summaryrefslogtreecommitdiff
path: root/external/nettle-3.3/nettle
diff options
context:
space:
mode:
authorIronClawTrem <louie.nutman@gmail.com>2020-02-16 03:40:06 +0000
committerIronClawTrem <louie.nutman@gmail.com>2020-02-16 03:40:06 +0000
commit425decdf7e9284d15aa726e3ae96b9942fb0e3ea (patch)
tree6c0dd7edfefff1be7b9e75fe0b3a0a85fe1595f3 /external/nettle-3.3/nettle
parentccb0b2e4d6674a7a00c9bf491f08fc73b6898c54 (diff)
create tremded branch
Diffstat (limited to 'external/nettle-3.3/nettle')
-rw-r--r--external/nettle-3.3/nettle/bignum-random-prime.c533
-rw-r--r--external/nettle-3.3/nettle/bignum-random.c96
-rw-r--r--external/nettle-3.3/nettle/bignum.c186
-rw-r--r--external/nettle-3.3/nettle/bignum.h140
-rw-r--r--external/nettle-3.3/nettle/buffer-init.c48
-rw-r--r--external/nettle-3.3/nettle/buffer.c142
-rw-r--r--external/nettle-3.3/nettle/buffer.h106
-rw-r--r--external/nettle-3.3/nettle/gmp-glue.c326
-rw-r--r--external/nettle-3.3/nettle/gmp-glue.h164
-rw-r--r--external/nettle-3.3/nettle/macros.h245
-rw-r--r--external/nettle-3.3/nettle/mini-gmp.c4386
-rw-r--r--external/nettle-3.3/nettle/mini-gmp.h294
-rw-r--r--external/nettle-3.3/nettle/nettle-internal.h92
-rw-r--r--external/nettle-3.3/nettle/nettle-meta.h230
-rw-r--r--external/nettle-3.3/nettle/nettle-stdint.h6
-rw-r--r--external/nettle-3.3/nettle/nettle-types.h110
-rw-r--r--external/nettle-3.3/nettle/nettle-write.h58
-rw-r--r--external/nettle-3.3/nettle/pkcs1-rsa-sha256.c120
-rw-r--r--external/nettle-3.3/nettle/pkcs1.c73
-rw-r--r--external/nettle-3.3/nettle/pkcs1.h114
-rw-r--r--external/nettle-3.3/nettle/realloc.c69
-rw-r--r--external/nettle-3.3/nettle/realloc.h48
-rw-r--r--external/nettle-3.3/nettle/rsa-keygen.c212
-rw-r--r--external/nettle-3.3/nettle/rsa-sha256-sign.c77
-rw-r--r--external/nettle-3.3/nettle/rsa-sha256-verify.c79
-rw-r--r--external/nettle-3.3/nettle/rsa-sign.c144
-rw-r--r--external/nettle-3.3/nettle/rsa-verify.c64
-rw-r--r--external/nettle-3.3/nettle/rsa.c86
-rw-r--r--external/nettle-3.3/nettle/rsa.h355
-rw-r--r--external/nettle-3.3/nettle/rsa2sexp.c59
-rw-r--r--external/nettle-3.3/nettle/sexp-format.c348
-rw-r--r--external/nettle-3.3/nettle/sexp.c399
-rw-r--r--external/nettle-3.3/nettle/sexp.h213
-rw-r--r--external/nettle-3.3/nettle/sexp2bignum.c60
-rw-r--r--external/nettle-3.3/nettle/sexp2rsa.c115
-rw-r--r--external/nettle-3.3/nettle/sha2.h206
-rw-r--r--external/nettle-3.3/nettle/sha256-compress.c199
-rw-r--r--external/nettle-3.3/nettle/sha256.c162
-rw-r--r--external/nettle-3.3/nettle/version.h58
-rw-r--r--external/nettle-3.3/nettle/write-be32.c77
40 files changed, 10499 insertions, 0 deletions
diff --git a/external/nettle-3.3/nettle/bignum-random-prime.c b/external/nettle-3.3/nettle/bignum-random-prime.c
new file mode 100644
index 0000000..97d35e4
--- /dev/null
+++ b/external/nettle-3.3/nettle/bignum-random-prime.c
@@ -0,0 +1,533 @@
+/* bignum-random-prime.c
+
+ Generation of random provable primes.
+
+ Copyright (C) 2010, 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef RANDOM_PRIME_VERBOSE
+#define RANDOM_PRIME_VERBOSE 0
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+
+#if RANDOM_PRIME_VERBOSE
+#include <stdio.h>
+#define VERBOSE(x) (fputs((x), stderr))
+#else
+#define VERBOSE(x)
+#endif
+
+#include "bignum.h"
+
+#include "macros.h"
+
+/* Use a table of p_2 = 3 to p_{172} = 1021, used for sieving numbers
+ of up to 20 bits. */
+
+#define NPRIMES 171
+#define TRIAL_DIV_BITS 20
+#define TRIAL_DIV_MASK ((1 << TRIAL_DIV_BITS) - 1)
+
+/* A 20-bit number x is divisible by p iff
+
+ ((x * inverse) & TRIAL_DIV_MASK) <= limit
+*/
+struct trial_div_info {
+ uint32_t inverse; /* p^{-1} (mod 2^20) */
+ uint32_t limit; /* floor( (2^20 - 1) / p) */
+};
+
+static const uint16_t
+primes[NPRIMES] = {
+ 3,5,7,11,13,17,19,23,
+ 29,31,37,41,43,47,53,59,
+ 61,67,71,73,79,83,89,97,
+ 101,103,107,109,113,127,131,137,
+ 139,149,151,157,163,167,173,179,
+ 181,191,193,197,199,211,223,227,
+ 229,233,239,241,251,257,263,269,
+ 271,277,281,283,293,307,311,313,
+ 317,331,337,347,349,353,359,367,
+ 373,379,383,389,397,401,409,419,
+ 421,431,433,439,443,449,457,461,
+ 463,467,479,487,491,499,503,509,
+ 521,523,541,547,557,563,569,571,
+ 577,587,593,599,601,607,613,617,
+ 619,631,641,643,647,653,659,661,
+ 673,677,683,691,701,709,719,727,
+ 733,739,743,751,757,761,769,773,
+ 787,797,809,811,821,823,827,829,
+ 839,853,857,859,863,877,881,883,
+ 887,907,911,919,929,937,941,947,
+ 953,967,971,977,983,991,997,1009,
+ 1013,1019,1021,
+};
+
+static const uint32_t
+prime_square[NPRIMES+1] = {
+ 9,25,49,121,169,289,361,529,
+ 841,961,1369,1681,1849,2209,2809,3481,
+ 3721,4489,5041,5329,6241,6889,7921,9409,
+ 10201,10609,11449,11881,12769,16129,17161,18769,
+ 19321,22201,22801,24649,26569,27889,29929,32041,
+ 32761,36481,37249,38809,39601,44521,49729,51529,
+ 52441,54289,57121,58081,63001,66049,69169,72361,
+ 73441,76729,78961,80089,85849,94249,96721,97969,
+ 100489,109561,113569,120409,121801,124609,128881,134689,
