TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fa85cc2da530ce887e22af3aed04a88b4fa3ba9d / . / library / bignum.c
blob: db46a0ecb5f0bc2df471972811550f0045a21a43 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * Multi-precision integer library
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]21
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]22/*
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]23 * The following sources were referenced in the design of this Multi-precision
24 * Integer library:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]25 *
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]26 * [1] Handbook of Applied Cryptography - 1997
27 * Menezes, van Oorschot and Vanstone
28 *
29 * [2] Multi-Precision Math
30 * Tom St Denis
31 * https://github.com/libtom/libtommath/blob/develop/tommath.pdf
32 *
33 * [3] GNU Multi-Precision Arithmetic Library
34 * https://gmplib.org/manual/index.html
35 *
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]36 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]38#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]39#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]40#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_BIGNUM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]46#include "mbedtls/bignum.h"
47#include "mbedtls/bn_mul.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]48
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]49#include <string.h>
50
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]51#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]52#include "mbedtls/platform.h"
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]53#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]54#include <stdio.h>
55#include <stdlib.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#define mbedtls_printf printf
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]57#define mbedtls_calloc calloc
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58#define mbedtls_free free
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]59#endif
60
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]61/* Implementation that should never be optimized out by the compiler */
Alexey Skalozube17a8da2016-01-13 17:19:33 +0200[diff] [blame]62static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n ) {
Alexey Skalozub3d53f412016-01-13 16:53:40 +0200[diff] [blame]63 volatile mbedtls_mpi_uint *p = v; while( n-- ) *p++ = 0;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]64}
65
Hanno Becker88807112017-10-18 12:41:30 +0100[diff] [blame]66/* Implementation that should never be optimized out by the compiler */
67static void mbedtls_zeroize( void *v, size_t n ) {
68 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
69}
70
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]71#define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72#define biL (ciL << 3) /* bits in limb */
73#define biH (ciL << 2) /* half limb size */
74
Manuel Pégourié-Gonnard2d708342015-10-05 15:23:11 +0100[diff] [blame]75#define MPI_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
76
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]77/*
78 * Convert between bits/chars and number of limbs
Manuel Pégourié-Gonnard58fb4952015-09-28 13:48:04 +0200[diff] [blame]79 * Divide first in order to avoid potential overflows
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80 */
Manuel Pégourié-Gonnard58fb4952015-09-28 13:48:04 +0200[diff] [blame]81#define BITS_TO_LIMBS(i) ( (i) / biL + ( (i) % biL != 0 ) )
82#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]83
84/*
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]85 * Initialize one MPI
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]86 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]87void mbedtls_mpi_init( mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]88{
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]89 if( X == NULL )
90 return;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]91
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]92 X->s = 1;
93 X->n = 0;
94 X->p = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95}
96
97/*
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]98 * Unallocate one MPI
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]99 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]100void mbedtls_mpi_free( mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]101{
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]102 if( X == NULL )
103 return;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]104
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]105 if( X->p != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]106 {
Alexey Skalozube17a8da2016-01-13 17:19:33 +0200[diff] [blame]107 mbedtls_mpi_zeroize( X->p, X->n );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]108 mbedtls_free( X->p );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109 }
110
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]111 X->s = 1;
112 X->n = 0;
113 X->p = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]114}
115
116/*
117 * Enlarge to the specified number of limbs
118 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]119int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]120{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]121 mbedtls_mpi_uint *p;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]122
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]123 if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]124 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]125
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]126 if( X->n < nblimbs )
127 {
Simon Butcher29176892016-05-20 00:19:09 +0100[diff] [blame]128 if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]129 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]130
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]131 if( X->p != NULL )
132 {
133 memcpy( p, X->p, X->n * ciL );
Alexey Skalozube17a8da2016-01-13 17:19:33 +0200[diff] [blame]134 mbedtls_mpi_zeroize( X->p, X->n );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]135 mbedtls_free( X->p );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]136 }
137
138 X->n = nblimbs;
139 X->p = p;
140 }
141
142 return( 0 );
143}
144
145/*
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]146 * Resize down as much as possible,
147 * while keeping at least the specified number of limbs
148 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]149int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]150{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]151 mbedtls_mpi_uint *p;
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]152 size_t i;
153
Gilles Peskine6a269672020-01-20 21:17:43 +0100[diff] [blame]154 /* Actually resize up if there are currently fewer than nblimbs limbs. */
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]155 if( X->n <= nblimbs )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]156 return( mbedtls_mpi_grow( X, nblimbs ) );
Gilles Peskine774c1632020-01-21 13:59:51 +0100[diff] [blame]157 /* After this point, then X->n > nblimbs and in particular X->n > 0. */
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]158
159 for( i = X->n - 1; i > 0; i-- )
160 if( X->p[i] != 0 )
161 break;
162 i++;
163
164 if( i < nblimbs )
165 i = nblimbs;
166
Simon Butcher29176892016-05-20 00:19:09 +0100[diff] [blame]167 if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]168 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]169
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]170 if( X->p != NULL )
171 {
172 memcpy( p, X->p, i * ciL );
Alexey Skalozube17a8da2016-01-13 17:19:33 +0200[diff] [blame]173 mbedtls_mpi_zeroize( X->p, X->n );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]174 mbedtls_free( X->p );
Manuel Pégourié-Gonnard58681632013-11-21 10:39:37 +0100[diff] [blame]175 }
176
177 X->n = i;
178 X->p = p;
179
180 return( 0 );
181}
182
183/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]184 * Copy the contents of Y into X
185 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]186int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]187{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]188 int ret;
189 size_t i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]190
191 if( X == Y )
192 return( 0 );
193
Gilles Peskine2aeab872020-01-20 21:12:50 +0100[diff] [blame]194 if( Y->n == 0 )
Manuel Pégourié-Gonnardf4999932013-08-12 17:02:59 +0200[diff] [blame]195 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]196 mbedtls_mpi_free( X );
Manuel Pégourié-Gonnardf4999932013-08-12 17:02:59 +0200[diff] [blame]197 return( 0 );
198 }
199
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200 for( i = Y->n - 1; i > 0; i-- )
201 if( Y->p[i] != 0 )
202 break;
203 i++;
204
205 X->s = Y->s;
206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]207 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208
209 memset( X->p, 0, X->n * ciL );
210 memcpy( X->p, Y->p, i * ciL );
211
212cleanup:
213
214 return( ret );
215}
216
217/*
218 * Swap the contents of X and Y
219 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]220void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]221{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]222 mbedtls_mpi T;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]224 memcpy( &T, X, sizeof( mbedtls_mpi ) );
225 memcpy( X, Y, sizeof( mbedtls_mpi ) );
226 memcpy( Y, &T, sizeof( mbedtls_mpi ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]227}
228
229/*
Gilles Peskine3c44c652020-06-04 19:14:58 +0200[diff] [blame]230 * Conditionally assign dest = src, without leaking information
231 * about whether the assignment was made or not.
232 * dest and src must be arrays of limbs of size n.
233 * assign must be 0 or 1.
234 */
235static void mpi_safe_cond_assign( size_t n,
236 mbedtls_mpi_uint *dest,
237 const mbedtls_mpi_uint *src,
238 unsigned char assign )
239{
240 size_t i;
241 for( i = 0; i < n; i++ )
242 dest[i] = dest[i] * ( 1 - assign ) + src[i] * assign;
243}
244
245/*
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]246 * Conditionally assign X = Y, without leaking information
Manuel Pégourié-Gonnard96c7a922013-11-25 18:28:53 +0100[diff] [blame]247 * about whether the assignment was made or not.
248 * (Leaking information about the respective sizes of X and Y is ok however.)
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]249 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]250int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign )
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]251{
252 int ret = 0;
253 size_t i;
254
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]255 /* make sure assign is 0 or 1 in a time-constant manner */
256 assign = (assign | (unsigned char)-assign) >> 7;
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]257
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]258 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]259
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]260 X->s = X->s * ( 1 - assign ) + Y->s * assign;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]261
Gilles Peskine3c44c652020-06-04 19:14:58 +0200[diff] [blame]262 mpi_safe_cond_assign( Y->n, X->p, Y->p, assign );
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]263
Gilles Peskine3c44c652020-06-04 19:14:58 +0200[diff] [blame]264 for( i = Y->n; i < X->n; i++ )
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]265 X->p[i] *= ( 1 - assign );
Manuel Pégourié-Gonnard71c2c212013-11-21 16:56:39 +0100[diff] [blame]266
267cleanup:
268 return( ret );
269}
270
271/*
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]272 * Conditionally swap X and Y, without leaking information
273 * about whether the swap was made or not.
274 * Here it is not ok to simply swap the pointers, which whould lead to
275 * different memory access patterns when X and Y are used afterwards.
