2
* Minimal code for RSA support from LibTomMath 0.3.9
3
* http://math.libtomcrypt.com/
4
* http://math.libtomcrypt.com/files/ltm-0.39.tar.bz2
5
* This library was released in public domain by Tom St Denis.
7
* The combination in this file is not using many of the optimized algorithms
8
* (e.g., Montgomery reduction) and is considerable slower than the LibTomMath
9
* with its default of SC_RSA_1 settins. The main purpose of having this
10
* version here is to make it easier to build bignum.c wrapper without having
11
* to install and build an external library. However, it is likely worth the
12
* effort to use the full library with SC_RSA_1 instead of this minimized copy.
13
* Including the optimized algorithms may increase the size requirements by
14
* 15 kB or so (measured with x86 build).
16
* If CONFIG_INTERNAL_LIBTOMMATH is defined, bignum.c includes this
17
* libtommath.c file instead of using the external LibTomMath library.
24
#define BN_MP_INVMOD_C
25
#define BN_S_MP_EXPTMOD_C /* Note: #undef in tommath_superclass.h; this would
26
* require BN_MP_EXPTMOD_FAST_C instead */
27
#define BN_S_MP_MUL_DIGS_C
28
#define BN_MP_INVMOD_SLOW_C
30
#define BN_S_MP_MUL_HIGH_DIGS_C /* Note: #undef in tommath_superclass.h; this
31
* would require other than mp_reduce */
37
#define MIN(x,y) ((x)<(y)?(x):(y))
41
#define MAX(x,y) ((x)>(y)?(x):(y))
46
typedef unsigned long mp_digit;
53
#define XMALLOC os_malloc
55
#define XREALLOC os_realloc
58
#define MP_MASK ((((mp_digit)1)<<((mp_digit)DIGIT_BIT))-((mp_digit)1))
60
#define MP_LT -1 /* less than */
61
#define MP_EQ 0 /* equal to */
62
#define MP_GT 1 /* greater than */
64
#define MP_ZPOS 0 /* positive integer */
65
#define MP_NEG 1 /* negative */
67
#define MP_OKAY 0 /* ok result */
68
#define MP_MEM -2 /* out of mem */
69
#define MP_VAL -3 /* invalid input */
71
#define MP_YES 1 /* yes response */
72
#define MP_NO 0 /* no response */
76
/* define this to use lower memory usage routines (exptmods mostly) */
79
/* default precision */
82
#define MP_PREC 32 /* default digits of precision */
84
#define MP_PREC 8 /* default digits of precision */
88
/* size of comba arrays, should be at least 2 * 2**(BITS_PER_WORD - BITS_PER_DIGIT*2) */
89
#define MP_WARRAY (1 << (sizeof(mp_word) * CHAR_BIT - 2 * DIGIT_BIT + 1))
91
/* the infamous mp_int structure */
93
int used, alloc, sign;
98
/* ---> Basic Manipulations <--- */
99
#define mp_iszero(a) (((a)->used == 0) ? MP_YES : MP_NO)
100
#define mp_iseven(a) (((a)->used > 0 && (((a)->dp[0] & 1) == 0)) ? MP_YES : MP_NO)
101
#define mp_isodd(a) (((a)->used > 0 && (((a)->dp[0] & 1) == 1)) ? MP_YES : MP_NO)
104
/* prototypes for copied functions */
105
#define s_mp_mul(a, b, c) s_mp_mul_digs(a, b, c, (a)->used + (b)->used + 1)
106
static int s_mp_exptmod(mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode);
107
static int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs);
108
static int s_mp_sqr(mp_int * a, mp_int * b);
109
static int s_mp_mul_high_digs(mp_int * a, mp_int * b, mp_int * c, int digs);
111
static int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs);
113
static int mp_init_multi(mp_int *mp, ...);
114
static void mp_clear_multi(mp_int *mp, ...);
115
static int mp_lshd(mp_int * a, int b);
116
static void mp_set(mp_int * a, mp_digit b);
117
static void mp_clamp(mp_int * a);
118
static void mp_exch(mp_int * a, mp_int * b);
119
static void mp_rshd(mp_int * a, int b);
120
static void mp_zero(mp_int * a);
121
static int mp_mod_2d(mp_int * a, int b, mp_int * c);
122
static int mp_div_2d(mp_int * a, int b, mp_int * c, mp_int * d);
123
static int mp_init_copy(mp_int * a, mp_int * b);
124
static int mp_mul_2d(mp_int * a, int b, mp_int * c);
125
static int mp_div_2(mp_int * a, mp_int * b);
126
static int mp_copy(mp_int * a, mp_int * b);
127
static int mp_count_bits(mp_int * a);
128
static int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d);
129
static int mp_mod(mp_int * a, mp_int * b, mp_int * c);
130
static int mp_grow(mp_int * a, int size);
131
static int mp_cmp_mag(mp_int * a, mp_int * b);
132
static int mp_invmod(mp_int * a, mp_int * b, mp_int * c);
133
static int mp_abs(mp_int * a, mp_int * b);
134
static int mp_invmod_slow(mp_int * a, mp_int * b, mp_int * c);
135
static int mp_sqr(mp_int * a, mp_int * b);
136
static int mp_reduce_2k_l(mp_int *a, mp_int *n, mp_int *d);
137
static int mp_reduce_2k_setup_l(mp_int *a, mp_int *d);
138
static int mp_2expt(mp_int * a, int b);
139
static int mp_reduce_setup(mp_int * a, mp_int * b);
140
static int mp_reduce(mp_int * x, mp_int * m, mp_int * mu);
141
static int mp_init_size(mp_int * a, int size);
145
/* functions from bn_<func name>.c */
148
/* reverse an array, used for radix code */
149
static void bn_reverse (unsigned char *s, int len)
166
/* low level addition, based on HAC pp.594, Algorithm 14.7 */
