3rdparty/mbedtls/bignum.c

c2c66affSColin Finck/*
c2c66affSColin Finck *  Multi-precision integer library
c2c66affSColin Finck *
218e2596SThomas Faber *  Copyright The Mbed TLS Contributors
e57126f5SThomas Faber *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
e57126f5SThomas Faber *
e57126f5SThomas Faber *  This file is provided under the Apache License 2.0, or the
e57126f5SThomas Faber *  GNU General Public License v2.0 or later.
e57126f5SThomas Faber *
e57126f5SThomas Faber *  **********
e57126f5SThomas Faber *  Apache License 2.0:
e57126f5SThomas Faber *
e57126f5SThomas Faber *  Licensed under the Apache License, Version 2.0 (the "License"); you may
e57126f5SThomas Faber *  not use this file except in compliance with the License.
e57126f5SThomas Faber *  You may obtain a copy of the License at
e57126f5SThomas Faber *
e57126f5SThomas Faber *  http://www.apache.org/licenses/LICENSE-2.0
e57126f5SThomas Faber *
e57126f5SThomas Faber *  Unless required by applicable law or agreed to in writing, software
e57126f5SThomas Faber *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
e57126f5SThomas Faber *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
e57126f5SThomas Faber *  See the License for the specific language governing permissions and
e57126f5SThomas Faber *  limitations under the License.
e57126f5SThomas Faber *
e57126f5SThomas Faber *  **********
e57126f5SThomas Faber *
e57126f5SThomas Faber *  **********
e57126f5SThomas Faber *  GNU General Public License v2.0 or later:
c2c66affSColin Finck *
c2c66affSColin Finck *  This program is free software; you can redistribute it and/or modify
c2c66affSColin Finck *  it under the terms of the GNU General Public License as published by
c2c66affSColin Finck *  the Free Software Foundation; either version 2 of the License, or
c2c66affSColin Finck *  (at your option) any later version.
c2c66affSColin Finck *
c2c66affSColin Finck *  This program is distributed in the hope that it will be useful,
c2c66affSColin Finck *  but WITHOUT ANY WARRANTY; without even the implied warranty of
c2c66affSColin Finck *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
c2c66affSColin Finck *  GNU General Public License for more details.
c2c66affSColin Finck *
c2c66affSColin Finck *  You should have received a copy of the GNU General Public License along
c2c66affSColin Finck *  with this program; if not, write to the Free Software Foundation, Inc.,
c2c66affSColin Finck *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
c2c66affSColin Finck *
e57126f5SThomas Faber *  **********
c2c66affSColin Finck */
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck *  The following sources were referenced in the design of this Multi-precision
c2c66affSColin Finck *  Integer library:
c2c66affSColin Finck *
c2c66affSColin Finck *  [1] Handbook of Applied Cryptography - 1997
c2c66affSColin Finck *      Menezes, van Oorschot and Vanstone
c2c66affSColin Finck *
c2c66affSColin Finck *  [2] Multi-Precision Math
c2c66affSColin Finck *      Tom St Denis
c2c66affSColin Finck *      https://github.com/libtom/libtommath/blob/develop/tommath.pdf
c2c66affSColin Finck *
c2c66affSColin Finck *  [3] GNU Multi-Precision Arithmetic Library
c2c66affSColin Finck *      https://gmplib.org/manual/index.html
c2c66affSColin Finck *
c2c66affSColin Finck */
c2c66affSColin Finck
c2c66affSColin Finck#if !defined(MBEDTLS_CONFIG_FILE)
c2c66affSColin Finck#include "mbedtls/config.h"
c2c66affSColin Finck#else
c2c66affSColin Finck#include MBEDTLS_CONFIG_FILE
c2c66affSColin Finck#endif
c2c66affSColin Finck
c2c66affSColin Finck#if defined(MBEDTLS_BIGNUM_C)
c2c66affSColin Finck
c2c66affSColin Finck#include "mbedtls/bignum.h"
c2c66affSColin Finck#include "mbedtls/bn_mul.h"
cbda039fSThomas Faber#include "mbedtls/platform_util.h"
c2c66affSColin Finck
c2c66affSColin Finck#include <string.h>
c2c66affSColin Finck
c2c66affSColin Finck#if defined(MBEDTLS_PLATFORM_C)
c2c66affSColin Finck#include "mbedtls/platform.h"
c2c66affSColin Finck#else
c2c66affSColin Finck#include <stdio.h>
c2c66affSColin Finck#include <stdlib.h>
c2c66affSColin Finck#define mbedtls_printf     printf
c2c66affSColin Finck#define mbedtls_calloc    calloc
c2c66affSColin Finck#define mbedtls_free       free
c2c66affSColin Finck#endif
c2c66affSColin Finck
cbda039fSThomas Faber#define MPI_VALIDATE_RET( cond )                                       \
cbda039fSThomas Faber    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
cbda039fSThomas Faber#define MPI_VALIDATE( cond )                                           \
cbda039fSThomas Faber    MBEDTLS_INTERNAL_VALIDATE( cond )
d9e6c9b5SThomas Faber
c2c66affSColin Finck#define ciL    (sizeof(mbedtls_mpi_uint))         /* chars in limb  */
c2c66affSColin Finck#define biL    (ciL << 3)               /* bits  in limb  */
c2c66affSColin Finck#define biH    (ciL << 2)               /* half limb size */
c2c66affSColin Finck
c2c66affSColin Finck#define MPI_SIZE_T_MAX  ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Convert between bits/chars and number of limbs
c2c66affSColin Finck * Divide first in order to avoid potential overflows
c2c66affSColin Finck */
c2c66affSColin Finck#define BITS_TO_LIMBS(i)  ( (i) / biL + ( (i) % biL != 0 ) )
c2c66affSColin Finck#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
c2c66affSColin Finck
cbda039fSThomas Faber/* Implementation that should never be optimized out by the compiler */
cbda039fSThomas Faberstatic void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n )
cbda039fSThomas Faber{
cbda039fSThomas Faber    mbedtls_platform_zeroize( v, ciL * n );
cbda039fSThomas Faber}
cbda039fSThomas Faber
c2c66affSColin Finck/*
c2c66affSColin Finck * Initialize one MPI
c2c66affSColin Finck */
c2c66affSColin Finckvoid mbedtls_mpi_init( mbedtls_mpi *X )
c2c66affSColin Finck{
cbda039fSThomas Faber    MPI_VALIDATE( X != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    X->s = 1;
c2c66affSColin Finck    X->n = 0;
c2c66affSColin Finck    X->p = NULL;
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Unallocate one MPI
c2c66affSColin Finck */
c2c66affSColin Finckvoid mbedtls_mpi_free( mbedtls_mpi *X )
c2c66affSColin Finck{
c2c66affSColin Finck    if( X == NULL )
c2c66affSColin Finck        return;
c2c66affSColin Finck
c2c66affSColin Finck    if( X->p != NULL )
c2c66affSColin Finck    {
c2c66affSColin Finck        mbedtls_mpi_zeroize( X->p, X->n );
c2c66affSColin Finck        mbedtls_free( X->p );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    X->s = 1;
c2c66affSColin Finck    X->n = 0;
c2c66affSColin Finck    X->p = NULL;
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Enlarge to the specified number of limbs
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi_uint *p;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
c2c66affSColin Finck
c2c66affSColin Finck    if( X->n < nblimbs )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL )
c2c66affSColin Finck            return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
c2c66affSColin Finck
c2c66affSColin Finck        if( X->p != NULL )
c2c66affSColin Finck        {
c2c66affSColin Finck            memcpy( p, X->p, X->n * ciL );
c2c66affSColin Finck            mbedtls_mpi_zeroize( X->p, X->n );
c2c66affSColin Finck            mbedtls_free( X->p );
c2c66affSColin Finck        }
c2c66affSColin Finck
c2c66affSColin Finck        X->n = nblimbs;
c2c66affSColin Finck        X->p = p;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    return( 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Resize down as much as possible,
c2c66affSColin Finck * while keeping at least the specified number of limbs
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi_uint *p;
c2c66affSColin Finck    size_t i;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber
cbda039fSThomas Faber    if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
cbda039fSThomas Faber        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
c2c66affSColin Finck
1b00a1f5SThomas Faber    /* Actually resize up if there are currently fewer than nblimbs limbs. */
c2c66affSColin Finck    if( X->n <= nblimbs )
c2c66affSColin Finck        return( mbedtls_mpi_grow( X, nblimbs ) );
1b00a1f5SThomas Faber    /* After this point, then X->n > nblimbs and in particular X->n > 0. */
c2c66affSColin Finck
c2c66affSColin Finck    for( i = X->n - 1; i > 0; i-- )
c2c66affSColin Finck        if( X->p[i] != 0 )
c2c66affSColin Finck            break;
c2c66affSColin Finck    i++;
c2c66affSColin Finck
c2c66affSColin Finck    if( i < nblimbs )
c2c66affSColin Finck        i = nblimbs;
c2c66affSColin Finck
c2c66affSColin Finck    if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL ) ) == NULL )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
c2c66affSColin Finck
c2c66affSColin Finck    if( X->p != NULL )
c2c66affSColin Finck    {
c2c66affSColin Finck        memcpy( p, X->p, i * ciL );
c2c66affSColin Finck        mbedtls_mpi_zeroize( X->p, X->n );
c2c66affSColin Finck        mbedtls_free( X->p );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    X->n = i;
c2c66affSColin Finck    X->p = p;
c2c66affSColin Finck
c2c66affSColin Finck    return( 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Copy the contents of Y into X
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
c2c66affSColin Finck{
cbda039fSThomas Faber    int ret = 0;
c2c66affSColin Finck    size_t i;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( Y != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( X == Y )
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck
1b00a1f5SThomas Faber    if( Y->n == 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        mbedtls_mpi_free( X );
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    for( i = Y->n - 1; i > 0; i-- )
c2c66affSColin Finck        if( Y->p[i] != 0 )
c2c66affSColin Finck            break;
c2c66affSColin Finck    i++;
c2c66affSColin Finck
c2c66affSColin Finck    X->s = Y->s;
c2c66affSColin Finck
cbda039fSThomas Faber    if( X->n < i )
cbda039fSThomas Faber    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i ) );
cbda039fSThomas Faber    }
cbda039fSThomas Faber    else
cbda039fSThomas Faber    {
cbda039fSThomas Faber        memset( X->p + i, 0, ( X->n - i ) * ciL );
cbda039fSThomas Faber    }
c2c66affSColin Finck
c2c66affSColin Finck    memcpy( X->p, Y->p, i * ciL );
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Swap the contents of X and Y
c2c66affSColin Finck */
c2c66affSColin Finckvoid mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi T;
cbda039fSThomas Faber    MPI_VALIDATE( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE( Y != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    memcpy( &T,  X, sizeof( mbedtls_mpi ) );
c2c66affSColin Finck    memcpy(  X,  Y, sizeof( mbedtls_mpi ) );
c2c66affSColin Finck    memcpy(  Y, &T, sizeof( mbedtls_mpi ) );
c2c66affSColin Finck}
c2c66affSColin Finck
*103a79ceSThomas Faber/**
*103a79ceSThomas Faber * Select between two sign values in constant-time.
*103a79ceSThomas Faber *
*103a79ceSThomas Faber * This is functionally equivalent to second ? a : b but uses only bit
*103a79ceSThomas Faber * operations in order to avoid branches.
*103a79ceSThomas Faber *
*103a79ceSThomas Faber * \param[in] a         The first sign; must be either +1 or -1.
*103a79ceSThomas Faber * \param[in] b         The second sign; must be either +1 or -1.
*103a79ceSThomas Faber * \param[in] second    Must be either 1 (return b) or 0 (return a).
*103a79ceSThomas Faber *
*103a79ceSThomas Faber * \return The selected sign value.
*103a79ceSThomas Faber */
*103a79ceSThomas Faberstatic int mpi_safe_cond_select_sign( int a, int b, unsigned char second )
*103a79ceSThomas Faber{
*103a79ceSThomas Faber    /* In order to avoid questions about what we can reasonnably assume about
*103a79ceSThomas Faber     * the representations of signed integers, move everything to unsigned
*103a79ceSThomas Faber     * by taking advantage of the fact that a and b are either +1 or -1. */
*103a79ceSThomas Faber    unsigned ua = a + 1;
*103a79ceSThomas Faber    unsigned ub = b + 1;
*103a79ceSThomas Faber
*103a79ceSThomas Faber    /* second was 0 or 1, mask is 0 or 2 as are ua and ub */
*103a79ceSThomas Faber    const unsigned mask = second << 1;
*103a79ceSThomas Faber
*103a79ceSThomas Faber    /* select ua or ub */
*103a79ceSThomas Faber    unsigned ur = ( ua & ~mask ) | ( ub & mask );
*103a79ceSThomas Faber
*103a79ceSThomas Faber    /* ur is now 0 or 2, convert back to -1 or +1 */
*103a79ceSThomas Faber    return( (int) ur - 1 );
*103a79ceSThomas Faber}
*103a79ceSThomas Faber
c2c66affSColin Finck/*
292f67afSThomas Faber * Conditionally assign dest = src, without leaking information
292f67afSThomas Faber * about whether the assignment was made or not.
292f67afSThomas Faber * dest and src must be arrays of limbs of size n.
292f67afSThomas Faber * assign must be 0 or 1.
292f67afSThomas Faber */
292f67afSThomas Faberstatic void mpi_safe_cond_assign( size_t n,
292f67afSThomas Faber                                  mbedtls_mpi_uint *dest,
292f67afSThomas Faber                                  const mbedtls_mpi_uint *src,
292f67afSThomas Faber                                  unsigned char assign )
292f67afSThomas Faber{
292f67afSThomas Faber    size_t i;
*103a79ceSThomas Faber
*103a79ceSThomas Faber    /* MSVC has a warning about unary minus on unsigned integer types,
*103a79ceSThomas Faber     * but this is well-defined and precisely what we want to do here. */
*103a79ceSThomas Faber#if defined(_MSC_VER)
*103a79ceSThomas Faber#pragma warning( push )
*103a79ceSThomas Faber#pragma warning( disable : 4146 )
*103a79ceSThomas Faber#endif
*103a79ceSThomas Faber
*103a79ceSThomas Faber    /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
*103a79ceSThomas Faber    const mbedtls_mpi_uint mask = -assign;
*103a79ceSThomas Faber
*103a79ceSThomas Faber#if defined(_MSC_VER)
*103a79ceSThomas Faber#pragma warning( pop )
*103a79ceSThomas Faber#endif
*103a79ceSThomas Faber
292f67afSThomas Faber    for( i = 0; i < n; i++ )
*103a79ceSThomas Faber        dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
292f67afSThomas Faber}
292f67afSThomas Faber
292f67afSThomas Faber/*
c2c66affSColin Finck * Conditionally assign X = Y, without leaking information
c2c66affSColin Finck * about whether the assignment was made or not.
c2c66affSColin Finck * (Leaking information about the respective sizes of X and Y is ok however.)
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret = 0;
c2c66affSColin Finck    size_t i;
*103a79ceSThomas Faber    mbedtls_mpi_uint limb_mask;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( Y != NULL );
c2c66affSColin Finck
*103a79ceSThomas Faber    /* MSVC has a warning about unary minus on unsigned integer types,
*103a79ceSThomas Faber     * but this is well-defined and precisely what we want to do here. */
*103a79ceSThomas Faber#if defined(_MSC_VER)
*103a79ceSThomas Faber#pragma warning( push )
*103a79ceSThomas Faber#pragma warning( disable : 4146 )
*103a79ceSThomas Faber#endif
*103a79ceSThomas Faber
c2c66affSColin Finck    /* make sure assign is 0 or 1 in a time-constant manner */
*103a79ceSThomas Faber    assign = (assign | (unsigned char)-assign) >> (sizeof( assign ) * 8 - 1);
*103a79ceSThomas Faber    /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
*103a79ceSThomas Faber    limb_mask = -assign;
*103a79ceSThomas Faber
*103a79ceSThomas Faber#if defined(_MSC_VER)
*103a79ceSThomas Faber#pragma warning( pop )
*103a79ceSThomas Faber#endif
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
c2c66affSColin Finck
*103a79ceSThomas Faber    X->s = mpi_safe_cond_select_sign( X->s, Y->s, assign );
c2c66affSColin Finck
292f67afSThomas Faber    mpi_safe_cond_assign( Y->n, X->p, Y->p, assign );
c2c66affSColin Finck
292f67afSThomas Faber    for( i = Y->n; i < X->n; i++ )
*103a79ceSThomas Faber        X->p[i] &= ~limb_mask;
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Conditionally swap X and Y, without leaking information
c2c66affSColin Finck * about whether the swap was made or not.
c2c66affSColin Finck * Here it is not ok to simply swap the pointers, which whould lead to
c2c66affSColin Finck * different memory access patterns when X and Y are used afterwards.
