2 * Multi-precision integer library
4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
6 * This file is part of mbed TLS (https://polarssl.org)
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 * This MPI implementation is based on:
25 * http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf
26 * http://www.stillhq.com/extracted/gnupg-api/mpi/
27 * http://math.libtomcrypt.com/files/tommath.pdf
30 #if !defined(POLARSSL_CONFIG_FILE)
31 #include "polarssl/config.h"
33 #include POLARSSL_CONFIG_FILE
36 #if defined(POLARSSL_BIGNUM_C)
38 #include "polarssl/bignum.h"
39 #include "polarssl/bn_mul.h"
41 #if defined(POLARSSL_PLATFORM_C)
42 #include "polarssl/platform.h"
44 #define polarssl_printf printf
45 #define polarssl_malloc malloc
46 #define polarssl_free free
51 /* Implementation that should never be optimized out by the compiler */
52 static void polarssl_zeroize( void *v
, size_t n
) {
53 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
56 #define ciL (sizeof(t_uint)) /* chars in limb */
57 #define biL (ciL << 3) /* bits in limb */
58 #define biH (ciL << 2) /* half limb size */
61 * Convert between bits/chars and number of limbs
63 #define BITS_TO_LIMBS(i) (((i) + biL - 1) / biL)
64 #define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
69 void mpi_init( mpi
*X
)
82 void mpi_free( mpi
*X
)
89 polarssl_zeroize( X
->p
, X
->n
* ciL
);
90 polarssl_free( X
->p
);
99 * Enlarge to the specified number of limbs
101 int mpi_grow( mpi
*X
, size_t nblimbs
)
105 if( nblimbs
> POLARSSL_MPI_MAX_LIMBS
)
106 return( POLARSSL_ERR_MPI_MALLOC_FAILED
);
110 if( ( p
= (t_uint
*) polarssl_malloc( nblimbs
* ciL
) ) == NULL
)
111 return( POLARSSL_ERR_MPI_MALLOC_FAILED
);
113 memset( p
, 0, nblimbs
* ciL
);
117 memcpy( p
, X
->p
, X
->n
* ciL
);
118 polarssl_zeroize( X
->p
, X
->n
* ciL
);
119 polarssl_free( X
->p
);
130 * Resize down as much as possible,
131 * while keeping at least the specified number of limbs
133 int mpi_shrink( mpi
*X
, size_t nblimbs
)
138 /* Actually resize up in this case */
139 if( X
->n
<= nblimbs
)
140 return( mpi_grow( X
, nblimbs
) );
142 for( i
= X
->n
- 1; i
> 0; i
-- )
150 if( ( p
= (t_uint
*) polarssl_malloc( i
* ciL
) ) == NULL
)
151 return( POLARSSL_ERR_MPI_MALLOC_FAILED
);
153 memset( p
, 0, i
* ciL
);
157 memcpy( p
, X
->p
, i
* ciL
);
158 polarssl_zeroize( X
->p
, X
->n
* ciL
);
159 polarssl_free( X
->p
);
169 * Copy the contents of Y into X
171 int mpi_copy( mpi
*X
, const mpi
*Y
)
185 for( i
= Y
->n
- 1; i
> 0; i
-- )
192 MPI_CHK( mpi_grow( X
, i
) );
194 memset( X
->p
, 0, X
->n
* ciL
);
195 memcpy( X
->p
, Y
->p
, i
* ciL
);
203 * Swap the contents of X and Y
205 void mpi_swap( mpi
*X
, mpi
*Y
)
209 memcpy( &T
, X
, sizeof( mpi
) );
210 memcpy( X
, Y
, sizeof( mpi
) );
211 memcpy( Y
, &T
, sizeof( mpi
) );
215 * Conditionally assign X = Y, without leaking information
216 * about whether the assignment was made or not.
217 * (Leaking information about the respective sizes of X and Y is ok however.)
219 int mpi_safe_cond_assign( mpi
*X
, const mpi
*Y
, unsigned char assign
)
224 /* make sure assign is 0 or 1 */
225 assign
= ( assign
!= 0 );
227 MPI_CHK( mpi_grow( X
, Y
->n
) );
229 X
->s
= X
->s
* ( 1 - assign
) + Y
->s
* assign
;
231 for( i
= 0; i
< Y
->n
; i
++ )
232 X
->p
[i
] = X
->p
[i
] * ( 1 - assign
) + Y
->p
[i
] * assign
;
234 for( ; i
< X
->n
; i
++ )
235 X
->p
[i
] *= ( 1 - assign
);
242 * Conditionally swap X and Y, without leaking information
243 * about whether the swap was made or not.
244 * Here it is not ok to simply swap the pointers, which whould lead to
245 * different memory access patterns when X and Y are used afterwards.
247 int mpi_safe_cond_swap( mpi
*X
, mpi
*Y
, unsigned char swap
)
256 /* make sure swap is 0 or 1 */
257 swap
= ( swap
!= 0 );
259 MPI_CHK( mpi_grow( X
, Y
->n
) );
260 MPI_CHK( mpi_grow( Y
, X
->n
) );
263 X
->s
= X
->s
* ( 1 - swap
) + Y
->s
* swap
;
264 Y
->s
= Y
->s
* ( 1 - swap
) + s
* swap
;
267 for( i
= 0; i
< X
->n
; i
++ )
270 X
->p
[i
] = X
->p
[i
] * ( 1 - swap
) + Y
->p
[i
] * swap
;
271 Y
->p
[i
] = Y
->p
[i
] * ( 1 - swap
) + tmp
* swap
;
279 * Set value from integer
281 int mpi_lset( mpi
*X
, t_sint z
)
285 MPI_CHK( mpi_grow( X
, 1 ) );
286 memset( X
->p
, 0, X
->n
* ciL
);
288 X
->p
[0] = ( z
< 0 ) ? -z
: z
;
289 X
->s
= ( z
< 0 ) ? -1 : 1;
299 int mpi_get_bit( const mpi
*X
, size_t pos
)
301 if( X
->n
* biL
<= pos
)
304 return( ( X
->p
[pos
/ biL
] >> ( pos
% biL
) ) & 0x01 );
308 * Set a bit to a specific value of 0 or 1
310 int mpi_set_bit( mpi
*X
, size_t pos
, unsigned char val
)
313 size_t off
= pos
/ biL
;
314 size_t idx
= pos
% biL
;
316 if( val
!= 0 && val
!= 1 )
317 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA
);
319 if( X
->n
* biL