+ 139129,143641,146689,151321,157609,160801,167281,175561,
+ 177241,185761,187489,192721,196249,201601,208849,212521,
+ 214369,218089,229441,237169,241081,249001,253009,259081,
+ 271441,273529,292681,299209,310249,316969,323761,326041,
+ 332929,344569,351649,358801,361201,368449,375769,380689,
+ 383161,398161,410881,413449,418609,426409,434281,436921,
+ 452929,458329,466489,477481,491401,502681,516961,528529,
+ 537289,546121,552049,564001,573049,579121,591361,597529,
+ 619369,635209,654481,657721,674041,677329,683929,687241,
+ 703921,727609,734449,737881,744769,769129,776161,779689,
+ 786769,822649,829921,844561,863041,877969,885481,896809,
+ 908209,935089,942841,954529,966289,982081,994009,1018081,
+ 1026169,1038361,1042441,1L<<20
+};
+
+static const struct trial_div_info
+trial_div_table[NPRIMES] = {
+ {699051,349525},{838861,209715},{748983,149796},{953251,95325},
+ {806597,80659},{61681,61680},{772635,55188},{866215,45590},
+ {180789,36157},{1014751,33825},{793517,28339},{1023001,25575},
+ {48771,24385},{870095,22310},{217629,19784},{710899,17772},
+ {825109,17189},{281707,15650},{502135,14768},{258553,14364},
+ {464559,13273},{934875,12633},{1001449,11781},{172961,10810},
+ {176493,10381},{203607,10180},{568387,9799},{788837,9619},
+ {770193,9279},{1032063,8256},{544299,8004},{619961,7653},
+ {550691,7543},{182973,7037},{229159,6944},{427445,6678},
+ {701195,6432},{370455,6278},{90917,6061},{175739,5857},
+ {585117,5793},{225087,5489},{298817,5433},{228877,5322},
+ {442615,5269},{546651,4969},{244511,4702},{83147,4619},
+ {769261,4578},{841561,4500},{732687,4387},{978961,4350},
+ {133683,4177},{65281,4080},{629943,3986},{374213,3898},
+ {708079,3869},{280125,3785},{641833,3731},{618771,3705},
+ {930477,3578},{778747,3415},{623751,3371},{40201,3350},
+ {122389,3307},{950371,3167},{1042353,3111},{18131,3021},
+ {285429,3004},{549537,2970},{166487,2920},{294287,2857},
+ {919261,2811},{636339,2766},{900735,2737},{118605,2695},
+ {10565,2641},{188273,2614},{115369,2563},{735755,2502},
+ {458285,2490},{914767,2432},{370513,2421},{1027079,2388},
+ {629619,2366},{462401,2335},{649337,2294},{316165,2274},
+ {484655,2264},{65115,2245},{326175,2189},{1016279,2153},
+ {990915,2135},{556859,2101},{462791,2084},{844629,2060},
+ {404537,2012},{457123,2004},{577589,1938},{638347,1916},
+ {892325,1882},{182523,1862},{1002505,1842},{624371,1836},
+ {69057,1817},{210787,1786},{558769,1768},{395623,1750},
+ {992745,1744},{317855,1727},{384877,1710},{372185,1699},
+ {105027,1693},{423751,1661},{408961,1635},{908331,1630},
+ {74551,1620},{36933,1605},{617371,1591},{506045,1586},
+ {24929,1558},{529709,1548},{1042435,1535},{31867,1517},
+ {166037,1495},{928781,1478},{508975,1458},{4327,1442},
+ {779637,1430},{742091,1418},{258263,1411},{879631,1396},
+ {72029,1385},{728905,1377},{589057,1363},{348621,1356},
+ {671515,1332},{710453,1315},{84249,1296},{959363,1292},
+ {685853,1277},{467591,1274},{646643,1267},{683029,1264},
+ {439927,1249},{254461,1229},{660713,1223},{554195,1220},
+ {202911,1215},{753253,1195},{941457,1190},{776635,1187},
+ {509511,1182},{986147,1156},{768879,1151},{699431,1140},
+ {696417,1128},{86169,1119},{808997,1114},{25467,1107},
+ {201353,1100},{708087,1084},{1018339,1079},{341297,1073},
+ {434151,1066},{96287,1058},{950765,1051},{298257,1039},
+ {675933,1035},{167731,1029},{815445,1027},
+};
+
+/* Element j gives the index of the first prime of size 3+j bits */
+static uint8_t
+prime_by_size[9] = {
+ 1,3,5,10,17,30,53,96,171
+};
+
+/* Combined Miller-Rabin test to the base a, and checking the
+ conditions from Pocklington's theorem, nm1dq holds (n-1)/q, with q
+ prime. */
+static int
+miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a)
+{
+ mpz_t r;
+ mpz_t y;
+ int is_prime = 0;
+
+ /* Avoid the mp_bitcnt_t type for compatibility with older GMP
+ versions. */
+ unsigned k;
+ unsigned j;
+
+ VERBOSE(".");
+
+ if (mpz_even_p(n) || mpz_cmp_ui(n, 3) < 0)
+ return 0;
+
+ mpz_init(r);
+ mpz_init(y);
+
+ k = mpz_scan1(nm1, 0);
+ assert(k > 0);
+
+ mpz_fdiv_q_2exp (r, nm1, k);
+
+ mpz_powm(y, a, r, n);
+
+ if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, nm1) == 0)
+ goto passed_miller_rabin;
+
+ for (j = 1; j < k; j++)
+ {
+ mpz_powm_ui (y, y, 2, n);
+
+ if (mpz_cmp_ui (y, 1) == 0)
+ break;
+
+ if (mpz_cmp (y, nm1) == 0)
+ {
+ passed_miller_rabin:
+ /* We know that a^{n-1} = 1 (mod n)
+
+ Remains to check that gcd(a^{(n-1)/q} - 1, n) == 1 */
+ VERBOSE("x");
+
+ mpz_powm(y, a, nm1dq, n);
+ mpz_sub_ui(y, y, 1);
+ mpz_gcd(y, y, n);
+ is_prime = mpz_cmp_ui (y, 1) == 0;
+ VERBOSE(is_prime ? "\n" : "");
+ break;
+ }
+
+ }
+
+ mpz_clear(r);
+ mpz_clear(y);
+
+ return is_prime;
+}
+
+/* The most basic variant of Pocklingtons theorem:
+
+ Assume that q^e | (n-1), with q prime. If we can find an a such that
+
+ a^{n-1} = 1 (mod n)
+ gcd(a^{(n-1)/q} - 1, n) = 1
+
+ then any prime divisor p of n satisfies p = 1 (mod q^e).
