2 * Bignum routines for RSA and DH and stuff.
9 #define BIGNUM_INTERNAL
10 typedef unsigned short *Bignum;
14 unsigned short bnZero[1] = { 0 };
15 unsigned short bnOne[2] = { 1, 1 };
18 * The Bignum format is an array of `unsigned short'. The first
19 * element of the array counts the remaining elements. The
20 * remaining elements express the actual number, base 2^16, _least_
21 * significant digit first. (So it's trivial to extract the bit
22 * with value 2^n for any n.)
24 * All Bignums in this module are positive. Negative numbers must
25 * be dealt with outside it.
27 * INVARIANT: the most significant word of any Bignum must be
31 Bignum Zero = bnZero, One = bnOne;
33 static Bignum newbn(int length) {
34 Bignum b = smalloc((length+1)*sizeof(unsigned short));
37 memset(b, 0, (length+1)*sizeof(*b));
42 void bn_restore_invariant(Bignum b) {
43 while (b[0] > 1 && b[b[0]] == 0) b[0]--;
46 Bignum copybn(Bignum orig) {
47 Bignum b = smalloc((orig[0]+1)*sizeof(unsigned short));
50 memcpy(b, orig, (orig[0]+1)*sizeof(*b));
54 void freebn(Bignum b) {
56 * Burn the evidence, just in case.
58 memset(b, 0, sizeof(b[0]) * (b[0] + 1));
62 Bignum bn_power_2(int n) {
63 Bignum ret = newbn((n+15)/16);
64 bignum_set_bit(ret, n, 1);
70 * Input is in the first len words of a and b.
71 * Result is returned in the first 2*len words of c.
73 static void internal_mul(unsigned short *a, unsigned short *b,
74 unsigned short *c, int len)
79 for (j = 0; j < 2*len; j++)
82 for (i = len - 1; i >= 0; i--) {
85 for (j = len - 1; j >= 0; j--) {
86 t += ai * (unsigned long) b[j];
87 t += (unsigned long) c[i+j+1];
88 c[i+j+1] = (unsigned short)t;
91 c[i] = (unsigned short)t;
95 static void internal_add_shifted(unsigned short *number,
96 unsigned n, int shift) {
97 int word = 1 + (shift / 16);
98 int bshift = shift % 16;
101 addend = n << bshift;
104 addend += number[word];
105 number[word] = (unsigned short) addend & 0xFFFF;
113 * Input in first alen words of a and first mlen words of m.
114 * Output in first alen words of a
115 * (of which first alen-mlen words will be zero).
116 * The MSW of m MUST have its high bit set.
117 * Quotient is accumulated in the `quotient' array, which is a Bignum
118 * rather than the internal bigendian format. Quotient parts are shifted
119 * left by `qshift' before adding into quot.
121 static void internal_mod(unsigned short *a, int alen,
122 unsigned short *m, int mlen,
123 unsigned short *quot, int qshift)
125 unsigned short m0, m1;
135 for (i = 0; i <= alen-mlen; i++) {
137 unsigned int q, r, c, ai1;
151 /* Find q = h:a[i] / m0 */
152 t = ((unsigned long) h << 16) + a[i];
156 /* Refine our estimate of q by looking at
157 h:a[i]:a[i+1] / m0:m1 */
158 t = (long) m1 * (long) q;
159 if (t > ((unsigned long) r << 16) + ai1) {
162 r = (r + m0) & 0xffff; /* overflow? */
163 if (r >= (unsigned long)m0 &&
164 t > ((unsigned long) r << 16) + ai1)
168 /* Subtract q * m from a[i...] */
170 for (k = mlen - 1; k >= 0; k--) {
171 t = (long) q * (long) m[k];
174 if ((unsigned short) t > a[i+k]) c++;
175 a[i+k] -= (unsigned short) t;
178 /* Add back m in case of borrow */
181 for (k = mlen - 1; k >= 0; k--) {
184 a[i+k] = (unsigned short)t;
190 internal_add_shifted(quot, q, qshift + 16 * (alen-mlen-i));
195 * Compute (base ^ exp) % mod.
