1 /** 2 * \file bignum.h 3 * 4 * \brief Multi-precision integer library 5 */ 6 /* 7 * Copyright The Mbed TLS Contributors 8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 9 * 10 * This file is provided under the Apache License 2.0, or the 11 * GNU General Public License v2.0 or later. 12 * 13 * ********** 14 * Apache License 2.0: 15 * 16 * Licensed under the Apache License, Version 2.0 (the "License"); you may 17 * not use this file except in compliance with the License. 18 * You may obtain a copy of the License at 19 * 20 * http://www.apache.org/licenses/LICENSE-2.0 21 * 22 * Unless required by applicable law or agreed to in writing, software 23 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 24 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 25 * See the License for the specific language governing permissions and 26 * limitations under the License. 27 * 28 * ********** 29 * 30 * ********** 31 * GNU General Public License v2.0 or later: 32 * 33 * This program is free software; you can redistribute it and/or modify 34 * it under the terms of the GNU General Public License as published by 35 * the Free Software Foundation; either version 2 of the License, or 36 * (at your option) any later version. 37 * 38 * This program is distributed in the hope that it will be useful, 39 * but WITHOUT ANY WARRANTY; without even the implied warranty of 40 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 41 * GNU General Public License for more details. 42 * 43 * You should have received a copy of the GNU General Public License along 44 * with this program; if not, write to the Free Software Foundation, Inc., 45 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 46 * 47 * ********** 48 */ 49 #ifndef MBEDTLS_BIGNUM_H 50 #define MBEDTLS_BIGNUM_H 51 52 #if !defined(MBEDTLS_CONFIG_FILE) 53 #include "config.h" 54 #else 55 #include MBEDTLS_CONFIG_FILE 56 #endif 57 58 #include <stddef.h> 59 #include <stdint.h> 60 61 #if defined(MBEDTLS_FS_IO) 62 #include <stdio.h> 63 #endif 64 65 #define MBEDTLS_ERR_MPI_FILE_IO_ERROR -0x0002 /**< An error occurred while reading from or writing to a file. */ 66 #define MBEDTLS_ERR_MPI_BAD_INPUT_DATA -0x0004 /**< Bad input parameters to function. */ 67 #define MBEDTLS_ERR_MPI_INVALID_CHARACTER -0x0006 /**< There is an invalid character in the digit string. */ 68 #define MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL -0x0008 /**< The buffer is too small to write to. */ 69 #define MBEDTLS_ERR_MPI_NEGATIVE_VALUE -0x000A /**< The input arguments are negative or result in illegal output. */ 70 #define MBEDTLS_ERR_MPI_DIVISION_BY_ZERO -0x000C /**< The input argument for division is zero, which is not allowed. */ 71 #define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE -0x000E /**< The input arguments are not acceptable. */ 72 #define MBEDTLS_ERR_MPI_ALLOC_FAILED -0x0010 /**< Memory allocation failed. */ 73 74 #define MBEDTLS_MPI_CHK(f) \ 75 do \ 76 { \ 77 if( ( ret = (f) ) != 0 ) \ 78 goto cleanup; \ 79 } while( 0 ) 80 81 /* 82 * Maximum size MPIs are allowed to grow to in number of limbs. 83 */ 84 #define MBEDTLS_MPI_MAX_LIMBS 10000 85 86 #if !defined(MBEDTLS_MPI_WINDOW_SIZE) 87 /* 88 * Maximum window size used for modular exponentiation. Default: 6 89 * Minimum value: 1. Maximum value: 6. 90 * 91 * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used 92 * for the sliding window calculation. (So 64 by default) 93 * 94 * Reduction in size, reduces speed. 95 */ 96 #define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */ 97 #endif /* !MBEDTLS_MPI_WINDOW_SIZE */ 98 99 #if !defined(MBEDTLS_MPI_MAX_SIZE) 100 /* 101 * Maximum size of MPIs allowed in bits and bytes for user-MPIs. 102 * ( Default: 512 bytes => 4096 bits, Maximum tested: 2048 bytes => 16384 bits ) 103 * 104 * Note: Calculations can temporarily result in larger MPIs. So the number 105 * of limbs required (MBEDTLS_MPI_MAX_LIMBS) is higher. 106 */ 107 #define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */ 108 #endif /* !MBEDTLS_MPI_MAX_SIZE */ 109 110 #define MBEDTLS_MPI_MAX_BITS ( 8 * MBEDTLS_MPI_MAX_SIZE ) /**< Maximum number of bits for usable MPIs. */ 111 112 /* 113 * When reading from files with mbedtls_mpi_read_file() and writing to files with 114 * mbedtls_mpi_write_file() the buffer should have space 115 * for a (short) label, the MPI (in the provided radix), the newline 116 * characters and the '\0'. 117 * 118 * By default we assume at least a 10 char label, a minimum radix of 10 119 * (decimal) and a maximum of 4096 bit numbers (1234 decimal chars). 120 * Autosized at compile time for at least a 10 char label, a minimum radix 121 * of 10 (decimal) for a number of MBEDTLS_MPI_MAX_BITS size. 122 * 123 * This used to be statically sized to 1250 for a maximum of 4096 bit 124 * numbers (1234 decimal chars). 