276 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]277int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap )
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]278{
279 int ret, s;
280 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]281 mbedtls_mpi_uint tmp;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]282
283 if( X == Y )
284 return( 0 );
285
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]286 /* make sure swap is 0 or 1 in a time-constant manner */
287 swap = (swap | (unsigned char)-swap) >> 7;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]288
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]289 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
290 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]291
292 s = X->s;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]293 X->s = X->s * ( 1 - swap ) + Y->s * swap;
294 Y->s = Y->s * ( 1 - swap ) + s * swap;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]295
296
297 for( i = 0; i < X->n; i++ )
298 {
299 tmp = X->p[i];
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]300 X->p[i] = X->p[i] * ( 1 - swap ) + Y->p[i] * swap;
301 Y->p[i] = Y->p[i] * ( 1 - swap ) + tmp * swap;
Manuel Pégourié-Gonnarda60fe892013-12-04 21:41:50 +0100[diff] [blame]302 }
303
304cleanup:
305 return( ret );
306}
307
308/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]309 * Set value from integer
310 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]311int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312{
313 int ret;
314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]315 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]316 memset( X->p, 0, X->n * ciL );
317
318 X->p[0] = ( z < 0 ) ? -z : z;
319 X->s = ( z < 0 ) ? -1 : 1;
320
321cleanup:
322
323 return( ret );
324}
325
326/*
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]327 * Get a specific bit
328 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]329int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos )
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]330{
331 if( X->n * biL <= pos )
332 return( 0 );
333
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]334 return( ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01 );
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]335}
336
Gilles Peskine220cc172018-11-20 16:47:47 +0100[diff] [blame]337/* Get a specific byte, without range checks. */
338#define GET_BYTE( X, i ) \
339 ( ( ( X )->p[( i ) / ciL] >> ( ( ( i ) % ciL ) * 8 ) ) & 0xff )
340
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]341/*
342 * Set a bit to a specific value of 0 or 1
343 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]344int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val )
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]345{
346 int ret = 0;
347 size_t off = pos / biL;
348 size_t idx = pos % biL;
349
350 if( val != 0 && val != 1 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]351 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]352
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]353 if( X->n * biL <= pos )
354 {
355 if( val == 0 )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]356 return( 0 );
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]358 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, off + 1 ) );
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]359 }
360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]361 X->p[off] &= ~( (mbedtls_mpi_uint) 0x01 << idx );
362 X->p[off] |= (mbedtls_mpi_uint) val << idx;
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]363
364cleanup:
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]365
Paul Bakker2f5947e2011-05-18 15:47:11 +0000[diff] [blame]366 return( ret );
367}
368
369/*
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]370 * Return the number of less significant zero-bits
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]372size_t mbedtls_mpi_lsb( const mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]374 size_t i, j, count = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375
376 for( i = 0; i < X->n; i++ )
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]377 for( j = 0; j < biL; j++, count++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
379 return( count );
380
381 return( 0 );
382}
383
384/*
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]385 * Count leading zero bits in a given integer
386 */
387static size_t mbedtls_clz( const mbedtls_mpi_uint x )
388{
389 size_t j;
Manuel Pégourié-Gonnarde3e8edf2015-12-01 09:31:52 +0100[diff] [blame]390 mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]391
392 for( j = 0; j < biL; j++ )
393 {
394 if( x & mask ) break;
395
396 mask >>= 1;
397 }
398
399 return j;
400}
401
402/*
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]403 * Return the number of bits
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]404 */
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]405size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]406{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]407 size_t i, j;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]408
Manuel Pégourié-Gonnard770b5e12015-04-29 17:02:01 +0200[diff] [blame]409 if( X->n == 0 )
410 return( 0 );
411
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]412 for( i = X->n - 1; i > 0; i-- )
413 if( X->p[i] != 0 )
414 break;
415
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]416 j = biL - mbedtls_clz( X->p[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]417
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]418 return( ( i * biL ) + j );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419}
420
421/*
422 * Return the total size in bytes
423 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]424size_t mbedtls_mpi_size( const mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]425{
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]426 return( ( mbedtls_mpi_bitlen( X ) + 7 ) >> 3 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]427}
428
429/*
430 * Convert an ASCII character to digit value
431 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]432static int mpi_get_digit( mbedtls_mpi_uint *d, int radix, char c )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]433{
434 *d = 255;
435
436 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
437 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
438 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
439
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]440 if( *d >= (mbedtls_mpi_uint) radix )
441 return( MBEDTLS_ERR_MPI_INVALID_CHARACTER );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442
443 return( 0 );
444}
445
446/*
447 * Import from an ASCII string
448 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]449int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]450{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]451 int ret;
452 size_t i, j, slen, n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]453 mbedtls_mpi_uint d;
454 mbedtls_mpi T;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455
456 if( radix < 2 || radix > 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]457 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]459 mbedtls_mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]461 slen = strlen( s );
462
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463 if( radix == 16 )
464 {
Manuel Pégourié-Gonnard2d708342015-10-05 15:23:11 +0100[diff] [blame]465 if( slen > MPI_SIZE_T_MAX >> 2 )
Manuel Pégourié-Gonnard58fb4952015-09-28 13:48:04 +0200[diff] [blame]466 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
467
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]468 n = BITS_TO_LIMBS( slen << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]470 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );
471 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]473 for( i = slen, j = 0; i > 0; i--, j++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]475 if( i == 1 && s[i - 1] == '-' )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 {
477 X->s = -1;
478 break;
479 }
480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]481 MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]482 X->p[j / ( 2 * ciL )] |= d << ( ( j % ( 2 * ciL ) ) << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483 }
484 }
485 else
486 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]487 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]488
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]489 for( i = 0; i < slen; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]490 {
491 if( i == 0 && s[i] == '-' )
492 {
493 X->s = -1;
494 continue;
495 }
496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]497 MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
498 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T, X, radix ) );
Paul Bakker05feca62009-06-20 08:22:43 +0000[diff] [blame]499
500 if( X->s == 1 )
501 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]502 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, &T, d ) );
Paul Bakker05feca62009-06-20 08:22:43 +0000[diff] [blame]503 }
504 else
505 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]506 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( X, &T, d ) );
Paul Bakker05feca62009-06-20 08:22:43 +0000[diff] [blame]507 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 }
509 }
510
511cleanup:
512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513 mbedtls_mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
515 return( ret );
516}
517
518/*
Ron Eldore6cbfc32018-11-20 14:07:01 +0200[diff] [blame]519 * Helper to write the digits high-order first.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]520 */
Ron Eldore6cbfc32018-11-20 14:07:01 +0200[diff] [blame]521static int mpi_write_hlp( mbedtls_mpi *X, int radix,
522 char **p, const size_t buflen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523{
524 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525 mbedtls_mpi_uint r;
Ron Eldore6cbfc32018-11-20 14:07:01 +0200[diff] [blame]526 size_t length = 0;
527 char *p_end = *p + buflen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]528
Ron Eldore6cbfc32018-11-20 14:07:01 +0200[diff] [blame]529 do
530 {
531 if( length >= buflen )
532 {
533 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
534 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]535
Ron Eldore6cbfc32018-11-20 14:07:01 +0200[diff] [blame]536 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
537 MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
538 /*
539 * Write the residue in the current position, as an ASCII character.
540 */
541 if( r < 0xA )
542 *(--p_end) = (char)( '0' + r );
543 else
544 *(--p_end) = (char)( 'A' + ( r - 0xA ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]545
Ron Eldore6cbfc32018-11-20 14:07:01 +0200[diff] [blame]546 length++;
547 } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548
Ron Eldore6cbfc32018-11-20 14:07:01 +0200[diff] [blame]549 memmove( *p, p_end, length );
550 *p += length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551
552cleanup:
553
554 return( ret );
555}
556
557/*
558 * Export into an ASCII string
559 */
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]560int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
561 char *buf, size_t buflen, size_t *olen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]563 int ret = 0;
564 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565 char *p;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]566 mbedtls_mpi T;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567
568 if( radix < 2 || radix > 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]569 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570
Hanno Beckera277d4c2019-02-04 09:45:07 +0000[diff] [blame]571 n = mbedtls_mpi_bitlen( X ); /* Number of bits necessary to present `n`. */
572 if( radix >= 4 ) n >>= 1; /* Number of 4-adic digits necessary to present
573 * `n`. If radix > 4, this might be a strict
574 * overapproximation of the number of
575 * radix-adic digits needed to present `n`. */
576 if( radix >= 16 ) n >>= 1; /* Number of hexadecimal digits necessary to
577 * present `n`. */
578
Janos Follath216e7382019-03-06 13:43:02 +0000[diff] [blame]579 n += 1; /* Terminating null byte */
Hanno Beckera277d4c2019-02-04 09:45:07 +0000[diff] [blame]580 n += 1; /* Compensate for the divisions above, which round down `n`
581 * in case it's not even. */
582 n += 1; /* Potential '-'-sign. */
583 n += ( n & 1 ); /* Make n even to have enough space for hexadecimal writing,
584 * which always uses an even number of hex-digits. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]586 if( buflen < n )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587 {
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]588 *olen = n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]589 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590 }
591
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]592 p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]593 mbedtls_mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594
595 if( X->s == -1 )
Hanno Beckereff335d2019-02-01 16:41:30 +0000[diff] [blame]596 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597 *p++ = '-';
Hanno Beckereff335d2019-02-01 16:41:30 +0000[diff] [blame]598 buflen--;
599 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600
601 if( radix == 16 )
602 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]603 int c;
604 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]605
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]606 for( i = X->n, k = 0; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]608 for( j = ciL; j > 0; j-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]609 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]610 c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]611
Paul Bakker6c343d72014-07-10 14:36:19 +0200[diff] [blame]612 if( c == 0 && k == 0 && ( i + j ) != 2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613 continue;
614
Paul Bakker98fe5ea2012-10-24 11:17:48 +0000[diff] [blame]615 *(p++) = "0123456789ABCDEF" [c / 16];
Paul Bakkerd2c167e2012-10-30 07:49:19 +0000[diff] [blame]616 *(p++) = "0123456789ABCDEF" [c % 16];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]617 k = 1;
618 }
619 }
620 }
621 else
622 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]623 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T, X ) );
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]624
625 if( T.s == -1 )
626 T.s = 1;
627
Ron Eldore6cbfc32018-11-20 14:07:01 +0200[diff] [blame]628 MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629 }
630
631 *p++ = '\0';
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]632 *olen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633
634cleanup:
635
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]636 mbedtls_mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637
638 return( ret );
639}
640
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]641#if defined(MBEDTLS_FS_IO)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642/*
643 * Read X from an opened file
644 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]645int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]647 mbedtls_mpi_uint d;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]648 size_t slen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]649 char *p;
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]650 /*
Paul Bakkercb37aa52011-11-30 16:00:20 +0000[diff] [blame]651 * Buffer should have space for (short) label and decimal formatted MPI,
652 * newline characters and '\0'
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]653 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]654 char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655
656 memset( s, 0, sizeof( s ) );
657 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]658 return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659
660 slen = strlen( s );
Paul Bakkercb37aa52011-11-30 16:00:20 +0000[diff] [blame]661 if( slen == sizeof( s ) - 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]662 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
Paul Bakkercb37aa52011-11-30 16:00:20 +0000[diff] [blame]663
Hanno Beckerb2034b72017-04-26 11:46:46 +0100[diff] [blame]664 if( slen > 0 && s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
665 if( slen > 0 && s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666
667 p = s + slen;
Hanno Beckerb2034b72017-04-26 11:46:46 +0100[diff] [blame]668 while( p-- > s )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 if( mpi_get_digit( &d, radix, *p ) != 0 )
670 break;
671
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]672 return( mbedtls_mpi_read_string( X, radix, p + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673}
674
675/*
676 * Write X into an opened file (or stdout if fout == NULL)
677 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]678int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]679{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]680 int ret;
681 size_t n, slen, plen;
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]682 /*
Paul Bakker5531c6d2012-09-26 19:20:46 +0000[diff] [blame]683 * Buffer should have space for (short) label and decimal formatted MPI,
684 * newline characters and '\0'
Paul Bakkerfe3256e2011-11-25 12:11:43 +0000[diff] [blame]685 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686 char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]688 memset( s, 0, sizeof( s ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689
Manuel Pégourié-Gonnardf79b4252015-06-02 15:41:48 +0100[diff] [blame]690 MBEDTLS_MPI_CHK( mbedtls_mpi_write_string( X, radix, s, sizeof( s ) - 2, &n ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691
692 if( p == NULL ) p = "";
693
694 plen = strlen( p );
695 slen = strlen( s );
696 s[slen++] = '\r';
697 s[slen++] = '\n';
698
699 if( fout != NULL )
700 {
701 if( fwrite( p, 1, plen, fout ) != plen ||
702 fwrite( s, 1, slen, fout ) != slen )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]703 return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]704 }
705 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]706 mbedtls_printf( "%s%s", p, s );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]707
708cleanup:
709
710 return( ret );
711}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]712#endif /* MBEDTLS_FS_IO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]713
714/*
715 * Import X from unsigned binary data, big endian
716 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]717int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]718{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]719 int ret;
Hanno Becker073c1992017-10-17 15:17:27 +0100[diff] [blame]720 size_t i, j;
721 size_t const limbs = CHARS_TO_LIMBS( buflen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]722
Hanno Becker073c1992017-10-17 15:17:27 +0100[diff] [blame]723 /* Ensure that target MPI has exactly the necessary number of limbs */
724 if( X->n != limbs )
725 {
726 mbedtls_mpi_free( X );
727 mbedtls_mpi_init( X );
728 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
729 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]730
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]731 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732
Hanno Becker073c1992017-10-17 15:17:27 +0100[diff] [blame]733 for( i = buflen, j = 0; i > 0; i--, j++ )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]734 X->p[j / ciL] |= ((mbedtls_mpi_uint) buf[i - 1]) << ((j % ciL) << 3);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735
736cleanup:
737
738 return( ret );
739}
740
741/*
742 * Export X into unsigned binary data, big endian
743 */
Gilles Peskine220cc172018-11-20 16:47:47 +0100[diff] [blame]744int mbedtls_mpi_write_binary( const mbedtls_mpi *X,
745 unsigned char *buf, size_t buflen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]746{
Gilles Peskine220cc172018-11-20 16:47:47 +0100[diff] [blame]747 size_t stored_bytes = X->n * ciL;
748 size_t bytes_to_copy;
749 unsigned char *p;
750 size_t i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]751
Gilles Peskine220cc172018-11-20 16:47:47 +0100[diff] [blame]752 if( stored_bytes < buflen )
753 {
754 /* There is enough space in the output buffer. Write initial
755 * null bytes and record the position at which to start
756 * writing the significant bytes. In this case, the execution
757 * trace of this function does not depend on the value of the
758 * number. */
759 bytes_to_copy = stored_bytes;
760 p = buf + buflen - stored_bytes;
761 memset( buf, 0, buflen - stored_bytes );
762 }
763 else
764 {
765 /* The output buffer is smaller than the allocated size of X.