167
static int s_mp_add (mp_int * a, mp_int * b, mp_int * c)
170
int olduse, res, min, max;
172
/* find sizes, we let |a| <= |b| which means we have to sort
173
* them. "x" will point to the input with the most digits
175
if (a->used > b->used) {
186
if (c->alloc < max + 1) {
187
if ((res = mp_grow (c, max + 1)) != MP_OKAY) {
192
/* get old used digit count and set new one */
197
register mp_digit u, *tmpa, *tmpb, *tmpc;
200
/* alias for digit pointers */
213
for (i = 0; i < min; i++) {
214
/* Compute the sum at one digit, T[i] = A[i] + B[i] + U */
215
*tmpc = *tmpa++ + *tmpb++ + u;
217
/* U = carry bit of T[i] */
218
u = *tmpc >> ((mp_digit)DIGIT_BIT);
220
/* take away carry bit from T[i] */
224
/* now copy higher words if any, that is in A+B
225
* if A or B has more digits add those in
228
for (; i < max; i++) {
229
/* T[i] = X[i] + U */
230
*tmpc = x->dp[i] + u;
232
/* U = carry bit of T[i] */
233
u = *tmpc >> ((mp_digit)DIGIT_BIT);
235
/* take away carry bit from T[i] */
243
/* clear digits above oldused */
244
for (i = c->used; i < olduse; i++) {
254
/* low level subtraction (assumes |a| > |b|), HAC pp.595 Algorithm 14.9 */
255
static int s_mp_sub (mp_int * a, mp_int * b, mp_int * c)
257
int olduse, res, min, max;
264
if (c->alloc < max) {
265
if ((res = mp_grow (c, max)) != MP_OKAY) {
273
register mp_digit u, *tmpa, *tmpb, *tmpc;
276
/* alias for digit pointers */
281
/* set carry to zero */
283
for (i = 0; i < min; i++) {
284
/* T[i] = A[i] - B[i] - U */
285
*tmpc = *tmpa++ - *tmpb++ - u;
287
/* U = carry bit of T[i]
288
* Note this saves performing an AND operation since
289
* if a carry does occur it will propagate all the way to the
290
* MSB. As a result a single shift is enough to get the carry
292
u = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof (mp_digit) - 1));
294
/* Clear carry from T[i] */
298
/* now copy higher words if any, e.g. if A has more digits than B */
299
for (; i < max; i++) {
300
/* T[i] = A[i] - U */
303
/* U = carry bit of T[i] */
304
u = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof (mp_digit) - 1));
306
/* Clear carry from T[i] */
310
/* clear digits above used (since we may not have grown result above) */
311
for (i = c->used; i < olduse; i++) {
321
/* init a new mp_int */
322
static int mp_init (mp_int * a)
326
/* allocate memory required and clear it */
327
a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * MP_PREC);
332
/* set the digits to zero */
333
for (i = 0; i < MP_PREC; i++) {
337
/* set the used to zero, allocated digits to the default precision
338
* and sign to positive */
347
/* clear one (frees) */
348
static void mp_clear (mp_int * a)
352
/* only do anything if a hasn't been freed previously */
354
/* first zero the digits */
355
for (i = 0; i < a->used; i++) {
362
/* reset members to make debugging easier */
364
a->alloc = a->used = 0;
370
/* high level addition (handles signs) */
371
static int mp_add (mp_int * a, mp_int * b, mp_int * c)
375
/* get sign of both inputs */
379
/* handle two cases, not four */
381
/* both positive or both negative */
382
/* add their magnitudes, copy the sign */
384
res = s_mp_add (a, b, c);
386
/* one positive, the other negative */
387
/* subtract the one with the greater magnitude from */
388
/* the one of the lesser magnitude. The result gets */
389
/* the sign of the one with the greater magnitude. */
390
if (mp_cmp_mag (a, b) == MP_LT) {
392
res = s_mp_sub (b, a, c);
395
res = s_mp_sub (a, b, c);
402
/* high level subtraction (handles signs) */
403
static int mp_sub (mp_int * a, mp_int * b, mp_int * c)
411
/* subtract a negative from a positive, OR */
412
/* subtract a positive from a negative. */
413
/* In either case, ADD their magnitudes, */
414
/* and use the sign of the first number. */
416
res = s_mp_add (a, b, c);
418
/* subtract a positive from a positive, OR */
419
/* subtract a negative from a negative. */
420
/* First, take the difference between their */
421
/* magnitudes, then... */
422
if (mp_cmp_mag (a, b) != MP_LT) {
423
/* Copy the sign from the first */
425
/* The first has a larger or equal magnitude */
426
res = s_mp_sub (a, b, c);
428
/* The result has the *opposite* sign from */
429
/* the first number. */
430
c->sign = (sa == MP_ZPOS) ? MP_NEG : MP_ZPOS;
431
/* The second has a larger magnitude */
432
res = s_mp_sub (b, a, c);
439
/* high level multiplication (handles sign) */
440
static int mp_mul (mp_int * a, mp_int * b, mp_int * c)
443
neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG;
446
#ifdef BN_MP_TOOM_MUL_C
447
if (MIN (a->used, b->used) >= TOOM_MUL_CUTOFF) {
448
res = mp_toom_mul(a, b, c);
451
#ifdef BN_MP_KARATSUBA_MUL_C
453
if (MIN (a->used, b->used) >= KARATSUBA_MUL_CUTOFF) {
454
res = mp_karatsuba_mul (a, b, c);
458
/* can we use the fast multiplier?
