013ca 3057 /* even columns have the square term in them */
wolfSSL 13:f67a6c6013ca 3058 if ((ix&1) == 0) {
wolfSSL 13:f67a6c6013ca 3059 _W += ((mp_word)a->dp[ix>>1])*((mp_word)a->dp[ix>>1]);
wolfSSL 13:f67a6c6013ca 3060 }
wolfSSL 13:f67a6c6013ca 3061
wolfSSL 13:f67a6c6013ca 3062 /* store it */
wolfSSL 13:f67a6c6013ca 3063 W[ix] = (mp_digit)(_W & MP_MASK);
wolfSSL 13:f67a6c6013ca 3064
wolfSSL 13:f67a6c6013ca 3065 /* make next carry */
wolfSSL 13:f67a6c6013ca 3066 W1 = _W >> ((mp_word)DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 3067 }
wolfSSL 13:f67a6c6013ca 3068
wolfSSL 13:f67a6c6013ca 3069 /* setup dest */
wolfSSL 13:f67a6c6013ca 3070 olduse = b->used;
wolfSSL 13:f67a6c6013ca 3071 b->used = a->used+a->used;
wolfSSL 13:f67a6c6013ca 3072
wolfSSL 13:f67a6c6013ca 3073 {
wolfSSL 13:f67a6c6013ca 3074 mp_digit *tmpb;
wolfSSL 13:f67a6c6013ca 3075 tmpb = b->dp;
wolfSSL 13:f67a6c6013ca 3076 for (ix = 0; ix < pa; ix++) {
wolfSSL 13:f67a6c6013ca 3077 *tmpb++ = (mp_digit)(W[ix] & MP_MASK);
wolfSSL 13:f67a6c6013ca 3078 }
wolfSSL 13:f67a6c6013ca 3079
wolfSSL 13:f67a6c6013ca 3080 /* clear unused digits [that existed in the old copy of c] */
wolfSSL 13:f67a6c6013ca 3081 for (; ix < olduse; ix++) {
wolfSSL 13:f67a6c6013ca 3082 *tmpb++ = 0;
wolfSSL 13:f67a6c6013ca 3083 }
wolfSSL 13:f67a6c6013ca 3084 }
wolfSSL 13:f67a6c6013ca 3085 mp_clamp (b);
wolfSSL 13:f67a6c6013ca 3086
wolfSSL 13:f67a6c6013ca 3087 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 3088 XFREE(W, NULL, DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 3089 #endif
wolfSSL 13:f67a6c6013ca 3090
wolfSSL 13:f67a6c6013ca 3091 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 3092 }
wolfSSL 13:f67a6c6013ca 3093
wolfSSL 13:f67a6c6013ca 3094
wolfSSL 13:f67a6c6013ca 3095 /* Fast (comba) multiplier
wolfSSL 13:f67a6c6013ca 3096 *
wolfSSL 13:f67a6c6013ca 3097 * This is the fast column-array [comba] multiplier. It is
wolfSSL 13:f67a6c6013ca 3098 * designed to compute the columns of the product first
wolfSSL 13:f67a6c6013ca 3099 * then handle the carries afterwards. This has the effect
wolfSSL 13:f67a6c6013ca 3100 * of making the nested loops that compute the columns very
wolfSSL 13:f67a6c6013ca 3101 * simple and schedulable on super-scalar processors.
wolfSSL 13:f67a6c6013ca 3102 *
wolfSSL 13:f67a6c6013ca 3103 * This has been modified to produce a variable number of
wolfSSL 13:f67a6c6013ca 3104 * digits of output so if say only a half-product is required
wolfSSL 13:f67a6c6013ca 3105 * you don't have to compute the upper half (a feature
wolfSSL 13:f67a6c6013ca 3106 * required for fast Barrett reduction).
wolfSSL 13:f67a6c6013ca 3107 *
wolfSSL 13:f67a6c6013ca 3108 * Based on Algorithm 14.12 on pp.595 of HAC.
wolfSSL 13:f67a6c6013ca 3109 *
wolfSSL 13:f67a6c6013ca 3110 */
wolfSSL 13:f67a6c6013ca 3111 int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
wolfSSL 13:f67a6c6013ca 3112 {
wolfSSL 13:f67a6c6013ca 3113 int olduse, res, pa, ix, iz;
wolfSSL 13:f67a6c6013ca 3114 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 3115 mp_digit* W; /* uses dynamic memory and slower */
wolfSSL 13:f67a6c6013ca 3116 #else
wolfSSL 13:f67a6c6013ca 3117 mp_digit W[MP_WARRAY];
wolfSSL 13:f67a6c6013ca 3118 #endif
wolfSSL 13:f67a6c6013ca 3119 mp_word _W;
wolfSSL 13:f67a6c6013ca 3120
wolfSSL 13:f67a6c6013ca 3121 /* grow the destination as required */
wolfSSL 13:f67a6c6013ca 3122 if (c->alloc < digs) {
wolfSSL 13:f67a6c6013ca 3123 if ((res = mp_grow (c, digs)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3124 return res;
wolfSSL 13:f67a6c6013ca 3125 }
wolfSSL 13:f67a6c6013ca 3126 }
wolfSSL 13:f67a6c6013ca 3127
wolfSSL 13:f67a6c6013ca 3128 /* number of output digits to produce */
wolfSSL 13:f67a6c6013ca 3129 pa = MIN(digs, a->used + b->used);
wolfSSL 13:f67a6c6013ca 3130 if (pa > MP_WARRAY)
wolfSSL 13:f67a6c6013ca 3131 return MP_RANGE; /* TAO range check */
wolfSSL 13:f67a6c6013ca 3132
wolfSSL 13:f67a6c6013ca 3133 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 3134 W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, NULL, DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 3135 if (W == NULL)
wolfSSL 13:f67a6c6013ca 3136 return MP_MEM;
wolfSSL 13:f67a6c6013ca 3137 #endif
wolfSSL 13:f67a6c6013ca 3138
wolfSSL 13:f67a6c6013ca 3139 /* clear the carry */
wolfSSL 13:f67a6c6013ca 3140 _W = 0;
wolfSSL 13:f67a6c6013ca 3141 for (ix = 0; ix < pa; ix++) {
wolfSSL 13:f67a6c6013ca 3142 int tx, ty;
wolfSSL 13:f67a6c6013ca 3143 int iy;
wolfSSL 13:f67a6c6013ca 3144 mp_digit *tmpx, *tmpy;
wolfSSL 13:f67a6c6013ca 3145
wolfSSL 13:f67a6c6013ca 3146 /* get offsets into the two bignums */
wolfSSL 13:f67a6c6013ca 3147 ty = MIN(b->used-1, ix);
wolfSSL 13:f67a6c6013ca 3148 tx = ix - ty;
wolfSSL 13:f67a6c6013ca 3149
wolfSSL 13:f67a6c6013ca 3150 /* setup temp aliases */
wolfSSL 13:f67a6c6013ca 3151 tmpx = a->dp + tx;
wolfSSL 13:f67a6c6013ca 3152 tmpy = b->dp + ty;
wolfSSL 13:f67a6c6013ca 3153
wolfSSL 13:f67a6c6013ca 3154 /* this is the number of times the loop will iterate, essentially
wolfSSL 13:f67a6c6013ca 3155 while (tx++ < a->used && ty-- >= 0) { ... }
wolfSSL 13:f67a6c6013ca 3156 */
wolfSSL 13:f67a6c6013ca 3157 iy = MIN(a->used-tx, ty+1);
wolfSSL 13:f67a6c6013ca 3158
wolfSSL 13:f67a6c6013ca 3159 /* execute loop */
wolfSSL 13:f67a6c6013ca 3160 for (iz = 0; iz < iy; ++iz) {
wolfSSL 13:f67a6c6013ca 3161 _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--);
wolfSSL 13:f67a6c6013ca 3162
wolfSSL 13:f67a6c6013ca 3163 }
wolfSSL 13:f67a6c6013ca 3164
wolfSSL 13:f67a6c6013ca 3165 /* store term */
wolfSSL 13:f67a6c6013ca 3166 W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK);
wolfSSL 13:f67a6c6013ca 3167
wolfSSL 13:f67a6c6013ca 3168 /* make next carry */
wolfSSL 13:f67a6c6013ca 3169 _W = _W >> ((mp_word)DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 3170 }
wolfSSL 13:f67a6c6013ca 3171
wolfSSL 13:f67a6c6013ca 3172 /* setup dest */
wolfSSL 13:f67a6c6013ca 3173 olduse = c->used;
wolfSSL 13:f67a6c6013ca 3174 c->used = pa;
wolfSSL 13:f67a6c6013ca 3175
wolfSSL 13:f67a6c6013ca 3176 {
wolfSSL 13:f67a6c6013ca 3177 mp_digit *tmpc;
wolfSSL 13:f67a6c6013ca 3178 tmpc = c->dp;
wolfSSL 13:f67a6c6013ca 3179 for (ix = 0; ix < pa; ix++) { /* JRB, +1 could read uninitialized data */
wolfSSL 13:f67a6c6013ca 3180 /* now extract the previous digit [below the carry] */
wolfSSL 13:f67a6c6013ca 3181 *tmpc++ = W[ix];
wolfSSL 13:f67a6c6013ca 3182 }
wolfSSL 13:f67a6c6013ca 3183
wolfSSL 13:f67a6c6013ca 3184 /* clear unused digits [that existed in the old copy of c] */
wolfSSL 13:f67a6c6013ca 3185 for (; ix < olduse; ix++) {
wolfSSL 13:f67a6c6013ca 3186 *tmpc++ = 0;
wolfSSL 13:f67a6c6013ca 3187 }
wolfSSL 13:f67a6c6013ca 3188 }
wolfSSL 13:f67a6c6013ca 3189 mp_clamp (c);
wolfSSL 13:f67a6c6013ca 3190
wolfSSL 13:f67a6c6013ca 3191 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 3192 XFREE(W, NULL, DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 3193 #endif
wolfSSL 13:f67a6c6013ca 3194
wolfSSL 13:f67a6c6013ca 3195 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 3196 }
wolfSSL 13:f67a6c6013ca 3197
wolfSSL 13:f67a6c6013ca 3198
wolfSSL 13:f67a6c6013ca 3199 /* low level squaring, b = a*a, HAC pp.596-597, Algorithm 14.16 */
wolfSSL 13:f67a6c6013ca 3200 int s_mp_sqr (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 3201 {
wolfSSL 13:f67a6c6013ca 3202 mp_int t;
wolfSSL 13:f67a6c6013ca 3203 int res, ix, iy, pa;
wolfSSL 13:f67a6c6013ca 3204 mp_word r;
wolfSSL 13:f67a6c6013ca 3205 mp_digit u, tmpx, *tmpt;
wolfSSL 13:f67a6c6013ca 3206
wolfSSL 13:f67a6c6013ca 3207 pa = a->used;
wolfSSL 13:f67a6c6013ca 3208 if ((res = mp_init_size (&t, 2*pa + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3209 return res;
wolfSSL 13:f67a6c6013ca 3210 }
wolfSSL 13:f67a6c6013ca 3211
wolfSSL 13:f67a6c6013ca 3212 /* default used is maximum possible size */
wolfSSL 13:f67a6c6013ca 3213 t.used = 2*pa + 1;
wolfSSL 13:f67a6c6013ca 3214
wolfSSL 13:f67a6c6013ca 3215 for (ix = 0; ix < pa; ix++) {
wolfSSL 13:f67a6c6013ca 3216 /* first calculate the digit at 2*ix */
wolfSSL 13:f67a6c6013ca 3217 /* calculate double precision result */
wolfSSL 13:f67a6c6013ca 3218 r = ((mp_word) t.dp[2*ix]) +
wolfSSL 13:f67a6c6013ca 3219 ((mp_word)a->dp[ix])*((mp_word)a->dp[ix]);
wolfSSL 13:f67a6c6013ca 3220
wolfSSL 13:f67a6c6013ca 3221 /* store lower part in result */
wolfSSL 13:f67a6c6013ca 3222 t.dp[ix+ix] = (mp_digit) (r & ((mp_word) MP_MASK));
wolfSSL 13:f67a6c6013ca 3223
wolfSSL 13:f67a6c6013ca 3224 /* get the carry */
wolfSSL 13:f67a6c6013ca 3225 u = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
wolfSSL 13:f67a6c6013ca 3226
wolfSSL 13:f67a6c6013ca 3227 /* left hand side of A[ix] * A[iy] */
wolfSSL 13:f67a6c6013ca 3228 tmpx = a->dp[ix];
wolfSSL 13:f67a6c6013ca 3229
wolfSSL 13:f67a6c6013ca 3230 /* alias for where to store the results */
wolfSSL 13:f67a6c6013ca 3231 tmpt = t.dp + (2*ix + 1);
wolfSSL 13:f67a6c6013ca 3232
wolfSSL 13:f67a6c6013ca 3233 for (iy = ix + 1; iy < pa; iy++) {
wolfSSL 13:f67a6c6013ca 3234 /* first calculate the product */
wolfSSL 13:f67a6c6013ca 3235 r = ((mp_word)tmpx) * ((mp_word)a->dp[iy]);
wolfSSL 13:f67a6c6013ca 3236
wolfSSL 13:f67a6c6013ca 3237 /* now calculate the double precision result, note we use
wolfSSL 13:f67a6c6013ca 3238 * addition instead of *2 since it's easier to optimize
wolfSSL 13:f67a6c6013ca 3239 */
wolfSSL 13:f67a6c6013ca 3240 r = ((mp_word) *tmpt) + r + r + ((mp_word) u);
wolfSSL 13:f67a6c6013ca 3241
wolfSSL 13:f67a6c6013ca 3242 /* store lower part */
wolfSSL 13:f67a6c6013ca 3243 *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
wolfSSL 13:f67a6c6013ca 3244
wolfSSL 13:f67a6c6013ca 3245 /* get carry */
wolfSSL 13:f67a6c6013ca 3246 u = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
wolfSSL 13:f67a6c6013ca 3247 }
wolfSSL 13:f67a6c6013ca 3248 /* propagate upwards */
wolfSSL 13:f67a6c6013ca 3249 while (u != ((mp_digit) 0)) {
wolfSSL 13:f67a6c6013ca 3250 r = ((mp_word) *tmpt) + ((mp_word) u);
wolfSSL 13:f67a6c6013ca 3251 *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
wolfSSL 13:f67a6c6013ca 3252 u = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
wolfSSL 13:f67a6c6013ca 3253 }
wolfSSL 13:f67a6c6013ca 3254 }
wolfSSL 13:f67a6c6013ca 3255
wolfSSL 13:f67a6c6013ca 3256 mp_clamp (&t);
wolfSSL 13:f67a6c6013ca 3257 mp_exch (&t, b);
wolfSSL 13:f67a6c6013ca 3258 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 3259 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 3260 }
wolfSSL 13:f67a6c6013ca 3261
wolfSSL 13:f67a6c6013ca 3262
wolfSSL 13:f67a6c6013ca 3263 /* multiplies |a| * |b| and only computes up to digs digits of result
wolfSSL 13:f67a6c6013ca 3264 * HAC pp. 595, Algorithm 14.12 Modified so you can control how
wolfSSL 13:f67a6c6013ca 3265 * many digits of output are created.