766 * However X may fit if its leading bytes are zero. */
767 bytes_to_copy = buflen;
768 p = buf;
769 for( i = bytes_to_copy; i < stored_bytes; i++ )
770 {
771 if( GET_BYTE( X, i ) != 0 )
772 return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
773 }
774 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775
Gilles Peskine220cc172018-11-20 16:47:47 +0100[diff] [blame]776 for( i = 0; i < bytes_to_copy; i++ )
777 p[bytes_to_copy - i - 1] = GET_BYTE( X, i );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778
779 return( 0 );
780}
781
782/*
783 * Left-shift: X <<= count
784 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]785int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]786{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]787 int ret;
788 size_t i, v0, t1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]789 mbedtls_mpi_uint r0 = 0, r1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]790
791 v0 = count / (biL );
792 t1 = count & (biL - 1);
793
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]794 i = mbedtls_mpi_bitlen( X ) + count;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]795
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]796 if( X->n * biL < i )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]797 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, BITS_TO_LIMBS( i ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]798
799 ret = 0;
800
801 /*
802 * shift by count / limb_size
803 */
804 if( v0 > 0 )
805 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]806 for( i = X->n; i > v0; i-- )
807 X->p[i - 1] = X->p[i - v0 - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]808
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]809 for( ; i > 0; i-- )
810 X->p[i - 1] = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]811 }
812
813 /*
814 * shift by count % limb_size
815 */
816 if( t1 > 0 )
817 {
818 for( i = v0; i < X->n; i++ )
819 {
820 r1 = X->p[i] >> (biL - t1);
821 X->p[i] <<= t1;
822 X->p[i] |= r0;
823 r0 = r1;
824 }
825 }
826
827cleanup:
828
829 return( ret );
830}
831
832/*
833 * Right-shift: X >>= count
834 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]835int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]837 size_t i, v0, v1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]838 mbedtls_mpi_uint r0 = 0, r1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]839
840 v0 = count / biL;
841 v1 = count & (biL - 1);
842
Manuel Pégourié-Gonnarde44ec102012-11-17 12:42:51 +0100[diff] [blame]843 if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]844 return mbedtls_mpi_lset( X, 0 );
Manuel Pégourié-Gonnarde44ec102012-11-17 12:42:51 +0100[diff] [blame]845
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]846 /*
847 * shift by count / limb_size
848 */
849 if( v0 > 0 )
850 {
851 for( i = 0; i < X->n - v0; i++ )
852 X->p[i] = X->p[i + v0];
853
854 for( ; i < X->n; i++ )
855 X->p[i] = 0;
856 }
857
858 /*
859 * shift by count % limb_size
860 */
861 if( v1 > 0 )
862 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]863 for( i = X->n; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]865 r1 = X->p[i - 1] << (biL - v1);
866 X->p[i - 1] >>= v1;
867 X->p[i - 1] |= r0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]868 r0 = r1;
869 }
870 }
871
872 return( 0 );
873}
874
875/*
876 * Compare unsigned values
877 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]878int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]879{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]880 size_t i, j;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]881
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]882 for( i = X->n; i > 0; i-- )
883 if( X->p[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]884 break;
885
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]886 for( j = Y->n; j > 0; j-- )
887 if( Y->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]888 break;
889
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]890 if( i == 0 && j == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]891 return( 0 );
892
893 if( i > j ) return( 1 );
894 if( j > i ) return( -1 );
895
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]896 for( ; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]897 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]898 if( X->p[i - 1] > Y->p[i - 1] ) return( 1 );
899 if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]900 }
901
902 return( 0 );
903}
904
905/*
906 * Compare signed values
907 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]908int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]909{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]910 size_t i, j;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]911
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]912 for( i = X->n; i > 0; i-- )
913 if( X->p[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]914 break;
915
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]916 for( j = Y->n; j > 0; j-- )
917 if( Y->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]918 break;
919
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]920 if( i == 0 && j == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]921 return( 0 );
922
923 if( i > j ) return( X->s );
Paul Bakker0c8f73b2012-03-22 14:08:57 +0000[diff] [blame]924 if( j > i ) return( -Y->s );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]925
926 if( X->s > 0 && Y->s < 0 ) return( 1 );
927 if( Y->s > 0 && X->s < 0 ) return( -1 );
928
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]929 for( ; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]930 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]931 if( X->p[i - 1] > Y->p[i - 1] ) return( X->s );
932 if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]933 }
934
935 return( 0 );
936}
937
Janos Follath3173a532019-10-14 09:09:32 +0100[diff] [blame]938/** Decide if an integer is less than the other, without branches.
939 *
940 * \param x First integer.
941 * \param y Second integer.
942 *
943 * \return 1 if \p x is less than \p y, 0 otherwise
944 */
Janos Follathc3b376e2019-10-11 14:21:53 +0100[diff] [blame]945static unsigned ct_lt_mpi_uint( const mbedtls_mpi_uint x,
946 const mbedtls_mpi_uint y )
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]947{
948 mbedtls_mpi_uint ret;
949 mbedtls_mpi_uint cond;
950
951 /*
952 * Check if the most significant bits (MSB) of the operands are different.
953 */
954 cond = ( x ^ y );
955 /*
956 * If the MSB are the same then the difference x-y will be negative (and
957 * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
958 */
959 ret = ( x - y ) & ~cond;
960 /*
961 * If the MSB are different, then the operand with the MSB of 1 is the
962 * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
963 * the MSB of y is 0.)
964 */
965 ret |= y & cond;
966
967
Janos Follathdb9f4492019-10-14 08:59:14 +0100[diff] [blame]968 ret = ret >> ( biL - 1 );
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]969
Janos Follath58239612019-10-29 15:08:46 +0000[diff] [blame]970 return (unsigned) ret;
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]971}
972
973/*
974 * Compare signed values in constant time
975 */
Janos Follathc3b376e2019-10-11 14:21:53 +0100[diff] [blame]976int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
977 unsigned *ret )
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]978{
979 size_t i;
Janos Follatha2b9a962019-10-28 12:23:18 +0000[diff] [blame]980 /* The value of any of these variables is either 0 or 1 at all times. */
Janos Follath8ec2a952019-10-28 12:31:34 +0000[diff] [blame]981 unsigned cond, done, X_is_negative, Y_is_negative;
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]982
983 if( X->n != Y->n )
984 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
985
986 /*
Janos Follath51ed14e2019-10-28 12:12:15 +0000[diff] [blame]987 * Set sign_N to 1 if N >= 0, 0 if N < 0.
988 * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]989 */
Janos Follath8ec2a952019-10-28 12:31:34 +0000[diff] [blame]990 X_is_negative = ( X->s & 2 ) >> 1;
991 Y_is_negative = ( Y->s & 2 ) >> 1;
Janos Follathc3b376e2019-10-11 14:21:53 +0100[diff] [blame]992
993 /*
994 * If the signs are different, then the positive operand is the bigger.
Janos Follath8ec2a952019-10-28 12:31:34 +0000[diff] [blame]995 * That is if X is negative (X_is_negative == 1), then X < Y is true and it
996 * is false if X is positive (X_is_negative == 0).
Janos Follathc3b376e2019-10-11 14:21:53 +0100[diff] [blame]997 */
Janos Follath8ec2a952019-10-28 12:31:34 +0000[diff] [blame]998 cond = ( X_is_negative ^ Y_is_negative );
999 *ret = cond & X_is_negative;
Janos Follathc3b376e2019-10-11 14:21:53 +0100[diff] [blame]1000
1001 /*
Janos Follatha2b9a962019-10-28 12:23:18 +0000[diff] [blame]1002 * This is a constant-time function. We might have the result, but we still
Janos Follathc3b376e2019-10-11 14:21:53 +0100[diff] [blame]1003 * need to go through the loop. Record if we have the result already.
1004 */
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]1005 done = cond;
1006
1007 for( i = X->n; i > 0; i-- )
1008 {
1009 /*
Janos Follathb4edac52019-11-05 12:24:52 +0000[diff] [blame]1010 * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
1011 * X and Y are negative.
Janos Follathc3b376e2019-10-11 14:21:53 +0100[diff] [blame]1012 *
1013 * Again even if we can make a decision, we just mark the result and
1014 * the fact that we are done and continue looping.