460
* The fast multiplier can be used if the output will
461
* have less than MP_WARRAY digits and the number of
462
* digits won't affect carry propagation
464
#ifdef BN_FAST_S_MP_MUL_DIGS_C
465
int digs = a->used + b->used + 1;
467
if ((digs < MP_WARRAY) &&
468
MIN(a->used, b->used) <=
469
(1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
470
res = fast_s_mp_mul_digs (a, b, c, digs);
473
#ifdef BN_S_MP_MUL_DIGS_C
474
res = s_mp_mul (a, b, c); /* uses s_mp_mul_digs */
476
#error mp_mul could fail
481
c->sign = (c->used > 0) ? neg : MP_ZPOS;
486
/* d = a * b (mod c) */
487
static int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d)
492
if ((res = mp_init (&t)) != MP_OKAY) {
496
if ((res = mp_mul (a, b, &t)) != MP_OKAY) {
500
res = mp_mod (&t, c, d);
506
/* c = a mod b, 0 <= c < b */
507
static int mp_mod (mp_int * a, mp_int * b, mp_int * c)
512
if ((res = mp_init (&t)) != MP_OKAY) {
516
if ((res = mp_div (a, b, NULL, &t)) != MP_OKAY) {
521
if (t.sign != b->sign) {
522
res = mp_add (b, &t, c);
533
/* this is a shell function that calls either the normal or Montgomery
534
* exptmod functions. Originally the call to the montgomery code was
535
* embedded in the normal function but that wasted alot of stack space
536
* for nothing (since 99% of the time the Montgomery code would be called)
538
static int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
542
/* modulus P must be positive */
543
if (P->sign == MP_NEG) {
547
/* if exponent X is negative we have to recurse */
548
if (X->sign == MP_NEG) {
549
#ifdef BN_MP_INVMOD_C
553
/* first compute 1/G mod P */
554
if ((err = mp_init(&tmpG)) != MP_OKAY) {
557
if ((err = mp_invmod(G, P, &tmpG)) != MP_OKAY) {
563
if ((err = mp_init(&tmpX)) != MP_OKAY) {
567
if ((err = mp_abs(X, &tmpX)) != MP_OKAY) {
568
mp_clear_multi(&tmpG, &tmpX, NULL);
572
/* and now compute (1/G)**|X| instead of G**X [X < 0] */
573
err = mp_exptmod(&tmpG, &tmpX, P, Y);
574
mp_clear_multi(&tmpG, &tmpX, NULL);
577
#error mp_exptmod would always fail
583
/* modified diminished radix reduction */
584
#if defined(BN_MP_REDUCE_IS_2K_L_C) && defined(BN_MP_REDUCE_2K_L_C) && defined(BN_S_MP_EXPTMOD_C)
585
if (mp_reduce_is_2k_l(P) == MP_YES) {
586
return s_mp_exptmod(G, X, P, Y, 1);
590
#ifdef BN_MP_DR_IS_MODULUS_C
591
/* is it a DR modulus? */
592
dr = mp_dr_is_modulus(P);
598
#ifdef BN_MP_REDUCE_IS_2K_C
599
/* if not, is it a unrestricted DR modulus? */
601
dr = mp_reduce_is_2k(P) << 1;
605
/* if the modulus is odd or dr != 0 use the montgomery method */
606
#ifdef BN_MP_EXPTMOD_FAST_C
607
if (mp_isodd (P) == 1 || dr != 0) {
608
return mp_exptmod_fast (G, X, P, Y, dr);
611
#ifdef BN_S_MP_EXPTMOD_C
612
/* otherwise use the generic Barrett reduction technique */
613
return s_mp_exptmod (G, X, P, Y, 0);
615
#error mp_exptmod could fail
616
/* no exptmod for evens */
619
#ifdef BN_MP_EXPTMOD_FAST_C
625
/* compare two ints (signed)*/
626
static int mp_cmp (mp_int * a, mp_int * b)
628
/* compare based on sign */
629
if (a->sign != b->sign) {
630
if (a->sign == MP_NEG) {
638
if (a->sign == MP_NEG) {
639
/* if negative compare opposite direction */
640
return mp_cmp_mag(b, a);
642
return mp_cmp_mag(a, b);
647
/* compare a digit */
648
static int mp_cmp_d(mp_int * a, mp_digit b)
650
/* compare based on sign */
651
if (a->sign == MP_NEG) {
655
/* compare based on magnitude */
660
/* compare the only digit of a to b */
663
} else if (a->dp[0] < b) {
671
/* hac 14.61, pp608 */
672
static int mp_invmod (mp_int * a, mp_int * b, mp_int * c)
674
/* b cannot be negative */
675
if (b->sign == MP_NEG || mp_iszero(b) == 1) {
679
#ifdef BN_FAST_MP_INVMOD_C
680
/* if the modulus is odd we can use a faster routine instead */
681
if (mp_isodd (b) == 1) {
682
return fast_mp_invmod (a, b, c);
686
#ifdef BN_MP_INVMOD_SLOW_C
687
return mp_invmod_slow(a, b, c);
690
#ifndef BN_FAST_MP_INVMOD_C
691
#ifndef BN_MP_INVMOD_SLOW_C
692
#error mp_invmod would always fail
699
/* get the size for an unsigned equivalent */
700
static int mp_unsigned_bin_size (mp_int * a)
702
int size = mp_count_bits (a);
703
return (size / 8 + ((size & 7) != 0 ? 1 : 0));
707
/* hac 14.61, pp608 */
708
static int mp_invmod_slow (mp_int * a, mp_int * b, mp_int * c)
710
mp_int x, y, u, v, A, B, C, D;
713
/* b cannot be negative */
714
if (b->sign == MP_NEG || mp_iszero(b) == 1) {
719
if ((res = mp_init_multi(&x, &y, &u, &v,
720
&A, &B, &C, &D, NULL)) != MP_OKAY) {
725
if ((res = mp_mod(a, b, &x)) != MP_OKAY) {
728
if ((res = mp_copy (b, &y)) != MP_OKAY) {
732
/* 2. [modified] if x,y are both even then return an error! */
733
if (mp_iseven (&x) == 1 && mp_iseven (&y) == 1) {
738
/* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
739
if ((res = mp_copy (&x, &u)) != MP_OKAY) {
742
if ((res = mp_copy (&y, &v)) != MP_OKAY) {
749
/* 4. while u is even do */
750
while (mp_iseven (&u) == 1) {
752
if ((res = mp_div_2 (&u, &u)) != MP_OKAY) {
755
/* 4.2 if A or B is odd then */
756
if (mp_isodd (&A) == 1 || mp_isodd (&B) == 1) {
757
/* A = (A+y)/2, B = (B-x)/2 */
758
if ((res = mp_add (&A, &y, &A)) != MP_OKAY) {
761
if ((res = mp_sub (&B, &x, &B)) != MP_OKAY) {
765
/* A = A/2, B = B/2 */
766
if ((res = mp_div_2 (&A, &A)) != MP_OKAY) {
769
if ((res = mp_div_2 (&B, &B)) != MP_OKAY) {
774
/* 5. while v is even do */
775
while (mp_iseven (&v) == 1) {
777
if ((res = mp_div_2 (&v, &v)) != MP_OKAY) {
780
/* 5.2 if C or D is odd then */
781
if (mp_isodd (&C) == 1 || mp_isodd (&D) == 1) {
782
/* C = (C+y)/2, D = (D-x)/2 */
783
if ((res = mp_add (&C, &y, &C)) != MP_OKAY) {
786
if ((res = mp_sub (&D, &x, &D)) != MP_OKAY) {
790