125 * 126 * Calculate using the formula: 127 * MBEDTLS_MPI_RW_BUFFER_SIZE = ceil(MBEDTLS_MPI_MAX_BITS / ln(10) * ln(2)) + 128 * LabelSize + 6 129 */ 130 #define MBEDTLS_MPI_MAX_BITS_SCALE100 ( 100 * MBEDTLS_MPI_MAX_BITS ) 131 #define MBEDTLS_LN_2_DIV_LN_10_SCALE100 332 132 #define MBEDTLS_MPI_RW_BUFFER_SIZE ( ((MBEDTLS_MPI_MAX_BITS_SCALE100 + MBEDTLS_LN_2_DIV_LN_10_SCALE100 - 1) / MBEDTLS_LN_2_DIV_LN_10_SCALE100) + 10 + 6 ) 133 134 /* 135 * Define the base integer type, architecture-wise. 136 * 137 * 32 or 64-bit integer types can be forced regardless of the underlying 138 * architecture by defining MBEDTLS_HAVE_INT32 or MBEDTLS_HAVE_INT64 139 * respectively and undefining MBEDTLS_HAVE_ASM. 140 * 141 * Double-width integers (e.g. 128-bit in 64-bit architectures) can be 142 * disabled by defining MBEDTLS_NO_UDBL_DIVISION. 143 */ 144 #if !defined(MBEDTLS_HAVE_INT32) 145 #if defined(_MSC_VER) && defined(_M_AMD64) 146 /* Always choose 64-bit when using MSC */ 147 #if !defined(MBEDTLS_HAVE_INT64) 148 #define MBEDTLS_HAVE_INT64 149 #endif /* !MBEDTLS_HAVE_INT64 */ 150 typedef int64_t mbedtls_mpi_sint; 151 typedef uint64_t mbedtls_mpi_uint; 152 #elif defined(__GNUC__) && ( \ 153 defined(__amd64__) || defined(__x86_64__) || \ 154 defined(__ppc64__) || defined(__powerpc64__) || \ 155 defined(__ia64__) || defined(__alpha__) || \ 156 ( defined(__sparc__) && defined(__arch64__) ) || \ 157 defined(__s390x__) || defined(__mips64) ) 158 #if !defined(MBEDTLS_HAVE_INT64) 159 #define MBEDTLS_HAVE_INT64 160 #endif /* MBEDTLS_HAVE_INT64 */ 161 typedef int64_t mbedtls_mpi_sint; 162 typedef uint64_t mbedtls_mpi_uint; 163 #if !defined(MBEDTLS_NO_UDBL_DIVISION) 164 /* mbedtls_t_udbl defined as 128-bit unsigned int */ 165 typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI))); 166 #define MBEDTLS_HAVE_UDBL 167 #endif /* !MBEDTLS_NO_UDBL_DIVISION */ 168 #elif defined(__ARMCC_VERSION) && defined(__aarch64__) 169 /* 170 * __ARMCC_VERSION is defined for both armcc and armclang and 171 * __aarch64__ is only defined by armclang when compiling 64-bit code 172 */ 173 #if !defined(MBEDTLS_HAVE_INT64) 174 #define MBEDTLS_HAVE_INT64 175 #endif /* !MBEDTLS_HAVE_INT64 */ 176 typedef int64_t mbedtls_mpi_sint; 177 typedef uint64_t mbedtls_mpi_uint; 178 #if !defined(MBEDTLS_NO_UDBL_DIVISION) 179 /* mbedtls_t_udbl defined as 128-bit unsigned int */ 180 typedef __uint128_t mbedtls_t_udbl; 181 #define MBEDTLS_HAVE_UDBL 182 #endif /* !MBEDTLS_NO_UDBL_DIVISION */ 183 #elif defined(MBEDTLS_HAVE_INT64) 184 /* Force 64-bit integers with unknown compiler */ 185 typedef int64_t mbedtls_mpi_sint; 186 typedef uint64_t mbedtls_mpi_uint; 187 #endif 188 #endif /* !MBEDTLS_HAVE_INT32 */ 189 190 #if !defined(MBEDTLS_HAVE_INT64) 191 /* Default to 32-bit compilation */ 192 #if !defined(MBEDTLS_HAVE_INT32) 193 #define MBEDTLS_HAVE_INT32 194 #endif /* !MBEDTLS_HAVE_INT32 */ 195 typedef int32_t mbedtls_mpi_sint; 196 typedef uint32_t mbedtls_mpi_uint; 197 #if !defined(MBEDTLS_NO_UDBL_DIVISION) 198 typedef uint64_t mbedtls_t_udbl; 199 #define MBEDTLS_HAVE_UDBL 200 #endif /* !MBEDTLS_NO_UDBL_DIVISION */ 201 #endif /* !MBEDTLS_HAVE_INT64 */ 202 203 #ifdef __cplusplus 204 extern "C" { 205 #endif 206 207 /** 208 * \brief MPI structure 209 */ 210 typedef struct mbedtls_mpi 211 { 212 int s; /*!< Sign: -1 if the mpi is negative, 1 otherwise */ 213 size_t n; /*!< total # of limbs */ 214 mbedtls_mpi_uint *p; /*!< pointer to limbs */ 215 } 216 mbedtls_mpi; 217 218 /** 219 * \brief Initialize an MPI context. 220 * 221 * This makes the MPI ready to be set or freed, 222 * but does not define a value for the MPI. 223 * 224 * \param X The MPI context to initialize. This must not be \c NULL. 225 */ 226 void mbedtls_mpi_init( mbedtls_mpi *X ); 227 228 /** 229 * \brief This function frees the components of an MPI context. 230 * 231 * \param X The MPI context to be cleared. This may be \c NULL, 232 * in which case this function is a no-op. If it is 233 * not \c NULL, it must point to an initialized MPI. 234 */ 235 void mbedtls_mpi_free( mbedtls_mpi *X ); 236 237 /** 238 * \brief Enlarge an MPI to the specified number of limbs. 239 * 240 * \note This function does nothing if the MPI is 241 * already large enough. 242 * 243 * \param X The MPI to grow. It must be initialized. 244 * \param nblimbs The target number of limbs. 245 * 246 * \return \c 0 if successful. 247 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 248 * \return Another negative error code on other kinds of failure. 249 */ 250 int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs ); 251 252 /** 253 * \brief This function resizes an MPI downwards, keeping at least the 254 * specified number of limbs. 255 * 256 * If \c X is smaller than \c nblimbs, it is resized up 257 * instead. 258 * 259 * \param X The MPI to shrink. This must point to an initialized MPI. 260 * \param nblimbs The minimum number of limbs to keep. 261 * 262 * \return \c 0 if successful. 