| blob | 49cad971e9e28e88e79907e318c621ebdce241f5 |
1 /*
2 * Copyright(C) 2006 Cameron Rich
3 *
4 * This library is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU Lesser General Public License as published by
6 * the Free Software Foundation; either version 2.1 of the License, or
7 * (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public License
15 * along with this library; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 */
19 /**
20 * @defgroup bigint_api Big Integer API
21 * @brief The bigint implementation as used by the axTLS project.
22 *
23 * The bigint library is for RSA encryption/decryption as well as signing.
24 * This code tries to minimise use of malloc/free by maintaining a small
25 * cache. A bigint context may maintain state by being made "permanent".
26 * It be be later released with a bi_depermanent() and bi_free() call.
27 *
28 * It supports the following reduction techniques:
29 * - Classical
30 * - Barrett
31 * - Montgomery
32 *
33 * It also implements the following:
34 * - Karatsuba multiplication
35 * - Squaring
36 * - Sliding window exponentiation
37 * - Chinese Remainder Theorem (implemented in rsa.c).
38 *
39 * All the algorithms used are pretty standard, and designed for different
40 * data bus sizes. Negative numbers are not dealt with at all, so a subtraction
41 * may need to be tested for negativity.
42 *
43 * This library steals some ideas from Jef Poskanzer
44 * <http://cs.marlboro.edu/term/cs-fall02/algorithms/crypto/RSA/bigint>
45 * and GMP <http://www.swox.com/gmp>. It gets most of its implementation
46 * detail from "The Handbook of Applied Cryptography"
47 * <http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf>
48 * @{
49 */
51 #include <stdlib.h>
52 #include <limits.h>
53 #include <string.h>
54 #include <stdio.h>
55 #include <time.h>
64 #if defined(CONFIG_BIGINT_KARATSUBA) || defined(CONFIG_BIGINT_BARRETT) || \
65 defined(CONFIG_BIGINT_MONTGOMERY)
68 #endif
70 #ifdef CONFIG_BIGINT_CHECK_ON
72 #endif
74 /**
75 * @brief Start a new bigint context.
76 * @return A bigint context.
77 */
79 {
80 /* calloc() sets everything to zero */
83 /* the radix */
89 }
91 /**
92 * @brief Close the bigint context and free any resources.
93 *
94 * Free up any used memory - a check is done if all objects were not
95 * properly freed.
96 * @param ctx [in] The bigint session context.
97 */
99 {
106 {
107 #ifdef CONFIG_SSL_FULL_MODE
110 #endif
112 }
115 {
119 }
122 }
124 /**
125 * @brief Increment the number of references to this object.
126 * It does not do a full copy.
127 * @param bi [in] The bigint to copy.
128 * @return A reference to the same bigint.
129 */
131 {
136 }
138 /**
139 * @brief Simply make a bigint object "unfreeable" if bi_free() is called on it.
140 *
141 * For this object to be freed, bi_depermanent() must be called.
142 * @param bi [in] The bigint to be made permanent.
143 */
145 {
148 {
149 #ifdef CONFIG_SSL_FULL_MODE
151 #endif
153 }
156 }
158 /**
159 * @brief Take a permanent object and make it eligible for freedom.
160 * @param bi [in] The bigint to be made back to temporary.
161 */
163 {
166 {
167 #ifdef CONFIG_SSL_FULL_MODE
169 #endif
171 }
174 }
176 /**
177 * @brief Free a bigint object so it can be used again.
178 *
179 * The memory itself it not actually freed, just tagged as being available
180 * @param ctx [in] The bigint session context.
181 * @param bi [in] The bigint to be freed.
182 */
184 {
187 {
189 }
192 {
194 }
201 {
202 #ifdef CONFIG_SSL_FULL_MODE
205 #endif
207 }
208 }
210 /**
211 * @brief Convert an (unsigned) integer into a bigint.
212 * @param ctx [in] The bigint session context.
213 * @param i [in] The (unsigned) integer to be converted.
214 *
215 */
217 {
221 }
223 /**
224 * @brief Do a full copy of the bigint object.
225 * @param ctx [in] The bigint session context.
226 * @param bi [in] The bigint object to be copied.
227 */
229 {
234 }
236 /**
237 * @brief Perform an addition operation between two bigints.
238 * @param ctx [in] The bigint session context.
239 * @param bia [in] A bigint.