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret, s;
c2c66affSColin Finck    size_t i;
*103a79ceSThomas Faber    mbedtls_mpi_uint limb_mask;
c2c66affSColin Finck    mbedtls_mpi_uint tmp;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( Y != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( X == Y )
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck
*103a79ceSThomas Faber    /* MSVC has a warning about unary minus on unsigned integer types,
*103a79ceSThomas Faber     * but this is well-defined and precisely what we want to do here. */
*103a79ceSThomas Faber#if defined(_MSC_VER)
*103a79ceSThomas Faber#pragma warning( push )
*103a79ceSThomas Faber#pragma warning( disable : 4146 )
*103a79ceSThomas Faber#endif
*103a79ceSThomas Faber
c2c66affSColin Finck    /* make sure swap is 0 or 1 in a time-constant manner */
*103a79ceSThomas Faber    swap = (swap | (unsigned char)-swap) >> (sizeof( swap ) * 8 - 1);
*103a79ceSThomas Faber    /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
*103a79ceSThomas Faber    limb_mask = -swap;
*103a79ceSThomas Faber
*103a79ceSThomas Faber#if defined(_MSC_VER)
*103a79ceSThomas Faber#pragma warning( pop )
*103a79ceSThomas Faber#endif
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
c2c66affSColin Finck
c2c66affSColin Finck    s = X->s;
*103a79ceSThomas Faber    X->s = mpi_safe_cond_select_sign( X->s, Y->s, swap );
*103a79ceSThomas Faber    Y->s = mpi_safe_cond_select_sign( Y->s, s, swap );
c2c66affSColin Finck
c2c66affSColin Finck
c2c66affSColin Finck    for( i = 0; i < X->n; i++ )
c2c66affSColin Finck    {
c2c66affSColin Finck        tmp = X->p[i];
*103a79ceSThomas Faber        X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask );
*103a79ceSThomas Faber        Y->p[i] = ( Y->p[i] & ~limb_mask ) | (     tmp & limb_mask );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Set value from integer
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
c2c66affSColin Finck    memset( X->p, 0, X->n * ciL );
c2c66affSColin Finck
c2c66affSColin Finck    X->p[0] = ( z < 0 ) ? -z : z;
c2c66affSColin Finck    X->s    = ( z < 0 ) ? -1 : 1;
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Get a specific bit
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos )
c2c66affSColin Finck{
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber
c2c66affSColin Finck    if( X->n * biL <= pos )
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck
c2c66affSColin Finck    return( ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01 );
c2c66affSColin Finck}
c2c66affSColin Finck
0ba5bc40SThomas Faber/* Get a specific byte, without range checks. */
0ba5bc40SThomas Faber#define GET_BYTE( X, i )                                \
0ba5bc40SThomas Faber    ( ( ( X )->p[( i ) / ciL] >> ( ( ( i ) % ciL ) * 8 ) ) & 0xff )
0ba5bc40SThomas Faber
c2c66affSColin Finck/*
c2c66affSColin Finck * Set a bit to a specific value of 0 or 1
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret = 0;
c2c66affSColin Finck    size_t off = pos / biL;
c2c66affSColin Finck    size_t idx = pos % biL;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( val != 0 && val != 1 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
c2c66affSColin Finck
c2c66affSColin Finck    if( X->n * biL <= pos )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( val == 0 )
c2c66affSColin Finck            return( 0 );
c2c66affSColin Finck
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, off + 1 ) );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    X->p[off] &= ~( (mbedtls_mpi_uint) 0x01 << idx );
c2c66affSColin Finck    X->p[off] |= (mbedtls_mpi_uint) val << idx;
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Return the number of less significant zero-bits
c2c66affSColin Finck */
c2c66affSColin Fincksize_t mbedtls_mpi_lsb( const mbedtls_mpi *X )
c2c66affSColin Finck{
c2c66affSColin Finck    size_t i, j, count = 0;
cbda039fSThomas Faber    MBEDTLS_INTERNAL_VALIDATE_RET( X != NULL, 0 );
c2c66affSColin Finck
c2c66affSColin Finck    for( i = 0; i < X->n; i++ )
c2c66affSColin Finck        for( j = 0; j < biL; j++, count++ )
c2c66affSColin Finck            if( ( ( X->p[i] >> j ) & 1 ) != 0 )
c2c66affSColin Finck                return( count );
c2c66affSColin Finck
c2c66affSColin Finck    return( 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Count leading zero bits in a given integer
c2c66affSColin Finck */
c2c66affSColin Finckstatic size_t mbedtls_clz( const mbedtls_mpi_uint x )
c2c66affSColin Finck{
c2c66affSColin Finck    size_t j;
c2c66affSColin Finck    mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
c2c66affSColin Finck
c2c66affSColin Finck    for( j = 0; j < biL; j++ )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( x & mask ) break;
c2c66affSColin Finck
c2c66affSColin Finck        mask >>= 1;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    return j;
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Return the number of bits
c2c66affSColin Finck */
c2c66affSColin Fincksize_t mbedtls_mpi_bitlen( const mbedtls_mpi *X )
c2c66affSColin Finck{
c2c66affSColin Finck    size_t i, j;
c2c66affSColin Finck
c2c66affSColin Finck    if( X->n == 0 )
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck
c2c66affSColin Finck    for( i = X->n - 1; i > 0; i-- )
c2c66affSColin Finck        if( X->p[i] != 0 )
c2c66affSColin Finck            break;
c2c66affSColin Finck
c2c66affSColin Finck    j = biL - mbedtls_clz( X->p[i] );
c2c66affSColin Finck
c2c66affSColin Finck    return( ( i * biL ) + j );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Return the total size in bytes
c2c66affSColin Finck */
c2c66affSColin Fincksize_t mbedtls_mpi_size( const mbedtls_mpi *X )
c2c66affSColin Finck{
c2c66affSColin Finck    return( ( mbedtls_mpi_bitlen( X ) + 7 ) >> 3 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Convert an ASCII character to digit value
c2c66affSColin Finck */
c2c66affSColin Finckstatic int mpi_get_digit( mbedtls_mpi_uint *d, int radix, char c )
c2c66affSColin Finck{
c2c66affSColin Finck    *d = 255;
c2c66affSColin Finck
c2c66affSColin Finck    if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
c2c66affSColin Finck    if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
c2c66affSColin Finck    if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
c2c66affSColin Finck
c2c66affSColin Finck    if( *d >= (mbedtls_mpi_uint) radix )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_INVALID_CHARACTER );
c2c66affSColin Finck
c2c66affSColin Finck    return( 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Import from an ASCII string
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    size_t i, j, slen, n;
*103a79ceSThomas Faber    int sign = 1;
c2c66affSColin Finck    mbedtls_mpi_uint d;
c2c66affSColin Finck    mbedtls_mpi T;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( s != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( radix < 2 || radix > 16 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_init( &T );
c2c66affSColin Finck
*103a79ceSThomas Faber    if( s[0] == '-' )
*103a79ceSThomas Faber    {
*103a79ceSThomas Faber        ++s;
*103a79ceSThomas Faber        sign = -1;
*103a79ceSThomas Faber    }
*103a79ceSThomas Faber
c2c66affSColin Finck    slen = strlen( s );
c2c66affSColin Finck
c2c66affSColin Finck    if( radix == 16 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( slen > MPI_SIZE_T_MAX >> 2 )
c2c66affSColin Finck            return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
c2c66affSColin Finck
c2c66affSColin Finck        n = BITS_TO_LIMBS( slen << 2 );
c2c66affSColin Finck
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
c2c66affSColin Finck
c2c66affSColin Finck        for( i = slen, j = 0; i > 0; i--, j++ )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
c2c66affSColin Finck            X->p[j / ( 2 * ciL )] |= d << ( ( j % ( 2 * ciL ) ) << 2 );
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck    else
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
c2c66affSColin Finck
c2c66affSColin Finck        for( i = 0; i < slen; i++ )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T, X, radix ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, &T, d ) );
c2c66affSColin Finck        }
c2c66affSColin Finck    }
*103a79ceSThomas Faber
*103a79ceSThomas Faber    if( sign < 0 && mbedtls_mpi_bitlen( X ) != 0 )
*103a79ceSThomas Faber        X->s = -1;
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &T );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
ca86ee9cSThomas Faber * Helper to write the digits high-order first.
c2c66affSColin Finck */
ca86ee9cSThomas Faberstatic int mpi_write_hlp( mbedtls_mpi *X, int radix,
ca86ee9cSThomas Faber                          char **p, const size_t buflen )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    mbedtls_mpi_uint r;
ca86ee9cSThomas Faber    size_t length = 0;
ca86ee9cSThomas Faber    char *p_end = *p + buflen;
c2c66affSColin Finck
ca86ee9cSThomas Faber    do
ca86ee9cSThomas Faber    {
ca86ee9cSThomas Faber        if( length >= buflen )
ca86ee9cSThomas Faber        {
ca86ee9cSThomas Faber            return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
ca86ee9cSThomas Faber        }
c2c66affSColin Finck
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
ca86ee9cSThomas Faber        /*
ca86ee9cSThomas Faber         * Write the residue in the current position, as an ASCII character.
ca86ee9cSThomas Faber         */
ca86ee9cSThomas Faber        if( r < 0xA )
ca86ee9cSThomas Faber            *(--p_end) = (char)( '0' + r );
c2c66affSColin Finck        else
ca86ee9cSThomas Faber            *(--p_end) = (char)( 'A' + ( r - 0xA ) );
ca86ee9cSThomas Faber
ca86ee9cSThomas Faber        length++;
ca86ee9cSThomas Faber    } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
ca86ee9cSThomas Faber
ca86ee9cSThomas Faber    memmove( *p, p_end, length );
ca86ee9cSThomas Faber    *p += length;
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Export into an ASCII string
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
c2c66affSColin Finck                              char *buf, size_t buflen, size_t *olen )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret = 0;
c2c66affSColin Finck    size_t n;
c2c66affSColin Finck    char *p;
c2c66affSColin Finck    mbedtls_mpi T;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X    != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( olen != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( radix < 2 || radix > 16 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
c2c66affSColin Finck
430656f0SThomas Faber    n = mbedtls_mpi_bitlen( X ); /* Number of bits necessary to present `n`. */
430656f0SThomas Faber    if( radix >=  4 ) n >>= 1;   /* Number of 4-adic digits necessary to present
430656f0SThomas Faber                                  * `n`. If radix > 4, this might be a strict
430656f0SThomas Faber                                  * overapproximation of the number of
430656f0SThomas Faber                                  * radix-adic digits needed to present `n`. */
430656f0SThomas Faber    if( radix >= 16 ) n >>= 1;   /* Number of hexadecimal digits necessary to
430656f0SThomas Faber                                  * present `n`. */
430656f0SThomas Faber
430656f0SThomas Faber    n += 1; /* Terminating null byte */
430656f0SThomas Faber    n += 1; /* Compensate for the divisions above, which round down `n`
430656f0SThomas Faber             * in case it's not even. */
430656f0SThomas Faber    n += 1; /* Potential '-'-sign. */
430656f0SThomas Faber    n += ( n & 1 ); /* Make n even to have enough space for hexadecimal writing,
430656f0SThomas Faber                     * which always uses an even number of hex-digits. */
c2c66affSColin Finck
c2c66affSColin Finck    if( buflen < n )
c2c66affSColin Finck    {
c2c66affSColin Finck        *olen = n;
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    p = buf;
c2c66affSColin Finck    mbedtls_mpi_init( &T );
c2c66affSColin Finck
c2c66affSColin Finck    if( X->s == -1 )
430656f0SThomas Faber    {
c2c66affSColin Finck        *p++ = '-';
430656f0SThomas Faber        buflen--;
430656f0SThomas Faber    }
c2c66affSColin Finck
c2c66affSColin Finck    if( radix == 16 )
c2c66affSColin Finck    {
c2c66affSColin Finck        int c;
c2c66affSColin Finck        size_t i, j, k;
c2c66affSColin Finck
c2c66affSColin Finck        for( i = X->n, k = 0; i > 0; i-- )
c2c66affSColin Finck        {
c2c66affSColin Finck            for( j = ciL; j > 0; j-- )
c2c66affSColin Finck            {
c2c66affSColin Finck                c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
c2c66affSColin Finck
c2c66affSColin Finck                if( c == 0 && k == 0 && ( i + j ) != 2 )
c2c66affSColin Finck                    continue;
c2c66affSColin Finck
c2c66affSColin Finck                *(p++) = "0123456789ABCDEF" [c / 16];
c2c66affSColin Finck                *(p++) = "0123456789ABCDEF" [c % 16];
c2c66affSColin Finck                k = 1;
c2c66affSColin Finck            }
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck    else
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T, X ) );
c2c66affSColin Finck
c2c66affSColin Finck        if( T.s == -1 )
c2c66affSColin Finck            T.s = 1;
c2c66affSColin Finck
ca86ee9cSThomas Faber        MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    *p++ = '\0';
c2c66affSColin Finck    *olen = p - buf;
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &T );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck#if defined(MBEDTLS_FS_IO)
c2c66affSColin Finck/*
c2c66affSColin Finck * Read X from an opened file
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi_uint d;
c2c66affSColin Finck    size_t slen;
c2c66affSColin Finck    char *p;
c2c66affSColin Finck    /*
c2c66affSColin Finck     * Buffer should have space for (short) label and decimal formatted MPI,
c2c66affSColin Finck     * newline characters and '\0'
c2c66affSColin Finck     */
c2c66affSColin Finck    char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
c2c66affSColin Finck
cbda039fSThomas Faber    MPI_VALIDATE_RET( X   != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( fin != NULL );
cbda039fSThomas Faber
cbda039fSThomas Faber    if( radix < 2 || radix > 16 )
cbda039fSThomas Faber        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
cbda039fSThomas Faber
c2c66affSColin Finck    memset( s, 0, sizeof( s ) );
c2c66affSColin Finck    if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
c2c66affSColin Finck
c2c66affSColin Finck    slen = strlen( s );
c2c66affSColin Finck    if( slen == sizeof( s ) - 2 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
c2c66affSColin Finck
c2c66affSColin Finck    if( slen > 0 && s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
c2c66affSColin Finck    if( slen > 0 && s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
c2c66affSColin Finck
c2c66affSColin Finck    p = s + slen;
c2c66affSColin Finck    while( p-- > s )
c2c66affSColin Finck        if( mpi_get_digit( &d, radix, *p ) != 0 )
c2c66affSColin Finck            break;
c2c66affSColin Finck
c2c66affSColin Finck    return( mbedtls_mpi_read_string( X, radix, p + 1 ) );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Write X into an opened file (or stdout if fout == NULL)
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    size_t n, slen, plen;
c2c66affSColin Finck    /*
c2c66affSColin Finck     * Buffer should have space for (short) label and decimal formatted MPI,