263 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed 264 * (this can only happen when resizing up). 265 * \return Another negative error code on other kinds of failure. 266 */ 267 int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs ); 268 269 /** 270 * \brief Make a copy of an MPI. 271 * 272 * \param X The destination MPI. This must point to an initialized MPI. 273 * \param Y The source MPI. This must point to an initialized MPI. 274 * 275 * \note The limb-buffer in the destination MPI is enlarged 276 * if necessary to hold the value in the source MPI. 277 * 278 * \return \c 0 if successful. 279 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 280 * \return Another negative error code on other kinds of failure. 281 */ 282 int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y ); 283 284 /** 285 * \brief Swap the contents of two MPIs. 286 * 287 * \param X The first MPI. It must be initialized. 288 * \param Y The second MPI. It must be initialized. 289 */ 290 void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y ); 291 292 /** 293 * \brief Perform a safe conditional copy of MPI which doesn't 294 * reveal whether the condition was true or not. 295 * 296 * \param X The MPI to conditionally assign to. This must point 297 * to an initialized MPI. 298 * \param Y The MPI to be assigned from. This must point to an 299 * initialized MPI. 300 * \param assign The condition deciding whether to perform the 301 * assignment or not. Possible values: 302 * * \c 1: Perform the assignment `X = Y`. 303 * * \c 0: Keep the original value of \p X. 304 * 305 * \note This function is equivalent to 306 * `if( assign ) mbedtls_mpi_copy( X, Y );` 307 * except that it avoids leaking any information about whether 308 * the assignment was done or not (the above code may leak 309 * information through branch prediction and/or memory access 310 * patterns analysis). 311 * 312 * \return \c 0 if successful. 313 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 314 * \return Another negative error code on other kinds of failure. 315 */ 316 int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign ); 317 318 /** 319 * \brief Perform a safe conditional swap which doesn't 320 * reveal whether the condition was true or not. 321 * 322 * \param X The first MPI. This must be initialized. 323 * \param Y The second MPI. This must be initialized. 324 * \param assign The condition deciding whether to perform 325 * the swap or not. Possible values: 326 * * \c 1: Swap the values of \p X and \p Y. 327 * * \c 0: Keep the original values of \p X and \p Y. 328 * 329 * \note This function is equivalent to 330 * if( assign ) mbedtls_mpi_swap( X, Y ); 331 * except that it avoids leaking any information about whether 332 * the assignment was done or not (the above code may leak 333 * information through branch prediction and/or memory access 334 * patterns analysis). 335 * 336 * \return \c 0 if successful. 337 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 338 * \return Another negative error code on other kinds of failure. 339 * 340 */ 341 int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char assign ); 342 343 /** 344 * \brief Store integer value in MPI. 345 * 346 * \param X The MPI to set. This must be initialized. 347 * \param z The value to use. 348 * 349 * \return \c 0 if successful. 350 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 351 * \return Another negative error code on other kinds of failure. 352 */ 353 int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z ); 354 355 /** 356 * \brief Get a specific bit from an MPI. 357 * 358 * \param X The MPI to query. This must be initialized. 359 * \param pos Zero-based index of the bit to query. 360 * 361 * \return \c 0 or \c 1 on success, depending on whether bit \c pos 362 * of \c X is unset or set. 363 * \return A negative error code on failure. 364 */ 365 int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos ); 366 367 /** 368 * \brief Modify a specific bit in an MPI. 369 * 370 * \note This function will grow the target MPI if necessary to set a 371 * bit to \c 1 in a not yet existing limb. It will not grow if 372 * the bit should be set to \c 0. 373 * 374 * \param X The MPI to modify. This must be initialized. 375 * \param pos Zero-based index of the bit to modify. 376 * \param val The desired value of bit \c pos: \c 0 or \c 1. 377 * 378 * \return \c 0 if successful. 379 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 380 * \return Another negative error code on other kinds of failure. 381 */ 382 int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val ); 383 384 /** 385 * \brief Return the number of bits of value \c 0 before the 386 * least significant bit of value \c 1. 387 * 388 * \note This is the same as the zero-based index of 389 * the least significant bit of value \c 1. 