240 * @param bib [in] Another bigint.
241 * @return The result of the addition.
242 */
244 {
258 do
259 {
271 }
273 /**
274 * @brief Perform a subtraction operation between two bigints.
275 * @param ctx [in] The bigint session context.
276 * @param bia [in] A bigint.
277 * @param bib [in] Another bigint.
278 * @param is_negative [out] If defined, indicates that the result was negative.
279 * is_negative may be null.
280 * @return The result of the subtraction. The result is always positive.
281 */
284 {
295 do
296 {
306 {
308 }
312 }
314 /**
315 * Perform a multiply between a bigint an an (unsigned) integer
316 */
318 {
327 /* clear things to start with */
330 do
331 {
340 }
342 /**
343 * @brief Does both division and modulo calculations.
344 *
345 * Used extensively when doing classical reduction.
346 * @param ctx [in] The bigint session context.
347 * @param u [in] A bigint which is the numerator.
348 * @param v [in] Either the denominator or the modulus depending on the mode.
349 * @param is_mod [n] Determines if this is a normal division (0) or a reduction
350 * (1).
351 * @return The result of the division/reduction.
352 */
354 {
358 comp d;
360 comp q_dash;
365 /* if doing reduction and we are < mod, then return mod */
367 {
370 }
377 /* clear things to start with */
380 /* normalise */
382 {
386 {
388 }
389 else
390 {
392 }
393 }
396 {
398 }
400 do
401 {
402 /* get a temporary short version of u */
405 /* calculate q' */
407 {
409 }
410 else
411 {
413 }
416 {
417 /* we are implementing the following:
418 if (V2*q_dash > (((U(0)*COMP_RADIX + U(1) -
419 q_dash*V1)*COMP_RADIX) + U(2))) ... */
423 {
424 q_dash--;
425 }
426 }
428 /* multiply and subtract */
430 {
438 /* add back */
440 {
444 /* lop off the carry */
447 }
448 }
449 else
450 {
452 }
454 /* copy back to u */
462 {
465 }
467 {
470 }
471 }
473 /*
474 * Perform an integer divide on a bigint.
475 */
477 {
483 do
484 {
491 }
493 #ifdef CONFIG_BIGINT_MONTGOMERY
494 /**
495 * There is a need for the value of integer N' such that B^-1(B-1)-N^-1N'=1,
496 * where B^-1(B-1) mod N=1. Actually, only the least significant part of
497 * N' is needed, hence the definition N0'=N' mod b. We reproduce below the
498 * simple algorithm from an article by Dusse and Kaliski to efficiently
499 * find N0' from N0 and b */
501 {
509 {
511 {
513 }
517 }
520 }
521 #endif
523 #if defined(CONFIG_BIGINT_KARATSUBA) || defined(CONFIG_BIGINT_BARRETT) || \
524 defined(CONFIG_BIGINT_MONTGOMERY)
525 /**
526 * Take each component and shift down (in terms of components)
527 */
529 {
537 {
541 }
543 do
544 {
550 }
552 /**
553 * Take each component and shift it up (in terms of components)
554 */
556 {
563 {
565 }
572 do
573 {
579 }
580 #endif
582 /**
583 * @brief Allow a binary sequence to be imported as a bigint.
584 * @param ctx [in] The bigint session context.
585 * @param data [in] The data to be converted.
586 * @param size [in] The number of bytes of data.
587 * @return A bigint representing this data.
588 */
590 {
597 {
601 {
603 offset ++;
604 }
605 }
608 }
610 #ifdef CONFIG_SSL_FULL_MODE
611 /**
612 * @brief The testharness uses this code to import text hex-streams and
613 * convert them into bigints.
614 * @param ctx [in] The bigint session context.
615 * @param data [in] A string consisting of hex characters. The characters must
616 * be in upper case.
617 * @return A bigint representing this data.
618 */
620 {
627 {
632 {
634 offset ++;
635 }
636 }
639 }
642 {
646 {
649 }
653 {
655 {
659 }
660 }
663 }
664 #endif
666 /**
667 * @brief Take a bigint and convert it into a byte sequence.
668 *
669 * This is useful after a decrypt operation.
670 * @param ctx [in] The bigint session context.
671 * @param x [in] The bigint to be converted.
672 * @param data [out] The converted data as a byte stream.
673 * @param size [in] The maximum size of the byte stream. Unused bytes will be
674 * zeroed.