+
+ Proof (Cohen, 8.3.2): Assume p is a prime factor of n. The central
+ idea of the proof is to consider the order, modulo p, of a. Denote
+ this by d.
+
+ a^{n-1} = 1 (mod n) implies a^{n-1} = 1 (mod p), hence d | (n-1).
+ Next, the condition gcd(a^{(n-1)/q} - 1, n) = 1 implies that
+ a^{(n-1)/q} != 1, hence d does not divide (n-1)/q. Since q is
+ prime, this means that q^e | d.
+
+ Finally, we have a^{p-1} = 1 (mod p), hence d | (p-1). So q^e | d |
+ (p-1), which gives the desired result: p = 1 (mod q^e).
+
+
+ * Variant, slightly stronger than Fact 4.59, HAC:
+
+ Assume n = 1 + 2rq, q an odd prime, r <= 2q, and
+
+ a^{n-1} = 1 (mod n)
+ gcd(a^{(n-1)/q} - 1, n) = 1
+
+ Then n is prime.
+
+ Proof: By Pocklington's theorem, any prime factor p satisfies p = 1
+ (mod q). Neither 1 or q+1 are primes, hence p >= 1 + 2q. If n is
+ composite, we have n >= (1+2q)^2. But the assumption r <= 2q
+ implies n <= 1 + 4q^2, a contradiction.
+
+ In bits, the requirement is that #n <= 2 #q, then
+
+ r = (n-1)/2q < 2^{#n - #q} <= 2^#q = 2 2^{#q-1}< 2 q
+
+
+ * Another variant with an extra test (Variant of Fact 4.42, HAC):
+
+ Assume n = 1 + 2rq, n odd, q an odd prime, 8 q^3 >= n
+
+ a^{n-1} = 1 (mod n)
+ gcd(a^{(n-1)/q} - 1, n) = 1
+
+ Also let x = floor(r / 2q), y = r mod 2q,
+
+ If y^2 - 4x is not a square, then n is prime.
+
+ Proof (adapted from Maurer, Journal of Cryptology, 8 (1995)):
+
+ Assume n is composite. There are at most two factors, both odd,
+
+ n = (1+2m_1 q)(1+2m_2 q) = 1 + 4 m_1 m_2 q^2 + 2 (m_1 + m_2) q
+
+ where we can assume m_1 >= m_2. Then the bound n <= 8 q^3 implies m_1
+ m_2 < 2q, restricting (m_1, m_2) to the domain 0 < m_2 <
+ sqrt(2q), 0 < m_1 < 2q / m_2.
+
+ We have the bound
+
+ m_1 + m_2 < 2q / m_2 + m_2 <= 2q + 1 (maximum value for m_2 = 1)
+
+ And the case m_1 = 2q, m_2 = 1 can be excluded, because it gives n
+ > 8q^3. So in fact, m_1 + m_2 < 2q.
+
+ Next, write r = (n-1)/2q = 2 m_1 m_2 q + m_1 + m_2.
+
+ If follows that m_1 + m_2 = y and m_1 m_2 = x. m_1 and m_2 are
+ thus the roots of the equation
+
+ m^2 - y m + x = 0
+
+ which has integer roots iff y^2 - 4 x is the square of an integer.
+
+ In bits, the requirement is that #n <= 3 #q, then
+
+ n < 2^#n <= 2^{3 #q} = 8 2^{3 (#q-1)} < 8 q^3
+*/
+
+/* Generate a prime number p of size bits with 2 p0q dividing (p-1).
+ p0 must be of size >= ceil(bits/3). The extra factor q can be
+ omitted (then p0 and p0q should be equal). If top_bits_set is one,
+ the topmost two bits are set to one, suitable for RSA primes. Also
+ returns r = (p-1)/p0q. */
+void
+_nettle_generate_pocklington_prime (mpz_t p, mpz_t r,
+ unsigned bits, int top_bits_set,
+ void *ctx, nettle_random_func *random,
+ const mpz_t p0,
+ const mpz_t q,
+ const mpz_t p0q)
+{
+ mpz_t r_min, r_range, pm1, a, e;
+ int need_square_test;
+ unsigned p0_bits;
+ mpz_t x, y, p04;
+
+ p0_bits = mpz_sizeinbase (p0, 2);
+
+ assert (bits <= 3*p0_bits);
+ assert (bits > p0_bits);
+
+ need_square_test = (bits > 2 * p0_bits);
+
+ mpz_init (r_min);
+ mpz_init (r_range);
+ mpz_init (pm1);
+ mpz_init (a);
+
+ if (need_square_test)
+ {
+ mpz_init (x);
+ mpz_init (y);
+ mpz_init (p04);
+ mpz_mul_2exp (p04, p0, 2);
+ }
+
+ if (q)
+ mpz_init (e);
+
+ if (top_bits_set)
+ {
+ /* i = floor (2^{bits-3} / p0q), then 3I + 3 <= r <= 4I, with I
+ - 2 possible values. */
+ mpz_set_ui (r_min, 1);
+ mpz_mul_2exp (r_min, r_min, bits-3);
+ mpz_fdiv_q (r_min, r_min, p0q);
+ mpz_sub_ui (r_range, r_min, 2);
+ mpz_mul_ui (r_min, r_min, 3);
+ mpz_add_ui (r_min, r_min, 3);
+ }
+ else
+ {
+ /* i = floor (2^{bits-2} / p0q), I + 1 <= r <= 2I */
+ mpz_set_ui (r_range, 1);
+ mpz_mul_2exp (r_range, r_range, bits-2);
+ mpz_fdiv_q (r_range, r_range, p0q);
+ mpz_add_ui (r_min, r_range, 1);
+ }
+
+ for (;;)
+ {
+ uint8_t buf[1];
+
+ nettle_mpz_random (r, ctx, random, r_range);
+ mpz_add (r, r, r_min);
+
+ /* Set p = 2*r*p0q + 1 */
+ mpz_mul_2exp(r, r, 1);
+ mpz_mul (pm1, r, p0q);
+ mpz_add_ui (p, pm1, 1);
+
+ assert(mpz_sizeinbase(p, 2) == bits);
+
+ /* Should use GMP trial division interface when that
+ materializes, we don't need any testing beyond trial
+ division. */
+ if (!mpz_probab_prime_p (p, 1))
+ continue;
+
+ random(ctx, sizeof(buf), buf);
+
+ mpz_set_ui (a, buf[0] + 2);
+
+ if (q)
+ {
+ mpz_mul (e, r, q);
+ if (!miller_rabin_pocklington(p, pm1, e, a))
+ continue;
+
+ if (need_square_test)
+ {
+ /* Our e corresponds to 2r in the theorem */
+ mpz_tdiv_qr (x, y, e, p04);
+ goto square_test;
+ }
+ }
+ else
+ {
+ if (!miller_rabin_pocklington(p, pm1, r, a))
+ continue;
+ if (need_square_test)
+ {
+ mpz_tdiv_qr (x, y, r, p04);
+ square_test:
+ /* We have r' = 2r, x = floor (r/2q) = floor(r'/2q),
+ and y' = r' - x 4q = 2 (r - x 2q) = 2y.
