/* * Copyright (c) 2001 Dima Dorfman. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * This is the traditional Berkeley MP library implemented in terms of * the OpenSSL BIGNUM library. It was written to replace libgmp, and * is meant to be as compatible with the latter as feasible. * * There seems to be a lack of documentation for the Berkeley MP * interface. All I could find was libgmp documentation (which didn't * talk about the semantics of the functions) and an old SunOS 4.1 * manual page from 1989. The latter wasn't very detailed, either, * but at least described what the function's arguments were. In * general the interface seems to be archaic, somewhat poorly * designed, and poorly, if at all, documented. It is considered * harmful. * * Miscellaneous notes on this implementation: * * - The SunOS manual page mentioned above indicates that if an error * occurs, the library should "produce messages and core images." * Given that most of the functions don't have return values (and * thus no sane way of alerting the caller to an error), this seems * reasonable. The MPERR and MPERRX macros call warn and warnx, * respectively, then abort(). * * - All the functions which take an argument to be "filled in" * assume that the argument has been initialized by one of the *tom() * routines before being passed to it. I never saw this documented * anywhere, but this seems to be consistent with the way this * library is used. * * - msqrt() is the only routine which had to be implemented which * doesn't have a close counterpart in the OpenSSL BIGNUM library. * It was implemented by hand using Newton's recursive formula. * Doing it this way, although more error-prone, has the positive * sideaffect of testing a lot of other functions; if msqrt() * produces the correct results, most of the other routines will as * well. * * - Internal-use-only routines (i.e., those defined here statically * and not in mp.h) have an underscore prepended to their name (this * is more for aesthetical reasons than technical). All such * routines take an extra argument, 'msg', that denotes what they * should call themselves in an error message. This is so a user * doesn't get an error message from a function they didn't call. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include "mp.h" #define MPERR(s) do { warn s; abort(); } while (0) #define MPERRX(s) do { warnx s; abort(); } while (0) #define BN_ERRCHECK(msg, expr) do { \ if (!(expr)) _bnerr(msg); \ } while (0) static void _bnerr(const char *); static MINT *_dtom(const char *, const char *); static MINT *_itom(const char *, short); static void _madd(const char *, const MINT *, const MINT *, MINT *); static int _mcmpa(const char *, const MINT *, const MINT *); static void _mdiv(const char *, const MINT *, const MINT *, MINT *, MINT *, BN_CTX *); static void _mfree(const char *, MINT *); static void _moveb(const char *, const BIGNUM *, MINT *); static void _movem(const char *, const MINT *, MINT *); static void _msub(const char *, const MINT *, const MINT *, MINT *); static char *_mtod(const char *, const MINT *); static char *_mtox(const char *, const MINT *); static void _mult(const char *, const MINT *, const MINT *, MINT *, BN_CTX *); static void _sdiv(const char *, const MINT *, short, MINT *, short *, BN_CTX *); static MINT *_xtom(const char *, const char *); /* * Report an error from one of the BN_* functions using MPERRX. */ static void _bnerr(const char *msg) { ERR_load_crypto_strings(); MPERRX(("%s: %s", msg, ERR_reason_error_string(ERR_get_error()))); } /* * Convert a decimal string to an MINT. */ static MINT * _dtom(const char *msg, const char *s) { MINT *mp; mp = malloc(sizeof(*mp)); if (mp == NULL) MPERR(("%s", msg)); mp->bn = BN_new(); if (mp->bn == NULL) _bnerr(msg); BN_ERRCHECK(msg, BN_dec2bn(&mp->bn, s)); return (mp); } /* * Compute the greatest common divisor of mp1 and mp2; result goes in rmp. */ void mp_gcd(const MINT *mp1, const MINT *mp2, MINT *rmp) { BIGNUM b; BN_CTX *c; c = BN_CTX_new(); if (c == NULL) _bnerr("gcd"); BN_init(&b); BN_ERRCHECK("gcd", BN_gcd(&b, mp1->bn, mp2->bn, c)); _moveb("gcd", &b, rmp); BN_free(&b); BN_CTX_free(c); } /* * Make an MINT out of a short integer. Return value must be mfree()'d. */ static MINT * _itom(const char *msg, short n) { MINT *mp; char *s; asprintf(&s, "%x", n); if (s == NULL) MPERR(("%s", msg)); mp = _xtom(msg, s); free(s); return (mp); } MINT * mp_itom(short n) { return (_itom("itom", n)); } /* * Compute rmp=mp1+mp2. */ static void _madd(const char *msg, const MINT *mp1, const MINT *mp2, MINT *rmp) { BIGNUM b; BN_init(&b); BN_ERRCHECK(msg, BN_add(&b, mp1->bn, mp2->bn)); _moveb(msg, &b, rmp); BN_free(&b); } void mp_madd(const MINT *mp1, const MINT *mp2, MINT *rmp) { _madd("madd", mp1, mp2, rmp); } /* * Return -1, 0, or 1 if mp1mp2, respectivley. */ int mp_mcmp(const MINT *mp1, const MINT *mp2) { return (BN_cmp(mp1->bn, mp2->bn)); } /* * Same as mcmp but compares absolute values. */ static int _mcmpa(const char *msg __unused, const MINT *mp1, const MINT *mp2) { return (BN_ucmp(mp1->bn, mp2->bn)); } /* * Compute qmp=nmp/dmp and rmp=nmp%dmp. */ static void _mdiv(const char *msg, const MINT *nmp, const MINT *dmp, MINT *qmp, MINT *rmp, BN_CTX *c) { BIGNUM q, r; BN_init(&r); BN_init(&q); BN_ERRCHECK(msg, BN_div(&q, &r, nmp->bn, dmp->bn, c)); _moveb(msg, &q, qmp); _moveb(msg, &r, rmp); BN_free(&q); BN_free(&r); } void mp_mdiv(const MINT *nmp, const MINT *dmp, MINT *qmp, MINT *rmp) { BN_CTX *c; c = BN_CTX_new(); if (c == NULL) _bnerr("mdiv"); _mdiv("mdiv", nmp, dmp, qmp, rmp, c); BN_CTX_free(c); } /* * Free memory associated with an MINT. */ static void _mfree(const char *msg __unused, MINT *mp) { BN_clear(mp->bn); BN_free(mp->bn); free(mp); } void mp_mfree(MINT *mp) { _mfree("mfree", mp); } /* * Read an integer from standard input and stick the result in mp. * The input is treated to be in base 10. This must be the silliest * API in existence; why can't the program read in a string and call * xtom()? (Or if base 10 is desires, perhaps dtom() could be * exported.) */ void mp_min(MINT *mp) { MINT *rmp; char *line, *nline; size_t linelen; line = fgetln(stdin, &linelen); if (line == NULL) MPERR(("min")); nline = malloc(linelen); if (nline == NULL) MPERR(("min")); strncpy(nline, line, linelen); nline[linelen] = '\0'; rmp = _dtom("min", nline); _movem("min", rmp, mp); _mfree("min", rmp); free(nline); } /* * Print the value of mp to standard output in base 10. See blurb * above min() for why this is so useless. */ void mp_mout(const MINT *mp) { char *s; s = _mtod("mout", mp); printf("%s", s); free(s); } /* * Set the value of tmp to the value of smp (i.e., tmp=smp). */ void mp_move(const MINT *smp, MINT *tmp) { _movem("move", smp, tmp); } /* * Internal routine to set the value of tmp to that of sbp. */ static void _moveb(const char *msg, const BIGNUM *sbp, MINT *tmp) { BN_ERRCHECK(msg, BN_copy(tmp->bn, sbp)); } /* * Internal routine to set the value of tmp to that of smp. */ static void _movem(const char *msg, const MINT *smp, MINT *tmp) { BN_ERRCHECK(msg, BN_copy(tmp->bn, smp->bn)); } /* * Compute the square root of nmp and put the result in xmp. The * remainder goes in rmp. Should satisfy: rmp=nmp-(xmp*xmp). * * Note that the OpenSSL BIGNUM library does not have a square root * function, so this had to be implemented by hand using Newton's * recursive formula: * * x = (x + (n / x)) / 2 * * where x is the square root of the positive number n. In the * beginning, x should be a reasonable guess, but the value 1, * although suboptimal, works, too; this is that is used below. */ void mp_msqrt(const MINT *nmp, MINT *xmp, MINT *rmp) { BN_CTX *c; MINT *tolerance; MINT *ox, *x; MINT *z1, *z2, *z3; short i; c = BN_CTX_new(); if (c == NULL) _bnerr("msqrt"); tolerance = _itom("msqrt", 1); x = _itom("msqrt", 1); ox = _itom("msqrt", 0); z1 = _itom("msqrt", 0); z2 = _itom("msqrt", 0); z3 = _itom("msqrt", 0); do { _movem("msqrt", x, ox); _mdiv("msqrt", nmp, x, z1, z2, c); _madd("msqrt", x, z1, z2); _sdiv("msqrt", z2, 2, x, &i, c); _msub("msqrt", ox, x, z3); } while (_mcmpa("msqrt", z3, tolerance) == 1); _movem("msqrt", x, xmp); _mult("msqrt", x, x, z1, c); _msub("msqrt", nmp, z1, z2); _movem("msqrt", z2, rmp); _mfree("msqrt", tolerance); _mfree("msqrt", ox); _mfree("msqrt", x); _mfree("msqrt", z1); _mfree("msqrt", z2); _mfree("msqrt", z3); BN_CTX_free(c); } /* * Compute rmp=mp1-mp2. */ static void _msub(const char *msg, const MINT *mp1, const MINT *mp2, MINT *rmp) { BIGNUM b; BN_init(&b); BN_ERRCHECK(msg, BN_sub(&b, mp1->bn, mp2->bn)); _moveb(msg, &b, rmp); BN_free(&b); } void mp_msub(const MINT *mp1, const MINT *mp2, MINT *rmp) { _msub("msub", mp1, mp2, rmp); } /* * Return a decimal representation of mp. Return value must be * free()'d. */ static char * _mtod(const char *msg, const MINT *mp) { char *s, *s2; s = BN_bn2dec(mp->bn); if (s == NULL) _bnerr(msg); asprintf(&s2, "%s", s); if (s2 == NULL) MPERR(("%s", msg)); OPENSSL_free(s); return (s2); } /* * Return a hexadecimal representation of mp. Return value must be * free()'d. */ static char * _mtox(const char *msg, const MINT *mp) { char *p, *s, *s2; int len; s = BN_bn2hex(mp->bn); if (s == NULL) _bnerr(msg); asprintf(&s2, "%s", s); if (s2 == NULL) MPERR(("%s", msg)); OPENSSL_free(s); /* * This is a kludge for libgmp compatibility. The latter's * implementation of this function returns lower-case letters, * but BN_bn2hex returns upper-case. Some programs (e.g., * newkey(1)) are sensitive to this. Although it's probably * their fault, it's nice to be compatible. */ len = strlen(s2); for (p = s2; p < s2 + len; p++) *p = tolower(*p); return (s2); } char * mp_mtox(const MINT *mp) { return (_mtox("mtox", mp)); } /* * Compute rmp=mp1*mp2. */ static void _mult(const char *msg, const MINT *mp1, const MINT *mp2, MINT *rmp, BN_CTX *c) { BIGNUM b; BN_init(&b); BN_ERRCHECK(msg, BN_mul(&b, mp1->bn, mp2->bn, c)); _moveb(msg, &b, rmp); BN_free(&b); } void mp_mult(const MINT *mp1, const MINT *mp2, MINT *rmp) { BN_CTX *c; c = BN_CTX_new(); if (c == NULL) _bnerr("mult"); _mult("mult", mp1, mp2, rmp, c); BN_CTX_free(c); } /* * Compute rmp=(bmp^emp)mod mmp. (Note that here and above rpow() '^' * means 'raise to power', not 'bitwise XOR'.) */ void mp_pow(const MINT *bmp, const MINT *emp, const MINT *mmp, MINT *rmp) { BIGNUM b; BN_CTX *c; c = BN_CTX_new(); if (c == NULL) _bnerr("pow"); BN_init(&b); BN_ERRCHECK("pow", BN_mod_exp(&b, bmp->bn, emp->bn, mmp->bn, c)); _moveb("pow", &b, rmp); BN_free(&b); BN_CTX_free(c); } /* * Compute rmp=bmp^e. (See note above pow().) */ void mp_rpow(const MINT *bmp, short e, MINT *rmp) { MINT *emp; BIGNUM b; BN_CTX *c; c = BN_CTX_new(); if (c == NULL) _bnerr("rpow"); BN_init(&b); emp = _itom("rpow", e); BN_ERRCHECK("rpow", BN_exp(&b, bmp->bn, emp->bn, c)); _moveb("rpow", &b, rmp); _mfree("rpow", emp); BN_free(&b); BN_CTX_free(c); } /* * Compute qmp=nmp/d and ro=nmp%d. */ static void _sdiv(const char *msg, const MINT *nmp, short d, MINT *qmp, short *ro, BN_CTX *c) { MINT *dmp, *rmp; BIGNUM q, r; char *s; BN_init(&q); BN_init(&r); dmp = _itom(msg, d); rmp = _itom(msg, 0); BN_ERRCHECK(msg, BN_div(&q, &r, nmp->bn, dmp->bn, c)); _moveb(msg, &q, qmp); _moveb(msg, &r, rmp); s = _mtox(msg, rmp); errno = 0; *ro = strtol(s, NULL, 16); if (errno != 0) MPERR(("%s underflow or overflow", msg)); free(s); _mfree(msg, dmp); _mfree(msg, rmp); BN_free(&r); BN_free(&q); } void mp_sdiv(const MINT *nmp, short d, MINT *qmp, short *ro) { BN_CTX *c; c = BN_CTX_new(); if (c == NULL) _bnerr("sdiv"); _sdiv("sdiv", nmp, d, qmp, ro, c); BN_CTX_free(c); } /* * Convert a hexadecimal string to an MINT. */ static MINT * _xtom(const char *msg, const char *s) { MINT *mp; mp = malloc(sizeof(*mp)); if (mp == NULL) MPERR(("%s", msg)); mp->bn = BN_new(); if (mp->bn == NULL) _bnerr(msg); BN_ERRCHECK(msg, BN_hex2bn(&mp->bn, s)); return (mp); } MINT * mp_xtom(const char *s) { return (_xtom("xtom", s)); }