2 * Bignum routines for RSA and DH and stuff.
11 unsigned short bnZero[1] = { 0 };
12 unsigned short bnOne[2] = { 1, 1 };
14 Bignum Zero = bnZero, One = bnOne;
16 Bignum newbn(int length) {
17 Bignum b = malloc((length+1)*sizeof(unsigned short));
20 memset(b, 0, (length+1)*sizeof(*b));
25 Bignum copybn(Bignum orig) {
26 Bignum b = malloc((orig[0]+1)*sizeof(unsigned short));
29 memcpy(b, orig, (orig[0]+1)*sizeof(*b));
33 void freebn(Bignum b) {
35 * Burn the evidence, just in case.
37 memset(b, 0, sizeof(b[0]) * (b[0] + 1));
43 * Input is in the first len words of a and b.
44 * Result is returned in the first 2*len words of c.
46 static void internal_mul(unsigned short *a, unsigned short *b,
47 unsigned short *c, int len)
52 for (j = 0; j < 2*len; j++)
55 for (i = len - 1; i >= 0; i--) {
58 for (j = len - 1; j >= 0; j--) {
59 t += ai * (unsigned long) b[j];
60 t += (unsigned long) c[i+j+1];
61 c[i+j+1] = (unsigned short)t;
64 c[i] = (unsigned short)t;
68 static void internal_add_shifted(unsigned short *number,
69 unsigned n, int shift) {
70 int word = 1 + (shift / 16);
71 int bshift = shift % 16;
77 addend += number[word];
78 number[word] = (unsigned short) addend & 0xFFFF;
86 * Input in first alen words of a and first mlen words of m.
87 * Output in first alen words of a
88 * (of which first alen-mlen words will be zero).
89 * The MSW of m MUST have its high bit set.
90 * Quotient is accumulated in the `quotient' array, which is a Bignum
91 * rather than the internal bigendian format. Quotient parts are shifted
92 * left by `qshift' before adding into quot.
94 static void internal_mod(unsigned short *a, int alen,
95 unsigned short *m, int mlen,
96 unsigned short *quot, int qshift)
98 unsigned short m0, m1;
108 for (i = 0; i <= alen-mlen; i++) {
110 unsigned int q, r, c, ai1;
124 /* Find q = h:a[i] / m0 */
125 t = ((unsigned long) h << 16) + a[i];
129 /* Refine our estimate of q by looking at
130 h:a[i]:a[i+1] / m0:m1 */
131 t = (long) m1 * (long) q;
132 if (t > ((unsigned long) r << 16) + ai1) {
135 r = (r + m0) & 0xffff; /* overflow? */
136 if (r >= (unsigned long)m0 &&
137 t > ((unsigned long) r << 16) + ai1)
141 /* Subtract q * m from a[i...] */
143 for (k = mlen - 1; k >= 0; k--) {
144 t = (long) q * (long) m[k];
147 if ((unsigned short) t > a[i+k]) c++;
148 a[i+k] -= (unsigned short) t;
151 /* Add back m in case of borrow */
154 for (k = mlen - 1; k >= 0; k--) {
157 a[i+k] = (unsigned short)t;
163 internal_add_shifted(quot, q, qshift + 16 * (alen-mlen-i));
168 * Compute (base ^ exp) % mod.
169 * The base MUST be smaller than the modulus.
170 * The most significant word of mod MUST be non-zero.
171 * We assume that the result array is the same size as the mod array.