390 * 391 * \param X The MPI to query. 392 * 393 * \return The number of bits of value \c 0 before the least significant 394 * bit of value \c 1 in \p X. 395 */ 396 size_t mbedtls_mpi_lsb( const mbedtls_mpi *X ); 397 398 /** 399 * \brief Return the number of bits up to and including the most 400 * significant bit of value \c 1. 401 * 402 * * \note This is same as the one-based index of the most 403 * significant bit of value \c 1. 404 * 405 * \param X The MPI to query. This must point to an initialized MPI. 406 * 407 * \return The number of bits up to and including the most 408 * significant bit of value \c 1. 409 */ 410 size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X ); 411 412 /** 413 * \brief Return the total size of an MPI value in bytes. 414 * 415 * \param X The MPI to use. This must point to an initialized MPI. 416 * 417 * \note The value returned by this function may be less than 418 * the number of bytes used to store \p X internally. 419 * This happens if and only if there are trailing bytes 420 * of value zero. 421 * 422 * \return The least number of bytes capable of storing 423 * the absolute value of \p X. 424 */ 425 size_t mbedtls_mpi_size( const mbedtls_mpi *X ); 426 427 /** 428 * \brief Import an MPI from an ASCII string. 429 * 430 * \param X The destination MPI. This must point to an initialized MPI. 431 * \param radix The numeric base of the input string. 432 * \param s Null-terminated string buffer. 433 * 434 * \return \c 0 if successful. 435 * \return A negative error code on failure. 436 */ 437 int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s ); 438 439 /** 440 * \brief Export an MPI to an ASCII string. 441 * 442 * \param X The source MPI. This must point to an initialized MPI. 443 * \param radix The numeric base of the output string. 444 * \param buf The buffer to write the string to. This must be writable 445 * buffer of length \p buflen Bytes. 446 * \param buflen The available size in Bytes of \p buf. 447 * \param olen The address at which to store the length of the string 448 * written, including the final \c NULL byte. This must 449 * not be \c NULL. 450 * 451 * \note You can call this function with `buflen == 0` to obtain the 452 * minimum required buffer size in `*olen`. 453 * 454 * \return \c 0 if successful. 455 * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the target buffer \p buf 456 * is too small to hold the value of \p X in the desired base. 457 * In this case, `*olen` is nonetheless updated to contain the 458 * size of \p buf required for a successful call. 459 * \return Another negative error code on different kinds of failure. 460 */ 461 int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix, 462 char *buf, size_t buflen, size_t *olen ); 463 464 #if defined(MBEDTLS_FS_IO) 465 /** 466 * \brief Read an MPI from a line in an opened file. 467 * 468 * \param X The destination MPI. This must point to an initialized MPI. 469 * \param radix The numeric base of the string representation used 470 * in the source line. 471 * \param fin The input file handle to use. This must not be \c NULL. 472 * 473 * \note On success, this function advances the file stream 474 * to the end of the current line or to EOF. 475 * 476 * The function returns \c 0 on an empty line. 477 * 478 * Leading whitespaces are ignored, as is a 479 * '0x' prefix for radix \c 16. 480 * 481 * \return \c 0 if successful. 482 * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the file read buffer 483 * is too small. 484 * \return Another negative error code on failure. 485 */ 486 int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin ); 487 488 /** 489 * \brief Export an MPI into an opened file. 490 * 491 * \param p A string prefix to emit prior to the MPI data. 492 * For example, this might be a label, or "0x" when 493 * printing in base \c 16. This may be \c NULL if no prefix 494 * is needed. 495 * \param X The source MPI. This must point to an initialized MPI. 496 * \param radix The numeric base to be used in the emitted string. 497 * \param fout The output file handle. This may be \c NULL, in which case 498 * the output is written to \c stdout. 499 * 500 * \return \c 0 if successful. 501 * \return A negative error code on failure. 502 */ 503 int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, 504 int radix, FILE *fout ); 505 #endif /* MBEDTLS_FS_IO */ 506 507 /** 508 * \brief Import an MPI from unsigned big endian binary data. 509 * 510 * \param X The destination MPI. This must point to an initialized MPI. 511 * \param buf The input buffer. This must be a readable buffer of length 512 * \p buflen Bytes. 513 * \param buflen The length of the input buffer \p p in Bytes. 514 * 515 * \return \c 0 if successful. 516 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 517 * \return Another negative error code on different kinds of failure. 