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]1015 */
Janos Follathb4edac52019-11-05 12:24:52 +0000[diff] [blame]1016 cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] );
1017 *ret |= cond & ( 1 - done ) & X_is_negative;
Janos Follathcff9e6e2019-10-28 12:37:21 +0000[diff] [blame]1018 done |= cond;
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]1019
1020 /*
Janos Follathb4edac52019-11-05 12:24:52 +0000[diff] [blame]1021 * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
1022 * X and Y are positive.
Janos Follathc3b376e2019-10-11 14:21:53 +0100[diff] [blame]1023 *
1024 * Again even if we can make a decision, we just mark the result and
1025 * the fact that we are done and continue looping.
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]1026 */
Janos Follathb4edac52019-11-05 12:24:52 +0000[diff] [blame]1027 cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] );
1028 *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
Janos Follathcff9e6e2019-10-28 12:37:21 +0000[diff] [blame]1029 done |= cond;
Janos Follathe0187b92019-09-05 14:47:19 +0100[diff] [blame]1030 }
1031
1032 return( 0 );
1033}
1034
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1035/*
1036 * Compare signed values
1037 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1038int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1040 mbedtls_mpi Y;
1041 mbedtls_mpi_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1042
1043 *p = ( z < 0 ) ? -z : z;
1044 Y.s = ( z < 0 ) ? -1 : 1;
1045 Y.n = 1;
1046 Y.p = p;
1047
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1048 return( mbedtls_mpi_cmp_mpi( X, &Y ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049}
1050
1051/*
1052 * Unsigned addition: X = |A| + |B| (HAC 14.7)
1053 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1054int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1055{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1056 int ret;
1057 size_t i, j;
Janos Follath6c922682015-10-30 17:43:11 +0100[diff] [blame]1058 mbedtls_mpi_uint *o, *p, c, tmp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1059
1060 if( X == B )
1061 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062 const mbedtls_mpi *T = A; A = X; B = T;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063 }
1064
1065 if( X != A )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1067
Paul Bakkerf7ca7b92009-06-20 10:31:06 +0000[diff] [blame]1068 /*
1069 * X should always be positive as a result of unsigned additions.
1070 */
1071 X->s = 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1073 for( j = B->n; j > 0; j-- )
1074 if( B->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075 break;
1076
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1077 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1078
1079 o = B->p; p = X->p; c = 0;
1080
Janos Follath6c922682015-10-30 17:43:11 +0100[diff] [blame]1081 /*
1082 * tmp is used because it might happen that p == o
1083 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1084 for( i = 0; i < j; i++, o++, p++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1085 {
Janos Follath6c922682015-10-30 17:43:11 +0100[diff] [blame]1086 tmp= *o;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1087 *p += c; c = ( *p < c );
Janos Follath6c922682015-10-30 17:43:11 +0100[diff] [blame]1088 *p += tmp; c += ( *p < tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 }
1090
1091 while( c != 0 )
1092 {
1093 if( i >= X->n )
1094 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1095 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1096 p = X->p + i;
1097 }
1098
Paul Bakker2d319fd2012-09-16 21:34:26 +0000[diff] [blame]1099 *p += c; c = ( *p < c ); i++; p++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100 }
1101
1102cleanup:
1103
1104 return( ret );
1105}
1106
1107/*
Gilles Peskine6f3b68d2020-06-08 21:58:22 +0200[diff] [blame]1108 * Helper for mbedtls_mpi subtraction.
1109 *
1110 * Calculate d - s where d and s have the same size.
1111 * This function operates modulo (2^ciL)^n and returns the carry
1112 * (1 if there was a wraparound, i.e. if `d < s`, and 0 otherwise).
1113 *
1114 * \param n Number of limbs of \p d and \p s.
1115 * \param[in,out] d On input, the left operand.
1116 * On output, the result of the subtraction:
1117 * \param[s] The right operand.
1118 *
1119 * \return 1 if `d < s`.
1120 * 0 if `d >= s`.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1121 */
Gilles Peskine6f3b68d2020-06-08 21:58:22 +0200[diff] [blame]1122static mbedtls_mpi_uint mpi_sub_hlp( size_t n,
1123 mbedtls_mpi_uint *d,
1124 const mbedtls_mpi_uint *s )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1125{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1126 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1127 mbedtls_mpi_uint c, z;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1128
1129 for( i = c = 0; i < n; i++, s++, d++ )
1130 {
1131 z = ( *d < c ); *d -= c;
1132 c = ( *d < *s ) + z; *d -= *s;
1133 }
1134
Gilles Peskine6f3b68d2020-06-08 21:58:22 +0200[diff] [blame]1135 return( c );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136}
1137
1138/*
Gilles Peskinefa85cc22020-06-08 22:50:35 +0200[diff] [blame^]1139 * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1140 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1141int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1142{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1143 mbedtls_mpi TB;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1144 int ret;
1145 size_t n;
Gilles Peskinefa85cc22020-06-08 22:50:35 +0200[diff] [blame^]1146 mbedtls_mpi_uint carry;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1147
Gilles Peskinefa85cc22020-06-08 22:50:35 +0200[diff] [blame^]1148 /* if( mbedtls_mpi_cmp_abs( A, B ) < 0 ) */
1149 /* return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE ); */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1150
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1151 mbedtls_mpi_init( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1152
1153 if( X == B )
1154 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1155 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1156 B = &TB;
1157 }
1158
1159 if( X != A )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1160 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1161
Paul Bakker1ef7a532009-06-20 10:50:55 +0000[diff] [blame]1162 /*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]1163 * X should always be positive as a result of unsigned subtractions.
Paul Bakker1ef7a532009-06-20 10:50:55 +0000[diff] [blame]1164 */
1165 X->s = 1;
1166
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1167 ret = 0;
1168
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1169 for( n = B->n; n > 0; n-- )
1170 if( B->p[n - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1171 break;
1172
Gilles Peskinefa85cc22020-06-08 22:50:35 +0200[diff] [blame^]1173 carry = mpi_sub_hlp( n, X->p, B->p );
1174 if( carry != 0 )
Gilles Peskine6f3b68d2020-06-08 21:58:22 +0200[diff] [blame]1175 {
Gilles Peskinefa85cc22020-06-08 22:50:35 +0200[diff] [blame^]1176 /* Propagate the carry to the first nonzero limb of X. */
1177 for( ; n < X->n && X->p[n] == 0; n++ )
1178 --X->p[n];
1179 /* If we ran out of space for the carry, it means that the result
1180 * is negative. */
1181 if( n == X->n )
1182 return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
1183 --X->p[n];
Gilles Peskine6f3b68d2020-06-08 21:58:22 +0200[diff] [blame]1184 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1185
1186cleanup:
1187
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1188 mbedtls_mpi_free( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1189
1190 return( ret );
1191}
1192
1193/*
1194 * Signed addition: X = A + B
1195 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1196int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1197{
1198 int ret, s = A->s;
1199
1200 if( A->s * B->s < 0 )
1201 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1202 if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1203 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1204 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1205 X->s = s;
1206 }
1207 else
1208 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1209 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1210 X->s = -s;
1211 }
1212 }
1213 else
1214 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1215 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1216 X->s = s;
1217 }
1218
1219cleanup:
1220
1221 return( ret );
1222}
1223
1224/*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]1225 * Signed subtraction: X = A - B
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1226 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1227int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1228{
1229 int ret, s = A->s;
1230
1231 if( A->s * B->s > 0 )
1232 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1233 if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1234 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1235 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1236 X->s = s;
1237 }
1238 else
1239 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1240 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1241 X->s = -s;
1242 }
1243 }
1244 else
1245 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1246 MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1247 X->s = s;
1248 }
1249
1250cleanup:
1251
1252 return( ret );
1253}
1254
1255/*
1256 * Signed addition: X = A + b
1257 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1258int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1259{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1260 mbedtls_mpi _B;
1261 mbedtls_mpi_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262
1263 p[0] = ( b < 0 ) ? -b : b;
1264 _B.s = ( b < 0 ) ? -1 : 1;
1265 _B.n = 1;
1266 _B.p = p;
1267
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1268 return( mbedtls_mpi_add_mpi( X, A, &_B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269}
1270
1271/*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]1272 * Signed subtraction: X = A - b
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1273 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1274int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1275{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1276 mbedtls_mpi _B;
1277 mbedtls_mpi_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1278
1279 p[0] = ( b < 0 ) ? -b : b;
1280 _B.s = ( b < 0 ) ? -1 : 1;
1281 _B.n = 1;
1282 _B.p = p;
1283
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1284 return( mbedtls_mpi_sub_mpi( X, A, &_B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1285}
1286
1287/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1288 * Helper for mbedtls_mpi multiplication
Paul Bakkerfc4f46f2013-06-24 19:23:56 +0200[diff] [blame]1289 */
1290static
1291#if defined(__APPLE__) && defined(__arm__)
1292/*
1293 * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
1294 * appears to need this to prevent bad ARM code generation at -O3.