/* C = C/2, D = D/2 */
791
if ((res = mp_div_2 (&C, &C)) != MP_OKAY) {
794
if ((res = mp_div_2 (&D, &D)) != MP_OKAY) {
799
/* 6. if u >= v then */
800
if (mp_cmp (&u, &v) != MP_LT) {
801
/* u = u - v, A = A - C, B = B - D */
802
if ((res = mp_sub (&u, &v, &u)) != MP_OKAY) {
806
if ((res = mp_sub (&A, &C, &A)) != MP_OKAY) {
810
if ((res = mp_sub (&B, &D, &B)) != MP_OKAY) {
814
/* v - v - u, C = C - A, D = D - B */
815
if ((res = mp_sub (&v, &u, &v)) != MP_OKAY) {
819
if ((res = mp_sub (&C, &A, &C)) != MP_OKAY) {
823
if ((res = mp_sub (&D, &B, &D)) != MP_OKAY) {
828
/* if not zero goto step 4 */
829
if (mp_iszero (&u) == 0)
832
/* now a = C, b = D, gcd == g*v */
834
/* if v != 1 then there is no inverse */
835
if (mp_cmp_d (&v, 1) != MP_EQ) {
841
while (mp_cmp_d(&C, 0) == MP_LT) {
842
if ((res = mp_add(&C, b, &C)) != MP_OKAY) {
848
while (mp_cmp_mag(&C, b) != MP_LT) {
849
if ((res = mp_sub(&C, b, &C)) != MP_OKAY) {
854
/* C is now the inverse */
857
LBL_ERR:mp_clear_multi (&x, &y, &u, &v, &A, &B, &C, &D, NULL);
862
/* compare maginitude of two ints (unsigned) */
863
static int mp_cmp_mag (mp_int * a, mp_int * b)
866
mp_digit *tmpa, *tmpb;
868
/* compare based on # of non-zero digits */
869
if (a->used > b->used) {
873
if (a->used < b->used) {
878
tmpa = a->dp + (a->used - 1);
881
tmpb = b->dp + (a->used - 1);
883
/* compare based on digits */
884
for (n = 0; n < a->used; ++n, --tmpa, --tmpb) {
897
/* reads a unsigned char array, assumes the msb is stored first [big endian] */
898
static int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c)
902
/* make sure there are at least two digits */
904
if ((res = mp_grow(a, 2)) != MP_OKAY) {
912
/* read the bytes in */
914
if ((res = mp_mul_2d (a, 8, a)) != MP_OKAY) {
922
a->dp[0] = (*b & MP_MASK);
923
a->dp[1] |= ((*b++ >> 7U) & 1);
932
/* store in unsigned [big endian] format */
933
static int mp_to_unsigned_bin (mp_int * a, unsigned char *b)
938
if ((res = mp_init_copy (&t, a)) != MP_OKAY) {
943
while (mp_iszero (&t) == 0) {
945
b[x++] = (unsigned char) (t.dp[0] & 255);
947
b[x++] = (unsigned char) (t.dp[0] | ((t.dp[1] & 0x01) << 7));
949
if ((res = mp_div_2d (&t, 8, &t, NULL)) != MP_OKAY) {
960
/* shift right by a certain bit count (store quotient in c, optional remainder in d) */
961
static int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d)
968
/* if the shift count is <= 0 then we do no work */
970
res = mp_copy (a, c);
977
if ((res = mp_init (&t)) != MP_OKAY) {
981
/* get the remainder */
983
if ((res = mp_mod_2d (a, b, &t)) != MP_OKAY) {
990
if ((res = mp_copy (a, c)) != MP_OKAY) {
995
/* shift by as many digits in the bit count */
996
if (b >= (int)DIGIT_BIT) {
997
mp_rshd (c, b / DIGIT_BIT);
1000
/* shift any bit count < DIGIT_BIT */
1001
D = (mp_digit) (b % DIGIT_BIT);
1003
register mp_digit *tmpc, mask, shift;
1006
mask = (((mp_digit)1) << D) - 1;
1009
shift = DIGIT_BIT - D;
1012
tmpc = c->dp + (c->used - 1);
1016
for (x = c->used - 1; x >= 0; x--) {
1017
/* get the lower bits of this word in a temp */
1020
/* shift the current word and mix in the carry bits from the previous word */
1021
*tmpc = (*tmpc >> D) | (r << shift);
1024
/* set the carry to the carry bits of the current word found above */
1037
static int mp_init_copy (mp_int * a, mp_int * b)
1041
if ((res = mp_init (a)) != MP_OKAY) {
1044
return mp_copy (b, a);
1049
static void mp_zero (mp_int * a)
1058
for (n = 0; n < a->alloc; n++) {
1065
static int mp_copy (mp_int * a, mp_int * b)
1069
/* if dst == src do nothing */
1075
if (b->alloc < a->used) {
1076
if ((res = mp_grow (b, a->used)) != MP_OKAY) {
1081
/* zero b and copy the parameters over */
1083
register mp_digit *tmpa, *tmpb;
1085
/* pointer aliases */
1093
/* copy all the digits */
1094
for (n = 0; n < a->used; n++) {
1098
/* clear high digits */
1099
for (; n < b->used; n++) {
1104
/* copy used count and sign */
1111
/* shift right a certain amount of digits */
1112
static void mp_rshd (mp_int * a, int b)
1116
/* if b <= 0 then ignore it */
1121
/* if b > used then simply zero it and return */
1128
register mp_digit *bottom, *top;
1130
/* shift the digits down */
1135
/* top [offset into digits] */
1138
/* this is implemented as a sliding window where
1139
* the window is b-digits long and digits from
1140
* the top of the window are copied to the bottom
1144
b-2 | b-1 | b0 | b1 | b2 | ... | bb | ---->
1146
\-------------------/ ---->
1148
for (x = 0; x < (a->used - b); x++) {
1152
/* zero the top digits */
1153
for (; x < a->used; x++) {
1158
/* remove excess digits */
1163
/* swap the elements of two integers, for cases where you can't simply swap the
1164
* mp_int pointers around
1166
static void mp_exch (mp_int * a, mp_int * b)
1176
/* trim unused digits
1178
* This is used to ensure that leading zero digits are
1179
* trimed and the leading "used" digit will be non-zero
1180
* Typically very fast. Also fixes the sign if there
1181
* are no more leading digits
1183
static void mp_clamp (mp_int * a)
1185
/* decrease used while the most significant digit is
1188
while (a->used > 0 && a->dp[a->used - 1] == 0) {
1192
/* reset the sign flag if used == 0 */
1199
/* grow as required */
1200
static int mp_grow (mp_int * a, int size)
1205
/* if the alloc size is smaller alloc more ram */
1206
if (a->alloc < size) {
1207
/* ensure there are always at least MP_PREC digits extra on top */
1208
size += (MP_PREC * 2) - (size % MP_PREC);
1210
/* reallocate the array a->dp
1212
* We store the return in a temporary variable
1213
* in case the operation failed we don't want
1214
* to overwrite the dp member of a.