173 void modpow(Bignum base, Bignum exp, Bignum mod, Bignum result)
175 unsigned short *a, *b, *n, *m;
179 /* Allocate m of size mlen, copy mod to m */
180 /* We use big endian internally */
182 m = malloc(mlen * sizeof(unsigned short));
183 for (j = 0; j < mlen; j++) m[j] = mod[mod[0] - j];
185 /* Shift m left to make msb bit set */
186 for (mshift = 0; mshift < 15; mshift++)
187 if ((m[0] << mshift) & 0x8000) break;
189 for (i = 0; i < mlen - 1; i++)
190 m[i] = (m[i] << mshift) | (m[i+1] >> (16-mshift));
191 m[mlen-1] = m[mlen-1] << mshift;
194 /* Allocate n of size mlen, copy base to n */
195 n = malloc(mlen * sizeof(unsigned short));
197 for (j = 0; j < i; j++) n[j] = 0;
198 for (j = 0; j < base[0]; j++) n[i+j] = base[base[0] - j];
200 /* Allocate a and b of size 2*mlen. Set a = 1 */
201 a = malloc(2 * mlen * sizeof(unsigned short));
202 b = malloc(2 * mlen * sizeof(unsigned short));
203 for (i = 0; i < 2*mlen; i++) a[i] = 0;
206 /* Skip leading zero bits of exp. */
208 while (i < exp[0] && (exp[exp[0] - i] & (1 << j)) == 0) {
210 if (j < 0) { i++; j = 15; }
213 /* Main computation */
216 internal_mul(a + mlen, a + mlen, b, mlen);
217 internal_mod(b, mlen*2, m, mlen, NULL, 0);
218 if ((exp[exp[0] - i] & (1 << j)) != 0) {
219 internal_mul(b + mlen, n, a, mlen);
220 internal_mod(a, mlen*2, m, mlen, NULL, 0);
230 /* Fixup result in case the modulus was shifted */
232 for (i = mlen - 1; i < 2*mlen - 1; i++)
233 a[i] = (a[i] << mshift) | (a[i+1] >> (16-mshift));
234 a[2*mlen-1] = a[2*mlen-1] << mshift;
235 internal_mod(a, mlen*2, m, mlen, NULL, 0);
236 for (i = 2*mlen - 1; i >= mlen; i--)
237 a[i] = (a[i] >> mshift) | (a[i-1] << (16-mshift));
240 /* Copy result to buffer */
241 for (i = 0; i < mlen; i++)
242 result[result[0] - i] = a[i+mlen];
244 /* Free temporary arrays */
245 for (i = 0; i < 2*mlen; i++) a[i] = 0; free(a);
246 for (i = 0; i < 2*mlen; i++) b[i] = 0; free(b);
247 for (i = 0; i < mlen; i++) m[i] = 0; free(m);
248 for (i = 0; i < mlen; i++) n[i] = 0; free(n);
252 * Compute (p * q) % mod.
253 * The most significant word of mod MUST be non-zero.
254 * We assume that the result array is the same size as the mod array.
256 void modmul(Bignum p, Bignum q, Bignum mod, Bignum result)
258 unsigned short *a, *n, *m, *o;
260 int pqlen, mlen, i, j;
262 /* Allocate m of size mlen, copy mod to m */
263 /* We use big endian internally */
265 m = malloc(mlen * sizeof(unsigned short));
266 for (j = 0; j < mlen; j++) m[j] = mod[mod[0] - j];
268 /* Shift m left to make msb bit set */
269 for (mshift = 0; mshift < 15; mshift++)
270 if ((m[0] << mshift) & 0x8000) break;
272 for (i = 0; i < mlen - 1; i++)
273 m[i] = (m[i] << mshift) | (m[i+1] >> (16-mshift));
274 m[mlen-1] = m[mlen-1] << mshift;
277 pqlen = (p[0] > q[0] ? p[0] : q[0]);
279 /* Allocate n of size pqlen, copy p to n */
280 n = malloc(pqlen * sizeof(unsigned short));
282 for (j = 0; j < i; j++) n[j] = 0;
283 for (j = 0; j < p[0]; j++) n[i+j] = p[p[0] - j];
285 /* Allocate o of size pqlen, copy q to o */
286 o = malloc(pqlen * sizeof(unsigned short));
288 for (j = 0; j < i; j++) o[j] = 0;
289 for (j = 0; j < q[0]; j++) o[i+j] = q[q[0] - j];
291 /* Allocate a of size 2*pqlen for result */
292 a = malloc(2 * pqlen * sizeof(unsigned short));
294 /* Main computation */
295 internal_mul(n, o, a, pqlen);
296 internal_mod(a, pqlen*2, m, mlen, NULL, 0);
298 /* Fixup result in case the modulus was shifted */
300 for (i = 2*pqlen - mlen - 1; i < 2*pqlen - 1; i++)
301 a[i] = (a[i] << mshift) | (a[i+1] >> (16-mshift));
302 a[2*pqlen-1] = a[2*pqlen-1] << mshift;
303 internal_mod(a, pqlen*2, m, mlen, NULL, 0);
304 for (i = 2*pqlen - 1; i >= 2*pqlen - mlen; i--)
305 a[i] = (a[i] >> mshift) | (a[i-1] << (16-mshift));
308 /* Copy result to buffer */
309 for (i = 0; i < mlen; i++)
310 result[result[0] - i] = a[i+2*pqlen-mlen];
312 /* Free temporary arrays */
313 for (i = 0; i < 2*pqlen; i++) a[i] = 0; free(a);
314 for (i = 0; i < mlen; i++) m[i] = 0; free(m);
315 for (i = 0; i < pqlen; i++) n[i] = 0; free(n);
316 for (i = 0; i < pqlen; i++) o[i] = 0; free(o);
321 * The most significant word of mod MUST be non-zero.