wolfSSL 13:f67a6c6013ca 3266 */
wolfSSL 13:f67a6c6013ca 3267 int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
wolfSSL 13:f67a6c6013ca 3268 {
wolfSSL 13:f67a6c6013ca 3269 mp_int t;
wolfSSL 13:f67a6c6013ca 3270 int res, pa, pb, ix, iy;
wolfSSL 13:f67a6c6013ca 3271 mp_digit u;
wolfSSL 13:f67a6c6013ca 3272 mp_word r;
wolfSSL 13:f67a6c6013ca 3273 mp_digit tmpx, *tmpt, *tmpy;
wolfSSL 13:f67a6c6013ca 3274
wolfSSL 13:f67a6c6013ca 3275 /* can we use the fast multiplier? */
wolfSSL 13:f67a6c6013ca 3276 if (((digs) < MP_WARRAY) &&
wolfSSL 13:f67a6c6013ca 3277 MIN (a->used, b->used) <
wolfSSL 13:f67a6c6013ca 3278 (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
wolfSSL 13:f67a6c6013ca 3279 return fast_s_mp_mul_digs (a, b, c, digs);
wolfSSL 13:f67a6c6013ca 3280 }
wolfSSL 13:f67a6c6013ca 3281
wolfSSL 13:f67a6c6013ca 3282 if ((res = mp_init_size (&t, digs)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3283 return res;
wolfSSL 13:f67a6c6013ca 3284 }
wolfSSL 13:f67a6c6013ca 3285 t.used = digs;
wolfSSL 13:f67a6c6013ca 3286
wolfSSL 13:f67a6c6013ca 3287 /* compute the digits of the product directly */
wolfSSL 13:f67a6c6013ca 3288 pa = a->used;
wolfSSL 13:f67a6c6013ca 3289 for (ix = 0; ix < pa; ix++) {
wolfSSL 13:f67a6c6013ca 3290 /* set the carry to zero */
wolfSSL 13:f67a6c6013ca 3291 u = 0;
wolfSSL 13:f67a6c6013ca 3292
wolfSSL 13:f67a6c6013ca 3293 /* limit ourselves to making digs digits of output */
wolfSSL 13:f67a6c6013ca 3294 pb = MIN (b->used, digs - ix);
wolfSSL 13:f67a6c6013ca 3295
wolfSSL 13:f67a6c6013ca 3296 /* setup some aliases */
wolfSSL 13:f67a6c6013ca 3297 /* copy of the digit from a used within the nested loop */
wolfSSL 13:f67a6c6013ca 3298 tmpx = a->dp[ix];
wolfSSL 13:f67a6c6013ca 3299
wolfSSL 13:f67a6c6013ca 3300 /* an alias for the destination shifted ix places */
wolfSSL 13:f67a6c6013ca 3301 tmpt = t.dp + ix;
wolfSSL 13:f67a6c6013ca 3302
wolfSSL 13:f67a6c6013ca 3303 /* an alias for the digits of b */
wolfSSL 13:f67a6c6013ca 3304 tmpy = b->dp;
wolfSSL 13:f67a6c6013ca 3305
wolfSSL 13:f67a6c6013ca 3306 /* compute the columns of the output and propagate the carry */
wolfSSL 13:f67a6c6013ca 3307 for (iy = 0; iy < pb; iy++) {
wolfSSL 13:f67a6c6013ca 3308 /* compute the column as a mp_word */
wolfSSL 13:f67a6c6013ca 3309 r = ((mp_word)*tmpt) +
wolfSSL 13:f67a6c6013ca 3310 ((mp_word)tmpx) * ((mp_word)*tmpy++) +
wolfSSL 13:f67a6c6013ca 3311 ((mp_word) u);
wolfSSL 13:f67a6c6013ca 3312
wolfSSL 13:f67a6c6013ca 3313 /* the new column is the lower part of the result */
wolfSSL 13:f67a6c6013ca 3314 *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
wolfSSL 13:f67a6c6013ca 3315
wolfSSL 13:f67a6c6013ca 3316 /* get the carry word from the result */
wolfSSL 13:f67a6c6013ca 3317 u = (mp_digit) (r >> ((mp_word) DIGIT_BIT));
wolfSSL 13:f67a6c6013ca 3318 }
wolfSSL 13:f67a6c6013ca 3319 /* set carry if it is placed below digs */
wolfSSL 13:f67a6c6013ca 3320 if (ix + iy < digs) {
wolfSSL 13:f67a6c6013ca 3321 *tmpt = u;
wolfSSL 13:f67a6c6013ca 3322 }
wolfSSL 13:f67a6c6013ca 3323 }
wolfSSL 13:f67a6c6013ca 3324
wolfSSL 13:f67a6c6013ca 3325 mp_clamp (&t);
wolfSSL 13:f67a6c6013ca 3326 mp_exch (&t, c);
wolfSSL 13:f67a6c6013ca 3327
wolfSSL 13:f67a6c6013ca 3328 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 3329 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 3330 }
wolfSSL 13:f67a6c6013ca 3331
wolfSSL 13:f67a6c6013ca 3332
wolfSSL 13:f67a6c6013ca 3333 /*
wolfSSL 13:f67a6c6013ca 3334 * shifts with subtractions when the result is greater than b.
wolfSSL 13:f67a6c6013ca 3335 *
wolfSSL 13:f67a6c6013ca 3336 * The method is slightly modified to shift B unconditionally up to just under
wolfSSL 13:f67a6c6013ca 3337 * the leading bit of b. This saves a lot of multiple precision shifting.
wolfSSL 13:f67a6c6013ca 3338 */
wolfSSL 13:f67a6c6013ca 3339 int mp_montgomery_calc_normalization (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 3340 {
wolfSSL 13:f67a6c6013ca 3341 int x, bits, res;
wolfSSL 13:f67a6c6013ca 3342
wolfSSL 13:f67a6c6013ca 3343 /* how many bits of last digit does b use */
wolfSSL 13:f67a6c6013ca 3344 bits = mp_count_bits (b) % DIGIT_BIT;
wolfSSL 13:f67a6c6013ca 3345
wolfSSL 13:f67a6c6013ca 3346 if (b->used > 1) {
wolfSSL 13:f67a6c6013ca 3347 if ((res = mp_2expt (a, (b->used - 1) * DIGIT_BIT + bits - 1))
wolfSSL 13:f67a6c6013ca 3348 != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3349 return res;
wolfSSL 13:f67a6c6013ca 3350 }
wolfSSL 13:f67a6c6013ca 3351 } else {
wolfSSL 13:f67a6c6013ca 3352 if ((res = mp_set(a, 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3353 return res;
wolfSSL 13:f67a6c6013ca 3354 }
wolfSSL 13:f67a6c6013ca 3355 bits = 1;
wolfSSL 13:f67a6c6013ca 3356 }
wolfSSL 13:f67a6c6013ca 3357
wolfSSL 13:f67a6c6013ca 3358 /* now compute C = A * B mod b */
wolfSSL 13:f67a6c6013ca 3359 for (x = bits - 1; x < (int)DIGIT_BIT; x++) {
wolfSSL 13:f67a6c6013ca 3360 if ((res = mp_mul_2 (a, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3361 return res;
wolfSSL 13:f67a6c6013ca 3362 }
wolfSSL 13:f67a6c6013ca 3363 if (mp_cmp_mag (a, b) != MP_LT) {
wolfSSL 13:f67a6c6013ca 3364 if ((res = s_mp_sub (a, b, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3365 return res;
wolfSSL 13:f67a6c6013ca 3366 }
wolfSSL 13:f67a6c6013ca 3367 }
wolfSSL 13:f67a6c6013ca 3368 }
wolfSSL 13:f67a6c6013ca 3369
wolfSSL 13:f67a6c6013ca 3370 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 3371 }
wolfSSL 13:f67a6c6013ca 3372
wolfSSL 13:f67a6c6013ca 3373
wolfSSL 13:f67a6c6013ca 3374 #ifdef MP_LOW_MEM
wolfSSL 13:f67a6c6013ca 3375 #define TAB_SIZE 32
wolfSSL 13:f67a6c6013ca 3376 #else
wolfSSL 13:f67a6c6013ca 3377 #define TAB_SIZE 256
wolfSSL 13:f67a6c6013ca 3378 #endif
wolfSSL 13:f67a6c6013ca 3379
wolfSSL 13:f67a6c6013ca 3380 int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode)
wolfSSL 13:f67a6c6013ca 3381 {
wolfSSL 13:f67a6c6013ca 3382 mp_int M[TAB_SIZE], res, mu;
wolfSSL 13:f67a6c6013ca 3383 mp_digit buf;
wolfSSL 13:f67a6c6013ca 3384 int err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
wolfSSL 13:f67a6c6013ca 3385 int (*redux)(mp_int*,mp_int*,mp_int*);
wolfSSL 13:f67a6c6013ca 3386
wolfSSL 13:f67a6c6013ca 3387 /* find window size */
wolfSSL 13:f67a6c6013ca 3388 x = mp_count_bits (X);
wolfSSL 13:f67a6c6013ca 3389 if (x <= 7) {
wolfSSL 13:f67a6c6013ca 3390 winsize = 2;
wolfSSL 13:f67a6c6013ca 3391 } else if (x <= 36) {
wolfSSL 13:f67a6c6013ca 3392 winsize = 3;
wolfSSL 13:f67a6c6013ca 3393 } else if (x <= 140) {
wolfSSL 13:f67a6c6013ca 3394 winsize = 4;
wolfSSL 13:f67a6c6013ca 3395 } else if (x <= 450) {
wolfSSL 13:f67a6c6013ca 3396 winsize = 5;
wolfSSL 13:f67a6c6013ca 3397 } else if (x <= 1303) {
wolfSSL 13:f67a6c6013ca 3398 winsize = 6;
wolfSSL 13:f67a6c6013ca 3399 } else if (x <= 3529) {
wolfSSL 13:f67a6c6013ca 3400 winsize = 7;
wolfSSL 13:f67a6c6013ca 3401 } else {
wolfSSL 13:f67a6c6013ca 3402 winsize = 8;
wolfSSL 13:f67a6c6013ca 3403 }
wolfSSL 13:f67a6c6013ca 3404
wolfSSL 13:f67a6c6013ca 3405 #ifdef MP_LOW_MEM
wolfSSL 13:f67a6c6013ca 3406 if (winsize > 5) {
wolfSSL 13:f67a6c6013ca 3407 winsize = 5;
wolfSSL 13:f67a6c6013ca 3408 }
wolfSSL 13:f67a6c6013ca 3409 #endif
wolfSSL 13:f67a6c6013ca 3410
wolfSSL 13:f67a6c6013ca 3411 /* init M array */
wolfSSL 13:f67a6c6013ca 3412 /* init first cell */
wolfSSL 13:f67a6c6013ca 3413 if ((err = mp_init(&M[1])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3414 return err;
wolfSSL 13:f67a6c6013ca 3415 }
wolfSSL 13:f67a6c6013ca 3416
wolfSSL 13:f67a6c6013ca 3417 /* now init the second half of the array */
wolfSSL 13:f67a6c6013ca 3418 for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
wolfSSL 13:f67a6c6013ca 3419 if ((err = mp_init(&M[x])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3420 for (y = 1<<(winsize-1); y < x; y++) {
wolfSSL 13:f67a6c6013ca 3421 mp_clear (&M[y]);
wolfSSL 13:f67a6c6013ca 3422 }
wolfSSL 13:f67a6c6013ca 3423 mp_clear(&M[1]);
wolfSSL 13:f67a6c6013ca 3424 return err;
wolfSSL 13:f67a6c6013ca 3425 }
wolfSSL 13:f67a6c6013ca 3426 }
wolfSSL 13:f67a6c6013ca 3427
wolfSSL 13:f67a6c6013ca 3428 /* create mu, used for Barrett reduction */
wolfSSL 13:f67a6c6013ca 3429 if ((err = mp_init (&mu)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3430 goto LBL_M;
wolfSSL 13:f67a6c6013ca 3431 }
wolfSSL 13:f67a6c6013ca 3432
wolfSSL 13:f67a6c6013ca 3433 if (redmode == 0) {
wolfSSL 13:f67a6c6013ca 3434 if ((err = mp_reduce_setup (&mu, P)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3435 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3436 }
wolfSSL 13:f67a6c6013ca 3437 redux = mp_reduce;
wolfSSL 13:f67a6c6013ca 3438 } else {
wolfSSL 13:f67a6c6013ca 3439 if ((err = mp_reduce_2k_setup_l (P, &mu)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3440 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3441 }
wolfSSL 13:f67a6c6013ca 3442 redux = mp_reduce_2k_l;
wolfSSL 13:f67a6c6013ca 3443 }
wolfSSL 13:f67a6c6013ca 3444
wolfSSL 13:f67a6c6013ca 3445 /* create M table
wolfSSL 13:f67a6c6013ca 3446 *
wolfSSL 13:f67a6c6013ca 3447 * The M table contains powers of the base,
wolfSSL 13:f67a6c6013ca 3448 * e.g. M[x] = G**x mod P
wolfSSL 13:f67a6c6013ca 3449 *
wolfSSL 13:f67a6c6013ca 3450 * The first half of the table is not
wolfSSL 13:f67a6c6013ca 3451 * computed though accept for M[0] and M[1]
wolfSSL 13:f67a6c6013ca 3452 */
wolfSSL 13:f67a6c6013ca 3453 if ((err = mp_mod (G, P, &M[1])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3454 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3455 }
wolfSSL 13:f67a6c6013ca 3456
wolfSSL 13:f67a6c6013ca 3457 /* compute the value at M[1<<(winsize-1)] by squaring
wolfSSL 13:f67a6c6013ca 3458 * M[1] (winsize-1) times
wolfSSL 13:f67a6c6013ca 3459 */
wolfSSL 13:f67a6c6013ca 3460 if ((err = mp_copy (&M[1], &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3461 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3462 }
wolfSSL 13:f67a6c6013ca 3463
wolfSSL 13:f67a6c6013ca 3464 for (x = 0; x < (winsize - 1); x++) {
wolfSSL 13:f67a6c6013ca 3465 /* square it */
wolfSSL 13:f67a6c6013ca 3466 if ((err = mp_sqr (&M[(mp_digit)(1 << (winsize - 1))],
wolfSSL 13:f67a6c6013ca 3467 &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3468 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3469 }
wolfSSL 13:f67a6c6013ca 3470
wolfSSL 13:f67a6c6013ca 3471 /* reduce modulo P */
wolfSSL 13:f67a6c6013ca 3472 if ((err = redux (&M[(mp_digit)(1 << (winsize - 1))], P, &mu)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3473 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3474 }
wolfSSL 13:f67a6c6013ca 3475 }
wolfSSL 13:f67a6c6013ca 3476
wolfSSL 13:f67a6c6013ca 3477 /* create upper table, that is M[x] = M[x-1] * M[1] (mod P)
wolfSSL 13:f67a6c6013ca 3478 * for x = (2**(winsize - 1) + 1) to (2**winsize - 1)
wolfSSL 13:f67a6c6013ca 3479 */
wolfSSL 13:f67a6c6013ca 3480 for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
wolfSSL 13:f67a6c6013ca 3481 if ((err = mp_mul (&M[x - 1], &M[1], &M[x])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3482 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3483 }
wolfSSL 13:f67a6c6013ca 3484 if ((err = redux (&M[x], P, &mu)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3485 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3486 }
wolfSSL 13:f67a6c6013ca 3487 }
wolfSSL 13:f67a6c6013ca 3488
wolfSSL 13:f67a6c6013ca 3489 /* setup result */
wolfSSL 13:f67a6c6013ca 3490 if ((err = mp_init (&res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3491 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3492 }
wolfSSL 13:f67a6c6013ca 3493 if ((err = mp_set (&res, 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3494 goto LBL_MU;
wolfSSL 13:f67a6c6013ca 3495 }
wolfSSL 13:f67a6c6013ca 3496
wolfSSL 13:f67a6c6013ca 3497 /* set initial mode and bit cnt */
wolfSSL 13:f67a6c6013ca 3498 mode = 0;
wolfSSL 13:f67a6c6013ca 3499 bitcnt = 1;
wolfSSL 13:f67a6c6013ca 3500 buf = 0;
wolfSSL 13:f67a6c6013ca 3501 digidx = X->used - 1;
wolfSSL 13:f67a6c6013ca 3502 bitcpy = 0;
wolfSSL 13:f67a6c6013ca 3503 bitbuf = 0;
wolfSSL 13:f67a6c6013ca 3504
wolfSSL 13:f67a6c6013ca 3505 for (;;) {
wolfSSL 13:f67a6c6013ca 3506 /* grab next digit as required */
wolfSSL 13:f67a6c6013ca 3507 if (--bitcnt == 0) {
wolfSSL 13:f67a6c6013ca 3508 /* if digidx == -1 we are out of digits */
wolfSSL 13:f67a6c6013ca 3509 if (digidx == -1) {
wolfSSL 13:f67a6c6013ca 3510 break;
wolfSSL 13:f67a6c6013ca 3511 }
wolfSSL 13:f67a6c6013ca 3512 /* read next digit and reset the bitcnt */
wolfSSL 13:f67a6c6013ca 3513 buf = X->dp[digidx--];
wolfSSL 13:f67a6c6013ca 3514 bitcnt = (int) DIGIT_BIT;
wolfSSL 13:f67a6c6013ca 3515 }
wolfSSL 13:f67a6c6013ca 3516
wolfSSL 13:f67a6c6013ca 3517 /* grab the next msb from the exponent */
wolfSSL 13:f67a6c6013ca 3518 y = (int)(buf >> (mp_digit)(DIGIT_BIT - 1)) & 1;
wolfSSL 13:f67a6c6013ca 3519 buf <<= (mp_digit)1;
wolfSSL 13:f67a6c6013ca 3520
wolfSSL 13:f67a6c6013ca 3521 /* if the bit is zero and mode == 0 then we ignore it
wolfSSL 13:f67a6c6013ca 3522 * These represent the leading zero bits before the first 1 bit
wolfSSL 13:f67a6c6013ca 3523 * in the exponent. Technically this opt is not required but it
wolfSSL 13:f67a6c6013ca 3524 * does lower the # of trivial squaring/reductions used
wolfSSL 13:f67a6c6013ca 3525 */
wolfSSL 13:f67a6c6013ca 3526 if (mode == 0 && y == 0) {
wolfSSL 13:f67a6c6013ca 3527 continue;
wolfSSL 13:f67a6c6013ca 3528 }
wolfSSL 13:f67a6c6013ca 3529
wolfSSL 13:f67a6c6013ca 3530 /* if the bit is zero and mode == 1 then we square */
wolfSSL 13:f67a6c6013ca 3531 if (mode == 1 && y == 0) {
wolfSSL 13:f67a6c6013ca 3532 if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3533 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3534 }
wolfSSL 13:f67a6c6013ca 3535 if ((err = redux (&res, P, &mu)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3536 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3537 }
wolfSSL 13:f67a6c6013ca 3538 continue;
wolfSSL 13:f67a6c6013ca 3539 }
wolfSSL 13:f67a6c6013ca 3540
wolfSSL 13:f67a6c6013ca 3541 /* else we add it to the window */
wolfSSL 13:f67a6c6013ca 3542 bitbuf |= (y << (winsize - ++bitcpy));
wolfSSL 13:f67a6c6013ca 3543 mode = 2;
wolfSSL 13:f67a6c6013ca 3544
wolfSSL 13:f67a6c6013ca 3545 if (bitcpy == winsize) {