<= pos
)
324 MPI_CHK( mpi_grow( X
, off
+ 1 ) );
327 X
->p
[off
] &= ~( (t_uint
) 0x01 << idx
);
328 X
->p
[off
] |= (t_uint
) val
<< idx
;
336 * Return the number of least significant bits
338 size_t mpi_lsb( const mpi
*X
)
340 size_t i
, j
, count
= 0;
342 for( i
= 0; i
< X
->n
; i
++ )
343 for( j
= 0; j
< biL
; j
++, count
++ )
344 if( ( ( X
->p
[i
] >> j
) & 1 ) != 0 )
351 * Return the number of most significant bits
353 size_t mpi_msb( const mpi
*X
)
357 for( i
= X
->n
- 1; i
> 0; i
-- )
361 for( j
= biL
; j
> 0; j
-- )
362 if( ( ( X
->p
[i
] >> ( j
- 1 ) ) & 1 ) != 0 )
365 return( ( i
* biL
) + j
);
369 * Return the total size in bytes
371 size_t mpi_size( const mpi
*X
)
373 return( ( mpi_msb( X
) + 7 ) >> 3 );
377 * Convert an ASCII character to digit value
379 static int mpi_get_digit( t_uint
*d
, int radix
, char c
)
383 if( c
>= 0x30 && c
<= 0x39 ) *d
= c
- 0x30;
384 if( c
>= 0x41 && c
<= 0x46 ) *d
= c
- 0x37;
385 if( c
>= 0x61 && c
<= 0x66 ) *d
= c
- 0x57;
387 if( *d
>= (t_uint
) radix
)
388 return( POLARSSL_ERR_MPI_INVALID_CHARACTER
);
394 * Import from an ASCII string
396 int mpi_read_string( mpi
*X
, int radix
, const char *s
)
399 size_t i
, j
, slen
, n
;
403 if( radix
< 2 || radix
> 16 )
404 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA
);
412 n
= BITS_TO_LIMBS( slen
<< 2 );
414 MPI_CHK( mpi_grow( X
, n
) );
415 MPI_CHK( mpi_lset( X
, 0 ) );
417 for( i
= slen
, j
= 0; i
> 0; i
--, j
++ )
419 if( i
== 1 && s
[i
- 1] == '-' )
425 MPI_CHK( mpi_get_digit( &d
, radix
, s
[i
- 1] ) );
426 X
->p
[j
/ ( 2 * ciL
)] |= d
<< ( ( j
% ( 2 * ciL
) ) << 2 );
431 MPI_CHK( mpi_lset( X
, 0 ) );
433 for( i
= 0; i
< slen
; i
++ )
435 if( i
== 0 && s
[i
] == '-' )
441 MPI_CHK( mpi_get_digit( &d
, radix
, s
[i
] ) );
442 MPI_CHK( mpi_mul_int( &T
, X
, radix
) );
446 MPI_CHK( mpi_add_int( X
, &T
, d
) );
450 MPI_CHK( mpi_sub_int( X
, &T
, d
) );
463 * Helper to write the digits high-order first
465 static int mpi_write_hlp( mpi
*X
, int radix
, char **p
)
470 if( radix
< 2 || radix
> 16 )
471 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA
);
473 MPI_CHK( mpi_mod_int( &r
, X
, radix
) );
474 MPI_CHK( mpi_div_int( X
, NULL
, X
, radix
) );
476 if( mpi_cmp_int( X
, 0 ) != 0 )
477 MPI_CHK( mpi_write_hlp( X
, radix
, p
) );
480 *(*p
)++ = (char)( r
+ 0x30 );
482 *(*p
)++ = (char)( r
+ 0x37 );
490 * Export into an ASCII string
492 int mpi_write_string( const mpi
*X
, int radix
, char *s
, size_t *slen
)
499 if( radix
< 2 || radix
> 16 )
500 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA
);
503 if( radix
>= 4 ) n
>>= 1;
504 if( radix
>= 16 ) n
>>= 1;
510 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL
);
524 for( i
= X
->n
, k
= 0; i
> 0; i
-- )
526 for( j
= ciL
; j
> 0; j
-- )
528 c
= ( X
->p
[i
- 1] >> ( ( j
- 1 ) << 3) ) & 0xFF;
530 if( c
== 0 && k
== 0 && ( i
+ j
) != 2 )
533 *(p
++) = "0123456789ABCDEF" [c
/ 16];
534 *(p
++) = "0123456789ABCDEF" [c
% 16];
541 MPI_CHK( mpi_copy( &T
, X
) );
546 MPI_CHK( mpi_write_hlp( &T
, radix
, &p
) );
559 #if defined(POLARSSL_FS_IO)
561 * Read X from an opened file
563 int mpi_read_file( mpi
*X
, int radix
, FILE *fin
)
569 * Buffer should have space for (short) label and decimal formatted MPI,
570 * newline characters and '\0'
572 char s
[ POLARSSL_MPI_RW_BUFFER_SIZE
];
574 memset( s
, 0, sizeof( s
) );
575 if( fgets( s
, sizeof( s
) - 1, fin
) == NULL
)
576 return( POLARSSL_ERR_MPI_FILE_IO_ERROR
);
579 if( slen
== sizeof( s
) - 2 )
580 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL
);
582 if( s
[slen
- 1] == '\n' ) { slen
--; s
[slen
] = '\0'; }
583 if( s
[slen
- 1] == '\r' ) { slen
--; s
[slen
] = '\0'; }
587 if( mpi_get_digit( &d
, radix
, *p
) != 0 )
590 return( mpi_read_string( X
, radix
, p
+ 1 ) );
594 * Write X into an opened file (or stdout if fout == NULL)
596 int mpi_write_file( const char *p
, const mpi
*X
, int radix
, FILE *fout
)
599 size_t n
, slen
, plen
;
601 * Buffer should have space for (short) label and decimal formatted MPI,
602 * newline characters and '\0'
604 char s
[ POLARSSL_MPI_RW_BUFFER_SIZE
];
610 MPI_CHK( mpi_write_string( X
, radix
, s
, (size_t *) &n
) );
612 if( p
== NULL
) p
= "";
621 if( fwrite( p
, 1, plen
, fout
) != plen
||
622 fwrite( s
, 1, slen
, fout
) != slen
)
623 return( POLARSSL_ERR_MPI_FILE_IO_ERROR
);
626 polarssl_printf( "%s%s", p
, s
);
632 #endif /* POLARSSL_FS_IO */
635 * Import X from unsigned binary data, big endian
637 int mpi_read_binary( mpi
*X
, const unsigned char *buf
, size_t buflen
)
642 for( n
= 0; n
< buflen
; n
++ )
646 MPI_CHK( mpi_grow( X
, CHARS_TO_LIMBS( buflen
- n
) ) );
647 MPI_CHK( mpi_lset( X
, 0 ) );
649 for( i
= buflen
, j
= 0; i
> n
; i
--, j
++ )
650 X
->p
[j
/ ciL
] |= ((t_uint
) buf
[i
- 1]) << ((j