+
+ Then y^2 - 4x is a square iff y'^2 - 16 x is a
+ square. */
+
+ mpz_mul (y, y, y);
+ mpz_submul_ui (y, x, 16);
+ if (mpz_perfect_square_p (y))
+ continue;
+ }
+ }
+
+ /* If we passed all the tests, we have found a prime. */
+ break;
+ }
+ mpz_clear (r_min);
+ mpz_clear (r_range);
+ mpz_clear (pm1);
+ mpz_clear (a);
+
+ if (need_square_test)
+ {
+ mpz_clear (x);
+ mpz_clear (y);
+ mpz_clear (p04);
+ }
+ if (q)
+ mpz_clear (e);
+}
+
+/* Generate random prime of a given size. Maurer's algorithm (Alg.
+ 6.42 Handbook of applied cryptography), but with ratio = 1/2 (like
+ the variant in fips186-3). */
+void
+nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set,
+ void *random_ctx, nettle_random_func *random,
+ void *progress_ctx, nettle_progress_func *progress)
+{
+ assert (bits >= 3);
+ if (bits <= 10)
+ {
+ unsigned first;
+ unsigned choices;
+ uint8_t buf;
+
+ assert (!top_bits_set);
+
+ random (random_ctx, sizeof(buf), &buf);
+
+ first = prime_by_size[bits-3];
+ choices = prime_by_size[bits-2] - first;
+
+ mpz_set_ui (p, primes[first + buf % choices]);
+ }
+ else if (bits <= 20)
+ {
+ unsigned long highbit;
+ uint8_t buf[3];
+ unsigned long x;
+ unsigned j;
+
+ assert (!top_bits_set);
+
+ highbit = 1L << (bits - 1);
+
+ again:
+ random (random_ctx, sizeof(buf), buf);
+ x = READ_UINT24(buf);
+ x &= (highbit - 1);
+ x |= highbit | 1;
+
+ for (j = 0; prime_square[j] <= x; j++)
+ {
+ unsigned q = x * trial_div_table[j].inverse & TRIAL_DIV_MASK;
+ if (q <= trial_div_table[j].limit)
+ goto again;
+ }
+ mpz_set_ui (p, x);
+ }
+ else
+ {
+ mpz_t q, r;
+
+ mpz_init (q);
+ mpz_init (r);
+
+ /* Bit size ceil(k/2) + 1, slightly larger than used in Alg. 4.62
+ in Handbook of Applied Cryptography (which seems to be
+ incorrect for odd k). */
+ nettle_random_prime (q, (bits+3)/2, 0, random_ctx, random,
+ progress_ctx, progress);
+
+ _nettle_generate_pocklington_prime (p, r, bits, top_bits_set,
+ random_ctx, random,
+ q, NULL, q);
+
+ if (progress)
+ progress (progress_ctx, 'x');
+
+ mpz_clear (q);
+ mpz_clear (r);
+ }
+}
diff --git a/external/nettle-3.3/nettle/bignum-random.c b/external/nettle-3.3/nettle/bignum-random.c
new file mode 100644
index 0000000..34a696f
--- /dev/null
+++ b/external/nettle-3.3/nettle/bignum-random.c
@@ -0,0 +1,96 @@
+/* bignum-random.c
+
+ Generating big random numbers
+
+ Copyright (C) 2002, 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdlib.h>
+
+#include "bignum.h"
+#include "gmp-glue.h"
+
+void
+nettle_mpz_random_size(mpz_t x,
+ void *ctx, nettle_random_func *random,
+ unsigned bits)
+{
+ unsigned length = (bits + 7) / 8;
+ TMP_GMP_DECL(data, uint8_t);
+
+ TMP_GMP_ALLOC(data, length);
+
+ random(ctx, length, data);
+ nettle_mpz_set_str_256_u(x, length, data);
+
+ if (bits % 8)
+ mpz_fdiv_r_2exp(x, x, bits);
+
+ TMP_GMP_FREE(data);
+}
+
+/* Returns a random number x, 0 <= x < n */
+void
+nettle_mpz_random(mpz_t x,
+ void *ctx, nettle_random_func *random,
+ const mpz_t n)
+{
+ /* NOTE: This leaves some bias, which may be bad for DSA. A better
+ * way might be to generate a random number of mpz_sizeinbase(n, 2)
+ * bits, and loop until one smaller than n is found. */
+
+ /* From Daniel Bleichenbacher (via coderpunks):
+ *
+ * There is still a theoretical attack possible with 8 extra bits.
+ * But, the attack would need about 2^66 signatures 2^66 memory and
+ * 2^66 time (if I remember that correctly). Compare that to DSA,
+ * where the attack requires 2^22 signatures 2^40 memory and 2^64
+ * time. And of course, the numbers above are not a real threat for
+ * PGP. Using 16 extra bits (i.e. generating a 176 bit random number
+ * and reducing it modulo q) will defeat even this theoretical
+ * attack.
+ *
+ * More generally log_2(q)/8 extra bits are enough to defeat my
+ * attack. NIST also plans to update the standard.
+ */
+
+ /* Add a few bits extra, to decrease the bias from the final modulo
+ * operation. NIST FIPS 186-3 specifies 64 extra bits, for use with
+ * DSA. */
+
+ nettle_mpz_random_size(x,
+ ctx, random,
+ mpz_sizeinbase(n, 2) + 64);
+
+ mpz_fdiv_r(x, x, n);
+}
diff --git a/external/nettle-3.3/nettle/bignum.c b/external/nettle-3.3/nettle/bignum.c
new file mode 100644
index 0000000..b58726f
--- /dev/null
+++ b/external/nettle-3.3/nettle/bignum.c
@@ -0,0 +1,186 @@
+/* bignum.c
+
+ Bignum operations that are missing from gmp.