518 */ 519 int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, 520 size_t buflen ); 521 522 /** 523 * \brief Export an MPI into unsigned big endian binary data 524 * of fixed size. 525 * 526 * \param X The source MPI. This must point to an initialized MPI. 527 * \param buf The output buffer. This must be a writable buffer of length 528 * \p buflen Bytes. 529 * \param buflen The size of the output buffer \p buf in Bytes. 530 * 531 * \return \c 0 if successful. 532 * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't 533 * large enough to hold the value of \p X. 534 * \return Another negative error code on different kinds of failure. 535 */ 536 int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf, 537 size_t buflen ); 538 539 /** 540 * \brief Perform a left-shift on an MPI: X <<= count 541 * 542 * \param X The MPI to shift. This must point to an initialized MPI. 543 * \param count The number of bits to shift by. 544 * 545 * \return \c 0 if successful. 546 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 547 * \return Another negative error code on different kinds of failure. 548 */ 549 int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count ); 550 551 /** 552 * \brief Perform a right-shift on an MPI: X >>= count 553 * 554 * \param X The MPI to shift. This must point to an initialized MPI. 555 * \param count The number of bits to shift by. 556 * 557 * \return \c 0 if successful. 558 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 559 * \return Another negative error code on different kinds of failure. 560 */ 561 int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count ); 562 563 /** 564 * \brief Compare the absolute values of two MPIs. 565 * 566 * \param X The left-hand MPI. This must point to an initialized MPI. 567 * \param Y The right-hand MPI. This must point to an initialized MPI. 568 * 569 * \return \c 1 if `|X|` is greater than `|Y|`. 570 * \return \c -1 if `|X|` is lesser than `|Y|`. 571 * \return \c 0 if `|X|` is equal to `|Y|`. 572 */ 573 int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y ); 574 575 /** 576 * \brief Compare two MPIs. 577 * 578 * \param X The left-hand MPI. This must point to an initialized MPI. 579 * \param Y The right-hand MPI. This must point to an initialized MPI. 580 * 581 * \return \c 1 if \p X is greater than \p Y. 582 * \return \c -1 if \p X is lesser than \p Y. 583 * \return \c 0 if \p X is equal to \p Y. 584 */ 585 int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y ); 586 587 /** 588 * \brief Check if an MPI is less than the other in constant time. 589 * 590 * \param X The left-hand MPI. This must point to an initialized MPI 591 * with the same allocated length as Y. 592 * \param Y The right-hand MPI. This must point to an initialized MPI 593 * with the same allocated length as X. 594 * \param ret The result of the comparison: 595 * \c 1 if \p X is less than \p Y. 596 * \c 0 if \p X is greater than or equal to \p Y. 597 * 598 * \return 0 on success. 599 * \return MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the allocated length of 600 * the two input MPIs is not the same. 601 */ 602 int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y, 603 unsigned *ret ); 604 605 /** 606 * \brief Compare an MPI with an integer. 607 * 608 * \param X The left-hand MPI. This must point to an initialized MPI. 609 * \param z The integer value to compare \p X to. 610 * 611 * \return \c 1 if \p X is greater than \p z. 612 * \return \c -1 if \p X is lesser than \p z. 613 * \return \c 0 if \p X is equal to \p z. 614 */ 615 int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z ); 616 617 /** 618 * \brief Perform an unsigned addition of MPIs: X = |A| + |B| 619 * 620 * \param X The destination MPI. This must point to an initialized MPI. 621 * \param A The first summand. This must point to an initialized MPI. 622 * \param B The second summand. This must point to an initialized MPI. 623 * 624 * \return \c 0 if successful. 625 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 626 * \return Another negative error code on different kinds of failure. 627 */ 628 int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, 629 const mbedtls_mpi *B ); 630 631 /** 632 * \brief Perform an unsigned subtraction of MPIs: X = |A| - |B| 633 * 634 * \param X The destination MPI. This must point to an initialized MPI. 635 * \param A The minuend. This must point to an initialized MPI. 636 * \param B The subtrahend. This must point to an initialized MPI. 637 * 638 * \return \c 0 if successful. 639 * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is greater than \p A. 640 * \return Another negative error code on different kinds of failure. 