sbin/nvmectl/bignum.c

1.6    andvar /*	$NetBSD: bignum.c,v 1.6 2023/02/27 22:00:25 andvar Exp $	*/
1.1    nonaka
1.1    nonaka /*-
1.1    nonaka  * Copyright (c) 2012 Alistair Crooks <agc (at) NetBSD.org>
1.1    nonaka  * All rights reserved.
1.1    nonaka  *
1.1    nonaka  * Redistribution and use in source and binary forms, with or without
1.1    nonaka  * modification, are permitted provided that the following conditions
1.1    nonaka  * are met:
1.1    nonaka  * 1. Redistributions of source code must retain the above copyright
1.1    nonaka  *    notice, this list of conditions and the following disclaimer.
1.1    nonaka  * 2. Redistributions in binary form must reproduce the above copyright
1.1    nonaka  *    notice, this list of conditions and the following disclaimer in the
1.1    nonaka  *    documentation and/or other materials provided with the distribution.
1.1    nonaka  *
1.1    nonaka  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1.1    nonaka  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1.1    nonaka  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1.1    nonaka  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1.1    nonaka  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.1    nonaka  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1.1    nonaka  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1.1    nonaka  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1.1    nonaka  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1.1    nonaka  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.1    nonaka  */
1.1    nonaka /* LibTomMath, multiple-precision integer library -- Tom St Denis
1.1    nonaka  *
1.1    nonaka  * LibTomMath is a library that provides multiple-precision
1.1    nonaka  * integer arithmetic as well as number theoretic functionality.
1.1    nonaka  *
1.1    nonaka  * The library was designed directly after the MPI library by
1.1    nonaka  * Michael Fromberger but has been written from scratch with
1.1    nonaka  * additional optimizations in place.
1.1    nonaka  *
1.1    nonaka  * The library is free for all purposes without any express
1.1    nonaka  * guarantee it works.
1.1    nonaka  *
1.1    nonaka  * Tom St Denis, tomstdenis (at) gmail.com, http://libtom.org
1.1    nonaka  */
1.1    nonaka
1.1    nonaka #include <sys/types.h>
1.1    nonaka #include <sys/param.h>
1.1    nonaka
1.1    nonaka #include <limits.h>
1.1    nonaka #include <stdarg.h>
1.1    nonaka #include <stdio.h>
1.1    nonaka #include <stdlib.h>
1.1    nonaka #include <string.h>
1.1    nonaka #include <unistd.h>
1.1    nonaka
1.1    nonaka #include "bn.h"
1.1    nonaka
1.1    nonaka /**************************************************************************/
1.1    nonaka
1.1    nonaka /* LibTomMath, multiple-precision integer library -- Tom St Denis
1.1    nonaka  *
1.1    nonaka  * LibTomMath is a library that provides multiple-precision
1.1    nonaka  * integer arithmetic as well as number theoretic functionality.
1.1    nonaka  *
1.1    nonaka  * The library was designed directly after the MPI library by
1.1    nonaka  * Michael Fromberger but has been written from scratch with
1.1    nonaka  * additional optimizations in place.
1.1    nonaka  *
1.1    nonaka  * The library is free for all purposes without any express
1.1    nonaka  * guarantee it works.
1.1    nonaka  *
1.1    nonaka  * Tom St Denis, tomstdenis (at) gmail.com, http://libtom.org
1.1    nonaka  */
1.1    nonaka
1.1    nonaka #define MP_PREC		32
1.1    nonaka #define DIGIT_BIT	28
1.1    nonaka #define MP_MASK          ((((mp_digit)1)<<((mp_digit)DIGIT_BIT))-((mp_digit)1))
1.1    nonaka
1.1    nonaka #define MP_WARRAY	/*LINTED*/(1U << (((sizeof(mp_word) * CHAR_BIT) - (2 * DIGIT_BIT) + 1)))
1.1    nonaka
1.1    nonaka #define MP_NO		0
1.1    nonaka #define MP_YES		1
1.1    nonaka
1.1    nonaka #ifndef USE_ARG
1.1    nonaka #define USE_ARG(x)	/*LINTED*/(void)&(x)
1.1    nonaka #endif
1.1    nonaka
1.1    nonaka #ifndef __arraycount
1.1    nonaka #define	__arraycount(__x)	(sizeof(__x) / sizeof(__x[0]))
1.1    nonaka #endif
1.1    nonaka
1.1    nonaka #ifndef MIN
1.1    nonaka #define MIN(a,b)	(((a)<(b))?(a):(b))
1.1    nonaka #endif
1.1    nonaka
1.1    nonaka #define MP_ISZERO(a) (((a)->used == 0) ? MP_YES : MP_NO)
1.1    nonaka
1.1    nonaka typedef int           mp_err;
1.1    nonaka
1.1    nonaka static int signed_multiply(mp_int * a, mp_int * b, mp_int * c);
1.1    nonaka static int square(mp_int * a, mp_int * b);
1.1    nonaka
1.1    nonaka static int signed_subtract_word(mp_int *a, mp_digit b, mp_int *c);
1.1    nonaka
1.1    nonaka static inline void *
1.1    nonaka allocate(size_t n, size_t m)
1.1    nonaka {
1.1    nonaka 	return calloc(n, m);
1.1    nonaka }
1.1    nonaka
1.1    nonaka static inline void
1.1    nonaka deallocate(void *v, size_t sz)
1.1    nonaka {
1.1    nonaka 	USE_ARG(sz);
1.1    nonaka 	free(v);
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* set to zero */
1.1    nonaka static inline void
1.1    nonaka mp_zero(mp_int *a)
1.1    nonaka {
1.1    nonaka 	a->sign = MP_ZPOS;
1.1    nonaka 	a->used = 0;
1.1    nonaka 	memset(a->dp, 0x0, a->alloc * sizeof(*a->dp));
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* grow as required */
1.1    nonaka static int
1.1    nonaka mp_grow(mp_int *a, int size)
1.1    nonaka {
1.1    nonaka 	mp_digit *tmp;
1.1    nonaka
1.1    nonaka 	/* if the alloc size is smaller alloc more ram */
1.1    nonaka 	if (a->alloc < size) {
1.1    nonaka 		/* ensure there are always at least MP_PREC digits extra on top */
1.1    nonaka 		size += (MP_PREC * 2) - (size % MP_PREC);
1.1    nonaka
1.1    nonaka 		/* reallocate the array a->dp
1.1    nonaka 		*
1.1    nonaka 		* We store the return in a temporary variable
1.1    nonaka 		* in case the operation failed we don't want
1.1    nonaka 		* to overwrite the dp member of a.
1.1    nonaka 		*/
1.1    nonaka 		tmp = realloc(a->dp, sizeof(*tmp) * size);
1.1    nonaka 		if (tmp == NULL) {
1.1    nonaka 			/* reallocation failed but "a" is still valid [can be freed] */
1.1    nonaka 			return MP_MEM;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* reallocation succeeded so set a->dp */
1.1    nonaka 		a->dp = tmp;
1.1    nonaka 		/* zero excess digits */
1.1    nonaka 		memset(&a->dp[a->alloc], 0x0, (size - a->alloc) * sizeof(*a->dp));
1.1    nonaka 		a->alloc = size;
1.1    nonaka 	}
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* shift left a certain amount of digits */
1.1    nonaka static int
1.1    nonaka lshift_digits(mp_int * a, int b)
1.1    nonaka {
1.1    nonaka 	mp_digit *top, *bottom;
1.1    nonaka 	int     x, res;
1.1    nonaka
1.1    nonaka 	/* if its less than zero return */
1.1    nonaka 	if (b <= 0) {
1.1    nonaka 		return MP_OKAY;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* grow to fit the new digits */
1.1    nonaka 	if (a->alloc < a->used + b) {
1.1    nonaka 		if ((res = mp_grow(a, a->used + b)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* increment the used by the shift amount then copy upwards */
1.1    nonaka 	a->used += b;
1.1    nonaka
1.1    nonaka 	/* top */
1.1    nonaka 	top = a->dp + a->used - 1;
1.1    nonaka
1.1    nonaka 	/* base */
1.1    nonaka 	bottom = a->dp + a->used - 1 - b;
1.1    nonaka
1.1    nonaka 	/* much like rshift_digits this is implemented using a sliding window
1.1    nonaka 	* except the window goes the otherway around.  Copying from
1.1    nonaka 	* the bottom to the top.
1.1    nonaka 	*/
1.1    nonaka 	for (x = a->used - 1; x >= b; x--) {
1.1    nonaka 		*top-- = *bottom--;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* zero the lower digits */
1.1    nonaka 	memset(a->dp, 0x0, b * sizeof(*a->dp));
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* trim unused digits
1.1    nonaka  *
1.1    nonaka  * This is used to ensure that leading zero digits are
1.6    andvar  * trimmed and the leading "used" digit will be non-zero
1.1    nonaka  * Typically very fast.  Also fixes the sign if there
1.1    nonaka  * are no more leading digits
1.1    nonaka  */
1.1    nonaka static void
1.1    nonaka trim_unused_digits(mp_int * a)
1.1    nonaka {
1.1    nonaka 	/* decrease used while the most significant digit is
1.1    nonaka 	* zero.
1.1    nonaka 	*/
1.1    nonaka 	while (a->used > 0 && a->dp[a->used - 1] == 0) {
1.1    nonaka 		a->used -= 1;
1.1    nonaka 	}
1.1    nonaka 	/* reset the sign flag if used == 0 */
1.1    nonaka 	if (a->used == 0) {
1.1    nonaka 		a->sign = MP_ZPOS;
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* copy, b = a */
1.1    nonaka static int
1.1    nonaka mp_copy(BIGNUM *a, BIGNUM *b)
1.1    nonaka {
1.1    nonaka 	int	res;
1.1    nonaka
1.1    nonaka 	/* if dst == src do nothing */
1.1    nonaka 	if (a == b) {
1.1    nonaka 		return MP_OKAY;
1.1    nonaka 	}
1.1    nonaka 	if (a == NULL || b == NULL) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* grow dest */
1.1    nonaka 	if (b->alloc < a->used) {
1.1    nonaka 		if ((res = mp_grow(b, a->used)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	memcpy(b->dp, a->dp, a->used * sizeof(*b->dp));
1.1    nonaka 	if (b->used > a->used) {
1.1    nonaka 		memset(&b->dp[a->used], 0x0, (b->used - a->used) * sizeof(*b->dp));
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* copy used count and sign */
1.1    nonaka 	b->used = a->used;
1.1    nonaka 	b->sign = a->sign;
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* shift left by a certain bit count */
1.1    nonaka static int
1.1    nonaka lshift_bits(mp_int *a, int b, mp_int *c)
1.1    nonaka {
1.1    nonaka 	mp_digit d;
1.1    nonaka 	int      res;
1.1    nonaka
1.1    nonaka 	/* copy */
1.1    nonaka 	if (a != c) {
1.1    nonaka 		if ((res = mp_copy(a, c)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (c->alloc < (int)(c->used + b/DIGIT_BIT + 1)) {
1.1    nonaka 		if ((res = mp_grow(c, c->used + b / DIGIT_BIT + 1)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* shift by as many digits in the bit count */
1.1    nonaka 	if (b >= (int)DIGIT_BIT) {
1.1    nonaka 		if ((res = lshift_digits(c, b / DIGIT_BIT)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* shift any bit count < DIGIT_BIT */
1.1    nonaka 	d = (mp_digit) (b % DIGIT_BIT);
1.1    nonaka 	if (d != 0) {
1.1    nonaka 		mp_digit *tmpc, shift, mask, carry, rr;
1.1    nonaka 		int x;
1.1    nonaka
1.1    nonaka 		/* bitmask for carries */
1.1    nonaka 		mask = (((mp_digit)1) << d) - 1;
1.1    nonaka
1.1    nonaka 		/* shift for msbs */
1.1    nonaka 		shift = DIGIT_BIT - d;
1.1    nonaka
1.1    nonaka 		/* alias */
1.1    nonaka 		tmpc = c->dp;
1.1    nonaka
1.1    nonaka 		/* carry */
1.1    nonaka 		carry = 0;
1.1    nonaka 		for (x = 0; x < c->used; x++) {
1.1    nonaka 			/* get the higher bits of the current word */
1.1    nonaka 			rr = (*tmpc >> shift) & mask;
1.1    nonaka
1.1    nonaka 			/* shift the current word and OR in the carry */
1.1    nonaka 			*tmpc = ((*tmpc << d) | carry) & MP_MASK;
1.1    nonaka 			++tmpc;
1.1    nonaka
1.1    nonaka 			/* set the carry to the carry bits of the current word */
1.1    nonaka 			carry = rr;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* set final carry */
1.1    nonaka 		if (carry != 0) {
1.1    nonaka 			c->dp[c->used++] = carry;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* reads a unsigned char array, assumes the msb is stored first [big endian] */
1.1    nonaka static int
1.1    nonaka mp_read_unsigned_bin(mp_int *a, const uint8_t *b, int c)
1.1    nonaka {
1.1    nonaka 	int     res;
1.1    nonaka
1.1    nonaka 	/* make sure there are at least two digits */
1.1    nonaka 	if (a->alloc < 2) {
1.1    nonaka 		if ((res = mp_grow(a, 2)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* zero the int */
1.1    nonaka 	mp_zero(a);
1.1    nonaka
1.1    nonaka 	/* read the bytes in */
1.1    nonaka 	while (c-- > 0) {
1.1    nonaka 		if ((res = lshift_bits(a, 8, a)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		a->dp[0] |= *b++;
1.1    nonaka 		a->used += 1;
1.1    nonaka 	}
1.1    nonaka 	trim_unused_digits(a);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* returns the number of bits in an mpi */
1.1    nonaka static int
1.1    nonaka mp_count_bits(const mp_int *a)
1.1    nonaka {
1.1    nonaka 	int     r;
1.1    nonaka 	mp_digit q;
1.1    nonaka
1.1    nonaka 	/* shortcut */
1.1    nonaka 	if (a->used == 0) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* get number of digits and add that */
1.1    nonaka 	r = (a->used - 1) * DIGIT_BIT;
1.1    nonaka
1.1    nonaka 	/* take the last digit and count the bits in it */
1.1    nonaka 	for (q = a->dp[a->used - 1]; q > ((mp_digit) 0) ; r++) {
1.1    nonaka 		q >>= ((mp_digit) 1);
1.1    nonaka 	}
1.1    nonaka 	return r;
1.1    nonaka }
1.1    nonaka
1.6    andvar /* compare magnitude of two ints (unsigned) */
1.1    nonaka static int
1.1    nonaka compare_magnitude(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	int     n;
1.1    nonaka 	mp_digit *tmpa, *tmpb;
1.1    nonaka
1.1    nonaka 	/* compare based on # of non-zero digits */
1.1    nonaka 	if (a->used > b->used) {
1.1    nonaka 		return MP_GT;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (a->used < b->used) {
1.1    nonaka 		return MP_LT;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* alias for a */
1.1    nonaka 	tmpa = a->dp + (a->used - 1);
1.1    nonaka
1.1    nonaka 	/* alias for b */
1.1    nonaka 	tmpb = b->dp + (a->used - 1);
1.1    nonaka
1.1    nonaka 	/* compare based on digits  */
1.1    nonaka 	for (n = 0; n < a->used; ++n, --tmpa, --tmpb) {
1.1    nonaka 		if (*tmpa > *tmpb) {
1.1    nonaka 			return MP_GT;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if (*tmpa < *tmpb) {
1.1    nonaka 			return MP_LT;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	return MP_EQ;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* compare two ints (signed)*/
1.1    nonaka static int
1.1    nonaka signed_compare(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	/* compare based on sign */
1.1    nonaka 	if (a->sign != b->sign) {
1.1    nonaka 		return (a->sign == MP_NEG) ? MP_LT : MP_GT;
1.1    nonaka 	}
1.1    nonaka 	return (a->sign == MP_NEG) ? compare_magnitude(b, a) : compare_magnitude(a, b);
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* get the size for an unsigned equivalent */
1.1    nonaka static int
1.1    nonaka mp_unsigned_bin_size(mp_int * a)
1.1    nonaka {
1.1    nonaka 	int     size = mp_count_bits(a);
1.1    nonaka
1.1    nonaka 	return (size / 8 + ((size & 7) != 0 ? 1 : 0));
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* init a new mp_int */
1.1    nonaka static int
1.1    nonaka mp_init(mp_int * a)
1.1    nonaka {
1.1    nonaka 	/* allocate memory required and clear it */
1.1    nonaka 	a->dp = allocate(1, sizeof(*a->dp) * MP_PREC);
1.1    nonaka 	if (a->dp == NULL) {
1.1    nonaka 		return MP_MEM;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* set the digits to zero */
1.1    nonaka 	memset(a->dp, 0x0, MP_PREC * sizeof(*a->dp));
1.1    nonaka
1.1    nonaka 	/* set the used to zero, allocated digits to the default precision
1.1    nonaka 	* and sign to positive */
1.1    nonaka 	a->used  = 0;
1.1    nonaka 	a->alloc = MP_PREC;
1.1    nonaka 	a->sign  = MP_ZPOS;
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* clear one (frees)  */
1.1    nonaka static void
1.1    nonaka mp_clear(mp_int * a)
1.1    nonaka {
1.1    nonaka 	/* only do anything if a hasn't been freed previously */
1.1    nonaka 	if (a->dp != NULL) {
1.1    nonaka 		memset(a->dp, 0x0, a->used * sizeof(*a->dp));
1.1    nonaka
1.1    nonaka 		/* free ram */
1.1    nonaka 		deallocate(a->dp, (size_t)a->alloc);
1.1    nonaka
1.1    nonaka 		/* reset members to make debugging easier */
1.1    nonaka 		a->dp = NULL;
1.1    nonaka 		a->alloc = a->used = 0;
1.1    nonaka 		a->sign  = MP_ZPOS;
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka static int
1.1    nonaka mp_init_multi(mp_int *mp, ...)
1.1    nonaka {
1.1    nonaka 	mp_err res = MP_OKAY;      /* Assume ok until proven otherwise */
1.1    nonaka 	int n = 0;                 /* Number of ok inits */
1.1    nonaka 	mp_int* cur_arg = mp;
1.1    nonaka 	va_list args;
1.1    nonaka
1.1    nonaka 	va_start(args, mp);        /* init args to next argument from caller */
1.1    nonaka 	while (cur_arg != NULL) {
1.1    nonaka 		if (mp_init(cur_arg) != MP_OKAY) {
1.1    nonaka 			/* Oops - error! Back-track and mp_clear what we already
1.1    nonaka 			succeeded in init-ing, then return error.
1.1    nonaka 			*/
1.1    nonaka 			va_list clean_args;
1.1    nonaka
1.1    nonaka 			/* end the current list */
1.1    nonaka 			va_end(args);
1.1    nonaka
1.1    nonaka 			/* now start cleaning up */
1.1    nonaka 			cur_arg = mp;
1.1    nonaka 			va_start(clean_args, mp);
1.1    nonaka 			while (n--) {
1.1    nonaka 				mp_clear(cur_arg);
1.1    nonaka 				cur_arg = va_arg(clean_args, mp_int*);
1.1    nonaka 			}
1.1    nonaka 			va_end(clean_args);
1.1    nonaka 			res = MP_MEM;
1.1    nonaka 			break;
1.1    nonaka 		}
1.1    nonaka 		n++;
1.1    nonaka 		cur_arg = va_arg(args, mp_int*);
1.1    nonaka 	}
1.1    nonaka 	va_end(args);
1.1    nonaka 	return res;                /* Assumed ok, if error flagged above. */
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* init an mp_init for a given size */
1.1    nonaka static int
1.1    nonaka mp_init_size(mp_int * a, int size)
1.1    nonaka {
1.1    nonaka 	/* pad size so there are always extra digits */
1.1    nonaka 	size += (MP_PREC * 2) - (size % MP_PREC);
1.1    nonaka
1.1    nonaka 	/* alloc mem */
1.1    nonaka 	a->dp = allocate(1, sizeof(*a->dp) * size);
1.1    nonaka 	if (a->dp == NULL) {
1.1    nonaka 		return MP_MEM;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* set the members */
1.1    nonaka 	a->used  = 0;
1.1    nonaka 	a->alloc = size;
1.1    nonaka 	a->sign  = MP_ZPOS;
1.1    nonaka
1.1    nonaka 	/* zero the digits */
1.1    nonaka 	memset(a->dp, 0x0, size * sizeof(*a->dp));
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* creates "a" then copies b into it */
1.1    nonaka static int
1.1    nonaka mp_init_copy(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	int     res;
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(a)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka 	return mp_copy(b, a);
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* low level addition, based on HAC pp.594, Algorithm 14.7 */
1.1    nonaka static int
1.1    nonaka basic_add(mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	mp_int *x;
1.1    nonaka 	int     olduse, res, min, max;
1.1    nonaka
1.1    nonaka 	/* find sizes, we let |a| <= |b| which means we have to sort
1.1    nonaka 	* them.  "x" will point to the input with the most digits
1.1    nonaka 	*/
1.1    nonaka 	if (a->used > b->used) {
1.1    nonaka 		min = b->used;
1.1    nonaka 		max = a->used;
1.1    nonaka 		x = a;
1.1    nonaka 	} else {
1.1    nonaka 		min = a->used;
1.1    nonaka 		max = b->used;
1.1    nonaka 		x = b;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* init result */
1.1    nonaka 	if (c->alloc < max + 1) {
1.1    nonaka 		if ((res = mp_grow(c, max + 1)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* get old used digit count and set new one */
1.1    nonaka 	olduse = c->used;
1.1    nonaka 	c->used = max + 1;
1.1    nonaka
1.1    nonaka 	{
1.1    nonaka 		mp_digit carry, *tmpa, *tmpb, *tmpc;
1.1    nonaka 		int i;
1.1    nonaka
1.1    nonaka 		/* alias for digit pointers */
1.1    nonaka
1.1    nonaka 		/* first input */
1.1    nonaka 		tmpa = a->dp;
1.1    nonaka
1.1    nonaka 		/* second input */
1.1    nonaka 		tmpb = b->dp;
1.1    nonaka
1.1    nonaka 		/* destination */
1.1    nonaka 		tmpc = c->dp;
1.1    nonaka
1.1    nonaka 		/* zero the carry */
1.1    nonaka 		carry = 0;
1.1    nonaka 		for (i = 0; i < min; i++) {
1.1    nonaka 			/* Compute the sum at one digit, T[i] = A[i] + B[i] + U */
1.1    nonaka 			*tmpc = *tmpa++ + *tmpb++ + carry;
1.1    nonaka
1.1    nonaka 			/* U = carry bit of T[i] */
1.1    nonaka 			carry = *tmpc >> ((mp_digit)DIGIT_BIT);
1.1    nonaka
1.1    nonaka 			/* take away carry bit from T[i] */
1.1    nonaka 			*tmpc++ &= MP_MASK;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* now copy higher words if any, that is in A+B
1.1    nonaka 		* if A or B has more digits add those in
1.1    nonaka 		*/
1.1    nonaka 		if (min != max) {
1.1    nonaka 			for (; i < max; i++) {
1.1    nonaka 				/* T[i] = X[i] + U */
1.1    nonaka 				*tmpc = x->dp[i] + carry;
1.1    nonaka
1.1    nonaka 				/* U = carry bit of T[i] */
1.1    nonaka 				carry = *tmpc >> ((mp_digit)DIGIT_BIT);
1.1    nonaka
1.1    nonaka 				/* take away carry bit from T[i] */
1.1    nonaka 				*tmpc++ &= MP_MASK;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* add carry */
1.1    nonaka 		*tmpc++ = carry;
1.1    nonaka
1.1    nonaka 		/* clear digits above oldused */
1.1    nonaka 		if (olduse > c->used) {
1.1    nonaka 			memset(tmpc, 0x0, (olduse - c->used) * sizeof(*c->dp));
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* low level subtraction (assumes |a| > |b|), HAC pp.595 Algorithm 14.9 */
1.1    nonaka static int
1.1    nonaka basic_subtract(mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	int     olduse, res, min, max;
1.1    nonaka
1.1    nonaka 	/* find sizes */
1.1    nonaka 	min = b->used;
1.1    nonaka 	max = a->used;
1.1    nonaka
1.1    nonaka 	/* init result */
1.1    nonaka 	if (c->alloc < max) {
1.1    nonaka 		if ((res = mp_grow(c, max)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	olduse = c->used;
1.1    nonaka 	c->used = max;
1.1    nonaka
1.1    nonaka 	{
1.1    nonaka 		mp_digit carry, *tmpa, *tmpb, *tmpc;
1.1    nonaka 		int i;
1.1    nonaka
1.1    nonaka 		/* alias for digit pointers */
1.1    nonaka 		tmpa = a->dp;
1.1    nonaka 		tmpb = b->dp;
1.1    nonaka 		tmpc = c->dp;
1.1    nonaka
1.1    nonaka 		/* set carry to zero */
1.1    nonaka 		carry = 0;
1.1    nonaka 		for (i = 0; i < min; i++) {
1.1    nonaka 			/* T[i] = A[i] - B[i] - U */
1.1    nonaka 			*tmpc = *tmpa++ - *tmpb++ - carry;
1.1    nonaka
1.1    nonaka 			/* U = carry bit of T[i]
1.1    nonaka 			* Note this saves performing an AND operation since
1.1    nonaka 			* if a carry does occur it will propagate all the way to the
1.1    nonaka 			* MSB.  As a result a single shift is enough to get the carry
1.1    nonaka 			*/
1.1    nonaka 			carry = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof(mp_digit) - 1));
1.1    nonaka
1.1    nonaka 			/* Clear carry from T[i] */
1.1    nonaka 			*tmpc++ &= MP_MASK;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* now copy higher words if any, e.g. if A has more digits than B  */
1.1    nonaka 		for (; i < max; i++) {
1.1    nonaka 			/* T[i] = A[i] - U */
1.1    nonaka 			*tmpc = *tmpa++ - carry;
1.1    nonaka
1.1    nonaka 			/* U = carry bit of T[i] */
1.1    nonaka 			carry = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof(mp_digit) - 1));
1.1    nonaka
1.1    nonaka 			/* Clear carry from T[i] */
1.1    nonaka 			*tmpc++ &= MP_MASK;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* clear digits above used (since we may not have grown result above) */
1.1    nonaka 		if (olduse > c->used) {
1.1    nonaka 			memset(tmpc, 0x0, (olduse - c->used) * sizeof(*a->dp));
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* high level subtraction (handles signs) */
1.1    nonaka static int
1.1    nonaka signed_subtract(mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	int     sa, sb, res;
1.1    nonaka
1.1    nonaka 	sa = a->sign;
1.1    nonaka 	sb = b->sign;
1.1    nonaka
1.1    nonaka 	if (sa != sb) {
1.1    nonaka 		/* subtract a negative from a positive, OR */
1.1    nonaka 		/* subtract a positive from a negative. */
1.1    nonaka 		/* In either case, ADD their magnitudes, */
1.1    nonaka 		/* and use the sign of the first number. */
1.1    nonaka 		c->sign = sa;
1.1    nonaka 		res = basic_add(a, b, c);
1.1    nonaka 	} else {
1.1    nonaka 		/* subtract a positive from a positive, OR */
1.1    nonaka 		/* subtract a negative from a negative. */
1.1    nonaka 		/* First, take the difference between their */
1.1    nonaka 		/* magnitudes, then... */
1.1    nonaka 		if (compare_magnitude(a, b) != MP_LT) {
1.1    nonaka 			/* Copy the sign from the first */
1.1    nonaka 			c->sign = sa;
1.1    nonaka 			/* The first has a larger or equal magnitude */
1.1    nonaka 			res = basic_subtract(a, b, c);
1.1    nonaka 		} else {
1.1    nonaka 			/* The result has the *opposite* sign from */
1.1    nonaka 			/* the first number. */
1.1    nonaka 			c->sign = (sa == MP_ZPOS) ? MP_NEG : MP_ZPOS;
1.1    nonaka 			/* The second has a larger magnitude */
1.1    nonaka 			res = basic_subtract(b, a, c);
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* shift right a certain amount of digits */
1.1    nonaka static int
1.1    nonaka rshift_digits(mp_int * a, int b)
1.1    nonaka {
1.1    nonaka 	/* if b <= 0 then ignore it */
1.1    nonaka 	if (b <= 0) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if b > used then simply zero it and return */
1.1    nonaka 	if (a->used <= b) {
1.1    nonaka 		mp_zero(a);
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* this is implemented as a sliding window where
1.1    nonaka 	* the window is b-digits long and digits from
1.1    nonaka 	* the top of the window are copied to the bottom
1.1    nonaka 	*
1.1    nonaka 	* e.g.