c2c66affSColin Finck     * newline characters and '\0'
c2c66affSColin Finck     */
c2c66affSColin Finck    char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber
cbda039fSThomas Faber    if( radix < 2 || radix > 16 )
cbda039fSThomas Faber        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
c2c66affSColin Finck
c2c66affSColin Finck    memset( s, 0, sizeof( s ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_write_string( X, radix, s, sizeof( s ) - 2, &n ) );
c2c66affSColin Finck
c2c66affSColin Finck    if( p == NULL ) p = "";
c2c66affSColin Finck
c2c66affSColin Finck    plen = strlen( p );
c2c66affSColin Finck    slen = strlen( s );
c2c66affSColin Finck    s[slen++] = '\r';
c2c66affSColin Finck    s[slen++] = '\n';
c2c66affSColin Finck
c2c66affSColin Finck    if( fout != NULL )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( fwrite( p, 1, plen, fout ) != plen ||
c2c66affSColin Finck            fwrite( s, 1, slen, fout ) != slen )
c2c66affSColin Finck            return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
c2c66affSColin Finck    }
c2c66affSColin Finck    else
c2c66affSColin Finck        mbedtls_printf( "%s%s", p, s );
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck#endif /* MBEDTLS_FS_IO */
c2c66affSColin Finck
cbda039fSThomas Faber
cbda039fSThomas Faber/* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
cbda039fSThomas Faber * into the storage form used by mbedtls_mpi. */
cbda039fSThomas Faber
cbda039fSThomas Faberstatic mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x )
cbda039fSThomas Faber{
cbda039fSThomas Faber    uint8_t i;
cbda039fSThomas Faber    unsigned char *x_ptr;
cbda039fSThomas Faber    mbedtls_mpi_uint tmp = 0;
cbda039fSThomas Faber
cbda039fSThomas Faber    for( i = 0, x_ptr = (unsigned char*) &x; i < ciL; i++, x_ptr++ )
cbda039fSThomas Faber    {
cbda039fSThomas Faber        tmp <<= CHAR_BIT;
cbda039fSThomas Faber        tmp |= (mbedtls_mpi_uint) *x_ptr;
cbda039fSThomas Faber    }
cbda039fSThomas Faber
cbda039fSThomas Faber    return( tmp );
cbda039fSThomas Faber}
cbda039fSThomas Faber
cbda039fSThomas Faberstatic mbedtls_mpi_uint mpi_uint_bigendian_to_host( mbedtls_mpi_uint x )
cbda039fSThomas Faber{
cbda039fSThomas Faber#if defined(__BYTE_ORDER__)
cbda039fSThomas Faber
cbda039fSThomas Faber/* Nothing to do on bigendian systems. */
cbda039fSThomas Faber#if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ )
cbda039fSThomas Faber    return( x );
cbda039fSThomas Faber#endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */
cbda039fSThomas Faber
cbda039fSThomas Faber#if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ )
cbda039fSThomas Faber
cbda039fSThomas Faber/* For GCC and Clang, have builtins for byte swapping. */
cbda039fSThomas Faber#if defined(__GNUC__) && defined(__GNUC_PREREQ)
cbda039fSThomas Faber#if __GNUC_PREREQ(4,3)
cbda039fSThomas Faber#define have_bswap
cbda039fSThomas Faber#endif
cbda039fSThomas Faber#endif
cbda039fSThomas Faber
cbda039fSThomas Faber#if defined(__clang__) && defined(__has_builtin)
cbda039fSThomas Faber#if __has_builtin(__builtin_bswap32)  &&                 \
cbda039fSThomas Faber    __has_builtin(__builtin_bswap64)
cbda039fSThomas Faber#define have_bswap
cbda039fSThomas Faber#endif
cbda039fSThomas Faber#endif
cbda039fSThomas Faber
cbda039fSThomas Faber#if defined(have_bswap)
cbda039fSThomas Faber    /* The compiler is hopefully able to statically evaluate this! */
cbda039fSThomas Faber    switch( sizeof(mbedtls_mpi_uint) )
cbda039fSThomas Faber    {
cbda039fSThomas Faber        case 4:
cbda039fSThomas Faber            return( __builtin_bswap32(x) );
cbda039fSThomas Faber        case 8:
cbda039fSThomas Faber            return( __builtin_bswap64(x) );
cbda039fSThomas Faber    }
cbda039fSThomas Faber#endif
cbda039fSThomas Faber#endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */
cbda039fSThomas Faber#endif /* __BYTE_ORDER__ */
cbda039fSThomas Faber
cbda039fSThomas Faber    /* Fall back to C-based reordering if we don't know the byte order
cbda039fSThomas Faber     * or we couldn't use a compiler-specific builtin. */
cbda039fSThomas Faber    return( mpi_uint_bigendian_to_host_c( x ) );
cbda039fSThomas Faber}
cbda039fSThomas Faber
cbda039fSThomas Faberstatic void mpi_bigendian_to_host( mbedtls_mpi_uint * const p, size_t limbs )
cbda039fSThomas Faber{
cbda039fSThomas Faber    mbedtls_mpi_uint *cur_limb_left;
cbda039fSThomas Faber    mbedtls_mpi_uint *cur_limb_right;
cbda039fSThomas Faber    if( limbs == 0 )
cbda039fSThomas Faber        return;
cbda039fSThomas Faber
cbda039fSThomas Faber    /*
cbda039fSThomas Faber     * Traverse limbs and
cbda039fSThomas Faber     * - adapt byte-order in each limb
cbda039fSThomas Faber     * - swap the limbs themselves.
cbda039fSThomas Faber     * For that, simultaneously traverse the limbs from left to right
cbda039fSThomas Faber     * and from right to left, as long as the left index is not bigger
cbda039fSThomas Faber     * than the right index (it's not a problem if limbs is odd and the
cbda039fSThomas Faber     * indices coincide in the last iteration).
cbda039fSThomas Faber     */
cbda039fSThomas Faber    for( cur_limb_left = p, cur_limb_right = p + ( limbs - 1 );
cbda039fSThomas Faber         cur_limb_left <= cur_limb_right;
cbda039fSThomas Faber         cur_limb_left++, cur_limb_right-- )
cbda039fSThomas Faber    {
cbda039fSThomas Faber        mbedtls_mpi_uint tmp;
cbda039fSThomas Faber        /* Note that if cur_limb_left == cur_limb_right,
cbda039fSThomas Faber         * this code effectively swaps the bytes only once. */
cbda039fSThomas Faber        tmp             = mpi_uint_bigendian_to_host( *cur_limb_left  );
cbda039fSThomas Faber        *cur_limb_left  = mpi_uint_bigendian_to_host( *cur_limb_right );
cbda039fSThomas Faber        *cur_limb_right = tmp;
cbda039fSThomas Faber    }
cbda039fSThomas Faber}
cbda039fSThomas Faber
c2c66affSColin Finck/*
c2c66affSColin Finck * Import X from unsigned binary data, big endian
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
d9e6c9b5SThomas Faber    size_t const limbs    = CHARS_TO_LIMBS( buflen );
cbda039fSThomas Faber    size_t const overhead = ( limbs * ciL ) - buflen;
cbda039fSThomas Faber    unsigned char *Xp;
cbda039fSThomas Faber
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
c2c66affSColin Finck
d9e6c9b5SThomas Faber    /* Ensure that target MPI has exactly the necessary number of limbs */
d9e6c9b5SThomas Faber    if( X->n != limbs )
d9e6c9b5SThomas Faber    {
d9e6c9b5SThomas Faber        mbedtls_mpi_free( X );
d9e6c9b5SThomas Faber        mbedtls_mpi_init( X );
d9e6c9b5SThomas Faber        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
d9e6c9b5SThomas Faber    }
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
c2c66affSColin Finck
cbda039fSThomas Faber    /* Avoid calling `memcpy` with NULL source argument,
cbda039fSThomas Faber     * even if buflen is 0. */
cbda039fSThomas Faber    if( buf != NULL )
cbda039fSThomas Faber    {
cbda039fSThomas Faber        Xp = (unsigned char*) X->p;
cbda039fSThomas Faber        memcpy( Xp + overhead, buf, buflen );
cbda039fSThomas Faber
cbda039fSThomas Faber        mpi_bigendian_to_host( X->p, limbs );
cbda039fSThomas Faber    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Export X into unsigned binary data, big endian
c2c66affSColin Finck */
0ba5bc40SThomas Faberint mbedtls_mpi_write_binary( const mbedtls_mpi *X,
0ba5bc40SThomas Faber                              unsigned char *buf, size_t buflen )
c2c66affSColin Finck{
cbda039fSThomas Faber    size_t stored_bytes;
0ba5bc40SThomas Faber    size_t bytes_to_copy;
0ba5bc40SThomas Faber    unsigned char *p;
0ba5bc40SThomas Faber    size_t i;
c2c66affSColin Finck
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
cbda039fSThomas Faber
cbda039fSThomas Faber    stored_bytes = X->n * ciL;
cbda039fSThomas Faber
0ba5bc40SThomas Faber    if( stored_bytes < buflen )
0ba5bc40SThomas Faber    {
0ba5bc40SThomas Faber        /* There is enough space in the output buffer. Write initial
0ba5bc40SThomas Faber         * null bytes and record the position at which to start
0ba5bc40SThomas Faber         * writing the significant bytes. In this case, the execution
0ba5bc40SThomas Faber         * trace of this function does not depend on the value of the
0ba5bc40SThomas Faber         * number. */
0ba5bc40SThomas Faber        bytes_to_copy = stored_bytes;
0ba5bc40SThomas Faber        p = buf + buflen - stored_bytes;
0ba5bc40SThomas Faber        memset( buf, 0, buflen - stored_bytes );
0ba5bc40SThomas Faber    }
0ba5bc40SThomas Faber    else
0ba5bc40SThomas Faber    {
0ba5bc40SThomas Faber        /* The output buffer is smaller than the allocated size of X.
0ba5bc40SThomas Faber         * However X may fit if its leading bytes are zero. */
0ba5bc40SThomas Faber        bytes_to_copy = buflen;
0ba5bc40SThomas Faber        p = buf;
0ba5bc40SThomas Faber        for( i = bytes_to_copy; i < stored_bytes; i++ )
0ba5bc40SThomas Faber        {
0ba5bc40SThomas Faber            if( GET_BYTE( X, i ) != 0 )
c2c66affSColin Finck                return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
0ba5bc40SThomas Faber        }
0ba5bc40SThomas Faber    }
c2c66affSColin Finck
0ba5bc40SThomas Faber    for( i = 0; i < bytes_to_copy; i++ )
0ba5bc40SThomas Faber        p[bytes_to_copy - i - 1] = GET_BYTE( X, i );
c2c66affSColin Finck
c2c66affSColin Finck    return( 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Left-shift: X <<= count
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    size_t i, v0, t1;
c2c66affSColin Finck    mbedtls_mpi_uint r0 = 0, r1;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    v0 = count / (biL    );
c2c66affSColin Finck    t1 = count & (biL - 1);
c2c66affSColin Finck
c2c66affSColin Finck    i = mbedtls_mpi_bitlen( X ) + count;
c2c66affSColin Finck
c2c66affSColin Finck    if( X->n * biL < i )
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, BITS_TO_LIMBS( i ) ) );
c2c66affSColin Finck
c2c66affSColin Finck    ret = 0;
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * shift by count / limb_size
c2c66affSColin Finck     */
c2c66affSColin Finck    if( v0 > 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        for( i = X->n; i > v0; i-- )
c2c66affSColin Finck            X->p[i - 1] = X->p[i - v0 - 1];
c2c66affSColin Finck
c2c66affSColin Finck        for( ; i > 0; i-- )
c2c66affSColin Finck            X->p[i - 1] = 0;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * shift by count % limb_size
c2c66affSColin Finck     */
c2c66affSColin Finck    if( t1 > 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        for( i = v0; i < X->n; i++ )
c2c66affSColin Finck        {
c2c66affSColin Finck            r1 = X->p[i] >> (biL - t1);
c2c66affSColin Finck            X->p[i] <<= t1;
c2c66affSColin Finck            X->p[i] |= r0;
c2c66affSColin Finck            r0 = r1;
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Right-shift: X >>= count
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count )
c2c66affSColin Finck{
c2c66affSColin Finck    size_t i, v0, v1;
c2c66affSColin Finck    mbedtls_mpi_uint r0 = 0, r1;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    v0 = count /  biL;
c2c66affSColin Finck    v1 = count & (biL - 1);
c2c66affSColin Finck
c2c66affSColin Finck    if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
c2c66affSColin Finck        return mbedtls_mpi_lset( X, 0 );
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * shift by count / limb_size
c2c66affSColin Finck     */
c2c66affSColin Finck    if( v0 > 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        for( i = 0; i < X->n - v0; i++ )
c2c66affSColin Finck            X->p[i] = X->p[i + v0];
c2c66affSColin Finck
c2c66affSColin Finck        for( ; i < X->n; i++ )
c2c66affSColin Finck            X->p[i] = 0;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * shift by count % limb_size
c2c66affSColin Finck     */
c2c66affSColin Finck    if( v1 > 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        for( i = X->n; i > 0; i-- )
c2c66affSColin Finck        {
c2c66affSColin Finck            r1 = X->p[i - 1] << (biL - v1);
c2c66affSColin Finck            X->p[i - 1] >>= v1;
c2c66affSColin Finck            X->p[i - 1] |= r0;
c2c66affSColin Finck            r0 = r1;
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    return( 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Compare unsigned values
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y )
c2c66affSColin Finck{
c2c66affSColin Finck    size_t i, j;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( Y != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    for( i = X->n; i > 0; i-- )
c2c66affSColin Finck        if( X->p[i - 1] != 0 )
c2c66affSColin Finck            break;
c2c66affSColin Finck
c2c66affSColin Finck    for( j = Y->n; j > 0; j-- )
c2c66affSColin Finck        if( Y->p[j - 1] != 0 )
c2c66affSColin Finck            break;
c2c66affSColin Finck
c2c66affSColin Finck    if( i == 0 && j == 0 )
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck
c2c66affSColin Finck    if( i > j ) return(  1 );
c2c66affSColin Finck    if( j > i ) return( -1 );
c2c66affSColin Finck
c2c66affSColin Finck    for( ; i > 0; i-- )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( X->p[i - 1] > Y->p[i - 1] ) return(  1 );
c2c66affSColin Finck        if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    return( 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Compare signed values
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
c2c66affSColin Finck{
c2c66affSColin Finck    size_t i, j;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( Y != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    for( i = X->n; i > 0; i-- )
c2c66affSColin Finck        if( X->p[i - 1] != 0 )
c2c66affSColin Finck            break;
c2c66affSColin Finck
c2c66affSColin Finck    for( j = Y->n; j > 0; j-- )
c2c66affSColin Finck        if( Y->p[j - 1] != 0 )
c2c66affSColin Finck            break;
c2c66affSColin Finck
c2c66affSColin Finck    if( i == 0 && j == 0 )
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck
c2c66affSColin Finck    if( i > j ) return(  X->s );
c2c66affSColin Finck    if( j > i ) return( -Y->s );
c2c66affSColin Finck
c2c66affSColin Finck    if( X->s > 0 && Y->s < 0 ) return(  1 );
c2c66affSColin Finck    if( Y->s > 0 && X->s < 0 ) return( -1 );
c2c66affSColin Finck
c2c66affSColin Finck    for( ; i > 0; i-- )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( X->p[i - 1] > Y->p[i - 1] ) return(  X->s );
c2c66affSColin Finck        if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    return( 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
d152519aSThomas Faber/** Decide if an integer is less than the other, without branches.
d152519aSThomas Faber *
d152519aSThomas Faber * \param x         First integer.
d152519aSThomas Faber * \param y         Second integer.
d152519aSThomas Faber *
d152519aSThomas Faber * \return          1 if \p x is less than \p y, 0 otherwise
d152519aSThomas Faber */
d152519aSThomas Faberstatic unsigned ct_lt_mpi_uint( const mbedtls_mpi_uint x,
d152519aSThomas Faber        const mbedtls_mpi_uint y )
d152519aSThomas Faber{
d152519aSThomas Faber    mbedtls_mpi_uint ret;
d152519aSThomas Faber    mbedtls_mpi_uint cond;
d152519aSThomas Faber
d152519aSThomas Faber    /*
d152519aSThomas Faber     * Check if the most significant bits (MSB) of the operands are different.