196 * The base MUST be smaller than the modulus.
197 * The most significant word of mod MUST be non-zero.
198 * We assume that the result array is the same size as the mod array.
200 Bignum modpow(Bignum base, Bignum exp, Bignum mod)
202 unsigned short *a, *b, *n, *m;
207 /* Allocate m of size mlen, copy mod to m */
208 /* We use big endian internally */
210 m = smalloc(mlen * sizeof(unsigned short));
211 for (j = 0; j < mlen; j++) m[j] = mod[mod[0] - j];
213 /* Shift m left to make msb bit set */
214 for (mshift = 0; mshift < 15; mshift++)
215 if ((m[0] << mshift) & 0x8000) break;
217 for (i = 0; i < mlen - 1; i++)
218 m[i] = (m[i] << mshift) | (m[i+1] >> (16-mshift));
219 m[mlen-1] = m[mlen-1] << mshift;
222 /* Allocate n of size mlen, copy base to n */
223 n = smalloc(mlen * sizeof(unsigned short));
225 for (j = 0; j < i; j++) n[j] = 0;
226 for (j = 0; j < base[0]; j++) n[i+j] = base[base[0] - j];
228 /* Allocate a and b of size 2*mlen. Set a = 1 */
229 a = smalloc(2 * mlen * sizeof(unsigned short));
230 b = smalloc(2 * mlen * sizeof(unsigned short));
231 for (i = 0; i < 2*mlen; i++) a[i] = 0;
234 /* Skip leading zero bits of exp. */
236 while (i < exp[0] && (exp[exp[0] - i] & (1 << j)) == 0) {
238 if (j < 0) { i++; j = 15; }
241 /* Main computation */
244 internal_mul(a + mlen, a + mlen, b, mlen);
245 internal_mod(b, mlen*2, m, mlen, NULL, 0);
246 if ((exp[exp[0] - i] & (1 << j)) != 0) {
247 internal_mul(b + mlen, n, a, mlen);
248 internal_mod(a, mlen*2, m, mlen, NULL, 0);
258 /* Fixup result in case the modulus was shifted */
260 for (i = mlen - 1; i < 2*mlen - 1; i++)
261 a[i] = (a[i] << mshift) | (a[i+1] >> (16-mshift));
262 a[2*mlen-1] = a[2*mlen-1] << mshift;
263 internal_mod(a, mlen*2, m, mlen, NULL, 0);
264 for (i = 2*mlen - 1; i >= mlen; i--)
265 a[i] = (a[i] >> mshift) | (a[i-1] << (16-mshift));
268 /* Copy result to buffer */
269 result = newbn(mod[0]);
270 for (i = 0; i < mlen; i++)
271 result[result[0] - i] = a[i+mlen];
272 while (result[0] > 1 && result[result[0]] == 0) result[0]--;
274 /* Free temporary arrays */
275 for (i = 0; i < 2*mlen; i++) a[i] = 0; sfree(a);
276 for (i = 0; i < 2*mlen; i++) b[i] = 0; sfree(b);
277 for (i = 0; i < mlen; i++) m[i] = 0; sfree(m);
278 for (i = 0; i < mlen; i++) n[i] = 0; sfree(n);
284 * Compute (p * q) % mod.
285 * The most significant word of mod MUST be non-zero.
286 * We assume that the result array is the same size as the mod array.