1216
tmp = OPT_CAST(mp_digit) XREALLOC (a->dp, sizeof (mp_digit) * size);
1218
/* reallocation failed but "a" is still valid [can be freed] */
1222
/* reallocation succeeded so set a->dp */
1225
/* zero excess digits */
1228
for (; i < a->alloc; i++) {
1238
* Simple function copies the input and fixes the sign to positive
1240
static int mp_abs (mp_int * a, mp_int * b)
1246
if ((res = mp_copy (a, b)) != MP_OKAY) {
1251
/* force the sign of b to positive */
1258
/* set to a digit */
1259
static void mp_set (mp_int * a, mp_digit b)
1262
a->dp[0] = b & MP_MASK;
1263
a->used = (a->dp[0] != 0) ? 1 : 0;
1268
static int mp_div_2(mp_int * a, mp_int * b)
1270
int x, res, oldused;
1273
if (b->alloc < a->used) {
1274
if ((res = mp_grow (b, a->used)) != MP_OKAY) {
1282
register mp_digit r, rr, *tmpa, *tmpb;
1285
tmpa = a->dp + b->used - 1;
1288
tmpb = b->dp + b->used - 1;
1292
for (x = b->used - 1; x >= 0; x--) {
1293
/* get the carry for the next iteration */
1296
/* shift the current digit, add in carry and store */
1297
*tmpb-- = (*tmpa-- >> 1) | (r << (DIGIT_BIT - 1));
1299
/* forward carry to next iteration */
1303
/* zero excess digits */
1304
tmpb = b->dp + b->used;
1305
for (x = b->used; x < oldused; x++) {
1315
/* shift left by a certain bit count */
1316
static int mp_mul_2d (mp_int * a, int b, mp_int * c)
1323
if ((res = mp_copy (a, c)) != MP_OKAY) {
1328
if (c->alloc < (int)(c->used + b/DIGIT_BIT + 1)) {
1329
if ((res = mp_grow (c, c->used + b / DIGIT_BIT + 1)) != MP_OKAY) {
1334
/* shift by as many digits in the bit count */
1335
if (b >= (int)DIGIT_BIT) {
1336
if ((res = mp_lshd (c, b / DIGIT_BIT)) != MP_OKAY) {
1341
/* shift any bit count < DIGIT_BIT */
1342
d = (mp_digit) (b % DIGIT_BIT);
1344
register mp_digit *tmpc, shift, mask, r, rr;
1347
/* bitmask for carries */
1348
mask = (((mp_digit)1) << d) - 1;
1350
/* shift for msbs */
1351
shift = DIGIT_BIT - d;
1358
for (x = 0; x < c->used; x++) {
1359
/* get the higher bits of the current word */
1360
rr = (*tmpc >> shift) & mask;
1362
/* shift the current word and OR in the carry */
1363
*tmpc = ((*tmpc << d) | r) & MP_MASK;
1366
/* set the carry to the carry bits of the current word */
1370
/* set final carry */
1372
c->dp[(c->used)++] = r;
1380
static int mp_init_multi(mp_int *mp, ...)
1382
mp_err res = MP_OKAY; /* Assume ok until proven otherwise */
1383
int n = 0; /* Number of ok inits */
1384
mp_int* cur_arg = mp;
1387
va_start(args, mp); /* init args to next argument from caller */
1388
while (cur_arg != NULL) {
1389
if (mp_init(cur_arg) != MP_OKAY) {
1390
/* Oops - error! Back-track and mp_clear what we already
1391
succeeded in init-ing, then return error.
1395
/* end the current list */
1398
/* now start cleaning up */
1400
va_start(clean_args, mp);
1403
cur_arg = va_arg(clean_args, mp_int*);
1410
cur_arg = va_arg(args, mp_int*);
1413
return res; /* Assumed ok, if error flagged above. */
1417
static void mp_clear_multi(mp_int *mp, ...)
1419
mp_int* next_mp = mp;
1422
while (next_mp != NULL) {
1424
next_mp = va_arg(args, mp_int*);
1430
/* shift left a certain amount of digits */
1431
static int mp_lshd (mp_int * a, int b)
1435
/* if its less than zero return */
1440
/* grow to fit the new digits */
1441
if (a->alloc < a->used + b) {
1442
if ((res = mp_grow (a, a->used + b)) != MP_OKAY) {
1448
register mp_digit *top, *bottom;
1450
/* increment the used by the shift amount then copy upwards */
1454
top = a->dp + a->used - 1;
1457
bottom = a->dp + a->used - 1 - b;
1459
/* much like mp_rshd this is implemented using a sliding window
1460
* except the window goes the otherway around. Copying from
1461
* the bottom to the top. see bn_mp_rshd.c for more info.