641 * 642 */ 643 int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, 644 const mbedtls_mpi *B ); 645 646 /** 647 * \brief Perform a signed addition of MPIs: X = A + B 648 * 649 * \param X The destination MPI. This must point to an initialized MPI. 650 * \param A The first summand. This must point to an initialized MPI. 651 * \param B The second summand. This must point to an initialized MPI. 652 * 653 * \return \c 0 if successful. 654 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 655 * \return Another negative error code on different kinds of failure. 656 */ 657 int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, 658 const mbedtls_mpi *B ); 659 660 /** 661 * \brief Perform a signed subtraction of MPIs: X = A - B 662 * 663 * \param X The destination MPI. This must point to an initialized MPI. 664 * \param A The minuend. This must point to an initialized MPI. 665 * \param B The subtrahend. This must point to an initialized MPI. 666 * 667 * \return \c 0 if successful. 668 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 669 * \return Another negative error code on different kinds of failure. 670 */ 671 int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, 672 const mbedtls_mpi *B ); 673 674 /** 675 * \brief Perform a signed addition of an MPI and an integer: X = A + b 676 * 677 * \param X The destination MPI. This must point to an initialized MPI. 678 * \param A The first summand. This must point to an initialized MPI. 679 * \param b The second summand. 680 * 681 * \return \c 0 if successful. 682 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 683 * \return Another negative error code on different kinds of failure. 684 */ 685 int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, 686 mbedtls_mpi_sint b ); 687 688 /** 689 * \brief Perform a signed subtraction of an MPI and an integer: 690 * X = A - b 691 * 692 * \param X The destination MPI. This must point to an initialized MPI. 693 * \param A The minuend. This must point to an initialized MPI. 694 * \param b The subtrahend. 695 * 696 * \return \c 0 if successful. 697 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 698 * \return Another negative error code on different kinds of failure. 699 */ 700 int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, 701 mbedtls_mpi_sint b ); 702 703 /** 704 * \brief Perform a multiplication of two MPIs: X = A * B 705 * 706 * \param X The destination MPI. This must point to an initialized MPI. 707 * \param A The first factor. This must point to an initialized MPI. 708 * \param B The second factor. This must point to an initialized MPI. 709 * 710 * \return \c 0 if successful. 711 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 712 * \return Another negative error code on different kinds of failure. 713 * 714 */ 715 int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, 716 const mbedtls_mpi *B ); 717 718 /** 719 * \brief Perform a multiplication of an MPI with an unsigned integer: 720 * X = A * b 721 * 722 * \param X The destination MPI. This must point to an initialized MPI. 723 * \param A The first factor. This must point to an initialized MPI. 724 * \param b The second factor. 725 * 726 * \return \c 0 if successful. 727 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 728 * \return Another negative error code on different kinds of failure. 729 * 730 */ 731 int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, 732 mbedtls_mpi_uint b ); 733 734 /** 735 * \brief Perform a division with remainder of two MPIs: 736 * A = Q * B + R 737 * 738 * \param Q The destination MPI for the quotient. 739 * This may be \c NULL if the value of the 740 * quotient is not needed. 741 * \param R The destination MPI for the remainder value. 742 * This may be \c NULL if the value of the 743 * remainder is not needed. 744 * \param A The dividend. This must point to an initialized MPi. 745 * \param B The divisor. This must point to an initialized MPI. 746 * 747 * \return \c 0 if successful. 748 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 749 * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero. 750 * \return Another negative error code on different kinds of failure. 751 */ 752 int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, 753 const mbedtls_mpi *B ); 754 755 /** 756 * \brief Perform a division with remainder of an MPI by an integer: 757 * A = Q * b + R 758 * 759 * \param Q The destination MPI for the quotient. 760 * This may be \c NULL if the value of the 761 * quotient is not needed. 762 * \param R The destination MPI for the remainder value. 763 * This may be \c NULL if the value of the 764 * remainder is not needed. 765 * \param A The dividend. This must point to an initialized MPi. 766 * \param b The divisor. 767 * 768 * \return \c 0 if successful. 769 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. 770 * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero. 771 * \return Another negative error code on different kinds of failure. 