288 Bignum modmul(Bignum p, Bignum q, Bignum mod)
290 unsigned short *a, *n, *m, *o;
292 int pqlen, mlen, rlen, i, j;
295 /* Allocate m of size mlen, copy mod to m */
296 /* We use big endian internally */
298 m = smalloc(mlen * sizeof(unsigned short));
299 for (j = 0; j < mlen; j++) m[j] = mod[mod[0] - j];
301 /* Shift m left to make msb bit set */
302 for (mshift = 0; mshift < 15; mshift++)
303 if ((m[0] << mshift) & 0x8000) break;
305 for (i = 0; i < mlen - 1; i++)
306 m[i] = (m[i] << mshift) | (m[i+1] >> (16-mshift));
307 m[mlen-1] = m[mlen-1] << mshift;
310 pqlen = (p[0] > q[0] ? p[0] : q[0]);
312 /* Allocate n of size pqlen, copy p to n */
313 n = smalloc(pqlen * sizeof(unsigned short));
315 for (j = 0; j < i; j++) n[j] = 0;
316 for (j = 0; j < p[0]; j++) n[i+j] = p[p[0] - j];
318 /* Allocate o of size pqlen, copy q to o */
319 o = smalloc(pqlen * sizeof(unsigned short));
321 for (j = 0; j < i; j++) o[j] = 0;
322 for (j = 0; j < q[0]; j++) o[i+j] = q[q[0] - j];
324 /* Allocate a of size 2*pqlen for result */
325 a = smalloc(2 * pqlen * sizeof(unsigned short));
327 /* Main computation */
328 internal_mul(n, o, a, pqlen);
329 internal_mod(a, pqlen*2, m, mlen, NULL, 0);
331 /* Fixup result in case the modulus was shifted */
333 for (i = 2*pqlen - mlen - 1; i < 2*pqlen - 1; i++)
334 a[i] = (a[i] << mshift) | (a[i+1] >> (16-mshift));
335 a[2*pqlen-1] = a[2*pqlen-1] << mshift;
336 internal_mod(a, pqlen*2, m, mlen, NULL, 0);
337 for (i = 2*pqlen - 1; i >= 2*pqlen - mlen; i--)
338 a[i] = (a[i] >> mshift) | (a[i-1] << (16-mshift));
341 /* Copy result to buffer */
342 rlen = (mlen < pqlen*2 ? mlen : pqlen*2);
343 result = newbn(rlen);
344 for (i = 0; i < rlen; i++)
345 result[result[0] - i] = a[i+2*pqlen-rlen];
346 while (result[0] > 1 && result[result[0]] == 0) result[0]--;
348 /* Free temporary arrays */
349 for (i = 0; i < 2*pqlen; i++) a[i] = 0; sfree(a);
350 for (i = 0; i < mlen; i++) m[i] = 0; sfree(m);
351 for (i = 0; i < pqlen; i++) n[i] = 0; sfree(n);
352 for (i = 0; i < pqlen; i++) o[i] = 0; sfree(o);
359 * The most significant word of mod MUST be non-zero.
360 * We assume that the result array is the same size as the mod array.
361 * We optionally write out a quotient.
363 void bigmod(Bignum p, Bignum mod, Bignum result, Bignum quotient)
365 unsigned short *n, *m;
367 int plen, mlen, i, j;
369 /* Allocate m of size mlen, copy mod to m */
370 /* We use big endian internally */
372 m = smalloc(mlen * sizeof(unsigned short));
373 for (j = 0; j < mlen; j++) m[j] = mod[mod[0] - j];
375 /* Shift m left to make msb bit set */
376 for (mshift = 0; mshift < 15; mshift++)
377 if ((m[0] << mshift) & 0x8000) break;
379 for (i = 0; i < mlen - 1; i++)
380 m[i] = (m[i] << mshift) | (m[i+1] >> (16-mshift));
381 m[mlen-1] = m[mlen-1] << mshift;
385 /* Ensure plen > mlen */
386 if (plen <= mlen) plen = mlen+1;
388 /* Allocate n of size plen, copy p to n */
389 n = smalloc(plen * sizeof(unsigned short));
390 for (j = 0; j < plen; j++) n[j] = 0;
391 for (j = 1; j <= p[0]; j++) n[plen-j] = p[j];
393 /* Main computation */
394 internal_mod(n, plen, m, mlen, quotient, mshift);
396 /* Fixup result in case the modulus was shifted */
398 for (i = plen - mlen - 1; i < plen - 1; i++)
399 n[i] = (n[i] << mshift) | (n[i+1] >> (16-mshift));
400 n[plen-1] = n[plen-1] << mshift;
401 internal_mod(n, plen, m, mlen, quotient, 0);
402 for (i = plen - 1; i >= plen - mlen; i--)
403 n[i] = (n[i] >> mshift) | (n[i-1] << (16-mshift));
406 /* Copy result to buffer */
407 for (i = 1; i <= result[0]; i++) {
409 result[i] = j>=0 ? n[j] : 0;
412 /* Free temporary arrays */
413 for (i = 0; i < mlen; i++) m[i] = 0; sfree(m);
414 for (i = 0; i < plen; i++) n[i] = 0; sfree(n);
418 * Decrement a number.