1463
for (x = a->used - 1; x >= b; x--) {
1467
/* zero the lower digits */
1469
for (x = 0; x < b; x++) {
1477
/* returns the number of bits in an int */
1478
static int mp_count_bits (mp_int * a)
1488
/* get number of digits and add that */
1489
r = (a->used - 1) * DIGIT_BIT;
1491
/* take the last digit and count the bits in it */
1492
q = a->dp[a->used - 1];
1493
while (q > ((mp_digit) 0)) {
1495
q >>= ((mp_digit) 1);
1501
/* calc a value mod 2**b */
1502
static int mp_mod_2d (mp_int * a, int b, mp_int * c)
1506
/* if b is <= 0 then zero the int */
1512
/* if the modulus is larger than the value than return */
1513
if (b >= (int) (a->used * DIGIT_BIT)) {
1514
res = mp_copy (a, c);
1519
if ((res = mp_copy (a, c)) != MP_OKAY) {
1523
/* zero digits above the last digit of the modulus */
1524
for (x = (b / DIGIT_BIT) + ((b % DIGIT_BIT) == 0 ? 0 : 1); x < c->used; x++) {
1527
/* clear the digit that is not completely outside/inside the modulus */
1528
c->dp[b / DIGIT_BIT] &=
1529
(mp_digit) ((((mp_digit) 1) << (((mp_digit) b) % DIGIT_BIT)) - ((mp_digit) 1));
1535
/* slower bit-bang division... also smaller */
1536
static int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d)
1538
mp_int ta, tb, tq, q;
1541
/* is divisor zero ? */
1542
if (mp_iszero (b) == 1) {
1546
/* if a < b then q=0, r = a */
1547
if (mp_cmp_mag (a, b) == MP_LT) {
1549
res = mp_copy (a, d);
1559
/* init our temps */
1560
if ((res = mp_init_multi(&ta, &tb, &tq, &q, NULL) != MP_OKAY)) {
1566
n = mp_count_bits(a) - mp_count_bits(b);
1567
if (((res = mp_abs(a, &ta)) != MP_OKAY) ||
1568
((res = mp_abs(b, &tb)) != MP_OKAY) ||
1569
((res = mp_mul_2d(&tb, n, &tb)) != MP_OKAY) ||
1570
((res = mp_mul_2d(&tq, n, &tq)) != MP_OKAY)) {
1575
if (mp_cmp(&tb, &ta) != MP_GT) {
1576
if (((res = mp_sub(&ta, &tb, &ta)) != MP_OKAY) ||
1577
((res = mp_add(&q, &tq, &q)) != MP_OKAY)) {
1581
if (((res = mp_div_2d(&tb, 1, &tb, NULL)) != MP_OKAY) ||
1582
((res = mp_div_2d(&tq, 1, &tq, NULL)) != MP_OKAY)) {
1587
/* now q == quotient and ta == remainder */
1589
n2 = (a->sign == b->sign ? MP_ZPOS : MP_NEG);
1592
c->sign = (mp_iszero(c) == MP_YES) ? MP_ZPOS : n2;
1596
d->sign = (mp_iszero(d) == MP_YES) ? MP_ZPOS : n;
1599
mp_clear_multi(&ta, &tb, &tq, &q, NULL);
1607
#define TAB_SIZE 256
1610
static int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode)
1612
mp_int M[TAB_SIZE], res, mu;
1614
int err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
1615
int (*redux)(mp_int*,mp_int*,mp_int*);
1617
/* find window size */
1618
x = mp_count_bits (X);
1621
} else if (x <= 36) {
1623
} else if (x <= 140) {
1625
} else if (x <= 450) {
1627
} else if (x <= 1303) {
1629
} else if (x <= 3529) {
1642
/* init first cell */
1643
if ((err = mp_init(&M[1])) != MP_OKAY) {
1647
/* now init the second half of the array */
1648
for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
1649
if ((err = mp_init(&M[x])) != MP_OKAY) {
1650
for (y = 1<<(winsize-1); y < x; y++) {
1658
/* create mu, used for Barrett reduction */
1659
if ((err = mp_init (&mu)) != MP_OKAY) {
1664
if ((err = mp_reduce_setup (&mu, P)) != MP_OKAY) {
1669
if ((err = mp_reduce_2k_setup_l (P, &mu)) != MP_OKAY) {
1672
redux = mp_reduce_2k_l;
1677
* The M table contains powers of the base,
1678
* e.g. M[x] = G**x mod P
1680
* The first half of the table is not
1681
* computed though accept for M[0] and M[1]
1683
if ((err = mp_mod (G, P, &M[1])) != MP_OKAY) {
1687
/* compute the value at M[1<<(winsize-1)] by squaring
1688
* M[1] (winsize-1) times
1690
if ((err = mp_copy (&M[1], &M[1 << (winsize - 1)])) != MP_OKAY) {
1694
for (x = 0; x < (winsize - 1); x++) {
1696
if ((err = mp_sqr (&M[1 << (winsize - 1)],
1697
&M[1 << (winsize - 1)])) != MP_OKAY) {
1701
/* reduce modulo P */
1702
if ((err = redux (&M[1 << (winsize - 1)], P, &mu)) != MP_OKAY) {
1707
/* create upper table, that is M[x] = M[x-1] * M[1] (mod P)
1708
* for x = (2**(winsize - 1) + 1) to (2**winsize - 1)
1710
for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
1711
if ((err = mp_mul (&M[x - 1], &M[1], &M[x])) != MP_OKAY) {
1714
if ((err = redux (&M[x], P, &mu)) != MP_OKAY) {
1720
if ((err = mp_init (&res)) != MP_OKAY) {
1725
/* set initial mode and bit cnt */
1729
digidx = X->used - 1;
1734
/* grab next digit as required */
1735
if (--bitcnt == 0) {
1736
/* if digidx == -1 we are out of digits */
1740
/* read next digit and reset the bitcnt */
1741
buf = X->dp[digidx--];
1742
bitcnt = (int) DIGIT_BIT;
1745
/* grab the next msb from the exponent */
1746
y = (buf >> (mp_digit)(DIGIT_BIT - 1)) & 1;
1747
buf <<= (mp_digit)1;
1749
/* if the bit is zero and mode == 0 then we ignore it
1750
* These represent the leading zero bits before the first 1 bit
1751
* in the exponent. Technically this opt is not required but it
1752
* does lower the # of trivial squaring/reductions used
1754
if (mode == 0 && y == 0) {
1758
/* if the bit is zero and mode == 1 then we square */
1759
if (mode == 1 && y == 0) {
1760
if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
1763
if ((err = redux (&res, P, &mu)) != MP_OKAY) {
1769
/* else we add it to the window */
1770
bitbuf |= (y << (winsize - ++bitcpy));
1773
if (bitcpy == winsize) {
1774
/* ok window is filled so square as required and multiply */
1776
for (x = 0; x < winsize; x++) {
1777
if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
1780
if ((err = redux (&res, P, &mu)) != MP_OKAY) {
1786
if ((err = mp_mul (&res, &M[bitbuf], &res)) != MP_OKAY) {
1789
if ((err = redux (&res, P, &mu)) != MP_OKAY) {
1793
/* empty window and reset */
1800
/* if bits remain then square/multiply */
1801
if (mode == 2 && bitcpy > 0) {
1802
/* square then multiply if the bit is set */
1803
for (x = 0; x < bitcpy; x++) {
1804
if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
1807
if ((err = redux (&res, P, &mu)) != MP_OKAY) {
1812
if ((bitbuf & (1 << winsize)) != 0) {
1814
if ((err = mp_mul (&res, &M[1], &res)) != MP_OKAY) {
1817
if ((err = redux (&res, P, &mu)) != MP_OKAY) {
1826
LBL_RES:mp_clear (&res);
1827
LBL_MU:mp_clear (&mu);
1830
for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
1837
/* computes b = a*a */
1838
static int mp_sqr (mp_int * a, mp_int * b)
1842
#ifdef BN_MP_TOOM_SQR_C
1843
/* use Toom-Cook? */
1844
if (a->used >= TOOM_SQR_CUTOFF) {
1845
res = mp_toom_sqr(a, b);
1849
#ifdef BN_MP_KARATSUBA_SQR_C
1850
if (a->used >= KARATSUBA_SQR_CUTOFF) {
1851
res = mp_karatsuba_sqr (a, b);
1855
#ifdef BN_FAST_S_MP_SQR_C
1856
/* can we use the fast comba multiplier? */
1857
if ((a->used * 2 + 1) < MP_WARRAY &&
1859
(1 << (sizeof(mp_word) * CHAR_BIT - 2*DIGIT_BIT - 1))) {
1860
res = fast_s_mp_sqr (a, b);
1863
#ifdef BN_S_MP_SQR_C
1864
res = s_mp_sqr (a, b);
1866
#error mp_sqr could fail
1875
/* reduces a modulo n where n is of the form 2**p - d
1876
This differs from reduce_2k since "d" can be larger
1877
than a single digit.