772 */ 773 int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, 774 mbedtls_mpi_sint b ); 775 776 /** 777 * \brief Perform a modular reduction. R = A mod B 778 * 779 * \param R The destination MPI for the residue value. 780 * This must point to an initialized MPI. 781 * \param A The MPI to compute the residue of. 782 * This must point to an initialized MPI. 783 * \param B The base of the modular reduction. 784 * This must point to an initialized MPI. 785 * 786 * \return \c 0 if successful. 787 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 788 * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero. 789 * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is negative. 790 * \return Another negative error code on different kinds of failure. 791 * 792 */ 793 int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, 794 const mbedtls_mpi *B ); 795 796 /** 797 * \brief Perform a modular reduction with respect to an integer. 798 * r = A mod b 799 * 800 * \param r The address at which to store the residue. 801 * This must not be \c NULL. 802 * \param A The MPI to compute the residue of. 803 * This must point to an initialized MPi. 804 * \param b The integer base of the modular reduction. 805 * 806 * \return \c 0 if successful. 807 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 808 * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero. 809 * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p b is negative. 810 * \return Another negative error code on different kinds of failure. 811 */ 812 int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, 813 mbedtls_mpi_sint b ); 814 815 /** 816 * \brief Perform a sliding-window exponentiation: X = A^E mod N 817 * 818 * \param X The destination MPI. This must point to an initialized MPI. 819 * \param A The base of the exponentiation. 820 * This must point to an initialized MPI. 821 * \param E The exponent MPI. This must point to an initialized MPI. 822 * \param N The base for the modular reduction. This must point to an 823 * initialized MPI. 824 * \param _RR A helper MPI depending solely on \p N which can be used to 825 * speed-up multiple modular exponentiations for the same value 826 * of \p N. This may be \c NULL. If it is not \c NULL, it must 827 * point to an initialized MPI. If it hasn't been used after 828 * the call to mbedtls_mpi_init(), this function will compute 829 * the helper value and store it in \p _RR for reuse on 830 * subsequent calls to this function. Otherwise, the function 831 * will assume that \p _RR holds the helper value set by a 832 * previous call to mbedtls_mpi_exp_mod(), and reuse it. 833 * 834 * \return \c 0 if successful. 835 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 836 * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or 837 * even, or if \c E is negative. 838 * \return Another negative error code on different kinds of failures. 839 * 840 */ 841 int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, 842 const mbedtls_mpi *E, const mbedtls_mpi *N, 843 mbedtls_mpi *_RR ); 844 845 /** 846 * \brief Fill an MPI with a number of random bytes. 847 * 848 * \param X The destination MPI. This must point to an initialized MPI. 849 * \param size The number of random bytes to generate. 850 * \param f_rng The RNG function to use. This must not be \c NULL. 851 * \param p_rng The RNG parameter to be passed to \p f_rng. This may be 852 * \c NULL if \p f_rng doesn't need a context argument. 853 * 854 * \return \c 0 if successful. 855 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 856 * \return Another negative error code on failure. 857 * 858 * \note The bytes obtained from the RNG are interpreted 859 * as a big-endian representation of an MPI; this can 860 * be relevant in applications like deterministic ECDSA. 861 */ 862 int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size, 863 int (*f_rng)(void *, unsigned char *, size_t), 864 void *p_rng ); 865 866 /** 867 * \brief Compute the greatest common divisor: G = gcd(A, B) 868 * 869 * \param G The destination MPI. This must point to an initialized MPI. 870 * \param A The first operand. This must point to an initialized MPI. 871 * \param B The second operand. This must point to an initialized MPI. 872 * 873 * \return \c 0 if successful. 874 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 875 * \return Another negative error code on different kinds of failure. 876 */ 877 int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, 878 const mbedtls_mpi *B ); 879 880 /** 881 * \brief Compute the modular inverse: X = A^-1 mod N 882 * 883 * \param X The destination MPI. This must point to an initialized MPI. 884 * \param A The MPI to calculate the modular inverse of. This must point 885 * to an initialized MPI. 886 * \param N The base of the modular inversion. This must point to an 887 * initialized MPI. 888 * 889 * \return \c 0 if successful. 