% ciL
) << 3);
658 * Export X into unsigned binary data, big endian
660 int mpi_write_binary( const mpi
*X
, unsigned char *buf
, size_t buflen
)
667 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL
);
669 memset( buf
, 0, buflen
);
671 for( i
= buflen
- 1, j
= 0; n
> 0; i
--, j
++, n
-- )
672 buf
[i
] = (unsigned char)( X
->p
[j
/ ciL
] >> ((j
% ciL
) << 3) );
678 * Left-shift: X <<= count
680 int mpi_shift_l( mpi
*X
, size_t count
)
687 t1
= count
& (biL
- 1);
689 i
= mpi_msb( X
) + count
;
692 MPI_CHK( mpi_grow( X
, BITS_TO_LIMBS( i
) ) );
697 * shift by count / limb_size
701 for( i
= X
->n
; i
> v0
; i
-- )
702 X
->p
[i
- 1] = X
->p
[i
- v0
- 1];
709 * shift by count % limb_size
713 for( i
= v0
; i
< X
->n
; i
++ )
715 r1
= X
->p
[i
] >> (biL
- t1
);
728 * Right-shift: X >>= count
730 int mpi_shift_r( mpi
*X
, size_t count
)
736 v1
= count
& (biL
- 1);
738 if( v0
> X
->n
|| ( v0
== X
->n
&& v1
> 0 ) )
739 return mpi_lset( X
, 0 );
742 * shift by count / limb_size
746 for( i
= 0; i
< X
->n
- v0
; i
++ )
747 X
->p
[i
] = X
->p
[i
+ v0
];
749 for( ; i
< X
->n
; i
++ )
754 * shift by count % limb_size
758 for( i
= X
->n
; i
> 0; i
-- )
760 r1
= X
->p
[i
- 1] << (biL
- v1
);
771 * Compare unsigned values
773 int mpi_cmp_abs( const mpi
*X
, const mpi
*Y
)
777 for( i
= X
->n
; i
> 0; i
-- )
778 if( X
->p
[i
- 1] != 0 )
781 for( j
= Y
->n
; j
> 0; j
-- )
782 if( Y
->p
[j
- 1] != 0 )
785 if( i
== 0 && j
== 0 )
788 if( i
> j
) return( 1 );
789 if( j
> i
) return( -1 );
793 if( X
->p
[i
- 1] > Y
->p
[i
- 1] ) return( 1 );
794 if( X
->p
[i
- 1] < Y
->p
[i
- 1] ) return( -1 );
801 * Compare signed values
803 int mpi_cmp_mpi( const mpi
*X
, const mpi
*Y
)
807 for( i
= X
->n
; i
> 0; i
-- )
808 if( X
->p
[i
- 1] != 0 )
811 for( j
= Y
->n
; j
> 0; j
-- )
812 if( Y
->p
[j
- 1] != 0 )
815 if( i
== 0 && j
== 0 )
818 if( i
> j
) return( X
->s
);
819 if( j
> i
) return( -Y
->s
);
821 if( X
->s
> 0 && Y
->s
< 0 ) return( 1 );
822 if( Y
->s
> 0 && X
->s
< 0 ) return( -1 );
826 if( X
->p
[i
- 1] > Y
->p
[i
- 1] ) return( X
->s
);
827 if( X
->p
[i
- 1] < Y
->p
[i
- 1] ) return( -X
->s
);
834 * Compare signed values
836 int mpi_cmp_int( const mpi
*X
, t_sint z
)
841 *p
= ( z
< 0 ) ? -z
: z
;
842 Y
.s
= ( z
< 0 ) ? -1 : 1;
846 return( mpi_cmp_mpi( X
, &Y
) );
850 * Unsigned addition: X = |A| + |B| (HAC 14.7)
852 int mpi_add_abs( mpi
*X
, const mpi
*A
, const mpi
*B
)
860 const mpi
*T
= A
; A
= X
; B
= T
;
864 MPI_CHK( mpi_copy( X
, A
) );
867 * X should always be positive as a result of unsigned additions.
871 for( j
= B
->n
; j
> 0; j
-- )
872 if( B
->p
[j
- 1] != 0 )
875 MPI_CHK( mpi_grow( X
, j
) );
877 o
= B
->p
; p
= X
->p
; c
= 0;
879 for( i
= 0; i
< j
; i
++, o
++, p
++ )
881 *p
+= c
; c
= ( *p
< c
);
882 *p
+= *o
; c
+= ( *p
< *o
);
889 MPI_CHK( mpi_grow( X
, i
+ 1 ) );
893 *p
+= c
; c
= ( *p
< c
); i
++; p
++;
902 * Helper for mpi subtraction
904 static void mpi_sub_hlp( size_t n
, t_uint
*s
, t_uint
*d
)
909 for( i
= c
= 0; i
< n
; i
++, s
++, d
++ )
911 z
= ( *d
< c
); *d
-= c
;
912 c
= ( *d
< *s
) + z
; *d
-= *s
;
917 z
= ( *d
< c
); *d
-= c
;
923 * Unsigned subtraction: X = |A| - |B| (HAC 14.9)
925 int mpi_sub_abs( mpi
*X
, const mpi
*A
, const mpi
*B
)
931 if( mpi_cmp_abs( A
, B
) < 0 )
932 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE
);
938 MPI_CHK( mpi_copy( &TB
, B
) );
943 MPI_CHK( mpi_copy( X
, A
) );
946 * X should always be positive as a result of unsigned subtractions.
952 for( n
= B
->n
; n
> 0; n
-- )
953 if( B
->p
[n
- 1] != 0 )
956 mpi_sub_hlp( n
, B
->p
, X
->p
);
966 * Signed addition: X = A + B
968 int mpi_add_mpi( mpi
*X
, const mpi
*A
, const mpi
*B
)
972 if( A
->s
* B
->s
< 0 )
974 if( mpi_cmp_abs( A
, B
) >= 0 )
976 MPI_CHK( mpi_sub_abs( X
, A
, B
) );
981 MPI_CHK( mpi_sub_abs( X
, B
, A
) );
987 MPI_CHK( mpi_add_abs( X
, A
, B
) );
997 * Signed subtraction: X = A - B
999 int mpi_sub_mpi( mpi
*X
, const mpi
*A
, const mpi
*B
)
1003 if( A
->s
* B
->s
> 0 )
1005 if( mpi_cmp_abs( A
, B
) >= 0 )
1007 MPI_CHK( mpi_sub_abs( X
, A
, B
) );
1012 MPI_CHK( mpi_sub_abs( X
, B
, A
) );
1018 MPI_CHK( mpi_add_abs( X
, A
, B
) );
1028 * Signed addition: X = A + b
1030 int mpi_add_int( mpi
*X
, const mpi
*A
, t_sint b
)
1035 p
[0] = ( b
< 0 ) ? -b
: b
;
1036 _B
.s
= ( b
< 0 ) ? -1 : 1;
1040 return( mpi_add_mpi( X
, A
, &_B
) );
1044 * Signed subtraction: X = A - b
1046 int mpi_sub_int( mpi
*X
, const mpi
*A
, t_sint b
)
1051 p
[0] = ( b
< 0 ) ? -b
: b
;
1052 _B
.s
= ( b
< 0 ) ? -1 : 1;
1056 return( mpi_sub_mpi( X
, A
, &_B
) );
1060 * Helper for mpi multiplication
1063 #if defined(__APPLE__) && defined(__arm__)
1065 * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
1066 * appears to need this to prevent bad ARM code generation at -O3.