d152519aSThomas Faber     */
d152519aSThomas Faber    cond = ( x ^ y );
d152519aSThomas Faber    /*
d152519aSThomas Faber     * If the MSB are the same then the difference x-y will be negative (and
d152519aSThomas Faber     * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
d152519aSThomas Faber     */
d152519aSThomas Faber    ret = ( x - y ) & ~cond;
d152519aSThomas Faber    /*
d152519aSThomas Faber     * If the MSB are different, then the operand with the MSB of 1 is the
d152519aSThomas Faber     * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
d152519aSThomas Faber     * the MSB of y is 0.)
d152519aSThomas Faber     */
d152519aSThomas Faber    ret |= y & cond;
d152519aSThomas Faber
d152519aSThomas Faber
d152519aSThomas Faber    ret = ret >> ( biL - 1 );
d152519aSThomas Faber
d152519aSThomas Faber    return (unsigned) ret;
d152519aSThomas Faber}
d152519aSThomas Faber
d152519aSThomas Faber/*
d152519aSThomas Faber * Compare signed values in constant time
d152519aSThomas Faber */
d152519aSThomas Faberint mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
d152519aSThomas Faber        unsigned *ret )
d152519aSThomas Faber{
d152519aSThomas Faber    size_t i;
d152519aSThomas Faber    /* The value of any of these variables is either 0 or 1 at all times. */
d152519aSThomas Faber    unsigned cond, done, X_is_negative, Y_is_negative;
d152519aSThomas Faber
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( Y != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( ret != NULL );
cbda039fSThomas Faber
d152519aSThomas Faber    if( X->n != Y->n )
d152519aSThomas Faber        return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
d152519aSThomas Faber
d152519aSThomas Faber    /*
d152519aSThomas Faber     * Set sign_N to 1 if N >= 0, 0 if N < 0.
d152519aSThomas Faber     * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
d152519aSThomas Faber     */
d152519aSThomas Faber    X_is_negative = ( X->s & 2 ) >> 1;
d152519aSThomas Faber    Y_is_negative = ( Y->s & 2 ) >> 1;
d152519aSThomas Faber
d152519aSThomas Faber    /*
d152519aSThomas Faber     * If the signs are different, then the positive operand is the bigger.
d152519aSThomas Faber     * That is if X is negative (X_is_negative == 1), then X < Y is true and it
d152519aSThomas Faber     * is false if X is positive (X_is_negative == 0).
d152519aSThomas Faber     */
d152519aSThomas Faber    cond = ( X_is_negative ^ Y_is_negative );
d152519aSThomas Faber    *ret = cond & X_is_negative;
d152519aSThomas Faber
d152519aSThomas Faber    /*
d152519aSThomas Faber     * This is a constant-time function. We might have the result, but we still
d152519aSThomas Faber     * need to go through the loop. Record if we have the result already.
d152519aSThomas Faber     */
d152519aSThomas Faber    done = cond;
d152519aSThomas Faber
d152519aSThomas Faber    for( i = X->n; i > 0; i-- )
d152519aSThomas Faber    {
d152519aSThomas Faber        /*
d152519aSThomas Faber         * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
d152519aSThomas Faber         * X and Y are negative.
d152519aSThomas Faber         *
d152519aSThomas Faber         * Again even if we can make a decision, we just mark the result and
d152519aSThomas Faber         * the fact that we are done and continue looping.
d152519aSThomas Faber         */
d152519aSThomas Faber        cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] );
d152519aSThomas Faber        *ret |= cond & ( 1 - done ) & X_is_negative;
d152519aSThomas Faber        done |= cond;
d152519aSThomas Faber
d152519aSThomas Faber        /*
d152519aSThomas Faber         * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
d152519aSThomas Faber         * X and Y are positive.
d152519aSThomas Faber         *
d152519aSThomas Faber         * Again even if we can make a decision, we just mark the result and
d152519aSThomas Faber         * the fact that we are done and continue looping.
d152519aSThomas Faber         */
d152519aSThomas Faber        cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] );
d152519aSThomas Faber        *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
d152519aSThomas Faber        done |= cond;
d152519aSThomas Faber    }
d152519aSThomas Faber
d152519aSThomas Faber    return( 0 );
d152519aSThomas Faber}
d152519aSThomas Faber
c2c66affSColin Finck/*
c2c66affSColin Finck * Compare signed values
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi Y;
c2c66affSColin Finck    mbedtls_mpi_uint p[1];
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    *p  = ( z < 0 ) ? -z : z;
c2c66affSColin Finck    Y.s = ( z < 0 ) ? -1 : 1;
c2c66affSColin Finck    Y.n = 1;
c2c66affSColin Finck    Y.p = p;
c2c66affSColin Finck
c2c66affSColin Finck    return( mbedtls_mpi_cmp_mpi( X, &Y ) );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Unsigned addition: X = |A| + |B|  (HAC 14.7)
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    size_t i, j;
c2c66affSColin Finck    mbedtls_mpi_uint *o, *p, c, tmp;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( B != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( X == B )
c2c66affSColin Finck    {
c2c66affSColin Finck        const mbedtls_mpi *T = A; A = X; B = T;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( X != A )
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * X should always be positive as a result of unsigned additions.
c2c66affSColin Finck     */
c2c66affSColin Finck    X->s = 1;
c2c66affSColin Finck
c2c66affSColin Finck    for( j = B->n; j > 0; j-- )
c2c66affSColin Finck        if( B->p[j - 1] != 0 )
c2c66affSColin Finck            break;
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
c2c66affSColin Finck
c2c66affSColin Finck    o = B->p; p = X->p; c = 0;
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * tmp is used because it might happen that p == o
c2c66affSColin Finck     */
c2c66affSColin Finck    for( i = 0; i < j; i++, o++, p++ )
c2c66affSColin Finck    {
c2c66affSColin Finck        tmp= *o;
c2c66affSColin Finck        *p +=  c; c  = ( *p <  c );
c2c66affSColin Finck        *p += tmp; c += ( *p < tmp );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    while( c != 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( i >= X->n )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + 1 ) );
c2c66affSColin Finck            p = X->p + i;
c2c66affSColin Finck        }
c2c66affSColin Finck
c2c66affSColin Finck        *p += c; c = ( *p < c ); i++; p++;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
292f67afSThomas Faber/**
292f67afSThomas Faber * Helper for mbedtls_mpi subtraction.
292f67afSThomas Faber *
292f67afSThomas Faber * Calculate d - s where d and s have the same size.
292f67afSThomas Faber * This function operates modulo (2^ciL)^n and returns the carry
292f67afSThomas Faber * (1 if there was a wraparound, i.e. if `d < s`, and 0 otherwise).
292f67afSThomas Faber *
292f67afSThomas Faber * \param n             Number of limbs of \p d and \p s.
292f67afSThomas Faber * \param[in,out] d     On input, the left operand.
292f67afSThomas Faber *                      On output, the result of the subtraction:
292f67afSThomas Faber * \param[in] s         The right operand.
292f67afSThomas Faber *
292f67afSThomas Faber * \return              1 if `d < s`.
292f67afSThomas Faber *                      0 if `d >= s`.
c2c66affSColin Finck */
292f67afSThomas Faberstatic mbedtls_mpi_uint mpi_sub_hlp( size_t n,
292f67afSThomas Faber                                     mbedtls_mpi_uint *d,
292f67afSThomas Faber                                     const mbedtls_mpi_uint *s )
c2c66affSColin Finck{
c2c66affSColin Finck    size_t i;
c2c66affSColin Finck    mbedtls_mpi_uint c, z;
c2c66affSColin Finck
c2c66affSColin Finck    for( i = c = 0; i < n; i++, s++, d++ )
c2c66affSColin Finck    {
c2c66affSColin Finck        z = ( *d <  c );     *d -=  c;
c2c66affSColin Finck        c = ( *d < *s ) + z; *d -= *s;
c2c66affSColin Finck    }
c2c66affSColin Finck
292f67afSThomas Faber    return( c );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
292f67afSThomas Faber * Unsigned subtraction: X = |A| - |B|  (HAC 14.9, 14.10)
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi TB;
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    size_t n;
292f67afSThomas Faber    mbedtls_mpi_uint carry;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( B != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_init( &TB );
c2c66affSColin Finck
c2c66affSColin Finck    if( X == B )
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
c2c66affSColin Finck        B = &TB;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( X != A )
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * X should always be positive as a result of unsigned subtractions.
c2c66affSColin Finck     */
c2c66affSColin Finck    X->s = 1;
c2c66affSColin Finck
c2c66affSColin Finck    ret = 0;
c2c66affSColin Finck
c2c66affSColin Finck    for( n = B->n; n > 0; n-- )
c2c66affSColin Finck        if( B->p[n - 1] != 0 )
c2c66affSColin Finck            break;
a01a8faaSThomas Faber    if( n > A->n )
a01a8faaSThomas Faber    {
a01a8faaSThomas Faber        /* B >= (2^ciL)^n > A */
a01a8faaSThomas Faber        ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
a01a8faaSThomas Faber        goto cleanup;
a01a8faaSThomas Faber    }
c2c66affSColin Finck
292f67afSThomas Faber    carry = mpi_sub_hlp( n, X->p, B->p );
292f67afSThomas Faber    if( carry != 0 )
292f67afSThomas Faber    {
292f67afSThomas Faber        /* Propagate the carry to the first nonzero limb of X. */
292f67afSThomas Faber        for( ; n < X->n && X->p[n] == 0; n++ )
292f67afSThomas Faber            --X->p[n];
292f67afSThomas Faber        /* If we ran out of space for the carry, it means that the result
292f67afSThomas Faber         * is negative. */
292f67afSThomas Faber        if( n == X->n )
2e53fc8eSThomas Faber        {
2e53fc8eSThomas Faber            ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
2e53fc8eSThomas Faber            goto cleanup;
2e53fc8eSThomas Faber        }
292f67afSThomas Faber        --X->p[n];
292f67afSThomas Faber    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &TB );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Signed addition: X = A + B
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
c2c66affSColin Finck{
cbda039fSThomas Faber    int ret, s;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( B != NULL );
c2c66affSColin Finck
cbda039fSThomas Faber    s = A->s;
c2c66affSColin Finck    if( A->s * B->s < 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
c2c66affSColin Finck            X->s =  s;
c2c66affSColin Finck        }
c2c66affSColin Finck        else
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
c2c66affSColin Finck            X->s = -s;
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck    else
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
c2c66affSColin Finck        X->s = s;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Signed subtraction: X = A - B
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
c2c66affSColin Finck{
cbda039fSThomas Faber    int ret, s;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( B != NULL );
c2c66affSColin Finck
cbda039fSThomas Faber    s = A->s;
c2c66affSColin Finck    if( A->s * B->s > 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
c2c66affSColin Finck            X->s =  s;
c2c66affSColin Finck        }
c2c66affSColin Finck        else
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
c2c66affSColin Finck            X->s = -s;
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck    else
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
c2c66affSColin Finck        X->s = s;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Signed addition: X = A + b
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi _B;
c2c66affSColin Finck    mbedtls_mpi_uint p[1];
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    p[0] = ( b < 0 ) ? -b : b;
c2c66affSColin Finck    _B.s = ( b < 0 ) ? -1 : 1;
c2c66affSColin Finck    _B.n = 1;
c2c66affSColin Finck    _B.p = p;
c2c66affSColin Finck
c2c66affSColin Finck    return( mbedtls_mpi_add_mpi( X, A, &_B ) );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Signed subtraction: X = A - b
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi _B;
c2c66affSColin Finck    mbedtls_mpi_uint p[1];
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    p[0] = ( b < 0 ) ? -b : b;
c2c66affSColin Finck    _B.s = ( b < 0 ) ? -1 : 1;
c2c66affSColin Finck    _B.n = 1;
c2c66affSColin Finck    _B.p = p;
c2c66affSColin Finck
c2c66affSColin Finck    return( mbedtls_mpi_sub_mpi( X, A, &_B ) );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Helper for mbedtls_mpi multiplication
c2c66affSColin Finck */
c2c66affSColin Finckstatic
c2c66affSColin Finck#if defined(__APPLE__) && defined(__arm__)
c2c66affSColin Finck/*
c2c66affSColin Finck * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
c2c66affSColin Finck * appears to need this to prevent bad ARM code generation at -O3.