1879
static int mp_reduce_2k_l(mp_int *a, mp_int *n, mp_int *d)
1884
if ((res = mp_init(&q)) != MP_OKAY) {
1888
p = mp_count_bits(n);
1890
/* q = a/2**p, a = a mod 2**p */
1891
if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) {
1896
if ((res = mp_mul(&q, d, &q)) != MP_OKAY) {
1901
if ((res = s_mp_add(a, &q, a)) != MP_OKAY) {
1905
if (mp_cmp_mag(a, n) != MP_LT) {
1916
/* determines the setup value */
1917
static int mp_reduce_2k_setup_l(mp_int *a, mp_int *d)
1922
if ((res = mp_init(&tmp)) != MP_OKAY) {
1926
if ((res = mp_2expt(&tmp, mp_count_bits(a))) != MP_OKAY) {
1930
if ((res = s_mp_sub(&tmp, a, d)) != MP_OKAY) {
1940
/* computes a = 2**b
1942
* Simple algorithm which zeroes the int, grows it then just sets one bit
1945
static int mp_2expt (mp_int * a, int b)
1949
/* zero a as per default */
1952
/* grow a to accomodate the single bit */
1953
if ((res = mp_grow (a, b / DIGIT_BIT + 1)) != MP_OKAY) {
1957
/* set the used count of where the bit will go */
1958
a->used = b / DIGIT_BIT + 1;
1960
/* put the single bit in its place */
1961
a->dp[b / DIGIT_BIT] = ((mp_digit)1) << (b % DIGIT_BIT);
1967
/* pre-calculate the value required for Barrett reduction
1968
* For a given modulus "b" it calulates the value required in "a"
1970
static int mp_reduce_setup (mp_int * a, mp_int * b)
1974
if ((res = mp_2expt (a, b->used * 2 * DIGIT_BIT)) != MP_OKAY) {
1977
return mp_div (a, b, a, NULL);
1981
/* reduces x mod m, assumes 0 < x < m**2, mu is
1982
* precomputed via mp_reduce_setup.
1983
* From HAC pp.604 Algorithm 14.42
1985
static int mp_reduce (mp_int * x, mp_int * m, mp_int * mu)
1988
int res, um = m->used;
1991
if ((res = mp_init_copy (&q, x)) != MP_OKAY) {
1995
/* q1 = x / b**(k-1) */
1996
mp_rshd (&q, um - 1);
1998
/* according to HAC this optimization is ok */
1999
if (((unsigned long) um) > (((mp_digit)1) << (DIGIT_BIT - 1))) {
2000
if ((res = mp_mul (&q, mu, &q)) != MP_OKAY) {
2004
#ifdef BN_S_MP_MUL_HIGH_DIGS_C
2005
if ((res = s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) {
2008
#elif defined(BN_FAST_S_MP_MUL_HIGH_DIGS_C)
2009
if ((res = fast_s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) {
2014
#error mp_reduce would always fail
2021
/* q3 = q2 / b**(k+1) */
2022
mp_rshd (&q, um + 1);
2024
/* x = x mod b**(k+1), quick (no division) */
2025
if ((res = mp_mod_2d (x, DIGIT_BIT * (um + 1), x)) != MP_OKAY) {
2029
/* q = q * m mod b**(k+1), quick (no division) */
2030
if ((res = s_mp_mul_digs (&q, m, &q, um + 1)) != MP_OKAY) {
2035
if ((res = mp_sub (x, &q, x)) != MP_OKAY) {
2039
/* If x < 0, add b**(k+1) to it */
2040
if (mp_cmp_d (x, 0) == MP_LT) {
2042
if ((res = mp_lshd (&q, um + 1)) != MP_OKAY) {
2045
if ((res = mp_add (x, &q, x)) != MP_OKAY) {
2050
/* Back off if it's too big */
2051
while (mp_cmp (x, m) != MP_LT) {
2052
if ((res = s_mp_sub (x, m, x)) != MP_OKAY) {
2064
/* multiplies |a| * |b| and only computes upto digs digits of result
2065
* HAC pp. 595, Algorithm 14.12 Modified so you can control how
2066
* many digits of output are created.