1.1    nonaka
1.1    nonaka 	b-2 | b-1 | b0 | b1 | b2 | ... | bb |   ---->
1.1    nonaka 		 /\                   |      ---->
1.1    nonaka 		  \-------------------/      ---->
1.1    nonaka 	*/
1.1    nonaka 	memmove(a->dp, &a->dp[b], (a->used - b) * sizeof(*a->dp));
1.1    nonaka 	memset(&a->dp[a->used - b], 0x0, b * sizeof(*a->dp));
1.1    nonaka
1.1    nonaka 	/* remove excess digits */
1.1    nonaka 	a->used -= b;
1.1    nonaka 	return 1;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* multiply by a digit */
1.1    nonaka static int
1.1    nonaka multiply_digit(mp_int * a, mp_digit b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	mp_digit carry, *tmpa, *tmpc;
1.1    nonaka 	mp_word  r;
1.1    nonaka 	int      ix, res, olduse;
1.1    nonaka
1.1    nonaka 	/* make sure c is big enough to hold a*b */
1.1    nonaka 	if (c->alloc < a->used + 1) {
1.1    nonaka 		if ((res = mp_grow(c, a->used + 1)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* get the original destinations used count */
1.1    nonaka 	olduse = c->used;
1.1    nonaka
1.1    nonaka 	/* set the sign */
1.1    nonaka 	c->sign = a->sign;
1.1    nonaka
1.1    nonaka 	/* alias for a->dp [source] */
1.1    nonaka 	tmpa = a->dp;
1.1    nonaka
1.1    nonaka 	/* alias for c->dp [dest] */
1.1    nonaka 	tmpc = c->dp;
1.1    nonaka
1.1    nonaka 	/* zero carry */
1.1    nonaka 	carry = 0;
1.1    nonaka
1.1    nonaka 	/* compute columns */
1.1    nonaka 	for (ix = 0; ix < a->used; ix++) {
1.1    nonaka 		/* compute product and carry sum for this term */
1.1    nonaka 		r = ((mp_word) carry) + ((mp_word)*tmpa++) * ((mp_word)b);
1.1    nonaka
1.1    nonaka 		/* mask off higher bits to get a single digit */
1.1    nonaka 		*tmpc++ = (mp_digit) (r & ((mp_word) MP_MASK));
1.1    nonaka
1.1    nonaka 		/* send carry into next iteration */
1.1    nonaka 		carry = (mp_digit) (r >> ((mp_word) DIGIT_BIT));
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* store final carry [if any] and increment ix offset  */
1.1    nonaka 	*tmpc++ = carry;
1.1    nonaka 	++ix;
1.1    nonaka 	if (olduse > ix) {
1.1    nonaka 		memset(tmpc, 0x0, (olduse - ix) * sizeof(*tmpc));
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* set used count */
1.1    nonaka 	c->used = a->used + 1;
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* high level addition (handles signs) */
1.1    nonaka static int
1.1    nonaka signed_add(mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	int     asign, bsign, res;
1.1    nonaka
1.1    nonaka 	/* get sign of both inputs */
1.1    nonaka 	asign = a->sign;
1.1    nonaka 	bsign = b->sign;
1.1    nonaka
1.1    nonaka 	/* handle two cases, not four */
1.1    nonaka 	if (asign == bsign) {
1.1    nonaka 		/* both positive or both negative */
1.1    nonaka 		/* add their magnitudes, copy the sign */
1.1    nonaka 		c->sign = asign;
1.1    nonaka 		res = basic_add(a, b, c);
1.1    nonaka 	} else {
1.1    nonaka 		/* one positive, the other negative */
1.1    nonaka 		/* subtract the one with the greater magnitude from */
1.1    nonaka 		/* the one of the lesser magnitude.  The result gets */
1.1    nonaka 		/* the sign of the one with the greater magnitude. */
1.1    nonaka 		if (compare_magnitude(a, b) == MP_LT) {
1.1    nonaka 			c->sign = bsign;
1.1    nonaka 			res = basic_subtract(b, a, c);
1.1    nonaka 		} else {
1.1    nonaka 			c->sign = asign;
1.1    nonaka 			res = basic_subtract(a, b, c);
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* swap the elements of two integers, for cases where you can't simply swap the
1.1    nonaka  * mp_int pointers around
1.1    nonaka  */
1.1    nonaka static void
1.1    nonaka mp_exch(mp_int *a, mp_int *b)
1.1    nonaka {
1.1    nonaka 	mp_int  t;
1.1    nonaka
1.1    nonaka 	t  = *a;
1.1    nonaka 	*a = *b;
1.1    nonaka 	*b = t;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* calc a value mod 2**b */
1.1    nonaka static int
1.1    nonaka modulo_2_to_power(mp_int * a, int b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	int     x, res;
1.1    nonaka
1.1    nonaka 	/* if b is <= 0 then zero the int */
1.1    nonaka 	if (b <= 0) {
1.1    nonaka 		mp_zero(c);
1.1    nonaka 		return MP_OKAY;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if the modulus is larger than the value than return */
1.1    nonaka 	if (b >= (int) (a->used * DIGIT_BIT)) {
1.1    nonaka 		res = mp_copy(a, c);
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* copy */
1.1    nonaka 	if ((res = mp_copy(a, c)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* zero digits above the last digit of the modulus */
1.1    nonaka 	for (x = (b / DIGIT_BIT) + ((b % DIGIT_BIT) == 0 ? 0 : 1); x < c->used; x++) {
1.1    nonaka 		c->dp[x] = 0;
1.1    nonaka 	}
1.1    nonaka 	/* clear the digit that is not completely outside/inside the modulus */
1.1    nonaka 	c->dp[b / DIGIT_BIT] &=
1.1    nonaka 		(mp_digit) ((((mp_digit) 1) << (((mp_digit) b) % DIGIT_BIT)) - ((mp_digit) 1));
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* shift right by a certain bit count (store quotient in c, optional remainder in d) */
1.1    nonaka static int
1.1    nonaka rshift_bits(mp_int * a, int b, mp_int * c, mp_int * d)
1.1    nonaka {
1.1    nonaka 	mp_digit D, r, rr;
1.1    nonaka 	int     x, res;
1.1    nonaka 	mp_int  t;
1.1    nonaka
1.1    nonaka
1.1    nonaka 	/* if the shift count is <= 0 then we do no work */
1.1    nonaka 	if (b <= 0) {
1.1    nonaka 		res = mp_copy(a, c);
1.1    nonaka 		if (d != NULL) {
1.1    nonaka 			mp_zero(d);
1.1    nonaka 		}
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&t)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* get the remainder */
1.1    nonaka 	if (d != NULL) {
1.1    nonaka 		if ((res = modulo_2_to_power(a, b, &t)) != MP_OKAY) {
1.1    nonaka 			mp_clear(&t);
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* copy */
1.1    nonaka 	if ((res = mp_copy(a, c)) != MP_OKAY) {
1.1    nonaka 		mp_clear(&t);
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* shift by as many digits in the bit count */
1.1    nonaka 	if (b >= (int)DIGIT_BIT) {
1.1    nonaka 		rshift_digits(c, b / DIGIT_BIT);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* shift any bit count < DIGIT_BIT */
1.1    nonaka 	D = (mp_digit) (b % DIGIT_BIT);
1.1    nonaka 	if (D != 0) {
1.1    nonaka 		mp_digit *tmpc, mask, shift;
1.1    nonaka
1.1    nonaka 		/* mask */
1.1    nonaka 		mask = (((mp_digit)1) << D) - 1;
1.1    nonaka
1.1    nonaka 		/* shift for lsb */
1.1    nonaka 		shift = DIGIT_BIT - D;
1.1    nonaka
1.1    nonaka 		/* alias */
1.1    nonaka 		tmpc = c->dp + (c->used - 1);
1.1    nonaka
1.1    nonaka 		/* carry */
1.1    nonaka 		r = 0;
1.1    nonaka 		for (x = c->used - 1; x >= 0; x--) {
1.1    nonaka 			/* get the lower  bits of this word in a temp */
1.1    nonaka 			rr = *tmpc & mask;
1.1    nonaka
1.1    nonaka 			/* shift the current word and mix in the carry bits from the previous word */
1.1    nonaka 			*tmpc = (*tmpc >> D) | (r << shift);
1.1    nonaka 			--tmpc;
1.1    nonaka
1.1    nonaka 			/* set the carry to the carry bits of the current word found above */
1.1    nonaka 			r = rr;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka 	if (d != NULL) {
1.1    nonaka 		mp_exch(&t, d);
1.1    nonaka 	}
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* integer signed division.
1.1    nonaka  * c*b + d == a [e.g. a/b, c=quotient, d=remainder]
1.1    nonaka  * HAC pp.598 Algorithm 14.20
1.1    nonaka  *
1.1    nonaka  * Note that the description in HAC is horribly
1.1    nonaka  * incomplete.  For example, it doesn't consider
1.1    nonaka  * the case where digits are removed from 'x' in
1.1    nonaka  * the inner loop.  It also doesn't consider the
1.1    nonaka  * case that y has fewer than three digits, etc..
1.1    nonaka  *
1.1    nonaka  * The overall algorithm is as described as
1.1    nonaka  * 14.20 from HAC but fixed to treat these cases.
1.1    nonaka */
1.1    nonaka static int
1.1    nonaka signed_divide(mp_int *c, mp_int *d, mp_int *a, mp_int *b)
1.1    nonaka {
1.1    nonaka 	mp_int  q, x, y, t1, t2;
1.1    nonaka 	int     res, n, t, i, norm, neg;
1.1    nonaka
1.1    nonaka 	/* is divisor zero ? */
1.1    nonaka 	if (MP_ISZERO(b) == MP_YES) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if a < b then q=0, r = a */
1.1    nonaka 	if (compare_magnitude(a, b) == MP_LT) {
1.1    nonaka 		if (d != NULL) {
1.1    nonaka 			res = mp_copy(a, d);
1.1    nonaka 		} else {
1.1    nonaka 			res = MP_OKAY;
1.1    nonaka 		}
1.1    nonaka 		if (c != NULL) {
1.1    nonaka 			mp_zero(c);
1.1    nonaka 		}
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_init_size(&q, a->used + 2)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka 	q.used = a->used + 2;
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&t1)) != MP_OKAY) {
1.1    nonaka 		goto LBL_Q;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&t2)) != MP_OKAY) {
1.1    nonaka 		goto LBL_T1;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_init_copy(&x, a)) != MP_OKAY) {
1.1    nonaka 		goto LBL_T2;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_init_copy(&y, b)) != MP_OKAY) {
1.1    nonaka 		goto LBL_X;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* fix the sign */
1.1    nonaka 	neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG;
1.1    nonaka 	x.sign = y.sign = MP_ZPOS;
1.1    nonaka
1.1    nonaka 	/* normalize both x and y, ensure that y >= b/2, [b == 2**DIGIT_BIT] */
1.1    nonaka 	norm = mp_count_bits(&y) % DIGIT_BIT;
1.1    nonaka 	if (norm < (int)(DIGIT_BIT-1)) {
1.1    nonaka 		norm = (DIGIT_BIT-1) - norm;
1.1    nonaka 		if ((res = lshift_bits(&x, norm, &x)) != MP_OKAY) {
1.1    nonaka 			goto LBL_Y;
1.1    nonaka 		}
1.1    nonaka 		if ((res = lshift_bits(&y, norm, &y)) != MP_OKAY) {
1.1    nonaka 			goto LBL_Y;
1.1    nonaka 		}
1.1    nonaka 	} else {
1.1    nonaka 		norm = 0;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* note hac does 0 based, so if used==5 then its 0,1,2,3,4, e.g. use 4 */
1.1    nonaka 	n = x.used - 1;
1.1    nonaka 	t = y.used - 1;
1.1    nonaka
1.1    nonaka 	/* while (x >= y*b**n-t) do { q[n-t] += 1; x -= y*b**{n-t} } */
1.1    nonaka 	if ((res = lshift_digits(&y, n - t)) != MP_OKAY) { /* y = y*b**{n-t} */
1.1    nonaka 		goto LBL_Y;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	while (signed_compare(&x, &y) != MP_LT) {
1.1    nonaka 		++(q.dp[n - t]);
1.1    nonaka 		if ((res = signed_subtract(&x, &y, &x)) != MP_OKAY) {
1.1    nonaka 			goto LBL_Y;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* reset y by shifting it back down */
1.1    nonaka 	rshift_digits(&y, n - t);
1.1    nonaka
1.1    nonaka 	/* step 3. for i from n down to (t + 1) */
1.1    nonaka 	for (i = n; i >= (t + 1); i--) {
1.1    nonaka 		if (i > x.used) {
1.1    nonaka 			continue;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* step 3.1 if xi == yt then set q{i-t-1} to b-1,
1.1    nonaka 		* otherwise set q{i-t-1} to (xi*b + x{i-1})/yt */
1.1    nonaka 		if (x.dp[i] == y.dp[t]) {
1.1    nonaka 			q.dp[i - t - 1] = ((((mp_digit)1) << DIGIT_BIT) - 1);
1.1    nonaka 		} else {
1.1    nonaka 			mp_word tmp;
1.1    nonaka 			tmp = ((mp_word) x.dp[i]) << ((mp_word) DIGIT_BIT);
1.1    nonaka 			tmp |= ((mp_word) x.dp[i - 1]);
1.1    nonaka 			tmp /= ((mp_word) y.dp[t]);
1.1    nonaka 			if (tmp > (mp_word) MP_MASK) {
1.1    nonaka 				tmp = MP_MASK;
1.1    nonaka 			}
1.1    nonaka 			q.dp[i - t - 1] = (mp_digit) (tmp & (mp_word) (MP_MASK));
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* while (q{i-t-1} * (yt * b + y{t-1})) >
1.1    nonaka 		     xi * b**2 + xi-1 * b + xi-2
1.1    nonaka 			do q{i-t-1} -= 1;
1.1    nonaka 		*/
1.1    nonaka 		q.dp[i - t - 1] = (q.dp[i - t - 1] + 1) & MP_MASK;
1.1    nonaka 		do {
1.1    nonaka 			q.dp[i - t - 1] = (q.dp[i - t - 1] - 1) & MP_MASK;
1.1    nonaka
1.1    nonaka 			/* find left hand */
1.1    nonaka 			mp_zero(&t1);
1.1    nonaka 			t1.dp[0] = (t - 1 < 0) ? 0 : y.dp[t - 1];
1.1    nonaka 			t1.dp[1] = y.dp[t];
1.1    nonaka 			t1.used = 2;
1.1    nonaka 			if ((res = multiply_digit(&t1, q.dp[i - t - 1], &t1)) != MP_OKAY) {
1.1    nonaka 				goto LBL_Y;
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			/* find right hand */
1.1    nonaka 			t2.dp[0] = (i - 2 < 0) ? 0 : x.dp[i - 2];
1.1    nonaka 			t2.dp[1] = (i - 1 < 0) ? 0 : x.dp[i - 1];
1.1    nonaka 			t2.dp[2] = x.dp[i];
1.1    nonaka 			t2.used = 3;
1.1    nonaka 		} while (compare_magnitude(&t1, &t2) == MP_GT);
1.1    nonaka
1.1    nonaka 		/* step 3.3 x = x - q{i-t-1} * y * b**{i-t-1} */
1.1    nonaka 		if ((res = multiply_digit(&y, q.dp[i - t - 1], &t1)) != MP_OKAY) {
1.1    nonaka 			goto LBL_Y;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if ((res = lshift_digits(&t1, i - t - 1)) != MP_OKAY) {
1.1    nonaka 			goto LBL_Y;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if ((res = signed_subtract(&x, &t1, &x)) != MP_OKAY) {
1.1    nonaka 			goto LBL_Y;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* if x < 0 then { x = x + y*b**{i-t-1}; q{i-t-1} -= 1; } */
1.1    nonaka 		if (x.sign == MP_NEG) {
1.1    nonaka 			if ((res = mp_copy(&y, &t1)) != MP_OKAY) {
1.1    nonaka 				goto LBL_Y;
1.1    nonaka 			}
1.1    nonaka 			if ((res = lshift_digits(&t1, i - t - 1)) != MP_OKAY) {
1.1    nonaka 				goto LBL_Y;
1.1    nonaka 			}
1.1    nonaka 			if ((res = signed_add(&x, &t1, &x)) != MP_OKAY) {
1.1    nonaka 				goto LBL_Y;
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			q.dp[i - t - 1] = (q.dp[i - t - 1] - 1UL) & MP_MASK;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now q is the quotient and x is the remainder
1.1    nonaka 	* [which we have to normalize]
1.1    nonaka 	*/
1.1    nonaka
1.1    nonaka 	/* get sign before writing to c */
1.1    nonaka 	x.sign = x.used == 0 ? MP_ZPOS : a->sign;
1.1    nonaka
1.1    nonaka 	if (c != NULL) {
1.1    nonaka 		trim_unused_digits(&q);
1.1    nonaka 		mp_exch(&q, c);
1.1    nonaka 		c->sign = neg;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (d != NULL) {
1.1    nonaka 		rshift_bits(&x, norm, &x, NULL);
1.1    nonaka 		mp_exch(&x, d);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	res = MP_OKAY;
1.1    nonaka
1.1    nonaka LBL_Y:
1.1    nonaka 	mp_clear(&y);
1.1    nonaka LBL_X:
1.1    nonaka 	mp_clear(&x);
1.1    nonaka LBL_T2:
1.1    nonaka 	mp_clear(&t2);
1.1    nonaka LBL_T1:
1.1    nonaka 	mp_clear(&t1);
1.1    nonaka LBL_Q:
1.1    nonaka 	mp_clear(&q);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* c = a mod b, 0 <= c < b */
1.1    nonaka static int
1.1    nonaka modulo(mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	mp_int  t;
1.1    nonaka 	int     res;
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&t)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = signed_divide(NULL, &t, a, b)) != MP_OKAY) {
1.1    nonaka 		mp_clear(&t);
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (t.sign != b->sign) {
1.1    nonaka 		res = signed_add(b, &t, c);
1.1    nonaka 	} else {
1.1    nonaka 		res = MP_OKAY;
1.1    nonaka 		mp_exch(&t, c);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* set to a digit */
1.1    nonaka static void
1.1    nonaka set_word(mp_int * a, mp_digit b)
1.1    nonaka {
1.1    nonaka 	mp_zero(a);
1.1    nonaka 	a->dp[0] = b & MP_MASK;
1.1    nonaka 	a->used = (a->dp[0] != 0) ? 1 : 0;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* b = a/2 */
1.1    nonaka static int
1.1    nonaka half(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	int     x, res, oldused;
1.1    nonaka
1.1    nonaka 	/* copy */
1.1    nonaka 	if (b->alloc < a->used) {
1.1    nonaka 		if ((res = mp_grow(b, a->used)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	oldused = b->used;
1.1    nonaka 	b->used = a->used;
1.1    nonaka 	{
1.1    nonaka 		mp_digit r, rr, *tmpa, *tmpb;
1.1    nonaka
1.1    nonaka 		/* source alias */
1.1    nonaka 		tmpa = a->dp + b->used - 1;
1.1    nonaka
1.1    nonaka 		/* dest alias */
1.1    nonaka 		tmpb = b->dp + b->used - 1;
1.1    nonaka
1.1    nonaka 		/* carry */
1.1    nonaka 		r = 0;
1.1    nonaka 		for (x = b->used - 1; x >= 0; x--) {
1.1    nonaka 			/* get the carry for the next iteration */
1.1    nonaka 			rr = *tmpa & 1;
1.1    nonaka
1.1    nonaka 			/* shift the current digit, add in carry and store */
1.1    nonaka 			*tmpb-- = (*tmpa-- >> 1) | (r << (DIGIT_BIT - 1));
1.1    nonaka
1.1    nonaka 			/* forward carry to next iteration */
1.1    nonaka 			r = rr;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* zero excess digits */
1.1    nonaka 		tmpb = b->dp + b->used;
1.1    nonaka 		for (x = b->used; x < oldused; x++) {
1.1    nonaka 			*tmpb++ = 0;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	b->sign = a->sign;
1.1    nonaka 	trim_unused_digits(b);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* compare a digit */
1.1    nonaka static int
1.1    nonaka compare_digit(mp_int * a, mp_digit b)
1.1    nonaka {
1.1    nonaka 	/* compare based on sign */
1.1    nonaka 	if (a->sign == MP_NEG) {
1.1    nonaka 		return MP_LT;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* compare based on magnitude */
1.1    nonaka 	if (a->used > 1) {
1.1    nonaka 		return MP_GT;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* compare the only digit of a to b */
1.1    nonaka 	if (a->dp[0] > b) {
1.1    nonaka 		return MP_GT;
1.1    nonaka 	} else if (a->dp[0] < b) {
1.1    nonaka 		return MP_LT;
1.1    nonaka 	} else {
1.1    nonaka 		return MP_EQ;
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka static void
1.1    nonaka mp_clear_multi(mp_int *mp, ...)