1068 __attribute__ ((noinline
))
1070 void mpi_mul_hlp( size_t i
, t_uint
*s
, t_uint
*d
, t_uint b
)
1072 t_uint c
= 0, t
= 0;
1074 #if defined(MULADDC_HUIT)
1075 for( ; i
>= 8; i
-= 8 )
1088 #else /* MULADDC_HUIT */
1089 for( ; i
>= 16; i
-= 16 )
1092 MULADDC_CORE MULADDC_CORE
1093 MULADDC_CORE MULADDC_CORE
1094 MULADDC_CORE MULADDC_CORE
1095 MULADDC_CORE MULADDC_CORE
1097 MULADDC_CORE MULADDC_CORE
1098 MULADDC_CORE MULADDC_CORE
1099 MULADDC_CORE MULADDC_CORE
1100 MULADDC_CORE MULADDC_CORE
1104 for( ; i
>= 8; i
-= 8 )
1107 MULADDC_CORE MULADDC_CORE
1108 MULADDC_CORE MULADDC_CORE
1110 MULADDC_CORE MULADDC_CORE
1111 MULADDC_CORE MULADDC_CORE
1121 #endif /* MULADDC_HUIT */
1126 *d
+= c
; c
= ( *d
< c
); d
++;
1132 * Baseline multiplication: X = A * B (HAC 14.12)
1134 int mpi_mul_mpi( mpi
*X
, const mpi
*A
, const mpi
*B
)
1140 mpi_init( &TA
); mpi_init( &TB
);
1142 if( X
== A
) { MPI_CHK( mpi_copy( &TA
, A
) ); A
= &TA
; }
1143 if( X
== B
) { MPI_CHK( mpi_copy( &TB
, B
) ); B
= &TB
; }
1145 for( i
= A
->n
; i
> 0; i
-- )
1146 if( A
->p
[i
- 1] != 0 )
1149 for( j
= B
->n
; j
> 0; j
-- )
1150 if( B
->p
[j
- 1] != 0 )
1153 MPI_CHK( mpi_grow( X
, i
+ j
) );
1154 MPI_CHK( mpi_lset( X
, 0 ) );
1156 for( i
++; j
> 0; j
-- )
1157 mpi_mul_hlp( i
- 1, A
->p
, X
->p
+ j
- 1, B
->p
[j
- 1] );
1163 mpi_free( &TB
); mpi_free( &TA
);
1169 * Baseline multiplication: X = A * b
1171 int mpi_mul_int( mpi
*X
, const mpi
*A
, t_sint b
)
1181 return( mpi_mul_mpi( X
, A
, &_B
) );
1185 * Division by mpi: A = Q * B + R (HAC 14.20)
1187 int mpi_div_mpi( mpi
*Q
, mpi
*R
, const mpi
*A
, const mpi
*B
)
1191 mpi X
, Y
, Z
, T1
, T2
;
1193 if( mpi_cmp_int( B
, 0 ) == 0 )
1194 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO
);
1196 mpi_init( &X
); mpi_init( &Y
); mpi_init( &Z
);
1197 mpi_init( &T1
); mpi_init( &T2
);
1199 if( mpi_cmp_abs( A
, B
) < 0 )
1201 if( Q
!= NULL
) MPI_CHK( mpi_lset( Q
, 0 ) );
1202 if( R
!= NULL
) MPI_CHK( mpi_copy( R
, A
) );
1206 MPI_CHK( mpi_copy( &X
, A
) );
1207 MPI_CHK( mpi_copy( &Y
, B
) );
1210 MPI_CHK( mpi_grow( &Z
, A
->n
+ 2 ) );
1211 MPI_CHK( mpi_lset( &Z
, 0 ) );
1212 MPI_CHK( mpi_grow( &T1
, 2 ) );
1213 MPI_CHK( mpi_grow( &T2
, 3 ) );
1215 k
= mpi_msb( &Y
) % biL
;
1219 MPI_CHK( mpi_shift_l( &X
, k
) );
1220 MPI_CHK( mpi_shift_l( &Y
, k
) );
1226 MPI_CHK( mpi_shift_l( &Y
, biL
* ( n
- t
) ) );
1228 while( mpi_cmp_mpi( &X
, &Y
) >= 0 )
1231 MPI_CHK( mpi_sub_mpi( &X
, &X
, &Y
) );
1233 MPI_CHK( mpi_shift_r( &Y
, biL
* ( n
- t
) ) );
1235 for( i
= n
; i
> t
; i
-- )
1237 if( X
.p
[i
] >= Y
.p
[t
] )
1238 Z
.p
[i
- t
- 1] = ~0;
1242 * The version of Clang shipped by Apple with Mavericks around
1243 * 2014-03 can't handle 128-bit division properly. Disable
1244 * 128-bits division for this version. Let's be optimistic and
1245 * assume it'll be fixed in the next minor version (next
1246 * patchlevel is probably a bit too optimistic).
1248 #if defined(POLARSSL_HAVE_UDBL) && \
1249 ! ( defined(__x86_64__) && defined(__APPLE__) && \
1250 defined(__clang_major__) && __clang_major__ == 5 && \
1251 defined(__clang_minor__) && __clang_minor__ == 0 )
1254 r
= (t_udbl
) X
.p
[i
] << biL
;
1255 r
|= (t_udbl
) X
.p
[i
- 1];
1257 if( r
> ( (t_udbl
) 1 << biL
) - 1 )
1258 r
= ( (t_udbl
) 1 << biL
) - 1;
1260 Z
.p
[i
- t
- 1] = (t_uint
) r
;
1263 * __udiv_qrnnd_c, from gmp/longlong.h
1265 t_uint q0
, q1
, r0
, r1
;
1266 t_uint d0
, d1
, d
, m
;
1269 d0
= ( d
<< biH
) >> biH
;
1273 r1
= X
.p
[i
] - d1
* q1
;
1275 r1
|= ( X
.p
[i
- 1] >> biH
);
1281 while( r1
>= d
&& r1
< m
)
1289 r0
|= ( X
.p
[i
- 1] << biH
) >> biH
;
1295 while( r0
>= d
&& r0
< m
)
1300 Z
.p
[i
- t
- 1] = ( q1
<< biH
) | q0
;
1301 #endif /* POLARSSL_HAVE_UDBL && !64-bit Apple with Clang 5.0 */
1309 MPI_CHK( mpi_lset( &T1
, 0 ) );
1310 T1
.p
[0] = ( t
< 1 ) ? 0 : Y
.p
[t
- 1];
1312 MPI_CHK( mpi_mul_int( &T1
, &T1
, Z
.p
[i
- t
- 1] ) );
1314 MPI_CHK( mpi_lset( &T2
, 0 ) );
1315 T2
.p
[0] = ( i
< 2 ) ? 0 : X
.p
[i
- 2];
1316 T2
.p
[1] = ( i
< 1 ) ? 0 : X
.p
[i
- 1];
1319 while( mpi_cmp_mpi( &T1
, &T2
) > 0 );
1321 MPI_CHK( mpi_mul_int( &T1
, &Y
, Z
.p
[i
- t
- 1] ) );
1322 MPI_CHK( mpi_shift_l( &T1
, biL
* ( i
- t
- 1 ) ) );
1323 MPI_CHK( mpi_sub_mpi( &X
, &X
, &T1
) );
1325 if( mpi_cmp_int( &X
, 0 ) < 0 )
1327 MPI_CHK( mpi_copy( &T1
, &Y
) );
1328 MPI_CHK( mpi_shift_l( &T1
, biL
* ( i
- t
- 1 ) ) );
1329 MPI_CHK( mpi_add_mpi( &X
, &X
, &T1
) );
1336 MPI_CHK( mpi_copy( Q
, &Z
) );
1342 MPI_CHK( mpi_shift_r( &X
, k
) );
1344 MPI_CHK( mpi_copy( R
, &X
) );
1346 if( mpi_cmp_int( R
, 0 ) == 0 )
1352 mpi_free( &X
); mpi_free( &Y
); mpi_free( &Z
);
1353 mpi_free( &T1
); mpi_free( &T2
);
1359 * Division by int: A = Q * b + R
1361 int mpi_div_int( mpi
*Q
, mpi
*R
, const mpi
*A
, t_sint b
)
1366 p
[0] = ( b
< 0 ) ? -b
: b
;
1367 _B
.s
= ( b
< 0 ) ? -1 : 1;
1371 return( mpi_div_mpi( Q
, R
, A
, &_B
) );
1375 * Modulo: R = A mod B
1377 int mpi_mod_mpi( mpi
*R
, const mpi
*A
, const mpi
*B
)
1381 if( mpi_cmp_int( B
, 0 ) < 0 )
1382 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE
);
1384 MPI_CHK( mpi_div_mpi( NULL
, R
, A
, B
) );
1386 while( mpi_cmp_int( R
, 0 ) < 0 )
1387 MPI_CHK( mpi_add_mpi( R
, R
, B
) );
1389 while( mpi_cmp_mpi( R
, B
) >= 0 )
1390 MPI_CHK( mpi_sub_mpi( R
, R
, B
) );
1398 * Modulo: r = A mod b
1400 int mpi_mod_int( t_uint
*r
, const mpi
*A
, t_sint b
)
1406 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO
);
1409 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE
);
1412 * handle trivial cases
1429 for( i
= A
->n
, y
= 0; i
> 0; i
-- )
1432 y
= ( y
<< biH
) | ( x
>> biH
);
1437 y
= ( y
<< biH
) | ( x
>> biH
);
1443 * If A is negative, then the current y represents a negative value.