wolfSSL 13:f67a6c6013ca 3546 /* ok window is filled so square as required and multiply */
wolfSSL 13:f67a6c6013ca 3547 /* square first */
wolfSSL 13:f67a6c6013ca 3548 for (x = 0; x < winsize; x++) {
wolfSSL 13:f67a6c6013ca 3549 if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3550 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3551 }
wolfSSL 13:f67a6c6013ca 3552 if ((err = redux (&res, P, &mu)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3553 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3554 }
wolfSSL 13:f67a6c6013ca 3555 }
wolfSSL 13:f67a6c6013ca 3556
wolfSSL 13:f67a6c6013ca 3557 /* then multiply */
wolfSSL 13:f67a6c6013ca 3558 if ((err = mp_mul (&res, &M[bitbuf], &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3559 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3560 }
wolfSSL 13:f67a6c6013ca 3561 if ((err = redux (&res, P, &mu)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3562 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3563 }
wolfSSL 13:f67a6c6013ca 3564
wolfSSL 13:f67a6c6013ca 3565 /* empty window and reset */
wolfSSL 13:f67a6c6013ca 3566 bitcpy = 0;
wolfSSL 13:f67a6c6013ca 3567 bitbuf = 0;
wolfSSL 13:f67a6c6013ca 3568 mode = 1;
wolfSSL 13:f67a6c6013ca 3569 }
wolfSSL 13:f67a6c6013ca 3570 }
wolfSSL 13:f67a6c6013ca 3571
wolfSSL 13:f67a6c6013ca 3572 /* if bits remain then square/multiply */
wolfSSL 13:f67a6c6013ca 3573 if (mode == 2 && bitcpy > 0) {
wolfSSL 13:f67a6c6013ca 3574 /* square then multiply if the bit is set */
wolfSSL 13:f67a6c6013ca 3575 for (x = 0; x < bitcpy; x++) {
wolfSSL 13:f67a6c6013ca 3576 if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3577 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3578 }
wolfSSL 13:f67a6c6013ca 3579 if ((err = redux (&res, P, &mu)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3580 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3581 }
wolfSSL 13:f67a6c6013ca 3582
wolfSSL 13:f67a6c6013ca 3583 bitbuf <<= 1;
wolfSSL 13:f67a6c6013ca 3584 if ((bitbuf & (1 << winsize)) != 0) {
wolfSSL 13:f67a6c6013ca 3585 /* then multiply */
wolfSSL 13:f67a6c6013ca 3586 if ((err = mp_mul (&res, &M[1], &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3587 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3588 }
wolfSSL 13:f67a6c6013ca 3589 if ((err = redux (&res, P, &mu)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3590 goto LBL_RES;
wolfSSL 13:f67a6c6013ca 3591 }
wolfSSL 13:f67a6c6013ca 3592 }
wolfSSL 13:f67a6c6013ca 3593 }
wolfSSL 13:f67a6c6013ca 3594 }
wolfSSL 13:f67a6c6013ca 3595
wolfSSL 13:f67a6c6013ca 3596 mp_exch (&res, Y);
wolfSSL 13:f67a6c6013ca 3597 err = MP_OKAY;
wolfSSL 13:f67a6c6013ca 3598 LBL_RES:mp_clear (&res);
wolfSSL 13:f67a6c6013ca 3599 LBL_MU:mp_clear (&mu);
wolfSSL 13:f67a6c6013ca 3600 LBL_M:
wolfSSL 13:f67a6c6013ca 3601 mp_clear(&M[1]);
wolfSSL 13:f67a6c6013ca 3602 for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
wolfSSL 13:f67a6c6013ca 3603 mp_clear (&M[x]);
wolfSSL 13:f67a6c6013ca 3604 }
wolfSSL 13:f67a6c6013ca 3605 return err;
wolfSSL 13:f67a6c6013ca 3606 }
wolfSSL 13:f67a6c6013ca 3607
wolfSSL 13:f67a6c6013ca 3608
wolfSSL 13:f67a6c6013ca 3609 /* pre-calculate the value required for Barrett reduction
wolfSSL 13:f67a6c6013ca 3610 * For a given modulus "b" it calculates the value required in "a"
wolfSSL 13:f67a6c6013ca 3611 */
wolfSSL 13:f67a6c6013ca 3612 int mp_reduce_setup (mp_int * a, mp_int * b)
wolfSSL 13:f67a6c6013ca 3613 {
wolfSSL 13:f67a6c6013ca 3614 int res;
wolfSSL 13:f67a6c6013ca 3615
wolfSSL 13:f67a6c6013ca 3616 if ((res = mp_2expt (a, b->used * 2 * DIGIT_BIT)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3617 return res;
wolfSSL 13:f67a6c6013ca 3618 }
wolfSSL 13:f67a6c6013ca 3619 return mp_div (a, b, a, NULL);
wolfSSL 13:f67a6c6013ca 3620 }
wolfSSL 13:f67a6c6013ca 3621
wolfSSL 13:f67a6c6013ca 3622
wolfSSL 13:f67a6c6013ca 3623 /* reduces x mod m, assumes 0 < x < m**2, mu is
wolfSSL 13:f67a6c6013ca 3624 * precomputed via mp_reduce_setup.
wolfSSL 13:f67a6c6013ca 3625 * From HAC pp.604 Algorithm 14.42
wolfSSL 13:f67a6c6013ca 3626 */
wolfSSL 13:f67a6c6013ca 3627 int mp_reduce (mp_int * x, mp_int * m, mp_int * mu)
wolfSSL 13:f67a6c6013ca 3628 {
wolfSSL 13:f67a6c6013ca 3629 mp_int q;
wolfSSL 13:f67a6c6013ca 3630 int res, um = m->used;
wolfSSL 13:f67a6c6013ca 3631
wolfSSL 13:f67a6c6013ca 3632 /* q = x */
wolfSSL 13:f67a6c6013ca 3633 if ((res = mp_init_copy (&q, x)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3634 return res;
wolfSSL 13:f67a6c6013ca 3635 }
wolfSSL 13:f67a6c6013ca 3636
wolfSSL 13:f67a6c6013ca 3637 /* q1 = x / b**(k-1) */
wolfSSL 13:f67a6c6013ca 3638 mp_rshd (&q, um - 1);
wolfSSL 13:f67a6c6013ca 3639
wolfSSL 13:f67a6c6013ca 3640 /* according to HAC this optimization is ok */
wolfSSL 13:f67a6c6013ca 3641 if (((mp_word) um) > (((mp_digit)1) << (DIGIT_BIT - 1))) {
wolfSSL 13:f67a6c6013ca 3642 if ((res = mp_mul (&q, mu, &q)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3643 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3644 }
wolfSSL 13:f67a6c6013ca 3645 } else {
wolfSSL 13:f67a6c6013ca 3646 #ifdef BN_S_MP_MUL_HIGH_DIGS_C
wolfSSL 13:f67a6c6013ca 3647 if ((res = s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3648 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3649 }
wolfSSL 13:f67a6c6013ca 3650 #elif defined(BN_FAST_S_MP_MUL_HIGH_DIGS_C)
wolfSSL 13:f67a6c6013ca 3651 if ((res = fast_s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3652 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3653 }
wolfSSL 13:f67a6c6013ca 3654 #else
wolfSSL 13:f67a6c6013ca 3655 {
wolfSSL 13:f67a6c6013ca 3656 res = MP_VAL;
wolfSSL 13:f67a6c6013ca 3657 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3658 }
wolfSSL 13:f67a6c6013ca 3659 #endif
wolfSSL 13:f67a6c6013ca 3660 }
wolfSSL 13:f67a6c6013ca 3661
wolfSSL 13:f67a6c6013ca 3662 /* q3 = q2 / b**(k+1) */
wolfSSL 13:f67a6c6013ca 3663 mp_rshd (&q, um + 1);
wolfSSL 13:f67a6c6013ca 3664
wolfSSL 13:f67a6c6013ca 3665 /* x = x mod b**(k+1), quick (no division) */
wolfSSL 13:f67a6c6013ca 3666 if ((res = mp_mod_2d (x, DIGIT_BIT * (um + 1), x)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3667 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3668 }
wolfSSL 13:f67a6c6013ca 3669
wolfSSL 13:f67a6c6013ca 3670 /* q = q * m mod b**(k+1), quick (no division) */
wolfSSL 13:f67a6c6013ca 3671 if ((res = s_mp_mul_digs (&q, m, &q, um + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3672 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3673 }
wolfSSL 13:f67a6c6013ca 3674
wolfSSL 13:f67a6c6013ca 3675 /* x = x - q */
wolfSSL 13:f67a6c6013ca 3676 if ((res = mp_sub (x, &q, x)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3677 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3678 }
wolfSSL 13:f67a6c6013ca 3679
wolfSSL 13:f67a6c6013ca 3680 /* If x < 0, add b**(k+1) to it */
wolfSSL 13:f67a6c6013ca 3681 if (mp_cmp_d (x, 0) == MP_LT) {
wolfSSL 13:f67a6c6013ca 3682 if ((res = mp_set (&q, 1)) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 3683 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3684 if ((res = mp_lshd (&q, um + 1)) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 3685 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3686 if ((res = mp_add (x, &q, x)) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 3687 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3688 }
wolfSSL 13:f67a6c6013ca 3689
wolfSSL 13:f67a6c6013ca 3690 /* Back off if it's too big */
wolfSSL 13:f67a6c6013ca 3691 while (mp_cmp (x, m) != MP_LT) {
wolfSSL 13:f67a6c6013ca 3692 if ((res = s_mp_sub (x, m, x)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3693 goto CLEANUP;
wolfSSL 13:f67a6c6013ca 3694 }
wolfSSL 13:f67a6c6013ca 3695 }
wolfSSL 13:f67a6c6013ca 3696
wolfSSL 13:f67a6c6013ca 3697 CLEANUP:
wolfSSL 13:f67a6c6013ca 3698 mp_clear (&q);
wolfSSL 13:f67a6c6013ca 3699
wolfSSL 13:f67a6c6013ca 3700 return res;
wolfSSL 13:f67a6c6013ca 3701 }
wolfSSL 13:f67a6c6013ca 3702
wolfSSL 13:f67a6c6013ca 3703
wolfSSL 13:f67a6c6013ca 3704 /* reduces a modulo n where n is of the form 2**p - d
wolfSSL 13:f67a6c6013ca 3705 This differs from reduce_2k since "d" can be larger
wolfSSL 13:f67a6c6013ca 3706 than a single digit.
wolfSSL 13:f67a6c6013ca 3707 */
wolfSSL 13:f67a6c6013ca 3708 int mp_reduce_2k_l(mp_int *a, mp_int *n, mp_int *d)
wolfSSL 13:f67a6c6013ca 3709 {
wolfSSL 13:f67a6c6013ca 3710 mp_int q;
wolfSSL 13:f67a6c6013ca 3711 int p, res;
wolfSSL 13:f67a6c6013ca 3712
wolfSSL 13:f67a6c6013ca 3713 if ((res = mp_init(&q)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3714 return res;
wolfSSL 13:f67a6c6013ca 3715 }
wolfSSL 13:f67a6c6013ca 3716
wolfSSL 13:f67a6c6013ca 3717 p = mp_count_bits(n);
wolfSSL 13:f67a6c6013ca 3718 top:
wolfSSL 13:f67a6c6013ca 3719 /* q = a/2**p, a = a mod 2**p */
wolfSSL 13:f67a6c6013ca 3720 if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3721 goto ERR;
wolfSSL 13:f67a6c6013ca 3722 }
wolfSSL 13:f67a6c6013ca 3723
wolfSSL 13:f67a6c6013ca 3724 /* q = q * d */
wolfSSL 13:f67a6c6013ca 3725 if ((res = mp_mul(&q, d, &q)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3726 goto ERR;
wolfSSL 13:f67a6c6013ca 3727 }
wolfSSL 13:f67a6c6013ca 3728
wolfSSL 13:f67a6c6013ca 3729 /* a = a + q */
wolfSSL 13:f67a6c6013ca 3730 if ((res = s_mp_add(a, &q, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3731 goto ERR;
wolfSSL 13:f67a6c6013ca 3732 }
wolfSSL 13:f67a6c6013ca 3733
wolfSSL 13:f67a6c6013ca 3734 if (mp_cmp_mag(a, n) != MP_LT) {
wolfSSL 13:f67a6c6013ca 3735 s_mp_sub(a, n, a);
wolfSSL 13:f67a6c6013ca 3736 goto top;
wolfSSL 13:f67a6c6013ca 3737 }
wolfSSL 13:f67a6c6013ca 3738
wolfSSL 13:f67a6c6013ca 3739 ERR:
wolfSSL 13:f67a6c6013ca 3740 mp_clear(&q);
wolfSSL 13:f67a6c6013ca 3741 return res;
wolfSSL 13:f67a6c6013ca 3742 }
wolfSSL 13:f67a6c6013ca 3743
wolfSSL 13:f67a6c6013ca 3744
wolfSSL 13:f67a6c6013ca 3745 /* determines the setup value */
wolfSSL 13:f67a6c6013ca 3746 int mp_reduce_2k_setup_l(mp_int *a, mp_int *d)
wolfSSL 13:f67a6c6013ca 3747 {
wolfSSL 13:f67a6c6013ca 3748 int res;
wolfSSL 13:f67a6c6013ca 3749 mp_int tmp;
wolfSSL 13:f67a6c6013ca 3750
wolfSSL 13:f67a6c6013ca 3751 if ((res = mp_init(&tmp)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3752 return res;
wolfSSL 13:f67a6c6013ca 3753 }
wolfSSL 13:f67a6c6013ca 3754
wolfSSL 13:f67a6c6013ca 3755 if ((res = mp_2expt(&tmp, mp_count_bits(a))) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3756 goto ERR;
wolfSSL 13:f67a6c6013ca 3757 }
wolfSSL 13:f67a6c6013ca 3758
wolfSSL 13:f67a6c6013ca 3759 if ((res = s_mp_sub(&tmp, a, d)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3760 goto ERR;
wolfSSL 13:f67a6c6013ca 3761 }
wolfSSL 13:f67a6c6013ca 3762
wolfSSL 13:f67a6c6013ca 3763 ERR:
wolfSSL 13:f67a6c6013ca 3764 mp_clear(&tmp);
wolfSSL 13:f67a6c6013ca 3765 return res;
wolfSSL 13:f67a6c6013ca 3766 }
wolfSSL 13:f67a6c6013ca 3767
wolfSSL 13:f67a6c6013ca 3768
wolfSSL 13:f67a6c6013ca 3769 /* multiplies |a| * |b| and does not compute the lower digs digits
wolfSSL 13:f67a6c6013ca 3770 * [meant to get the higher part of the product]
wolfSSL 13:f67a6c6013ca 3771 */
wolfSSL 13:f67a6c6013ca 3772 int s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
wolfSSL 13:f67a6c6013ca 3773 {
wolfSSL 13:f67a6c6013ca 3774 mp_int t;
wolfSSL 13:f67a6c6013ca 3775 int res, pa, pb, ix, iy;
wolfSSL 13:f67a6c6013ca 3776 mp_digit u;
wolfSSL 13:f67a6c6013ca 3777 mp_word r;
wolfSSL 13:f67a6c6013ca 3778 mp_digit tmpx, *tmpt, *tmpy;
wolfSSL 13:f67a6c6013ca 3779
wolfSSL 13:f67a6c6013ca 3780 /* can we use the fast multiplier? */
wolfSSL 13:f67a6c6013ca 3781 #ifdef BN_FAST_S_MP_MUL_HIGH_DIGS_C
wolfSSL 13:f67a6c6013ca 3782 if (((a->used + b->used + 1) < MP_WARRAY)
wolfSSL 13:f67a6c6013ca 3783 && MIN (a->used, b->used) <
wolfSSL 13:f67a6c6013ca 3784 (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
wolfSSL 13:f67a6c6013ca 3785 return fast_s_mp_mul_high_digs (a, b, c, digs);
wolfSSL 13:f67a6c6013ca 3786 }
wolfSSL 13:f67a6c6013ca 3787 #endif
wolfSSL 13:f67a6c6013ca 3788
wolfSSL 13:f67a6c6013ca 3789 if ((res = mp_init_size (&t, a->used + b->used + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3790 return res;
wolfSSL 13:f67a6c6013ca 3791 }
wolfSSL 13:f67a6c6013ca 3792 t.used = a->used + b->used + 1;
wolfSSL 13:f67a6c6013ca 3793
wolfSSL 13:f67a6c6013ca 3794 pa = a->used;
wolfSSL 13:f67a6c6013ca 3795 pb = b->used;
wolfSSL 13:f67a6c6013ca 3796 for (ix = 0; ix < pa && a->dp; ix++) {
wolfSSL 13:f67a6c6013ca 3797 /* clear the carry */
wolfSSL 13:f67a6c6013ca 3798 u = 0;
wolfSSL 13:f67a6c6013ca 3799
wolfSSL 13:f67a6c6013ca 3800 /* left hand side of A[ix] * B[iy] */
wolfSSL 13:f67a6c6013ca 3801 tmpx = a->dp[ix];
wolfSSL 13:f67a6c6013ca 3802
wolfSSL 13:f67a6c6013ca 3803 /* alias to the address of where the digits will be stored */
wolfSSL 13:f67a6c6013ca 3804 tmpt = &(t.dp[digs]);
wolfSSL 13:f67a6c6013ca 3805
wolfSSL 13:f67a6c6013ca 3806 /* alias for where to read the right hand side from */
wolfSSL 13:f67a6c6013ca 3807 tmpy = b->dp + (digs - ix);
wolfSSL 13:f67a6c6013ca 3808
wolfSSL 13:f67a6c6013ca 3809 for (iy = digs - ix; iy < pb; iy++) {
wolfSSL 13:f67a6c6013ca 3810 /* calculate the double precision result */
wolfSSL 13:f67a6c6013ca 3811 r = ((mp_word)*tmpt) +
wolfSSL 13:f67a6c6013ca 3812 ((mp_word)tmpx) * ((mp_word)*tmpy++) +
wolfSSL 13:f67a6c6013ca 3813 ((mp_word) u);
wolfSSL 13:f67a6c6013ca 3814
wolfSSL 13:f67a6c6013ca 3815 /* get the lower part */
wolfSSL 13:f67a6c6013ca 3816 *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
wolfSSL 13:f67a6c6013ca 3817
wolfSSL 13:f67a6c6013ca 3818 /* carry the carry */
wolfSSL 13:f67a6c6013ca 3819 u = (mp_digit) (r >> ((mp_word) DIGIT_BIT));
wolfSSL 13:f67a6c6013ca 3820 }
wolfSSL 13:f67a6c6013ca 3821 *tmpt = u;
wolfSSL 13:f67a6c6013ca 3822 }
wolfSSL 13:f67a6c6013ca 3823 mp_clamp (&t);
wolfSSL 13:f67a6c6013ca 3824 mp_exch (&t, c);
wolfSSL 13:f67a6c6013ca 3825 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 3826 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 3827 }
wolfSSL 13:f67a6c6013ca 3828
wolfSSL 13:f67a6c6013ca 3829
wolfSSL 13:f67a6c6013ca 3830 /* this is a modified version of fast_s_mul_digs that only produces
wolfSSL 13:f67a6c6013ca 3831 * output digits *above* digs. See the comments for fast_s_mul_digs
wolfSSL 13:f67a6c6013ca 3832 * to see how it works.