1.1    nonaka {
1.1    nonaka 	mp_int* next_mp = mp;
1.1    nonaka 	va_list args;
1.1    nonaka
1.1    nonaka 	va_start(args, mp);
1.1    nonaka 	while (next_mp != NULL) {
1.1    nonaka 		mp_clear(next_mp);
1.1    nonaka 		next_mp = va_arg(args, mp_int*);
1.1    nonaka 	}
1.1    nonaka 	va_end(args);
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* computes the modular inverse via binary extended euclidean algorithm,
1.1    nonaka  * that is c = 1/a mod b
1.1    nonaka  *
1.1    nonaka  * Based on slow invmod except this is optimized for the case where b is
1.1    nonaka  * odd as per HAC Note 14.64 on pp. 610
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka fast_modular_inverse(mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	mp_int  x, y, u, v, B, D;
1.1    nonaka 	int     res, neg;
1.1    nonaka
1.1    nonaka 	/* 2. [modified] b must be odd   */
1.1    nonaka 	if (MP_ISZERO(b) == MP_YES) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* init all our temps */
1.1    nonaka 	if ((res = mp_init_multi(&x, &y, &u, &v, &B, &D, NULL)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* x == modulus, y == value to invert */
1.1    nonaka 	if ((res = mp_copy(b, &x)) != MP_OKAY) {
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* we need y = |a| */
1.1    nonaka 	if ((res = modulo(a, b, &y)) != MP_OKAY) {
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
1.1    nonaka 	if ((res = mp_copy(&x, &u)) != MP_OKAY) {
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = mp_copy(&y, &v)) != MP_OKAY) {
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka 	set_word(&D, 1);
1.1    nonaka
1.1    nonaka top:
1.1    nonaka 	/* 4.  while u is even do */
1.1    nonaka 	while (BN_is_even(&u) == 1) {
1.1    nonaka 		/* 4.1 u = u/2 */
1.1    nonaka 		if ((res = half(&u, &u)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 		/* 4.2 if B is odd then */
1.1    nonaka 		if (BN_is_odd(&B) == 1) {
1.1    nonaka 			if ((res = signed_subtract(&B, &x, &B)) != MP_OKAY) {
1.1    nonaka 				goto LBL_ERR;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 		/* B = B/2 */
1.1    nonaka 		if ((res = half(&B, &B)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* 5.  while v is even do */
1.1    nonaka 	while (BN_is_even(&v) == 1) {
1.1    nonaka 		/* 5.1 v = v/2 */
1.1    nonaka 		if ((res = half(&v, &v)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 		/* 5.2 if D is odd then */
1.1    nonaka 		if (BN_is_odd(&D) == 1) {
1.1    nonaka 			/* D = (D-x)/2 */
1.1    nonaka 			if ((res = signed_subtract(&D, &x, &D)) != MP_OKAY) {
1.1    nonaka 				goto LBL_ERR;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 		/* D = D/2 */
1.1    nonaka 		if ((res = half(&D, &D)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* 6.  if u >= v then */
1.1    nonaka 	if (signed_compare(&u, &v) != MP_LT) {
1.1    nonaka 		/* u = u - v, B = B - D */
1.1    nonaka 		if ((res = signed_subtract(&u, &v, &u)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if ((res = signed_subtract(&B, &D, &B)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	} else {
1.1    nonaka 		/* v - v - u, D = D - B */
1.1    nonaka 		if ((res = signed_subtract(&v, &u, &v)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if ((res = signed_subtract(&D, &B, &D)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if not zero goto step 4 */
1.1    nonaka 	if (MP_ISZERO(&u) == MP_NO) {
1.1    nonaka 		goto top;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now a = C, b = D, gcd == g*v */
1.1    nonaka
1.1    nonaka 	/* if v != 1 then there is no inverse */
1.1    nonaka 	if (compare_digit(&v, 1) != MP_EQ) {
1.1    nonaka 		res = MP_VAL;
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* b is now the inverse */
1.1    nonaka 	neg = a->sign;
1.1    nonaka 	while (D.sign == MP_NEG) {
1.1    nonaka 		if ((res = signed_add(&D, b, &D)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	mp_exch(&D, c);
1.1    nonaka 	c->sign = neg;
1.1    nonaka 	res = MP_OKAY;
1.1    nonaka
1.1    nonaka LBL_ERR:
1.1    nonaka 	mp_clear_multi (&x, &y, &u, &v, &B, &D, NULL);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* hac 14.61, pp608 */
1.1    nonaka static int
1.1    nonaka slow_modular_inverse(mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	mp_int  x, y, u, v, A, B, C, D;
1.1    nonaka 	int     res;
1.1    nonaka
1.1    nonaka 	/* b cannot be negative */
1.1    nonaka 	if (b->sign == MP_NEG || MP_ISZERO(b) == MP_YES) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* init temps */
1.1    nonaka 	if ((res = mp_init_multi(&x, &y, &u, &v,
1.1    nonaka 		   &A, &B, &C, &D, NULL)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* x = a, y = b */
1.1    nonaka 	if ((res = modulo(a, b, &x)) != MP_OKAY) {
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = mp_copy(b, &y)) != MP_OKAY) {
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* 2. [modified] if x,y are both even then return an error! */
1.1    nonaka 	if (BN_is_even(&x) == 1 && BN_is_even(&y) == 1) {
1.1    nonaka 		res = MP_VAL;
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
1.1    nonaka 	if ((res = mp_copy(&x, &u)) != MP_OKAY) {
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = mp_copy(&y, &v)) != MP_OKAY) {
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka 	set_word(&A, 1);
1.1    nonaka 	set_word(&D, 1);
1.1    nonaka
1.1    nonaka top:
1.1    nonaka 	/* 4.  while u is even do */
1.1    nonaka 	while (BN_is_even(&u) == 1) {
1.1    nonaka 		/* 4.1 u = u/2 */
1.1    nonaka 		if ((res = half(&u, &u)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 		/* 4.2 if A or B is odd then */
1.1    nonaka 		if (BN_is_odd(&A) == 1 || BN_is_odd(&B) == 1) {
1.1    nonaka 			/* A = (A+y)/2, B = (B-x)/2 */
1.1    nonaka 			if ((res = signed_add(&A, &y, &A)) != MP_OKAY) {
1.1    nonaka 				 goto LBL_ERR;
1.1    nonaka 			}
1.1    nonaka 			if ((res = signed_subtract(&B, &x, &B)) != MP_OKAY) {
1.1    nonaka 				 goto LBL_ERR;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 		/* A = A/2, B = B/2 */
1.1    nonaka 		if ((res = half(&A, &A)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 		if ((res = half(&B, &B)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* 5.  while v is even do */
1.1    nonaka 	while (BN_is_even(&v) == 1) {
1.1    nonaka 		/* 5.1 v = v/2 */
1.1    nonaka 		if ((res = half(&v, &v)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 		/* 5.2 if C or D is odd then */
1.1    nonaka 		if (BN_is_odd(&C) == 1 || BN_is_odd(&D) == 1) {
1.1    nonaka 			/* C = (C+y)/2, D = (D-x)/2 */
1.1    nonaka 			if ((res = signed_add(&C, &y, &C)) != MP_OKAY) {
1.1    nonaka 				 goto LBL_ERR;
1.1    nonaka 			}
1.1    nonaka 			if ((res = signed_subtract(&D, &x, &D)) != MP_OKAY) {
1.1    nonaka 				 goto LBL_ERR;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 		/* C = C/2, D = D/2 */
1.1    nonaka 		if ((res = half(&C, &C)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 		if ((res = half(&D, &D)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* 6.  if u >= v then */
1.1    nonaka 	if (signed_compare(&u, &v) != MP_LT) {
1.1    nonaka 		/* u = u - v, A = A - C, B = B - D */
1.1    nonaka 		if ((res = signed_subtract(&u, &v, &u)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if ((res = signed_subtract(&A, &C, &A)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if ((res = signed_subtract(&B, &D, &B)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	} else {
1.1    nonaka 		/* v - v - u, C = C - A, D = D - B */
1.1    nonaka 		if ((res = signed_subtract(&v, &u, &v)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if ((res = signed_subtract(&C, &A, &C)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if ((res = signed_subtract(&D, &B, &D)) != MP_OKAY) {
1.1    nonaka 			goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if not zero goto step 4 */
1.1    nonaka 	if (BN_is_zero(&u) == 0) {
1.1    nonaka 		goto top;
1.1    nonaka 	}
1.1    nonaka 	/* now a = C, b = D, gcd == g*v */
1.1    nonaka
1.1    nonaka 	/* if v != 1 then there is no inverse */
1.1    nonaka 	if (compare_digit(&v, 1) != MP_EQ) {
1.1    nonaka 		res = MP_VAL;
1.1    nonaka 		goto LBL_ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if its too low */
1.1    nonaka 	while (compare_digit(&C, 0) == MP_LT) {
1.1    nonaka 		if ((res = signed_add(&C, b, &C)) != MP_OKAY) {
1.1    nonaka 			 goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* too big */
1.1    nonaka 	while (compare_magnitude(&C, b) != MP_LT) {
1.1    nonaka 		if ((res = signed_subtract(&C, b, &C)) != MP_OKAY) {
1.1    nonaka 			 goto LBL_ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* C is now the inverse */
1.1    nonaka 	mp_exch(&C, c);
1.1    nonaka 	res = MP_OKAY;
1.1    nonaka LBL_ERR:
1.1    nonaka 	mp_clear_multi(&x, &y, &u, &v, &A, &B, &C, &D, NULL);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka static int
1.1    nonaka modular_inverse(mp_int *c, mp_int *a, mp_int *b)
1.1    nonaka {
1.1    nonaka 	/* b cannot be negative */
1.1    nonaka 	if (b->sign == MP_NEG || MP_ISZERO(b) == MP_YES) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if the modulus is odd we can use a faster routine instead */
1.1    nonaka 	if (BN_is_odd(b) == 1) {
1.1    nonaka 		return fast_modular_inverse(a, b, c);
1.1    nonaka 	}
1.1    nonaka 	return slow_modular_inverse(a, b, c);
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* b = |a|
1.1    nonaka  *
1.1    nonaka  * Simple function copies the input and fixes the sign to positive
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka absolute(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	int     res;
1.1    nonaka
1.1    nonaka 	/* copy a to b */
1.1    nonaka 	if (a != b) {
1.1    nonaka 		if ((res = mp_copy(a, b)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* force the sign of b to positive */
1.1    nonaka 	b->sign = MP_ZPOS;
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* determines if reduce_2k_l can be used */
1.1    nonaka static int
1.1    nonaka mp_reduce_is_2k_l(mp_int *a)
1.1    nonaka {
1.1    nonaka 	int ix, iy;
1.1    nonaka
1.1    nonaka 	if (a->used == 0) {
1.1    nonaka 		return MP_NO;
1.1    nonaka 	} else if (a->used == 1) {
1.1    nonaka 		return MP_YES;
1.1    nonaka 	} else if (a->used > 1) {
1.1    nonaka 		/* if more than half of the digits are -1 we're sold */
1.1    nonaka 		for (iy = ix = 0; ix < a->used; ix++) {
1.1    nonaka 			if (a->dp[ix] == MP_MASK) {
1.1    nonaka 				++iy;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 		return (iy >= (a->used/2)) ? MP_YES : MP_NO;
1.1    nonaka
1.1    nonaka 	}
1.1    nonaka 	return MP_NO;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* computes a = 2**b
1.1    nonaka  *
1.1    nonaka  * Simple algorithm which zeroes the int, grows it then just sets one bit
1.1    nonaka  * as required.
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka mp_2expt(mp_int * a, int b)
1.1    nonaka {
1.1    nonaka 	int     res;
1.1    nonaka
1.1    nonaka 	/* zero a as per default */
1.1    nonaka 	mp_zero(a);
1.1    nonaka
1.2  dholland 	/* grow a to accommodate the single bit */
1.1    nonaka 	if ((res = mp_grow(a, b / DIGIT_BIT + 1)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* set the used count of where the bit will go */
1.1    nonaka 	a->used = b / DIGIT_BIT + 1;
1.1    nonaka
1.1    nonaka 	/* put the single bit in its place */
1.1    nonaka 	a->dp[b / DIGIT_BIT] = ((mp_digit)1) << (b % DIGIT_BIT);
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* pre-calculate the value required for Barrett reduction
1.5    andvar  * For a given modulus "b" it calculates the value required in "a"
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka mp_reduce_setup(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	int     res;
1.1    nonaka
1.1    nonaka 	if ((res = mp_2expt(a, b->used * 2 * DIGIT_BIT)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka 	return signed_divide(a, NULL, a, b);
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* b = a*2 */
1.1    nonaka static int
1.1    nonaka doubled(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	int     x, res, oldused;
1.1    nonaka
1.2  dholland 	/* grow to accommodate result */
1.1    nonaka 	if (b->alloc < a->used + 1) {
1.1    nonaka 		if ((res = mp_grow(b, a->used + 1)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	oldused = b->used;
1.1    nonaka 	b->used = a->used;
1.1    nonaka
1.1    nonaka 	{
1.1    nonaka 		mp_digit r, rr, *tmpa, *tmpb;
1.1    nonaka
1.1    nonaka 		/* alias for source */
1.1    nonaka 		tmpa = a->dp;
1.1    nonaka
1.1    nonaka 		/* alias for dest */
1.1    nonaka 		tmpb = b->dp;
1.1    nonaka
1.1    nonaka 		/* carry */
1.1    nonaka 		r = 0;
1.1    nonaka 		for (x = 0; x < a->used; x++) {
1.1    nonaka
1.1    nonaka 			/* get what will be the *next* carry bit from the
1.1    nonaka 			* MSB of the current digit
1.1    nonaka 			*/
1.1    nonaka 			rr = *tmpa >> ((mp_digit)(DIGIT_BIT - 1));
1.1    nonaka
1.1    nonaka 			/* now shift up this digit, add in the carry [from the previous] */
1.1    nonaka 			*tmpb++ = ((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK;
1.1    nonaka
1.1    nonaka 			/* copy the carry that would be from the source
1.1    nonaka 			* digit into the next iteration
1.1    nonaka 			*/
1.1    nonaka 			r = rr;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* new leading digit? */
1.1    nonaka 		if (r != 0) {
1.1    nonaka 			/* add a MSB which is always 1 at this point */
1.1    nonaka 			*tmpb = 1;
1.1    nonaka 			++(b->used);
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* now zero any excess digits on the destination
1.1    nonaka 		* that we didn't write to
1.1    nonaka 		*/
1.1    nonaka 		tmpb = b->dp + b->used;
1.1    nonaka 		for (x = b->used; x < oldused; x++) {
1.1    nonaka 			*tmpb++ = 0;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	b->sign = a->sign;
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* divide by three (based on routine from MPI and the GMP manual) */
1.1    nonaka static int
1.1    nonaka third(mp_int * a, mp_int *c, mp_digit * d)
1.1    nonaka {
1.1    nonaka 	mp_int   q;
1.1    nonaka 	mp_word  w, t;
1.1    nonaka 	mp_digit b;
1.1    nonaka 	int      res, ix;
1.1    nonaka
1.1    nonaka 	/* b = 2**DIGIT_BIT / 3 */
1.1    nonaka 	b = (((mp_word)1) << ((mp_word)DIGIT_BIT)) / ((mp_word)3);
1.1    nonaka
1.1    nonaka 	if ((res = mp_init_size(&q, a->used)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	q.used = a->used;
1.1    nonaka 	q.sign = a->sign;
1.1    nonaka 	w = 0;
1.1    nonaka 	for (ix = a->used - 1; ix >= 0; ix--) {
1.1    nonaka 		w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]);
1.1    nonaka
1.1    nonaka 		if (w >= 3) {
1.1    nonaka 			/* multiply w by [1/3] */
1.1    nonaka 			t = (w * ((mp_word)b)) >> ((mp_word)DIGIT_BIT);
1.1    nonaka
1.1    nonaka 			/* now subtract 3 * [w/3] from w, to get the remainder */
1.1    nonaka 			w -= t+t+t;
1.1    nonaka
1.1    nonaka 			/* fixup the remainder as required since
1.1    nonaka 			* the optimization is not exact.
1.1    nonaka 			*/
1.1    nonaka 			while (w >= 3) {
1.1    nonaka 				t += 1;
1.1    nonaka 				w -= 3;
1.1    nonaka 			}
1.1    nonaka 		} else {
1.1    nonaka 			t = 0;
1.1    nonaka 		}
1.1    nonaka 		q.dp[ix] = (mp_digit)t;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* [optional] store the remainder */
1.1    nonaka 	if (d != NULL) {
1.1    nonaka 		*d = (mp_digit)w;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* [optional] store the quotient */
1.1    nonaka 	if (c != NULL) {
1.1    nonaka 		trim_unused_digits(&q);
1.1    nonaka 		mp_exch(&q, c);
1.1    nonaka 	}
1.1    nonaka 	mp_clear(&q);
1.1    nonaka
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* multiplication using the Toom-Cook 3-way algorithm
1.1    nonaka  *
1.1    nonaka  * Much more complicated than Karatsuba but has a lower
1.1    nonaka  * asymptotic running time of O(N**1.464).  This algorithm is
1.1    nonaka  * only particularly useful on VERY large inputs
1.1    nonaka  * (we're talking 1000s of digits here...).
1.1    nonaka */
1.1    nonaka static int
1.1    nonaka toom_cook_multiply(mp_int *a, mp_int *b, mp_int *c)
1.1    nonaka {
1.1    nonaka 	mp_int w0, w1, w2, w3, w4, tmp1, tmp2, a0, a1, a2, b0, b1, b2;
1.1    nonaka 	int res, B;
1.1    nonaka
1.1    nonaka 	/* init temps */
1.1    nonaka 	if ((res = mp_init_multi(&w0, &w1, &w2, &w3, &w4,
1.1    nonaka 			&a0, &a1, &a2, &b0, &b1,
1.1    nonaka 			&b2, &tmp1, &tmp2, NULL)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* B */
1.1    nonaka 	B = MIN(a->used, b->used) / 3;
1.1    nonaka
1.1    nonaka 	/* a = a2 * B**2 + a1 * B + a0 */
1.1    nonaka 	if ((res = modulo_2_to_power(a, DIGIT_BIT * B, &a0)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_copy(a, &a1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	rshift_digits(&a1, B);
1.1    nonaka 	modulo_2_to_power(&a1, DIGIT_BIT * B, &a1);
1.1    nonaka
1.1    nonaka 	if ((res = mp_copy(a, &a2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	rshift_digits(&a2, B*2);
1.1    nonaka
1.1    nonaka 	/* b = b2 * B**2 + b1 * B + b0 */
1.1    nonaka 	if ((res = modulo_2_to_power(b, DIGIT_BIT * B, &b0)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_copy(b, &b1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	rshift_digits(&b1, B);
1.1    nonaka 	modulo_2_to_power(&b1, DIGIT_BIT * B, &b1);
1.1    nonaka
1.1    nonaka 	if ((res = mp_copy(b, &b2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	rshift_digits(&b2, B*2);
1.1    nonaka
1.1    nonaka 	/* w0 = a0*b0 */
1.1    nonaka 	if ((res = signed_multiply(&a0, &b0, &w0)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* w4 = a2 * b2 */
1.1    nonaka 	if ((res = signed_multiply(&a2, &b2, &w4)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* w1 = (a2 + 2(a1 + 2a0))(b2 + 2(b1 + 2b0)) */
1.1    nonaka 	if ((res = doubled(&a0, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = doubled(&tmp1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a2, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = doubled(&b0, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp2, &b1, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = doubled(&tmp2, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp2, &b2, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = signed_multiply(&tmp1, &tmp2, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* w3 = (a0 + 2(a1 + 2a2))(b0 + 2(b1 + 2b2)) */
1.1    nonaka 	if ((res = doubled(&a2, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = doubled(&tmp1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a0, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = doubled(&b2, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp2, &b1, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = doubled(&tmp2, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp2, &b0, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = signed_multiply(&tmp1, &tmp2, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka
1.1    nonaka 	/* w2 = (a2 + a1 + a0)(b2 + b1 + b0) */
1.1    nonaka 	if ((res = signed_add(&a2, &a1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a0, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&b2, &b1, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp2, &b0, &tmp2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_multiply(&tmp1, &tmp2, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now solve the matrix
1.1    nonaka
1.1    nonaka 	0  0  0  0  1
1.1    nonaka 	1  2  4  8  16
1.1    nonaka 	1  1  1  1  1
1.1    nonaka 	16 8  4  2  1
1.1    nonaka 	1  0  0  0  0
1.1    nonaka
1.1    nonaka 	using 12 subtractions, 4 shifts,
1.1    nonaka 	2 small divisions and 1 small multiplication
1.1    nonaka 	*/
1.1    nonaka
1.1    nonaka 	/* r1 - r4 */
1.1    nonaka 	if ((res = signed_subtract(&w1, &w4, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3 - r0 */
1.1    nonaka 	if ((res = signed_subtract(&w3, &w0, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1/2 */
1.1    nonaka 	if ((res = half(&w1, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3/2 */
1.1    nonaka 	if ((res = half(&w3, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r2 - r0 - r4 */
1.1    nonaka 	if ((res = signed_subtract(&w2, &w0, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w2, &w4, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1 - r2 */
1.1    nonaka 	if ((res = signed_subtract(&w1, &w2, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3 - r2 */
1.1    nonaka 	if ((res = signed_subtract(&w3, &w2, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1 - 8r0 */
1.1    nonaka 	if ((res = lshift_bits(&w0, 3, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w1, &tmp1, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3 - 8r4 */
1.1    nonaka 	if ((res = lshift_bits(&w4, 3, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w3, &tmp1, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* 3r2 - r1 - r3 */
1.1    nonaka 	if ((res = multiply_digit(&w2, 3, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w2, &w1, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w2, &w3, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1 - r2 */
1.1    nonaka 	if ((res = signed_subtract(&w1, &w2, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3 - r2 */
1.1    nonaka 	if ((res = signed_subtract(&w3, &w2, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1/3 */
1.1    nonaka 	if ((res = third(&w1, &w1, NULL)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3/3 */
1.1    nonaka 	if ((res = third(&w3, &w3, NULL)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* at this point shift W[n] by B*n */
1.1    nonaka 	if ((res = lshift_digits(&w1, 1*B)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = lshift_digits(&w2, 2*B)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = lshift_digits(&w3, 3*B)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = lshift_digits(&w4, 4*B)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = signed_add(&w0, &w1, c)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&w2, &w3, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&w4, &tmp1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, c, c)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka ERR:
1.1    nonaka 	mp_clear_multi(&w0, &w1, &w2, &w3, &w4,
1.1    nonaka 		&a0, &a1, &a2, &b0, &b1,
1.1    nonaka 		&b2, &tmp1, &tmp2, NULL);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka #define TOOM_MUL_CUTOFF	350
1.1    nonaka #define KARATSUBA_MUL_CUTOFF 80
1.1    nonaka
1.1    nonaka /* c = |a| * |b| using Karatsuba Multiplication using
1.1    nonaka  * three half size multiplications
1.1    nonaka  *
1.1    nonaka  * Let B represent the radix [e.g. 2**DIGIT_BIT] and
1.1    nonaka  * let n represent half of the number of digits in
1.1    nonaka  * the min(a,b)
1.1    nonaka  *
1.1    nonaka  * a = a1 * B**n + a0
1.1    nonaka  * b = b1 * B**n + b0
1.1    nonaka  *
1.1    nonaka  * Then, a * b =>
1.1    nonaka    a1b1 * B**2n + ((a1 + a0)(b1 + b0) - (a0b0 + a1b1)) * B + a0b0
1.1    nonaka  *
1.1    nonaka  * Note that a1b1 and a0b0 are used twice and only need to be
1.1    nonaka  * computed once.  So in total three half size (half # of
1.1    nonaka  * digit) multiplications are performed, a0b0, a1b1 and
1.1    nonaka  * (a1+b1)(a0+b0)
1.1    nonaka  *
1.1    nonaka  * Note that a multiplication of half the digits requires
1.1    nonaka  * 1/4th the number of single precision multiplications so in
1.1    nonaka  * total after one call 25% of the single precision multiplications
1.1    nonaka  * are saved.  Note also that the call to signed_multiply can end up back
1.1    nonaka  * in this function if the a0, a1, b0, or b1 are above the threshold.
1.1    nonaka  * This is known as divide-and-conquer and leads to the famous
1.6    andvar  * O(N**lg(3)) or O(N**1.584) work which is asymptotically lower than
1.1    nonaka  * the standard O(N**2) that the baseline/comba methods use.
1.1    nonaka  * Generally though the overhead of this method doesn't pay off
1.1    nonaka  * until a certain size (N ~ 80) is reached.
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka karatsuba_multiply(mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	mp_int  x0, x1, y0, y1, t1, x0y0, x1y1;
1.1    nonaka 	int     B;
1.1    nonaka 	int     err;
1.1    nonaka
1.1    nonaka 	/* default the return code to an error */
1.1    nonaka 	err = MP_MEM;
1.1    nonaka
1.1    nonaka 	/* min # of digits */
1.1    nonaka 	B = MIN(a->used, b->used);
1.1    nonaka
1.1    nonaka 	/* now divide in two */
1.1    nonaka 	B = (int)((unsigned)B >> 1);
1.1    nonaka
1.1    nonaka 	/* init copy all the temps */
1.1    nonaka 	if (mp_init_size(&x0, B) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_size(&x1, a->used - B) != MP_OKAY) {
1.1    nonaka 		goto X0;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_size(&y0, B) != MP_OKAY) {
1.1    nonaka 		goto X1;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_size(&y1, b->used - B) != MP_OKAY) {
1.1    nonaka 		goto Y0;
1.1    nonaka 	}
1.1    nonaka 	/* init temps */
1.1    nonaka 	if (mp_init_size(&t1, B * 2) != MP_OKAY) {
1.1    nonaka 		goto Y1;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_size(&x0y0, B * 2) != MP_OKAY) {
1.1    nonaka 		goto T1;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_size(&x1y1, B * 2) != MP_OKAY) {
1.1    nonaka 		goto X0Y0;
1.1    nonaka 	}
1.1    nonaka 	/* now shift the digits */
1.1    nonaka 	x0.used = y0.used = B;
1.1    nonaka 	x1.used = a->used - B;
1.1    nonaka 	y1.used = b->used - B;
1.1    nonaka
1.1    nonaka 	{
1.1    nonaka 		int x;
1.1    nonaka 		mp_digit *tmpa, *tmpb, *tmpx, *tmpy;
1.1    nonaka
1.1    nonaka 		/* we copy the digits directly instead of using higher level functions
1.1    nonaka 		* since we also need to shift the digits
1.1    nonaka 		*/
1.1    nonaka 		tmpa = a->dp;
1.1    nonaka 		tmpb = b->dp;
1.1    nonaka
1.1    nonaka 		tmpx = x0.dp;
1.1    nonaka 		tmpy = y0.dp;
1.1    nonaka 		for (x = 0; x < B; x++) {
1.1    nonaka 			*tmpx++ = *tmpa++;
1.1    nonaka 			*tmpy++ = *tmpb++;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		tmpx = x1.dp;
1.1    nonaka 		for (x = B; x < a->used; x++) {
1.1    nonaka 			*tmpx++ = *tmpa++;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		tmpy = y1.dp;
1.1    nonaka 		for (x = B; x < b->used; x++) {
1.1    nonaka 			*tmpy++ = *tmpb++;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* only need to clamp the lower words since by definition the
1.1    nonaka 	* upper words x1/y1 must have a known number of digits
1.1    nonaka 	*/
1.1    nonaka 	trim_unused_digits(&x0);
1.1    nonaka 	trim_unused_digits(&y0);
1.1    nonaka
1.1    nonaka 	/* now calc the products x0y0 and x1y1 */
1.1    nonaka 	/* after this x0 is no longer required, free temp [x0==t2]! */
1.1    nonaka 	if (signed_multiply(&x0, &y0, &x0y0) != MP_OKAY)  {
1.1    nonaka 		goto X1Y1;          /* x0y0 = x0*y0 */
1.1    nonaka 	}
1.1    nonaka 	if (signed_multiply(&x1, &y1, &x1y1) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* x1y1 = x1*y1 */
1.1    nonaka 	}
1.1    nonaka 	/* now calc x1+x0 and y1+y0 */
1.1    nonaka 	if (basic_add(&x1, &x0, &t1) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* t1 = x1 - x0 */
1.1    nonaka 	}
1.1    nonaka 	if (basic_add(&y1, &y0, &x0) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* t2 = y1 - y0 */
1.1    nonaka 	}
1.1    nonaka 	if (signed_multiply(&t1, &x0, &t1) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* t1 = (x1 + x0) * (y1 + y0) */
1.1    nonaka 	}
1.1    nonaka 	/* add x0y0 */
1.1    nonaka 	if (signed_add(&x0y0, &x1y1, &x0) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* t2 = x0y0 + x1y1 */
1.1    nonaka 	}
1.1    nonaka 	if (basic_subtract(&t1, &x0, &t1) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* t1 = (x1+x0)*(y1+y0) - (x1y1 + x0y0) */
1.1    nonaka 	}
1.1    nonaka 	/* shift by B */
1.1    nonaka 	if (lshift_digits(&t1, B) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* t1 = (x0y0 + x1y1 - (x1-x0)*(y1-y0))<<B */
1.1    nonaka 	}
1.1    nonaka 	if (lshift_digits(&x1y1, B * 2) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* x1y1 = x1y1 << 2*B */
1.1    nonaka 	}
1.1    nonaka 	if (signed_add(&x0y0, &t1, &t1) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* t1 = x0y0 + t1 */
1.1    nonaka 	}
1.1    nonaka 	if (signed_add(&t1, &x1y1, c) != MP_OKAY) {
1.1    nonaka 		goto X1Y1;          /* t1 = x0y0 + t1 + x1y1 */
1.1    nonaka 	}
1.1    nonaka 	/* Algorithm succeeded set the return code to MP_OKAY */
1.1    nonaka 	err = MP_OKAY;
1.1    nonaka
1.1    nonaka X1Y1:
1.1    nonaka 	mp_clear(&x1y1);
1.1    nonaka X0Y0:
1.1    nonaka 	mp_clear(&x0y0);
1.1    nonaka T1:
1.1    nonaka 	mp_clear(&t1);
1.1    nonaka Y1:
1.1    nonaka 	mp_clear(&y1);
1.1    nonaka Y0:
1.1    nonaka 	mp_clear(&y0);
1.1    nonaka X1:
1.1    nonaka 	mp_clear(&x1);
1.1    nonaka X0:
1.1    nonaka 	mp_clear(&x0);
1.1    nonaka ERR:
1.1    nonaka 	return err;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Fast (comba) multiplier
1.1    nonaka  *
1.1    nonaka  * This is the fast column-array [comba] multiplier.  It is
1.1    nonaka  * designed to compute the columns of the product first
1.1    nonaka  * then handle the carries afterwards.  This has the effect
1.1    nonaka  * of making the nested loops that compute the columns very
1.1    nonaka  * simple and schedulable on super-scalar processors.