+
+ Copyright (C) 2001 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <string.h>
+
+#include "bignum.h"
+
+/* Two's complement negation means that -x = ~x + 1, ~x = -(x+1),
+ * and we use that x = ~~x = ~(-x-1).
+ *
+ * Examples:
+ *
+ * x ~x = -x+1 ~~x = x
+ * -1 0 ff
+ * -2 1 fe
+ * -7f 7e 81
+ * -80 7f 80
+ * -81 80 ff7f
+ */
+
+/* Including extra sign bit, if needed. Also one byte for zero. */
+size_t
+nettle_mpz_sizeinbase_256_s(const mpz_t x)
+{
+ if (mpz_sgn(x) >= 0)
+ return 1 + mpz_sizeinbase(x, 2) / 8;
+ else
+ {
+ /* We'll output ~~x, so we need as many bits as for ~x */
+ size_t size;
+ mpz_t c;
+
+ mpz_init(c);
+ mpz_com(c, x); /* Same as c = - x - 1 = |x| + 1 */
+ size = 1 + mpz_sizeinbase(c,2) / 8;
+ mpz_clear(c);
+
+ return size;
+ }
+}
+
+size_t
+nettle_mpz_sizeinbase_256_u(const mpz_t x)
+{
+ return (mpz_sizeinbase(x,2) + 7) / 8;
+}
+
+static void
+nettle_mpz_to_octets(size_t length, uint8_t *s,
+ const mpz_t x, uint8_t sign)
+{
+ uint8_t *dst = s + length - 1;
+ size_t size = mpz_size(x);
+ size_t i;
+
+ for (i = 0; i<size; i++)
+ {
+ mp_limb_t limb = mpz_getlimbn(x, i);
+ size_t j;
+
+ for (j = 0; length && j < sizeof(mp_limb_t); j++)
+ {
+ *dst-- = sign ^ (limb & 0xff);
+ limb >>= 8;
+ length--;
+ }
+ }
+
+ if (length)
+ memset(s, sign, length);
+}
+
+void
+nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x)
+{
+ if (!length)
+ {
+ /* x must be zero */
+ assert(!mpz_sgn(x));
+ return;
+ }
+
+ if (mpz_sgn(x) >= 0)
+ {
+ assert(nettle_mpz_sizeinbase_256_u(x) <= length);
+ nettle_mpz_to_octets(length, s, x, 0);
+ }
+ else
+ {
+ mpz_t c;
+ mpz_init(c);
+ mpz_com(c, x);
+
+ assert(nettle_mpz_sizeinbase_256_u(c) <= length);
+ nettle_mpz_to_octets(length, s, c, 0xff);
+
+ mpz_clear(c);
+ }
+}
+
+/* Converting from strings */
+
+/* mpz_import was introduced in GMP-4.1 */
+#define nettle_mpz_from_octets(x, length, s) \
+ mpz_import((x), (length), 1, 1, 0, 0, (s))
+
+void
+nettle_mpz_set_str_256_u(mpz_t x,
+ size_t length, const uint8_t *s)
+{
+ nettle_mpz_from_octets(x, length, s);
+}
+
+void
+nettle_mpz_init_set_str_256_u(mpz_t x,
+ size_t length, const uint8_t *s)
+{
+ mpz_init(x);
+ nettle_mpz_from_octets(x, length, s);
+}
+
+void
+nettle_mpz_set_str_256_s(mpz_t x,
+ size_t length, const uint8_t *s)
+{
+ if (!length)
+ {
+ mpz_set_ui(x, 0);
+ return;
+ }
+
+ nettle_mpz_from_octets(x, length, s);
+
+ if (s[0] & 0x80)
+ {
+ mpz_t t;
+
+ mpz_init_set_ui(t, 1);
+ mpz_mul_2exp(t, t, length*8);
+ mpz_sub(x, x, t);
+ mpz_clear(t);
+ }
+}
+
+void
+nettle_mpz_init_set_str_256_s(mpz_t x,
+ size_t length, const uint8_t *s)
+{
+ mpz_init(x);
+ nettle_mpz_set_str_256_s(x, length, s);
+}
diff --git a/external/nettle-3.3/nettle/bignum.h b/external/nettle-3.3/nettle/bignum.h
new file mode 100644
index 0000000..188e9e4
--- /dev/null
+++ b/external/nettle-3.3/nettle/bignum.h
@@ -0,0 +1,140 @@
+/* bignum.h
+
+ Bignum operations that are missing from gmp.
+
+ Copyright (C) 2001 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_BIGNUM_H_INCLUDED
+#define NETTLE_BIGNUM_H_INCLUDED
+
+#include "nettle-meta.h"
+
+#include "nettle-types.h"
+
+/* For NETTLE_USE_MINI_GMP */
+#include "version.h"
+
+#if NETTLE_USE_MINI_GMP
+# include "mini-gmp.h"
+
+# define GMP_NUMB_MASK (~(mp_limb_t) 0)
+
+/* Function missing in older gmp versions, and checked for with ifdef */
+# define mpz_limbs_read mpz_limbs_read
+/* Side-channel silent powm not available in mini-gmp. */
+# define mpz_powm_sec mpz_powm
+#else
+# include <gmp.h>
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Size needed for signed encoding, including extra sign byte if
+ * necessary. */
+size_t
+nettle_mpz_sizeinbase_256_s(const mpz_t x);
+
+/* Size needed for unsigned encoding */
+size_t
+nettle_mpz_sizeinbase_256_u(const mpz_t x);
+
+/* Writes an integer as length octets, using big endian byte order,
+ * and two's complement for negative numbers. */
+void
+nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x);
+
+/* Reads a big endian, two's complement, integer. */
+void
+nettle_mpz_set_str_256_s(mpz_t x,
+ size_t length, const uint8_t *s);
+
+void
+nettle_mpz_init_set_str_256_s(mpz_t x,
+ size_t length, const uint8_t *s);
+
+/* Similar, but for unsigned format. These function don't interpret
+ * the most significant bit as the sign. */
+void
+nettle_mpz_set_str_256_u(mpz_t x,
+ size_t length, const uint8_t *s);
+
+void
+nettle_mpz_init_set_str_256_u(mpz_t x,
+ size_t length, const uint8_t *s);
+
+/* Returns a uniformly distributed random number 0 <= x < 2^n */
+void
+nettle_mpz_random_size(mpz_t x,
+ void *ctx, nettle_random_func *random,
+ unsigned bits);
+
+/* Returns a number x, almost uniformly random in the range
+ * 0 <= x < n. */
+void
+nettle_mpz_random(mpz_t x,
+ void *ctx, nettle_random_func *random,
+ const mpz_t n);
+
+void
+nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set,
+ void *ctx, nettle_random_func *random,
+ void *progress_ctx, nettle_progress_func *progress);
+
+void
+_nettle_generate_pocklington_prime (mpz_t p, mpz_t r,
+ unsigned bits, int top_bits_set,
+ void *ctx, nettle_random_func *random,
+ const mpz_t p0,
+ const mpz_t q,
+ const mpz_t p0q);
+
+/* sexp parsing */
+struct sexp_iterator;
+
+/* If LIMIT is non-zero, the number must be at most LIMIT bits.