wolfSSL 13:f67a6c6013ca 3833 *
wolfSSL 13:f67a6c6013ca 3834 * This is used in the Barrett reduction since for one of the multiplications
wolfSSL 13:f67a6c6013ca 3835 * only the higher digits were needed. This essentially halves the work.
wolfSSL 13:f67a6c6013ca 3836 *
wolfSSL 13:f67a6c6013ca 3837 * Based on Algorithm 14.12 on pp.595 of HAC.
wolfSSL 13:f67a6c6013ca 3838 */
wolfSSL 13:f67a6c6013ca 3839 int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
wolfSSL 13:f67a6c6013ca 3840 {
wolfSSL 13:f67a6c6013ca 3841 int olduse, res, pa, ix, iz;
wolfSSL 13:f67a6c6013ca 3842 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 3843 mp_digit* W; /* uses dynamic memory and slower */
wolfSSL 13:f67a6c6013ca 3844 #else
wolfSSL 13:f67a6c6013ca 3845 mp_digit W[MP_WARRAY];
wolfSSL 13:f67a6c6013ca 3846 #endif
wolfSSL 13:f67a6c6013ca 3847 mp_word _W;
wolfSSL 13:f67a6c6013ca 3848
wolfSSL 13:f67a6c6013ca 3849 if (a->dp == NULL) { /* JRB, avoid reading uninitialized values */
wolfSSL 13:f67a6c6013ca 3850 return MP_VAL;
wolfSSL 13:f67a6c6013ca 3851 }
wolfSSL 13:f67a6c6013ca 3852
wolfSSL 13:f67a6c6013ca 3853 /* grow the destination as required */
wolfSSL 13:f67a6c6013ca 3854 pa = a->used + b->used;
wolfSSL 13:f67a6c6013ca 3855 if (c->alloc < pa) {
wolfSSL 13:f67a6c6013ca 3856 if ((res = mp_grow (c, pa)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3857 return res;
wolfSSL 13:f67a6c6013ca 3858 }
wolfSSL 13:f67a6c6013ca 3859 }
wolfSSL 13:f67a6c6013ca 3860
wolfSSL 13:f67a6c6013ca 3861 if (pa > MP_WARRAY)
wolfSSL 13:f67a6c6013ca 3862 return MP_RANGE; /* TAO range check */
wolfSSL 13:f67a6c6013ca 3863
wolfSSL 13:f67a6c6013ca 3864 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 3865 W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, NULL, DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 3866 if (W == NULL)
wolfSSL 13:f67a6c6013ca 3867 return MP_MEM;
wolfSSL 13:f67a6c6013ca 3868 #endif
wolfSSL 13:f67a6c6013ca 3869
wolfSSL 13:f67a6c6013ca 3870 /* number of output digits to produce */
wolfSSL 13:f67a6c6013ca 3871 pa = a->used + b->used;
wolfSSL 13:f67a6c6013ca 3872 _W = 0;
wolfSSL 13:f67a6c6013ca 3873 for (ix = digs; ix < pa; ix++) { /* JRB, have a->dp check at top of function*/
wolfSSL 13:f67a6c6013ca 3874 int tx, ty, iy;
wolfSSL 13:f67a6c6013ca 3875 mp_digit *tmpx, *tmpy;
wolfSSL 13:f67a6c6013ca 3876
wolfSSL 13:f67a6c6013ca 3877 /* get offsets into the two bignums */
wolfSSL 13:f67a6c6013ca 3878 ty = MIN(b->used-1, ix);
wolfSSL 13:f67a6c6013ca 3879 tx = ix - ty;
wolfSSL 13:f67a6c6013ca 3880
wolfSSL 13:f67a6c6013ca 3881 /* setup temp aliases */
wolfSSL 13:f67a6c6013ca 3882 tmpx = a->dp + tx;
wolfSSL 13:f67a6c6013ca 3883 tmpy = b->dp + ty;
wolfSSL 13:f67a6c6013ca 3884
wolfSSL 13:f67a6c6013ca 3885 /* this is the number of times the loop will iterate, essentially its
wolfSSL 13:f67a6c6013ca 3886 while (tx++ < a->used && ty-- >= 0) { ... }
wolfSSL 13:f67a6c6013ca 3887 */
wolfSSL 13:f67a6c6013ca 3888 iy = MIN(a->used-tx, ty+1);
wolfSSL 13:f67a6c6013ca 3889
wolfSSL 13:f67a6c6013ca 3890 /* execute loop */
wolfSSL 13:f67a6c6013ca 3891 for (iz = 0; iz < iy; iz++) {
wolfSSL 13:f67a6c6013ca 3892 _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--);
wolfSSL 13:f67a6c6013ca 3893 }
wolfSSL 13:f67a6c6013ca 3894
wolfSSL 13:f67a6c6013ca 3895 /* store term */
wolfSSL 13:f67a6c6013ca 3896 W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK);
wolfSSL 13:f67a6c6013ca 3897
wolfSSL 13:f67a6c6013ca 3898 /* make next carry */
wolfSSL 13:f67a6c6013ca 3899 _W = _W >> ((mp_word)DIGIT_BIT);
wolfSSL 13:f67a6c6013ca 3900 }
wolfSSL 13:f67a6c6013ca 3901
wolfSSL 13:f67a6c6013ca 3902 /* setup dest */
wolfSSL 13:f67a6c6013ca 3903 olduse = c->used;
wolfSSL 13:f67a6c6013ca 3904 c->used = pa;
wolfSSL 13:f67a6c6013ca 3905
wolfSSL 13:f67a6c6013ca 3906 {
wolfSSL 13:f67a6c6013ca 3907 mp_digit *tmpc;
wolfSSL 13:f67a6c6013ca 3908
wolfSSL 13:f67a6c6013ca 3909 tmpc = c->dp + digs;
wolfSSL 13:f67a6c6013ca 3910 for (ix = digs; ix < pa; ix++) { /* TAO, <= could potentially overwrite */
wolfSSL 13:f67a6c6013ca 3911 /* now extract the previous digit [below the carry] */
wolfSSL 13:f67a6c6013ca 3912 *tmpc++ = W[ix];
wolfSSL 13:f67a6c6013ca 3913 }
wolfSSL 13:f67a6c6013ca 3914
wolfSSL 13:f67a6c6013ca 3915 /* clear unused digits [that existed in the old copy of c] */
wolfSSL 13:f67a6c6013ca 3916 for (; ix < olduse; ix++) {
wolfSSL 13:f67a6c6013ca 3917 *tmpc++ = 0;
wolfSSL 13:f67a6c6013ca 3918 }
wolfSSL 13:f67a6c6013ca 3919 }
wolfSSL 13:f67a6c6013ca 3920 mp_clamp (c);
wolfSSL 13:f67a6c6013ca 3921
wolfSSL 13:f67a6c6013ca 3922 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 3923 XFREE(W, NULL, DYNAMIC_TYPE_BIGINT);
wolfSSL 13:f67a6c6013ca 3924 #endif
wolfSSL 13:f67a6c6013ca 3925
wolfSSL 13:f67a6c6013ca 3926 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 3927 }
wolfSSL 13:f67a6c6013ca 3928
wolfSSL 13:f67a6c6013ca 3929
wolfSSL 13:f67a6c6013ca 3930 #ifndef MP_SET_CHUNK_BITS
wolfSSL 13:f67a6c6013ca 3931 #define MP_SET_CHUNK_BITS 4
wolfSSL 13:f67a6c6013ca 3932 #endif
wolfSSL 13:f67a6c6013ca 3933 int mp_set_int (mp_int * a, unsigned long b)
wolfSSL 13:f67a6c6013ca 3934 {
wolfSSL 13:f67a6c6013ca 3935 int x, res;
wolfSSL 13:f67a6c6013ca 3936
wolfSSL 13:f67a6c6013ca 3937 /* use direct mp_set if b is less than mp_digit max */
wolfSSL 13:f67a6c6013ca 3938 if (b < MP_DIGIT_MAX) {
wolfSSL 13:f67a6c6013ca 3939 return mp_set (a, (mp_digit)b);
wolfSSL 13:f67a6c6013ca 3940 }
wolfSSL 13:f67a6c6013ca 3941
wolfSSL 13:f67a6c6013ca 3942 mp_zero (a);
wolfSSL 13:f67a6c6013ca 3943
wolfSSL 13:f67a6c6013ca 3944 /* set chunk bits at a time */
wolfSSL 13:f67a6c6013ca 3945 for (x = 0; x < (int)(sizeof(b) * 8) / MP_SET_CHUNK_BITS; x++) {
wolfSSL 13:f67a6c6013ca 3946 /* shift the number up chunk bits */
wolfSSL 13:f67a6c6013ca 3947 if ((res = mp_mul_2d (a, MP_SET_CHUNK_BITS, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3948 return res;
wolfSSL 13:f67a6c6013ca 3949 }
wolfSSL 13:f67a6c6013ca 3950
wolfSSL 13:f67a6c6013ca 3951 /* OR in the top bits of the source */
wolfSSL 13:f67a6c6013ca 3952 a->dp[0] |= (b >> ((sizeof(b) * 8) - MP_SET_CHUNK_BITS)) &
wolfSSL 13:f67a6c6013ca 3953 ((1 << MP_SET_CHUNK_BITS) - 1);
wolfSSL 13:f67a6c6013ca 3954
wolfSSL 13:f67a6c6013ca 3955 /* shift the source up to the next chunk bits */
wolfSSL 13:f67a6c6013ca 3956 b <<= MP_SET_CHUNK_BITS;
wolfSSL 13:f67a6c6013ca 3957
wolfSSL 13:f67a6c6013ca 3958 /* ensure that digits are not clamped off */
wolfSSL 13:f67a6c6013ca 3959 a->used += 1;
wolfSSL 13:f67a6c6013ca 3960 }
wolfSSL 13:f67a6c6013ca 3961 mp_clamp (a);
wolfSSL 13:f67a6c6013ca 3962 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 3963 }
wolfSSL 13:f67a6c6013ca 3964
wolfSSL 13:f67a6c6013ca 3965
wolfSSL 13:f67a6c6013ca 3966 #if defined(WOLFSSL_KEY_GEN) || defined(HAVE_ECC)
wolfSSL 13:f67a6c6013ca 3967
wolfSSL 13:f67a6c6013ca 3968 /* c = a * a (mod b) */
wolfSSL 13:f67a6c6013ca 3969 int mp_sqrmod (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 3970 {
wolfSSL 13:f67a6c6013ca 3971 int res;
wolfSSL 13:f67a6c6013ca 3972 mp_int t;
wolfSSL 13:f67a6c6013ca 3973
wolfSSL 13:f67a6c6013ca 3974 if ((res = mp_init (&t)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3975 return res;
wolfSSL 13:f67a6c6013ca 3976 }
wolfSSL 13:f67a6c6013ca 3977
wolfSSL 13:f67a6c6013ca 3978 if ((res = mp_sqr (a, &t)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 3979 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 3980 return res;
wolfSSL 13:f67a6c6013ca 3981 }
wolfSSL 13:f67a6c6013ca 3982 res = mp_mod (&t, b, c);
wolfSSL 13:f67a6c6013ca 3983 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 3984 return res;
wolfSSL 13:f67a6c6013ca 3985 }
wolfSSL 13:f67a6c6013ca 3986
wolfSSL 13:f67a6c6013ca 3987 #endif
wolfSSL 13:f67a6c6013ca 3988
wolfSSL 13:f67a6c6013ca 3989
wolfSSL 13:f67a6c6013ca 3990 #if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(WOLFSSL_SNIFFER) || \
wolfSSL 13:f67a6c6013ca 3991 defined(WOLFSSL_HAVE_WOLFSCEP) || defined(WOLFSSL_KEY_GEN) || \
wolfSSL 13:f67a6c6013ca 3992 defined(OPENSSL_EXTRA) || defined(WC_RSA_BLINDING)
wolfSSL 13:f67a6c6013ca 3993
wolfSSL 13:f67a6c6013ca 3994 /* single digit addition */
wolfSSL 13:f67a6c6013ca 3995 int mp_add_d (mp_int* a, mp_digit b, mp_int* c)
wolfSSL 13:f67a6c6013ca 3996 {
wolfSSL 13:f67a6c6013ca 3997 int res, ix, oldused;
wolfSSL 13:f67a6c6013ca 3998 mp_digit *tmpa, *tmpc, mu;
wolfSSL 13:f67a6c6013ca 3999
wolfSSL 13:f67a6c6013ca 4000 /* grow c as required */
wolfSSL 13:f67a6c6013ca 4001 if (c->alloc < a->used + 1) {
wolfSSL 13:f67a6c6013ca 4002 if ((res = mp_grow(c, a->used + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4003 return res;
wolfSSL 13:f67a6c6013ca 4004 }
wolfSSL 13:f67a6c6013ca 4005 }
wolfSSL 13:f67a6c6013ca 4006
wolfSSL 13:f67a6c6013ca 4007 /* if a is negative and |a| >= b, call c = |a| - b */
wolfSSL 13:f67a6c6013ca 4008 if (a->sign == MP_NEG && (a->used > 1 || a->dp[0] >= b)) {
wolfSSL 13:f67a6c6013ca 4009 /* temporarily fix sign of a */
wolfSSL 13:f67a6c6013ca 4010 a->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4011
wolfSSL 13:f67a6c6013ca 4012 /* c = |a| - b */
wolfSSL 13:f67a6c6013ca 4013 res = mp_sub_d(a, b, c);
wolfSSL 13:f67a6c6013ca 4014
wolfSSL 13:f67a6c6013ca 4015 /* fix sign */
wolfSSL 13:f67a6c6013ca 4016 a->sign = c->sign = MP_NEG;
wolfSSL 13:f67a6c6013ca 4017
wolfSSL 13:f67a6c6013ca 4018 /* clamp */
wolfSSL 13:f67a6c6013ca 4019 mp_clamp(c);
wolfSSL 13:f67a6c6013ca 4020
wolfSSL 13:f67a6c6013ca 4021 return res;
wolfSSL 13:f67a6c6013ca 4022 }
wolfSSL 13:f67a6c6013ca 4023
wolfSSL 13:f67a6c6013ca 4024 /* old number of used digits in c */
wolfSSL 13:f67a6c6013ca 4025 oldused = c->used;
wolfSSL 13:f67a6c6013ca 4026
wolfSSL 13:f67a6c6013ca 4027 /* sign always positive */
wolfSSL 13:f67a6c6013ca 4028 c->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4029
wolfSSL 13:f67a6c6013ca 4030 /* source alias */
wolfSSL 13:f67a6c6013ca 4031 tmpa = a->dp;
wolfSSL 13:f67a6c6013ca 4032
wolfSSL 13:f67a6c6013ca 4033 /* destination alias */
wolfSSL 13:f67a6c6013ca 4034 tmpc = c->dp;
wolfSSL 13:f67a6c6013ca 4035
wolfSSL 13:f67a6c6013ca 4036 /* if a is positive */
wolfSSL 13:f67a6c6013ca 4037 if (a->sign == MP_ZPOS) {
wolfSSL 13:f67a6c6013ca 4038 /* add digit, after this we're propagating
wolfSSL 13:f67a6c6013ca 4039 * the carry.