1.1    nonaka  *
1.1    nonaka  * This has been modified to produce a variable number of
1.1    nonaka  * digits of output so if say only a half-product is required
1.1    nonaka  * you don't have to compute the upper half (a feature
1.1    nonaka  * required for fast Barrett reduction).
1.1    nonaka  *
1.1    nonaka  * Based on Algorithm 14.12 on pp.595 of HAC.
1.1    nonaka  *
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka fast_col_array_multiply(mp_int * a, mp_int * b, mp_int * c, int digs)
1.1    nonaka {
1.1    nonaka 	int     olduse, res, pa, ix, iz;
1.1    nonaka 	/*LINTED*/
1.1    nonaka 	mp_digit W[MP_WARRAY];
1.1    nonaka 	mp_word  _W;
1.1    nonaka
1.1    nonaka 	/* grow the destination as required */
1.1    nonaka 	if (c->alloc < digs) {
1.1    nonaka 		if ((res = mp_grow(c, digs)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* number of output digits to produce */
1.1    nonaka 	pa = MIN(digs, a->used + b->used);
1.1    nonaka
1.1    nonaka 	/* clear the carry */
1.1    nonaka 	_W = 0;
1.1    nonaka 	for (ix = 0; ix < pa; ix++) {
1.1    nonaka 		int      tx, ty;
1.1    nonaka 		int      iy;
1.1    nonaka 		mp_digit *tmpx, *tmpy;
1.1    nonaka
1.1    nonaka 		/* get offsets into the two bignums */
1.1    nonaka 		ty = MIN(b->used-1, ix);
1.1    nonaka 		tx = ix - ty;
1.1    nonaka
1.1    nonaka 		/* setup temp aliases */
1.1    nonaka 		tmpx = a->dp + tx;
1.1    nonaka 		tmpy = b->dp + ty;
1.1    nonaka
1.6    andvar 		/* this is the number of times the loop will iterate, essentially
1.1    nonaka 		while (tx++ < a->used && ty-- >= 0) { ... }
1.1    nonaka 		*/
1.1    nonaka 		iy = MIN(a->used-tx, ty+1);
1.1    nonaka
1.1    nonaka 		/* execute loop */
1.1    nonaka 		for (iz = 0; iz < iy; ++iz) {
1.1    nonaka 			_W += ((mp_word)*tmpx++)*((mp_word)*tmpy--);
1.1    nonaka
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* store term */
1.1    nonaka 		W[ix] = ((mp_digit)_W) & MP_MASK;
1.1    nonaka
1.1    nonaka 		/* make next carry */
1.1    nonaka 		_W = _W >> ((mp_word)DIGIT_BIT);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* setup dest */
1.1    nonaka 	olduse  = c->used;
1.1    nonaka 	c->used = pa;
1.1    nonaka
1.1    nonaka 	{
1.1    nonaka 		mp_digit *tmpc;
1.1    nonaka 		tmpc = c->dp;
1.1    nonaka 		for (ix = 0; ix < pa+1; ix++) {
1.1    nonaka 			/* now extract the previous digit [below the carry] */
1.3       mrg 			*tmpc++ = (ix < pa) ? W[ix] : 0;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* clear unused digits [that existed in the old copy of c] */
1.1    nonaka 		for (; ix < olduse; ix++) {
1.1    nonaka 			*tmpc++ = 0;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* return 1 if we can use fast column array multiply */
1.1    nonaka /*
1.1    nonaka * The fast multiplier can be used if the output will
1.1    nonaka * have less than MP_WARRAY digits and the number of
1.1    nonaka * digits won't affect carry propagation
1.1    nonaka */
1.1    nonaka static inline int
1.1    nonaka can_use_fast_column_array(int ndigits, int used)
1.1    nonaka {
1.1    nonaka 	return (((unsigned)ndigits < MP_WARRAY) &&
1.1    nonaka 		used < (1 << (unsigned)((CHAR_BIT * sizeof(mp_word)) - (2 * DIGIT_BIT))));
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_fast_s_mp_mul_digs.c,v $ */
1.1    nonaka /* Revision: 1.2 $ */
1.1    nonaka /* Date: 2011/03/18 16:22:09 $ */
1.1    nonaka
1.1    nonaka
1.1    nonaka /* multiplies |a| * |b| and only computes upto digs digits of result
1.1    nonaka  * HAC pp. 595, Algorithm 14.12  Modified so you can control how
1.1    nonaka  * many digits of output are created.
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka basic_multiply_partial_lower(mp_int * a, mp_int * b, mp_int * c, int digs)
1.1    nonaka {
1.1    nonaka 	mp_int  t;
1.1    nonaka 	int     res, pa, pb, ix, iy;
1.1    nonaka 	mp_digit u;
1.1    nonaka 	mp_word r;
1.1    nonaka 	mp_digit tmpx, *tmpt, *tmpy;
1.1    nonaka
1.1    nonaka 	/* can we use the fast multiplier? */
1.1    nonaka 	if (can_use_fast_column_array(digs, MIN(a->used, b->used))) {
1.1    nonaka 		return fast_col_array_multiply(a, b, c, digs);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_init_size(&t, digs)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka 	t.used = digs;
1.1    nonaka
1.1    nonaka 	/* compute the digits of the product directly */
1.1    nonaka 	pa = a->used;
1.1    nonaka 	for (ix = 0; ix < pa; ix++) {
1.1    nonaka 		/* set the carry to zero */
1.1    nonaka 		u = 0;
1.1    nonaka
1.1    nonaka 		/* limit ourselves to making digs digits of output */
1.1    nonaka 		pb = MIN(b->used, digs - ix);
1.1    nonaka
1.1    nonaka 		/* setup some aliases */
1.1    nonaka 		/* copy of the digit from a used within the nested loop */
1.1    nonaka 		tmpx = a->dp[ix];
1.1    nonaka
1.1    nonaka 		/* an alias for the destination shifted ix places */
1.1    nonaka 		tmpt = t.dp + ix;
1.1    nonaka
1.1    nonaka 		/* an alias for the digits of b */
1.1    nonaka 		tmpy = b->dp;
1.1    nonaka
1.1    nonaka 		/* compute the columns of the output and propagate the carry */
1.1    nonaka 		for (iy = 0; iy < pb; iy++) {
1.1    nonaka 			/* compute the column as a mp_word */
1.1    nonaka 			r = ((mp_word)*tmpt) +
1.1    nonaka 				((mp_word)tmpx) * ((mp_word)*tmpy++) +
1.1    nonaka 				((mp_word) u);
1.1    nonaka
1.1    nonaka 			/* the new column is the lower part of the result */
1.1    nonaka 			*tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
1.1    nonaka
1.1    nonaka 			/* get the carry word from the result */
1.1    nonaka 			u = (mp_digit) (r >> ((mp_word) DIGIT_BIT));
1.1    nonaka 		}
1.1    nonaka 		/* set carry if it is placed below digs */
1.1    nonaka 		if (ix + iy < digs) {
1.1    nonaka 			*tmpt = u;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	trim_unused_digits(&t);
1.1    nonaka 	mp_exch(&t, c);
1.1    nonaka
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_s_mp_mul_digs.c,v $ */
1.1    nonaka /* Revision: 1.3 $ */
1.1    nonaka /* Date: 2011/03/18 16:43:04 $ */
1.1    nonaka
1.1    nonaka /* high level multiplication (handles sign) */
1.1    nonaka static int
1.1    nonaka signed_multiply(mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	int     res, neg;
1.1    nonaka
1.1    nonaka 	neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG;
1.1    nonaka 	/* use Toom-Cook? */
1.1    nonaka 	if (MIN(a->used, b->used) >= TOOM_MUL_CUTOFF) {
1.1    nonaka 		res = toom_cook_multiply(a, b, c);
1.1    nonaka 	} else if (MIN(a->used, b->used) >= KARATSUBA_MUL_CUTOFF) {
1.1    nonaka 		/* use Karatsuba? */
1.1    nonaka 		res = karatsuba_multiply(a, b, c);
1.1    nonaka 	} else {
1.1    nonaka 		/* can we use the fast multiplier? */
1.1    nonaka 		int     digs = a->used + b->used + 1;
1.1    nonaka
1.1    nonaka 		if (can_use_fast_column_array(digs, MIN(a->used, b->used))) {
1.1    nonaka 			res = fast_col_array_multiply(a, b, c, digs);
1.1    nonaka 		} else  {
1.1    nonaka 			res = basic_multiply_partial_lower(a, b, c, (a)->used + (b)->used + 1);
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	c->sign = (c->used > 0) ? neg : MP_ZPOS;
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* this is a modified version of fast_s_mul_digs that only produces
1.1    nonaka  * output digits *above* digs.  See the comments for fast_s_mul_digs
1.1    nonaka  * to see how it works.
1.1    nonaka  *
1.1    nonaka  * This is used in the Barrett reduction since for one of the multiplications
1.1    nonaka  * only the higher digits were needed.  This essentially halves the work.
1.1    nonaka  *
1.1    nonaka  * Based on Algorithm 14.12 on pp.595 of HAC.
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka fast_basic_multiply_partial_upper(mp_int * a, mp_int * b, mp_int * c, int digs)
1.1    nonaka {
1.1    nonaka 	int     olduse, res, pa, ix, iz;
1.1    nonaka 	mp_digit W[MP_WARRAY];
1.1    nonaka 	mp_word  _W;
1.1    nonaka
1.1    nonaka 	/* grow the destination as required */
1.1    nonaka 	pa = a->used + b->used;
1.1    nonaka 	if (c->alloc < pa) {
1.1    nonaka 		if ((res = mp_grow(c, pa)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* number of output digits to produce */
1.1    nonaka 	pa = a->used + b->used;
1.1    nonaka 	_W = 0;
1.1    nonaka 	for (ix = digs; ix < pa; ix++) {
1.1    nonaka 		int      tx, ty, iy;
1.1    nonaka 		mp_digit *tmpx, *tmpy;
1.1    nonaka
1.1    nonaka 		/* get offsets into the two bignums */
1.1    nonaka 		ty = MIN(b->used-1, ix);
1.1    nonaka 		tx = ix - ty;
1.1    nonaka
1.1    nonaka 		/* setup temp aliases */
1.1    nonaka 		tmpx = a->dp + tx;
1.1    nonaka 		tmpy = b->dp + ty;
1.1    nonaka
1.6    andvar 		/* this is the number of times the loop will iterate, essentially its
1.1    nonaka 		 while (tx++ < a->used && ty-- >= 0) { ... }
1.1    nonaka 		*/
1.1    nonaka 		iy = MIN(a->used-tx, ty+1);
1.1    nonaka
1.1    nonaka 		/* execute loop */
1.1    nonaka 		for (iz = 0; iz < iy; iz++) {
1.1    nonaka 			 _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--);
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* store term */
1.1    nonaka 		W[ix] = ((mp_digit)_W) & MP_MASK;
1.1    nonaka
1.1    nonaka 		/* make next carry */
1.1    nonaka 		_W = _W >> ((mp_word)DIGIT_BIT);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* setup dest */
1.1    nonaka 	olduse  = c->used;
1.1    nonaka 	c->used = pa;
1.1    nonaka
1.1    nonaka 	{
1.1    nonaka 		mp_digit *tmpc;
1.1    nonaka
1.1    nonaka 		tmpc = c->dp + digs;
1.1    nonaka 		for (ix = digs; ix < pa; ix++) {
1.1    nonaka 			/* now extract the previous digit [below the carry] */
1.1    nonaka 			*tmpc++ = W[ix];
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* clear unused digits [that existed in the old copy of c] */
1.1    nonaka 		for (; ix < olduse; ix++) {
1.1    nonaka 			*tmpc++ = 0;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_fast_s_mp_mul_high_digs.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* multiplies |a| * |b| and does not compute the lower digs digits
1.1    nonaka  * [meant to get the higher part of the product]
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka basic_multiply_partial_upper(mp_int * a, mp_int * b, mp_int * c, int digs)
1.1    nonaka {
1.1    nonaka 	mp_int  t;
1.1    nonaka 	int     res, pa, pb, ix, iy;
1.1    nonaka 	mp_digit carry;
1.1    nonaka 	mp_word r;
1.1    nonaka 	mp_digit tmpx, *tmpt, *tmpy;
1.1    nonaka
1.1    nonaka 	/* can we use the fast multiplier? */
1.1    nonaka 	if (can_use_fast_column_array(a->used + b->used + 1, MIN(a->used, b->used))) {
1.1    nonaka 		return fast_basic_multiply_partial_upper(a, b, c, digs);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_init_size(&t, a->used + b->used + 1)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka 	t.used = a->used + b->used + 1;
1.1    nonaka
1.1    nonaka 	pa = a->used;
1.1    nonaka 	pb = b->used;
1.1    nonaka 	for (ix = 0; ix < pa; ix++) {
1.1    nonaka 		/* clear the carry */
1.1    nonaka 		carry = 0;
1.1    nonaka
1.1    nonaka 		/* left hand side of A[ix] * B[iy] */
1.1    nonaka 		tmpx = a->dp[ix];
1.1    nonaka
1.1    nonaka 		/* alias to the address of where the digits will be stored */
1.1    nonaka 		tmpt = &(t.dp[digs]);
1.1    nonaka
1.1    nonaka 		/* alias for where to read the right hand side from */
1.1    nonaka 		tmpy = b->dp + (digs - ix);
1.1    nonaka
1.1    nonaka 		for (iy = digs - ix; iy < pb; iy++) {
1.1    nonaka 			/* calculate the double precision result */
1.1    nonaka 			r = ((mp_word)*tmpt) +
1.1    nonaka 				((mp_word)tmpx) * ((mp_word)*tmpy++) +
1.1    nonaka 				((mp_word) carry);
1.1    nonaka
1.1    nonaka 			/* get the lower part */
1.1    nonaka 			*tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
1.1    nonaka
1.1    nonaka 			/* carry the carry */
1.1    nonaka 			carry = (mp_digit) (r >> ((mp_word) DIGIT_BIT));
1.1    nonaka 		}
1.1    nonaka 		*tmpt = carry;
1.1    nonaka 	}
1.1    nonaka 	trim_unused_digits(&t);
1.1    nonaka 	mp_exch(&t, c);
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_s_mp_mul_high_digs.c,v $ */
1.1    nonaka /* Revision: 1.3 $ */
1.1    nonaka /* Date: 2011/03/18 16:43:04 $ */
1.1    nonaka
1.1    nonaka /* reduces x mod m, assumes 0 < x < m**2, mu is
1.1    nonaka  * precomputed via mp_reduce_setup.
1.1    nonaka  * From HAC pp.604 Algorithm 14.42
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka mp_reduce(mp_int * x, mp_int * m, mp_int * mu)
1.1    nonaka {
1.1    nonaka 	mp_int  q;
1.1    nonaka 	int     res, um = m->used;
1.1    nonaka
1.1    nonaka 	/* q = x */
1.1    nonaka 	if ((res = mp_init_copy(&q, x)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* q1 = x / b**(k-1)  */
1.1    nonaka 	rshift_digits(&q, um - 1);
1.1    nonaka
1.1    nonaka 	/* according to HAC this optimization is ok */
1.1    nonaka 	if (((unsigned long) um) > (((mp_digit)1) << (DIGIT_BIT - 1))) {
1.1    nonaka 		if ((res = signed_multiply(&q, mu, &q)) != MP_OKAY) {
1.1    nonaka 			goto CLEANUP;
1.1    nonaka 		}
1.1    nonaka 	} else {
1.1    nonaka 		if ((res = basic_multiply_partial_upper(&q, mu, &q, um)) != MP_OKAY) {
1.1    nonaka 			goto CLEANUP;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* q3 = q2 / b**(k+1) */
1.1    nonaka 	rshift_digits(&q, um + 1);
1.1    nonaka
1.1    nonaka 	/* x = x mod b**(k+1), quick (no division) */
1.1    nonaka 	if ((res = modulo_2_to_power(x, DIGIT_BIT * (um + 1), x)) != MP_OKAY) {
1.1    nonaka 		goto CLEANUP;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* q = q * m mod b**(k+1), quick (no division) */
1.1    nonaka 	if ((res = basic_multiply_partial_lower(&q, m, &q, um + 1)) != MP_OKAY) {
1.1    nonaka 		goto CLEANUP;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* x = x - q */
1.1    nonaka 	if ((res = signed_subtract(x, &q, x)) != MP_OKAY) {
1.1    nonaka 		goto CLEANUP;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* If x < 0, add b**(k+1) to it */
1.1    nonaka 	if (compare_digit(x, 0) == MP_LT) {
1.1    nonaka 		set_word(&q, 1);
1.1    nonaka 		if ((res = lshift_digits(&q, um + 1)) != MP_OKAY) {
1.1    nonaka 			goto CLEANUP;
1.1    nonaka 		}
1.1    nonaka 		if ((res = signed_add(x, &q, x)) != MP_OKAY) {
1.1    nonaka 			goto CLEANUP;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* Back off if it's too big */
1.1    nonaka 	while (signed_compare(x, m) != MP_LT) {
1.1    nonaka 		if ((res = basic_subtract(x, m, x)) != MP_OKAY) {
1.1    nonaka 			goto CLEANUP;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka CLEANUP:
1.1    nonaka 	mp_clear(&q);
1.1    nonaka
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* determines the setup value */
1.1    nonaka static int
1.1    nonaka mp_reduce_2k_setup_l(mp_int *a, mp_int *d)
1.1    nonaka {
1.1    nonaka 	int    res;
1.1    nonaka 	mp_int tmp;
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&tmp)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_2expt(&tmp, mp_count_bits(a))) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = basic_subtract(&tmp, a, d)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka ERR:
1.1    nonaka 	mp_clear(&tmp);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_reduce_2k_setup_l.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* reduces a modulo n where n is of the form 2**p - d
1.1    nonaka    This differs from reduce_2k since "d" can be larger
1.1    nonaka    than a single digit.
1.1    nonaka */
1.1    nonaka static int
1.1    nonaka mp_reduce_2k_l(mp_int *a, mp_int *n, mp_int *d)
1.1    nonaka {
1.1    nonaka 	mp_int q;
1.1    nonaka 	int    p, res;
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&q)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	p = mp_count_bits(n);
1.1    nonaka top:
1.1    nonaka 	/* q = a/2**p, a = a mod 2**p */
1.1    nonaka 	if ((res = rshift_bits(a, p, &q, a)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* q = q * d */
1.1    nonaka 	if ((res = signed_multiply(&q, d, &q)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* a = a + q */
1.1    nonaka 	if ((res = basic_add(a, &q, a)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (compare_magnitude(a, n) != MP_LT) {
1.1    nonaka 		basic_subtract(a, n, a);
1.1    nonaka 		goto top;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka ERR:
1.1    nonaka 	mp_clear(&q);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_reduce_2k_l.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* squaring using Toom-Cook 3-way algorithm */
1.1    nonaka static int
1.1    nonaka toom_cook_square(mp_int *a, mp_int *b)
1.1    nonaka {
1.1    nonaka 	mp_int w0, w1, w2, w3, w4, tmp1, a0, a1, a2;
1.1    nonaka 	int res, B;
1.1    nonaka
1.1    nonaka 	/* init temps */
1.1    nonaka 	if ((res = mp_init_multi(&w0, &w1, &w2, &w3, &w4, &a0, &a1, &a2, &tmp1, NULL)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* B */
1.1    nonaka 	B = a->used / 3;
1.1    nonaka
1.1    nonaka 	/* a = a2 * B**2 + a1 * B + a0 */
1.1    nonaka 	if ((res = modulo_2_to_power(a, DIGIT_BIT * B, &a0)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_copy(a, &a1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	rshift_digits(&a1, B);
1.1    nonaka 	modulo_2_to_power(&a1, DIGIT_BIT * B, &a1);
1.1    nonaka
1.1    nonaka 	if ((res = mp_copy(a, &a2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	rshift_digits(&a2, B*2);
1.1    nonaka
1.1    nonaka 	/* w0 = a0*a0 */
1.1    nonaka 	if ((res = square(&a0, &w0)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* w4 = a2 * a2 */
1.1    nonaka 	if ((res = square(&a2, &w4)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* w1 = (a2 + 2(a1 + 2a0))**2 */
1.1    nonaka 	if ((res = doubled(&a0, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = doubled(&tmp1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a2, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = square(&tmp1, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* w3 = (a0 + 2(a1 + 2a2))**2 */
1.1    nonaka 	if ((res = doubled(&a2, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = doubled(&tmp1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a0, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = square(&tmp1, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka
1.1    nonaka 	/* w2 = (a2 + a1 + a0)**2 */
1.1    nonaka 	if ((res = signed_add(&a2, &a1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, &a0, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = square(&tmp1, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now solve the matrix
1.1    nonaka
1.1    nonaka 	0  0  0  0  1
1.1    nonaka 	1  2  4  8  16
1.1    nonaka 	1  1  1  1  1
1.1    nonaka 	16 8  4  2  1
1.1    nonaka 	1  0  0  0  0
1.1    nonaka
1.1    nonaka 	using 12 subtractions, 4 shifts, 2 small divisions and 1 small multiplication.
1.1    nonaka 	*/
1.1    nonaka
1.1    nonaka 	/* r1 - r4 */
1.1    nonaka 	if ((res = signed_subtract(&w1, &w4, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3 - r0 */
1.1    nonaka 	if ((res = signed_subtract(&w3, &w0, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1/2 */
1.1    nonaka 	if ((res = half(&w1, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3/2 */
1.1    nonaka 	if ((res = half(&w3, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r2 - r0 - r4 */
1.1    nonaka 	if ((res = signed_subtract(&w2, &w0, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w2, &w4, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1 - r2 */
1.1    nonaka 	if ((res = signed_subtract(&w1, &w2, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3 - r2 */
1.1    nonaka 	if ((res = signed_subtract(&w3, &w2, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1 - 8r0 */
1.1    nonaka 	if ((res = lshift_bits(&w0, 3, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w1, &tmp1, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3 - 8r4 */
1.1    nonaka 	if ((res = lshift_bits(&w4, 3, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w3, &tmp1, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* 3r2 - r1 - r3 */
1.1    nonaka 	if ((res = multiply_digit(&w2, 3, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w2, &w1, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_subtract(&w2, &w3, &w2)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1 - r2 */
1.1    nonaka 	if ((res = signed_subtract(&w1, &w2, &w1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3 - r2 */
1.1    nonaka 	if ((res = signed_subtract(&w3, &w2, &w3)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r1/3 */
1.1    nonaka 	if ((res = third(&w1, &w1, NULL)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	/* r3/3 */
1.1    nonaka 	if ((res = third(&w3, &w3, NULL)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* at this point shift W[n] by B*n */
1.1    nonaka 	if ((res = lshift_digits(&w1, 1*B)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = lshift_digits(&w2, 2*B)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = lshift_digits(&w3, 3*B)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = lshift_digits(&w4, 4*B)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = signed_add(&w0, &w1, b)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&w2, &w3, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&w4, &tmp1, &tmp1)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if ((res = signed_add(&tmp1, b, b)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka ERR:
1.1    nonaka 	mp_clear_multi(&w0, &w1, &w2, &w3, &w4, &a0, &a1, &a2, &tmp1, NULL);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_toom_sqr.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* Karatsuba squaring, computes b = a*a using three
1.1    nonaka  * half size squarings
1.1    nonaka  *
1.1    nonaka  * See comments of karatsuba_mul for details.  It
1.1    nonaka  * is essentially the same algorithm but merely
1.1    nonaka  * tuned to perform recursive squarings.