420 void decbn(Bignum bn) {
422 while (i < bn[0] && bn[i] == 0)
427 Bignum bignum_from_bytes(unsigned char *data, int nbytes) {
431 w = (nbytes+1)/2; /* bytes -> words */
436 for (i=nbytes; i-- ;) {
437 unsigned char byte = *data++;
439 result[1+i/2] |= byte<<8;
441 result[1+i/2] |= byte;
444 while (result[0] > 1 && result[result[0]] == 0) result[0]--;
449 * Read an ssh1-format bignum from a data buffer. Return the number
452 int ssh1_read_bignum(unsigned char *data, Bignum *result) {
453 unsigned char *p = data;
460 b = (w+7)/8; /* bits -> bytes */
462 if (!result) /* just return length */
465 *result = bignum_from_bytes(p, b);
471 * Return the bit count of a bignum, for ssh1 encoding.
473 int ssh1_bignum_bitcount(Bignum bn) {
474 int bitcount = bn[0] * 16 - 1;
475 while (bitcount >= 0 && (bn[bitcount/16+1] >> (bitcount % 16)) == 0)
481 * Return the byte length of a bignum when ssh1 encoded.
483 int ssh1_bignum_length(Bignum bn) {
484 return 2 + (ssh1_bignum_bitcount(bn)+7)/8;
488 * Return a byte from a bignum; 0 is least significant, etc.
490 int bignum_byte(Bignum bn, int i) {
492 return 0; /* beyond the end */
494 return (bn[i/2+1] >> 8) & 0xFF;
496 return (bn[i/2+1] ) & 0xFF;
500 * Return a bit from a bignum; 0 is least significant, etc.
502 int bignum_bit(Bignum bn, int i) {
504 return 0; /* beyond the end */
506 return (bn[i/16+1] >> (i%16)) & 1;
510 * Set a bit in a bignum; 0 is least significant, etc.
512 void bignum_set_bit(Bignum bn, int bitnum, int value) {
513 if (bitnum >= 16*bn[0])
514 abort(); /* beyond the end */
517 int mask = 1 << (bitnum%16);
526 * Write a ssh1-format bignum into a buffer. It is assumed the
527 * buffer is big enough. Returns the number of bytes used.
529 int ssh1_write_bignum(void *data, Bignum bn) {
530 unsigned char *p = data;
531 int len = ssh1_bignum_length(bn);
533 int bitc = ssh1_bignum_bitcount(bn);
535 *p++ = (bitc >> 8) & 0xFF;
536 *p++ = (bitc ) & 0xFF;
537 for (i = len-2; i-- ;)
538 *p++ = bignum_byte(bn, i);
543 * Compare two bignums. Returns like strcmp.