+ * Implies sexp_iterator_next. */
+int
+nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i);
+
+
+/* der parsing */
+struct asn1_der_iterator;
+
+int
+nettle_asn1_der_get_bignum(struct asn1_der_iterator *iterator,
+ mpz_t x, unsigned max_bits);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_BIGNUM_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/buffer-init.c b/external/nettle-3.3/nettle/buffer-init.c
new file mode 100644
index 0000000..c953fd1
--- /dev/null
+++ b/external/nettle-3.3/nettle/buffer-init.c
@@ -0,0 +1,48 @@
+/* buffer-init.c
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdlib.h>
+
+#include "buffer.h"
+#include "realloc.h"
+
+/* This is in a separate file so that we don't link in realloc in
+ * programs that don't need it. */
+
+void
+nettle_buffer_init(struct nettle_buffer *buffer)
+{
+ nettle_buffer_init_realloc(buffer, NULL, nettle_realloc);
+}
diff --git a/external/nettle-3.3/nettle/buffer.c b/external/nettle-3.3/nettle/buffer.c
new file mode 100644
index 0000000..37a7275
--- /dev/null
+++ b/external/nettle-3.3/nettle/buffer.c
@@ -0,0 +1,142 @@
+/* buffer.c
+
+ A bare-bones string stream.
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "buffer.h"
+
+int
+nettle_buffer_grow(struct nettle_buffer *buffer,
+ size_t length)
+{
+ assert(buffer->size <= buffer->alloc);
+
+ if (buffer->size + length > buffer->alloc)
+ {
+ size_t alloc;
+ uint8_t *p;
+
+ if (!buffer->realloc)
+ return 0;
+
+ alloc = buffer->alloc * 2 + length + 100;
+ p = buffer->realloc(buffer->realloc_ctx, buffer->contents, alloc);
+ if (!p)
+ return 0;
+
+ buffer->contents = p;
+ buffer->alloc = alloc;
+ }
+ return 1;
+}
+
+void
+nettle_buffer_init_realloc(struct nettle_buffer *buffer,
+ void *realloc_ctx,
+ nettle_realloc_func *realloc)
+{
+ buffer->contents = NULL;
+ buffer->alloc = 0;
+ buffer->realloc = realloc;
+ buffer->realloc_ctx = realloc_ctx;
+ buffer->size = 0;
+}
+
+void
+nettle_buffer_init_size(struct nettle_buffer *buffer,
+ size_t length, uint8_t *space)
+{
+ buffer->contents = space;
+ buffer->alloc = length;
+ buffer->realloc = NULL;
+ buffer->realloc_ctx = NULL;
+ buffer->size = 0;
+}
+
+void
+nettle_buffer_clear(struct nettle_buffer *buffer)
+{
+ if (buffer->realloc)
+ buffer->realloc(buffer->realloc_ctx, buffer->contents, 0);
+
+ buffer->contents = NULL;
+ buffer->alloc = 0;
+ buffer->size = 0;
+}
+
+void
+nettle_buffer_reset(struct nettle_buffer *buffer)
+{
+ buffer->size = 0;
+}
+
+uint8_t *
+nettle_buffer_space(struct nettle_buffer *buffer,
+ size_t length)
+{
+ uint8_t *p;
+
+ if (!nettle_buffer_grow(buffer, length))
+ return NULL;
+
+ p = buffer->contents + buffer->size;
+ buffer->size += length;
+ return p;
+}
+
+int
+nettle_buffer_write(struct nettle_buffer *buffer,
+ size_t length, const uint8_t *data)
+{
+ uint8_t *p = nettle_buffer_space(buffer, length);
+ if (p)
+ {
+ memcpy(p, data, length);
+ return 1;
+ }
+ else
+ return 0;
+}
+
+int
+nettle_buffer_copy(struct nettle_buffer *dst,
+ const struct nettle_buffer *src)
+{
+ return nettle_buffer_write(dst, src->size, src->contents);
+}
diff --git a/external/nettle-3.3/nettle/buffer.h b/external/nettle-3.3/nettle/buffer.h
new file mode 100644
index 0000000..0e59d05
--- /dev/null
+++ b/external/nettle-3.3/nettle/buffer.h
@@ -0,0 +1,106 @@
+/* buffer.h
+
+ A bare-bones string stream.
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_BUFFER_H_INCLUDED
+#define NETTLE_BUFFER_H_INCLUDED
+
+#include "realloc.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct nettle_buffer
+{
+ uint8_t *contents;
+ /* Allocated size */
+ size_t alloc;
+
+ void *realloc_ctx;
+ nettle_realloc_func *realloc;
+
+ /* Current size */
+ size_t size;
+};
+
+/* Initializes a buffer that uses plain realloc */
+void
+nettle_buffer_init(struct nettle_buffer *buffer);
+
+void
+nettle_buffer_init_realloc(struct nettle_buffer *buffer,
+ void *realloc_ctx,
+ nettle_realloc_func *realloc);
+
+/* Initializes a buffer of fix size */
+void
+nettle_buffer_init_size(struct nettle_buffer *buffer,
+ size_t length, uint8_t *space);
+
+void
+nettle_buffer_clear(struct nettle_buffer *buffer);
+
+/* Resets the buffer, without freeing the buffer space. */
+void
+nettle_buffer_reset(struct nettle_buffer *buffer);
+
+int
+nettle_buffer_grow(struct nettle_buffer *buffer,
+ size_t length);
+
+#define NETTLE_BUFFER_PUTC(buffer, c) \
+( (((buffer)->size < (buffer)->alloc) || nettle_buffer_grow((buffer), 1)) \
+ && ((buffer)->contents[(buffer)->size++] = (c), 1) )
+
+int
+nettle_buffer_write(struct nettle_buffer *buffer,
+ size_t length, const uint8_t *data);
+
+/* Like nettle_buffer_write, but instead of copying data to the
+ * buffer, it returns a pointer to the area where the caller can copy
+ * the data. The pointer is valid only until the next call that can
+ * reallocate the buffer. */
+uint8_t *
+nettle_buffer_space(struct nettle_buffer *buffer,
+ size_t length);
+
+/* Copy the contents of SRC to the end of DST. */
+int
+nettle_buffer_copy(struct nettle_buffer *dst,
+ const struct nettle_buffer *src);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_BUFFER_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/gmp-glue.c b/external/nettle-3.3/nettle/gmp-glue.c
new file mode 100644
index 0000000..4b813b8
--- /dev/null
+++ b/external/nettle-3.3/nettle/gmp-glue.c
@@ -0,0 +1,326 @@
+/* gmp-glue.c
+
+ Copyright (C) 2013 Niels Möller
+ Copyright (C) 2013 Red Hat
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include "gmp-glue.h"
+
+#if !GMP_HAVE_mpz_limbs_read
+
+/* This implementation tries to make a minimal use of GMP internals.