322 * We assume that the result array is the same size as the mod array.
323 * We optionally write out a quotient.
325 void bigmod(Bignum p, Bignum mod, Bignum result, Bignum quotient)
327 unsigned short *n, *m;
329 int plen, mlen, i, j;
331 /* Allocate m of size mlen, copy mod to m */
332 /* We use big endian internally */
334 m = malloc(mlen * sizeof(unsigned short));
335 for (j = 0; j < mlen; j++) m[j] = mod[mod[0] - j];
337 /* Shift m left to make msb bit set */
338 for (mshift = 0; mshift < 15; mshift++)
339 if ((m[0] << mshift) & 0x8000) break;
341 for (i = 0; i < mlen - 1; i++)
342 m[i] = (m[i] << mshift) | (m[i+1] >> (16-mshift));
343 m[mlen-1] = m[mlen-1] << mshift;
347 /* Ensure plen > mlen */
348 if (plen <= mlen) plen = mlen+1;
350 /* Allocate n of size plen, copy p to n */
351 n = malloc(plen * sizeof(unsigned short));
352 for (j = 0; j < plen; j++) n[j] = 0;
353 for (j = 1; j <= p[0]; j++) n[plen-j] = p[j];
355 /* Main computation */
356 internal_mod(n, plen, m, mlen, quotient, mshift);
358 /* Fixup result in case the modulus was shifted */
360 for (i = plen - mlen - 1; i < plen - 1; i++)
361 n[i] = (n[i] << mshift) | (n[i+1] >> (16-mshift));
362 n[plen-1] = n[plen-1] << mshift;
363 internal_mod(n, plen, m, mlen, quotient, 0);
364 for (i = plen - 1; i >= plen - mlen; i--)
365 n[i] = (n[i] >> mshift) | (n[i-1] << (16-mshift));
368 /* Copy result to buffer */
369 for (i = 1; i <= result[0]; i++) {
371 result[i] = j>=0 ? n[j] : 0;
374 /* Free temporary arrays */
375 for (i = 0; i < mlen; i++) m[i] = 0; free(m);
376 for (i = 0; i < plen; i++) n[i] = 0; free(n);
380 * Decrement a number.
382 void decbn(Bignum bn) {
384 while (i < bn[0] && bn[i] == 0)
390 * Read an ssh1-format bignum from a data buffer. Return the number
393 int ssh1_read_bignum(unsigned char *data, Bignum *result) {
394 unsigned char *p = data;
403 b = (w+7)/8; /* bits -> bytes */
404 w = (w+15)/16; /* bits -> words */
406 if (!result) /* just return length */
414 unsigned char byte = *p++;
416 bn[1+i/2] |= byte<<8;
427 * Return the bit count of a bignum, for ssh1 encoding.
429 int ssh1_bignum_bitcount(Bignum bn) {
430 int bitcount = bn[0] * 16 - 1;
432 while (bitcount >= 0 && (bn[bitcount/16+1] >> (bitcount % 16)) == 0)
438 * Return the byte length of a bignum when ssh1 encoded.
440 int ssh1_bignum_length(Bignum bn) {
441 return 2 + (ssh1_bignum_bitcount(bn)+7)/8;
445 * Return a byte from a bignum; 0 is least significant, etc.
447 int bignum_byte(Bignum bn, int i) {
449 return 0; /* beyond the end */
451 return (bn[i/2+1] >> 8) & 0xFF;
453 return (bn[i/2+1] ) & 0xFF;
457 * Return a bit from a bignum; 0 is least significant, etc.