wolfSSL 13:f67a6c6013ca 4040 */
wolfSSL 13:f67a6c6013ca 4041 *tmpc = *tmpa++ + b;
wolfSSL 13:f67a6c6013ca 4042 mu = *tmpc >> DIGIT_BIT;
wolfSSL 13:f67a6c6013ca 4043 *tmpc++ &= MP_MASK;
wolfSSL 13:f67a6c6013ca 4044
wolfSSL 13:f67a6c6013ca 4045 /* now handle rest of the digits */
wolfSSL 13:f67a6c6013ca 4046 for (ix = 1; ix < a->used; ix++) {
wolfSSL 13:f67a6c6013ca 4047 *tmpc = *tmpa++ + mu;
wolfSSL 13:f67a6c6013ca 4048 mu = *tmpc >> DIGIT_BIT;
wolfSSL 13:f67a6c6013ca 4049 *tmpc++ &= MP_MASK;
wolfSSL 13:f67a6c6013ca 4050 }
wolfSSL 13:f67a6c6013ca 4051 /* set final carry */
wolfSSL 13:f67a6c6013ca 4052 if (ix < c->alloc) {
wolfSSL 13:f67a6c6013ca 4053 ix++;
wolfSSL 13:f67a6c6013ca 4054 *tmpc++ = mu;
wolfSSL 13:f67a6c6013ca 4055 }
wolfSSL 13:f67a6c6013ca 4056
wolfSSL 13:f67a6c6013ca 4057 /* setup size */
wolfSSL 13:f67a6c6013ca 4058 c->used = a->used + 1;
wolfSSL 13:f67a6c6013ca 4059 } else {
wolfSSL 13:f67a6c6013ca 4060 /* a was negative and |a| < b */
wolfSSL 13:f67a6c6013ca 4061 c->used = 1;
wolfSSL 13:f67a6c6013ca 4062
wolfSSL 13:f67a6c6013ca 4063 /* the result is a single digit */
wolfSSL 13:f67a6c6013ca 4064 if (a->used == 1) {
wolfSSL 13:f67a6c6013ca 4065 *tmpc++ = b - a->dp[0];
wolfSSL 13:f67a6c6013ca 4066 } else {
wolfSSL 13:f67a6c6013ca 4067 *tmpc++ = b;
wolfSSL 13:f67a6c6013ca 4068 }
wolfSSL 13:f67a6c6013ca 4069
wolfSSL 13:f67a6c6013ca 4070 /* setup count so the clearing of oldused
wolfSSL 13:f67a6c6013ca 4071 * can fall through correctly
wolfSSL 13:f67a6c6013ca 4072 */
wolfSSL 13:f67a6c6013ca 4073 ix = 1;
wolfSSL 13:f67a6c6013ca 4074 }
wolfSSL 13:f67a6c6013ca 4075
wolfSSL 13:f67a6c6013ca 4076 /* now zero to oldused */
wolfSSL 13:f67a6c6013ca 4077 while (ix++ < oldused) {
wolfSSL 13:f67a6c6013ca 4078 *tmpc++ = 0;
wolfSSL 13:f67a6c6013ca 4079 }
wolfSSL 13:f67a6c6013ca 4080 mp_clamp(c);
wolfSSL 13:f67a6c6013ca 4081
wolfSSL 13:f67a6c6013ca 4082 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4083 }
wolfSSL 13:f67a6c6013ca 4084
wolfSSL 13:f67a6c6013ca 4085
wolfSSL 13:f67a6c6013ca 4086 /* single digit subtraction */
wolfSSL 13:f67a6c6013ca 4087 int mp_sub_d (mp_int * a, mp_digit b, mp_int * c)
wolfSSL 13:f67a6c6013ca 4088 {
wolfSSL 13:f67a6c6013ca 4089 mp_digit *tmpa, *tmpc, mu;
wolfSSL 13:f67a6c6013ca 4090 int res, ix, oldused;
wolfSSL 13:f67a6c6013ca 4091
wolfSSL 13:f67a6c6013ca 4092 /* grow c as required */
wolfSSL 13:f67a6c6013ca 4093 if (c->alloc < a->used + 1) {
wolfSSL 13:f67a6c6013ca 4094 if ((res = mp_grow(c, a->used + 1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4095 return res;
wolfSSL 13:f67a6c6013ca 4096 }
wolfSSL 13:f67a6c6013ca 4097 }
wolfSSL 13:f67a6c6013ca 4098
wolfSSL 13:f67a6c6013ca 4099 /* if a is negative just do an unsigned
wolfSSL 13:f67a6c6013ca 4100 * addition [with fudged signs]
wolfSSL 13:f67a6c6013ca 4101 */
wolfSSL 13:f67a6c6013ca 4102 if (a->sign == MP_NEG) {
wolfSSL 13:f67a6c6013ca 4103 a->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4104 res = mp_add_d(a, b, c);
wolfSSL 13:f67a6c6013ca 4105 a->sign = c->sign = MP_NEG;
wolfSSL 13:f67a6c6013ca 4106
wolfSSL 13:f67a6c6013ca 4107 /* clamp */
wolfSSL 13:f67a6c6013ca 4108 mp_clamp(c);
wolfSSL 13:f67a6c6013ca 4109
wolfSSL 13:f67a6c6013ca 4110 return res;
wolfSSL 13:f67a6c6013ca 4111 }
wolfSSL 13:f67a6c6013ca 4112
wolfSSL 13:f67a6c6013ca 4113 /* setup regs */
wolfSSL 13:f67a6c6013ca 4114 oldused = c->used;
wolfSSL 13:f67a6c6013ca 4115 tmpa = a->dp;
wolfSSL 13:f67a6c6013ca 4116 tmpc = c->dp;
wolfSSL 13:f67a6c6013ca 4117
wolfSSL 13:f67a6c6013ca 4118 /* if a <= b simply fix the single digit */
wolfSSL 13:f67a6c6013ca 4119 if ((a->used == 1 && a->dp[0] <= b) || a->used == 0) {
wolfSSL 13:f67a6c6013ca 4120 if (a->used == 1) {
wolfSSL 13:f67a6c6013ca 4121 *tmpc++ = b - *tmpa;
wolfSSL 13:f67a6c6013ca 4122 } else {
wolfSSL 13:f67a6c6013ca 4123 *tmpc++ = b;
wolfSSL 13:f67a6c6013ca 4124 }
wolfSSL 13:f67a6c6013ca 4125 ix = 1;
wolfSSL 13:f67a6c6013ca 4126
wolfSSL 13:f67a6c6013ca 4127 /* negative/1digit */
wolfSSL 13:f67a6c6013ca 4128 c->sign = MP_NEG;
wolfSSL 13:f67a6c6013ca 4129 c->used = 1;
wolfSSL 13:f67a6c6013ca 4130 } else {
wolfSSL 13:f67a6c6013ca 4131 /* positive/size */
wolfSSL 13:f67a6c6013ca 4132 c->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4133 c->used = a->used;
wolfSSL 13:f67a6c6013ca 4134
wolfSSL 13:f67a6c6013ca 4135 /* subtract first digit */
wolfSSL 13:f67a6c6013ca 4136 *tmpc = *tmpa++ - b;
wolfSSL 13:f67a6c6013ca 4137 mu = *tmpc >> (sizeof(mp_digit) * CHAR_BIT - 1);
wolfSSL 13:f67a6c6013ca 4138 *tmpc++ &= MP_MASK;
wolfSSL 13:f67a6c6013ca 4139
wolfSSL 13:f67a6c6013ca 4140 /* handle rest of the digits */
wolfSSL 13:f67a6c6013ca 4141 for (ix = 1; ix < a->used; ix++) {
wolfSSL 13:f67a6c6013ca 4142 *tmpc = *tmpa++ - mu;
wolfSSL 13:f67a6c6013ca 4143 mu = *tmpc >> (sizeof(mp_digit) * CHAR_BIT - 1);
wolfSSL 13:f67a6c6013ca 4144 *tmpc++ &= MP_MASK;
wolfSSL 13:f67a6c6013ca 4145 }
wolfSSL 13:f67a6c6013ca 4146 }
wolfSSL 13:f67a6c6013ca 4147
wolfSSL 13:f67a6c6013ca 4148 /* zero excess digits */
wolfSSL 13:f67a6c6013ca 4149 while (ix++ < oldused) {
wolfSSL 13:f67a6c6013ca 4150 *tmpc++ = 0;
wolfSSL 13:f67a6c6013ca 4151 }
wolfSSL 13:f67a6c6013ca 4152 mp_clamp(c);
wolfSSL 13:f67a6c6013ca 4153 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4154 }
wolfSSL 13:f67a6c6013ca 4155
wolfSSL 13:f67a6c6013ca 4156 #endif /* defined(HAVE_ECC) || !defined(NO_PWDBASED) */
wolfSSL 13:f67a6c6013ca 4157
wolfSSL 13:f67a6c6013ca 4158
wolfSSL 13:f67a6c6013ca 4159 #if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) || defined(HAVE_ECC)
wolfSSL 13:f67a6c6013ca 4160
wolfSSL 13:f67a6c6013ca 4161 static const int lnz[16] = {
wolfSSL 13:f67a6c6013ca 4162 4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0
wolfSSL 13:f67a6c6013ca 4163 };
wolfSSL 13:f67a6c6013ca 4164
wolfSSL 13:f67a6c6013ca 4165 /* Counts the number of lsbs which are zero before the first zero bit */
wolfSSL 13:f67a6c6013ca 4166 int mp_cnt_lsb(mp_int *a)
wolfSSL 13:f67a6c6013ca 4167 {
wolfSSL 13:f67a6c6013ca 4168 int x;
wolfSSL 13:f67a6c6013ca 4169 mp_digit q = 0, qq;
wolfSSL 13:f67a6c6013ca 4170
wolfSSL 13:f67a6c6013ca 4171 /* easy out */
wolfSSL 13:f67a6c6013ca 4172 if (mp_iszero(a) == MP_YES) {
wolfSSL 13:f67a6c6013ca 4173 return 0;
wolfSSL 13:f67a6c6013ca 4174 }
wolfSSL 13:f67a6c6013ca 4175
wolfSSL 13:f67a6c6013ca 4176 /* scan lower digits until non-zero */
wolfSSL 13:f67a6c6013ca 4177 for (x = 0; x < a->used && a->dp[x] == 0; x++) {}
wolfSSL 13:f67a6c6013ca 4178 if (a->dp)
wolfSSL 13:f67a6c6013ca 4179 q = a->dp[x];
wolfSSL 13:f67a6c6013ca 4180 x *= DIGIT_BIT;
wolfSSL 13:f67a6c6013ca 4181
wolfSSL 13:f67a6c6013ca 4182 /* now scan this digit until a 1 is found */
wolfSSL 13:f67a6c6013ca 4183 if ((q & 1) == 0) {
wolfSSL 13:f67a6c6013ca 4184 do {
wolfSSL 13:f67a6c6013ca 4185 qq = q & 15;
wolfSSL 13:f67a6c6013ca 4186 x += lnz[qq];
wolfSSL 13:f67a6c6013ca 4187 q >>= 4;
wolfSSL 13:f67a6c6013ca 4188 } while (qq == 0);
wolfSSL 13:f67a6c6013ca 4189 }
wolfSSL 13:f67a6c6013ca 4190 return x;
wolfSSL 13:f67a6c6013ca 4191 }
wolfSSL 13:f67a6c6013ca 4192
wolfSSL 13:f67a6c6013ca 4193
wolfSSL 13:f67a6c6013ca 4194
wolfSSL 13:f67a6c6013ca 4195
wolfSSL 13:f67a6c6013ca 4196 static int s_is_power_of_two(mp_digit b, int *p)
wolfSSL 13:f67a6c6013ca 4197 {
wolfSSL 13:f67a6c6013ca 4198 int x;
wolfSSL 13:f67a6c6013ca 4199
wolfSSL 13:f67a6c6013ca 4200 /* fast return if no power of two */
wolfSSL 13:f67a6c6013ca 4201 if ((b==0) || (b & (b-1))) {
wolfSSL 13:f67a6c6013ca 4202 return 0;
wolfSSL 13:f67a6c6013ca 4203 }
wolfSSL 13:f67a6c6013ca 4204
wolfSSL 13:f67a6c6013ca 4205 for (x = 0; x < DIGIT_BIT; x++) {
wolfSSL 13:f67a6c6013ca 4206 if (b == (((mp_digit)1)<<x)) {
wolfSSL 13:f67a6c6013ca 4207 *p = x;
wolfSSL 13:f67a6c6013ca 4208 return 1;
wolfSSL 13:f67a6c6013ca 4209 }
wolfSSL 13:f67a6c6013ca 4210 }
wolfSSL 13:f67a6c6013ca 4211 return 0;
wolfSSL 13:f67a6c6013ca 4212 }
wolfSSL 13:f67a6c6013ca 4213
wolfSSL 13:f67a6c6013ca 4214 /* single digit division (based on routine from MPI) */
wolfSSL 13:f67a6c6013ca 4215 static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d)
wolfSSL 13:f67a6c6013ca 4216 {
wolfSSL 13:f67a6c6013ca 4217 mp_int q;
wolfSSL 13:f67a6c6013ca 4218 mp_word w;
wolfSSL 13:f67a6c6013ca 4219 mp_digit t;
wolfSSL 13:f67a6c6013ca 4220 int res = MP_OKAY, ix;
wolfSSL 13:f67a6c6013ca 4221
wolfSSL 13:f67a6c6013ca 4222 /* cannot divide by zero */
wolfSSL 13:f67a6c6013ca 4223 if (b == 0) {
wolfSSL 13:f67a6c6013ca 4224 return MP_VAL;
wolfSSL 13:f67a6c6013ca 4225 }
wolfSSL 13:f67a6c6013ca 4226
wolfSSL 13:f67a6c6013ca 4227 /* quick outs */
wolfSSL 13:f67a6c6013ca 4228 if (b == 1 || mp_iszero(a) == MP_YES) {
wolfSSL 13:f67a6c6013ca 4229 if (d != NULL) {
wolfSSL 13:f67a6c6013ca 4230 *d = 0;
wolfSSL 13:f67a6c6013ca 4231 }
wolfSSL 13:f67a6c6013ca 4232 if (c != NULL) {
wolfSSL 13:f67a6c6013ca 4233 return mp_copy(a, c);
wolfSSL 13:f67a6c6013ca 4234 }
wolfSSL 13:f67a6c6013ca 4235 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4236 }
wolfSSL 13:f67a6c6013ca 4237
wolfSSL 13:f67a6c6013ca 4238 /* power of two ? */
wolfSSL 13:f67a6c6013ca 4239 if (s_is_power_of_two(b, &ix) == 1) {
wolfSSL 13:f67a6c6013ca 4240 if (d != NULL) {
wolfSSL 13:f67a6c6013ca 4241 *d = a->dp[0] & ((((mp_digit)1)<<ix) - 1);
wolfSSL 13:f67a6c6013ca 4242 }
wolfSSL 13:f67a6c6013ca 4243 if (c != NULL) {
wolfSSL 13:f67a6c6013ca 4244 return mp_div_2d(a, ix, c, NULL);
wolfSSL 13:f67a6c6013ca 4245 }
wolfSSL 13:f67a6c6013ca 4246 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4247 }
wolfSSL 13:f67a6c6013ca 4248
wolfSSL 13:f67a6c6013ca 4249 #ifdef BN_MP_DIV_3_C
wolfSSL 13:f67a6c6013ca 4250 /* three? */
wolfSSL 13:f67a6c6013ca 4251 if (b == 3) {
wolfSSL 13:f67a6c6013ca 4252 return mp_div_3(a, c, d);
wolfSSL 13:f67a6c6013ca 4253 }
wolfSSL 13:f67a6c6013ca 4254 #endif
wolfSSL 13:f67a6c6013ca 4255
wolfSSL 13:f67a6c6013ca 4256 /* no easy answer [c'est la vie]. Just division */
wolfSSL 13:f67a6c6013ca 4257 if (c != NULL) {
wolfSSL 13:f67a6c6013ca 4258 if ((res = mp_init_size(&q, a->used)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4259 return res;
wolfSSL 13:f67a6c6013ca 4260 }
wolfSSL 13:f67a6c6013ca 4261
wolfSSL 13:f67a6c6013ca 4262 q.used = a->used;
wolfSSL 13:f67a6c6013ca 4263 q.sign = a->sign;
wolfSSL 13:f67a6c6013ca 4264 }
wolfSSL 13:f67a6c6013ca 4265 else {
wolfSSL 13:f67a6c6013ca 4266 if ((res = mp_init(&q)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4267 return res;
wolfSSL 13:f67a6c6013ca 4268 }
wolfSSL 13:f67a6c6013ca 4269 }
wolfSSL 13:f67a6c6013ca 4270
wolfSSL 13:f67a6c6013ca 4271
wolfSSL 13:f67a6c6013ca 4272 w = 0;
wolfSSL 13:f67a6c6013ca 4273 for (ix = a->used - 1; ix >= 0; ix--) {
wolfSSL 13:f67a6c6013ca 4274 w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]);
wolfSSL 13:f67a6c6013ca 4275
wolfSSL 13:f67a6c6013ca 4276 if (w >= b) {
wolfSSL 13:f67a6c6013ca 4277 t = (mp_digit)(w / b);
wolfSSL 13:f67a6c6013ca 4278 w -= ((mp_word)t) * ((mp_word)b);
wolfSSL 13:f67a6c6013ca 4279 } else {
wolfSSL 13:f67a6c6013ca 4280 t = 0;
wolfSSL 13:f67a6c6013ca 4281 }
wolfSSL 13:f67a6c6013ca 4282 if (c != NULL)
wolfSSL 13:f67a6c6013ca 4283 q.dp[ix] = (mp_digit)t;
wolfSSL 13:f67a6c6013ca 4284 }
wolfSSL 13:f67a6c6013ca 4285
wolfSSL 13:f67a6c6013ca 4286 if (d != NULL) {
wolfSSL 13:f67a6c6013ca 4287 *d = (mp_digit)w;
wolfSSL 13:f67a6c6013ca 4288 }
wolfSSL 13:f67a6c6013ca 4289
wolfSSL 13:f67a6c6013ca 4290 if (c != NULL) {
wolfSSL 13:f67a6c6013ca 4291 mp_clamp(&q);
wolfSSL 13:f67a6c6013ca 4292 mp_exch(&q, c);
wolfSSL 13:f67a6c6013ca 4293 }