+ We access and _mp_size and _mp_d, but not _mp_alloc. */
+
+/* Use macros compatible with gmp-impl.h. */
+#define ABS(x) ((x) >= 0 ? (x) : -(x))
+#define PTR(x) ((x)->_mp_d)
+#define SIZ(x) ((x)->_mp_size)
+#define ABSIZ(x) ABS (SIZ (x))
+
+#define MPN_NORMALIZE(xp, xn) do { \
+ while ( (xn) > 0 && (xp)[xn-1] == 0) \
+ (xn)--; \
+ } while (0)
+
+/* NOTE: Makes an unnecessary realloc if allocation is already large
+ enough, but looking at _mp_alloc may break in future GMP
+ versions. */
+#define MPZ_REALLOC(x, n) \
+ (ABSIZ(x) >= (n) ? PTR(x) : (_mpz_realloc ((x),(n)), PTR (x)))
+
+#define MPZ_NEWALLOC MPZ_REALLOC
+
+/* Read access to mpz numbers. */
+
+/* Return limb pointer, for read-only operations. Use mpz_size to get
+ the number of limbs. */
+const mp_limb_t *
+mpz_limbs_read (mpz_srcptr x)
+{
+ return PTR (x);
+}
+
+/* Write access to mpz numbers. */
+
+/* Get a limb pointer for writing, previous contents may be
+ destroyed. */
+mp_limb_t *
+mpz_limbs_write (mpz_ptr x, mp_size_t n)
+{
+ assert (n > 0);
+ return MPZ_NEWALLOC (x, n);
+}
+
+/* Get a limb pointer for writing, previous contents is intact. */
+mp_limb_t *
+mpz_limbs_modify (mpz_ptr x, mp_size_t n)
+{
+ assert (n > 0);
+ return MPZ_REALLOC (x, n);
+}
+
+void
+mpz_limbs_finish (mpz_ptr x, mp_size_t n)
+{
+ assert (n >= 0);
+ MPN_NORMALIZE (PTR(x), n);
+
+ SIZ (x) = n;
+}
+
+/* Needs some ugly casts. */
+mpz_srcptr
+mpz_roinit_n (mpz_ptr x, const mp_limb_t *xp, mp_size_t xs)
+{
+ mp_size_t xn = ABS (xs);
+
+ MPN_NORMALIZE (xp, xn);
+
+ x->_mp_size = xs < 0 ? -xn : xn;
+ x->_mp_alloc = 0;
+ x->_mp_d = (mp_limb_t *) xp;
+ return x;
+}
+#endif /* !GMP_HAVE_mpz_limbs_read */
+
+void
+cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n)
+{
+ mp_limb_t mask = - (mp_limb_t) (cnd != 0);
+ mp_size_t i;
+ for (i = 0; i < n; i++)
+ {
+ mp_limb_t a, b, t;
+ a = ap[i];
+ b = bp[i];
+ t = (a ^ b) & mask;
+ ap[i] = a ^ t;
+ bp[i] = b ^ t;
+ }
+}
+
+/* Additional convenience functions. */
+
+int
+mpz_limbs_cmp (mpz_srcptr a, const mp_limb_t *bp, mp_size_t bn)
+{
+ mp_size_t an = mpz_size (a);
+ assert (mpz_sgn (a) >= 0);
+ assert (bn >= 0);
+
+ if (an < bn)
+ return -1;
+ if (an > bn)
+ return 1;
+ if (an == 0)
+ return 0;
+
+ return mpn_cmp (mpz_limbs_read(a), bp, an);
+}
+
+/* Get a pointer to an n limb area, for read-only operation. n must be
+ greater or equal to the current size, and the mpz is zero-padded if
+ needed. */
+const mp_limb_t *
+mpz_limbs_read_n (mpz_ptr x, mp_size_t n)
+{
+ mp_size_t xn = mpz_size (x);
+ mp_ptr xp;
+
+ assert (xn <= n);
+
+ xp = mpz_limbs_modify (x, n);
+
+ if (xn < n)
+ mpn_zero (xp + xn, n - xn);
+
+ return xp;
+}
+
+void
+mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n)
+{
+ mp_size_t xn = mpz_size (x);
+
+ assert (xn <= n);
+ mpn_copyi (xp, mpz_limbs_read (x), xn);
+ if (xn < n)
+ mpn_zero (xp + xn, n - xn);
+}
+
+void
+mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn)
+{
+ mpn_copyi (mpz_limbs_write (r, xn), xp, xn);
+ mpz_limbs_finish (r, xn);
+}
+
+void
+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn,
+ const uint8_t *xp, size_t xn)
+{
+ size_t xi;
+ mp_limb_t out;
+ unsigned bits;
+ for (xi = xn, out = bits = 0; xi > 0 && rn > 0; )
+ {
+ mp_limb_t in = xp[--xi];
+ out |= (in << bits) & GMP_NUMB_MASK;
+ bits += 8;
+ if (bits >= GMP_NUMB_BITS)
+ {
+ *rp++ = out;
+ rn--;
+
+ bits -= GMP_NUMB_BITS;
+ out = in >> (8 - bits);
+ }
+ }
+ if (rn > 0)
+ {
+ *rp++ = out;
+ if (--rn > 0)
+ mpn_zero (rp, rn);
+ }
+}
+
+void
+mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn,
+ const uint8_t *xp, size_t xn)
+{
+ size_t xi;
+ mp_limb_t out;
+ unsigned bits;
+ for (xi = 0, out = bits = 0; xi < xn && rn > 0; )
+ {
+ mp_limb_t in = xp[xi++];
+ out |= (in << bits) & GMP_NUMB_MASK;
+ bits += 8;
+ if (bits >= GMP_NUMB_BITS)
+ {
+ *rp++ = out;
+ rn--;
+
+ bits -= GMP_NUMB_BITS;
+ out = in >> (8 - bits);
+ }
+ }
+ if (rn > 0)
+ {
+ *rp++ = out;
+ if (--rn > 0)
+ mpn_zero (rp, rn);
+ }
+}
+
+void