459 int bignum_bit(Bignum bn, int i) {
461 return 0; /* beyond the end */
463 return (bn[i/16+1] >> (i%16)) & 1;
467 * Set a bit in a bignum; 0 is least significant, etc.
469 void bignum_set_bit(Bignum bn, int bitnum, int value) {
470 if (bitnum >= 16*bn[0])
471 abort(); /* beyond the end */
474 int mask = 1 << (bitnum%16);
483 * Write a ssh1-format bignum into a buffer. It is assumed the
484 * buffer is big enough. Returns the number of bytes used.
486 int ssh1_write_bignum(void *data, Bignum bn) {
487 unsigned char *p = data;
488 int len = ssh1_bignum_length(bn);
490 int bitc = ssh1_bignum_bitcount(bn);
492 *p++ = (bitc >> 8) & 0xFF;
493 *p++ = (bitc ) & 0xFF;
494 for (i = len-2; i-- ;)
495 *p++ = bignum_byte(bn, i);
500 * Compare two bignums. Returns like strcmp.
502 int bignum_cmp(Bignum a, Bignum b) {
503 int amax = a[0], bmax = b[0];
504 int i = (amax > bmax ? amax : bmax);
506 unsigned short aval = (i > amax ? 0 : a[i]);
507 unsigned short bval = (i > bmax ? 0 : b[i]);
508 if (aval < bval) return -1;
509 if (aval > bval) return +1;
516 * Right-shift one bignum to form another.
518 Bignum bignum_rshift(Bignum a, int shift) {
520 int i, shiftw, shiftb, shiftbb, bits;
521 unsigned short ai, ai1;
523 bits = ssh1_bignum_bitcount(a) - shift;
524 ret = newbn((bits+15)/16);
529 shiftbb = 16 - shiftb;
532 for (i = 1; i <= ret[0]; i++) {
534 ai1 = (i+shiftw+1 <= a[0] ? a[i+shiftw+1] : 0);
535 ret[i] = ((ai >> shiftb) | (ai1 << shiftbb)) & 0xFFFF;
543 * Non-modular multiplication and addition.
545 Bignum bigmuladd(Bignum a, Bignum b, Bignum addend) {
546 int alen = a[0], blen = b[0];
547 int mlen = (alen > blen ? alen : blen);
548 int rlen, i, maxspot;
549 unsigned short *workspace;
552 /* mlen space for a, mlen space for b, 2*mlen for result */
553 workspace = malloc(mlen * 4 * sizeof(unsigned short));
554 for (i = 0; i < mlen; i++) {
555 workspace[0*mlen + i] = (mlen-i <= a[0] ? a[mlen-i] : 0);
556 workspace[1*mlen + i] = (mlen-i <= b[0] ? b[mlen-i] : 0);
559 internal_mul(workspace+0*mlen, workspace+1*mlen, workspace+2*mlen, mlen);
561 /* now just copy the result back */
562 rlen = alen + blen + 1;
563 if (addend && rlen <= addend[0])
564 rlen = addend[0] + 1;
567 for (i = 1; i <= ret[0]; i++) {
568 ret[i] = (i <= 2*mlen ? workspace[4*mlen - i] : 0);
574 /* now add in the addend, if any */
576 unsigned long carry = 0;
577 for (i = 1; i <= rlen; i++) {
578 carry += (i <= ret[0] ? ret[i] : 0);
579 carry += (i <= addend[0] ? addend[i] : 0);
580 ret[i] = (unsigned short) carry & 0xFFFF;
582 if (ret[i] != 0 && i > maxspot)
592 * Non-modular multiplication.
594 Bignum bigmul(Bignum a, Bignum b) {
595 return bigmuladd(a, b, NULL);
599 * Convert a (max 16-bit) short into a bignum.
601 Bignum bignum_from_short(unsigned short n) {
606 ret[2] = (n >> 16) & 0xFFFF;
607 ret[0] = (ret[2] ? 2 : 1);
612 * Add a long to a bignum.
614 Bignum bignum_add_long(Bignum number, unsigned long addend) {
615 Bignum ret = newbn(number[0]+1);
617 unsigned long carry = 0;
619 for (i = 1; i <= ret[0]; i++) {
620 carry += addend & 0xFFFF;
621 carry += (i <= number[0] ? number[i] : 0);
623 ret[i] = (unsigned short) carry & 0xFFFF;
633 * Compute the residue of a bignum, modulo a (max 16-bit) short.