c2c66affSColin Finck */
c2c66affSColin Finck__attribute__ ((noinline))
c2c66affSColin Finck#endif
c2c66affSColin Finckvoid mpi_mul_hlp( size_t i, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d, mbedtls_mpi_uint b )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi_uint c = 0, t = 0;
c2c66affSColin Finck
c2c66affSColin Finck#if defined(MULADDC_HUIT)
c2c66affSColin Finck    for( ; i >= 8; i -= 8 )
c2c66affSColin Finck    {
c2c66affSColin Finck        MULADDC_INIT
c2c66affSColin Finck        MULADDC_HUIT
c2c66affSColin Finck        MULADDC_STOP
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    for( ; i > 0; i-- )
c2c66affSColin Finck    {
c2c66affSColin Finck        MULADDC_INIT
c2c66affSColin Finck        MULADDC_CORE
c2c66affSColin Finck        MULADDC_STOP
c2c66affSColin Finck    }
c2c66affSColin Finck#else /* MULADDC_HUIT */
c2c66affSColin Finck    for( ; i >= 16; i -= 16 )
c2c66affSColin Finck    {
c2c66affSColin Finck        MULADDC_INIT
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_STOP
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    for( ; i >= 8; i -= 8 )
c2c66affSColin Finck    {
c2c66affSColin Finck        MULADDC_INIT
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_CORE   MULADDC_CORE
c2c66affSColin Finck        MULADDC_STOP
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    for( ; i > 0; i-- )
c2c66affSColin Finck    {
c2c66affSColin Finck        MULADDC_INIT
c2c66affSColin Finck        MULADDC_CORE
c2c66affSColin Finck        MULADDC_STOP
c2c66affSColin Finck    }
c2c66affSColin Finck#endif /* MULADDC_HUIT */
c2c66affSColin Finck
c2c66affSColin Finck    t++;
c2c66affSColin Finck
c2c66affSColin Finck    do {
c2c66affSColin Finck        *d += c; c = ( *d < c ); d++;
c2c66affSColin Finck    }
c2c66affSColin Finck    while( c != 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Baseline multiplication: X = A * B  (HAC 14.12)
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    size_t i, j;
c2c66affSColin Finck    mbedtls_mpi TA, TB;
*103a79ceSThomas Faber    int result_is_zero = 0;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( B != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
c2c66affSColin Finck
c2c66affSColin Finck    if( X == A ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) ); A = &TA; }
c2c66affSColin Finck    if( X == B ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) ); B = &TB; }
c2c66affSColin Finck
c2c66affSColin Finck    for( i = A->n; i > 0; i-- )
c2c66affSColin Finck        if( A->p[i - 1] != 0 )
c2c66affSColin Finck            break;
*103a79ceSThomas Faber    if( i == 0 )
*103a79ceSThomas Faber        result_is_zero = 1;
c2c66affSColin Finck
c2c66affSColin Finck    for( j = B->n; j > 0; j-- )
c2c66affSColin Finck        if( B->p[j - 1] != 0 )
c2c66affSColin Finck            break;
*103a79ceSThomas Faber    if( j == 0 )
*103a79ceSThomas Faber        result_is_zero = 1;
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + j ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
c2c66affSColin Finck
cbda039fSThomas Faber    for( ; j > 0; j-- )
cbda039fSThomas Faber        mpi_mul_hlp( i, A->p, X->p + j - 1, B->p[j - 1] );
c2c66affSColin Finck
*103a79ceSThomas Faber    /* If the result is 0, we don't shortcut the operation, which reduces
*103a79ceSThomas Faber     * but does not eliminate side channels leaking the zero-ness. We do
*103a79ceSThomas Faber     * need to take care to set the sign bit properly since the library does
*103a79ceSThomas Faber     * not fully support an MPI object with a value of 0 and s == -1. */
*103a79ceSThomas Faber    if( result_is_zero )
*103a79ceSThomas Faber        X->s = 1;
*103a79ceSThomas Faber    else
c2c66affSColin Finck        X->s = A->s * B->s;
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TA );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Baseline multiplication: X = A * b
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi _B;
c2c66affSColin Finck    mbedtls_mpi_uint p[1];
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    _B.s = 1;
c2c66affSColin Finck    _B.n = 1;
c2c66affSColin Finck    _B.p = p;
c2c66affSColin Finck    p[0] = b;
c2c66affSColin Finck
c2c66affSColin Finck    return( mbedtls_mpi_mul_mpi( X, A, &_B ) );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
c2c66affSColin Finck * mbedtls_mpi_uint divisor, d
c2c66affSColin Finck */
c2c66affSColin Finckstatic mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
c2c66affSColin Finck            mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r )
c2c66affSColin Finck{
c2c66affSColin Finck#if defined(MBEDTLS_HAVE_UDBL)
c2c66affSColin Finck    mbedtls_t_udbl dividend, quotient;
c2c66affSColin Finck#else
c2c66affSColin Finck    const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
c2c66affSColin Finck    const mbedtls_mpi_uint uint_halfword_mask = ( (mbedtls_mpi_uint) 1 << biH ) - 1;
c2c66affSColin Finck    mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
c2c66affSColin Finck    mbedtls_mpi_uint u0_msw, u0_lsw;
c2c66affSColin Finck    size_t s;
c2c66affSColin Finck#endif
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * Check for overflow
c2c66affSColin Finck     */
c2c66affSColin Finck    if( 0 == d || u1 >= d )
c2c66affSColin Finck    {
c2c66affSColin Finck        if (r != NULL) *r = ~0;
c2c66affSColin Finck
c2c66affSColin Finck        return ( ~0 );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck#if defined(MBEDTLS_HAVE_UDBL)
c2c66affSColin Finck    dividend  = (mbedtls_t_udbl) u1 << biL;
c2c66affSColin Finck    dividend |= (mbedtls_t_udbl) u0;
c2c66affSColin Finck    quotient = dividend / d;
c2c66affSColin Finck    if( quotient > ( (mbedtls_t_udbl) 1 << biL ) - 1 )
c2c66affSColin Finck        quotient = ( (mbedtls_t_udbl) 1 << biL ) - 1;
c2c66affSColin Finck
c2c66affSColin Finck    if( r != NULL )
c2c66affSColin Finck        *r = (mbedtls_mpi_uint)( dividend - (quotient * d ) );
c2c66affSColin Finck
c2c66affSColin Finck    return (mbedtls_mpi_uint) quotient;
c2c66affSColin Finck#else
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * Algorithm D, Section 4.3.1 - The Art of Computer Programming
c2c66affSColin Finck     *   Vol. 2 - Seminumerical Algorithms, Knuth
c2c66affSColin Finck     */
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * Normalize the divisor, d, and dividend, u0, u1
c2c66affSColin Finck     */
c2c66affSColin Finck    s = mbedtls_clz( d );
c2c66affSColin Finck    d = d << s;
c2c66affSColin Finck
c2c66affSColin Finck    u1 = u1 << s;
c2c66affSColin Finck    u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) );
c2c66affSColin Finck    u0 =  u0 << s;
c2c66affSColin Finck
c2c66affSColin Finck    d1 = d >> biH;
c2c66affSColin Finck    d0 = d & uint_halfword_mask;
c2c66affSColin Finck
c2c66affSColin Finck    u0_msw = u0 >> biH;
c2c66affSColin Finck    u0_lsw = u0 & uint_halfword_mask;
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * Find the first quotient and remainder
c2c66affSColin Finck     */
c2c66affSColin Finck    q1 = u1 / d1;
c2c66affSColin Finck    r0 = u1 - d1 * q1;
c2c66affSColin Finck
c2c66affSColin Finck    while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) )
c2c66affSColin Finck    {
c2c66affSColin Finck        q1 -= 1;
c2c66affSColin Finck        r0 += d1;
c2c66affSColin Finck
c2c66affSColin Finck        if ( r0 >= radix ) break;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
c2c66affSColin Finck    q0 = rAX / d1;
c2c66affSColin Finck    r0 = rAX - q0 * d1;
c2c66affSColin Finck
c2c66affSColin Finck    while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) )
c2c66affSColin Finck    {
c2c66affSColin Finck        q0 -= 1;
c2c66affSColin Finck        r0 += d1;
c2c66affSColin Finck
c2c66affSColin Finck        if ( r0 >= radix ) break;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if (r != NULL)
c2c66affSColin Finck        *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
c2c66affSColin Finck
c2c66affSColin Finck    quotient = q1 * radix + q0;
c2c66affSColin Finck
c2c66affSColin Finck    return quotient;
c2c66affSColin Finck#endif
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Division by mbedtls_mpi: A = Q * B + R  (HAC 14.20)
c2c66affSColin Finck */
cbda039fSThomas Faberint mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
cbda039fSThomas Faber                         const mbedtls_mpi *B )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    size_t i, n, t, k;
c2c66affSColin Finck    mbedtls_mpi X, Y, Z, T1, T2;
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( B != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_int( B, 0 ) == 0 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
c2c66affSColin Finck    mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( Q != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_lset( Q, 0 ) );
c2c66affSColin Finck        if( R != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, A ) );
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &X, A ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, B ) );
c2c66affSColin Finck    X.s = Y.s = 1;
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &Z, A->n + 2 ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Z,  0 ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T1, 2 ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T2, 3 ) );
c2c66affSColin Finck
c2c66affSColin Finck    k = mbedtls_mpi_bitlen( &Y ) % biL;
c2c66affSColin Finck    if( k < biL - 1 )
c2c66affSColin Finck    {
c2c66affSColin Finck        k = biL - 1 - k;
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &X, k ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, k ) );
c2c66affSColin Finck    }
c2c66affSColin Finck    else k = 0;
c2c66affSColin Finck
c2c66affSColin Finck    n = X.n - 1;
c2c66affSColin Finck    t = Y.n - 1;
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, biL * ( n - t ) ) );
c2c66affSColin Finck
c2c66affSColin Finck    while( mbedtls_mpi_cmp_mpi( &X, &Y ) >= 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        Z.p[n - t]++;
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &Y ) );
c2c66affSColin Finck    }
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, biL * ( n - t ) ) );
c2c66affSColin Finck
c2c66affSColin Finck    for( i = n; i > t ; i-- )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( X.p[i] >= Y.p[t] )
c2c66affSColin Finck            Z.p[i - t - 1] = ~0;
c2c66affSColin Finck        else
c2c66affSColin Finck        {
c2c66affSColin Finck            Z.p[i - t - 1] = mbedtls_int_div_int( X.p[i], X.p[i - 1],
c2c66affSColin Finck                                                            Y.p[t], NULL);
c2c66affSColin Finck        }
c2c66affSColin Finck
c2c66affSColin Finck        Z.p[i - t - 1]++;
c2c66affSColin Finck        do
c2c66affSColin Finck        {
c2c66affSColin Finck            Z.p[i - t - 1]--;
c2c66affSColin Finck
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T1, 0 ) );
c2c66affSColin Finck            T1.p[0] = ( t < 1 ) ? 0 : Y.p[t - 1];
c2c66affSColin Finck            T1.p[1] = Y.p[t];
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
c2c66affSColin Finck
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T2, 0 ) );
c2c66affSColin Finck            T2.p[0] = ( i < 2 ) ? 0 : X.p[i - 2];
c2c66affSColin Finck            T2.p[1] = ( i < 1 ) ? 0 : X.p[i - 1];
c2c66affSColin Finck            T2.p[2] = X.p[i];
c2c66affSColin Finck        }
c2c66affSColin Finck        while( mbedtls_mpi_cmp_mpi( &T1, &T2 ) > 0 );
c2c66affSColin Finck
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1,  biL * ( i - t - 1 ) ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &T1 ) );
c2c66affSColin Finck
c2c66affSColin Finck        if( mbedtls_mpi_cmp_int( &X, 0 ) < 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T1, &Y ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &X, &X, &T1 ) );
c2c66affSColin Finck            Z.p[i - t - 1]--;
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( Q != NULL )
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( Q, &Z ) );
c2c66affSColin Finck        Q->s = A->s * B->s;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( R != NULL )
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &X, k ) );
c2c66affSColin Finck        X.s = A->s;
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, &X ) );
c2c66affSColin Finck
c2c66affSColin Finck        if( mbedtls_mpi_cmp_int( R, 0 ) == 0 )
c2c66affSColin Finck            R->s = 1;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
c2c66affSColin Finck    mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Division by int: A = Q * b + R
c2c66affSColin Finck */
cbda039fSThomas Faberint mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R,
cbda039fSThomas Faber                         const mbedtls_mpi *A,
cbda039fSThomas Faber                         mbedtls_mpi_sint b )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi _B;
c2c66affSColin Finck    mbedtls_mpi_uint p[1];
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    p[0] = ( b < 0 ) ? -b : b;
c2c66affSColin Finck    _B.s = ( b < 0 ) ? -1 : 1;
c2c66affSColin Finck    _B.n = 1;
c2c66affSColin Finck    _B.p = p;
c2c66affSColin Finck
c2c66affSColin Finck    return( mbedtls_mpi_div_mpi( Q, R, A, &_B ) );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Modulo: R = A mod B
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
cbda039fSThomas Faber    MPI_VALIDATE_RET( R != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( B != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_int( B, 0 ) < 0 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( NULL, R, A, B ) );
c2c66affSColin Finck
c2c66affSColin Finck    while( mbedtls_mpi_cmp_int( R, 0 ) < 0 )
c2c66affSColin Finck      MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( R, R, B ) );
c2c66affSColin Finck
c2c66affSColin Finck    while( mbedtls_mpi_cmp_mpi( R, B ) >= 0 )
c2c66affSColin Finck      MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( R, R, B ) );
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Modulo: r = A mod b
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b )
c2c66affSColin Finck{
c2c66affSColin Finck    size_t i;
c2c66affSColin Finck    mbedtls_mpi_uint x, y, z;
cbda039fSThomas Faber    MPI_VALIDATE_RET( r != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( b == 0 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
c2c66affSColin Finck
c2c66affSColin Finck    if( b < 0 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * handle trivial cases
c2c66affSColin Finck     */
c2c66affSColin Finck    if( b == 1 )
c2c66affSColin Finck    {
c2c66affSColin Finck        *r = 0;
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( b == 2 )
c2c66affSColin Finck    {
c2c66affSColin Finck        *r = A->p[0] & 1;
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * general case
c2c66affSColin Finck     */
c2c66affSColin Finck    for( i = A->n, y = 0; i > 0; i-- )
c2c66affSColin Finck    {
c2c66affSColin Finck        x  = A->p[i - 1];
c2c66affSColin Finck        y  = ( y << biH ) | ( x >> biH );
c2c66affSColin Finck        z  = y / b;
c2c66affSColin Finck        y -= z * b;
c2c66affSColin Finck
c2c66affSColin Finck        x <<= biH;
c2c66affSColin Finck        y  = ( y << biH ) | ( x >> biH );
c2c66affSColin Finck        z  = y / b;
c2c66affSColin Finck        y -= z * b;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * If A is negative, then the current y represents a negative value.
c2c66affSColin Finck     * Flipping it to the positive side.
c2c66affSColin Finck     */
c2c66affSColin Finck    if( A->s < 0 && y != 0 )
c2c66affSColin Finck        y = b - y;
c2c66affSColin Finck
c2c66affSColin Finck    *r = y;
c2c66affSColin Finck
c2c66affSColin Finck    return( 0 );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Fast Montgomery initialization (thanks to Tom St Denis)
c2c66affSColin Finck */
c2c66affSColin Finckstatic void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi_uint x, m0 = N->p[0];
c2c66affSColin Finck    unsigned int i;
c2c66affSColin Finck
c2c66affSColin Finck    x  = m0;
c2c66affSColin Finck    x += ( ( m0 + 2 ) & 4 ) << 1;
c2c66affSColin Finck
c2c66affSColin Finck    for( i = biL; i >= 8; i /= 2 )
c2c66affSColin Finck        x *= ( 2 - ( m0 * x ) );
c2c66affSColin Finck
c2c66affSColin Finck    *mm = ~x + 1;
c2c66affSColin Finck}
c2c66affSColin Finck
292f67afSThomas Faber/** Montgomery multiplication: A = A * B * R^-1 mod N  (HAC 14.36)
292f67afSThomas Faber *
292f67afSThomas Faber * \param[in,out]   A   One of the numbers to multiply.
292f67afSThomas Faber *                      It must have at least as many limbs as N
292f67afSThomas Faber *                      (A->n >= N->n), and any limbs beyond n are ignored.
292f67afSThomas Faber *                      On successful completion, A contains the result of
292f67afSThomas Faber *                      the multiplication A * B * R^-1 mod N where
292f67afSThomas Faber *                      R = (2^ciL)^n.
292f67afSThomas Faber * \param[in]       B   One of the numbers to multiply.
292f67afSThomas Faber *                      It must be nonzero and must not have more limbs than N
292f67afSThomas Faber *                      (B->n <= N->n).
292f67afSThomas Faber * \param[in]       N   The modulo. N must be odd.
292f67afSThomas Faber * \param           mm  The value calculated by `mpi_montg_init(&mm, N)`.
292f67afSThomas Faber *                      This is -N^-1 mod 2^ciL.
292f67afSThomas Faber * \param[in,out]   T   A bignum for temporary storage.
292f67afSThomas Faber *                      It must be at least twice the limb size of N plus 2
292f67afSThomas Faber *                      (T->n >= 2 * (N->n + 1)).
292f67afSThomas Faber *                      Its initial content is unused and
292f67afSThomas Faber *                      its final content is indeterminate.
292f67afSThomas Faber *                      Note that unlike the usual convention in the library
292f67afSThomas Faber *                      for `const mbedtls_mpi*`, the content of T can change.
c2c66affSColin Finck */
292f67afSThomas Faberstatic void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
c2c66affSColin Finck                         const mbedtls_mpi *T )
c2c66affSColin Finck{
c2c66affSColin Finck    size_t i, n, m;
c2c66affSColin Finck    mbedtls_mpi_uint u0, u1, *d;
c2c66affSColin Finck
c2c66affSColin Finck    memset( T->p, 0, T->n * ciL );
c2c66affSColin Finck
c2c66affSColin Finck    d = T->p;
c2c66affSColin Finck    n = N->n;
c2c66affSColin Finck    m = ( B->n < n ) ? B->n : n;
c2c66affSColin Finck
c2c66affSColin Finck    for( i = 0; i < n; i++ )
c2c66affSColin Finck    {
c2c66affSColin Finck        /*
c2c66affSColin Finck         * T = (T + u0*B + u1*N) / 2^biL
c2c66affSColin Finck         */
c2c66affSColin Finck        u0 = A->p[i];
c2c66affSColin Finck        u1 = ( d[0] + u0 * B->p[0] ) * mm;
c2c66affSColin Finck
c2c66affSColin Finck        mpi_mul_hlp( m, B->p, d, u0 );
c2c66affSColin Finck        mpi_mul_hlp( n, N->p, d, u1 );
c2c66affSColin Finck
c2c66affSColin Finck        *d++ = u0; d[n + 1] = 0;
c2c66affSColin Finck    }
c2c66affSColin Finck
292f67afSThomas Faber    /* At this point, d is either the desired result or the desired result
292f67afSThomas Faber     * plus N. We now potentially subtract N, avoiding leaking whether the
292f67afSThomas Faber     * subtraction is performed through side channels. */
c2c66affSColin Finck
292f67afSThomas Faber    /* Copy the n least significant limbs of d to A, so that
292f67afSThomas Faber     * A = d if d < N (recall that N has n limbs). */
292f67afSThomas Faber    memcpy( A->p, d, n * ciL );
292f67afSThomas Faber    /* If d >= N then we want to set A to d - N. To prevent timing attacks,
292f67afSThomas Faber     * do the calculation without using conditional tests. */
292f67afSThomas Faber    /* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
292f67afSThomas Faber    d[n] += 1;
292f67afSThomas Faber    d[n] -= mpi_sub_hlp( n, d, N->p );
292f67afSThomas Faber    /* If d0 < N then d < (2^biL)^n
292f67afSThomas Faber     * so d[n] == 0 and we want to keep A as it is.