1444 * Flipping it to the positive side.
1446 if( A
->s
< 0 && y
!= 0 )
1455 * Fast Montgomery initialization (thanks to Tom St Denis)
1457 static void mpi_montg_init( t_uint
*mm
, const mpi
*N
)
1459 t_uint x
, m0
= N
->p
[0];
1463 x
+= ( ( m0
+ 2 ) & 4 ) << 1;
1465 for( i
= biL
; i
>= 8; i
/= 2 )
1466 x
*= ( 2 - ( m0
* x
) );
1472 * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1474 static void mpi_montmul( mpi
*A
, const mpi
*B
, const mpi
*N
, t_uint mm
,
1480 memset( T
->p
, 0, T
->n
* ciL
);
1484 m
= ( B
->n
< n
) ? B
->n
: n
;
1486 for( i
= 0; i
< n
; i
++ )
1489 * T = (T + u0*B + u1*N) / 2^biL
1492 u1
= ( d
[0] + u0
* B
->p
[0] ) * mm
;
1494 mpi_mul_hlp( m
, B
->p
, d
, u0
);
1495 mpi_mul_hlp( n
, N
->p
, d
, u1
);
1497 *d
++ = u0
; d
[n
+ 1] = 0;
1500 memcpy( A
->p
, d
, ( n
+ 1 ) * ciL
);
1502 if( mpi_cmp_abs( A
, N
) >= 0 )
1503 mpi_sub_hlp( n
, N
->p
, A
->p
);
1505 /* prevent timing attacks */
1506 mpi_sub_hlp( n
, A
->p
, T
->p
);
1510 * Montgomery reduction: A = A * R^-1 mod N
1512 static void mpi_montred( mpi
*A
, const mpi
*N
, t_uint mm
, const mpi
*T
)
1517 U
.n
= U
.s
= (int) z
;
1520 mpi_montmul( A
, &U
, N
, mm
, T
);
1524 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1526 int mpi_exp_mod( mpi
*X
, const mpi
*A
, const mpi
*E
, const mpi
*N
, mpi
*_RR
)
1529 size_t wbits
, wsize
, one
= 1;
1530 size_t i
, j
, nblimbs
;
1531 size_t bufsize
, nbits
;
1532 t_uint ei
, mm
, state
;
1533 mpi RR
, T
, W
[ 2 << POLARSSL_MPI_WINDOW_SIZE
], Apos
;
1536 if( mpi_cmp_int( N
, 0 ) < 0 || ( N
->p
[0] & 1 ) == 0 )
1537 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA
);
1539 if( mpi_cmp_int( E
, 0 ) < 0 )
1540 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA
);
1543 * Init temps and window size
1545 mpi_montg_init( &mm
, N
);
1546 mpi_init( &RR
); mpi_init( &T
);
1548 memset( W
, 0, sizeof( W
) );
1552 wsize
= ( i
> 671 ) ? 6 : ( i
> 239 ) ? 5 :
1553 ( i
> 79 ) ? 4 : ( i
> 23 ) ? 3 : 1;
1555 if( wsize
> POLARSSL_MPI_WINDOW_SIZE
)
1556 wsize
= POLARSSL_MPI_WINDOW_SIZE
;
1559 MPI_CHK( mpi_grow( X
, j
) );
1560 MPI_CHK( mpi_grow( &W
[1], j
) );
1561 MPI_CHK( mpi_grow( &T
, j
* 2 ) );
1564 * Compensate for negative A (and correct at the end)
1566 neg
= ( A
->s
== -1 );
1569 MPI_CHK( mpi_copy( &Apos
, A
) );
1575 * If 1st call, pre-compute R^2 mod N
1577 if( _RR
== NULL
|| _RR
->p
== NULL
)
1579 MPI_CHK( mpi_lset( &RR
, 1 ) );
1580 MPI_CHK( mpi_shift_l( &RR
, N
->n
* 2 * biL
) );
1581 MPI_CHK( mpi_mod_mpi( &RR
, &RR
, N
) );
1584 memcpy( _RR
, &RR
, sizeof( mpi
) );
1587 memcpy( &RR
, _RR
, sizeof( mpi
) );
1590 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1592 if( mpi_cmp_mpi( A
, N
) >= 0 )
1593 MPI_CHK( mpi_mod_mpi( &W
[1], A
, N
) );
1595 MPI_CHK( mpi_copy( &W
[1], A
) );
1597 mpi_montmul( &W
[1], &RR
, N
, mm
, &T
);
1600 * X = R^2 * R^-1 mod N = R mod N
1602 MPI_CHK( mpi_copy( X
, &RR
) );
1603 mpi_montred( X
, N
, mm
, &T
);
1608 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
1610 j
= one
<< ( wsize
- 1 );
1612 MPI_CHK( mpi_grow( &W
[j
], N
->n
+ 1 ) );
1613 MPI_CHK( mpi_copy( &W
[j
], &W
[1] ) );
1615 for( i
= 0; i
< wsize
- 1; i
++ )
1616 mpi_montmul( &W
[j
], &W
[j
], N
, mm
, &T
);
1619 * W[i] = W[i - 1] * W[1]
1621 for( i
= j
+ 1; i
< ( one
<< wsize
); i
++ )
1623 MPI_CHK( mpi_grow( &W
[i
], N
->n
+ 1 ) );
1624 MPI_CHK( mpi_copy( &W
[i
], &W
[i
- 1] ) );
1626 mpi_montmul( &W
[i
], &W
[1], N
, mm
, &T
);
1645 bufsize
= sizeof( t_uint
) << 3;
1650 ei
= (E
->p
[nblimbs
] >> bufsize
) & 1;
1655 if( ei
== 0 && state
== 0 )
1658 if( ei
== 0 && state
== 1 )
1661 * out of window, square X
1663 mpi_montmul( X
, X
, N
, mm
, &T
);
1668 * add ei to current window
1673 wbits
|= ( ei
<< ( wsize
- nbits
) );
1675 if( nbits
== wsize
)
1678 * X = X^wsize R^-1 mod N
1680 for( i
= 0; i
< wsize
; i
++ )
1681 mpi_montmul( X
, X
, N
, mm
, &T
);
1684 * X = X * W[wbits] R^-1 mod N
1686 mpi_montmul( X
, &W
[wbits
], N
, mm
, &T
);
1695 * process the remaining bits
1697 for( i
= 0; i
< nbits
; i
++ )
1699 mpi_montmul( X
, X
, N
, mm
, &T
);
1703 if( ( wbits
& ( one
<< wsize
) ) != 0 )
1704 mpi_montmul( X
, &W
[1], N
, mm
, &T
);
1708 * X = A^E * R * R^-1 mod N = A^E mod N
1710 mpi_montred( X
, N
, mm
, &T
);
1715 MPI_CHK( mpi_add_mpi( X
, N
, X
) );
1720 for( i
= ( one
<< ( wsize
- 1 ) ); i
< ( one
<< wsize
); i
++ )
1723 mpi_free( &W