1295 */
1296__attribute__ ((noinline))
1297#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1298void mpi_mul_hlp( size_t i, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d, mbedtls_mpi_uint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1300 mbedtls_mpi_uint c = 0, t = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1301
1302#if defined(MULADDC_HUIT)
1303 for( ; i >= 8; i -= 8 )
1304 {
1305 MULADDC_INIT
1306 MULADDC_HUIT
1307 MULADDC_STOP
1308 }
1309
1310 for( ; i > 0; i-- )
1311 {
1312 MULADDC_INIT
1313 MULADDC_CORE
1314 MULADDC_STOP
1315 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1316#else /* MULADDC_HUIT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1317 for( ; i >= 16; i -= 16 )
1318 {
1319 MULADDC_INIT
1320 MULADDC_CORE MULADDC_CORE
1321 MULADDC_CORE MULADDC_CORE
1322 MULADDC_CORE MULADDC_CORE
1323 MULADDC_CORE MULADDC_CORE
1324
1325 MULADDC_CORE MULADDC_CORE
1326 MULADDC_CORE MULADDC_CORE
1327 MULADDC_CORE MULADDC_CORE
1328 MULADDC_CORE MULADDC_CORE
1329 MULADDC_STOP
1330 }
1331
1332 for( ; i >= 8; i -= 8 )
1333 {
1334 MULADDC_INIT
1335 MULADDC_CORE MULADDC_CORE
1336 MULADDC_CORE MULADDC_CORE
1337
1338 MULADDC_CORE MULADDC_CORE
1339 MULADDC_CORE MULADDC_CORE
1340 MULADDC_STOP
1341 }
1342
1343 for( ; i > 0; i-- )
1344 {
1345 MULADDC_INIT
1346 MULADDC_CORE
1347 MULADDC_STOP
1348 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1349#endif /* MULADDC_HUIT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1350
1351 t++;
1352
1353 do {
1354 *d += c; c = ( *d < c ); d++;
1355 }
1356 while( c != 0 );
1357}
1358
1359/*
1360 * Baseline multiplication: X = A * B (HAC 14.12)
1361 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1362int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1363{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1364 int ret;
1365 size_t i, j;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1366 mbedtls_mpi TA, TB;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1367
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1368 mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1369
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1370 if( X == A ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) ); A = &TA; }
1371 if( X == B ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) ); B = &TB; }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1372
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1373 for( i = A->n; i > 0; i-- )
1374 if( A->p[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375 break;
1376
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1377 for( j = B->n; j > 0; j-- )
1378 if( B->p[j - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1379 break;
1380
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + j ) );
1382 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1383
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1384 for( i++; j > 0; j-- )
1385 mpi_mul_hlp( i - 1, A->p, X->p + j - 1, B->p[j - 1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1386
1387 X->s = A->s * B->s;
1388
1389cleanup:
1390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391 mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1392
1393 return( ret );
1394}
1395
1396/*
1397 * Baseline multiplication: X = A * b
1398 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1399int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1400{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1401 mbedtls_mpi _B;
1402 mbedtls_mpi_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1403
1404 _B.s = 1;
1405 _B.n = 1;
1406 _B.p = p;
1407 p[0] = b;
1408
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1409 return( mbedtls_mpi_mul_mpi( X, A, &_B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1410}
1411
1412/*
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1413 * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
1414 * mbedtls_mpi_uint divisor, d
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1415 */
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1416static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
1417 mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r )
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1418{
Manuel Pégourié-Gonnard16308882015-12-01 10:27:00 +0100[diff] [blame]1419#if defined(MBEDTLS_HAVE_UDBL)
1420 mbedtls_t_udbl dividend, quotient;
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1421#else
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1422 const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
1423 const mbedtls_mpi_uint uint_halfword_mask = ( (mbedtls_mpi_uint) 1 << biH ) - 1;
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1424 mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
1425 mbedtls_mpi_uint u0_msw, u0_lsw;
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1426 size_t s;
Manuel Pégourié-Gonnard16308882015-12-01 10:27:00 +0100[diff] [blame]1427#endif
1428
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1429 /*
1430 * Check for overflow
1431 */
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1432 if( 0 == d || u1 >= d )
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1433 {
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1434 if (r != NULL) *r = ~0;
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1435
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1436 return ( ~0 );
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1437 }
1438
1439#if defined(MBEDTLS_HAVE_UDBL)
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1440 dividend = (mbedtls_t_udbl) u1 << biL;
1441 dividend |= (mbedtls_t_udbl) u0;
1442 quotient = dividend / d;
1443 if( quotient > ( (mbedtls_t_udbl) 1 << biL ) - 1 )
1444 quotient = ( (mbedtls_t_udbl) 1 << biL ) - 1;
1445
1446 if( r != NULL )
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1447 *r = (mbedtls_mpi_uint)( dividend - (quotient * d ) );
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1448
1449 return (mbedtls_mpi_uint) quotient;
1450#else
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1451
1452 /*
1453 * Algorithm D, Section 4.3.1 - The Art of Computer Programming
1454 * Vol. 2 - Seminumerical Algorithms, Knuth
1455 */
1456
1457 /*
1458 * Normalize the divisor, d, and dividend, u0, u1
1459 */
1460 s = mbedtls_clz( d );
1461 d = d << s;
1462
1463 u1 = u1 << s;
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1464 u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) );
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1465 u0 = u0 << s;
1466
1467 d1 = d >> biH;
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1468 d0 = d & uint_halfword_mask;
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1469
1470 u0_msw = u0 >> biH;
Simon Butcher9803d072016-01-03 00:24:34 +0000[diff] [blame]1471 u0_lsw = u0 & uint_halfword_mask;
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1472
1473 /*
1474 * Find the first quotient and remainder
1475 */
1476 q1 = u1 / d1;
1477 r0 = u1 - d1 * q1;
1478
1479 while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) )
1480 {
1481 q1 -= 1;
1482 r0 += d1;
1483
1484 if ( r0 >= radix ) break;
1485 }
1486
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1487 rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1488 q0 = rAX / d1;
1489 r0 = rAX - q0 * d1;
1490
1491 while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) )
1492 {
1493 q0 -= 1;
1494 r0 += d1;
1495
1496 if ( r0 >= radix ) break;
1497 }
1498
1499 if (r != NULL)
Simon Butcherf5ba0452015-12-27 23:01:55 +0000[diff] [blame]1500 *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1501
1502 quotient = q1 * radix + q0;
1503
1504 return quotient;
1505#endif
1506}
1507
1508/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1509 * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1511int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1512{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1513 int ret;
1514 size_t i, n, t, k;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1515 mbedtls_mpi X, Y, Z, T1, T2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1517 if( mbedtls_mpi_cmp_int( B, 0 ) == 0 )
1518 return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1520 mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
1521 mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1523 if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1524 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1525 if( Q != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_lset( Q, 0 ) );
1526 if( R != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1527 return( 0 );
1528 }
1529
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1530 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &X, A ) );
1531 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1532 X.s = Y.s = 1;
1533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &Z, A->n + 2 ) );
1535 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Z, 0 ) );
1536 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T1, 2 ) );
1537 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T2, 3 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1538
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]1539 k = mbedtls_mpi_bitlen( &Y ) % biL;
Paul Bakkerf9688572011-05-05 10:00:45 +0000[diff] [blame]1540 if( k < biL - 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1541 {
1542 k = biL - 1 - k;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &X, k ) );
1544 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, k ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1545 }
1546 else k = 0;
1547
1548 n = X.n - 1;
1549 t = Y.n - 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1550 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, biL * ( n - t ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1552 while( mbedtls_mpi_cmp_mpi( &X, &Y ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1553 {
1554 Z.p[n - t]++;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1555 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &Y ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1556 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1557 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, biL * ( n - t ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1558
1559 for( i = n; i > t ; i-- )
1560 {
1561 if( X.p[i] >= Y.p[t] )
1562 Z.p[i - t - 1] = ~0;
1563 else
1564 {
Simon Butcher15b15d12015-11-26 19:35:03 +0000[diff] [blame]1565 Z.p[i - t - 1] = mbedtls_int_div_int( X.p[i], X.p[i - 1],
1566 Y.p[t], NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1567 }
1568
1569 Z.p[i - t - 1]++;
1570 do
1571 {
1572 Z.p[i - t - 1]--;
1573
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1574 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T1, 0 ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1575 T1.p[0] = ( t < 1 ) ? 0 : Y.p[t - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1576 T1.p[1] = Y.p[t];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1577 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1578
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1579 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T2, 0 ) );
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1580 T2.p[0] = ( i < 2 ) ? 0 : X.p[i - 2];
1581 T2.p[1] = ( i < 1 ) ? 0 : X.p[i - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1582 T2.p[2] = X.p[i];
1583 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1584 while( mbedtls_mpi_cmp_mpi( &T1, &T2 ) > 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1586 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
1587 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
1588 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &T1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1589
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1590 if( mbedtls_mpi_cmp_int( &X, 0 ) < 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1591 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1592 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T1, &Y ) );
1593 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
1594 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &X, &X, &T1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1595 Z.p[i - t - 1]--;
1596 }
1597 }
1598
1599 if( Q != NULL )
1600 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1601 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( Q, &Z ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1602 Q->s = A->s * B->s;
1603 }
1604
1605 if( R != NULL )
1606 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1607 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &X, k ) );
Paul Bakkerf02c5642012-11-13 10:25:21 +0000[diff] [blame]1608 X.s = A->s;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1609 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, &X ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1610
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1611 if( mbedtls_mpi_cmp_int( R, 0 ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1612 R->s = 1;
1613 }
1614
1615cleanup:
1616
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1617 mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
1618 mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1619
1620 return( ret );
1621}
1622
1623/*
1624 * Division by int: A = Q * b + R
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1625 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1626int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mbedtls_mpi_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1627{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1628 mbedtls_mpi _B;
1629 mbedtls_mpi_uint p[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1630
1631 p[0] = ( b < 0 ) ? -b : b;
1632 _B.s = ( b < 0 ) ? -1 : 1;
1633 _B.n = 1;
1634 _B.p = p;
1635
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1636 return( mbedtls_mpi_div_mpi( Q, R, A, &_B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1637}
1638
1639/*
1640 * Modulo: R = A mod B
1641 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1642int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1643{
1644 int ret;
1645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1646 if( mbedtls_mpi_cmp_int( B, 0 ) < 0 )
1647 return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]1648
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1649 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( NULL, R, A, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1650
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1651 while( mbedtls_mpi_cmp_int( R, 0 ) < 0 )
1652 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( R, R, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1654 while( mbedtls_mpi_cmp_mpi( R, B ) >= 0 )
1655 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( R, R, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1656
1657cleanup:
1658
1659 return( ret );
1660}
1661
1662/*
1663 * Modulo: r = A mod b
1664 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1665int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1666{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1667 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1668 mbedtls_mpi_uint x, y, z;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1669
1670 if( b == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1671 return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1672
1673 if( b < 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1674 return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1675
1676 /*
1677 * handle trivial cases
1678 */
1679 if( b == 1 )
1680 {
1681 *r = 0;
1682 return( 0 );
1683 }
1684
1685 if( b == 2 )
1686 {
1687 *r = A->p[0] & 1;
1688 return( 0 );
1689 }
1690
1691 /*
1692 * general case
1693 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1694 for( i = A->n, y = 0; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1695 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1696 x = A->p[i - 1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1697 y = ( y << biH ) | ( x >> biH );
1698 z = y / b;
1699 y -= z * b;
1700
1701 x <<= biH;
1702 y = ( y << biH ) | ( x >> biH );
1703 z = y / b;
1704 y -= z * b;
1705 }
1706
Paul Bakkerce40a6d2009-06-23 19:46:08 +0000[diff] [blame]1707 /*
1708 * If A is negative, then the current y represents a negative value.
1709 * Flipping it to the positive side.