wolfSSL 13:f67a6c6013ca 4294 mp_clear(&q);
wolfSSL 13:f67a6c6013ca 4295
wolfSSL 13:f67a6c6013ca 4296 return res;
wolfSSL 13:f67a6c6013ca 4297 }
wolfSSL 13:f67a6c6013ca 4298
wolfSSL 13:f67a6c6013ca 4299
wolfSSL 13:f67a6c6013ca 4300 int mp_mod_d (mp_int * a, mp_digit b, mp_digit * c)
wolfSSL 13:f67a6c6013ca 4301 {
wolfSSL 13:f67a6c6013ca 4302 return mp_div_d(a, b, NULL, c);
wolfSSL 13:f67a6c6013ca 4303 }
wolfSSL 13:f67a6c6013ca 4304
wolfSSL 13:f67a6c6013ca 4305 #endif /* defined(WOLFSSL_KEY_GEN)||defined(HAVE_COMP_KEY)||defined(HAVE_ECC) */
wolfSSL 13:f67a6c6013ca 4306
wolfSSL 13:f67a6c6013ca 4307 #ifdef WOLFSSL_KEY_GEN
wolfSSL 13:f67a6c6013ca 4308
wolfSSL 13:f67a6c6013ca 4309 const mp_digit ltm_prime_tab[PRIME_SIZE] = {
wolfSSL 13:f67a6c6013ca 4310 0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013,
wolfSSL 13:f67a6c6013ca 4311 0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035,
wolfSSL 13:f67a6c6013ca 4312 0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059,
wolfSSL 13:f67a6c6013ca 4313 0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F,
wolfSSL 13:f67a6c6013ca 4314 #ifndef MP_8BIT
wolfSSL 13:f67a6c6013ca 4315 0x0083,
wolfSSL 13:f67a6c6013ca 4316 0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD,
wolfSSL 13:f67a6c6013ca 4317 0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF,
wolfSSL 13:f67a6c6013ca 4318 0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107,
wolfSSL 13:f67a6c6013ca 4319 0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137,
wolfSSL 13:f67a6c6013ca 4320
wolfSSL 13:f67a6c6013ca 4321 0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167,
wolfSSL 13:f67a6c6013ca 4322 0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199,
wolfSSL 13:f67a6c6013ca 4323 0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9,
wolfSSL 13:f67a6c6013ca 4324 0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7,
wolfSSL 13:f67a6c6013ca 4325 0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239,
wolfSSL 13:f67a6c6013ca 4326 0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265,
wolfSSL 13:f67a6c6013ca 4327 0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293,
wolfSSL 13:f67a6c6013ca 4328 0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF,
wolfSSL 13:f67a6c6013ca 4329
wolfSSL 13:f67a6c6013ca 4330 0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF, 0x02F5, 0x02F9, 0x0301,
wolfSSL 13:f67a6c6013ca 4331 0x0305, 0x0313, 0x031D, 0x0329, 0x032B, 0x0335, 0x0337, 0x033B,
wolfSSL 13:f67a6c6013ca 4332 0x033D, 0x0347, 0x0355, 0x0359, 0x035B, 0x035F, 0x036D, 0x0371,
wolfSSL 13:f67a6c6013ca 4333 0x0373, 0x0377, 0x038B, 0x038F, 0x0397, 0x03A1, 0x03A9, 0x03AD,
wolfSSL 13:f67a6c6013ca 4334 0x03B3, 0x03B9, 0x03C7, 0x03CB, 0x03D1, 0x03D7, 0x03DF, 0x03E5,
wolfSSL 13:f67a6c6013ca 4335 0x03F1, 0x03F5, 0x03FB, 0x03FD, 0x0407, 0x0409, 0x040F, 0x0419,
wolfSSL 13:f67a6c6013ca 4336 0x041B, 0x0425, 0x0427, 0x042D, 0x043F, 0x0443, 0x0445, 0x0449,
wolfSSL 13:f67a6c6013ca 4337 0x044F, 0x0455, 0x045D, 0x0463, 0x0469, 0x047F, 0x0481, 0x048B,
wolfSSL 13:f67a6c6013ca 4338
wolfSSL 13:f67a6c6013ca 4339 0x0493, 0x049D, 0x04A3, 0x04A9, 0x04B1, 0x04BD, 0x04C1, 0x04C7,
wolfSSL 13:f67a6c6013ca 4340 0x04CD, 0x04CF, 0x04D5, 0x04E1, 0x04EB, 0x04FD, 0x04FF, 0x0503,
wolfSSL 13:f67a6c6013ca 4341 0x0509, 0x050B, 0x0511, 0x0515, 0x0517, 0x051B, 0x0527, 0x0529,
wolfSSL 13:f67a6c6013ca 4342 0x052F, 0x0551, 0x0557, 0x055D, 0x0565, 0x0577, 0x0581, 0x058F,
wolfSSL 13:f67a6c6013ca 4343 0x0593, 0x0595, 0x0599, 0x059F, 0x05A7, 0x05AB, 0x05AD, 0x05B3,
wolfSSL 13:f67a6c6013ca 4344 0x05BF, 0x05C9, 0x05CB, 0x05CF, 0x05D1, 0x05D5, 0x05DB, 0x05E7,
wolfSSL 13:f67a6c6013ca 4345 0x05F3, 0x05FB, 0x0607, 0x060D, 0x0611, 0x0617, 0x061F, 0x0623,
wolfSSL 13:f67a6c6013ca 4346 0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653
wolfSSL 13:f67a6c6013ca 4347 #endif
wolfSSL 13:f67a6c6013ca 4348 };
wolfSSL 13:f67a6c6013ca 4349
wolfSSL 13:f67a6c6013ca 4350
wolfSSL 13:f67a6c6013ca 4351 /* Miller-Rabin test of "a" to the base of "b" as described in
wolfSSL 13:f67a6c6013ca 4352 * HAC pp. 139 Algorithm 4.24
wolfSSL 13:f67a6c6013ca 4353 *
wolfSSL 13:f67a6c6013ca 4354 * Sets result to 0 if definitely composite or 1 if probably prime.
wolfSSL 13:f67a6c6013ca 4355 * Randomly the chance of error is no more than 1/4 and often
wolfSSL 13:f67a6c6013ca 4356 * very much lower.
wolfSSL 13:f67a6c6013ca 4357 */
wolfSSL 13:f67a6c6013ca 4358 static int mp_prime_miller_rabin (mp_int * a, mp_int * b, int *result)
wolfSSL 13:f67a6c6013ca 4359 {
wolfSSL 13:f67a6c6013ca 4360 mp_int n1, y, r;
wolfSSL 13:f67a6c6013ca 4361 int s, j, err;
wolfSSL 13:f67a6c6013ca 4362
wolfSSL 13:f67a6c6013ca 4363 /* default */
wolfSSL 13:f67a6c6013ca 4364 *result = MP_NO;
wolfSSL 13:f67a6c6013ca 4365
wolfSSL 13:f67a6c6013ca 4366 /* ensure b > 1 */
wolfSSL 13:f67a6c6013ca 4367 if (mp_cmp_d(b, 1) != MP_GT) {
wolfSSL 13:f67a6c6013ca 4368 return MP_VAL;
wolfSSL 13:f67a6c6013ca 4369 }
wolfSSL 13:f67a6c6013ca 4370
wolfSSL 13:f67a6c6013ca 4371 /* get n1 = a - 1 */
wolfSSL 13:f67a6c6013ca 4372 if ((err = mp_init_copy (&n1, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4373 return err;
wolfSSL 13:f67a6c6013ca 4374 }
wolfSSL 13:f67a6c6013ca 4375 if ((err = mp_sub_d (&n1, 1, &n1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4376 goto LBL_N1;
wolfSSL 13:f67a6c6013ca 4377 }
wolfSSL 13:f67a6c6013ca 4378
wolfSSL 13:f67a6c6013ca 4379 /* set 2**s * r = n1 */
wolfSSL 13:f67a6c6013ca 4380 if ((err = mp_init_copy (&r, &n1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4381 goto LBL_N1;
wolfSSL 13:f67a6c6013ca 4382 }
wolfSSL 13:f67a6c6013ca 4383
wolfSSL 13:f67a6c6013ca 4384 /* count the number of least significant bits
wolfSSL 13:f67a6c6013ca 4385 * which are zero
wolfSSL 13:f67a6c6013ca 4386 */
wolfSSL 13:f67a6c6013ca 4387 s = mp_cnt_lsb(&r);
wolfSSL 13:f67a6c6013ca 4388
wolfSSL 13:f67a6c6013ca 4389 /* now divide n - 1 by 2**s */
wolfSSL 13:f67a6c6013ca 4390 if ((err = mp_div_2d (&r, s, &r, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4391 goto LBL_R;
wolfSSL 13:f67a6c6013ca 4392 }
wolfSSL 13:f67a6c6013ca 4393
wolfSSL 13:f67a6c6013ca 4394 /* compute y = b**r mod a */
wolfSSL 13:f67a6c6013ca 4395 if ((err = mp_init (&y)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4396 goto LBL_R;
wolfSSL 13:f67a6c6013ca 4397 }
wolfSSL 13:f67a6c6013ca 4398 if ((err = mp_exptmod (b, &r, a, &y)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4399 goto LBL_Y;
wolfSSL 13:f67a6c6013ca 4400 }
wolfSSL 13:f67a6c6013ca 4401
wolfSSL 13:f67a6c6013ca 4402 /* if y != 1 and y != n1 do */
wolfSSL 13:f67a6c6013ca 4403 if (mp_cmp_d (&y, 1) != MP_EQ && mp_cmp (&y, &n1) != MP_EQ) {
wolfSSL 13:f67a6c6013ca 4404 j = 1;
wolfSSL 13:f67a6c6013ca 4405 /* while j <= s-1 and y != n1 */
wolfSSL 13:f67a6c6013ca 4406 while ((j <= (s - 1)) && mp_cmp (&y, &n1) != MP_EQ) {
wolfSSL 13:f67a6c6013ca 4407 if ((err = mp_sqrmod (&y, a, &y)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4408 goto LBL_Y;
wolfSSL 13:f67a6c6013ca 4409 }
wolfSSL 13:f67a6c6013ca 4410
wolfSSL 13:f67a6c6013ca 4411 /* if y == 1 then composite */
wolfSSL 13:f67a6c6013ca 4412 if (mp_cmp_d (&y, 1) == MP_EQ) {
wolfSSL 13:f67a6c6013ca 4413 goto LBL_Y;
wolfSSL 13:f67a6c6013ca 4414 }
wolfSSL 13:f67a6c6013ca 4415
wolfSSL 13:f67a6c6013ca 4416 ++j;
wolfSSL 13:f67a6c6013ca 4417 }
wolfSSL 13:f67a6c6013ca 4418
wolfSSL 13:f67a6c6013ca 4419 /* if y != n1 then composite */
wolfSSL 13:f67a6c6013ca 4420 if (mp_cmp (&y, &n1) != MP_EQ) {
wolfSSL 13:f67a6c6013ca 4421 goto LBL_Y;
wolfSSL 13:f67a6c6013ca 4422 }
wolfSSL 13:f67a6c6013ca 4423 }
wolfSSL 13:f67a6c6013ca 4424
wolfSSL 13:f67a6c6013ca 4425 /* probably prime now */
wolfSSL 13:f67a6c6013ca 4426 *result = MP_YES;
wolfSSL 13:f67a6c6013ca 4427 LBL_Y:mp_clear (&y);
wolfSSL 13:f67a6c6013ca 4428 LBL_R:mp_clear (&r);
wolfSSL 13:f67a6c6013ca 4429 LBL_N1:mp_clear (&n1);
wolfSSL 13:f67a6c6013ca 4430 return err;
wolfSSL 13:f67a6c6013ca 4431 }
wolfSSL 13:f67a6c6013ca 4432
wolfSSL 13:f67a6c6013ca 4433
wolfSSL 13:f67a6c6013ca 4434 /* determines if an integers is divisible by one
wolfSSL 13:f67a6c6013ca 4435 * of the first PRIME_SIZE primes or not
wolfSSL 13:f67a6c6013ca 4436 *
wolfSSL 13:f67a6c6013ca 4437 * sets result to 0 if not, 1 if yes
wolfSSL 13:f67a6c6013ca 4438 */
wolfSSL 13:f67a6c6013ca 4439 static int mp_prime_is_divisible (mp_int * a, int *result)
wolfSSL 13:f67a6c6013ca 4440 {
wolfSSL 13:f67a6c6013ca 4441 int err, ix;
wolfSSL 13:f67a6c6013ca 4442 mp_digit res;
wolfSSL 13:f67a6c6013ca 4443
wolfSSL 13:f67a6c6013ca 4444 /* default to not */
wolfSSL 13:f67a6c6013ca 4445 *result = MP_NO;
wolfSSL 13:f67a6c6013ca 4446
wolfSSL 13:f67a6c6013ca 4447 for (ix = 0; ix < PRIME_SIZE; ix++) {
wolfSSL 13:f67a6c6013ca 4448 /* what is a mod LBL_prime_tab[ix] */
wolfSSL 13:f67a6c6013ca 4449 if ((err = mp_mod_d (a, ltm_prime_tab[ix], &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4450 return err;
wolfSSL 13:f67a6c6013ca 4451 }
wolfSSL 13:f67a6c6013ca 4452
wolfSSL 13:f67a6c6013ca 4453 /* is the residue zero? */
wolfSSL 13:f67a6c6013ca 4454 if (res == 0) {
wolfSSL 13:f67a6c6013ca 4455 *result = MP_YES;
wolfSSL 13:f67a6c6013ca 4456 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4457 }
wolfSSL 13:f67a6c6013ca 4458 }
wolfSSL 13:f67a6c6013ca 4459
wolfSSL 13:f67a6c6013ca 4460 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4461 }
wolfSSL 13:f67a6c6013ca 4462
wolfSSL 13:f67a6c6013ca 4463 static const int USE_BBS = 1;
wolfSSL 13:f67a6c6013ca 4464
wolfSSL 13:f67a6c6013ca 4465 int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap)
wolfSSL 13:f67a6c6013ca 4466 {
wolfSSL 13:f67a6c6013ca 4467 int err, res, type;
wolfSSL 13:f67a6c6013ca 4468 byte* buf;
wolfSSL 13:f67a6c6013ca 4469
wolfSSL 13:f67a6c6013ca 4470 if (N == NULL || rng == NULL)
wolfSSL 13:f67a6c6013ca 4471 return MP_VAL;
wolfSSL 13:f67a6c6013ca 4472
wolfSSL 13:f67a6c6013ca 4473 /* get type */
wolfSSL 13:f67a6c6013ca 4474 if (len < 0) {
wolfSSL 13:f67a6c6013ca 4475 type = USE_BBS;
wolfSSL 13:f67a6c6013ca 4476 len = -len;
wolfSSL 13:f67a6c6013ca 4477 } else {
wolfSSL 13:f67a6c6013ca 4478 type = 0;
wolfSSL 13:f67a6c6013ca 4479 }
wolfSSL 13:f67a6c6013ca 4480
wolfSSL 13:f67a6c6013ca 4481 /* allow sizes between 2 and 512 bytes for a prime size */
wolfSSL 13:f67a6c6013ca 4482 if (len < 2 || len > 512) {
wolfSSL 13:f67a6c6013ca 4483 return MP_VAL;
wolfSSL 13:f67a6c6013ca 4484 }
wolfSSL 13:f67a6c6013ca 4485
wolfSSL 13:f67a6c6013ca 4486 /* allocate buffer to work with */
wolfSSL 13:f67a6c6013ca 4487 buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:f67a6c6013ca 4488 if (buf == NULL) {
wolfSSL 13:f67a6c6013ca 4489 return MP_MEM;
wolfSSL 13:f67a6c6013ca 4490 }
wolfSSL 13:f67a6c6013ca 4491 XMEMSET(buf, 0, len);
wolfSSL 13:f67a6c6013ca 4492
wolfSSL 13:f67a6c6013ca 4493 do {
wolfSSL 13:f67a6c6013ca 4494 #ifdef SHOW_GEN
wolfSSL 13:f67a6c6013ca 4495 printf(".");
wolfSSL 13:f67a6c6013ca 4496 fflush(stdout);
wolfSSL 13:f67a6c6013ca 4497 #endif
wolfSSL 13:f67a6c6013ca 4498 /* generate value */
wolfSSL 13:f67a6c6013ca 4499 err = wc_RNG_GenerateBlock(rng, buf, len);
wolfSSL 13:f67a6c6013ca 4500 if (err != 0) {
wolfSSL 13:f67a6c6013ca 4501 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:f67a6c6013ca 4502 return err;
wolfSSL 13:f67a6c6013ca 4503 }
wolfSSL 13:f67a6c6013ca 4504
wolfSSL 13:f67a6c6013ca 4505 /* munge bits */
wolfSSL 13:f67a6c6013ca 4506 buf[0] |= 0x80 | 0x40;
wolfSSL 13:f67a6c6013ca 4507 buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00);