292f67afSThomas Faber     * If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
292f67afSThomas Faber     * so d[n] == 1 and we want to set A to the result of the subtraction
292f67afSThomas Faber     * which is d - (2^biL)^n, i.e. the n least significant limbs of d.
292f67afSThomas Faber     * This exactly corresponds to a conditional assignment. */
292f67afSThomas Faber    mpi_safe_cond_assign( n, A->p, d, (unsigned char) d[n] );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Montgomery reduction: A = A * R^-1 mod N
292f67afSThomas Faber *
292f67afSThomas Faber * See mpi_montmul() regarding constraints and guarantees on the parameters.
c2c66affSColin Finck */
cbda039fSThomas Faberstatic void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
cbda039fSThomas Faber                         mbedtls_mpi_uint mm, const mbedtls_mpi *T )
c2c66affSColin Finck{
c2c66affSColin Finck    mbedtls_mpi_uint z = 1;
c2c66affSColin Finck    mbedtls_mpi U;
c2c66affSColin Finck
c2c66affSColin Finck    U.n = U.s = (int) z;
c2c66affSColin Finck    U.p = &z;
c2c66affSColin Finck
292f67afSThomas Faber    mpi_montmul( A, &U, N, mm, T );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
*103a79ceSThomas Faber * Constant-flow boolean "equal" comparison:
*103a79ceSThomas Faber * return x == y
*103a79ceSThomas Faber *
*103a79ceSThomas Faber * This function can be used to write constant-time code by replacing branches
*103a79ceSThomas Faber * with bit operations - it can be used in conjunction with
*103a79ceSThomas Faber * mbedtls_ssl_cf_mask_from_bit().
*103a79ceSThomas Faber *
*103a79ceSThomas Faber * This function is implemented without using comparison operators, as those
*103a79ceSThomas Faber * might be translated to branches by some compilers on some platforms.
*103a79ceSThomas Faber */
*103a79ceSThomas Faberstatic size_t mbedtls_mpi_cf_bool_eq( size_t x, size_t y )
*103a79ceSThomas Faber{
*103a79ceSThomas Faber    /* diff = 0 if x == y, non-zero otherwise */
*103a79ceSThomas Faber    const size_t diff = x ^ y;
*103a79ceSThomas Faber
*103a79ceSThomas Faber    /* MSVC has a warning about unary minus on unsigned integer types,
*103a79ceSThomas Faber     * but this is well-defined and precisely what we want to do here. */
*103a79ceSThomas Faber#if defined(_MSC_VER)
*103a79ceSThomas Faber#pragma warning( push )
*103a79ceSThomas Faber#pragma warning( disable : 4146 )
*103a79ceSThomas Faber#endif
*103a79ceSThomas Faber
*103a79ceSThomas Faber    /* diff_msb's most significant bit is equal to x != y */
*103a79ceSThomas Faber    const size_t diff_msb = ( diff | (size_t) -diff );
*103a79ceSThomas Faber
*103a79ceSThomas Faber#if defined(_MSC_VER)
*103a79ceSThomas Faber#pragma warning( pop )
*103a79ceSThomas Faber#endif
*103a79ceSThomas Faber
*103a79ceSThomas Faber    /* diff1 = (x != y) ? 1 : 0 */
*103a79ceSThomas Faber    const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
*103a79ceSThomas Faber
*103a79ceSThomas Faber    return( 1 ^ diff1 );
*103a79ceSThomas Faber}
*103a79ceSThomas Faber
*103a79ceSThomas Faber/**
*103a79ceSThomas Faber * Select an MPI from a table without leaking the index.
*103a79ceSThomas Faber *
*103a79ceSThomas Faber * This is functionally equivalent to mbedtls_mpi_copy(R, T[idx]) except it
*103a79ceSThomas Faber * reads the entire table in order to avoid leaking the value of idx to an
*103a79ceSThomas Faber * attacker able to observe memory access patterns.
*103a79ceSThomas Faber *
*103a79ceSThomas Faber * \param[out] R        Where to write the selected MPI.
*103a79ceSThomas Faber * \param[in] T         The table to read from.
*103a79ceSThomas Faber * \param[in] T_size    The number of elements in the table.
*103a79ceSThomas Faber * \param[in] idx       The index of the element to select;
*103a79ceSThomas Faber *                      this must satisfy 0 <= idx < T_size.
*103a79ceSThomas Faber *
*103a79ceSThomas Faber * \return \c 0 on success, or a negative error code.
*103a79ceSThomas Faber */
*103a79ceSThomas Faberstatic int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size_t idx )
*103a79ceSThomas Faber{
*103a79ceSThomas Faber    int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
*103a79ceSThomas Faber    size_t i;
*103a79ceSThomas Faber
*103a79ceSThomas Faber    for( i = 0; i < T_size; i++ )
*103a79ceSThomas Faber    {
*103a79ceSThomas Faber        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i],
*103a79ceSThomas Faber                        (unsigned char) mbedtls_mpi_cf_bool_eq( i, idx ) ) );
*103a79ceSThomas Faber    }
*103a79ceSThomas Faber
*103a79ceSThomas Fabercleanup:
*103a79ceSThomas Faber    return( ret );
*103a79ceSThomas Faber}
*103a79ceSThomas Faber
*103a79ceSThomas Faber/*
c2c66affSColin Finck * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
c2c66affSColin Finck */
cbda039fSThomas Faberint mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
cbda039fSThomas Faber                         const mbedtls_mpi *E, const mbedtls_mpi *N,
cbda039fSThomas Faber                         mbedtls_mpi *_RR )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    size_t wbits, wsize, one = 1;
c2c66affSColin Finck    size_t i, j, nblimbs;
c2c66affSColin Finck    size_t bufsize, nbits;
c2c66affSColin Finck    mbedtls_mpi_uint ei, mm, state;
*103a79ceSThomas Faber    mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos;
c2c66affSColin Finck    int neg;
c2c66affSColin Finck
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( E != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( N != NULL );
cbda039fSThomas Faber
d9e6c9b5SThomas Faber    if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 || ( N->p[0] & 1 ) == 0 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_int( E, 0 ) < 0 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
c2c66affSColin Finck
2e53fc8eSThomas Faber    if( mbedtls_mpi_bitlen( E ) > MBEDTLS_MPI_MAX_BITS ||
2e53fc8eSThomas Faber        mbedtls_mpi_bitlen( N ) > MBEDTLS_MPI_MAX_BITS )
2e53fc8eSThomas Faber        return ( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
2e53fc8eSThomas Faber
c2c66affSColin Finck    /*
c2c66affSColin Finck     * Init temps and window size
c2c66affSColin Finck     */
c2c66affSColin Finck    mpi_montg_init( &mm, N );
c2c66affSColin Finck    mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &T );
c2c66affSColin Finck    mbedtls_mpi_init( &Apos );
*103a79ceSThomas Faber    mbedtls_mpi_init( &WW );
c2c66affSColin Finck    memset( W, 0, sizeof( W ) );
c2c66affSColin Finck
c2c66affSColin Finck    i = mbedtls_mpi_bitlen( E );
c2c66affSColin Finck
c2c66affSColin Finck    wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
c2c66affSColin Finck            ( i >  79 ) ? 4 : ( i >  23 ) ? 3 : 1;
c2c66affSColin Finck
430656f0SThomas Faber#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
c2c66affSColin Finck    if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
c2c66affSColin Finck        wsize = MBEDTLS_MPI_WINDOW_SIZE;
430656f0SThomas Faber#endif
c2c66affSColin Finck
c2c66affSColin Finck    j = N->n + 1;
*103a79ceSThomas Faber    /* All W[i] and X must have at least N->n limbs for the mpi_montmul()
*103a79ceSThomas Faber     * and mpi_montred() calls later. Here we ensure that W[1] and X are
*103a79ceSThomas Faber     * large enough, and later we'll grow other W[i] to the same length.
*103a79ceSThomas Faber     * They must not be shrunk midway through this function!
*103a79ceSThomas Faber     */
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1],  j ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * Compensate for negative A (and correct at the end)
c2c66affSColin Finck     */
c2c66affSColin Finck    neg = ( A->s == -1 );
c2c66affSColin Finck    if( neg )
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Apos, A ) );
c2c66affSColin Finck        Apos.s = 1;
c2c66affSColin Finck        A = &Apos;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * If 1st call, pre-compute R^2 mod N
c2c66affSColin Finck     */
c2c66affSColin Finck    if( _RR == NULL || _RR->p == NULL )
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &RR, 1 ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &RR, N->n * 2 * biL ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &RR, &RR, N ) );
c2c66affSColin Finck
c2c66affSColin Finck        if( _RR != NULL )
c2c66affSColin Finck            memcpy( _RR, &RR, sizeof( mbedtls_mpi ) );
c2c66affSColin Finck    }
c2c66affSColin Finck    else
c2c66affSColin Finck        memcpy( &RR, _RR, sizeof( mbedtls_mpi ) );
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * W[1] = A * R^2 * R^-1 mod N = A * R mod N
c2c66affSColin Finck     */
c2c66affSColin Finck    if( mbedtls_mpi_cmp_mpi( A, N ) >= 0 )
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &W[1], A, N ) );
c2c66affSColin Finck    else
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
*103a79ceSThomas Faber    /* Re-grow W[1] if necessary. This should be only necessary in one corner
*103a79ceSThomas Faber     * case: when A == 0 represented with A.n == 0, mbedtls_mpi_copy shrinks
*103a79ceSThomas Faber     * W[1] to 0 limbs. */
*103a79ceSThomas Faber    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], N->n +1 ) );
c2c66affSColin Finck
292f67afSThomas Faber    mpi_montmul( &W[1], &RR, N, mm, &T );
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * X = R^2 * R^-1 mod N = R mod N
c2c66affSColin Finck     */
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
292f67afSThomas Faber    mpi_montred( X, N, mm, &T );
c2c66affSColin Finck
c2c66affSColin Finck    if( wsize > 1 )
c2c66affSColin Finck    {
c2c66affSColin Finck        /*
c2c66affSColin Finck         * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
c2c66affSColin Finck         */
c2c66affSColin Finck        j =  one << ( wsize - 1 );
c2c66affSColin Finck
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1]    ) );
c2c66affSColin Finck
c2c66affSColin Finck        for( i = 0; i < wsize - 1; i++ )
292f67afSThomas Faber            mpi_montmul( &W[j], &W[j], N, mm, &T );
c2c66affSColin Finck
c2c66affSColin Finck        /*
c2c66affSColin Finck         * W[i] = W[i - 1] * W[1]
c2c66affSColin Finck         */
c2c66affSColin Finck        for( i = j + 1; i < ( one << wsize ); i++ )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
c2c66affSColin Finck
292f67afSThomas Faber            mpi_montmul( &W[i], &W[1], N, mm, &T );
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    nblimbs = E->n;
c2c66affSColin Finck    bufsize = 0;
c2c66affSColin Finck    nbits   = 0;
c2c66affSColin Finck    wbits   = 0;
c2c66affSColin Finck    state   = 0;
c2c66affSColin Finck
c2c66affSColin Finck    while( 1 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( bufsize == 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            if( nblimbs == 0 )
c2c66affSColin Finck                break;
c2c66affSColin Finck
c2c66affSColin Finck            nblimbs--;
c2c66affSColin Finck
c2c66affSColin Finck            bufsize = sizeof( mbedtls_mpi_uint ) << 3;
c2c66affSColin Finck        }
c2c66affSColin Finck
c2c66affSColin Finck        bufsize--;
c2c66affSColin Finck
c2c66affSColin Finck        ei = (E->p[nblimbs] >> bufsize) & 1;
c2c66affSColin Finck
c2c66affSColin Finck        /*
c2c66affSColin Finck         * skip leading 0s
c2c66affSColin Finck         */
c2c66affSColin Finck        if( ei == 0 && state == 0 )
c2c66affSColin Finck            continue;
c2c66affSColin Finck
c2c66affSColin Finck        if( ei == 0 && state == 1 )
c2c66affSColin Finck        {
c2c66affSColin Finck            /*
c2c66affSColin Finck             * out of window, square X
c2c66affSColin Finck             */
292f67afSThomas Faber            mpi_montmul( X, X, N, mm, &T );
c2c66affSColin Finck            continue;
c2c66affSColin Finck        }
c2c66affSColin Finck
c2c66affSColin Finck        /*
c2c66affSColin Finck         * add ei to current window
c2c66affSColin Finck         */
c2c66affSColin Finck        state = 2;
c2c66affSColin Finck
c2c66affSColin Finck        nbits++;
c2c66affSColin Finck        wbits |= ( ei << ( wsize - nbits ) );
c2c66affSColin Finck
c2c66affSColin Finck        if( nbits == wsize )
c2c66affSColin Finck        {
c2c66affSColin Finck            /*
c2c66affSColin Finck             * X = X^wsize R^-1 mod N
c2c66affSColin Finck             */
c2c66affSColin Finck            for( i = 0; i < wsize; i++ )
292f67afSThomas Faber                mpi_montmul( X, X, N, mm, &T );
c2c66affSColin Finck
c2c66affSColin Finck            /*
c2c66affSColin Finck             * X = X * W[wbits] R^-1 mod N
c2c66affSColin Finck             */
*103a79ceSThomas Faber            MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) );
*103a79ceSThomas Faber            mpi_montmul( X, &WW, N, mm, &T );
c2c66affSColin Finck
c2c66affSColin Finck            state--;
c2c66affSColin Finck            nbits = 0;
c2c66affSColin Finck            wbits = 0;
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * process the remaining bits
c2c66affSColin Finck     */
c2c66affSColin Finck    for( i = 0; i < nbits; i++ )
c2c66affSColin Finck    {
292f67afSThomas Faber        mpi_montmul( X, X, N, mm, &T );
c2c66affSColin Finck
c2c66affSColin Finck        wbits <<= 1;
c2c66affSColin Finck
c2c66affSColin Finck        if( ( wbits & ( one << wsize ) ) != 0 )
292f67afSThomas Faber            mpi_montmul( X, &W[1], N, mm, &T );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * X = A^E * R * R^-1 mod N = A^E mod N
c2c66affSColin Finck     */
292f67afSThomas Faber    mpi_montred( X, N, mm, &T );
c2c66affSColin Finck
c2c66affSColin Finck    if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        X->s = -1;
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ )
c2c66affSColin Finck        mbedtls_mpi_free( &W[i] );
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos );
*103a79ceSThomas Faber    mbedtls_mpi_free( &WW );
c2c66affSColin Finck
c2c66affSColin Finck    if( _RR == NULL || _RR->p == NULL )
c2c66affSColin Finck        mbedtls_mpi_free( &RR );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Greatest common divisor: G = gcd(A, B)  (HAC 14.54)
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    size_t lz, lzt;
c2c66affSColin Finck    mbedtls_mpi TG, TA, TB;
c2c66affSColin Finck
cbda039fSThomas Faber    MPI_VALIDATE_RET( G != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( B != NULL );
cbda039fSThomas Faber
c2c66affSColin Finck    mbedtls_mpi_init( &TG ); mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
c2c66affSColin Finck
c2c66affSColin Finck    lz = mbedtls_mpi_lsb( &TA );
c2c66affSColin Finck    lzt = mbedtls_mpi_lsb( &TB );
c2c66affSColin Finck
*103a79ceSThomas Faber    /* The loop below gives the correct result when A==0 but not when B==0.