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka karatsuba_square(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	mp_int  x0, x1, t1, t2, x0x0, x1x1;
1.1    nonaka 	int     B, err;
1.1    nonaka
1.1    nonaka 	err = MP_MEM;
1.1    nonaka
1.1    nonaka 	/* min # of digits */
1.1    nonaka 	B = a->used;
1.1    nonaka
1.1    nonaka 	/* now divide in two */
1.1    nonaka 	B = (unsigned)B >> 1;
1.1    nonaka
1.1    nonaka 	/* init copy all the temps */
1.1    nonaka 	if (mp_init_size(&x0, B) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_size(&x1, a->used - B) != MP_OKAY) {
1.1    nonaka 		goto X0;
1.1    nonaka 	}
1.1    nonaka 	/* init temps */
1.1    nonaka 	if (mp_init_size(&t1, a->used * 2) != MP_OKAY) {
1.1    nonaka 		goto X1;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_size(&t2, a->used * 2) != MP_OKAY) {
1.1    nonaka 		goto T1;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_size(&x0x0, B * 2) != MP_OKAY) {
1.1    nonaka 		goto T2;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_size(&x1x1, (a->used - B) * 2) != MP_OKAY) {
1.1    nonaka 		goto X0X0;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	memcpy(x0.dp, a->dp, B * sizeof(*x0.dp));
1.1    nonaka 	memcpy(x1.dp, &a->dp[B], (a->used - B) * sizeof(*x1.dp));
1.1    nonaka
1.1    nonaka 	x0.used = B;
1.1    nonaka 	x1.used = a->used - B;
1.1    nonaka
1.1    nonaka 	trim_unused_digits(&x0);
1.1    nonaka
1.1    nonaka 	/* now calc the products x0*x0 and x1*x1 */
1.1    nonaka 	if (square(&x0, &x0x0) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* x0x0 = x0*x0 */
1.1    nonaka 	}
1.1    nonaka 	if (square(&x1, &x1x1) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* x1x1 = x1*x1 */
1.1    nonaka 	}
1.1    nonaka 	/* now calc (x1+x0)**2 */
1.1    nonaka 	if (basic_add(&x1, &x0, &t1) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* t1 = x1 - x0 */
1.1    nonaka 	}
1.1    nonaka 	if (square(&t1, &t1) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* t1 = (x1 - x0) * (x1 - x0) */
1.1    nonaka 	}
1.1    nonaka 	/* add x0y0 */
1.1    nonaka 	if (basic_add(&x0x0, &x1x1, &t2) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* t2 = x0x0 + x1x1 */
1.1    nonaka 	}
1.1    nonaka 	if (basic_subtract(&t1, &t2, &t1) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* t1 = (x1+x0)**2 - (x0x0 + x1x1) */
1.1    nonaka 	}
1.1    nonaka 	/* shift by B */
1.1    nonaka 	if (lshift_digits(&t1, B) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* t1 = (x0x0 + x1x1 - (x1-x0)*(x1-x0))<<B */
1.1    nonaka 	}
1.1    nonaka 	if (lshift_digits(&x1x1, B * 2) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* x1x1 = x1x1 << 2*B */
1.1    nonaka 	}
1.1    nonaka 	if (signed_add(&x0x0, &t1, &t1) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* t1 = x0x0 + t1 */
1.1    nonaka 	}
1.1    nonaka 	if (signed_add(&t1, &x1x1, b) != MP_OKAY) {
1.1    nonaka 		goto X1X1;           /* t1 = x0x0 + t1 + x1x1 */
1.1    nonaka 	}
1.1    nonaka 	err = MP_OKAY;
1.1    nonaka
1.1    nonaka X1X1:
1.1    nonaka 	mp_clear(&x1x1);
1.1    nonaka X0X0:
1.1    nonaka 	mp_clear(&x0x0);
1.1    nonaka T2:
1.1    nonaka 	mp_clear(&t2);
1.1    nonaka T1:
1.1    nonaka 	mp_clear(&t1);
1.1    nonaka X1:
1.1    nonaka 	mp_clear(&x1);
1.1    nonaka X0:
1.1    nonaka 	mp_clear(&x0);
1.1    nonaka ERR:
1.1    nonaka 	return err;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_karatsuba_sqr.c,v $ */
1.1    nonaka /* Revision: 1.2 $ */
1.1    nonaka /* Date: 2011/03/12 23:43:54 $ */
1.1    nonaka
1.1    nonaka /* the jist of squaring...
1.1    nonaka  * you do like mult except the offset of the tmpx [one that
1.1    nonaka  * starts closer to zero] can't equal the offset of tmpy.
1.1    nonaka  * So basically you set up iy like before then you min it with
1.1    nonaka  * (ty-tx) so that it never happens.  You double all those
1.1    nonaka  * you add in the inner loop
1.1    nonaka
1.1    nonaka After that loop you do the squares and add them in.
1.1    nonaka */
1.1    nonaka
1.1    nonaka static int
1.1    nonaka fast_basic_square(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	int       olduse, res, pa, ix, iz;
1.1    nonaka 	mp_digit   W[MP_WARRAY], *tmpx;
1.1    nonaka 	mp_word   W1;
1.1    nonaka
1.1    nonaka 	/* grow the destination as required */
1.1    nonaka 	pa = a->used + a->used;
1.1    nonaka 	if (b->alloc < pa) {
1.1    nonaka 		if ((res = mp_grow(b, pa)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* number of output digits to produce */
1.1    nonaka 	W1 = 0;
1.1    nonaka 	for (ix = 0; ix < pa; ix++) {
1.1    nonaka 		int      tx, ty, iy;
1.1    nonaka 		mp_word  _W;
1.1    nonaka 		mp_digit *tmpy;
1.1    nonaka
1.1    nonaka 		/* clear counter */
1.1    nonaka 		_W = 0;
1.1    nonaka
1.1    nonaka 		/* get offsets into the two bignums */
1.1    nonaka 		ty = MIN(a->used-1, ix);
1.1    nonaka 		tx = ix - ty;
1.1    nonaka
1.1    nonaka 		/* setup temp aliases */
1.1    nonaka 		tmpx = a->dp + tx;
1.1    nonaka 		tmpy = a->dp + ty;
1.1    nonaka
1.6    andvar 		/* this is the number of times the loop will iterate, essentially
1.1    nonaka 		 while (tx++ < a->used && ty-- >= 0) { ... }
1.1    nonaka 		*/
1.1    nonaka 		iy = MIN(a->used-tx, ty+1);
1.1    nonaka
1.1    nonaka 		/* now for squaring tx can never equal ty
1.1    nonaka 		* we halve the distance since they approach at a rate of 2x
1.1    nonaka 		* and we have to round because odd cases need to be executed
1.1    nonaka 		*/
1.1    nonaka 		iy = MIN(iy, (int)((unsigned)(ty-tx+1)>>1));
1.1    nonaka
1.1    nonaka 		/* execute loop */
1.1    nonaka 		for (iz = 0; iz < iy; iz++) {
1.1    nonaka 			 _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--);
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* double the inner product and add carry */
1.1    nonaka 		_W = _W + _W + W1;
1.1    nonaka
1.1    nonaka 		/* even columns have the square term in them */
1.1    nonaka 		if ((ix&1) == 0) {
1.1    nonaka 			 _W += ((mp_word)a->dp[(unsigned)ix>>1])*((mp_word)a->dp[(unsigned)ix>>1]);
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* store it */
1.1    nonaka 		W[ix] = (mp_digit)(_W & MP_MASK);
1.1    nonaka
1.1    nonaka 		/* make next carry */
1.1    nonaka 		W1 = _W >> ((mp_word)DIGIT_BIT);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* setup dest */
1.1    nonaka 	olduse  = b->used;
1.1    nonaka 	b->used = a->used+a->used;
1.1    nonaka
1.1    nonaka 	{
1.1    nonaka 		mp_digit *tmpb;
1.1    nonaka 		tmpb = b->dp;
1.1    nonaka 		for (ix = 0; ix < pa; ix++) {
1.1    nonaka 			*tmpb++ = W[ix] & MP_MASK;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* clear unused digits [that existed in the old copy of c] */
1.1    nonaka 		for (; ix < olduse; ix++) {
1.1    nonaka 			*tmpb++ = 0;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	trim_unused_digits(b);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_fast_s_mp_sqr.c,v $ */
1.1    nonaka /* Revision: 1.3 $ */
1.1    nonaka /* Date: 2011/03/18 16:43:04 $ */
1.1    nonaka
1.1    nonaka /* low level squaring, b = a*a, HAC pp.596-597, Algorithm 14.16 */
1.1    nonaka static int
1.1    nonaka basic_square(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	mp_int  t;
1.1    nonaka 	int     res, ix, iy, pa;
1.1    nonaka 	mp_word r;
1.1    nonaka 	mp_digit carry, tmpx, *tmpt;
1.1    nonaka
1.1    nonaka 	pa = a->used;
1.1    nonaka 	if ((res = mp_init_size(&t, 2*pa + 1)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* default used is maximum possible size */
1.1    nonaka 	t.used = 2*pa + 1;
1.1    nonaka
1.1    nonaka 	for (ix = 0; ix < pa; ix++) {
1.1    nonaka 		/* first calculate the digit at 2*ix */
1.1    nonaka 		/* calculate double precision result */
1.1    nonaka 		r = ((mp_word) t.dp[2*ix]) +
1.1    nonaka 		((mp_word)a->dp[ix])*((mp_word)a->dp[ix]);
1.1    nonaka
1.1    nonaka 		/* store lower part in result */
1.1    nonaka 		t.dp[ix+ix] = (mp_digit) (r & ((mp_word) MP_MASK));
1.1    nonaka
1.1    nonaka 		/* get the carry */
1.1    nonaka 		carry = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
1.1    nonaka
1.1    nonaka 		/* left hand side of A[ix] * A[iy] */
1.1    nonaka 		tmpx = a->dp[ix];
1.1    nonaka
1.1    nonaka 		/* alias for where to store the results */
1.1    nonaka 		tmpt = t.dp + (2*ix + 1);
1.1    nonaka
1.1    nonaka 		for (iy = ix + 1; iy < pa; iy++) {
1.1    nonaka 			/* first calculate the product */
1.1    nonaka 			r = ((mp_word)tmpx) * ((mp_word)a->dp[iy]);
1.1    nonaka
1.1    nonaka 			/* now calculate the double precision result, note we use
1.1    nonaka 			* addition instead of *2 since it's easier to optimize
1.1    nonaka 			*/
1.1    nonaka 			r = ((mp_word) *tmpt) + r + r + ((mp_word) carry);
1.1    nonaka
1.1    nonaka 			/* store lower part */
1.1    nonaka 			*tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
1.1    nonaka
1.1    nonaka 			/* get carry */
1.1    nonaka 			carry = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
1.1    nonaka 		}
1.1    nonaka 		/* propagate upwards */
1.1    nonaka 		while (carry != ((mp_digit) 0)) {
1.1    nonaka 			r = ((mp_word) *tmpt) + ((mp_word) carry);
1.1    nonaka 			*tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK));
1.1    nonaka 			carry = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	trim_unused_digits(&t);
1.1    nonaka 	mp_exch(&t, b);
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_s_mp_sqr.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka #define TOOM_SQR_CUTOFF      400
1.1    nonaka #define KARATSUBA_SQR_CUTOFF 120
1.1    nonaka
1.1    nonaka /* computes b = a*a */
1.1    nonaka static int
1.1    nonaka square(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	int     res;
1.1    nonaka
1.1    nonaka 	/* use Toom-Cook? */
1.1    nonaka 	if (a->used >= TOOM_SQR_CUTOFF) {
1.1    nonaka 		res = toom_cook_square(a, b);
1.1    nonaka 		/* Karatsuba? */
1.1    nonaka 	} else if (a->used >= KARATSUBA_SQR_CUTOFF) {
1.1    nonaka 		res = karatsuba_square(a, b);
1.1    nonaka 	} else {
1.1    nonaka 		/* can we use the fast comba multiplier? */
1.1    nonaka 		if (can_use_fast_column_array(a->used + a->used + 1, a->used)) {
1.1    nonaka 			res = fast_basic_square(a, b);
1.1    nonaka 		} else {
1.1    nonaka 			res = basic_square(a, b);
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	b->sign = MP_ZPOS;
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* find window size */
1.1    nonaka static inline int
1.1    nonaka find_window_size(mp_int *X)
1.1    nonaka {
1.1    nonaka 	int	x;
1.1    nonaka
1.1    nonaka 	x = mp_count_bits(X);
1.1    nonaka 	return (x <= 7) ? 2 : (x <= 36) ? 3 : (x <= 140) ? 4 : (x <= 450) ? 5 : (x <= 1303) ? 6 : (x <= 3529) ? 7 : 8;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_sqr.c,v $ */
1.1    nonaka /* Revision: 1.3 $ */
1.1    nonaka /* Date: 2011/03/18 16:43:04 $ */
1.1    nonaka
1.1    nonaka #define TAB_SIZE 256
1.1    nonaka
1.1    nonaka static int
1.1    nonaka basic_exponent_mod(mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode)
1.1    nonaka {
1.1    nonaka 	mp_digit buf;
1.1    nonaka 	mp_int  M[TAB_SIZE], res, mu;
1.1    nonaka 	int     err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
1.1    nonaka 	int	(*redux)(mp_int*,mp_int*,mp_int*);
1.1    nonaka
1.1    nonaka 	winsize = find_window_size(X);
1.1    nonaka
1.1    nonaka 	/* init M array */
1.1    nonaka 	/* init first cell */
1.1    nonaka 	if ((err = mp_init(&M[1])) != MP_OKAY) {
1.1    nonaka 		return err;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now init the second half of the array */
1.1    nonaka 	for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
1.1    nonaka 		if ((err = mp_init(&M[x])) != MP_OKAY) {
1.1    nonaka 			for (y = 1<<(winsize-1); y < x; y++) {
1.1    nonaka 				mp_clear(&M[y]);
1.1    nonaka 			}
1.1    nonaka 			mp_clear(&M[1]);
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* create mu, used for Barrett reduction */
1.1    nonaka 	if ((err = mp_init(&mu)) != MP_OKAY) {
1.1    nonaka 		goto LBL_M;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (redmode == 0) {
1.1    nonaka 		if ((err = mp_reduce_setup(&mu, P)) != MP_OKAY) {
1.1    nonaka 			goto LBL_MU;
1.1    nonaka 		}
1.1    nonaka 		redux = mp_reduce;
1.1    nonaka 	} else {
1.1    nonaka 		if ((err = mp_reduce_2k_setup_l(P, &mu)) != MP_OKAY) {
1.1    nonaka 			goto LBL_MU;
1.1    nonaka 		}
1.1    nonaka 		redux = mp_reduce_2k_l;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* create M table
1.1    nonaka 	*
1.1    nonaka 	* The M table contains powers of the base,
1.1    nonaka 	* e.g. M[x] = G**x mod P
1.1    nonaka 	*
1.1    nonaka 	* The first half of the table is not
1.1    nonaka 	* computed though accept for M[0] and M[1]
1.1    nonaka 	*/
1.1    nonaka 	if ((err = modulo(G, P, &M[1])) != MP_OKAY) {
1.1    nonaka 		goto LBL_MU;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* compute the value at M[1<<(winsize-1)] by squaring
1.1    nonaka 	* M[1] (winsize-1) times
1.1    nonaka 	*/
1.1    nonaka 	if ((err = mp_copy( &M[1], &M[1 << (winsize - 1)])) != MP_OKAY) {
1.1    nonaka 		goto LBL_MU;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	for (x = 0; x < (winsize - 1); x++) {
1.1    nonaka 		/* square it */
1.1    nonaka 		if ((err = square(&M[1 << (winsize - 1)],
1.1    nonaka 		       &M[1 << (winsize - 1)])) != MP_OKAY) {
1.1    nonaka 			goto LBL_MU;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* reduce modulo P */
1.1    nonaka 		if ((err = redux(&M[1 << (winsize - 1)], P, &mu)) != MP_OKAY) {
1.1    nonaka 			goto LBL_MU;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* create upper table, that is M[x] = M[x-1] * M[1] (mod P)
1.1    nonaka 	* for x = (2**(winsize - 1) + 1) to (2**winsize - 1)
1.1    nonaka 	*/
1.1    nonaka 	for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
1.1    nonaka 		if ((err = signed_multiply(&M[x - 1], &M[1], &M[x])) != MP_OKAY) {
1.1    nonaka 			goto LBL_MU;
1.1    nonaka 		}
1.1    nonaka 		if ((err = redux(&M[x], P, &mu)) != MP_OKAY) {
1.1    nonaka 			goto LBL_MU;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* setup result */
1.1    nonaka 	if ((err = mp_init(&res)) != MP_OKAY) {
1.1    nonaka 		goto LBL_MU;
1.1    nonaka 	}
1.1    nonaka 	set_word(&res, 1);
1.1    nonaka
1.1    nonaka 	/* set initial mode and bit cnt */
1.1    nonaka 	mode = 0;
1.1    nonaka 	bitcnt = 1;
1.1    nonaka 	buf = 0;
1.1    nonaka 	digidx = X->used - 1;
1.1    nonaka 	bitcpy = 0;
1.1    nonaka 	bitbuf = 0;
1.1    nonaka
1.1    nonaka 	for (;;) {
1.1    nonaka 		/* grab next digit as required */
1.1    nonaka 		if (--bitcnt == 0) {
1.1    nonaka 			/* if digidx == -1 we are out of digits */
1.1    nonaka 			if (digidx == -1) {
1.1    nonaka 				break;
1.1    nonaka 			}
1.1    nonaka 			/* read next digit and reset the bitcnt */
1.1    nonaka 			buf = X->dp[digidx--];
1.1    nonaka 			bitcnt = (int) DIGIT_BIT;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* grab the next msb from the exponent */
1.1    nonaka 		y = (unsigned)(buf >> (mp_digit)(DIGIT_BIT - 1)) & 1;
1.1    nonaka 		buf <<= (mp_digit)1;
1.1    nonaka
1.1    nonaka 		/* if the bit is zero and mode == 0 then we ignore it
1.1    nonaka 		* These represent the leading zero bits before the first 1 bit
1.1    nonaka 		* in the exponent.  Technically this opt is not required but it
1.1    nonaka 		* does lower the # of trivial squaring/reductions used
1.1    nonaka 		*/
1.1    nonaka 		if (mode == 0 && y == 0) {
1.1    nonaka 			continue;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* if the bit is zero and mode == 1 then we square */
1.1    nonaka 		if (mode == 1 && y == 0) {
1.1    nonaka 			if ((err = square(&res, &res)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka 			if ((err = redux(&res, P, &mu)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka 			continue;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* else we add it to the window */
1.1    nonaka 		bitbuf |= (y << (winsize - ++bitcpy));
1.1    nonaka 		mode = 2;
1.1    nonaka
1.1    nonaka 		if (bitcpy == winsize) {
1.1    nonaka 			/* ok window is filled so square as required and multiply  */
1.1    nonaka 			/* square first */
1.1    nonaka 			for (x = 0; x < winsize; x++) {
1.1    nonaka 				if ((err = square(&res, &res)) != MP_OKAY) {
1.1    nonaka 					goto LBL_RES;
1.1    nonaka 				}
1.1    nonaka 				if ((err = redux(&res, P, &mu)) != MP_OKAY) {
1.1    nonaka 					goto LBL_RES;
1.1    nonaka 				}
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			/* then multiply */
1.1    nonaka 			if ((err = signed_multiply(&res, &M[bitbuf], &res)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka 			if ((err = redux(&res, P, &mu)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			/* empty window and reset */
1.1    nonaka 			bitcpy = 0;
1.1    nonaka 			bitbuf = 0;
1.1    nonaka 			mode = 1;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if bits remain then square/multiply */
1.1    nonaka 	if (mode == 2 && bitcpy > 0) {
1.1    nonaka 		/* square then multiply if the bit is set */
1.1    nonaka 		for (x = 0; x < bitcpy; x++) {
1.1    nonaka 			if ((err = square(&res, &res)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka 			if ((err = redux(&res, P, &mu)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			bitbuf <<= 1;
1.1    nonaka 			if ((bitbuf & (1 << winsize)) != 0) {
1.1    nonaka 				/* then multiply */
1.1    nonaka 				if ((err = signed_multiply(&res, &M[1], &res)) != MP_OKAY) {
1.1    nonaka 					goto LBL_RES;
1.1    nonaka 				}
1.1    nonaka 				if ((err = redux(&res, P, &mu)) != MP_OKAY) {
1.1    nonaka 					goto LBL_RES;
1.1    nonaka 				}
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	mp_exch(&res, Y);
1.1    nonaka 	err = MP_OKAY;
1.1    nonaka LBL_RES:
1.1    nonaka 	mp_clear(&res);
1.1    nonaka LBL_MU:
1.1    nonaka 	mp_clear(&mu);
1.1    nonaka LBL_M:
1.1    nonaka 	mp_clear(&M[1]);
1.1    nonaka 	for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
1.1    nonaka 		mp_clear(&M[x]);
1.1    nonaka 	}
1.1    nonaka 	return err;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* determines if a number is a valid DR modulus */
1.1    nonaka static int
1.1    nonaka is_diminished_radix_modulus(mp_int *a)
1.1    nonaka {
1.1    nonaka 	int ix;
1.1    nonaka
1.1    nonaka 	/* must be at least two digits */
1.1    nonaka 	if (a->used < 2) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* must be of the form b**k - a [a <= b] so all
1.1    nonaka 	* but the first digit must be equal to -1 (mod b).
1.1    nonaka 	*/
1.1    nonaka 	for (ix = 1; ix < a->used; ix++) {
1.1    nonaka 		if (a->dp[ix] != MP_MASK) {
1.1    nonaka 			  return 0;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	return 1;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_dr_is_modulus.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* determines if mp_reduce_2k can be used */
1.1    nonaka static int
1.1    nonaka mp_reduce_is_2k(mp_int *a)
1.1    nonaka {
1.1    nonaka 	int ix, iy, iw;
1.1    nonaka 	mp_digit iz;
1.1    nonaka
1.1    nonaka 	if (a->used == 0) {
1.1    nonaka 		return MP_NO;
1.1    nonaka 	}
1.1    nonaka 	if (a->used == 1) {
1.1    nonaka 		return MP_YES;
1.1    nonaka 	}
1.1    nonaka 	if (a->used > 1) {
1.1    nonaka 		iy = mp_count_bits(a);
1.1    nonaka 		iz = 1;
1.1    nonaka 		iw = 1;
1.1    nonaka
1.1    nonaka 		/* Test every bit from the second digit up, must be 1 */
1.1    nonaka 		for (ix = DIGIT_BIT; ix < iy; ix++) {
1.1    nonaka 			if ((a->dp[iw] & iz) == 0) {
1.1    nonaka 				return MP_NO;
1.1    nonaka 			}
1.1    nonaka 			iz <<= 1;
1.1    nonaka 			if (iz > (mp_digit)MP_MASK) {
1.1    nonaka 				++iw;
1.1    nonaka 				iz = 1;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	return MP_YES;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_reduce_is_2k.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka
1.1    nonaka /* d = a * b (mod c) */
1.1    nonaka static int
1.1    nonaka multiply_modulo(mp_int *d, mp_int * a, mp_int * b, mp_int * c)
1.1    nonaka {
1.1    nonaka 	mp_int  t;
1.1    nonaka 	int     res;
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&t)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = signed_multiply(a, b, &t)) != MP_OKAY) {
1.1    nonaka 		mp_clear(&t);
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka 	res = modulo(&t, c, d);
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_mulmod.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* setups the montgomery reduction stuff */
1.1    nonaka static int
1.1    nonaka mp_montgomery_setup(mp_int * n, mp_digit * rho)
1.1    nonaka {
1.1    nonaka 	mp_digit x, b;
1.1    nonaka
1.1    nonaka 	/* fast inversion mod 2**k
1.1    nonaka 	*
1.1    nonaka 	* Based on the fact that
1.1    nonaka 	*
1.1    nonaka 	* XA = 1 (mod 2**n)  =>  (X(2-XA)) A = 1 (mod 2**2n)
1.1    nonaka 	*                    =>  2*X*A - X*X*A*A = 1
1.1    nonaka 	*                    =>  2*(1) - (1)     = 1
1.1    nonaka 	*/
1.1    nonaka 	b = n->dp[0];
1.1    nonaka
1.1    nonaka 	if ((b & 1) == 0) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
1.1    nonaka 	x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
1.1    nonaka 	x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
1.1    nonaka 	x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
1.1    nonaka 	if (/*CONSTCOND*/sizeof(mp_digit) == 8) {
1.1    nonaka 		x *= 2 - b * x;	/* here x*a==1 mod 2**64 */
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* rho = -1/m mod b */
1.1    nonaka 	*rho = (unsigned long)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MASK;
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_montgomery_setup.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* computes xR**-1 == x (mod N) via Montgomery Reduction
1.1    nonaka  *
1.1    nonaka  * This is an optimized implementation of montgomery_reduce
1.1    nonaka  * which uses the comba method to quickly calculate the columns of the
1.1    nonaka  * reduction.
1.1    nonaka  *
1.1    nonaka  * Based on Algorithm 14.32 on pp.601 of HAC.
1.1    nonaka */
1.1    nonaka static int
1.1    nonaka fast_mp_montgomery_reduce(mp_int * x, mp_int * n, mp_digit rho)
1.1    nonaka {
1.1    nonaka 	int     ix, res, olduse;
1.1    nonaka 	/*LINTED*/
1.1    nonaka 	mp_word W[MP_WARRAY];
1.1    nonaka
1.1    nonaka 	/* get old used count */
1.1    nonaka 	olduse = x->used;
1.1    nonaka
1.1    nonaka 	/* grow a as required */
1.1    nonaka 	if (x->alloc < n->used + 1) {
1.1    nonaka 		if ((res = mp_grow(x, n->used + 1)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* first we have to get the digits of the input into
1.1    nonaka 	* an array of double precision words W[...]
1.1    nonaka 	*/
1.1    nonaka 	{
1.1    nonaka 		mp_word *_W;
1.1    nonaka 		mp_digit *tmpx;
1.1    nonaka
1.1    nonaka 		/* alias for the W[] array */
1.1    nonaka 		_W = W;
1.1    nonaka
1.1    nonaka 		/* alias for the digits of  x*/
1.1    nonaka 		tmpx = x->dp;
1.1    nonaka
1.1    nonaka 		/* copy the digits of a into W[0..a->used-1] */
1.1    nonaka 		for (ix = 0; ix < x->used; ix++) {
1.1    nonaka 			*_W++ = *tmpx++;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* zero the high words of W[a->used..m->used*2] */
1.1    nonaka 		for (; ix < n->used * 2 + 1; ix++) {
1.1    nonaka 			*_W++ = 0;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now we proceed to zero successive digits
1.1    nonaka 	* from the least significant upwards
1.1    nonaka 	*/
1.1    nonaka 	for (ix = 0; ix < n->used; ix++) {
1.1    nonaka 		/* mu = ai * m' mod b
1.1    nonaka 		*
1.1    nonaka 		* We avoid a double precision multiplication (which isn't required)
1.1    nonaka 		* by casting the value down to a mp_digit.  Note this requires
1.1    nonaka 		* that W[ix-1] have  the carry cleared (see after the inner loop)
1.1    nonaka 		*/
1.1    nonaka 		mp_digit mu;
1.1    nonaka 		mu = (mp_digit) (((W[ix] & MP_MASK) * rho) & MP_MASK);
1.1    nonaka
1.1    nonaka 		/* a = a + mu * m * b**i
1.1    nonaka 		*
1.1    nonaka 		* This is computed in place and on the fly.  The multiplication
1.4   msaitoh 		* by b**i is handled by offsetting which columns the results
1.1    nonaka 		* are added to.