wolfSSL 13:f67a6c6013ca 4508
wolfSSL 13:f67a6c6013ca 4509 /* load value */
wolfSSL 13:f67a6c6013ca 4510 if ((err = mp_read_unsigned_bin(N, buf, len)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4511 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:f67a6c6013ca 4512 return err;
wolfSSL 13:f67a6c6013ca 4513 }
wolfSSL 13:f67a6c6013ca 4514
wolfSSL 13:f67a6c6013ca 4515 /* test */
wolfSSL 13:f67a6c6013ca 4516 if ((err = mp_prime_is_prime(N, 8, &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4517 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:f67a6c6013ca 4518 return err;
wolfSSL 13:f67a6c6013ca 4519 }
wolfSSL 13:f67a6c6013ca 4520 } while (res == MP_NO);
wolfSSL 13:f67a6c6013ca 4521
wolfSSL 13:f67a6c6013ca 4522 XMEMSET(buf, 0, len);
wolfSSL 13:f67a6c6013ca 4523 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:f67a6c6013ca 4524
wolfSSL 13:f67a6c6013ca 4525 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4526 }
wolfSSL 13:f67a6c6013ca 4527
wolfSSL 13:f67a6c6013ca 4528 /*
wolfSSL 13:f67a6c6013ca 4529 * Sets result to 1 if probably prime, 0 otherwise
wolfSSL 13:f67a6c6013ca 4530 */
wolfSSL 13:f67a6c6013ca 4531 int mp_prime_is_prime (mp_int * a, int t, int *result)
wolfSSL 13:f67a6c6013ca 4532 {
wolfSSL 13:f67a6c6013ca 4533 mp_int b;
wolfSSL 13:f67a6c6013ca 4534 int ix, err, res;
wolfSSL 13:f67a6c6013ca 4535
wolfSSL 13:f67a6c6013ca 4536 /* default to no */
wolfSSL 13:f67a6c6013ca 4537 *result = MP_NO;
wolfSSL 13:f67a6c6013ca 4538
wolfSSL 13:f67a6c6013ca 4539 /* valid value of t? */
wolfSSL 13:f67a6c6013ca 4540 if (t <= 0 || t > PRIME_SIZE) {
wolfSSL 13:f67a6c6013ca 4541 return MP_VAL;
wolfSSL 13:f67a6c6013ca 4542 }
wolfSSL 13:f67a6c6013ca 4543
wolfSSL 13:f67a6c6013ca 4544 /* is the input equal to one of the primes in the table? */
wolfSSL 13:f67a6c6013ca 4545 for (ix = 0; ix < PRIME_SIZE; ix++) {
wolfSSL 13:f67a6c6013ca 4546 if (mp_cmp_d(a, ltm_prime_tab[ix]) == MP_EQ) {
wolfSSL 13:f67a6c6013ca 4547 *result = 1;
wolfSSL 13:f67a6c6013ca 4548 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4549 }
wolfSSL 13:f67a6c6013ca 4550 }
wolfSSL 13:f67a6c6013ca 4551
wolfSSL 13:f67a6c6013ca 4552 /* first perform trial division */
wolfSSL 13:f67a6c6013ca 4553 if ((err = mp_prime_is_divisible (a, &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4554 return err;
wolfSSL 13:f67a6c6013ca 4555 }
wolfSSL 13:f67a6c6013ca 4556
wolfSSL 13:f67a6c6013ca 4557 /* return if it was trivially divisible */
wolfSSL 13:f67a6c6013ca 4558 if (res == MP_YES) {
wolfSSL 13:f67a6c6013ca 4559 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4560 }
wolfSSL 13:f67a6c6013ca 4561
wolfSSL 13:f67a6c6013ca 4562 /* now perform the miller-rabin rounds */
wolfSSL 13:f67a6c6013ca 4563 if ((err = mp_init (&b)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4564 return err;
wolfSSL 13:f67a6c6013ca 4565 }
wolfSSL 13:f67a6c6013ca 4566
wolfSSL 13:f67a6c6013ca 4567 for (ix = 0; ix < t; ix++) {
wolfSSL 13:f67a6c6013ca 4568 /* set the prime */
wolfSSL 13:f67a6c6013ca 4569 if ((err = mp_set (&b, ltm_prime_tab[ix])) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4570 goto LBL_B;
wolfSSL 13:f67a6c6013ca 4571 }
wolfSSL 13:f67a6c6013ca 4572
wolfSSL 13:f67a6c6013ca 4573 if ((err = mp_prime_miller_rabin (a, &b, &res)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4574 goto LBL_B;
wolfSSL 13:f67a6c6013ca 4575 }
wolfSSL 13:f67a6c6013ca 4576
wolfSSL 13:f67a6c6013ca 4577 if (res == MP_NO) {
wolfSSL 13:f67a6c6013ca 4578 goto LBL_B;
wolfSSL 13:f67a6c6013ca 4579 }
wolfSSL 13:f67a6c6013ca 4580 }
wolfSSL 13:f67a6c6013ca 4581
wolfSSL 13:f67a6c6013ca 4582 /* passed the test */
wolfSSL 13:f67a6c6013ca 4583 *result = MP_YES;
wolfSSL 13:f67a6c6013ca 4584 LBL_B:mp_clear (&b);
wolfSSL 13:f67a6c6013ca 4585 return err;
wolfSSL 13:f67a6c6013ca 4586 }
wolfSSL 13:f67a6c6013ca 4587
wolfSSL 13:f67a6c6013ca 4588
wolfSSL 13:f67a6c6013ca 4589 /* computes least common multiple as |a*b|/(a, b) */
wolfSSL 13:f67a6c6013ca 4590 int mp_lcm (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 4591 {
wolfSSL 13:f67a6c6013ca 4592 int res;
wolfSSL 13:f67a6c6013ca 4593 mp_int t1, t2;
wolfSSL 13:f67a6c6013ca 4594
wolfSSL 13:f67a6c6013ca 4595
wolfSSL 13:f67a6c6013ca 4596 if ((res = mp_init_multi (&t1, &t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4597 return res;
wolfSSL 13:f67a6c6013ca 4598 }
wolfSSL 13:f67a6c6013ca 4599
wolfSSL 13:f67a6c6013ca 4600 /* t1 = get the GCD of the two inputs */
wolfSSL 13:f67a6c6013ca 4601 if ((res = mp_gcd (a, b, &t1)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4602 goto LBL_T;
wolfSSL 13:f67a6c6013ca 4603 }
wolfSSL 13:f67a6c6013ca 4604
wolfSSL 13:f67a6c6013ca 4605 /* divide the smallest by the GCD */
wolfSSL 13:f67a6c6013ca 4606 if (mp_cmp_mag(a, b) == MP_LT) {
wolfSSL 13:f67a6c6013ca 4607 /* store quotient in t2 such that t2 * b is the LCM */
wolfSSL 13:f67a6c6013ca 4608 if ((res = mp_div(a, &t1, &t2, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4609 goto LBL_T;
wolfSSL 13:f67a6c6013ca 4610 }
wolfSSL 13:f67a6c6013ca 4611 res = mp_mul(b, &t2, c);
wolfSSL 13:f67a6c6013ca 4612 } else {
wolfSSL 13:f67a6c6013ca 4613 /* store quotient in t2 such that t2 * a is the LCM */
wolfSSL 13:f67a6c6013ca 4614 if ((res = mp_div(b, &t1, &t2, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4615 goto LBL_T;
wolfSSL 13:f67a6c6013ca 4616 }
wolfSSL 13:f67a6c6013ca 4617 res = mp_mul(a, &t2, c);
wolfSSL 13:f67a6c6013ca 4618 }
wolfSSL 13:f67a6c6013ca 4619
wolfSSL 13:f67a6c6013ca 4620 /* fix the sign to positive */
wolfSSL 13:f67a6c6013ca 4621 c->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4622
wolfSSL 13:f67a6c6013ca 4623 LBL_T:
wolfSSL 13:f67a6c6013ca 4624 mp_clear(&t1);
wolfSSL 13:f67a6c6013ca 4625 mp_clear(&t2);
wolfSSL 13:f67a6c6013ca 4626 return res;
wolfSSL 13:f67a6c6013ca 4627 }
wolfSSL 13:f67a6c6013ca 4628
wolfSSL 13:f67a6c6013ca 4629
wolfSSL 13:f67a6c6013ca 4630
wolfSSL 13:f67a6c6013ca 4631 /* Greatest Common Divisor using the binary method */
wolfSSL 13:f67a6c6013ca 4632 int mp_gcd (mp_int * a, mp_int * b, mp_int * c)
wolfSSL 13:f67a6c6013ca 4633 {
wolfSSL 13:f67a6c6013ca 4634 mp_int u, v;
wolfSSL 13:f67a6c6013ca 4635 int k, u_lsb, v_lsb, res;
wolfSSL 13:f67a6c6013ca 4636
wolfSSL 13:f67a6c6013ca 4637 /* either zero than gcd is the largest */
wolfSSL 13:f67a6c6013ca 4638 if (mp_iszero (a) == MP_YES) {
wolfSSL 13:f67a6c6013ca 4639 return mp_abs (b, c);
wolfSSL 13:f67a6c6013ca 4640 }
wolfSSL 13:f67a6c6013ca 4641 if (mp_iszero (b) == MP_YES) {
wolfSSL 13:f67a6c6013ca 4642 return mp_abs (a, c);
wolfSSL 13:f67a6c6013ca 4643 }
wolfSSL 13:f67a6c6013ca 4644
wolfSSL 13:f67a6c6013ca 4645 /* get copies of a and b we can modify */
wolfSSL 13:f67a6c6013ca 4646 if ((res = mp_init_copy (&u, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4647 return res;
wolfSSL 13:f67a6c6013ca 4648 }
wolfSSL 13:f67a6c6013ca 4649
wolfSSL 13:f67a6c6013ca 4650 if ((res = mp_init_copy (&v, b)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4651 goto LBL_U;
wolfSSL 13:f67a6c6013ca 4652 }
wolfSSL 13:f67a6c6013ca 4653
wolfSSL 13:f67a6c6013ca 4654 /* must be positive for the remainder of the algorithm */
wolfSSL 13:f67a6c6013ca 4655 u.sign = v.sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4656
wolfSSL 13:f67a6c6013ca 4657 /* B1. Find the common power of two for u and v */
wolfSSL 13:f67a6c6013ca 4658 u_lsb = mp_cnt_lsb(&u);
wolfSSL 13:f67a6c6013ca 4659 v_lsb = mp_cnt_lsb(&v);
wolfSSL 13:f67a6c6013ca 4660 k = MIN(u_lsb, v_lsb);
wolfSSL 13:f67a6c6013ca 4661
wolfSSL 13:f67a6c6013ca 4662 if (k > 0) {
wolfSSL 13:f67a6c6013ca 4663 /* divide the power of two out */
wolfSSL 13:f67a6c6013ca 4664 if ((res = mp_div_2d(&u, k, &u, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4665 goto LBL_V;
wolfSSL 13:f67a6c6013ca 4666 }
wolfSSL 13:f67a6c6013ca 4667
wolfSSL 13:f67a6c6013ca 4668 if ((res = mp_div_2d(&v, k, &v, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4669 goto LBL_V;
wolfSSL 13:f67a6c6013ca 4670 }
wolfSSL 13:f67a6c6013ca 4671 }
wolfSSL 13:f67a6c6013ca 4672
wolfSSL 13:f67a6c6013ca 4673 /* divide any remaining factors of two out */
wolfSSL 13:f67a6c6013ca 4674 if (u_lsb != k) {
wolfSSL 13:f67a6c6013ca 4675 if ((res = mp_div_2d(&u, u_lsb - k, &u, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4676 goto LBL_V;
wolfSSL 13:f67a6c6013ca 4677 }
wolfSSL 13:f67a6c6013ca 4678 }
wolfSSL 13:f67a6c6013ca 4679
wolfSSL 13:f67a6c6013ca 4680 if (v_lsb != k) {
wolfSSL 13:f67a6c6013ca 4681 if ((res = mp_div_2d(&v, v_lsb - k, &v, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4682 goto LBL_V;
wolfSSL 13:f67a6c6013ca 4683 }
wolfSSL 13:f67a6c6013ca 4684 }
wolfSSL 13:f67a6c6013ca 4685
wolfSSL 13:f67a6c6013ca 4686 while (mp_iszero(&v) == MP_NO) {
wolfSSL 13:f67a6c6013ca 4687 /* make sure v is the largest */
wolfSSL 13:f67a6c6013ca 4688 if (mp_cmp_mag(&u, &v) == MP_GT) {
wolfSSL 13:f67a6c6013ca 4689 /* swap u and v to make sure v is >= u */
wolfSSL 13:f67a6c6013ca 4690 mp_exch(&u, &v);
wolfSSL 13:f67a6c6013ca 4691 }
wolfSSL 13:f67a6c6013ca 4692
wolfSSL 13:f67a6c6013ca 4693 /* subtract smallest from largest */
wolfSSL 13:f67a6c6013ca 4694 if ((res = s_mp_sub(&v, &u, &v)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4695 goto LBL_V;
wolfSSL 13:f67a6c6013ca 4696 }
wolfSSL 13:f67a6c6013ca 4697
wolfSSL 13:f67a6c6013ca 4698 /* Divide out all factors of two */
wolfSSL 13:f67a6c6013ca 4699 if ((res = mp_div_2d(&v, mp_cnt_lsb(&v), &v, NULL)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4700 goto LBL_V;
wolfSSL 13:f67a6c6013ca 4701 }
wolfSSL 13:f67a6c6013ca 4702 }
wolfSSL 13:f67a6c6013ca 4703
wolfSSL 13:f67a6c6013ca 4704 /* multiply by 2**k which we divided out at the beginning */
wolfSSL 13:f67a6c6013ca 4705 if ((res = mp_mul_2d (&u, k, c)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4706 goto LBL_V;
wolfSSL 13:f67a6c6013ca 4707 }
wolfSSL 13:f67a6c6013ca 4708 c->sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4709 res = MP_OKAY;
wolfSSL 13:f67a6c6013ca 4710 LBL_V:mp_clear (&u);
wolfSSL 13:f67a6c6013ca 4711 LBL_U:mp_clear (&v);
wolfSSL 13:f67a6c6013ca 4712 return res;
wolfSSL 13:f67a6c6013ca 4713 }
wolfSSL 13:f67a6c6013ca 4714
wolfSSL 13:f67a6c6013ca 4715 #endif /* WOLFSSL_KEY_GEN */
wolfSSL 13:f67a6c6013ca 4716
wolfSSL 13:f67a6c6013ca 4717
wolfSSL 13:f67a6c6013ca 4718 #if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)
wolfSSL 13:f67a6c6013ca 4719
wolfSSL 13:f67a6c6013ca 4720 /* chars used in radix conversions */
wolfSSL 13:f67a6c6013ca 4721 const char *mp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\
wolfSSL 13:f67a6c6013ca 4722 abcdefghijklmnopqrstuvwxyz+/";
wolfSSL 13:f67a6c6013ca 4723 #endif
wolfSSL 13:f67a6c6013ca 4724
wolfSSL 13:f67a6c6013ca 4725 #ifdef HAVE_ECC
wolfSSL 13:f67a6c6013ca 4726 /* read a string [ASCII] in a given radix */
wolfSSL 13:f67a6c6013ca 4727 int mp_read_radix (mp_int * a, const char *str, int radix)
wolfSSL 13:f67a6c6013ca 4728 {
wolfSSL 13:f67a6c6013ca 4729 int y, res, neg;
wolfSSL 13:f67a6c6013ca 4730 char ch;
wolfSSL 13:f67a6c6013ca 4731
wolfSSL 13:f67a6c6013ca 4732 /* zero the digit bignum */
wolfSSL 13:f67a6c6013ca 4733 mp_zero(a);
wolfSSL 13:f67a6c6013ca 4734
wolfSSL 13:f67a6c6013ca 4735 /* make sure the radix is ok */
wolfSSL 13:f67a6c6013ca 4736 if (radix < 2 || radix > 64) {
wolfSSL 13:f67a6c6013ca 4737 return MP_VAL;
wolfSSL 13:f67a6c6013ca 4738 }
wolfSSL 13:f67a6c6013ca 4739
wolfSSL 13:f67a6c6013ca 4740 /* if the leading digit is a
wolfSSL 13:f67a6c6013ca 4741 * minus set the sign to negative.