545 int bignum_cmp(Bignum a, Bignum b) {
546 int amax = a[0], bmax = b[0];
547 int i = (amax > bmax ? amax : bmax);
549 unsigned short aval = (i > amax ? 0 : a[i]);
550 unsigned short bval = (i > bmax ? 0 : b[i]);
551 if (aval < bval) return -1;
552 if (aval > bval) return +1;
559 * Right-shift one bignum to form another.
561 Bignum bignum_rshift(Bignum a, int shift) {
563 int i, shiftw, shiftb, shiftbb, bits;
564 unsigned short ai, ai1;
566 bits = ssh1_bignum_bitcount(a) - shift;
567 ret = newbn((bits+15)/16);
572 shiftbb = 16 - shiftb;
575 for (i = 1; i <= ret[0]; i++) {
577 ai1 = (i+shiftw+1 <= a[0] ? a[i+shiftw+1] : 0);
578 ret[i] = ((ai >> shiftb) | (ai1 << shiftbb)) & 0xFFFF;
586 * Non-modular multiplication and addition.
588 Bignum bigmuladd(Bignum a, Bignum b, Bignum addend) {
589 int alen = a[0], blen = b[0];
590 int mlen = (alen > blen ? alen : blen);
591 int rlen, i, maxspot;
592 unsigned short *workspace;
595 /* mlen space for a, mlen space for b, 2*mlen for result */
596 workspace = smalloc(mlen * 4 * sizeof(unsigned short));
597 for (i = 0; i < mlen; i++) {
598 workspace[0*mlen + i] = (mlen-i <= a[0] ? a[mlen-i] : 0);
599 workspace[1*mlen + i] = (mlen-i <= b[0] ? b[mlen-i] : 0);
602 internal_mul(workspace+0*mlen, workspace+1*mlen, workspace+2*mlen, mlen);
604 /* now just copy the result back */
605 rlen = alen + blen + 1;
606 if (addend && rlen <= addend[0])
607 rlen = addend[0] + 1;
610 for (i = 1; i <= ret[0]; i++) {
611 ret[i] = (i <= 2*mlen ? workspace[4*mlen - i] : 0);
617 /* now add in the addend, if any */
619 unsigned long carry = 0;
620 for (i = 1; i <= rlen; i++) {
621 carry += (i <= ret[0] ? ret[i] : 0);
622 carry += (i <= addend[0] ? addend[i] : 0);
623 ret[i] = (unsigned short) carry & 0xFFFF;
625 if (ret[i] != 0 && i > maxspot)
635 * Non-modular multiplication.
637 Bignum bigmul(Bignum a, Bignum b) {
638 return bigmuladd(a, b, NULL);
642 * Create a bignum which is the bitmask covering another one. That
643 * is, the smallest integer which is >= N and is also one less than
646 Bignum bignum_bitmask(Bignum n) {
647 Bignum ret = copybn(n);
652 while (n[i] == 0 && i > 0)
655 return ret; /* input was zero */
666 * Convert a (max 16-bit) short into a bignum.
668 Bignum bignum_from_short(unsigned short n) {
673 ret[2] = (n >> 16) & 0xFFFF;
674 ret[0] = (ret[2] ? 2 : 1);
679 * Add a long to a bignum.
681 Bignum bignum_add_long(Bignum number, unsigned long addend) {
682 Bignum ret = newbn(number[0]+1);
684 unsigned long carry = 0;
686 for (i = 1; i <= ret[0]; i++) {
687 carry += addend & 0xFFFF;
688 carry += (i <= number[0] ? number[i] : 0);
690 ret[i] = (unsigned short) carry & 0xFFFF;
700 * Compute the residue of a bignum, modulo a (max 16-bit) short.