890 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 891 * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than 892 * or equal to one. 893 * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse 894 * with respect to \p N. 895 */ 896 int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, 897 const mbedtls_mpi *N ); 898 899 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 900 #if defined(MBEDTLS_DEPRECATED_WARNING) 901 #define MBEDTLS_DEPRECATED __attribute__((deprecated)) 902 #else 903 #define MBEDTLS_DEPRECATED 904 #endif 905 /** 906 * \brief Perform a Miller-Rabin primality test with error 907 * probability of 2<sup>-80</sup>. 908 * 909 * \deprecated Superseded by mbedtls_mpi_is_prime_ext() which allows 910 * specifying the number of Miller-Rabin rounds. 911 * 912 * \param X The MPI to check for primality. 913 * This must point to an initialized MPI. 914 * \param f_rng The RNG function to use. This must not be \c NULL. 915 * \param p_rng The RNG parameter to be passed to \p f_rng. 916 * This may be \c NULL if \p f_rng doesn't use a 917 * context parameter. 918 * 919 * \return \c 0 if successful, i.e. \p X is probably prime. 920 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 921 * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime. 922 * \return Another negative error code on other kinds of failure. 923 */ 924 MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime( const mbedtls_mpi *X, 925 int (*f_rng)(void *, unsigned char *, size_t), 926 void *p_rng ); 927 #undef MBEDTLS_DEPRECATED 928 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 929 930 /** 931 * \brief Miller-Rabin primality test. 932 * 933 * \warning If \p X is potentially generated by an adversary, for example 934 * when validating cryptographic parameters that you didn't 935 * generate yourself and that are supposed to be prime, then 936 * \p rounds should be at least the half of the security 937 * strength of the cryptographic algorithm. On the other hand, 938 * if \p X is chosen uniformly or non-adversially (as is the 939 * case when mbedtls_mpi_gen_prime calls this function), then 940 * \p rounds can be much lower. 941 * 942 * \param X The MPI to check for primality. 943 * This must point to an initialized MPI. 944 * \param rounds The number of bases to perform the Miller-Rabin primality 945 * test for. The probability of returning 0 on a composite is 946 * at most 2<sup>-2*\p rounds</sup>. 947 * \param f_rng The RNG function to use. This must not be \c NULL. 948 * \param p_rng The RNG parameter to be passed to \p f_rng. 949 * This may be \c NULL if \p f_rng doesn't use 950 * a context parameter. 951 * 952 * \return \c 0 if successful, i.e. \p X is probably prime. 953 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 954 * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime. 955 * \return Another negative error code on other kinds of failure. 956 */ 957 int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds, 958 int (*f_rng)(void *, unsigned char *, size_t), 959 void *p_rng ); 960 /** 961 * \brief Flags for mbedtls_mpi_gen_prime() 962 * 963 * Each of these flags is a constraint on the result X returned by 964 * mbedtls_mpi_gen_prime(). 965 */ 966 typedef enum { 967 MBEDTLS_MPI_GEN_PRIME_FLAG_DH = 0x0001, /**< (X-1)/2 is prime too */ 968 MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR = 0x0002, /**< lower error rate from 2<sup>-80</sup> to 2<sup>-128</sup> */ 969 } mbedtls_mpi_gen_prime_flag_t; 970 971 /** 972 * \brief Generate a prime number. 973 * 974 * \param X The destination MPI to store the generated prime in. 975 * This must point to an initialized MPi. 976 * \param nbits The required size of the destination MPI in bits. 977 * This must be between \c 3 and #MBEDTLS_MPI_MAX_BITS. 978 * \param flags A mask of flags of type #mbedtls_mpi_gen_prime_flag_t. 979 * \param f_rng The RNG function to use. This must not be \c NULL. 980 * \param p_rng The RNG parameter to be passed to \p f_rng. 981 * This may be \c NULL if \p f_rng doesn't use 982 * a context parameter. 983 * 984 * \return \c 0 if successful, in which case \p X holds a 985 * probably prime number. 986 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. 987 * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if `nbits` is not between 988 * \c 3 and #MBEDTLS_MPI_MAX_BITS. 989 */ 990 int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags, 991 int (*f_rng)(void *, unsigned char *, size_t), 992 void *p_rng ); 993 994 #if defined(MBEDTLS_SELF_TEST) 995 996 /** 997 * \brief Checkup routine 998 * 999 * \return 0 if successful, or 1 if the test failed 1000 */ 1001 int mbedtls_mpi_self_test( int verbose ); 1002 1003 #endif /* MBEDTLS_SELF_TEST */ 1004 1005 #ifdef __cplusplus 1006 } 1007 #endif 1008 1009 #endif /* bignum.h */ 1010