1.1    nonaka 		*
1.1    nonaka 		* Note the comba method normally doesn't handle carries in the
1.1    nonaka 		* inner loop In this case we fix the carry from the previous
1.1    nonaka 		* column since the Montgomery reduction requires digits of the
1.1    nonaka 		* result (so far) [see above] to work.  This is
1.1    nonaka 		* handled by fixing up one carry after the inner loop.  The
1.1    nonaka 		* carry fixups are done in order so after these loops the
1.1    nonaka 		* first m->used words of W[] have the carries fixed
1.1    nonaka 		*/
1.1    nonaka 		{
1.1    nonaka 			int iy;
1.1    nonaka 			mp_digit *tmpn;
1.1    nonaka 			mp_word *_W;
1.1    nonaka
1.1    nonaka 			/* alias for the digits of the modulus */
1.1    nonaka 			tmpn = n->dp;
1.1    nonaka
1.1    nonaka 			/* Alias for the columns set by an offset of ix */
1.1    nonaka 			_W = W + ix;
1.1    nonaka
1.1    nonaka 			/* inner loop */
1.1    nonaka 			for (iy = 0; iy < n->used; iy++) {
1.1    nonaka 				  *_W++ += ((mp_word)mu) * ((mp_word)*tmpn++);
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* now fix carry for next digit, W[ix+1] */
1.1    nonaka 		W[ix + 1] += W[ix] >> ((mp_word) DIGIT_BIT);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now we have to propagate the carries and
1.1    nonaka 	* shift the words downward [all those least
1.1    nonaka 	* significant digits we zeroed].
1.1    nonaka 	*/
1.1    nonaka 	{
1.1    nonaka 		mp_digit *tmpx;
1.1    nonaka 		mp_word *_W, *_W1;
1.1    nonaka
1.1    nonaka 		/* nox fix rest of carries */
1.1    nonaka
1.1    nonaka 		/* alias for current word */
1.1    nonaka 		_W1 = W + ix;
1.1    nonaka
1.1    nonaka 		/* alias for next word, where the carry goes */
1.1    nonaka 		_W = W + ++ix;
1.1    nonaka
1.1    nonaka 		for (; ix <= n->used * 2 + 1; ix++) {
1.1    nonaka 			*_W++ += *_W1++ >> ((mp_word) DIGIT_BIT);
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* copy out, A = A/b**n
1.1    nonaka 		*
1.1    nonaka 		* The result is A/b**n but instead of converting from an
1.1    nonaka 		* array of mp_word to mp_digit than calling rshift_digits
1.1    nonaka 		* we just copy them in the right order
1.1    nonaka 		*/
1.1    nonaka
1.1    nonaka 		/* alias for destination word */
1.1    nonaka 		tmpx = x->dp;
1.1    nonaka
1.1    nonaka 		/* alias for shifted double precision result */
1.1    nonaka 		_W = W + n->used;
1.1    nonaka
1.1    nonaka 		for (ix = 0; ix < n->used + 1; ix++) {
1.1    nonaka 			*tmpx++ = (mp_digit)(*_W++ & ((mp_word) MP_MASK));
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* zero oldused digits, if the input a was larger than
1.1    nonaka 		* m->used+1 we'll have to clear the digits
1.1    nonaka 		*/
1.1    nonaka 		for (; ix < olduse; ix++) {
1.1    nonaka 			*tmpx++ = 0;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* set the max used and clamp */
1.1    nonaka 	x->used = n->used + 1;
1.1    nonaka 	trim_unused_digits(x);
1.1    nonaka
1.1    nonaka 	/* if A >= m then A = A - m */
1.1    nonaka 	if (compare_magnitude(x, n) != MP_LT) {
1.1    nonaka 		return basic_subtract(x, n, x);
1.1    nonaka 	}
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_fast_mp_montgomery_reduce.c,v $ */
1.1    nonaka /* Revision: 1.2 $ */
1.1    nonaka /* Date: 2011/03/18 16:22:09 $ */
1.1    nonaka
1.1    nonaka /* computes xR**-1 == x (mod N) via Montgomery Reduction */
1.1    nonaka static int
1.1    nonaka mp_montgomery_reduce(mp_int * x, mp_int * n, mp_digit rho)
1.1    nonaka {
1.1    nonaka 	int     ix, res, digs;
1.1    nonaka 	mp_digit mu;
1.1    nonaka
1.1    nonaka 	/* can the fast reduction [comba] method be used?
1.1    nonaka 	*
1.1    nonaka 	* Note that unlike in mul you're safely allowed *less*
1.1    nonaka 	* than the available columns [255 per default] since carries
1.1    nonaka 	* are fixed up in the inner loop.
1.1    nonaka 	*/
1.1    nonaka 	digs = n->used * 2 + 1;
1.1    nonaka 	if (can_use_fast_column_array(digs, n->used)) {
1.1    nonaka 		return fast_mp_montgomery_reduce(x, n, rho);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* grow the input as required */
1.1    nonaka 	if (x->alloc < digs) {
1.1    nonaka 		if ((res = mp_grow(x, digs)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	x->used = digs;
1.1    nonaka
1.1    nonaka 	for (ix = 0; ix < n->used; ix++) {
1.1    nonaka 		/* mu = ai * rho mod b
1.1    nonaka 		*
1.1    nonaka 		* The value of rho must be precalculated via
1.1    nonaka 		* montgomery_setup() such that
1.1    nonaka 		* it equals -1/n0 mod b this allows the
1.1    nonaka 		* following inner loop to reduce the
1.1    nonaka 		* input one digit at a time
1.1    nonaka 		*/
1.1    nonaka 		mu = (mp_digit) (((mp_word)x->dp[ix]) * ((mp_word)rho) & MP_MASK);
1.1    nonaka
1.1    nonaka 		/* a = a + mu * m * b**i */
1.1    nonaka 		{
1.1    nonaka 			int iy;
1.1    nonaka 			mp_digit *tmpn, *tmpx, carry;
1.1    nonaka 			mp_word r;
1.1    nonaka
1.1    nonaka 			/* alias for digits of the modulus */
1.1    nonaka 			tmpn = n->dp;
1.1    nonaka
1.1    nonaka 			/* alias for the digits of x [the input] */
1.1    nonaka 			tmpx = x->dp + ix;
1.1    nonaka
1.1    nonaka 			/* set the carry to zero */
1.1    nonaka 			carry = 0;
1.1    nonaka
1.1    nonaka 			/* Multiply and add in place */
1.1    nonaka 			for (iy = 0; iy < n->used; iy++) {
1.1    nonaka 				/* compute product and sum */
1.1    nonaka 				r = ((mp_word)mu) * ((mp_word)*tmpn++) +
1.1    nonaka 					  ((mp_word) carry) + ((mp_word) * tmpx);
1.1    nonaka
1.1    nonaka 				/* get carry */
1.1    nonaka 				carry = (mp_digit)(r >> ((mp_word) DIGIT_BIT));
1.1    nonaka
1.1    nonaka 				/* fix digit */
1.1    nonaka 				*tmpx++ = (mp_digit)(r & ((mp_word) MP_MASK));
1.1    nonaka 			}
1.1    nonaka 			/* At this point the ix'th digit of x should be zero */
1.1    nonaka
1.1    nonaka
1.1    nonaka 			/* propagate carries upwards as required*/
1.1    nonaka 			while (carry) {
1.1    nonaka 				*tmpx += carry;
1.1    nonaka 				carry = *tmpx >> DIGIT_BIT;
1.1    nonaka 				*tmpx++ &= MP_MASK;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* at this point the n.used'th least
1.1    nonaka 	* significant digits of x are all zero
1.1    nonaka 	* which means we can shift x to the
1.1    nonaka 	* right by n.used digits and the
1.1    nonaka 	* residue is unchanged.
1.1    nonaka 	*/
1.1    nonaka
1.1    nonaka 	/* x = x/b**n.used */
1.1    nonaka 	trim_unused_digits(x);
1.1    nonaka 	rshift_digits(x, n->used);
1.1    nonaka
1.1    nonaka 	/* if x >= n then x = x - n */
1.1    nonaka 	if (compare_magnitude(x, n) != MP_LT) {
1.1    nonaka 		return basic_subtract(x, n, x);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_montgomery_reduce.c,v $ */
1.1    nonaka /* Revision: 1.3 $ */
1.1    nonaka /* Date: 2011/03/18 16:43:04 $ */
1.1    nonaka
1.1    nonaka /* determines the setup value */
1.1    nonaka static void
1.1    nonaka diminished_radix_setup(mp_int *a, mp_digit *d)
1.1    nonaka {
1.1    nonaka 	/* the casts are required if DIGIT_BIT is one less than
1.1    nonaka 	* the number of bits in a mp_digit [e.g. DIGIT_BIT==31]
1.1    nonaka 	*/
1.1    nonaka 	*d = (mp_digit)((((mp_word)1) << ((mp_word)DIGIT_BIT)) -
1.1    nonaka 		((mp_word)a->dp[0]));
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_dr_setup.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* reduce "x" in place modulo "n" using the Diminished Radix algorithm.
1.1    nonaka  *
1.1    nonaka  * Based on algorithm from the paper
1.1    nonaka  *
1.1    nonaka  * "Generating Efficient Primes for Discrete Log Cryptosystems"
1.1    nonaka  *                 Chae Hoon Lim, Pil Joong Lee,
1.1    nonaka  *          POSTECH Information Research Laboratories
1.1    nonaka  *
1.1    nonaka  * The modulus must be of a special format [see manual]
1.1    nonaka  *
1.1    nonaka  * Has been modified to use algorithm 7.10 from the LTM book instead
1.1    nonaka  *
1.1    nonaka  * Input x must be in the range 0 <= x <= (n-1)**2
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka diminished_radix_reduce(mp_int * x, mp_int * n, mp_digit k)
1.1    nonaka {
1.1    nonaka 	int      err, i, m;
1.1    nonaka 	mp_word  r;
1.1    nonaka 	mp_digit mu, *tmpx1, *tmpx2;
1.1    nonaka
1.1    nonaka 	/* m = digits in modulus */
1.1    nonaka 	m = n->used;
1.1    nonaka
1.1    nonaka 	/* ensure that "x" has at least 2m digits */
1.1    nonaka 	if (x->alloc < m + m) {
1.1    nonaka 		if ((err = mp_grow(x, m + m)) != MP_OKAY) {
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* top of loop, this is where the code resumes if
1.1    nonaka 	* another reduction pass is required.
1.1    nonaka 	*/
1.1    nonaka top:
1.1    nonaka 	/* aliases for digits */
1.1    nonaka 	/* alias for lower half of x */
1.1    nonaka 	tmpx1 = x->dp;
1.1    nonaka
1.1    nonaka 	/* alias for upper half of x, or x/B**m */
1.1    nonaka 	tmpx2 = x->dp + m;
1.1    nonaka
1.1    nonaka 	/* set carry to zero */
1.1    nonaka 	mu = 0;
1.1    nonaka
1.1    nonaka 	/* compute (x mod B**m) + k * [x/B**m] inline and inplace */
1.1    nonaka 	for (i = 0; i < m; i++) {
1.1    nonaka 		r = ((mp_word)*tmpx2++) * ((mp_word)k) + *tmpx1 + mu;
1.1    nonaka 		*tmpx1++  = (mp_digit)(r & MP_MASK);
1.1    nonaka 		mu = (mp_digit)(r >> ((mp_word)DIGIT_BIT));
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* set final carry */
1.1    nonaka 	*tmpx1++ = mu;
1.1    nonaka
1.1    nonaka 	/* zero words above m */
1.1    nonaka 	for (i = m + 1; i < x->used; i++) {
1.1    nonaka 		*tmpx1++ = 0;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* clamp, sub and return */
1.1    nonaka 	trim_unused_digits(x);
1.1    nonaka
1.1    nonaka 	/* if x >= n then subtract and reduce again
1.1    nonaka 	* Each successive "recursion" makes the input smaller and smaller.
1.1    nonaka 	*/
1.1    nonaka 	if (compare_magnitude(x, n) != MP_LT) {
1.1    nonaka 		basic_subtract(x, n, x);
1.1    nonaka 		goto top;
1.1    nonaka 	}
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_dr_reduce.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* determines the setup value */
1.1    nonaka static int
1.1    nonaka mp_reduce_2k_setup(mp_int *a, mp_digit *d)
1.1    nonaka {
1.1    nonaka 	int res, p;
1.1    nonaka 	mp_int tmp;
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&tmp)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	p = mp_count_bits(a);
1.1    nonaka 	if ((res = mp_2expt(&tmp, p)) != MP_OKAY) {
1.1    nonaka 		mp_clear(&tmp);
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = basic_subtract(&tmp, a, &tmp)) != MP_OKAY) {
1.1    nonaka 		mp_clear(&tmp);
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	*d = tmp.dp[0];
1.1    nonaka 	mp_clear(&tmp);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_reduce_2k_setup.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* reduces a modulo n where n is of the form 2**p - d */
1.1    nonaka static int
1.1    nonaka mp_reduce_2k(mp_int *a, mp_int *n, mp_digit d)
1.1    nonaka {
1.1    nonaka 	mp_int q;
1.1    nonaka 	int    p, res;
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&q)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	p = mp_count_bits(n);
1.1    nonaka top:
1.1    nonaka 	/* q = a/2**p, a = a mod 2**p */
1.1    nonaka 	if ((res = rshift_bits(a, p, &q, a)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (d != 1) {
1.1    nonaka 		/* q = q * d */
1.1    nonaka 		if ((res = multiply_digit(&q, d, &q)) != MP_OKAY) {
1.1    nonaka 			 goto ERR;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* a = a + q */
1.1    nonaka 	if ((res = basic_add(a, &q, a)) != MP_OKAY) {
1.1    nonaka 		goto ERR;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (compare_magnitude(a, n) != MP_LT) {
1.1    nonaka 		basic_subtract(a, n, a);
1.1    nonaka 		goto top;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka ERR:
1.1    nonaka 	mp_clear(&q);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_reduce_2k.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /*
1.1    nonaka  * shifts with subtractions when the result is greater than b.
1.1    nonaka  *
1.1    nonaka  * The method is slightly modified to shift B unconditionally upto just under
1.6    andvar  * the leading bit of b.  This saves a lot of multiple precision shifting.
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka mp_montgomery_calc_normalization(mp_int * a, mp_int * b)
1.1    nonaka {
1.1    nonaka 	int     x, bits, res;
1.1    nonaka
1.1    nonaka 	/* how many bits of last digit does b use */
1.1    nonaka 	bits = mp_count_bits(b) % DIGIT_BIT;
1.1    nonaka
1.1    nonaka 	if (b->used > 1) {
1.1    nonaka 		if ((res = mp_2expt(a, (b->used - 1) * DIGIT_BIT + bits - 1)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	} else {
1.1    nonaka 		set_word(a, 1);
1.1    nonaka 		bits = 1;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka
1.1    nonaka 	/* now compute C = A * B mod b */
1.1    nonaka 	for (x = bits - 1; x < (int)DIGIT_BIT; x++) {
1.1    nonaka 		if ((res = doubled(a, a)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 		if (compare_magnitude(a, b) != MP_LT) {
1.1    nonaka 			if ((res = basic_subtract(a, b, a)) != MP_OKAY) {
1.1    nonaka 				return res;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_mp_montgomery_calc_normalization.c,v $ */
1.1    nonaka /* Revision: 1.1.1.1 $ */
1.1    nonaka /* Date: 2011/03/12 22:58:18 $ */
1.1    nonaka
1.1    nonaka /* computes Y == G**X mod P, HAC pp.616, Algorithm 14.85
1.1    nonaka  *
1.1    nonaka  * Uses a left-to-right k-ary sliding window to compute the modular exponentiation.
1.1    nonaka  * The value of k changes based on the size of the exponent.
1.1    nonaka  *
1.1    nonaka  * Uses Montgomery or Diminished Radix reduction [whichever appropriate]
1.1    nonaka  */
1.1    nonaka
1.1    nonaka #define TAB_SIZE 256
1.1    nonaka
1.1    nonaka static int
1.1    nonaka fast_exponent_modulo(mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode)
1.1    nonaka {
1.1    nonaka 	mp_int  M[TAB_SIZE], res;
1.1    nonaka 	mp_digit buf, mp;
1.1    nonaka 	int     err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
1.1    nonaka
1.1    nonaka 	/* use a pointer to the reduction algorithm.  This allows us to use
1.1    nonaka 	* one of many reduction algorithms without modding the guts of
1.1    nonaka 	* the code with if statements everywhere.
1.1    nonaka 	*/
1.1    nonaka 	int     (*redux)(mp_int*,mp_int*,mp_digit);
1.1    nonaka
1.1    nonaka 	winsize = find_window_size(X);
1.1    nonaka
1.1    nonaka 	/* init M array */
1.1    nonaka 	/* init first cell */
1.1    nonaka 	if ((err = mp_init(&M[1])) != MP_OKAY) {
1.1    nonaka 		return err;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now init the second half of the array */
1.1    nonaka 	for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
1.1    nonaka 		if ((err = mp_init(&M[x])) != MP_OKAY) {
1.1    nonaka 			for (y = 1<<(winsize-1); y < x; y++) {
1.1    nonaka 				mp_clear(&M[y]);
1.1    nonaka 			}
1.1    nonaka 			mp_clear(&M[1]);
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* determine and setup reduction code */
1.1    nonaka 	if (redmode == 0) {
1.1    nonaka 		/* now setup montgomery  */
1.1    nonaka 		if ((err = mp_montgomery_setup(P, &mp)) != MP_OKAY) {
1.1    nonaka 			goto LBL_M;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* automatically pick the comba one if available (saves quite a few calls/ifs) */
1.1    nonaka 		if (can_use_fast_column_array(P->used + P->used + 1, P->used)) {
1.1    nonaka 			redux = fast_mp_montgomery_reduce;
1.1    nonaka 		} else {
1.1    nonaka 			/* use slower baseline Montgomery method */
1.1    nonaka 			redux = mp_montgomery_reduce;
1.1    nonaka 		}
1.1    nonaka 	} else if (redmode == 1) {
1.1    nonaka 		/* setup DR reduction for moduli of the form B**k - b */
1.1    nonaka 		diminished_radix_setup(P, &mp);
1.1    nonaka 		redux = diminished_radix_reduce;
1.1    nonaka 	} else {
1.1    nonaka 		/* setup DR reduction for moduli of the form 2**k - b */
1.1    nonaka 		if ((err = mp_reduce_2k_setup(P, &mp)) != MP_OKAY) {
1.1    nonaka 			goto LBL_M;
1.1    nonaka 		}
1.1    nonaka 		redux = mp_reduce_2k;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* setup result */
1.1    nonaka 	if ((err = mp_init(&res)) != MP_OKAY) {
1.1    nonaka 		goto LBL_M;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* create M table
1.1    nonaka 	*
1.1    nonaka
1.1    nonaka 	*
1.1    nonaka 	* The first half of the table is not computed though accept for M[0] and M[1]
1.1    nonaka 	*/
1.1    nonaka
1.1    nonaka 	if (redmode == 0) {
1.1    nonaka 		/* now we need R mod m */
1.1    nonaka 		if ((err = mp_montgomery_calc_normalization(&res, P)) != MP_OKAY) {
1.1    nonaka 			goto LBL_RES;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* now set M[1] to G * R mod m */
1.1    nonaka 		if ((err = multiply_modulo(&M[1], G, &res, P)) != MP_OKAY) {
1.1    nonaka 			goto LBL_RES;
1.1    nonaka 		}
1.1    nonaka 	} else {
1.1    nonaka 		set_word(&res, 1);
1.1    nonaka 		if ((err = modulo(G, P, &M[1])) != MP_OKAY) {
1.1    nonaka 			goto LBL_RES;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* compute the value at M[1<<(winsize-1)] by squaring M[1] (winsize-1) times */
1.1    nonaka 	if ((err = mp_copy( &M[1], &M[1 << (winsize - 1)])) != MP_OKAY) {
1.1    nonaka 		goto LBL_RES;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	for (x = 0; x < (winsize - 1); x++) {
1.1    nonaka 		if ((err = square(&M[1 << (winsize - 1)], &M[1 << (winsize - 1)])) != MP_OKAY) {
1.1    nonaka 			goto LBL_RES;
1.1    nonaka 		}
1.1    nonaka 		if ((err = (*redux)(&M[1 << (winsize - 1)], P, mp)) != MP_OKAY) {
1.1    nonaka 			goto LBL_RES;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* create upper table */
1.1    nonaka 	for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
1.1    nonaka 		if ((err = signed_multiply(&M[x - 1], &M[1], &M[x])) != MP_OKAY) {
1.1    nonaka 			goto LBL_RES;
1.1    nonaka 		}
1.1    nonaka 		if ((err = (*redux)(&M[x], P, mp)) != MP_OKAY) {
1.1    nonaka 			goto LBL_RES;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* set initial mode and bit cnt */
1.1    nonaka 	mode = 0;
1.1    nonaka 	bitcnt = 1;
1.1    nonaka 	buf = 0;
1.1    nonaka 	digidx = X->used - 1;
1.1    nonaka 	bitcpy = 0;
1.1    nonaka 	bitbuf = 0;
1.1    nonaka
1.1    nonaka 	for (;;) {
1.1    nonaka 		/* grab next digit as required */
1.1    nonaka 		if (--bitcnt == 0) {
1.1    nonaka 			/* if digidx == -1 we are out of digits so break */
1.1    nonaka 			if (digidx == -1) {
1.1    nonaka 				break;
1.1    nonaka 			}
1.1    nonaka 			/* read next digit and reset bitcnt */
1.1    nonaka 			buf = X->dp[digidx--];
1.1    nonaka 			bitcnt = (int)DIGIT_BIT;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* grab the next msb from the exponent */
1.1    nonaka 		y = (int)(mp_digit)((mp_digit)buf >> (unsigned)(DIGIT_BIT - 1)) & 1;
1.1    nonaka 		buf <<= (mp_digit)1;
1.1    nonaka
1.1    nonaka 		/* if the bit is zero and mode == 0 then we ignore it
1.1    nonaka 		* These represent the leading zero bits before the first 1 bit
1.1    nonaka 		* in the exponent.  Technically this opt is not required but it
1.1    nonaka 		* does lower the # of trivial squaring/reductions used
1.1    nonaka 		*/
1.1    nonaka 		if (mode == 0 && y == 0) {
1.1    nonaka 			continue;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* if the bit is zero and mode == 1 then we square */
1.1    nonaka 		if (mode == 1 && y == 0) {
1.1    nonaka 			if ((err = square(&res, &res)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka 			if ((err = (*redux)(&res, P, mp)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka 			continue;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* else we add it to the window */
1.1    nonaka 		bitbuf |= (y << (winsize - ++bitcpy));
1.1    nonaka 		mode = 2;
1.1    nonaka
1.1    nonaka 		if (bitcpy == winsize) {
1.1    nonaka 			/* ok window is filled so square as required and multiply  */
1.1    nonaka 			/* square first */
1.1    nonaka 			for (x = 0; x < winsize; x++) {
1.1    nonaka 				if ((err = square(&res, &res)) != MP_OKAY) {
1.1    nonaka 					goto LBL_RES;
1.1    nonaka 				}
1.1    nonaka 				if ((err = (*redux)(&res, P, mp)) != MP_OKAY) {
1.1    nonaka 					goto LBL_RES;
1.1    nonaka 				}
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			/* then multiply */
1.1    nonaka 			if ((err = signed_multiply(&res, &M[bitbuf], &res)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka 			if ((err = (*redux)(&res, P, mp)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			/* empty window and reset */
1.1    nonaka 			bitcpy = 0;
1.1    nonaka 			bitbuf = 0;
1.1    nonaka 			mode = 1;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if bits remain then square/multiply */
1.1    nonaka 	if (mode == 2 && bitcpy > 0) {
1.1    nonaka 		/* square then multiply if the bit is set */
1.1    nonaka 		for (x = 0; x < bitcpy; x++) {
1.1    nonaka 			if ((err = square(&res, &res)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka 			if ((err = (*redux)(&res, P, mp)) != MP_OKAY) {
1.1    nonaka 				goto LBL_RES;
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			/* get next bit of the window */
1.1    nonaka 			bitbuf <<= 1;
1.1    nonaka 			if ((bitbuf & (1 << winsize)) != 0) {
1.1    nonaka 				/* then multiply */
1.1    nonaka 				if ((err = signed_multiply(&res, &M[1], &res)) != MP_OKAY) {
1.1    nonaka 					goto LBL_RES;
1.1    nonaka 				}
1.1    nonaka 				if ((err = (*redux)(&res, P, mp)) != MP_OKAY) {
1.1    nonaka 					goto LBL_RES;
1.1    nonaka 				}
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (redmode == 0) {
1.1    nonaka 		/* fixup result if Montgomery reduction is used
1.1    nonaka 		* recall that any value in a Montgomery system is
1.1    nonaka 		* actually multiplied by R mod n.  So we have
1.1    nonaka 		* to reduce one more time to cancel out the factor
1.1    nonaka 		* of R.