1710 */
1711 if( A->s < 0 && y != 0 )
1712 y = b - y;
1713
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1714 *r = y;
1715
1716 return( 0 );
1717}
1718
1719/*
1720 * Fast Montgomery initialization (thanks to Tom St Denis)
1721 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1722static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1723{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1724 mbedtls_mpi_uint x, m0 = N->p[0];
Manuel Pégourié-Gonnardfdf3f0e2014-03-11 13:47:05 +0100[diff] [blame]1725 unsigned int i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1726
1727 x = m0;
1728 x += ( ( m0 + 2 ) & 4 ) << 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1729
Manuel Pégourié-Gonnardfdf3f0e2014-03-11 13:47:05 +0100[diff] [blame]1730 for( i = biL; i >= 8; i /= 2 )
1731 x *= ( 2 - ( m0 * x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1732
1733 *mm = ~x + 1;
1734}
1735
Gilles Peskined108d072020-06-04 15:00:49 +0200[diff] [blame]1736/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1737 *
1738 * \param[in,out] A One of the numbers to multiply.
Gilles Peskinecc6a6bf2020-06-08 22:37:50 +0200[diff] [blame]1739 * It must have at least as many limbs as N
1740 * (A->n >= N->n), and any limbs beyond n are ignored.
Gilles Peskined108d072020-06-04 15:00:49 +0200[diff] [blame]1741 * On successful completion, A contains the result of
1742 * the multiplication A * B * R^-1 mod N where
1743 * R = (2^ciL)^n.
1744 * \param[in] B One of the numbers to multiply.
1745 * It must be nonzero and must not have more limbs than N
1746 * (B->n <= N->n).
1747 * \param[in] N The modulo. N must be odd.
1748 * \param mm The value calculated by `mpi_montg_init(&mm, N)`.
1749 * This is -N^-1 mod 2^ciL.
1750 * \param[in,out] T A bignum for temporary storage.
1751 * It must be at least twice the limb size of N plus 2
1752 * (T->n >= 2 * (N->n + 1)).
1753 * Its initial content is unused and
1754 * its final content is indeterminate.
1755 * Note that unlike the usual convention in the library
1756 * for `const mbedtls_mpi*`, the content of T can change.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1757 */
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1758static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1759 const mbedtls_mpi *T )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1760{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1761 size_t i, n, m;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1762 mbedtls_mpi_uint u0, u1, *d;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1763
1764 memset( T->p, 0, T->n * ciL );
1765
1766 d = T->p;
1767 n = N->n;
1768 m = ( B->n < n ) ? B->n : n;
1769
1770 for( i = 0; i < n; i++ )
1771 {
1772 /*
1773 * T = (T + u0*B + u1*N) / 2^biL
1774 */
1775 u0 = A->p[i];
1776 u1 = ( d[0] + u0 * B->p[0] ) * mm;
1777
1778 mpi_mul_hlp( m, B->p, d, u0 );
1779 mpi_mul_hlp( n, N->p, d, u1 );
1780
1781 *d++ = u0; d[n + 1] = 0;
1782 }
1783
Gilles Peskinecc6a6bf2020-06-08 22:37:50 +0200[diff] [blame]1784 /* At this point, d is either the desired result or the desired result
1785 * plus N. We now potentially subtract N, avoiding leaking whether the
1786 * subtraction is performed through side channels. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787
Gilles Peskinecc6a6bf2020-06-08 22:37:50 +0200[diff] [blame]1788 /* Copy the n least significant limbs of d to A, so that
1789 * A = d if d < N (recall that N has n limbs). */
1790 memcpy( A->p, d, n * ciL );
1791 /* If d >= N then we want to set A to N - d. To prevent timing attacks,
1792 * do the calculation without using conditional tests. */
1793 /* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
Gilles Peskine7ff812e2020-06-04 21:05:24 +0200[diff] [blame]1794 d[n] += 1;
Gilles Peskine6f3b68d2020-06-08 21:58:22 +0200[diff] [blame]1795 d[n] -= mpi_sub_hlp( n, d, N->p );
Gilles Peskinecc6a6bf2020-06-08 22:37:50 +0200[diff] [blame]1796 /* If d0 < N then d < (2^biL)^n
1797 * so d[n] == 0 and we want to keep A as it is.
1798 * If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
1799 * so d[n] == 1 and we want to set A to the result of the subtraction
1800 * which is d - (2^biL)^n, i.e. the n least significant limbs of d.
1801 * This exactly corresponds to a conditional assignment. */
1802 mpi_safe_cond_assign( n, A->p, d, (unsigned char) d[n] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1803}
1804
1805/*
1806 * Montgomery reduction: A = A * R^-1 mod N
Gilles Peskined108d072020-06-04 15:00:49 +0200[diff] [blame]1807 *
1808 * See mpi_montmul() regarding constraints and guarantees on the parameters.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809 */
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1810static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, mbedtls_mpi_uint mm, const mbedtls_mpi *T )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1812 mbedtls_mpi_uint z = 1;
1813 mbedtls_mpi U;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1814
Paul Bakker8ddb6452013-02-27 14:56:33 +0100[diff] [blame]1815 U.n = U.s = (int) z;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1816 U.p = &z;
1817
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1818 mpi_montmul( A, &U, N, mm, T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819}
1820
1821/*
1822 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1823 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1824int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1825{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1826 int ret;
1827 size_t wbits, wsize, one = 1;
1828 size_t i, j, nblimbs;
1829 size_t bufsize, nbits;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1830 mbedtls_mpi_uint ei, mm, state;
1831 mbedtls_mpi RR, T, W[ 2 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]1832 int neg;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833
Hanno Becker930ec7d2018-03-09 10:48:00 +0000[diff] [blame]1834 if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 || ( N->p[0] & 1 ) == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1835 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1837 if( mbedtls_mpi_cmp_int( E, 0 ) < 0 )
1838 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]1839
1840 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1841 * Init temps and window size
1842 */
1843 mpi_montg_init( &mm, N );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1844 mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &T );
1845 mbedtls_mpi_init( &Apos );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1846 memset( W, 0, sizeof( W ) );
1847
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]1848 i = mbedtls_mpi_bitlen( E );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849
1850 wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
1851 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
1852
Peter Kolbusf5d153d2018-12-11 14:01:44 -0600[diff] [blame]1853#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1854 if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
1855 wsize = MBEDTLS_MPI_WINDOW_SIZE;
Peter Kolbusf5d153d2018-12-11 14:01:44 -0600[diff] [blame]1856#endif
Paul Bakkerb6d5f082011-11-25 11:52:11 +0000[diff] [blame]1857
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1858 j = N->n + 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1859 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
1860 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) );
1861 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862
1863 /*
Paul Bakker50546922012-05-19 08:40:49 +0000[diff] [blame]1864 * Compensate for negative A (and correct at the end)
1865 */
1866 neg = ( A->s == -1 );
Paul Bakker50546922012-05-19 08:40:49 +0000[diff] [blame]1867 if( neg )
1868 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1869 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Apos, A ) );
Paul Bakker50546922012-05-19 08:40:49 +0000[diff] [blame]1870 Apos.s = 1;
1871 A = &Apos;
1872 }
1873
1874 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1875 * If 1st call, pre-compute R^2 mod N
1876 */
1877 if( _RR == NULL || _RR->p == NULL )
1878 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1879 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &RR, 1 ) );
1880 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &RR, N->n * 2 * biL ) );
1881 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &RR, &RR, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882
1883 if( _RR != NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1884 memcpy( _RR, &RR, sizeof( mbedtls_mpi ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885 }
1886 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1887 memcpy( &RR, _RR, sizeof( mbedtls_mpi ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1888
1889 /*
1890 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1891 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1892 if( mbedtls_mpi_cmp_mpi( A, N ) >= 0 )
1893 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &W[1], A, N ) );
Paul Bakkerc2024f42014-01-23 20:38:35 +0100[diff] [blame]1894 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1895 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1897 mpi_montmul( &W[1], &RR, N, mm, &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898
1899 /*
1900 * X = R^2 * R^-1 mod N = R mod N
1901 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1902 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1903 mpi_montred( X, N, mm, &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904
1905 if( wsize > 1 )
1906 {
1907 /*
1908 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
1909 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1910 j = one << ( wsize - 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1911
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1912 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) );
1913 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1914
1915 for( i = 0; i < wsize - 1; i++ )
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1916 mpi_montmul( &W[j], &W[j], N, mm, &T );
Paul Bakker0d7702c2013-10-29 16:18:35 +0100[diff] [blame]1917
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918 /*
1919 * W[i] = W[i - 1] * W[1]
1920 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1921 for( i = j + 1; i < ( one << wsize ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1923 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
1924 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1925
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1926 mpi_montmul( &W[i], &W[1], N, mm, &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1927 }
1928 }
1929
1930 nblimbs = E->n;
1931 bufsize = 0;
1932 nbits = 0;
1933 wbits = 0;
1934 state = 0;
1935
1936 while( 1 )
1937 {
1938 if( bufsize == 0 )
1939 {
Paul Bakker0d7702c2013-10-29 16:18:35 +0100[diff] [blame]1940 if( nblimbs == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1941 break;
1942
Paul Bakker0d7702c2013-10-29 16:18:35 +0100[diff] [blame]1943 nblimbs--;
1944
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1945 bufsize = sizeof( mbedtls_mpi_uint ) << 3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1946 }
1947
1948 bufsize--;
1949
1950 ei = (E->p[nblimbs] >> bufsize) & 1;
1951
1952 /*
1953 * skip leading 0s
1954 */
1955 if( ei == 0 && state == 0 )
1956 continue;
1957
1958 if( ei == 0 && state == 1 )
1959 {
1960 /*
1961 * out of window, square X
1962 */
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1963 mpi_montmul( X, X, N, mm, &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1964 continue;
1965 }
1966
1967 /*
1968 * add ei to current window
1969 */
1970 state = 2;
1971
1972 nbits++;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1973 wbits |= ( ei << ( wsize - nbits ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1974
1975 if( nbits == wsize )
1976 {
1977 /*
1978 * X = X^wsize R^-1 mod N
1979 */
1980 for( i = 0; i < wsize; i++ )
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1981 mpi_montmul( X, X, N, mm, &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1982
1983 /*
1984 * X = X * W[wbits] R^-1 mod N
1985 */
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1986 mpi_montmul( X, &W[wbits], N, mm, &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1987
1988 state--;
1989 nbits = 0;
1990 wbits = 0;
1991 }
1992 }
1993
1994 /*
1995 * process the remaining bits
1996 */
1997 for( i = 0; i < nbits; i++ )
1998 {
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]1999 mpi_montmul( X, X, N, mm, &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2000
2001 wbits <<= 1;
2002
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2003 if( ( wbits & ( one << wsize ) ) != 0 )
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]2004 mpi_montmul( X, &W[1], N, mm, &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2005 }
2006
2007 /*
2008 * X = A^E * R * R^-1 mod N = A^E mod N
2009 */
Gilles Peskine8ff7cc92020-06-04 20:55:15 +0200[diff] [blame]2010 mpi_montred( X, N, mm, &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2011
Hanno Beckera4af1c42017-04-18 09:07:45 +0100[diff] [blame]2012 if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]2013 {
2014 X->s = -1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2015 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) );
Paul Bakkerf6198c12012-05-16 08:02:29 +0000[diff] [blame]2016 }
2017
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2018cleanup:
2019
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2020 for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2021 mbedtls_mpi_free( &W[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2022
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2023 mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos );
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]2024
Paul Bakker75a28602014-03-31 12:08:17 +0200[diff] [blame]2025 if( _RR == NULL || _RR->p == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2026 mbedtls_mpi_free( &RR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2027
2028 return( ret );
2029}
2030
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031/*
2032 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
2033 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2035{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2036 int ret;
2037 size_t lz, lzt;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2038 mbedtls_mpi TG, TA, TB;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2040 mbedtls_mpi_init( &TG ); mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2041
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2042 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) );
2043 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2044
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2045 lz = mbedtls_mpi_lsb( &TA );
2046 lzt = mbedtls_mpi_lsb( &TB );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2047
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2048 if( lzt < lz )
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2049 lz = lzt;
2050
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2051 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, lz ) );
2052 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, lz ) );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2053
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2054 TA.s = TB.s = 1;
2055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2056 while( mbedtls_mpi_cmp_int( &TA, 0 ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2057 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2058 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, mbedtls_mpi_lsb( &TA ) ) );
2059 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, mbedtls_mpi_lsb( &TB ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2060
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2061 if( mbedtls_mpi_cmp_mpi( &TA, &TB ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2062 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2063 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TA, &TA, &TB ) );
2064 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2065 }
2066 else
2067 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2068 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TB, &TB, &TA ) );
2069 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2070 }
2071 }
2072
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2073 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &TB, lz ) );
2074 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( G, &TB ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2075
2076cleanup:
2077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2078 mbedtls_mpi_free( &TG ); mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TB );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2079
2080 return( ret );
2081}
2082
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]2083/*
2084 * Fill X with size bytes of random.