*103a79ceSThomas Faber     * So have a special case for B==0. Leverage the fact that we just
*103a79ceSThomas Faber     * calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
*103a79ceSThomas Faber     * slightly more efficient than cmp_int(). */
*103a79ceSThomas Faber    if( lzt == 0 && mbedtls_mpi_get_bit( &TB, 0 ) == 0 )
*103a79ceSThomas Faber    {
*103a79ceSThomas Faber        ret = mbedtls_mpi_copy( G, A );
*103a79ceSThomas Faber        goto cleanup;
*103a79ceSThomas Faber    }
*103a79ceSThomas Faber
c2c66affSColin Finck    if( lzt < lz )
c2c66affSColin Finck        lz = lzt;
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, lz ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, lz ) );
c2c66affSColin Finck
c2c66affSColin Finck    TA.s = TB.s = 1;
c2c66affSColin Finck
*103a79ceSThomas Faber    /* We mostly follow the procedure described in HAC 14.54, but with some
*103a79ceSThomas Faber     * minor differences:
*103a79ceSThomas Faber     * - Sequences of multiplications or divisions by 2 are grouped into a
*103a79ceSThomas Faber     *   single shift operation.
*103a79ceSThomas Faber     * - The procedure in HAC assumes that 0 < TB <= TA.
*103a79ceSThomas Faber     *     - The condition TB <= TA is not actually necessary for correctness.
*103a79ceSThomas Faber     *       TA and TB have symmetric roles except for the loop termination
*103a79ceSThomas Faber     *       condition, and the shifts at the beginning of the loop body
*103a79ceSThomas Faber     *       remove any significance from the ordering of TA vs TB before
*103a79ceSThomas Faber     *       the shifts.
*103a79ceSThomas Faber     *     - If TA = 0, the loop goes through 0 iterations and the result is
*103a79ceSThomas Faber     *       correctly TB.
*103a79ceSThomas Faber     *     - The case TB = 0 was short-circuited above.
*103a79ceSThomas Faber     *
*103a79ceSThomas Faber     * For the correctness proof below, decompose the original values of
*103a79ceSThomas Faber     * A and B as
*103a79ceSThomas Faber     *   A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
*103a79ceSThomas Faber     *   B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
*103a79ceSThomas Faber     * Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
*103a79ceSThomas Faber     * and gcd(A',B') is odd or 0.
*103a79ceSThomas Faber     *
*103a79ceSThomas Faber     * At the beginning, we have TA = |A|/2^a and TB = |B|/2^b.
*103a79ceSThomas Faber     * The code maintains the following invariant:
*103a79ceSThomas Faber     *     gcd(A,B) = 2^k * gcd(TA,TB) for some k   (I)
*103a79ceSThomas Faber     */
*103a79ceSThomas Faber
*103a79ceSThomas Faber    /* Proof that the loop terminates:
*103a79ceSThomas Faber     * At each iteration, either the right-shift by 1 is made on a nonzero
*103a79ceSThomas Faber     * value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
*103a79ceSThomas Faber     * by at least 1, or the right-shift by 1 is made on zero and then
*103a79ceSThomas Faber     * TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
*103a79ceSThomas Faber     * since in that case TB is calculated from TB-TA with the condition TB>TA).
*103a79ceSThomas Faber     */
c2c66affSColin Finck    while( mbedtls_mpi_cmp_int( &TA, 0 ) != 0 )
c2c66affSColin Finck    {
*103a79ceSThomas Faber        /* Divisions by 2 preserve the invariant (I). */
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, mbedtls_mpi_lsb( &TA ) ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, mbedtls_mpi_lsb( &TB ) ) );
c2c66affSColin Finck
*103a79ceSThomas Faber        /* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd,
*103a79ceSThomas Faber         * TA-TB is even so the division by 2 has an integer result.
*103a79ceSThomas Faber         * Invariant (I) is preserved since any odd divisor of both TA and TB
*103a79ceSThomas Faber         * also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2
*103a79ceSThomas Faber         * also divides TB, and any odd divisior of both TB and |TA-TB|/2 also
*103a79ceSThomas Faber         * divides TA.
*103a79ceSThomas Faber         */
c2c66affSColin Finck        if( mbedtls_mpi_cmp_mpi( &TA, &TB ) >= 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TA, &TA, &TB ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, 1 ) );
c2c66affSColin Finck        }
c2c66affSColin Finck        else
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TB, &TB, &TA ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, 1 ) );
c2c66affSColin Finck        }
*103a79ceSThomas Faber        /* Note that one of TA or TB is still odd. */
c2c66affSColin Finck    }
c2c66affSColin Finck
*103a79ceSThomas Faber    /* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
*103a79ceSThomas Faber     * At the loop exit, TA = 0, so gcd(TA,TB) = TB.
*103a79ceSThomas Faber     * - If there was at least one loop iteration, then one of TA or TB is odd,
*103a79ceSThomas Faber     *   and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
*103a79ceSThomas Faber     *   lz = min(a,b) so gcd(A,B) = 2^lz * TB.
*103a79ceSThomas Faber     * - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
*103a79ceSThomas Faber     *   In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
*103a79ceSThomas Faber     */
*103a79ceSThomas Faber
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &TB, lz ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( G, &TB ) );
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &TG ); mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TB );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Fill X with size bytes of random.
c2c66affSColin Finck *
c2c66affSColin Finck * Use a temporary bytes representation to make sure the result is the same
c2c66affSColin Finck * regardless of the platform endianness (useful when f_rng is actually
c2c66affSColin Finck * deterministic, eg for tests).
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
c2c66affSColin Finck                     int (*f_rng)(void *, unsigned char *, size_t),
c2c66affSColin Finck                     void *p_rng )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
cbda039fSThomas Faber    size_t const limbs = CHARS_TO_LIMBS( size );
cbda039fSThomas Faber    size_t const overhead = ( limbs * ciL ) - size;
cbda039fSThomas Faber    unsigned char *Xp;
c2c66affSColin Finck
cbda039fSThomas Faber    MPI_VALIDATE_RET( X     != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( f_rng != NULL );
c2c66affSColin Finck
cbda039fSThomas Faber    /* Ensure that target MPI has exactly the necessary number of limbs */
cbda039fSThomas Faber    if( X->n != limbs )
cbda039fSThomas Faber    {
cbda039fSThomas Faber        mbedtls_mpi_free( X );
cbda039fSThomas Faber        mbedtls_mpi_init( X );
cbda039fSThomas Faber        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
cbda039fSThomas Faber    }
cbda039fSThomas Faber    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
cbda039fSThomas Faber
cbda039fSThomas Faber    Xp = (unsigned char*) X->p;
cbda039fSThomas Faber    MBEDTLS_MPI_CHK( f_rng( p_rng, Xp + overhead, size ) );
cbda039fSThomas Faber
cbda039fSThomas Faber    mpi_bigendian_to_host( X->p, limbs );
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Modular inverse: X = A^-1 mod N  (HAC 14.61 / 14.64)
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( A != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( N != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TU ); mbedtls_mpi_init( &U1 ); mbedtls_mpi_init( &U2 );
c2c66affSColin Finck    mbedtls_mpi_init( &G ); mbedtls_mpi_init( &TB ); mbedtls_mpi_init( &TV );
c2c66affSColin Finck    mbedtls_mpi_init( &V1 ); mbedtls_mpi_init( &V2 );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, A, N ) );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
c2c66affSColin Finck        goto cleanup;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &TA, A, N ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TU, &TA ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, N ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TV, N ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U1, 1 ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U2, 0 ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V1, 0 ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V2, 1 ) );
c2c66affSColin Finck
c2c66affSColin Finck    do
c2c66affSColin Finck    {
c2c66affSColin Finck        while( ( TU.p[0] & 1 ) == 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TU, 1 ) );
c2c66affSColin Finck
c2c66affSColin Finck            if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
c2c66affSColin Finck            {
c2c66affSColin Finck                MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &U1, &U1, &TB ) );
c2c66affSColin Finck                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &TA ) );
c2c66affSColin Finck            }
c2c66affSColin Finck
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U1, 1 ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U2, 1 ) );
c2c66affSColin Finck        }
c2c66affSColin Finck
c2c66affSColin Finck        while( ( TV.p[0] & 1 ) == 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TV, 1 ) );
c2c66affSColin Finck
c2c66affSColin Finck            if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
c2c66affSColin Finck            {
c2c66affSColin Finck                MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, &TB ) );
c2c66affSColin Finck                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &TA ) );
c2c66affSColin Finck            }
c2c66affSColin Finck
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V1, 1 ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V2, 1 ) );
c2c66affSColin Finck        }
c2c66affSColin Finck
c2c66affSColin Finck        if( mbedtls_mpi_cmp_mpi( &TU, &TV ) >= 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TU, &TU, &TV ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U1, &U1, &V1 ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &V2 ) );
c2c66affSColin Finck        }
c2c66affSColin Finck        else
c2c66affSColin Finck        {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TV, &TV, &TU ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, &U1 ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &U2 ) );
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck    while( mbedtls_mpi_cmp_int( &TU, 0 ) != 0 );
c2c66affSColin Finck
c2c66affSColin Finck    while( mbedtls_mpi_cmp_int( &V1, 0 ) < 0 )
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, N ) );
c2c66affSColin Finck
c2c66affSColin Finck    while( mbedtls_mpi_cmp_mpi( &V1, N ) >= 0 )
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, N ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &V1 ) );
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TU ); mbedtls_mpi_free( &U1 ); mbedtls_mpi_free( &U2 );
c2c66affSColin Finck    mbedtls_mpi_free( &G ); mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TV );
c2c66affSColin Finck    mbedtls_mpi_free( &V1 ); mbedtls_mpi_free( &V2 );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck#if defined(MBEDTLS_GENPRIME)
c2c66affSColin Finck
c2c66affSColin Finckstatic const int small_prime[] =
c2c66affSColin Finck{
c2c66affSColin Finck        3,    5,    7,   11,   13,   17,   19,   23,
c2c66affSColin Finck       29,   31,   37,   41,   43,   47,   53,   59,
c2c66affSColin Finck       61,   67,   71,   73,   79,   83,   89,   97,
c2c66affSColin Finck      101,  103,  107,  109,  113,  127,  131,  137,
c2c66affSColin Finck      139,  149,  151,  157,  163,  167,  173,  179,
c2c66affSColin Finck      181,  191,  193,  197,  199,  211,  223,  227,
c2c66affSColin Finck      229,  233,  239,  241,  251,  257,  263,  269,
c2c66affSColin Finck      271,  277,  281,  283,  293,  307,  311,  313,
c2c66affSColin Finck      317,  331,  337,  347,  349,  353,  359,  367,
c2c66affSColin Finck      373,  379,  383,  389,  397,  401,  409,  419,
c2c66affSColin Finck      421,  431,  433,  439,  443,  449,  457,  461,
c2c66affSColin Finck      463,  467,  479,  487,  491,  499,  503,  509,
c2c66affSColin Finck      521,  523,  541,  547,  557,  563,  569,  571,
c2c66affSColin Finck      577,  587,  593,  599,  601,  607,  613,  617,
c2c66affSColin Finck      619,  631,  641,  643,  647,  653,  659,  661,
c2c66affSColin Finck      673,  677,  683,  691,  701,  709,  719,  727,
c2c66affSColin Finck      733,  739,  743,  751,  757,  761,  769,  773,
c2c66affSColin Finck      787,  797,  809,  811,  821,  823,  827,  829,
c2c66affSColin Finck      839,  853,  857,  859,  863,  877,  881,  883,
c2c66affSColin Finck      887,  907,  911,  919,  929,  937,  941,  947,
c2c66affSColin Finck      953,  967,  971,  977,  983,  991,  997, -103
c2c66affSColin Finck};
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Small divisors test (X must be positive)
c2c66affSColin Finck *
c2c66affSColin Finck * Return values:
c2c66affSColin Finck * 0: no small factor (possible prime, more tests needed)
c2c66affSColin Finck * 1: certain prime
c2c66affSColin Finck * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
c2c66affSColin Finck * other negative: error
c2c66affSColin Finck */
c2c66affSColin Finckstatic int mpi_check_small_factors( const mbedtls_mpi *X )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret = 0;
c2c66affSColin Finck    size_t i;
c2c66affSColin Finck    mbedtls_mpi_uint r;
c2c66affSColin Finck
c2c66affSColin Finck    if( ( X->p[0] & 1 ) == 0 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
c2c66affSColin Finck
c2c66affSColin Finck    for( i = 0; small_prime[i] > 0; i++ )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( mbedtls_mpi_cmp_int( X, small_prime[i] ) <= 0 )
c2c66affSColin Finck            return( 1 );
c2c66affSColin Finck
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, small_prime[i] ) );
c2c66affSColin Finck
c2c66affSColin Finck        if( r == 0 )
c2c66affSColin Finck            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Miller-Rabin pseudo-primality test  (HAC 4.24)
c2c66affSColin Finck */
0ba5bc40SThomas Faberstatic int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
c2c66affSColin Finck                             int (*f_rng)(void *, unsigned char *, size_t),
c2c66affSColin Finck                             void *p_rng )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret, count;
0ba5bc40SThomas Faber    size_t i, j, k, s;
c2c66affSColin Finck    mbedtls_mpi W, R, T, A, RR;
c2c66affSColin Finck
cbda039fSThomas Faber    MPI_VALIDATE_RET( X     != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( f_rng != NULL );
cbda039fSThomas Faber
cbda039fSThomas Faber    mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R );
cbda039fSThomas Faber    mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
c2c66affSColin Finck    mbedtls_mpi_init( &RR );
c2c66affSColin Finck
c2c66affSColin Finck    /*
c2c66affSColin Finck     * W = |X| - 1
c2c66affSColin Finck     * R = W >> lsb( W )
c2c66affSColin Finck     */
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &W, X, 1 ) );
c2c66affSColin Finck    s = mbedtls_mpi_lsb( &W );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R, &W ) );
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
c2c66affSColin Finck
0ba5bc40SThomas Faber    for( i = 0; i < rounds; i++ )
c2c66affSColin Finck    {
c2c66affSColin Finck        /*
c2c66affSColin Finck         * pick a random A, 1 < A < |X| - 1
c2c66affSColin Finck         */
c2c66affSColin Finck        count = 0;
c2c66affSColin Finck        do {
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
c2c66affSColin Finck
c2c66affSColin Finck            j = mbedtls_mpi_bitlen( &A );
c2c66affSColin Finck            k = mbedtls_mpi_bitlen( &W );
c2c66affSColin Finck            if (j > k) {
0ba5bc40SThomas Faber                A.p[A.n - 1] &= ( (mbedtls_mpi_uint) 1 << ( k - ( A.n - 1 ) * biL - 1 ) ) - 1;
c2c66affSColin Finck            }
c2c66affSColin Finck
c2c66affSColin Finck            if (count++ > 30) {
c1eccaffSThomas Faber                ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
c1eccaffSThomas Faber                goto cleanup;
c2c66affSColin Finck            }
c2c66affSColin Finck
c2c66affSColin Finck        } while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 ||
c2c66affSColin Finck                  mbedtls_mpi_cmp_int( &A, 1 )  <= 0    );
c2c66affSColin Finck
c2c66affSColin Finck        /*
c2c66affSColin Finck         * A = A^R mod |X|
c2c66affSColin Finck         */
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &A, &A, &R, X, &RR ) );
c2c66affSColin Finck
c2c66affSColin Finck        if( mbedtls_mpi_cmp_mpi( &A, &W ) == 0 ||
c2c66affSColin Finck            mbedtls_mpi_cmp_int( &A,  1 ) == 0 )
c2c66affSColin Finck            continue;
c2c66affSColin Finck
c2c66affSColin Finck        j = 1;
c2c66affSColin Finck        while( j < s && mbedtls_mpi_cmp_mpi( &A, &W ) != 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            /*
c2c66affSColin Finck             * A = A * A mod |X|
c2c66affSColin Finck             */
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &A, &A ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &A, &T, X  ) );
c2c66affSColin Finck
c2c66affSColin Finck            if( mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
c2c66affSColin Finck                break;
c2c66affSColin Finck
c2c66affSColin Finck            j++;
c2c66affSColin Finck        }
c2c66affSColin Finck
c2c66affSColin Finck        /*
c2c66affSColin Finck         * not prime if A != |X| - 1 or A == 1
c2c66affSColin Finck         */
c2c66affSColin Finck        if( mbedtls_mpi_cmp_mpi( &A, &W ) != 0 ||
c2c66affSColin Finck            mbedtls_mpi_cmp_int( &A,  1 ) == 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
c2c66affSColin Finck            break;
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
cbda039fSThomas Faber    mbedtls_mpi_free( &W ); mbedtls_mpi_free( &R );
cbda039fSThomas Faber    mbedtls_mpi_free( &T ); mbedtls_mpi_free( &A );
c2c66affSColin Finck    mbedtls_mpi_free( &RR );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Pseudo-primality test: small factors, then Miller-Rabin
c2c66affSColin Finck */
cbda039fSThomas Faberint mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
c2c66affSColin Finck                              int (*f_rng)(void *, unsigned char *, size_t),
c2c66affSColin Finck                              void *p_rng )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret;
c2c66affSColin Finck    mbedtls_mpi XX;
cbda039fSThomas Faber    MPI_VALIDATE_RET( X     != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( f_rng != NULL );
c2c66affSColin Finck
c2c66affSColin Finck    XX.s = 1;
c2c66affSColin Finck    XX.n = X->n;
c2c66affSColin Finck    XX.p = X->p;
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_int( &XX, 0 ) == 0 ||
c2c66affSColin Finck        mbedtls_mpi_cmp_int( &XX, 1 ) == 0 )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_int( &XX, 2 ) == 0 )
c2c66affSColin Finck        return( 0 );
c2c66affSColin Finck
c2c66affSColin Finck    if( ( ret = mpi_check_small_factors( &XX ) ) != 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( ret == 1 )
c2c66affSColin Finck            return( 0 );
c2c66affSColin Finck
c2c66affSColin Finck        return( ret );
c2c66affSColin Finck    }
c2c66affSColin Finck
0ba5bc40SThomas Faber    return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
0ba5bc40SThomas Faber}
0ba5bc40SThomas Faber
cbda039fSThomas Faber#if !defined(MBEDTLS_DEPRECATED_REMOVED)
0ba5bc40SThomas Faber/*
0ba5bc40SThomas Faber * Pseudo-primality test, error probability 2^-80
0ba5bc40SThomas Faber */
0ba5bc40SThomas Faberint mbedtls_mpi_is_prime( const mbedtls_mpi *X,
0ba5bc40SThomas Faber                  int (*f_rng)(void *, unsigned char *, size_t),
0ba5bc40SThomas Faber                  void *p_rng )
0ba5bc40SThomas Faber{
cbda039fSThomas Faber    MPI_VALIDATE_RET( X     != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( f_rng != NULL );
cbda039fSThomas Faber
cbda039fSThomas Faber    /*
cbda039fSThomas Faber     * In the past our key generation aimed for an error rate of at most
cbda039fSThomas Faber     * 2^-80. Since this function is deprecated, aim for the same certainty
cbda039fSThomas Faber     * here as well.