1.1    nonaka 		*/
1.1    nonaka 		if ((err = (*redux)(&res, P, mp)) != MP_OKAY) {
1.1    nonaka 			goto LBL_RES;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* swap res with Y */
1.1    nonaka 	mp_exch(&res, Y);
1.1    nonaka 	err = MP_OKAY;
1.1    nonaka LBL_RES:
1.1    nonaka 	mp_clear(&res);
1.1    nonaka LBL_M:
1.1    nonaka 	mp_clear(&M[1]);
1.1    nonaka 	for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
1.1    nonaka 		mp_clear(&M[x]);
1.1    nonaka 	}
1.1    nonaka 	return err;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* Source: /usr/cvsroot/libtommath/dist/libtommath/bn_fast_exponent_modulo.c,v $ */
1.1    nonaka /* Revision: 1.4 $ */
1.1    nonaka /* Date: 2011/03/18 16:43:04 $ */
1.1    nonaka
1.1    nonaka /* this is a shell function that calls either the normal or Montgomery
1.1    nonaka  * exptmod functions.  Originally the call to the montgomery code was
1.6    andvar  * embedded in the normal function but that wasted a lot of stack space
1.1    nonaka  * for nothing (since 99% of the time the Montgomery code would be called)
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka exponent_modulo(mp_int * G, mp_int * X, mp_int * P, mp_int *Y)
1.1    nonaka {
1.1    nonaka 	int diminished_radix;
1.1    nonaka
1.1    nonaka 	/* modulus P must be positive */
1.1    nonaka 	if (P->sign == MP_NEG) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if exponent X is negative we have to recurse */
1.1    nonaka 	if (X->sign == MP_NEG) {
1.1    nonaka 		mp_int tmpG, tmpX;
1.1    nonaka 		int err;
1.1    nonaka
1.1    nonaka 		/* first compute 1/G mod P */
1.1    nonaka 		if ((err = mp_init(&tmpG)) != MP_OKAY) {
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka 		if ((err = modular_inverse(&tmpG, G, P)) != MP_OKAY) {
1.1    nonaka 			mp_clear(&tmpG);
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* now get |X| */
1.1    nonaka 		if ((err = mp_init(&tmpX)) != MP_OKAY) {
1.1    nonaka 			mp_clear(&tmpG);
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka 		if ((err = absolute(X, &tmpX)) != MP_OKAY) {
1.1    nonaka 			mp_clear_multi(&tmpG, &tmpX, NULL);
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* and now compute (1/G)**|X| instead of G**X [X < 0] */
1.1    nonaka 		err = exponent_modulo(&tmpG, &tmpX, P, Y);
1.1    nonaka 		mp_clear_multi(&tmpG, &tmpX, NULL);
1.1    nonaka 		return err;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* modified diminished radix reduction */
1.1    nonaka 	if (mp_reduce_is_2k_l(P) == MP_YES) {
1.1    nonaka 		return basic_exponent_mod(G, X, P, Y, 1);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* is it a DR modulus? */
1.1    nonaka 	diminished_radix = is_diminished_radix_modulus(P);
1.1    nonaka
1.6    andvar 	/* if not, is it an unrestricted DR modulus? */
1.1    nonaka 	if (!diminished_radix) {
1.1    nonaka 		diminished_radix = mp_reduce_is_2k(P) << 1;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if the modulus is odd or diminished_radix, use the montgomery method */
1.1    nonaka 	if (BN_is_odd(P) == 1 || diminished_radix) {
1.1    nonaka 		return fast_exponent_modulo(G, X, P, Y, diminished_radix);
1.1    nonaka 	}
1.1    nonaka 	/* otherwise use the generic Barrett reduction technique */
1.1    nonaka 	return basic_exponent_mod(G, X, P, Y, 0);
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* reverse an array, used for radix code */
1.1    nonaka static void
1.1    nonaka bn_reverse(unsigned char *s, int len)
1.1    nonaka {
1.1    nonaka 	int     ix, iy;
1.1    nonaka 	uint8_t t;
1.1    nonaka
1.1    nonaka 	for (ix = 0, iy = len - 1; ix < iy ; ix++, --iy) {
1.1    nonaka 		t = s[ix];
1.1    nonaka 		s[ix] = s[iy];
1.1    nonaka 		s[iy] = t;
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka static inline int
1.1    nonaka is_power_of_two(mp_digit b, int *p)
1.1    nonaka {
1.1    nonaka 	int x;
1.1    nonaka
1.1    nonaka 	/* fast return if no power of two */
1.1    nonaka 	if ((b==0) || (b & (b-1))) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	for (x = 0; x < DIGIT_BIT; x++) {
1.1    nonaka 		if (b == (((mp_digit)1)<<x)) {
1.1    nonaka 			*p = x;
1.1    nonaka 			return 1;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	return 0;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* single digit division (based on routine from MPI) */
1.1    nonaka static int
1.1    nonaka signed_divide_word(mp_int *a, mp_digit b, mp_int *c, mp_digit *d)
1.1    nonaka {
1.1    nonaka 	mp_int  q;
1.1    nonaka 	mp_word w;
1.1    nonaka 	mp_digit t;
1.1    nonaka 	int     res, ix;
1.1    nonaka
1.1    nonaka 	/* cannot divide by zero */
1.1    nonaka 	if (b == 0) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* quick outs */
1.1    nonaka 	if (b == 1 || MP_ISZERO(a) == 1) {
1.1    nonaka 		if (d != NULL) {
1.1    nonaka 			*d = 0;
1.1    nonaka 		}
1.1    nonaka 		if (c != NULL) {
1.1    nonaka 			return mp_copy(a, c);
1.1    nonaka 		}
1.1    nonaka 		return MP_OKAY;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* power of two ? */
1.1    nonaka 	if (is_power_of_two(b, &ix) == 1) {
1.1    nonaka 		if (d != NULL) {
1.1    nonaka 			*d = a->dp[0] & ((((mp_digit)1)<<ix) - 1);
1.1    nonaka 		}
1.1    nonaka 		if (c != NULL) {
1.1    nonaka 			return rshift_bits(a, ix, c, NULL);
1.1    nonaka 		}
1.1    nonaka 		return MP_OKAY;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* three? */
1.1    nonaka 	if (b == 3) {
1.1    nonaka 		return third(a, c, d);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* no easy answer [c'est la vie].  Just division */
1.1    nonaka 	if ((res = mp_init_size(&q, a->used)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	q.used = a->used;
1.1    nonaka 	q.sign = a->sign;
1.1    nonaka 	w = 0;
1.1    nonaka 	for (ix = a->used - 1; ix >= 0; ix--) {
1.1    nonaka 		w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]);
1.1    nonaka
1.1    nonaka 		if (w >= b) {
1.1    nonaka 			t = (mp_digit)(w / b);
1.1    nonaka 			w -= ((mp_word)t) * ((mp_word)b);
1.1    nonaka 		} else {
1.1    nonaka 			t = 0;
1.1    nonaka 		}
1.1    nonaka 		q.dp[ix] = (mp_digit)t;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (d != NULL) {
1.1    nonaka 		*d = (mp_digit)w;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (c != NULL) {
1.1    nonaka 		trim_unused_digits(&q);
1.1    nonaka 		mp_exch(&q, c);
1.1    nonaka 	}
1.1    nonaka 	mp_clear(&q);
1.1    nonaka
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka static const mp_digit ltm_prime_tab[] = {
1.1    nonaka 	0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013,
1.1    nonaka 	0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035,
1.1    nonaka 	0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059,
1.1    nonaka 	0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F,
1.1    nonaka #ifndef MP_8BIT
1.1    nonaka 	0x0083,
1.1    nonaka 	0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD,
1.1    nonaka 	0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF,
1.1    nonaka 	0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107,
1.1    nonaka 	0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137,
1.1    nonaka
1.1    nonaka 	0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167,
1.1    nonaka 	0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199,
1.1    nonaka 	0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9,
1.1    nonaka 	0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7,
1.1    nonaka 	0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239,
1.1    nonaka 	0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265,
1.1    nonaka 	0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293,
1.1    nonaka 	0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF,
1.1    nonaka
1.1    nonaka 	0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF, 0x02F5, 0x02F9, 0x0301,
1.1    nonaka 	0x0305, 0x0313, 0x031D, 0x0329, 0x032B, 0x0335, 0x0337, 0x033B,
1.1    nonaka 	0x033D, 0x0347, 0x0355, 0x0359, 0x035B, 0x035F, 0x036D, 0x0371,
1.1    nonaka 	0x0373, 0x0377, 0x038B, 0x038F, 0x0397, 0x03A1, 0x03A9, 0x03AD,
1.1    nonaka 	0x03B3, 0x03B9, 0x03C7, 0x03CB, 0x03D1, 0x03D7, 0x03DF, 0x03E5,
1.1    nonaka 	0x03F1, 0x03F5, 0x03FB, 0x03FD, 0x0407, 0x0409, 0x040F, 0x0419,
1.1    nonaka 	0x041B, 0x0425, 0x0427, 0x042D, 0x043F, 0x0443, 0x0445, 0x0449,
1.1    nonaka 	0x044F, 0x0455, 0x045D, 0x0463, 0x0469, 0x047F, 0x0481, 0x048B,
1.1    nonaka
1.1    nonaka 	0x0493, 0x049D, 0x04A3, 0x04A9, 0x04B1, 0x04BD, 0x04C1, 0x04C7,
1.1    nonaka 	0x04CD, 0x04CF, 0x04D5, 0x04E1, 0x04EB, 0x04FD, 0x04FF, 0x0503,
1.1    nonaka 	0x0509, 0x050B, 0x0511, 0x0515, 0x0517, 0x051B, 0x0527, 0x0529,
1.1    nonaka 	0x052F, 0x0551, 0x0557, 0x055D, 0x0565, 0x0577, 0x0581, 0x058F,
1.1    nonaka 	0x0593, 0x0595, 0x0599, 0x059F, 0x05A7, 0x05AB, 0x05AD, 0x05B3,
1.1    nonaka 	0x05BF, 0x05C9, 0x05CB, 0x05CF, 0x05D1, 0x05D5, 0x05DB, 0x05E7,
1.1    nonaka 	0x05F3, 0x05FB, 0x0607, 0x060D, 0x0611, 0x0617, 0x061F, 0x0623,
1.1    nonaka 	0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653
1.1    nonaka #endif
1.1    nonaka };
1.1    nonaka
1.1    nonaka #define PRIME_SIZE	__arraycount(ltm_prime_tab)
1.1    nonaka
1.1    nonaka static inline int
1.1    nonaka mp_prime_is_divisible(mp_int *a, int *result)
1.1    nonaka {
1.1    nonaka 	int     err, ix;
1.1    nonaka 	mp_digit res;
1.1    nonaka
1.1    nonaka 	/* default to not */
1.1    nonaka 	*result = MP_NO;
1.1    nonaka
1.1    nonaka 	for (ix = 0; ix < (int)PRIME_SIZE; ix++) {
1.1    nonaka 		/* what is a mod LBL_prime_tab[ix] */
1.1    nonaka 		if ((err = signed_divide_word(a, ltm_prime_tab[ix], NULL, &res)) != MP_OKAY) {
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* is the residue zero? */
1.1    nonaka 		if (res == 0) {
1.1    nonaka 			*result = MP_YES;
1.1    nonaka 			return MP_OKAY;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* single digit addition */
1.1    nonaka static int
1.1    nonaka add_single_digit(mp_int *a, mp_digit b, mp_int *c)
1.1    nonaka {
1.1    nonaka 	int     res, ix, oldused;
1.1    nonaka 	mp_digit *tmpa, *tmpc, mu;
1.1    nonaka
1.1    nonaka 	/* grow c as required */
1.1    nonaka 	if (c->alloc < a->used + 1) {
1.1    nonaka 		if ((res = mp_grow(c, a->used + 1)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if a is negative and |a| >= b, call c = |a| - b */
1.1    nonaka 	if (a->sign == MP_NEG && (a->used > 1 || a->dp[0] >= b)) {
1.1    nonaka 		/* temporarily fix sign of a */
1.1    nonaka 		a->sign = MP_ZPOS;
1.1    nonaka
1.1    nonaka 		/* c = |a| - b */
1.1    nonaka 		res = signed_subtract_word(a, b, c);
1.1    nonaka
1.1    nonaka 		/* fix sign  */
1.1    nonaka 		a->sign = c->sign = MP_NEG;
1.1    nonaka
1.1    nonaka 		/* clamp */
1.1    nonaka 		trim_unused_digits(c);
1.1    nonaka
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* old number of used digits in c */
1.1    nonaka 	oldused = c->used;
1.1    nonaka
1.1    nonaka 	/* sign always positive */
1.1    nonaka 	c->sign = MP_ZPOS;
1.1    nonaka
1.1    nonaka 	/* source alias */
1.1    nonaka 	tmpa = a->dp;
1.1    nonaka
1.1    nonaka 	/* destination alias */
1.1    nonaka 	tmpc = c->dp;
1.1    nonaka
1.1    nonaka 	/* if a is positive */
1.1    nonaka 	if (a->sign == MP_ZPOS) {
1.1    nonaka 		/* add digit, after this we're propagating
1.1    nonaka 		* the carry.
1.1    nonaka 		*/
1.1    nonaka 		*tmpc = *tmpa++ + b;
1.1    nonaka 		mu = *tmpc >> DIGIT_BIT;
1.1    nonaka 		*tmpc++ &= MP_MASK;
1.1    nonaka
1.1    nonaka 		/* now handle rest of the digits */
1.1    nonaka 		for (ix = 1; ix < a->used; ix++) {
1.1    nonaka 			*tmpc = *tmpa++ + mu;
1.1    nonaka 			mu = *tmpc >> DIGIT_BIT;
1.1    nonaka 			*tmpc++ &= MP_MASK;
1.1    nonaka 		}
1.1    nonaka 		/* set final carry */
1.1    nonaka 		ix++;
1.1    nonaka 		*tmpc++  = mu;
1.1    nonaka
1.1    nonaka 		/* setup size */
1.1    nonaka 		c->used = a->used + 1;
1.1    nonaka 	} else {
1.1    nonaka 		/* a was negative and |a| < b */
1.1    nonaka 		c->used  = 1;
1.1    nonaka
1.1    nonaka 		/* the result is a single digit */
1.1    nonaka 		if (a->used == 1) {
1.1    nonaka 			*tmpc++  =  b - a->dp[0];
1.1    nonaka 		} else {
1.1    nonaka 			*tmpc++  =  b;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* setup count so the clearing of oldused
1.1    nonaka 		* can fall through correctly
1.1    nonaka 		*/
1.1    nonaka 		ix = 1;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now zero to oldused */
1.1    nonaka 	while (ix++ < oldused) {
1.1    nonaka 		*tmpc++ = 0;
1.1    nonaka 	}
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* single digit subtraction */
1.1    nonaka static int
1.1    nonaka signed_subtract_word(mp_int *a, mp_digit b, mp_int *c)
1.1    nonaka {
1.1    nonaka 	mp_digit *tmpa, *tmpc, mu;
1.1    nonaka 	int       res, ix, oldused;
1.1    nonaka
1.1    nonaka 	/* grow c as required */
1.1    nonaka 	if (c->alloc < a->used + 1) {
1.1    nonaka 		if ((res = mp_grow(c, a->used + 1)) != MP_OKAY) {
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if a is negative just do an unsigned
1.1    nonaka 	* addition [with fudged signs]
1.1    nonaka 	*/
1.1    nonaka 	if (a->sign == MP_NEG) {
1.1    nonaka 		a->sign = MP_ZPOS;
1.1    nonaka 		res = add_single_digit(a, b, c);
1.1    nonaka 		a->sign = c->sign = MP_NEG;
1.1    nonaka
1.1    nonaka 		/* clamp */
1.1    nonaka 		trim_unused_digits(c);
1.1    nonaka
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* setup regs */
1.1    nonaka 	oldused = c->used;
1.1    nonaka 	tmpa = a->dp;
1.1    nonaka 	tmpc = c->dp;
1.1    nonaka
1.1    nonaka 	/* if a <= b simply fix the single digit */
1.1    nonaka 	if ((a->used == 1 && a->dp[0] <= b) || a->used == 0) {
1.1    nonaka 		if (a->used == 1) {
1.1    nonaka 			*tmpc++ = b - *tmpa;
1.1    nonaka 		} else {
1.1    nonaka 			*tmpc++ = b;
1.1    nonaka 		}
1.1    nonaka 		ix = 1;
1.1    nonaka
1.1    nonaka 		/* negative/1digit */
1.1    nonaka 		c->sign = MP_NEG;
1.1    nonaka 		c->used = 1;
1.1    nonaka 	} else {
1.1    nonaka 		/* positive/size */
1.1    nonaka 		c->sign = MP_ZPOS;
1.1    nonaka 		c->used = a->used;
1.1    nonaka
1.1    nonaka 		/* subtract first digit */
1.1    nonaka 		*tmpc = *tmpa++ - b;
1.1    nonaka 		mu = *tmpc >> (sizeof(mp_digit) * CHAR_BIT - 1);
1.1    nonaka 		*tmpc++ &= MP_MASK;
1.1    nonaka
1.1    nonaka 		/* handle rest of the digits */
1.1    nonaka 		for (ix = 1; ix < a->used; ix++) {
1.1    nonaka 			*tmpc = *tmpa++ - mu;
1.1    nonaka 			mu = *tmpc >> (sizeof(mp_digit) * CHAR_BIT - 1);
1.1    nonaka 			*tmpc++ &= MP_MASK;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* zero excess digits */
1.1    nonaka 	while (ix++ < oldused) {
1.1    nonaka 		*tmpc++ = 0;
1.1    nonaka 	}
1.1    nonaka 	trim_unused_digits(c);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka static const int lnz[16] = {
1.1    nonaka 	4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0
1.1    nonaka };
1.1    nonaka
1.1    nonaka /* Counts the number of lsbs which are zero before the first zero bit */
1.1    nonaka static int
1.1    nonaka mp_cnt_lsb(mp_int *a)
1.1    nonaka {
1.1    nonaka 	int x;
1.1    nonaka 	mp_digit q, qq;
1.1    nonaka
1.1    nonaka 	/* easy out */
1.1    nonaka 	if (MP_ISZERO(a) == 1) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* scan lower digits until non-zero */
1.1    nonaka 	for (x = 0; x < a->used && a->dp[x] == 0; x++) {
1.1    nonaka 	}
1.1    nonaka 	q = a->dp[x];
1.1    nonaka 	x *= DIGIT_BIT;
1.1    nonaka
1.1    nonaka 	/* now scan this digit until a 1 is found */
1.1    nonaka 	if ((q & 1) == 0) {
1.1    nonaka 		do {
1.1    nonaka 			 qq  = q & 15;
1.1    nonaka 			 /* LINTED previous op ensures range of qq */
1.1    nonaka 			 x  += lnz[qq];
1.1    nonaka 			 q >>= 4;
1.1    nonaka 		} while (qq == 0);
1.1    nonaka 	}
1.1    nonaka 	return x;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* c = a * a (mod b) */
1.1    nonaka static int
1.1    nonaka square_modulo(mp_int *a, mp_int *b, mp_int *c)
1.1    nonaka {
1.1    nonaka 	int     res;
1.1    nonaka 	mp_int  t;
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&t)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = square(a, &t)) != MP_OKAY) {
1.1    nonaka 		mp_clear(&t);
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka 	res = modulo(&t, b, c);
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka static int
1.1    nonaka mp_prime_miller_rabin(mp_int *a, mp_int *b, int *result)
1.1    nonaka {
1.1    nonaka 	mp_int  n1, y, r;
1.1    nonaka 	int     s, j, err;
1.1    nonaka
1.1    nonaka 	/* default */
1.1    nonaka 	*result = MP_NO;
1.1    nonaka
1.1    nonaka 	/* ensure b > 1 */
1.1    nonaka 	if (compare_digit(b, 1) != MP_GT) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* get n1 = a - 1 */
1.1    nonaka 	if ((err = mp_init_copy(&n1, a)) != MP_OKAY) {
1.1    nonaka 		return err;
1.1    nonaka 	}
1.1    nonaka 	if ((err = signed_subtract_word(&n1, 1, &n1)) != MP_OKAY) {
1.1    nonaka 		goto LBL_N1;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* set 2**s * r = n1 */
1.1    nonaka 	if ((err = mp_init_copy(&r, &n1)) != MP_OKAY) {
1.1    nonaka 		goto LBL_N1;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* count the number of least significant bits
1.1    nonaka 	* which are zero
1.1    nonaka 	*/
1.1    nonaka 	s = mp_cnt_lsb(&r);
1.1    nonaka
1.1    nonaka 	/* now divide n - 1 by 2**s */
1.1    nonaka 	if ((err = rshift_bits(&r, s, &r, NULL)) != MP_OKAY) {
1.1    nonaka 		goto LBL_R;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* compute y = b**r mod a */
1.1    nonaka 	if ((err = mp_init(&y)) != MP_OKAY) {
1.1    nonaka 		goto LBL_R;
1.1    nonaka 	}
1.1    nonaka 	if ((err = exponent_modulo(b, &r, a, &y)) != MP_OKAY) {
1.1    nonaka 		goto LBL_Y;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if y != 1 and y != n1 do */
1.1    nonaka 	if (compare_digit(&y, 1) != MP_EQ && signed_compare(&y, &n1) != MP_EQ) {
1.1    nonaka 		j = 1;
1.1    nonaka 		/* while j <= s-1 and y != n1 */
1.1    nonaka 		while ((j <= (s - 1)) && signed_compare(&y, &n1) != MP_EQ) {
1.1    nonaka 			if ((err = square_modulo(&y, a, &y)) != MP_OKAY) {
1.1    nonaka 				goto LBL_Y;
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			/* if y == 1 then composite */
1.1    nonaka 			if (compare_digit(&y, 1) == MP_EQ) {
1.1    nonaka 				goto LBL_Y;
1.1    nonaka 			}
1.1    nonaka
1.1    nonaka 			++j;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* if y != n1 then composite */
1.1    nonaka 		if (signed_compare(&y, &n1) != MP_EQ) {
1.1    nonaka 			goto LBL_Y;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* probably prime now */
1.1    nonaka 	*result = MP_YES;
1.1    nonaka LBL_Y:
1.1    nonaka 	mp_clear(&y);
1.1    nonaka LBL_R:
1.1    nonaka 	mp_clear(&r);
1.1    nonaka LBL_N1:
1.1    nonaka 	mp_clear(&n1);
1.1    nonaka 	return err;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* performs a variable number of rounds of Miller-Rabin
1.1    nonaka  *
1.1    nonaka  * Probability of error after t rounds is no more than
1.1    nonaka
1.1    nonaka  *
1.1    nonaka  * Sets result to 1 if probably prime, 0 otherwise
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka mp_prime_is_prime(mp_int *a, int t, int *result)
1.1    nonaka {
1.1    nonaka 	mp_int  b;
1.1    nonaka 	int     ix, err, res;
1.1    nonaka
1.1    nonaka 	/* default to no */
1.1    nonaka 	*result = MP_NO;
1.1    nonaka
1.1    nonaka 	/* valid value of t? */
1.1    nonaka 	if (t <= 0 || t > (int)PRIME_SIZE) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* is the input equal to one of the primes in the table? */
1.1    nonaka 	for (ix = 0; ix < (int)PRIME_SIZE; ix++) {
1.1    nonaka 		if (compare_digit(a, ltm_prime_tab[ix]) == MP_EQ) {
1.1    nonaka 			*result = 1;
1.1    nonaka 			return MP_OKAY;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* first perform trial division */
1.1    nonaka 	if ((err = mp_prime_is_divisible(a, &res)) != MP_OKAY) {
1.1    nonaka 		return err;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* return if it was trivially divisible */
1.1    nonaka 	if (res == MP_YES) {
1.1    nonaka 		return MP_OKAY;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* now perform the miller-rabin rounds */
1.1    nonaka 	if ((err = mp_init(&b)) != MP_OKAY) {
1.1    nonaka 		return err;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	for (ix = 0; ix < t; ix++) {
1.1    nonaka 		/* set the prime */
1.1    nonaka 		set_word(&b, ltm_prime_tab[ix]);
1.1    nonaka
1.1    nonaka 		if ((err = mp_prime_miller_rabin(a, &b, &res)) != MP_OKAY) {
1.1    nonaka 			goto LBL_B;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if (res == MP_NO) {
1.1    nonaka 			goto LBL_B;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* passed the test */
1.1    nonaka 	*result = MP_YES;
1.1    nonaka LBL_B:
1.1    nonaka 	mp_clear(&b);
1.1    nonaka 	return err;
1.1    nonaka }
1.1    nonaka
1.6    andvar /* returns size of ASCII representation */
1.1    nonaka static int
1.1    nonaka mp_radix_size(mp_int *a, int radix, int *size)
1.1    nonaka {
1.1    nonaka 	int     res, digs;
1.1    nonaka 	mp_int  t;
1.1    nonaka 	mp_digit d;
1.1    nonaka
1.1    nonaka 	*size = 0;
1.1    nonaka
1.1    nonaka 	/* special case for binary */
1.1    nonaka 	if (radix == 2) {
1.1    nonaka 		*size = mp_count_bits(a) + (a->sign == MP_NEG ? 1 : 0) + 1;
1.1    nonaka 		return MP_OKAY;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* make sure the radix is in range */
1.1    nonaka 	if (radix < 2 || radix > 64) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (MP_ISZERO(a) == MP_YES) {
1.1    nonaka 		*size = 2;
1.1    nonaka 		return MP_OKAY;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* digs is the digit count */
1.1    nonaka 	digs = 0;
1.1    nonaka
1.1    nonaka 	/* if it's negative add one for the sign */
1.1    nonaka 	if (a->sign == MP_NEG) {
1.1    nonaka 		++digs;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* init a copy of the input */
1.1    nonaka 	if ((res = mp_init_copy(&t, a)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* force temp to positive */
1.1    nonaka 	t.sign = MP_ZPOS;
1.1    nonaka
1.1    nonaka 	/* fetch out all of the digits */
1.1    nonaka 	while (MP_ISZERO(&t) == MP_NO) {
1.1    nonaka 		if ((res = signed_divide_word(&t, (mp_digit) radix, &t, &d)) != MP_OKAY) {
1.1    nonaka 			mp_clear(&t);
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 		++digs;
1.1    nonaka 	}
1.1    nonaka 	mp_clear(&t);
1.1    nonaka
1.1    nonaka 	/* return digs + 1, the 1 is for the NULL byte that would be required. */
1.1    nonaka 	*size = digs + 1;
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka static const char *mp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/";
1.1    nonaka
1.1    nonaka /* stores a bignum as a ASCII string in a given radix (2..64)
1.1    nonaka  *
1.1    nonaka  * Stores upto maxlen-1 chars and always a NULL byte
1.1    nonaka  */
1.1    nonaka static int
1.1    nonaka mp_toradix_n(mp_int * a, char *str, int radix, int maxlen)
1.1    nonaka {
1.1    nonaka 	int     res, digs;
1.1    nonaka 	mp_int  t;
1.1    nonaka 	mp_digit d;
1.1    nonaka 	char   *_s = str;
1.1    nonaka
1.1    nonaka 	/* check range of the maxlen, radix */
1.1    nonaka 	if (maxlen < 2 || radix < 2 || radix > 64) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* quick out if its zero */
1.1    nonaka 	if (MP_ISZERO(a) == MP_YES) {
1.1    nonaka 		*str++ = '0';
1.1    nonaka 		*str = '\0';