2085 *
2086 * Use a temporary bytes representation to make sure the result is the same
Paul Bakkerc37b0ac2014-05-01 14:19:23 +0200[diff] [blame]2087 * regardless of the platform endianness (useful when f_rng is actually
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]2088 * deterministic, eg for tests).
2089 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2090int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2091 int (*f_rng)(void *, unsigned char *, size_t),
2092 void *p_rng )
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]2093{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2094 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2095 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
Paul Bakker33dc46b2014-04-30 16:11:39 +0200[diff] [blame]2096
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2097 if( size > MBEDTLS_MPI_MAX_SIZE )
2098 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]2099
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2100 MBEDTLS_MPI_CHK( f_rng( p_rng, buf, size ) );
2101 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( X, buf, size ) );
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]2102
2103cleanup:
Hanno Becker88807112017-10-18 12:41:30 +0100[diff] [blame]2104 mbedtls_zeroize( buf, sizeof( buf ) );
Paul Bakker287781a2011-03-26 13:18:49 +0000[diff] [blame]2105 return( ret );
2106}
2107
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2108/*
2109 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
2110 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2111int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2112{
2113 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2114 mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2115
Hanno Becker4bcb4912017-04-18 15:49:39 +0100[diff] [blame]2116 if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2117 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2118
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2119 mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TU ); mbedtls_mpi_init( &U1 ); mbedtls_mpi_init( &U2 );
2120 mbedtls_mpi_init( &G ); mbedtls_mpi_init( &TB ); mbedtls_mpi_init( &TV );
2121 mbedtls_mpi_init( &V1 ); mbedtls_mpi_init( &V2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2122
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2123 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, A, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2124
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2125 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2126 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2127 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2128 goto cleanup;
2129 }
2130
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2131 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &TA, A, N ) );
2132 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TU, &TA ) );
2133 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, N ) );
2134 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TV, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2135
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2136 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U1, 1 ) );
2137 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U2, 0 ) );
2138 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V1, 0 ) );
2139 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V2, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2140
2141 do
2142 {
2143 while( ( TU.p[0] & 1 ) == 0 )
2144 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2145 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TU, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146
2147 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
2148 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2149 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &U1, &U1, &TB ) );
2150 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &TA ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2151 }
2152
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2153 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U1, 1 ) );
2154 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U2, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2155 }
2156
2157 while( ( TV.p[0] & 1 ) == 0 )
2158 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2159 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TV, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2160
2161 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
2162 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2163 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, &TB ) );
2164 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &TA ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2165 }
2166
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2167 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V1, 1 ) );
2168 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V2, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2169 }
2170
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2171 if( mbedtls_mpi_cmp_mpi( &TU, &TV ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2172 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2173 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TU, &TU, &TV ) );
2174 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U1, &U1, &V1 ) );
2175 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &V2 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2176 }
2177 else
2178 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2179 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TV, &TV, &TU ) );
2180 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, &U1 ) );
2181 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &U2 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2182 }
2183 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2184 while( mbedtls_mpi_cmp_int( &TU, 0 ) != 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2186 while( mbedtls_mpi_cmp_int( &V1, 0 ) < 0 )
2187 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2188
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2189 while( mbedtls_mpi_cmp_mpi( &V1, N ) >= 0 )
2190 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2191
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2192 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &V1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2193
2194cleanup:
2195
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2196 mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TU ); mbedtls_mpi_free( &U1 ); mbedtls_mpi_free( &U2 );
2197 mbedtls_mpi_free( &G ); mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TV );
2198 mbedtls_mpi_free( &V1 ); mbedtls_mpi_free( &V2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2199
2200 return( ret );
2201}
2202
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2203#if defined(MBEDTLS_GENPRIME)
Paul Bakkerd9374b02012-11-02 11:02:58 +0000[diff] [blame]2204
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205static const int small_prime[] =
2206{
2207 3, 5, 7, 11, 13, 17, 19, 23,
2208 29, 31, 37, 41, 43, 47, 53, 59,
2209 61, 67, 71, 73, 79, 83, 89, 97,
2210 101, 103, 107, 109, 113, 127, 131, 137,
2211 139, 149, 151, 157, 163, 167, 173, 179,
2212 181, 191, 193, 197, 199, 211, 223, 227,
2213 229, 233, 239, 241, 251, 257, 263, 269,
2214 271, 277, 281, 283, 293, 307, 311, 313,
2215 317, 331, 337, 347, 349, 353, 359, 367,
2216 373, 379, 383, 389, 397, 401, 409, 419,
2217 421, 431, 433, 439, 443, 449, 457, 461,
2218 463, 467, 479, 487, 491, 499, 503, 509,
2219 521, 523, 541, 547, 557, 563, 569, 571,
2220 577, 587, 593, 599, 601, 607, 613, 617,
2221 619, 631, 641, 643, 647, 653, 659, 661,
2222 673, 677, 683, 691, 701, 709, 719, 727,
2223 733, 739, 743, 751, 757, 761, 769, 773,
2224 787, 797, 809, 811, 821, 823, 827, 829,
2225 839, 853, 857, 859, 863, 877, 881, 883,
2226 887, 907, 911, 919, 929, 937, 941, 947,
2227 953, 967, 971, 977, 983, 991, 997, -103
2228};
2229
2230/*
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2231 * Small divisors test (X must be positive)
2232 *
2233 * Return values:
2234 * 0: no small factor (possible prime, more tests needed)
2235 * 1: certain prime
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2236 * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2237 * other negative: error
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2238 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2239static int mpi_check_small_factors( const mbedtls_mpi *X )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2240{
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2241 int ret = 0;
2242 size_t i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2243 mbedtls_mpi_uint r;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2244
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2245 if( ( X->p[0] & 1 ) == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2246 return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2247
2248 for( i = 0; small_prime[i] > 0; i++ )
2249 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2250 if( mbedtls_mpi_cmp_int( X, small_prime[i] ) <= 0 )
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2251 return( 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2252
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2253 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, small_prime[i] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2254
2255 if( r == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2256 return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257 }
2258
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2259cleanup:
2260 return( ret );
2261}
2262
2263/*
2264 * Miller-Rabin pseudo-primality test (HAC 4.24)
2265 */
Janos Follath72d555d2018-09-03 14:45:23 +0100[diff] [blame]2266static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2267 int (*f_rng)(void *, unsigned char *, size_t),
2268 void *p_rng )
2269{
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2270 int ret, count;
Janos Follath72d555d2018-09-03 14:45:23 +0100[diff] [blame]2271 size_t i, j, k, s;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2272 mbedtls_mpi W, R, T, A, RR;
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2273
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2274 mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
2275 mbedtls_mpi_init( &RR );
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2276
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2277 /*
2278 * W = |X| - 1
2279 * R = W >> lsb( W )
2280 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2281 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &W, X, 1 ) );
2282 s = mbedtls_mpi_lsb( &W );
2283 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R, &W ) );
2284 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2285
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]2286 i = mbedtls_mpi_bitlen( X );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2287
Janos Follath72d555d2018-09-03 14:45:23 +0100[diff] [blame]2288 for( i = 0; i < rounds; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2289 {
2290 /*
2291 * pick a random A, 1 < A < |X| - 1
2292 */
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2293 count = 0;
2294 do {
Manuel Pégourié-Gonnard53c76c02015-04-17 20:15:36 +0200[diff] [blame]2295 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2296
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]2297 j = mbedtls_mpi_bitlen( &A );
2298 k = mbedtls_mpi_bitlen( &W );
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2299 if (j > k) {
Darryl Green56d7cc42018-10-02 13:21:35 +0100[diff] [blame]2300 A.p[A.n - 1] &= ( (mbedtls_mpi_uint) 1 << ( k - ( A.n - 1 ) * biL - 1 ) ) - 1;
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2301 }
2302
2303 if (count++ > 30) {
Jens Wiklanderb2aa9382019-01-17 13:30:57 +0100[diff] [blame]2304 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
2305 goto cleanup;
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2306 }
2307
Manuel Pégourié-Gonnard53c76c02015-04-17 20:15:36 +0200[diff] [blame]2308 } while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 ||
2309 mbedtls_mpi_cmp_int( &A, 1 ) <= 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2310
2311 /*
2312 * A = A^R mod |X|
2313 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2314 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &A, &A, &R, X, &RR ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2315
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2316 if( mbedtls_mpi_cmp_mpi( &A, &W ) == 0 ||
2317 mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2318 continue;
2319
2320 j = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2321 while( j < s && mbedtls_mpi_cmp_mpi( &A, &W ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2322 {
2323 /*
2324 * A = A * A mod |X|
2325 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2326 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &A, &A ) );
2327 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &A, &T, X ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2328
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2329 if( mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2330 break;
2331
2332 j++;
2333 }
2334
2335 /*
2336 * not prime if A != |X| - 1 or A == 1
2337 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2338 if( mbedtls_mpi_cmp_mpi( &A, &W ) != 0 ||
2339 mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2340 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2341 ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2342 break;
2343 }
2344 }
2345
2346cleanup:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2347 mbedtls_mpi_free( &W ); mbedtls_mpi_free( &R ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &A );
2348 mbedtls_mpi_free( &RR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2349
2350 return( ret );
2351}
2352
2353/*
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2354 * Pseudo-primality test: small factors, then Miller-Rabin
2355 */
Darryl Green94759f62018-10-16 15:09:19 +0100[diff] [blame]2356static int mpi_is_prime_internal( const mbedtls_mpi *X, int rounds,
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2357 int (*f_rng)(void *, unsigned char *, size_t),
2358 void *p_rng )
2359{
2360 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2361 mbedtls_mpi XX;
Manuel Pégourié-Gonnard7f4ed672014-10-14 20:56:02 +0200[diff] [blame]2362
2363 XX.s = 1;
2364 XX.n = X->n;
2365 XX.p = X->p;
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2367 if( mbedtls_mpi_cmp_int( &XX, 0 ) == 0 ||
2368 mbedtls_mpi_cmp_int( &XX, 1 ) == 0 )
2369 return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2370