[1] ); mpi_free( &T
); mpi_free( &Apos
);
1725 if( _RR
== NULL
|| _RR
->p
== NULL
)
1732 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
1734 int mpi_gcd( mpi
*G
, const mpi
*A
, const mpi
*B
)
1740 mpi_init( &TG
); mpi_init( &TA
); mpi_init( &TB
);
1742 MPI_CHK( mpi_copy( &TA
, A
) );
1743 MPI_CHK( mpi_copy( &TB
, B
) );
1745 lz
= mpi_lsb( &TA
);
1746 lzt
= mpi_lsb( &TB
);
1751 MPI_CHK( mpi_shift_r( &TA
, lz
) );
1752 MPI_CHK( mpi_shift_r( &TB
, lz
) );
1756 while( mpi_cmp_int( &TA
, 0 ) != 0 )
1758 MPI_CHK( mpi_shift_r( &TA
, mpi_lsb( &TA
) ) );
1759 MPI_CHK( mpi_shift_r( &TB
, mpi_lsb( &TB
) ) );
1761 if( mpi_cmp_mpi( &TA
, &TB
) >= 0 )
1763 MPI_CHK( mpi_sub_abs( &TA
, &TA
, &TB
) );
1764 MPI_CHK( mpi_shift_r( &TA
, 1 ) );
1768 MPI_CHK( mpi_sub_abs( &TB
, &TB
, &TA
) );
1769 MPI_CHK( mpi_shift_r( &TB
, 1 ) );
1773 MPI_CHK( mpi_shift_l( &TB
, lz
) );
1774 MPI_CHK( mpi_copy( G
, &TB
) );
1778 mpi_free( &TG
); mpi_free( &TA
); mpi_free( &TB
);
1784 * Fill X with size bytes of random.
1786 * Use a temporary bytes representation to make sure the result is the same
1787 * regardless of the platform endianness (useful when f_rng is actually
1788 * deterministic, eg for tests).
1790 int mpi_fill_random( mpi
*X
, size_t size
,
1791 int (*f_rng
)(void *, unsigned char *, size_t),
1795 unsigned char buf
[POLARSSL_MPI_MAX_SIZE
];
1797 if( size
> POLARSSL_MPI_MAX_SIZE
)
1798 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA
);
1800 MPI_CHK( f_rng( p_rng
, buf
, size
) );
1801 MPI_CHK( mpi_read_binary( X
, buf
, size
) );
1808 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
1810 int mpi_inv_mod( mpi
*X
, const mpi
*A
, const mpi
*N
)
1813 mpi G
, TA
, TU
, U1
, U2
, TB
, TV
, V1
, V2
;
1815 if( mpi_cmp_int( N
, 0 ) <= 0 )
1816 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA
);
1818 mpi_init( &TA
); mpi_init( &TU
); mpi_init( &U1
); mpi_init( &U2
);
1819 mpi_init( &G
); mpi_init( &TB
); mpi_init( &TV
);
1820 mpi_init( &V1
); mpi_init( &V2
);
1822 MPI_CHK( mpi_gcd( &G
, A
, N
) );
1824 if( mpi_cmp_int( &G
, 1 ) != 0 )
1826 ret
= POLARSSL_ERR_MPI_NOT_ACCEPTABLE
;
1830 MPI_CHK( mpi_mod_mpi( &TA
, A
, N
) );
1831 MPI_CHK( mpi_copy( &TU
, &TA
) );
1832 MPI_CHK( mpi_copy( &TB
, N
) );
1833 MPI_CHK( mpi_copy( &TV
, N
) );
1835 MPI_CHK( mpi_lset( &U1
, 1 ) );
1836 MPI_CHK( mpi_lset( &U2
, 0 ) );
1837 MPI_CHK( mpi_lset( &V1
, 0 ) );
1838 MPI_CHK( mpi_lset( &V2
, 1 ) );
1842 while( ( TU
.p
[0] & 1 ) == 0 )
1844 MPI_CHK( mpi_shift_r( &TU
, 1 ) );
1846 if( ( U1
.p
[0] & 1 ) != 0 || ( U2
.p
[0] & 1 ) != 0 )
1848 MPI_CHK( mpi_add_mpi( &U1
, &U1
, &TB
) );
1849 MPI_CHK( mpi_sub_mpi( &U2
, &U2
, &TA
) );
1852 MPI_CHK( mpi_shift_r( &U1
, 1 ) );
1853 MPI_CHK( mpi_shift_r( &U2
, 1 ) );
1856 while( ( TV
.p
[0] & 1 ) == 0 )
1858 MPI_CHK( mpi_shift_r( &TV
, 1 ) );
1860 if( ( V1
.p
[0] & 1 ) != 0 || ( V2
.p
[0] & 1 ) != 0 )
1862 MPI_CHK( mpi_add_mpi( &V1
, &V1
, &TB
) );
1863 MPI_CHK( mpi_sub_mpi( &V2
, &V2
, &TA
) );
1866 MPI_CHK( mpi_shift_r( &V1
, 1 ) );
1867 MPI_CHK( mpi_shift_r( &V2
, 1 ) );
1870 if( mpi_cmp_mpi( &TU
, &TV
) >= 0 )
1872 MPI_CHK( mpi_sub_mpi( &TU
, &TU
, &TV
) );
1873 MPI_CHK( mpi_sub_mpi( &U1
, &U1
, &V1
) );
1874 MPI_CHK( mpi_sub_mpi( &U2
, &U2
, &V2
) );
1878 MPI_CHK( mpi_sub_mpi( &TV
, &TV
, &TU
) );
1879 MPI_CHK( mpi_sub_mpi( &V1
, &V1
, &U1
) );
1880 MPI_CHK( mpi_sub_mpi( &V2
, &V2
, &U2
) );
1883 while( mpi_cmp_int( &TU
, 0 ) != 0 );
1885 while( mpi_cmp_int( &V1
, 0 ) < 0 )
1886 MPI_CHK( mpi_add_mpi( &V1
, &V1
, N
) );
1888 while( mpi_cmp_mpi( &V1
, N
) >= 0 )
1889 MPI_CHK( mpi_sub_mpi( &V1
, &V1
, N
) );
1891 MPI_CHK( mpi_copy( X
, &V1
) );
1895 mpi_free( &TA
); mpi_free( &TU
); mpi_free( &U1
); mpi_free( &U2
);
1896 mpi_free( &G
); mpi_free( &TB
); mpi_free( &TV
);
1897 mpi_free( &V1
); mpi_free( &V2
);
1902 #if defined(POLARSSL_GENPRIME)
1904 static const int small_prime
[] =
1906 3, 5, 7, 11, 13, 17, 19, 23,
1907 29, 31, 37, 41, 43, 47, 53, 59,
1908 61, 67, 71, 73, 79, 83, 89, 97,
1909 101, 103, 107, 109, 113, 127, 131, 137,
1910 139, 149, 151, 157, 163, 167, 173, 179,
1911 181, 191, 193, 197, 199, 211, 223, 227,
1912 229, 233, 239, 241, 251, 257, 263, 269,
1913 271, 277, 281, 283, 293, 307, 311, 313,
1914 317, 331, 337, 347, 349, 353, 359, 367,
1915 373, 379, 383, 389, 397, 401, 409, 419,
1916 421, 431, 433, 439, 443, 449, 457, 461,