2068
static int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
2071
int res, pa, pb, ix, iy;
2074
mp_digit tmpx, *tmpt, *tmpy;
2076
/* can we use the fast multiplier? */
2077
if (((digs) < MP_WARRAY) &&
2078
MIN (a->used, b->used) <
2079
(1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
2080
return fast_s_mp_mul_digs (a, b, c, digs);
2083
if ((res = mp_init_size (&t, digs)) != MP_OKAY) {
2088
/* compute the digits of the product directly */
2090
for (ix = 0; ix < pa; ix++) {
2091
/* set the carry to zero */
2094
/* limit ourselves to making digs digits of output */
2095
pb = MIN (b->used, digs - ix);
2097
/* setup some aliases */
2098
/* copy of the digit from a used within the nested loop */
2101
/* an alias for the destination shifted ix places */
2104
/* an alias for the digits of b */
2107
/* compute the columns of the output and propagate the carry */
2108
for (iy = 0; iy < pb; iy++) {
2109
/* compute the column as a mp_word */
2110
r = ((mp_word)*tmpt) +
2111
((mp_word)tmpx) * ((mp_word)*tmpy++) +
2114
/* the new column is the lower part of the result */
2115
*tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
2117
/* get the carry word from the result */
2118
u = (mp_digit) (r >> ((mp_word) DIGIT_BIT));
2120
/* set carry if it is placed below digs */
2121
if (ix + iy < digs) {
2134
/* Fast (comba) multiplier
2136
* This is the fast column-array [comba] multiplier. It is
2137
* designed to compute the columns of the product first
2138
* then handle the carries afterwards. This has the effect
2139
* of making the nested loops that compute the columns very
2140
* simple and schedulable on super-scalar processors.
2142
* This has been modified to produce a variable number of
2143
* digits of output so if say only a half-product is required
2144
* you don't have to compute the upper half (a feature
2145
* required for fast Barrett reduction).
2147
* Based on Algorithm 14.12 on pp.595 of HAC.
2150
static int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
2152
int olduse, res, pa, ix, iz;
2153
mp_digit W[MP_WARRAY];
2154
register mp_word _W;
2156
/* grow the destination as required */
2157
if (c->alloc < digs) {
2158
if ((res = mp_grow (c, digs)) != MP_OKAY) {
2163
/* number of output digits to produce */
2164
pa = MIN(digs, a->used + b->used);
2166
/* clear the carry */
2168
for (ix = 0; ix < pa; ix++) {
2171
mp_digit *tmpx, *tmpy;
2173
/* get offsets into the two bignums */
2174
ty = MIN(b->used-1, ix);
2177
/* setup temp aliases */
2181
/* this is the number of times the loop will iterrate, essentially
2182
while (tx++ < a->used && ty-- >= 0) { ... }
2184
iy = MIN(a->used-tx, ty+1);
2187
for (iz = 0; iz < iy; ++iz) {
2188
_W += ((mp_word)*tmpx++)*((mp_word)*tmpy--);
2193
W[ix] = ((mp_digit)_W) & MP_MASK;
2195
/* make next carry */
2196
_W = _W >> ((mp_word)DIGIT_BIT);
2204
register mp_digit *tmpc;
2206
for (ix = 0; ix < pa+1; ix++) {
2207
/* now extract the previous digit [below the carry] */
2211
/* clear unused digits [that existed in the old copy of c] */
2212
for (; ix < olduse; ix++) {
2221
/* init an mp_init for a given size */
2222
static int mp_init_size (mp_int * a, int size)
2226
/* pad size so there are always extra digits */
2227
size += (MP_PREC * 2) - (size % MP_PREC);
2230
a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * size);
2231
if (a->dp == NULL) {
2235
/* set the members */
2240
/* zero the digits */
2241
for (x = 0; x < size; x++) {
2249
/* low level squaring, b = a*a, HAC pp.596-597, Algorithm 14.16 */
2250
static int s_mp_sqr (mp_int * a, mp_int * b)
2253
int res, ix, iy, pa;
2255
mp_digit u, tmpx, *tmpt;
2258
if ((res = mp_init_size (&t, 2*pa + 1)) != MP_OKAY) {
2262
/* default used is maximum possible size */
2265
for (ix = 0; ix < pa; ix++) {
2266
/* first calculate the digit at 2*ix */
2267
/* calculate double precision result */
2268
r = ((mp_word) t.dp[2*ix]) +
2269
((mp_word)a->dp[ix])*((mp_word)a->dp[ix]);
2271
/* store lower part in result */
2272
t.dp[ix+ix] = (mp_digit) (r & ((mp_word) MP_MASK));
2275
u = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
2277
/* left hand side of A[ix] * A[iy] */
2280
/* alias for where to store the results */
2281
tmpt = t.dp + (2*ix + 1);
2283
for (iy = ix + 1; iy < pa; iy++) {
2284
/* first calculate the product */
2285
r = ((mp_word)tmpx) * ((mp_word)a->dp[iy]);
2287
/* now calculate the double precision result, note we use
2288
* addition instead of *2 since it's easier to optimize
2290
r = ((mp_word) *tmpt) + r + r + ((mp_word) u);
2292
/* store lower part */
2293
*tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
2296
u = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
2298
/* propagate upwards */
2299
while (u != ((mp_digit) 0)) {
2300
r = ((mp_word) *tmpt) + ((mp_word) u);
2301
*tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
2302
u = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
2313
/* multiplies |a| * |b| and does not compute the lower digs digits
2314
* [meant to get the higher part of the product]
2316
static int s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
2319
int res, pa, pb, ix, iy;
2322
mp_digit tmpx, *tmpt, *tmpy;
2324
/* can we use the fast multiplier? */
2325
#ifdef BN_FAST_S_MP_MUL_HIGH_DIGS_C
2326
if (((a->used + b->used + 1) < MP_WARRAY)
2327
&& MIN (a->used, b->used) < (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
2328
return fast_s_mp_mul_high_digs (a, b, c, digs);
2332
if ((res = mp_init_size (&t, a->used + b->used + 1)) != MP_OKAY) {
2335
t.used = a->used + b->used + 1;
2339
for (ix = 0; ix < pa; ix++) {
2340
/* clear the carry */
2343
/* left hand side of A[ix] * B[iy] */
2346
/* alias to the address of where the digits will be stored */
2347
tmpt = &(t.dp[digs]);
2349
/* alias for where to read the right hand side from */
2350
tmpy = b->dp + (digs - ix);
2352
for (iy = digs - ix; iy < pb; iy++) {
2353
/* calculate the double precision result */
2354
r = ((mp_word)*tmpt) +
2355
((mp_word)tmpx) * ((mp_word)*tmpy++) +
2358
/* get the lower part */
2359
*tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
2361
/* carry the carry */
2362
u = (mp_digit) (r >> ((mp_word) DIGIT_BIT));
added
removed
src/tls/libtommath.c