675 */
677 {
684 {
686 {
692 {
694 }
695 }
696 }
699 }
701 /**
702 * @brief Pre-calculate some of the expensive steps in reduction.
703 *
704 * This function should only be called once (normally when a session starts).
705 * When the session is over, bi_free_mod() should be called. bi_mod_power()
706 * relies on this function being called.
707 * @param ctx [in] The bigint session context.
708 * @param bim [in] The bigint modulus that will be used.
709 * @param mod_offset [in] There are three moduluii that can be stored - the
710 * standard modulus, and its two primes p and q. This offset refers to which
711 * modulus we are referring to.
712 * @see bi_free_mod(), bi_mod_power().
713 */
715 {
718 #ifdef CONFIG_BIGINT_MONTGOMERY
720 #endif
727 #if defined(CONFIG_BIGINT_MONTGOMERY)
728 /* set montgomery variables */
739 #elif defined (CONFIG_BIGINT_BARRETT)
744 #endif
745 }
747 /**
748 * @brief Used when cleaning various bigints at the end of a session.
749 * @param ctx [in] The bigint session context.
750 * @param mod_offset [in] The offset to use.
751 * @see bi_set_mod().
752 */
754 {
757 #if defined (CONFIG_BIGINT_MONTGOMERY)
762 #elif defined(CONFIG_BIGINT_BARRETT)
765 #endif
768 }
770 /**
771 * Perform a standard multiplication between two bigints.
772 */
774 {
786 /* clear things to start with */
790 do
791 {
797 do
798 {
810 }
812 #ifdef CONFIG_BIGINT_KARATSUBA
813 /*
814 * Karatsuba improves on regular multiplication due to only 3 multiplications
815 * being done instead of 4. The additional additions/subtractions are O(N)
816 * rather than O(N^2) and so for big numbers it saves on a few operations
817 */
819 {
825 {
827 }
828 else
829 {
831 }
839 /* work out the 3 partial products */
841 {
845 }
847 {
858 }
866 }
867 #endif
869 /**
870 * @brief Perform a multiplication operation between two bigints.
871 * @param ctx [in] The bigint session context.
872 * @param bia [in] A bigint.
873 * @param bib [in] Another bigint.
874 * @return The result of the multiplication.
875 */
877 {
881 #ifdef CONFIG_BIGINT_KARATSUBA
883 {
885 }
888 #else
890 #endif
891 }
893 #ifdef CONFIG_BIGINT_SQUARE
894 /*
895 * Perform the actual square operion. It takes into account overflow.
896 */
898 {
904 comp carry;
908 do
909 {
916 {
921 {
923 }
927 {
929 }
934 }
939 {
941 }
946 }
948 /**
949 * @brief Perform a square operation on a bigint.
950 * @param ctx [in] The bigint session context.
951 * @param bia [in] A bigint.
952 * @return The result of the multiplication.
953 */
955 {
958 #ifdef CONFIG_BIGINT_KARATSUBA
960 {
962 }
965 #else
967 #endif
968 }
969 #endif
971 /**
972 * @brief Compare two bigints.
973 * @param bia [in] A bigint.
974 * @param bib [in] Another bigint.
975 * @return -1 if smaller, 1 if larger and 0 if equal.
976 */
978 {
988 else
989 {
993 /* Same number of components. Compare starting from the high end
994 * and working down. */
998 do
999 {
1001 {
1004 }
1006 {
1009 }
1011 }
1014 }
1016 /*
1017 * Allocate and zero more components. Does not consume bi.
1018 */
1020 {
1022 {
1025 }
1028 {
1030 }
1033 }
1035 /*
1036 * Make a new empty bigint. It may just use an old one if one is available.
1037 * Otherwise get one off the heap.
1038 */
1040 {
1043 /* Can we recycle an old bigint? */
1045 {
1051 {
1052 #ifdef CONFIG_SSL_FULL_MODE
1054 #endif
1056 }
1059 }
1060 else
1061 {
1062 /* No free bigints available - create a new one. */
1066 }
1073 }
1075 /*
1076 * Work out the highest '1' bit in an exponent. Used when doing sliding-window
1077 * exponentiation.
1078 */
1080 {
1087 do
1088 {
1090 {
1092 }
1098 }
1100 /*
1101 * Is a particular bit is an exponent 1 or 0? Used when doing sliding-window
1102 * exponentiation.