1917 463, 467, 479, 487, 491, 499, 503, 509,
1918 521, 523, 541, 547, 557, 563, 569, 571,
1919 577, 587, 593, 599, 601, 607, 613, 617,
1920 619, 631, 641, 643, 647, 653, 659, 661,
1921 673, 677, 683, 691, 701, 709, 719, 727,
1922 733, 739, 743, 751, 757, 761, 769, 773,
1923 787, 797, 809, 811, 821, 823, 827, 829,
1924 839, 853, 857, 859, 863, 877, 881, 883,
1925 887, 907, 911, 919, 929, 937, 941, 947,
1926 953, 967, 971, 977, 983, 991, 997, -103
1930 * Small divisors test (X must be positive)
1933 * 0: no small factor (possible prime, more tests needed)
1935 * POLARSSL_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
1936 * other negative: error
1938 static int mpi_check_small_factors( const mpi
*X
)
1944 if( ( X
->p
[0] & 1 ) == 0 )
1945 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE
);
1947 for( i
= 0; small_prime
[i
] > 0; i
++ )
1949 if( mpi_cmp_int( X
, small_prime
[i
] ) <= 0 )
1952 MPI_CHK( mpi_mod_int( &r
, X
, small_prime
[i
] ) );
1955 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE
);
1963 * Miller-Rabin pseudo-primality test (HAC 4.24)
1965 static int mpi_miller_rabin( const mpi
*X
,
1966 int (*f_rng
)(void *, unsigned char *, size_t),
1973 mpi_init( &W
); mpi_init( &R
); mpi_init( &T
); mpi_init( &A
);
1980 MPI_CHK( mpi_sub_int( &W
, X
, 1 ) );
1982 MPI_CHK( mpi_copy( &R
, &W
) );
1983 MPI_CHK( mpi_shift_r( &R
, s
) );
1989 n
= ( ( i
>= 1300 ) ? 2 : ( i
>= 850 ) ? 3 :
1990 ( i
>= 650 ) ? 4 : ( i
>= 350 ) ? 8 :
1991 ( i
>= 250 ) ? 12 : ( i
>= 150 ) ? 18 : 27 );
1993 for( i
= 0; i
< n
; i
++ )
1996 * pick a random A, 1 < A < |X| - 1
1998 MPI_CHK( mpi_fill_random( &A
, X
->n
* ciL
, f_rng
, p_rng
) );
2000 if( mpi_cmp_mpi( &A
, &W
) >= 0 )
2002 j
= mpi_msb( &A
) - mpi_msb( &W
);
2003 MPI_CHK( mpi_shift_r( &A
, j
+ 1 ) );
2010 MPI_CHK( mpi_exp_mod( &A
, &A
, &R
, X
, &RR
) );
2012 if( mpi_cmp_mpi( &A
, &W
) == 0 ||
2013 mpi_cmp_int( &A
, 1 ) == 0 )
2017 while( j
< s
&& mpi_cmp_mpi( &A
, &W
) != 0 )
2022 MPI_CHK( mpi_mul_mpi( &T
, &A
, &A
) );
2023 MPI_CHK( mpi_mod_mpi( &A
, &T
, X
) );
2025 if( mpi_cmp_int( &A
, 1 ) == 0 )
2032 * not prime if A != |X| - 1 or A == 1
2034 if( mpi_cmp_mpi( &A
, &W
) != 0 ||
2035 mpi_cmp_int( &A
, 1 ) == 0 )
2037 ret
= POLARSSL_ERR_MPI_NOT_ACCEPTABLE
;
2043 mpi_free( &W
); mpi_free( &R
); mpi_free( &T
); mpi_free( &A
);
2050 * Pseudo-primality test: small factors, then Miller-Rabin
2052 int mpi_is_prime( mpi
*X
,
2053 int (*f_rng
)(void *, unsigned char *, size_t),
2063 if( mpi_cmp_int( &XX
, 0 ) == 0 ||
2064 mpi_cmp_int( &XX
, 1 ) == 0 )
2065 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE
);
2067 if( mpi_cmp_int( &XX
, 2 ) == 0 )
2070 if( ( ret
= mpi_check_small_factors( &XX
) ) != 0 )
2078 return( mpi_miller_rabin( &XX
, f_rng
, p_rng
) );
2082 * Prime number generation
2084 int mpi_gen_prime( mpi
*X
, size_t nbits
, int dh_flag
,
2085 int (*f_rng
)(void *, unsigned char *, size_t),
2093 if( nbits
< 3 || nbits
> POLARSSL_MPI_MAX_BITS
)
2094 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA
);
2098 n
= BITS_TO_LIMBS( nbits
);
2100 MPI_CHK( mpi_fill_random( X
, n
* ciL
, f_rng
, p_rng
) );
2103 if( k
< nbits
) MPI_CHK( mpi_shift_l( X
, nbits
- k
) );
2104 if( k
> nbits
) MPI_CHK( mpi_shift_r( X
, k
- nbits
) );
2110 while( ( ret
= mpi_is_prime( X
, f_rng
, p_rng
) ) != 0 )
2112 if( ret
!= POLARSSL_ERR_MPI_NOT_ACCEPTABLE
)
2115 MPI_CHK( mpi_add_int( X
, X
, 2 ) );
2121 * An necessary condition for Y and X = 2Y + 1 to be prime
2122 * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
2123 * Make sure it is satisfied, while keeping X = 3 mod 4
2125 MPI_CHK( mpi_mod_int( &r
, X
, 3 ) );
2127 MPI_CHK( mpi_add_int( X
, X
, 8 ) );
2129 MPI_CHK( mpi_add_int( X
, X
, 4 ) );
2131 /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
2132 MPI_CHK( mpi_copy( &Y
, X
) );
2133 MPI_CHK( mpi_shift_r( &Y
, 1 ) );
2138 * First, check small factors for X and Y
2139 * before doing Miller-Rabin on any of them
2141 if( ( ret
= mpi_check_small_factors( X
) ) == 0 &&
2142 ( ret
= mpi_check_small_factors( &Y
) ) == 0 &&
2143 ( ret
= mpi_miller_rabin( X
, f_rng
, p_rng
) ) == 0 &&
2144 ( ret
= mpi_miller_rabin( &Y
, f_rng
, p_rng
) ) == 0 )
2149 if( ret
!= POLARSSL_ERR_MPI_NOT_ACCEPTABLE
)
2153 * Next candidates. We want to preserve Y = (X-1) / 2 and
2154 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
2155 * so up Y by 6 and X by 12.