cbda039fSThomas Faber     */
cbda039fSThomas Faber    return( mbedtls_mpi_is_prime_ext( X, 40, f_rng, p_rng ) );
c2c66affSColin Finck}
cbda039fSThomas Faber#endif
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Prime number generation
cbda039fSThomas Faber *
cbda039fSThomas Faber * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
cbda039fSThomas Faber * be either 1024 bits or 1536 bits long, and flags must contain
cbda039fSThomas Faber * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
c2c66affSColin Finck */
cbda039fSThomas Faberint mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
c2c66affSColin Finck                   int (*f_rng)(void *, unsigned char *, size_t),
c2c66affSColin Finck                   void *p_rng )
c2c66affSColin Finck{
cbda039fSThomas Faber#ifdef MBEDTLS_HAVE_INT64
cbda039fSThomas Faber// ceil(2^63.5)
cbda039fSThomas Faber#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
cbda039fSThomas Faber#else
cbda039fSThomas Faber// ceil(2^31.5)
cbda039fSThomas Faber#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
cbda039fSThomas Faber#endif
cbda039fSThomas Faber    int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
c2c66affSColin Finck    size_t k, n;
0ba5bc40SThomas Faber    int rounds;
c2c66affSColin Finck    mbedtls_mpi_uint r;
c2c66affSColin Finck    mbedtls_mpi Y;
c2c66affSColin Finck
cbda039fSThomas Faber    MPI_VALIDATE_RET( X     != NULL );
cbda039fSThomas Faber    MPI_VALIDATE_RET( f_rng != NULL );
cbda039fSThomas Faber
c2c66affSColin Finck    if( nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS )
c2c66affSColin Finck        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_init( &Y );
c2c66affSColin Finck
c2c66affSColin Finck    n = BITS_TO_LIMBS( nbits );
c2c66affSColin Finck
cbda039fSThomas Faber    if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR ) == 0 )
cbda039fSThomas Faber    {
0ba5bc40SThomas Faber        /*
0ba5bc40SThomas Faber         * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
0ba5bc40SThomas Faber         */
0ba5bc40SThomas Faber        rounds = ( ( nbits >= 1300 ) ?  2 : ( nbits >=  850 ) ?  3 :
0ba5bc40SThomas Faber                   ( nbits >=  650 ) ?  4 : ( nbits >=  350 ) ?  8 :
0ba5bc40SThomas Faber                   ( nbits >=  250 ) ? 12 : ( nbits >=  150 ) ? 18 : 27 );
cbda039fSThomas Faber    }
cbda039fSThomas Faber    else
cbda039fSThomas Faber    {
cbda039fSThomas Faber        /*
cbda039fSThomas Faber         * 2^-100 error probability, number of rounds computed based on HAC,
cbda039fSThomas Faber         * fact 4.48
cbda039fSThomas Faber         */
cbda039fSThomas Faber        rounds = ( ( nbits >= 1450 ) ?  4 : ( nbits >=  1150 ) ?  5 :
cbda039fSThomas Faber                   ( nbits >= 1000 ) ?  6 : ( nbits >=   850 ) ?  7 :
cbda039fSThomas Faber                   ( nbits >=  750 ) ?  8 : ( nbits >=   500 ) ? 13 :
cbda039fSThomas Faber                   ( nbits >=  250 ) ? 28 : ( nbits >=   150 ) ? 40 : 51 );
cbda039fSThomas Faber    }
0ba5bc40SThomas Faber
cbda039fSThomas Faber    while( 1 )
cbda039fSThomas Faber    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
cbda039fSThomas Faber        /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
cbda039fSThomas Faber        if( X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2 ) continue;
c2c66affSColin Finck
cbda039fSThomas Faber        k = n * biL;
cbda039fSThomas Faber        if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits ) );
c2c66affSColin Finck        X->p[0] |= 1;
c2c66affSColin Finck
cbda039fSThomas Faber        if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH ) == 0 )
c2c66affSColin Finck        {
cbda039fSThomas Faber            ret = mbedtls_mpi_is_prime_ext( X, rounds, f_rng, p_rng );
cbda039fSThomas Faber
c2c66affSColin Finck            if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
c2c66affSColin Finck                goto cleanup;
c2c66affSColin Finck        }
c2c66affSColin Finck        else
c2c66affSColin Finck        {
c2c66affSColin Finck            /*
c2c66affSColin Finck             * An necessary condition for Y and X = 2Y + 1 to be prime
c2c66affSColin Finck             * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
c2c66affSColin Finck             * Make sure it is satisfied, while keeping X = 3 mod 4
c2c66affSColin Finck             */
c2c66affSColin Finck
c2c66affSColin Finck            X->p[0] |= 2;
c2c66affSColin Finck
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
c2c66affSColin Finck            if( r == 0 )
c2c66affSColin Finck                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
c2c66affSColin Finck            else if( r == 1 )
c2c66affSColin Finck                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 4 ) );
c2c66affSColin Finck
c2c66affSColin Finck            /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, X ) );
c2c66affSColin Finck            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, 1 ) );
c2c66affSColin Finck
c2c66affSColin Finck            while( 1 )
c2c66affSColin Finck            {
c2c66affSColin Finck                /*
c2c66affSColin Finck                 * First, check small factors for X and Y
c2c66affSColin Finck                 * before doing Miller-Rabin on any of them
c2c66affSColin Finck                 */
c2c66affSColin Finck                if( ( ret = mpi_check_small_factors(  X         ) ) == 0 &&
c2c66affSColin Finck                    ( ret = mpi_check_small_factors( &Y         ) ) == 0 &&
0ba5bc40SThomas Faber                    ( ret = mpi_miller_rabin(  X, rounds, f_rng, p_rng  ) )
0ba5bc40SThomas Faber                                                                    == 0 &&
0ba5bc40SThomas Faber                    ( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng  ) )
0ba5bc40SThomas Faber                                                                    == 0 )
cbda039fSThomas Faber                    goto cleanup;
c2c66affSColin Finck
c2c66affSColin Finck                if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
c2c66affSColin Finck                    goto cleanup;
c2c66affSColin Finck
c2c66affSColin Finck                /*
c2c66affSColin Finck                 * Next candidates. We want to preserve Y = (X-1) / 2 and
c2c66affSColin Finck                 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
c2c66affSColin Finck                 * so up Y by 6 and X by 12.
c2c66affSColin Finck                 */
c2c66affSColin Finck                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int(  X,  X, 12 ) );
c2c66affSColin Finck                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &Y, &Y, 6  ) );
c2c66affSColin Finck            }
c2c66affSColin Finck        }
cbda039fSThomas Faber    }
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &Y );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck#endif /* MBEDTLS_GENPRIME */
c2c66affSColin Finck
c2c66affSColin Finck#if defined(MBEDTLS_SELF_TEST)
c2c66affSColin Finck
c2c66affSColin Finck#define GCD_PAIR_COUNT  3
c2c66affSColin Finck
c2c66affSColin Finckstatic const int gcd_pairs[GCD_PAIR_COUNT][3] =
c2c66affSColin Finck{
c2c66affSColin Finck    { 693, 609, 21 },
c2c66affSColin Finck    { 1764, 868, 28 },
c2c66affSColin Finck    { 768454923, 542167814, 1 }
c2c66affSColin Finck};
c2c66affSColin Finck
c2c66affSColin Finck/*
c2c66affSColin Finck * Checkup routine
c2c66affSColin Finck */
c2c66affSColin Finckint mbedtls_mpi_self_test( int verbose )
c2c66affSColin Finck{
c2c66affSColin Finck    int ret, i;
c2c66affSColin Finck    mbedtls_mpi A, E, N, X, Y, U, V;
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &X );
c2c66affSColin Finck    mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &U ); mbedtls_mpi_init( &V );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &A, 16,
c2c66affSColin Finck        "EFE021C2645FD1DC586E69184AF4A31E" \
c2c66affSColin Finck        "D5F53E93B5F123FA41680867BA110131" \
c2c66affSColin Finck        "944FE7952E2517337780CB0DB80E61AA" \
c2c66affSColin Finck        "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &E, 16,
c2c66affSColin Finck        "B2E7EFD37075B9F03FF989C7C5051C20" \
c2c66affSColin Finck        "34D2A323810251127E7BF8625A4F49A5" \
c2c66affSColin Finck        "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
c2c66affSColin Finck        "5B5C25763222FEFCCFC38B832366C29E" ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &N, 16,
c2c66affSColin Finck        "0066A198186C18C10B2F5ED9B522752A" \
c2c66affSColin Finck        "9830B69916E535C8F047518A889A43A5" \
c2c66affSColin Finck        "94B6BED27A168D31D4A52F88925AA8F5" ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X, &A, &N ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
c2c66affSColin Finck        "602AB7ECA597A3D6B56FF9829A5E8B85" \
c2c66affSColin Finck        "9E857EA95A03512E2BAE7391688D264A" \
c2c66affSColin Finck        "A5663B0341DB9CCFD2C4C5F421FEC814" \
c2c66affSColin Finck        "8001B72E848A38CAE1C65F78E56ABDEF" \
c2c66affSColin Finck        "E12D3C039B8A02D6BE593F0BBBDA56F1" \
c2c66affSColin Finck        "ECF677152EF804370C1A305CAF3B5BF1" \
c2c66affSColin Finck        "30879B56C61DE584A0F53A2447A51E" ) );
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "  MPI test #1 (mul_mpi): " );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( verbose != 0 )
c2c66affSColin Finck            mbedtls_printf( "failed\n" );
c2c66affSColin Finck
c2c66affSColin Finck        ret = 1;
c2c66affSColin Finck        goto cleanup;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "passed\n" );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &X, &Y, &A, &N ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
c2c66affSColin Finck        "256567336059E52CAE22925474705F39A94" ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &V, 16,
c2c66affSColin Finck        "6613F26162223DF488E9CD48CC132C7A" \
c2c66affSColin Finck        "0AC93C701B001B092E4E5B9F73BCD27B" \
c2c66affSColin Finck        "9EE50D0657C77F374E903CDFA4C642" ) );
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "  MPI test #2 (div_mpi): " );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 ||
c2c66affSColin Finck        mbedtls_mpi_cmp_mpi( &Y, &V ) != 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( verbose != 0 )
c2c66affSColin Finck            mbedtls_printf( "failed\n" );
c2c66affSColin Finck
c2c66affSColin Finck        ret = 1;
c2c66affSColin Finck        goto cleanup;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "passed\n" );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &X, &A, &E, &N, NULL ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
c2c66affSColin Finck        "36E139AEA55215609D2816998ED020BB" \
c2c66affSColin Finck        "BD96C37890F65171D948E9BC7CBAA4D9" \
c2c66affSColin Finck        "325D24D6A3C12710F10A09FA08AB87" ) );
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "  MPI test #3 (exp_mod): " );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( verbose != 0 )
c2c66affSColin Finck            mbedtls_printf( "failed\n" );
c2c66affSColin Finck
c2c66affSColin Finck        ret = 1;
c2c66affSColin Finck        goto cleanup;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "passed\n" );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &X, &A, &N ) );
c2c66affSColin Finck
c2c66affSColin Finck    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
c2c66affSColin Finck        "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
c2c66affSColin Finck        "C3DBA76456363A10869622EAC2DD84EC" \
c2c66affSColin Finck        "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "  MPI test #4 (inv_mod): " );
c2c66affSColin Finck
c2c66affSColin Finck    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
c2c66affSColin Finck    {
c2c66affSColin Finck        if( verbose != 0 )
c2c66affSColin Finck            mbedtls_printf( "failed\n" );
c2c66affSColin Finck
c2c66affSColin Finck        ret = 1;
c2c66affSColin Finck        goto cleanup;
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "passed\n" );
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "  MPI test #5 (simple gcd): " );
c2c66affSColin Finck
c2c66affSColin Finck    for( i = 0; i < GCD_PAIR_COUNT; i++ )
c2c66affSColin Finck    {
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &X, gcd_pairs[i][0] ) );
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Y, gcd_pairs[i][1] ) );
c2c66affSColin Finck
c2c66affSColin Finck        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &A, &X, &Y ) );
c2c66affSColin Finck
c2c66affSColin Finck        if( mbedtls_mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
c2c66affSColin Finck        {
c2c66affSColin Finck            if( verbose != 0 )
c2c66affSColin Finck                mbedtls_printf( "failed at %d\n", i );
c2c66affSColin Finck
c2c66affSColin Finck            ret = 1;
c2c66affSColin Finck            goto cleanup;
c2c66affSColin Finck        }
c2c66affSColin Finck    }
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "passed\n" );
c2c66affSColin Finck
c2c66affSColin Finckcleanup:
c2c66affSColin Finck
c2c66affSColin Finck    if( ret != 0 && verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
c2c66affSColin Finck
c2c66affSColin Finck    mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); mbedtls_mpi_free( &X );
c2c66affSColin Finck    mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &U ); mbedtls_mpi_free( &V );
c2c66affSColin Finck
c2c66affSColin Finck    if( verbose != 0 )
c2c66affSColin Finck        mbedtls_printf( "\n" );
c2c66affSColin Finck
c2c66affSColin Finck    return( ret );
c2c66affSColin Finck}
c2c66affSColin Finck
c2c66affSColin Finck#endif /* MBEDTLS_SELF_TEST */
c2c66affSColin Finck
c2c66affSColin Finck#endif /* MBEDTLS_BIGNUM_C */