1103 */
1105 {
1114 {
1116 }
1119 }
1121 #ifdef CONFIG_BIGINT_CHECK_ON
1122 /*
1123 * Perform a sanity check on bi.
1124 */
1126 {
1128 {
1131 }
1134 {
1138 }
1139 }
1140 #endif
1142 /*
1143 * Delete any leading 0's (and allow for 0).
1144 */
1146 {
1150 {
1152 }
1155 }
1157 #if defined(CONFIG_BIGINT_MONTGOMERY)
1158 /**
1159 * @brief Perform a single montgomery reduction.
1160 * @param ctx [in] The bigint session context.
1161 * @param bixy [in] A bigint.
1162 * @return The result of the montgomery reduction.
1163 */
1165 {
1174 {
1176 }
1180 do
1181 {
1189 {
1191 }
1194 }
1196 #elif defined(CONFIG_BIGINT_BARRETT)
1197 /*
1198 * Stomp on the most significant components to give the illusion of a "mod base
1199 * radix" operation
1200 */
1202 {
1206 {
1208 }
1211 }
1213 /*
1214 * Barrett reduction has no need for some parts of the product, so ignore bits
1215 * of the multiply. This routine gives Barrett its big performance
1216 * improvements over Classical/Montgomery reduction methods.
1217 */
1220 {
1223 comp carry;
1235 {
1237 }
1239 {
1241 {
1247 }
1250 }
1252 do
1253 {
1256 long_comp tmp;
1262 {
1266 }
1268 do
1269 {
1271 {
1273 }
1286 }
1288 /**
1289 * @brief Perform a single Barrett reduction.
1290 * @param ctx [in] The bigint session context.
1291 * @param bi [in] A bigint.
1292 * @return The result of the Barrett reduction.
1293 */
1295 {
1304 /* use Classical method instead - Barrett cannot help here */
1306 {
1308 }
1312 /* do outer partial multiply */
1317 /* do inner partial multiply */
1321 /* if (r >= m) r = r - m; */
1323 {
1325 }
1328 }
1331 #ifdef CONFIG_BIGINT_SLIDING_WINDOW
1332 /*
1333 * Work out g1, g3, g5, g7... etc for the sliding-window algorithm
1334 */
1336 {
1341 {
1343 }
1351 {
1354 }
1358 }
1359 #endif
1361 /**
1362 * @brief Perform a modular exponentiation.
1363 *
1364 * This function requires bi_set_mod() to have been called previously. This is
1365 * one of the optimisations used for performance.
1366 * @param ctx [in] The bigint session context.
1367 * @param bi [in] The bigint on which to perform the mod power operation.
1368 * @param biexp [in] The bigint exponent.
1369 * @see bi_set_mod().
1370 */
1372 {
1376 #if defined(CONFIG_BIGINT_MONTGOMERY)
1379 {
1380 /* preconvert */
1385 }
1386 #endif
1391 #ifdef CONFIG_BIGINT_SLIDING_WINDOW
1393 window_size++;
1395 /* work out the slide constants */
1402 #endif
1404 /* if sliding-window is off, then only one bit will be done at a time and
1405 * will reduce to standard left-to-right exponentiation */
1406 do
1407 {
1409 {
1415 else
1416 {
1419 }
1421 /* build up the section of the exponent */
1423 {
1426 part_exp++;
1430 }
1435 }
1437 {
1439 i--;
1440 }
1443 /* cleanup */
1445 {
1448 }
1453 #if defined CONFIG_BIGINT_MONTGOMERY
1457 #endif
1458 }
1460 #ifdef CONFIG_SSL_CERT_VERIFICATION
1461 /**
1462 * @brief Perform a modular exponentiation using a temporary modulus.
1463 *
1464 * We need this function to check the signatures of certificates. The modulus
1465 * of this function is temporary as it's just used for authentication.
1466 * @param ctx [in] The bigint session context.
1467 * @param bi [in] The bigint to perform the exp/mod.
1468 * @param bim [in] The temporary modulus.
1469 * @param biexp [in] The bigint exponent.
1470 * @see bi_set_mod().
1471 */
1473 {
1476 /* Set up a temporary bigint context and transfer what we need between
1477 * them. We need to do this since we want to keep the original modulus
1478 * which is already in this context. This operation is only called when
1479 * doing peer verification, and so is not expensive :-) */
1494 }
1495 #endif
1496 /** @} */