2157 MPI_CHK( mpi_add_int( X
, X
, 12 ) );
2158 MPI_CHK( mpi_add_int( &Y
, &Y
, 6 ) );
2169 #endif /* POLARSSL_GENPRIME */
2171 #if defined(POLARSSL_SELF_TEST)
2173 #define GCD_PAIR_COUNT 3
2175 static const int gcd_pairs
[GCD_PAIR_COUNT
][3] =
2179 { 768454923, 542167814, 1 }
2185 int mpi_self_test( int verbose
)
2188 mpi A
, E
, N
, X
, Y
, U
, V
;
2190 mpi_init( &A
); mpi_init( &E
); mpi_init( &N
); mpi_init( &X
);
2191 mpi_init( &Y
); mpi_init( &U
); mpi_init( &V
);
2193 MPI_CHK( mpi_read_string( &A
, 16,
2194 "EFE021C2645FD1DC586E69184AF4A31E" \
2195 "D5F53E93B5F123FA41680867BA110131" \
2196 "944FE7952E2517337780CB0DB80E61AA" \
2197 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
2199 MPI_CHK( mpi_read_string( &E
, 16,
2200 "B2E7EFD37075B9F03FF989C7C5051C20" \
2201 "34D2A323810251127E7BF8625A4F49A5" \
2202 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
2203 "5B5C25763222FEFCCFC38B832366C29E" ) );
2205 MPI_CHK( mpi_read_string( &N
, 16,
2206 "0066A198186C18C10B2F5ED9B522752A" \
2207 "9830B69916E535C8F047518A889A43A5" \
2208 "94B6BED27A168D31D4A52F88925AA8F5" ) );
2210 MPI_CHK( mpi_mul_mpi( &X
, &A
, &N
) );
2212 MPI_CHK( mpi_read_string( &U
, 16,
2213 "602AB7ECA597A3D6B56FF9829A5E8B85" \
2214 "9E857EA95A03512E2BAE7391688D264A" \
2215 "A5663B0341DB9CCFD2C4C5F421FEC814" \
2216 "8001B72E848A38CAE1C65F78E56ABDEF" \
2217 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
2218 "ECF677152EF804370C1A305CAF3B5BF1" \
2219 "30879B56C61DE584A0F53A2447A51E" ) );
2222 polarssl_printf( " MPI test #1 (mul_mpi): " );
2224 if( mpi_cmp_mpi( &X
, &U
) != 0 )
2227 polarssl_printf( "failed\n" );
2234 polarssl_printf( "passed\n" );
2236 MPI_CHK( mpi_div_mpi( &X
, &Y
, &A
, &N
) );
2238 MPI_CHK( mpi_read_string( &U
, 16,
2239 "256567336059E52CAE22925474705F39A94" ) );
2241 MPI_CHK( mpi_read_string( &V
, 16,
2242 "6613F26162223DF488E9CD48CC132C7A" \
2243 "0AC93C701B001B092E4E5B9F73BCD27B" \
2244 "9EE50D0657C77F374E903CDFA4C642" ) );
2247 polarssl_printf( " MPI test #2 (div_mpi): " );
2249 if( mpi_cmp_mpi( &X
, &U
) != 0 ||
2250 mpi_cmp_mpi( &Y
, &V
) != 0 )
2253 polarssl_printf( "failed\n" );
2260 polarssl_printf( "passed\n" );
2262 MPI_CHK( mpi_exp_mod( &X
, &A
, &E
, &N
, NULL
) );
2264 MPI_CHK( mpi_read_string( &U
, 16,
2265 "36E139AEA55215609D2816998ED020BB" \
2266 "BD96C37890F65171D948E9BC7CBAA4D9" \
2267 "325D24D6A3C12710F10A09FA08AB87" ) );
2270 polarssl_printf( " MPI test #3 (exp_mod): " );
2272 if( mpi_cmp_mpi( &X
, &U
) != 0 )
2275 polarssl_printf( "failed\n" );
2282 polarssl_printf( "passed\n" );
2284 MPI_CHK( mpi_inv_mod( &X
, &A
, &N
) );
2286 MPI_CHK( mpi_read_string( &U
, 16,
2287 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
2288 "C3DBA76456363A10869622EAC2DD84EC" \
2289 "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
2292 polarssl_printf( " MPI test #4 (inv_mod): " );
2294 if( mpi_cmp_mpi( &X
, &U
) != 0 )
2297 polarssl_printf( "failed\n" );
2304 polarssl_printf( "passed\n" );
2307 polarssl_printf( " MPI test #5 (simple gcd): " );
2309 for( i
= 0; i
< GCD_PAIR_COUNT
; i
++ )
2311 MPI_CHK( mpi_lset( &X
, gcd_pairs
[i
][0] ) );
2312 MPI_CHK( mpi_lset( &Y
, gcd_pairs
[i
][1] ) );
2314 MPI_CHK( mpi_gcd( &A
, &X
, &Y
) );
2316 if( mpi_cmp_int( &A
, gcd_pairs
[i
][2] ) != 0 )
2319 polarssl_printf( "failed at %d\n", i
);
2327 polarssl_printf( "passed\n" );
2331 if( ret
!= 0 && verbose
!= 0 )
2332 polarssl_printf( "Unexpected error, return code = %08X\n", ret
);
2334 mpi_free( &A
); mpi_free( &E
); mpi_free( &N
); mpi_free( &X
);
2335 mpi_free( &Y
); mpi_free( &U
); mpi_free( &V
);
2338 polarssl_printf( "\n" );
2343 #endif /* POLARSSL_SELF_TEST */
2345 #endif /* POLARSSL_BIGNUM_C */