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2371 if( mbedtls_mpi_cmp_int( &XX, 2 ) == 0 )
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2372 return( 0 );
2373
2374 if( ( ret = mpi_check_small_factors( &XX ) ) != 0 )
2375 {
2376 if( ret == 1 )
2377 return( 0 );
2378
2379 return( ret );
2380 }
2381
Janos Follath72d555d2018-09-03 14:45:23 +0100[diff] [blame]2382 return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
2383}
2384
2385/*
2386 * Pseudo-primality test, error probability 2^-80
2387 */
2388int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
2389 int (*f_rng)(void *, unsigned char *, size_t),
2390 void *p_rng )
2391{
2392 return mpi_is_prime_internal( X, 40, f_rng, p_rng );
Manuel Pégourié-Gonnard378fb4b2013-11-22 18:39:18 +0100[diff] [blame]2393}
2394
2395/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2396 * Prime number generation
2397 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2398int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2399 int (*f_rng)(void *, unsigned char *, size_t),
2400 void *p_rng )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2401{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2402 int ret;
2403 size_t k, n;
Janos Follath72d555d2018-09-03 14:45:23 +0100[diff] [blame]2404 int rounds;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2405 mbedtls_mpi_uint r;
2406 mbedtls_mpi Y;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2407
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2408 if( nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS )
2409 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2410
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2411 mbedtls_mpi_init( &Y );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2412
2413 n = BITS_TO_LIMBS( nbits );
2414
Janos Follath72d555d2018-09-03 14:45:23 +0100[diff] [blame]2415 /*
2416 * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
2417 */
2418 rounds = ( ( nbits >= 1300 ) ? 2 : ( nbits >= 850 ) ? 3 :
2419 ( nbits >= 650 ) ? 4 : ( nbits >= 350 ) ? 8 :
2420 ( nbits >= 250 ) ? 12 : ( nbits >= 150 ) ? 18 : 27 );
2421
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2422 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2423
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200[diff] [blame]2424 k = mbedtls_mpi_bitlen( X );
Manuel Pégourié-Gonnard53c76c02015-04-17 20:15:36 +0200[diff] [blame]2425 if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2426
Manuel Pégourié-Gonnard53c76c02015-04-17 20:15:36 +0200[diff] [blame]2427 mbedtls_mpi_set_bit( X, nbits-1, 1 );
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2428
2429 X->p[0] |= 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2430
2431 if( dh_flag == 0 )
2432 {
Janos Follath72d555d2018-09-03 14:45:23 +0100[diff] [blame]2433 while( ( ret = mpi_is_prime_internal( X, rounds, f_rng, p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2434 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2435 if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2436 goto cleanup;
2437
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2438 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 2 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2439 }
2440 }
2441 else
2442 {
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2443 /*
2444 * An necessary condition for Y and X = 2Y + 1 to be prime
2445 * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
2446 * Make sure it is satisfied, while keeping X = 3 mod 4
2447 */
Pascal Junodb99183d2015-03-11 16:49:45 +0100[diff] [blame]2448
2449 X->p[0] |= 2;
2450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2451 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2452 if( r == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2453 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2454 else if( r == 1 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2455 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 4 ) );
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2456
2457 /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2458 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, X ) );
2459 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2460
2461 while( 1 )
2462 {
Manuel Pégourié-Gonnardddf76152013-11-22 19:58:22 +0100[diff] [blame]2463 /*
2464 * First, check small factors for X and Y
2465 * before doing Miller-Rabin on any of them
2466 */
2467 if( ( ret = mpi_check_small_factors( X ) ) == 0 &&
2468 ( ret = mpi_check_small_factors( &Y ) ) == 0 &&
Janos Follath72d555d2018-09-03 14:45:23 +0100[diff] [blame]2469 ( ret = mpi_miller_rabin( X, rounds, f_rng, p_rng ) )
2470 == 0 &&
2471 ( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng ) )
2472 == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2473 {
Manuel Pégourié-Gonnardddf76152013-11-22 19:58:22 +0100[diff] [blame]2474 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2475 }
2476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2477 if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2478 goto cleanup;
2479
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2480 /*
Manuel Pégourié-Gonnardddf76152013-11-22 19:58:22 +0100[diff] [blame]2481 * Next candidates. We want to preserve Y = (X-1) / 2 and
Manuel Pégourié-Gonnard0160eac2013-11-22 17:54:59 +0100[diff] [blame]2482 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
2483 * so up Y by 6 and X by 12.
2484 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2485 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 12 ) );
2486 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &Y, &Y, 6 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2487 }
2488 }
2489
2490cleanup:
2491
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2492 mbedtls_mpi_free( &Y );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2493
2494 return( ret );
2495}
2496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2497#endif /* MBEDTLS_GENPRIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2499#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2500
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2501#define GCD_PAIR_COUNT 3
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2502
2503static const int gcd_pairs[GCD_PAIR_COUNT][3] =
2504{
2505 { 693, 609, 21 },
2506 { 1764, 868, 28 },
2507 { 768454923, 542167814, 1 }
2508};
2509
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2510/*
2511 * Checkup routine
2512 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2513int mbedtls_mpi_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2514{
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2515 int ret, i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2516 mbedtls_mpi A, E, N, X, Y, U, V;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2518 mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &X );
2519 mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &U ); mbedtls_mpi_init( &V );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2521 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &A, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2522 "EFE021C2645FD1DC586E69184AF4A31E" \
2523 "D5F53E93B5F123FA41680867BA110131" \
2524 "944FE7952E2517337780CB0DB80E61AA" \
2525 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
2526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2527 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &E, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2528 "B2E7EFD37075B9F03FF989C7C5051C20" \
2529 "34D2A323810251127E7BF8625A4F49A5" \
2530 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
2531 "5B5C25763222FEFCCFC38B832366C29E" ) );
2532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2533 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &N, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2534 "0066A198186C18C10B2F5ED9B522752A" \
2535 "9830B69916E535C8F047518A889A43A5" \
2536 "94B6BED27A168D31D4A52F88925AA8F5" ) );
2537
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2538 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X, &A, &N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2539
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2540 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2541 "602AB7ECA597A3D6B56FF9829A5E8B85" \
2542 "9E857EA95A03512E2BAE7391688D264A" \
2543 "A5663B0341DB9CCFD2C4C5F421FEC814" \
2544 "8001B72E848A38CAE1C65F78E56ABDEF" \
2545 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
2546 "ECF677152EF804370C1A305CAF3B5BF1" \
2547 "30879B56C61DE584A0F53A2447A51E" ) );
2548
2549 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2550 mbedtls_printf( " MPI test #1 (mul_mpi): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2552 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2553 {
2554 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2555 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2556
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2557 ret = 1;
2558 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2559 }
2560
2561 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2562 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2563
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2564 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &X, &Y, &A, &N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2565
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2566 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2567 "256567336059E52CAE22925474705F39A94" ) );
2568
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2569 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &V, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2570 "6613F26162223DF488E9CD48CC132C7A" \
2571 "0AC93C701B001B092E4E5B9F73BCD27B" \
2572 "9EE50D0657C77F374E903CDFA4C642" ) );
2573
2574 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2575 mbedtls_printf( " MPI test #2 (div_mpi): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2577 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 ||
2578 mbedtls_mpi_cmp_mpi( &Y, &V ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2579 {
2580 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2581 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2582
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2583 ret = 1;
2584 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2585 }
2586
2587 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2588 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2589
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2590 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &X, &A, &E, &N, NULL ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2592 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2593 "36E139AEA55215609D2816998ED020BB" \
2594 "BD96C37890F65171D948E9BC7CBAA4D9" \
2595 "325D24D6A3C12710F10A09FA08AB87" ) );
2596
2597 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2598 mbedtls_printf( " MPI test #3 (exp_mod): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2599
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2600 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2601 {
2602 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2603 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2604
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2605 ret = 1;
2606 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2607 }
2608
2609 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2610 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2611
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2612 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &X, &A, &N ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2613
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2614 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2615 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
2616 "C3DBA76456363A10869622EAC2DD84EC" \
2617 "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
2618
2619 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2620 mbedtls_printf( " MPI test #4 (inv_mod): " );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2621
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2622 if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2623 {
2624 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2625 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2626
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2627 ret = 1;
2628 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2629 }
2630
2631 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2632 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2633
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2634 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2635 mbedtls_printf( " MPI test #5 (simple gcd): " );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2636
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2637 for( i = 0; i < GCD_PAIR_COUNT; i++ )
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2638 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2639 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &X, gcd_pairs[i][0] ) );
2640 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Y, gcd_pairs[i][1] ) );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2641
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2642 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &A, &X, &Y ) );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2643
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2644 if( mbedtls_mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2645 {
2646 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2647 mbedtls_printf( "failed at %d\n", i );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2648
Manuel Pégourié-Gonnard9e987ed2014-01-20 10:03:15 +0100[diff] [blame]2649 ret = 1;
2650 goto cleanup;
2651 }
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2652 }
2653
2654 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2655 mbedtls_printf( "passed\n" );
Paul Bakker4e0d7ca2009-01-29 22:24:33 +0000[diff] [blame]2656
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2657cleanup:
2658
2659 if( ret != 0 && verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2660 mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2661
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2662 mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); mbedtls_mpi_free( &X );
2663 mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &U ); mbedtls_mpi_free( &V );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2664
2665 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2666 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2667
2668 return( ret );
2669}
2670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2671#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2673#endif /* MBEDTLS_BIGNUM_C */