wolfSSL 13:f67a6c6013ca 4742 */
wolfSSL 13:f67a6c6013ca 4743 if (*str == '-') {
wolfSSL 13:f67a6c6013ca 4744 ++str;
wolfSSL 13:f67a6c6013ca 4745 neg = MP_NEG;
wolfSSL 13:f67a6c6013ca 4746 } else {
wolfSSL 13:f67a6c6013ca 4747 neg = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4748 }
wolfSSL 13:f67a6c6013ca 4749
wolfSSL 13:f67a6c6013ca 4750 /* set the integer to the default of zero */
wolfSSL 13:f67a6c6013ca 4751 mp_zero (a);
wolfSSL 13:f67a6c6013ca 4752
wolfSSL 13:f67a6c6013ca 4753 /* process each digit of the string */
wolfSSL 13:f67a6c6013ca 4754 while (*str) {
wolfSSL 13:f67a6c6013ca 4755 /* if the radix <= 36 the conversion is case insensitive
wolfSSL 13:f67a6c6013ca 4756 * this allows numbers like 1AB and 1ab to represent the same value
wolfSSL 13:f67a6c6013ca 4757 * [e.g. in hex]
wolfSSL 13:f67a6c6013ca 4758 */
wolfSSL 13:f67a6c6013ca 4759 ch = (radix <= 36) ? (char)XTOUPPER((unsigned char)*str) : *str;
wolfSSL 13:f67a6c6013ca 4760 for (y = 0; y < 64; y++) {
wolfSSL 13:f67a6c6013ca 4761 if (ch == mp_s_rmap[y]) {
wolfSSL 13:f67a6c6013ca 4762 break;
wolfSSL 13:f67a6c6013ca 4763 }
wolfSSL 13:f67a6c6013ca 4764 }
wolfSSL 13:f67a6c6013ca 4765
wolfSSL 13:f67a6c6013ca 4766 /* if the char was found in the map
wolfSSL 13:f67a6c6013ca 4767 * and is less than the given radix add it
wolfSSL 13:f67a6c6013ca 4768 * to the number, otherwise exit the loop.
wolfSSL 13:f67a6c6013ca 4769 */
wolfSSL 13:f67a6c6013ca 4770 if (y < radix) {
wolfSSL 13:f67a6c6013ca 4771 if ((res = mp_mul_d (a, (mp_digit) radix, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4772 return res;
wolfSSL 13:f67a6c6013ca 4773 }
wolfSSL 13:f67a6c6013ca 4774 if ((res = mp_add_d (a, (mp_digit) y, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4775 return res;
wolfSSL 13:f67a6c6013ca 4776 }
wolfSSL 13:f67a6c6013ca 4777 } else {
wolfSSL 13:f67a6c6013ca 4778 break;
wolfSSL 13:f67a6c6013ca 4779 }
wolfSSL 13:f67a6c6013ca 4780 ++str;
wolfSSL 13:f67a6c6013ca 4781 }
wolfSSL 13:f67a6c6013ca 4782
wolfSSL 13:f67a6c6013ca 4783 /* set the sign only if a != 0 */
wolfSSL 13:f67a6c6013ca 4784 if (mp_iszero(a) != MP_YES) {
wolfSSL 13:f67a6c6013ca 4785 a->sign = neg;
wolfSSL 13:f67a6c6013ca 4786 }
wolfSSL 13:f67a6c6013ca 4787 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4788 }
wolfSSL 13:f67a6c6013ca 4789 #endif /* HAVE_ECC */
wolfSSL 13:f67a6c6013ca 4790
wolfSSL 13:f67a6c6013ca 4791 #if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) || \
wolfSSL 13:f67a6c6013ca 4792 defined(WOLFSSL_DEBUG_MATH)
wolfSSL 13:f67a6c6013ca 4793
wolfSSL 13:f67a6c6013ca 4794 /* returns size of ASCII representation */
wolfSSL 13:f67a6c6013ca 4795 int mp_radix_size (mp_int *a, int radix, int *size)
wolfSSL 13:f67a6c6013ca 4796 {
wolfSSL 13:f67a6c6013ca 4797 int res, digs;
wolfSSL 13:f67a6c6013ca 4798 mp_int t;
wolfSSL 13:f67a6c6013ca 4799 mp_digit d;
wolfSSL 13:f67a6c6013ca 4800
wolfSSL 13:f67a6c6013ca 4801 *size = 0;
wolfSSL 13:f67a6c6013ca 4802
wolfSSL 13:f67a6c6013ca 4803 /* special case for binary */
wolfSSL 13:f67a6c6013ca 4804 if (radix == 2) {
wolfSSL 13:f67a6c6013ca 4805 *size = mp_count_bits (a) + (a->sign == MP_NEG ? 1 : 0) + 1;
wolfSSL 13:f67a6c6013ca 4806 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4807 }
wolfSSL 13:f67a6c6013ca 4808
wolfSSL 13:f67a6c6013ca 4809 /* make sure the radix is in range */
wolfSSL 13:f67a6c6013ca 4810 if (radix < 2 || radix > 64) {
wolfSSL 13:f67a6c6013ca 4811 return MP_VAL;
wolfSSL 13:f67a6c6013ca 4812 }
wolfSSL 13:f67a6c6013ca 4813
wolfSSL 13:f67a6c6013ca 4814 if (mp_iszero(a) == MP_YES) {
wolfSSL 13:f67a6c6013ca 4815 *size = 2;
wolfSSL 13:f67a6c6013ca 4816 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4817 }
wolfSSL 13:f67a6c6013ca 4818
wolfSSL 13:f67a6c6013ca 4819 /* digs is the digit count */
wolfSSL 13:f67a6c6013ca 4820 digs = 0;
wolfSSL 13:f67a6c6013ca 4821
wolfSSL 13:f67a6c6013ca 4822 /* if it's negative add one for the sign */
wolfSSL 13:f67a6c6013ca 4823 if (a->sign == MP_NEG) {
wolfSSL 13:f67a6c6013ca 4824 ++digs;
wolfSSL 13:f67a6c6013ca 4825 }
wolfSSL 13:f67a6c6013ca 4826
wolfSSL 13:f67a6c6013ca 4827 /* init a copy of the input */
wolfSSL 13:f67a6c6013ca 4828 if ((res = mp_init_copy (&t, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4829 return res;
wolfSSL 13:f67a6c6013ca 4830 }
wolfSSL 13:f67a6c6013ca 4831
wolfSSL 13:f67a6c6013ca 4832 /* force temp to positive */
wolfSSL 13:f67a6c6013ca 4833 t.sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4834
wolfSSL 13:f67a6c6013ca 4835 /* fetch out all of the digits */
wolfSSL 13:f67a6c6013ca 4836 while (mp_iszero (&t) == MP_NO) {
wolfSSL 13:f67a6c6013ca 4837 if ((res = mp_div_d (&t, (mp_digit) radix, &t, &d)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4838 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 4839 return res;
wolfSSL 13:f67a6c6013ca 4840 }
wolfSSL 13:f67a6c6013ca 4841 ++digs;
wolfSSL 13:f67a6c6013ca 4842 }
wolfSSL 13:f67a6c6013ca 4843 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 4844
wolfSSL 13:f67a6c6013ca 4845 /* return digs + 1, the 1 is for the NULL byte that would be required. */
wolfSSL 13:f67a6c6013ca 4846 *size = digs + 1;
wolfSSL 13:f67a6c6013ca 4847 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4848 }
wolfSSL 13:f67a6c6013ca 4849
wolfSSL 13:f67a6c6013ca 4850 /* stores a bignum as a ASCII string in a given radix (2..64) */
wolfSSL 13:f67a6c6013ca 4851 int mp_toradix (mp_int *a, char *str, int radix)
wolfSSL 13:f67a6c6013ca 4852 {
wolfSSL 13:f67a6c6013ca 4853 int res, digs;
wolfSSL 13:f67a6c6013ca 4854 mp_int t;
wolfSSL 13:f67a6c6013ca 4855 mp_digit d;
wolfSSL 13:f67a6c6013ca 4856 char *_s = str;
wolfSSL 13:f67a6c6013ca 4857
wolfSSL 13:f67a6c6013ca 4858 /* check range of the radix */
wolfSSL 13:f67a6c6013ca 4859 if (radix < 2 || radix > 64) {
wolfSSL 13:f67a6c6013ca 4860 return MP_VAL;
wolfSSL 13:f67a6c6013ca 4861 }
wolfSSL 13:f67a6c6013ca 4862
wolfSSL 13:f67a6c6013ca 4863 /* quick out if its zero */
wolfSSL 13:f67a6c6013ca 4864 if (mp_iszero(a) == MP_YES) {
wolfSSL 13:f67a6c6013ca 4865 *str++ = '0';
wolfSSL 13:f67a6c6013ca 4866 *str = '\0';
wolfSSL 13:f67a6c6013ca 4867 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4868 }
wolfSSL 13:f67a6c6013ca 4869
wolfSSL 13:f67a6c6013ca 4870 if ((res = mp_init_copy (&t, a)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4871 return res;
wolfSSL 13:f67a6c6013ca 4872 }
wolfSSL 13:f67a6c6013ca 4873
wolfSSL 13:f67a6c6013ca 4874 /* if it is negative output a - */
wolfSSL 13:f67a6c6013ca 4875 if (t.sign == MP_NEG) {
wolfSSL 13:f67a6c6013ca 4876 ++_s;
wolfSSL 13:f67a6c6013ca 4877 *str++ = '-';
wolfSSL 13:f67a6c6013ca 4878 t.sign = MP_ZPOS;
wolfSSL 13:f67a6c6013ca 4879 }
wolfSSL 13:f67a6c6013ca 4880
wolfSSL 13:f67a6c6013ca 4881 digs = 0;
wolfSSL 13:f67a6c6013ca 4882 while (mp_iszero (&t) == MP_NO) {
wolfSSL 13:f67a6c6013ca 4883 if ((res = mp_div_d (&t, (mp_digit) radix, &t, &d)) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 4884 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 4885 return res;
wolfSSL 13:f67a6c6013ca 4886 }
wolfSSL 13:f67a6c6013ca 4887 *str++ = mp_s_rmap[d];
wolfSSL 13:f67a6c6013ca 4888 ++digs;
wolfSSL 13:f67a6c6013ca 4889 }
wolfSSL 13:f67a6c6013ca 4890
wolfSSL 13:f67a6c6013ca 4891 /* reverse the digits of the string. In this case _s points
wolfSSL 13:f67a6c6013ca 4892 * to the first digit [excluding the sign] of the number]
wolfSSL 13:f67a6c6013ca 4893 */
wolfSSL 13:f67a6c6013ca 4894 bn_reverse ((unsigned char *)_s, digs);
wolfSSL 13:f67a6c6013ca 4895
wolfSSL 13:f67a6c6013ca 4896 /* append a NULL so the string is properly terminated */
wolfSSL 13:f67a6c6013ca 4897 *str = '\0';
wolfSSL 13:f67a6c6013ca 4898
wolfSSL 13:f67a6c6013ca 4899 mp_clear (&t);
wolfSSL 13:f67a6c6013ca 4900 return MP_OKAY;
wolfSSL 13:f67a6c6013ca 4901 }
wolfSSL 13:f67a6c6013ca 4902
wolfSSL 13:f67a6c6013ca 4903 #ifdef WOLFSSL_DEBUG_MATH
wolfSSL 13:f67a6c6013ca 4904 void mp_dump(const char* desc, mp_int* a, byte verbose)
wolfSSL 13:f67a6c6013ca 4905 {
wolfSSL 13:f67a6c6013ca 4906 char *buffer;
wolfSSL 13:f67a6c6013ca 4907 int size = a->alloc;
wolfSSL 13:f67a6c6013ca 4908
wolfSSL 13:f67a6c6013ca 4909 buffer = (char*)XMALLOC(size * sizeof(mp_digit) * 2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:f67a6c6013ca 4910 if (buffer == NULL) {
wolfSSL 13:f67a6c6013ca 4911 return;
wolfSSL 13:f67a6c6013ca 4912 }
wolfSSL 13:f67a6c6013ca 4913
wolfSSL 13:f67a6c6013ca 4914 printf("%s: ptr=%p, used=%d, sign=%d, size=%d, mpd=%d\n",
wolfSSL 13:f67a6c6013ca 4915 desc, a, a->used, a->sign, size, (int)sizeof(mp_digit));
wolfSSL 13:f67a6c6013ca 4916
wolfSSL 13:f67a6c6013ca 4917 mp_toradix(a, buffer, 16);
wolfSSL 13:f67a6c6013ca 4918 printf(" %s\n ", buffer);
wolfSSL 13:f67a6c6013ca 4919
wolfSSL 13:f67a6c6013ca 4920 if (verbose) {
wolfSSL 13:f67a6c6013ca 4921 int i;
wolfSSL 13:f67a6c6013ca 4922 for(i=0; i<a->alloc * (int)sizeof(mp_digit); i++) {
wolfSSL 13:f67a6c6013ca 4923 printf("%02x ", *(((byte*)a->dp) + i));
wolfSSL 13:f67a6c6013ca 4924 }
wolfSSL 13:f67a6c6013ca 4925 printf("\n");
wolfSSL 13:f67a6c6013ca 4926 }
wolfSSL 13:f67a6c6013ca 4927
wolfSSL 13:f67a6c6013ca 4928 XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 13:f67a6c6013ca 4929 }
wolfSSL 13:f67a6c6013ca 4930 #endif /* WOLFSSL_DEBUG_MATH */
wolfSSL 13:f67a6c6013ca 4931
wolfSSL 13:f67a6c6013ca 4932 #endif /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) || defined(WOLFSSL_DEBUG_MATH) */
wolfSSL 13:f67a6c6013ca 4933
wolfSSL 13:f67a6c6013ca 4934 #endif /* USE_FAST_MATH */
wolfSSL 13:f67a6c6013ca 4935
wolfSSL 13:f67a6c6013ca 4936 #endif /* NO_BIG_INT */
wolfSSL 13:f67a6c6013ca 4937
wolfSSL 13:f67a6c6013ca 4938