702 unsigned short bignum_mod_short(Bignum number, unsigned short modulus) {
703 unsigned long mod, r;
708 for (i = number[0]; i > 0; i--)
709 r = (r * 65536 + number[i]) % mod;
710 return (unsigned short) r;
713 void diagbn(char *prefix, Bignum md) {
714 int i, nibbles, morenibbles;
715 static const char hex[] = "0123456789ABCDEF";
717 printf("%s0x", prefix ? prefix : "");
719 nibbles = (3 + ssh1_bignum_bitcount(md))/4; if (nibbles<1) nibbles=1;
720 morenibbles = 4*md[0] - nibbles;
721 for (i=0; i<morenibbles; i++) putchar('-');
722 for (i=nibbles; i-- ;)
723 putchar(hex[(bignum_byte(md, i/2) >> (4*(i%2))) & 0xF]);
725 if (prefix) putchar('\n');
729 * Greatest common divisor.
731 Bignum biggcd(Bignum av, Bignum bv) {
732 Bignum a = copybn(av);
733 Bignum b = copybn(bv);
737 while (bignum_cmp(b, Zero) != 0) {
738 Bignum t = newbn(b[0]);
739 bigmod(a, b, t, NULL);
741 while (t[0] > 1 && t[t[0]] == 0) t[0]--;
752 * Modular inverse, using Euclid's extended algorithm.
754 Bignum modinv(Bignum number, Bignum modulus) {
755 Bignum a = copybn(modulus);
756 Bignum b = copybn(number);
757 Bignum xp = copybn(Zero);
758 Bignum x = copybn(One);
761 while (bignum_cmp(b, One) != 0) {
762 Bignum t = newbn(b[0]);
763 Bignum q = newbn(a[0]);
765 while (t[0] > 1 && t[t[0]] == 0) t[0]--;
771 x = bigmuladd(q, xp, t);
780 /* now we know that sign * x == 1, and that x < modulus */
782 /* set a new x to be modulus - x */
783 Bignum newx = newbn(modulus[0]);
784 unsigned short carry = 0;
788 for (i = 1; i <= newx[0]; i++) {
789 unsigned short aword = (i <= modulus[0] ? modulus[i] : 0);
790 unsigned short bword = (i <= x[0] ? x[i] : 0);
791 newx[i] = aword - bword - carry;
793 carry = carry ? (newx[i] >= bword) : (newx[i] > bword);
807 * Render a bignum into decimal. Return a malloced string holding
808 * the decimal representation.
810 char *bignum_decimal(Bignum x) {
815 unsigned short *workspace;
818 * First, estimate the number of digits. Since log(10)/log(2)
819 * is just greater than 93/28 (the joys of continued fraction
820 * approximations...) we know that for every 93 bits, we need
821 * at most 28 digits. This will tell us how much to malloc.
823 * Formally: if x has i bits, that means x is strictly less
824 * than 2^i. Since 2 is less than 10^(28/93), this is less than
825 * 10^(28i/93). We need an integer power of ten, so we must
826 * round up (rounding down might make it less than x again).
827 * Therefore if we multiply the bit count by 28/93, rounding
828 * up, we will have enough digits.
830 i = ssh1_bignum_bitcount(x);
831 ndigits = (28*i + 92)/93; /* multiply by 28/93 and round up */
832 ndigits++; /* allow for trailing \0 */
833 ret = smalloc(ndigits);
836 * Now allocate some workspace to hold the binary form as we
837 * repeatedly divide it by ten. Initialise this to the
838 * big-endian form of the number.
840 workspace = smalloc(sizeof(unsigned short) * x[0]);
841 for (i = 0; i < x[0]; i++)
842 workspace[i] = x[x[0] - i];
845 * Next, write the decimal number starting with the last digit.
846 * We use ordinary short division, dividing 10 into the
854 for (i = 0; i < x[0]; i++) {
855 carry = (carry << 16) + workspace[i];
856 workspace[i] = (unsigned short) (carry / 10);
861 ret[--ndigit] = (char)(carry + '0');
865 * There's a chance we've fallen short of the start of the
866 * string. Correct if so.
869 memmove(ret, ret+ndigit, ndigits-ndigit);
projects / PuTTY.git / blob