1.1    nonaka 		return MP_OKAY;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_init_copy(&t, a)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* if it is negative output a - */
1.1    nonaka 	if (t.sign == MP_NEG) {
1.1    nonaka 		/* we have to reverse our digits later... but not the - sign!! */
1.1    nonaka 		++_s;
1.1    nonaka
1.1    nonaka 		/* store the flag and mark the number as positive */
1.1    nonaka 		*str++ = '-';
1.1    nonaka 		t.sign = MP_ZPOS;
1.1    nonaka
1.1    nonaka 		/* subtract a char */
1.1    nonaka 		--maxlen;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	digs = 0;
1.1    nonaka 	while (MP_ISZERO(&t) == 0) {
1.1    nonaka 		if (--maxlen < 1) {
1.1    nonaka 			/* no more room */
1.1    nonaka 			break;
1.1    nonaka 		}
1.1    nonaka 		if ((res = signed_divide_word(&t, (mp_digit) radix, &t, &d)) != MP_OKAY) {
1.1    nonaka 			mp_clear(&t);
1.1    nonaka 			return res;
1.1    nonaka 		}
1.1    nonaka 		/* LINTED -- radix' range is checked above, limits d's range */
1.1    nonaka 		*str++ = mp_s_rmap[d];
1.1    nonaka 		++digs;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* reverse the digits of the string.  In this case _s points
1.6    andvar 	* to the first digit [excluding the sign] of the number
1.1    nonaka 	*/
1.1    nonaka 	bn_reverse((unsigned char *)_s, digs);
1.1    nonaka
1.1    nonaka 	/* append a NULL so the string is properly terminated */
1.1    nonaka 	*str = '\0';
1.1    nonaka
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka static char *
1.1    nonaka formatbn(const BIGNUM *a, const int radix)
1.1    nonaka {
1.1    nonaka 	char	*s;
1.1    nonaka 	int	 len;
1.1    nonaka
1.1    nonaka 	if (mp_radix_size(__UNCONST(a), radix, &len) != MP_OKAY) {
1.1    nonaka 		return NULL;
1.1    nonaka 	}
1.1    nonaka 	if ((s = allocate(1, (size_t)len)) != NULL) {
1.1    nonaka 		if (mp_toradix_n(__UNCONST(a), s, radix, len) != MP_OKAY) {
1.1    nonaka 			deallocate(s, (size_t)len);
1.1    nonaka 			return NULL;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	return s;
1.1    nonaka }
1.1    nonaka
1.1    nonaka static int
1.1    nonaka mp_getradix_num(mp_int *a, int radix, char *s)
1.1    nonaka {
1.1    nonaka 	int err, ch, neg, y;
1.1    nonaka
1.1    nonaka 	/* clear a */
1.1    nonaka 	mp_zero(a);
1.1    nonaka
1.1    nonaka 	/* if first digit is - then set negative */
1.1    nonaka 	if ((ch = *s++) == '-') {
1.1    nonaka 		neg = MP_NEG;
1.1    nonaka 		ch = *s++;
1.1    nonaka 	} else {
1.1    nonaka 		neg = MP_ZPOS;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	for (;;) {
1.1    nonaka 		/* find y in the radix map */
1.1    nonaka 		for (y = 0; y < radix; y++) {
1.1    nonaka 			if (mp_s_rmap[y] == ch) {
1.1    nonaka 				break;
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 		if (y == radix) {
1.1    nonaka 			break;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* shift up and add */
1.1    nonaka 		if ((err = multiply_digit(a, radix, a)) != MP_OKAY) {
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka 		if ((err = add_single_digit(a, y, a)) != MP_OKAY) {
1.1    nonaka 			return err;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		ch = *s++;
1.1    nonaka 	}
1.1    nonaka 	if (compare_digit(a, 0) != MP_EQ) {
1.1    nonaka 		a->sign = neg;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	return MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka static int
1.1    nonaka getbn(BIGNUM **a, const char *str, int radix)
1.1    nonaka {
1.1    nonaka 	int	len;
1.1    nonaka
1.1    nonaka 	if (a == NULL || str == NULL || (*a = BN_new()) == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	if (mp_getradix_num(*a, radix, __UNCONST(str)) != MP_OKAY) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	mp_radix_size(__UNCONST(*a), radix, &len);
1.1    nonaka 	return len - 1;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* d = a - b (mod c) */
1.1    nonaka static int
1.1    nonaka subtract_modulo(mp_int *a, mp_int *b, mp_int *c, mp_int *d)
1.1    nonaka {
1.1    nonaka 	int     res;
1.1    nonaka 	mp_int  t;
1.1    nonaka
1.1    nonaka
1.1    nonaka 	if ((res = mp_init(&t)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = signed_subtract(a, b, &t)) != MP_OKAY) {
1.1    nonaka 		mp_clear(&t);
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka 	res = modulo(&t, c, d);
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* bn_mp_gcd.c */
1.1    nonaka /* Greatest Common Divisor using the binary method */
1.1    nonaka static int
1.1    nonaka mp_gcd(mp_int *a, mp_int *b, mp_int *c)
1.1    nonaka {
1.1    nonaka 	mp_int  u, v;
1.1    nonaka 	int     k, u_lsb, v_lsb, res;
1.1    nonaka
1.1    nonaka 	/* either zero than gcd is the largest */
1.1    nonaka 	if (BN_is_zero(a) == MP_YES) {
1.1    nonaka 		return absolute(b, c);
1.1    nonaka 	}
1.1    nonaka 	if (BN_is_zero(b) == MP_YES) {
1.1    nonaka 		return absolute(a, c);
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* get copies of a and b we can modify */
1.1    nonaka 	if ((res = mp_init_copy(&u, a)) != MP_OKAY) {
1.1    nonaka 		return res;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if ((res = mp_init_copy(&v, b)) != MP_OKAY) {
1.1    nonaka 		goto LBL_U;
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* must be positive for the remainder of the algorithm */
1.1    nonaka 	u.sign = v.sign = MP_ZPOS;
1.1    nonaka
1.1    nonaka 	/* B1.  Find the common power of two for u and v */
1.1    nonaka 	u_lsb = mp_cnt_lsb(&u);
1.1    nonaka 	v_lsb = mp_cnt_lsb(&v);
1.1    nonaka 	k = MIN(u_lsb, v_lsb);
1.1    nonaka
1.1    nonaka 	if (k > 0) {
1.1    nonaka 		/* divide the power of two out */
1.1    nonaka 		if ((res = rshift_bits(&u, k, &u, NULL)) != MP_OKAY) {
1.1    nonaka 			goto LBL_V;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		if ((res = rshift_bits(&v, k, &v, NULL)) != MP_OKAY) {
1.1    nonaka 			goto LBL_V;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* divide any remaining factors of two out */
1.1    nonaka 	if (u_lsb != k) {
1.1    nonaka 		if ((res = rshift_bits(&u, u_lsb - k, &u, NULL)) != MP_OKAY) {
1.1    nonaka 			goto LBL_V;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	if (v_lsb != k) {
1.1    nonaka 		if ((res = rshift_bits(&v, v_lsb - k, &v, NULL)) != MP_OKAY) {
1.1    nonaka 			goto LBL_V;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	while (BN_is_zero(&v) == 0) {
1.1    nonaka 		/* make sure v is the largest */
1.1    nonaka 		if (compare_magnitude(&u, &v) == MP_GT) {
1.1    nonaka 			/* swap u and v to make sure v is >= u */
1.1    nonaka 			mp_exch(&u, &v);
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* subtract smallest from largest */
1.1    nonaka 		if ((res = signed_subtract(&v, &u, &v)) != MP_OKAY) {
1.1    nonaka 			goto LBL_V;
1.1    nonaka 		}
1.1    nonaka
1.1    nonaka 		/* Divide out all factors of two */
1.1    nonaka 		if ((res = rshift_bits(&v, mp_cnt_lsb(&v), &v, NULL)) != MP_OKAY) {
1.1    nonaka 			goto LBL_V;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka
1.1    nonaka 	/* multiply by 2**k which we divided out at the beginning */
1.1    nonaka 	if ((res = lshift_bits(&u, k, c)) != MP_OKAY) {
1.1    nonaka 		goto LBL_V;
1.1    nonaka 	}
1.1    nonaka 	c->sign = MP_ZPOS;
1.1    nonaka 	res = MP_OKAY;
1.1    nonaka LBL_V:
1.1    nonaka 	mp_clear (&u);
1.1    nonaka LBL_U:
1.1    nonaka 	mp_clear (&v);
1.1    nonaka 	return res;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /**************************************************************************/
1.1    nonaka
1.1    nonaka /* BIGNUM emulation layer */
1.1    nonaka
1.6    andvar /* essentially, these are just wrappers around the libtommath functions */
1.1    nonaka /* usually the order of args changes */
1.1    nonaka /* the BIGNUM API tends to have more const poisoning */
1.1    nonaka /* these wrappers also check the arguments passed for sanity */
1.1    nonaka
1.1    nonaka BIGNUM *
1.1    nonaka BN_bin2bn(const uint8_t *data, int len, BIGNUM *ret)
1.1    nonaka {
1.1    nonaka 	if (data == NULL) {
1.1    nonaka 		return BN_new();
1.1    nonaka 	}
1.1    nonaka 	if (ret == NULL) {
1.1    nonaka 		ret = BN_new();
1.1    nonaka 	}
1.1    nonaka 	return (mp_read_unsigned_bin(ret, data, len) == MP_OKAY) ? ret : NULL;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* store in unsigned [big endian] format */
1.1    nonaka int
1.1    nonaka BN_bn2bin(const BIGNUM *a, unsigned char *b)
1.1    nonaka {
1.1    nonaka 	BIGNUM	t;
1.1    nonaka 	int    	x;
1.1    nonaka
1.1    nonaka 	if (a == NULL || b == NULL) {
1.1    nonaka 		return -1;
1.1    nonaka 	}
1.1    nonaka 	if (mp_init_copy (&t, __UNCONST(a)) != MP_OKAY) {
1.1    nonaka 		return -1;
1.1    nonaka 	}
1.1    nonaka 	for (x = 0; !BN_is_zero(&t) ; ) {
1.1    nonaka 		b[x++] = (unsigned char) (t.dp[0] & 0xff);
1.1    nonaka 		if (rshift_bits(&t, 8, &t, NULL) != MP_OKAY) {
1.1    nonaka 			mp_clear(&t);
1.1    nonaka 			return -1;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	bn_reverse(b, x);
1.1    nonaka 	mp_clear(&t);
1.1    nonaka 	return x;
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_init(BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	if (a != NULL) {
1.1    nonaka 		mp_init(a);
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka BIGNUM *
1.1    nonaka BN_new(void)
1.1    nonaka {
1.1    nonaka 	BIGNUM	*a;
1.1    nonaka
1.1    nonaka 	if ((a = allocate(1, sizeof(*a))) != NULL) {
1.1    nonaka 		mp_init(a);
1.1    nonaka 	}
1.1    nonaka 	return a;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* copy, b = a */
1.1    nonaka int
1.1    nonaka BN_copy(BIGNUM *b, const BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	if (a == NULL || b == NULL) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka 	return mp_copy(__UNCONST(a), b);
1.1    nonaka }
1.1    nonaka
1.1    nonaka BIGNUM *
1.1    nonaka BN_dup(const BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	BIGNUM	*ret;
1.1    nonaka
1.1    nonaka 	if (a == NULL) {
1.1    nonaka 		return NULL;
1.1    nonaka 	}
1.1    nonaka 	if ((ret = BN_new()) != NULL) {
1.1    nonaka 		BN_copy(ret, a);
1.1    nonaka 	}
1.1    nonaka 	return ret;
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_swap(BIGNUM *a, BIGNUM *b)
1.1    nonaka {
1.1    nonaka 	if (a && b) {
1.1    nonaka 		mp_exch(a, b);
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
1.1    nonaka {
1.1    nonaka 	if (r == NULL || a == NULL || n < 0) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	BN_copy(r, a);
1.1    nonaka 	return lshift_digits(r, n) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_lshift1(BIGNUM *r, BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	if (r == NULL || a == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	BN_copy(r, a);
1.1    nonaka 	return lshift_digits(r, 1) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
1.1    nonaka {
1.1    nonaka 	if (r == NULL || a == NULL || n < 0) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka 	BN_copy(r, a);
1.1    nonaka 	return rshift_digits(r, n) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_rshift1(BIGNUM *r, BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	if (r == NULL || a == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	BN_copy(r, a);
1.1    nonaka 	return rshift_digits(r, 1) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_set_word(BIGNUM *a, BN_ULONG w)
1.1    nonaka {
1.1    nonaka 	if (a == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	set_word(a, w);
1.1    nonaka 	return 1;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
1.1    nonaka {
1.1    nonaka 	if (a == NULL || b == NULL || r == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	return signed_add(__UNCONST(a), __UNCONST(b), r) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
1.1    nonaka {
1.1    nonaka 	if (a == NULL || b == NULL || r == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	return signed_subtract(__UNCONST(a), __UNCONST(b), r) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	if (a == NULL || b == NULL || r == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	USE_ARG(ctx);
1.1    nonaka 	return signed_multiply(__UNCONST(a), __UNCONST(b), r) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d, BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	if ((dv == NULL && rem == NULL) || a == NULL || d == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	USE_ARG(ctx);
1.1    nonaka 	return signed_divide(dv, rem, __UNCONST(a), __UNCONST(d)) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* perform a bit operation on the 2 bignums */
1.1    nonaka int
1.1    nonaka BN_bitop(BIGNUM *r, const BIGNUM *a, char op, const BIGNUM *b)
1.1    nonaka {
1.1    nonaka 	unsigned	ndigits;
1.1    nonaka 	mp_digit	ad;
1.1    nonaka 	mp_digit	bd;
1.1    nonaka 	int		i;
1.1    nonaka
1.1    nonaka 	if (a == NULL || b == NULL || r == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	if (BN_cmp(__UNCONST(a), __UNCONST(b)) >= 0) {
1.1    nonaka 		BN_copy(r, a);
1.1    nonaka 		ndigits = a->used;
1.1    nonaka 	} else {
1.1    nonaka 		BN_copy(r, b);
1.1    nonaka 		ndigits = b->used;
1.1    nonaka 	}
1.1    nonaka 	for (i = 0 ; i < (int)ndigits ; i++) {
1.1    nonaka 		ad = (i > a->used) ? 0 : a->dp[i];
1.1    nonaka 		bd = (i > b->used) ? 0 : b->dp[i];
1.1    nonaka 		switch(op) {
1.1    nonaka 		case '&':
1.1    nonaka 			r->dp[i] = (ad & bd);
1.1    nonaka 			break;
1.1    nonaka 		case '|':
1.1    nonaka 			r->dp[i] = (ad | bd);
1.1    nonaka 			break;
1.1    nonaka 		case '^':
1.1    nonaka 			r->dp[i] = (ad ^ bd);
1.1    nonaka 			break;
1.1    nonaka 		default:
1.1    nonaka 			break;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka 	return 1;
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_free(BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	if (a) {
1.1    nonaka 		mp_clear(a);
1.1    nonaka 		free(a);
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_clear(BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	if (a) {
1.1    nonaka 		mp_clear(a);
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_clear_free(BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	BN_clear(a);
1.1    nonaka 	free(a);
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_num_bytes(const BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	if (a == NULL) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka 	return mp_unsigned_bin_size(__UNCONST(a));
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_num_bits(const BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	if (a == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	return mp_count_bits(a);
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_set_negative(BIGNUM *a, int n)
1.1    nonaka {
1.1    nonaka 	if (a) {
1.1    nonaka 		a->sign = (n) ? MP_NEG : 0;
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_cmp(BIGNUM *a, BIGNUM *b)
1.1    nonaka {
1.1    nonaka 	if (a == NULL || b == NULL) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka 	switch(signed_compare(a, b)) {
1.1    nonaka 	case MP_LT:
1.1    nonaka 		return -1;
1.1    nonaka 	case MP_GT:
1.1    nonaka 		return 1;
1.1    nonaka 	case MP_EQ:
1.1    nonaka 	default:
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_mod_exp(BIGNUM *Y, BIGNUM *G, BIGNUM *X, BIGNUM *P, BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	if (Y == NULL || G == NULL || X == NULL || P == NULL) {
1.1    nonaka 		return MP_VAL;
1.1    nonaka 	}
1.1    nonaka 	USE_ARG(ctx);
1.1    nonaka 	return exponent_modulo(G, X, P, Y) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka BIGNUM *
1.1    nonaka BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	USE_ARG(ctx);
1.1    nonaka 	if (r == NULL || a == NULL || n == NULL) {
1.1    nonaka 		return NULL;
1.1    nonaka 	}
1.1    nonaka 	return (modular_inverse(r, a, __UNCONST(n)) == MP_OKAY) ? r : NULL;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	USE_ARG(ctx);
1.1    nonaka 	if (ret == NULL || a == NULL || b == NULL || m == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	return multiply_modulo(ret, a, b, __UNCONST(m)) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka BN_CTX *
1.1    nonaka BN_CTX_new(void)
1.1    nonaka {
1.1    nonaka 	return allocate(1, sizeof(BN_CTX));
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_CTX_init(BN_CTX *c)
1.1    nonaka {
1.1    nonaka 	if (c != NULL) {
1.1    nonaka 		c->arraysize = 15;
1.1    nonaka 		if ((c->v = allocate(sizeof(*c->v), c->arraysize)) == NULL) {
1.1    nonaka 			c->arraysize = 0;
1.1    nonaka 		}
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka BIGNUM *
1.1    nonaka BN_CTX_get(BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	if (ctx == NULL || ctx->v == NULL || ctx->arraysize == 0 || ctx->count == ctx->arraysize - 1) {
1.1    nonaka 		return NULL;
1.1    nonaka 	}
1.1    nonaka 	return ctx->v[ctx->count++] = BN_new();
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_CTX_start(BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	BN_CTX_init(ctx);
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_CTX_free(BN_CTX *c)
1.1    nonaka {
1.1    nonaka 	unsigned	i;
1.1    nonaka
1.1    nonaka 	if (c != NULL && c->v != NULL) {
1.1    nonaka 		for (i = 0 ; i < c->count ; i++) {
1.1    nonaka 			BN_clear_free(c->v[i]);
1.1    nonaka 		}
1.1    nonaka 		deallocate(c->v, sizeof(*c->v) * c->arraysize);
1.1    nonaka 	}
1.1    nonaka }
1.1    nonaka
1.1    nonaka void
1.1    nonaka BN_CTX_end(BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	BN_CTX_free(ctx);
1.1    nonaka }
1.1    nonaka
1.1    nonaka char *
1.1    nonaka BN_bn2hex(const BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	return (a == NULL) ? NULL : formatbn(a, 16);
1.1    nonaka }
1.1    nonaka
1.1    nonaka char *
1.1    nonaka BN_bn2dec(const BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	return (a == NULL) ? NULL : formatbn(a, 10);
1.1    nonaka }
1.1    nonaka
1.1    nonaka char *
1.1    nonaka BN_bn2radix(const BIGNUM *a, unsigned radix)
1.1    nonaka {
1.1    nonaka 	return (a == NULL) ? NULL : formatbn(a, (int)radix);
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_print_fp(FILE *fp, const BIGNUM *a)
1.1    nonaka {
1.1    nonaka 	char	*s;
1.1    nonaka 	int	 ret;
1.1    nonaka
1.1    nonaka 	if (fp == NULL || a == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	s = BN_bn2hex(a);
1.1    nonaka 	ret = fprintf(fp, "%s", s);
1.1    nonaka 	deallocate(s, strlen(s) + 1);
1.1    nonaka 	return ret;
1.1    nonaka }
1.1    nonaka
1.1    nonaka #ifdef BN_RAND_NEEDED
1.1    nonaka int
1.1    nonaka BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
1.1    nonaka {
1.1    nonaka 	uint64_t	r;
1.1    nonaka 	int		digits;
1.1    nonaka 	int		i;
1.1    nonaka
1.1    nonaka 	if (rnd == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	mp_init_size(rnd, digits = howmany(bits, DIGIT_BIT));
1.1    nonaka 	for (i = 0 ; i < digits ; i++) {
1.1    nonaka 		r = (uint64_t)arc4random();
1.1    nonaka 		r <<= 32;
1.1    nonaka 		r |= arc4random();
1.1    nonaka 		rnd->dp[i] = (r & MP_MASK);
1.1    nonaka 		rnd->used += 1;
1.1    nonaka 	}
1.1    nonaka 	if (top == 0) {
1.1    nonaka 		rnd->dp[rnd->used - 1] |= (((mp_digit)1)<<((mp_digit)DIGIT_BIT));
1.1    nonaka 	}
1.1    nonaka 	if (top == 1) {
1.1    nonaka 		rnd->dp[rnd->used - 1] |= (((mp_digit)1)<<((mp_digit)DIGIT_BIT));
1.1    nonaka 		rnd->dp[rnd->used - 1] |= (((mp_digit)1)<<((mp_digit)(DIGIT_BIT - 1)));
1.1    nonaka 	}
1.1    nonaka 	if (bottom) {
1.1    nonaka 		rnd->dp[0] |= 0x1;
1.1    nonaka 	}
1.1    nonaka 	return 1;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_rand_range(BIGNUM *rnd, BIGNUM *range)
1.1    nonaka {
1.1    nonaka 	if (rnd == NULL || range == NULL || BN_is_zero(range)) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	BN_rand(rnd, BN_num_bits(range), 1, 0);
1.1    nonaka 	return modulo(rnd, range, rnd) == MP_OKAY;
1.1    nonaka }
1.1    nonaka #endif
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg)
1.1    nonaka {
1.1    nonaka 	int	primality;
1.1    nonaka
1.1    nonaka 	if (a == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	USE_ARG(ctx);
1.1    nonaka 	USE_ARG(cb_arg);
1.1    nonaka 	USE_ARG(callback);
1.1    nonaka 	return (mp_prime_is_prime(__UNCONST(a), checks, &primality) == MP_OKAY) ? primality : 0;
1.1    nonaka }
1.1    nonaka
1.1    nonaka const BIGNUM *
1.1    nonaka BN_value_one(void)
1.1    nonaka {
1.1    nonaka 	static mp_digit		digit = 1UL;
1.1    nonaka 	static const BIGNUM	one = { &digit, 1, 1, 0 };
1.1    nonaka
1.1    nonaka 	return &one;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_hex2bn(BIGNUM **a, const char *str)
1.1    nonaka {
1.1    nonaka 	return getbn(a, str, 16);
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_dec2bn(BIGNUM **a, const char *str)
1.1    nonaka {
1.1    nonaka 	return getbn(a, str, 10);
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_radix2bn(BIGNUM **a, const char *str, unsigned radix)
1.1    nonaka {
1.1    nonaka 	return getbn(a, str, (int)radix);
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_mod_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	USE_ARG(ctx);
1.1    nonaka 	if (r == NULL || a == NULL || b == NULL || m == NULL) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	return subtract_modulo(a, b, __UNCONST(m), r) == MP_OKAY;
1.1    nonaka }
1.1    nonaka
1.1    nonaka int
1.1    nonaka BN_is_bit_set(const BIGNUM *a, int n)
1.1    nonaka {
1.1    nonaka 	if (a == NULL || n < 0 || n >= a->used * DIGIT_BIT) {
1.1    nonaka 		return 0;
1.1    nonaka 	}
1.1    nonaka 	return (a->dp[n / DIGIT_BIT] & (1 << (n % DIGIT_BIT))) ? 1 : 0;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* raise 'a' to power of 'b' */
1.1    nonaka int
1.1    nonaka BN_raise(BIGNUM *res, BIGNUM *a, BIGNUM *b)
1.1    nonaka {
1.1    nonaka 	uint64_t	 exponent;
1.1    nonaka 	BIGNUM		*power;
1.1    nonaka 	BIGNUM		*temp;
1.1    nonaka 	char		*t;
1.1    nonaka
1.1    nonaka 	t = BN_bn2dec(b);
1.1    nonaka 	exponent = (uint64_t)strtoull(t, NULL, 10);
1.1    nonaka 	free(t);
1.1    nonaka 	if (exponent == 0) {
1.1    nonaka 		BN_copy(res, BN_value_one());
1.1    nonaka 	} else {
1.1    nonaka 		power = BN_dup(a);
1.1    nonaka 		for ( ; (exponent & 1) == 0 ; exponent >>= 1) {
1.1    nonaka 			BN_mul(power, power, power, NULL);
1.1    nonaka 		}
1.1    nonaka 		temp = BN_dup(power);
1.1    nonaka 		for (exponent >>= 1 ; exponent > 0 ; exponent >>= 1) {
1.1    nonaka 			BN_mul(power, power, power, NULL);
1.1    nonaka 			if (exponent & 1) {
1.1    nonaka 				BN_mul(temp, power, temp, NULL);
1.1    nonaka 			}
1.1    nonaka 		}
1.1    nonaka 		BN_copy(res, temp);
1.1    nonaka 		BN_free(power);
1.1    nonaka 		BN_free(temp);
1.1    nonaka 	}
1.1    nonaka 	return 1;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* compute the factorial */
1.1    nonaka int
1.1    nonaka BN_factorial(BIGNUM *res, BIGNUM *f)
1.1    nonaka {
1.1    nonaka 	BIGNUM	*one;
1.1    nonaka 	BIGNUM	*i;
1.1    nonaka
1.1    nonaka 	i = BN_dup(f);
1.1    nonaka 	one = __UNCONST(BN_value_one());
1.1    nonaka 	BN_sub(i, i, one);
1.1    nonaka 	BN_copy(res, f);
1.1    nonaka 	while (BN_cmp(i, one) > 0) {
1.1    nonaka 		BN_mul(res, res, i, NULL);
1.1    nonaka 		BN_sub(i, i, one);
1.1    nonaka 	}
1.1    nonaka 	BN_free(i);
1.1    nonaka 	return 1;
1.1    nonaka }
1.1    nonaka
1.1    nonaka /* get greatest common divisor */
1.1    nonaka int
1.1    nonaka BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
1.1    nonaka {
1.1    nonaka 	return mp_gcd(a, b, r);
1.1    nonaka }