635 unsigned short bignum_mod_short(Bignum number, unsigned short modulus) {
636 unsigned long mod, r;
641 for (i = number[0]; i > 0; i--)
642 r = (r * 65536 + number[i]) % mod;
643 return (unsigned short) r;
646 static void diagbn(char *prefix, Bignum md) {
647 int i, nibbles, morenibbles;
648 static const char hex[] = "0123456789ABCDEF";
650 printf("%s0x", prefix ? prefix : "");
652 nibbles = (3 + ssh1_bignum_bitcount(md))/4; if (nibbles<1) nibbles=1;
653 morenibbles = 4*md[0] - nibbles;
654 for (i=0; i<morenibbles; i++) putchar('-');
655 for (i=nibbles; i-- ;)
656 putchar(hex[(bignum_byte(md, i/2) >> (4*(i%2))) & 0xF]);
658 if (prefix) putchar('\n');
662 * Greatest common divisor.
664 Bignum biggcd(Bignum av, Bignum bv) {
665 Bignum a = copybn(av);
666 Bignum b = copybn(bv);
670 while (bignum_cmp(b, Zero) != 0) {
671 Bignum t = newbn(b[0]);
672 bigmod(a, b, t, NULL);
674 while (t[0] > 1 && t[t[0]] == 0) t[0]--;
685 * Modular inverse, using Euclid's extended algorithm.
687 Bignum modinv(Bignum number, Bignum modulus) {
688 Bignum a = copybn(modulus);
689 Bignum b = copybn(number);
690 Bignum xp = copybn(Zero);
691 Bignum x = copybn(One);
694 while (bignum_cmp(b, One) != 0) {
695 Bignum t = newbn(b[0]);
696 Bignum q = newbn(a[0]);
698 while (t[0] > 1 && t[t[0]] == 0) t[0]--;
704 x = bigmuladd(q, xp, t);
713 /* now we know that sign * x == 1, and that x < modulus */
715 /* set a new x to be modulus - x */
716 Bignum newx = newbn(modulus[0]);
717 unsigned short carry = 0;
721 for (i = 1; i <= newx[0]; i++) {
722 unsigned short aword = (i <= modulus[0] ? modulus[i] : 0);
723 unsigned short bword = (i <= x[0] ? x[i] : 0);
724 newx[i] = aword - bword - carry;
726 carry = carry ? (newx[i] >= bword) : (newx[i] > bword);
740 * Render a bignum into decimal. Return a malloced string holding
741 * the decimal representation.
743 char *bignum_decimal(Bignum x) {
748 unsigned short *workspace;
751 * First, estimate the number of digits. Since log(10)/log(2)
752 * is just greater than 93/28 (the joys of continued fraction
753 * approximations...) we know that for every 93 bits, we need
754 * at most 28 digits. This will tell us how much to malloc.
756 * Formally: if x has i bits, that means x is strictly less
757 * than 2^i. Since 2 is less than 10^(28/93), this is less than
758 * 10^(28i/93). We need an integer power of ten, so we must
759 * round up (rounding down might make it less than x again).
760 * Therefore if we multiply the bit count by 28/93, rounding
761 * up, we will have enough digits.
763 i = ssh1_bignum_bitcount(x);
764 ndigits = (28*i + 92)/93; /* multiply by 28/93 and round up */
765 ndigits++; /* allow for trailing \0 */
766 ret = malloc(ndigits);
769 * Now allocate some workspace to hold the binary form as we
770 * repeatedly divide it by ten. Initialise this to the
771 * big-endian form of the number.
773 workspace = malloc(sizeof(unsigned short) * x[0]);
774 for (i = 0; i < x[0]; i++)
775 workspace[i] = x[x[0] - i];
778 * Next, write the decimal number starting with the last digit.
779 * We use ordinary short division, dividing 10 into the
787 for (i = 0; i < x[0]; i++) {
788 carry = (carry << 16) + workspace[i];
789 workspace[i] = (unsigned short) (carry / 10);
794 ret[--ndigit] = (char)(carry + '0');
798 * There's a chance we've fallen short of the start of the
799 * string. Correct if so.
802 memmove(ret, ret+ndigit, ndigits-ndigit);
projects / PuTTY.git / blob