+mpn_get_base256_le (uint8_t *rp, size_t rn,
+ const mp_limb_t *xp, mp_size_t xn)
+{
+ unsigned bits;
+ mp_limb_t in;
+ for (bits = in = 0; xn > 0 && rn > 0; )
+ {
+ if (bits >= 8)
+ {
+ *rp++ = in;
+ rn--;
+ in >>= 8;
+ bits -= 8;
+ }
+ else
+ {
+ uint8_t old = in;
+ in = *xp++;
+ xn--;
+ *rp++ = old | (in << bits);
+ rn--;
+ in >>= (8 - bits);
+ bits += GMP_NUMB_BITS - 8;
+ }
+ }
+ while (rn > 0)
+ {
+ *rp++ = in;
+ rn--;
+ in >>= 8;
+ }
+}
+
+mp_limb_t *
+gmp_alloc_limbs (mp_size_t n)
+{
+
+ void *(*alloc_func)(size_t);
+
+ assert (n > 0);
+
+ mp_get_memory_functions (&alloc_func, NULL, NULL);
+ return (mp_limb_t *) alloc_func ( (size_t) n * sizeof(mp_limb_t));
+}
+
+void
+gmp_free_limbs (mp_limb_t *p, mp_size_t n)
+{
+ void (*free_func)(void *, size_t);
+ assert (n > 0);
+ assert (p != 0);
+ mp_get_memory_functions (NULL, NULL, &free_func);
+
+ free_func (p, (size_t) n * sizeof(mp_limb_t));
+}
+
+void *
+gmp_alloc(size_t n)
+{
+ void *(*alloc_func)(size_t);
+ assert (n > 0);
+
+ mp_get_memory_functions(&alloc_func, NULL, NULL);
+
+ return alloc_func (n);
+}
+
+void
+gmp_free(void *p, size_t n)
+{
+ void (*free_func)(void *, size_t);
+ assert (n > 0);
+ assert (p != 0);
+ mp_get_memory_functions (NULL, NULL, &free_func);
+
+ free_func (p, (size_t) n);
+}
diff --git a/external/nettle-3.3/nettle/gmp-glue.h b/external/nettle-3.3/nettle/gmp-glue.h
new file mode 100644
index 0000000..e7a6177
--- /dev/null
+++ b/external/nettle-3.3/nettle/gmp-glue.h
@@ -0,0 +1,164 @@
+/* gmp-glue.h
+
+ Copyright (C) 2013 Niels Möller
+ Copyright (C) 2013 Red Hat
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_GMP_GLUE_H_INCLUDED
+#define NETTLE_GMP_GLUE_H_INCLUDED
+
+#include "bignum.h"
+
+#ifdef mpz_limbs_read
+#define GMP_HAVE_mpz_limbs_read 1
+#else
+#define GMP_HAVE_mpz_limbs_read 0
+#endif
+
+/* Name mangling. */
+#if !GMP_HAVE_mpz_limbs_read
+#define mpz_limbs_read _nettle_mpz_limbs_read
+#define mpz_limbs_write _nettle_mpz_limbs_write
+#define mpz_limbs_modify _nettle_mpz_limbs_modify
+#define mpz_limbs_finish _nettle_mpz_limbs_finish
+#define mpz_roinit_n _nettle_mpz_roinit_n
+#endif
+
+#define cnd_swap _nettle_cnd_swap
+#define mpz_limbs_cmp _nettle_mpz_limbs_cmp
+#define mpz_limbs_read_n _nettle_mpz_limbs_read_n
+#define mpz_limbs_copy _nettle_mpz_limbs_copy
+#define mpz_set_n _nettle_mpz_set_n
+#define mpn_set_base256 _nettle_mpn_set_base256
+#define mpn_set_base256_le _nettle_mpn_set_base256_le
+#define mpn_get_base256_le _nettle_mpn_get_base256_le
+#define gmp_alloc_limbs _nettle_gmp_alloc_limbs
+#define gmp_free_limbs _nettle_gmp_free_limbs
+#define gmp_free _nettle_gmp_free
+#define gmp_alloc _nettle_gmp_alloc
+
+#define TMP_GMP_DECL(name, type) type *name; \
+ size_t tmp_##name##_size
+#define TMP_GMP_ALLOC(name, size) do { \
+ tmp_##name##_size = (size); \
+ (name) = gmp_alloc(sizeof (*name) * (size)); \
+ } while (0)
+#define TMP_GMP_FREE(name) (gmp_free(name, tmp_##name##_size))
+
+
+/* Use only in-place operations, so we can fall back to addmul_1/submul_1 */
+#ifdef mpn_cnd_add_n
+# define cnd_add_n(cnd, rp, ap, n) mpn_cnd_add_n ((cnd), (rp), (rp), (ap), (n))
+# define cnd_sub_n(cnd, rp, ap, n) mpn_cnd_sub_n ((cnd), (rp), (rp), (ap), (n))
+#else
+# define cnd_add_n(cnd, rp, ap, n) mpn_addmul_1 ((rp), (ap), (n), (cnd) != 0)
+# define cnd_sub_n(cnd, rp, ap, n) mpn_submul_1 ((rp), (ap), (n), (cnd) != 0)
+#endif
+
+/* Some functions for interfacing between mpz and mpn code. Signs of
+ the mpz numbers are generally ignored. */
+
+#if !GMP_HAVE_mpz_limbs_read
+/* Read access to mpz numbers. */
+
+/* Return limb pointer, for read-only operations. Use mpz_size to get
+ the number of limbs. */
+const mp_limb_t *
+mpz_limbs_read (const mpz_srcptr x);
+
+/* Write access to mpz numbers. */
+
+/* Get a limb pointer for writing, previous contents may be
+ destroyed. */
+mp_limb_t *
+mpz_limbs_write (mpz_ptr x, mp_size_t n);
+
+/* Get a limb pointer for writing, previous contents is intact. */
+mp_limb_t *
+mpz_limbs_modify (mpz_ptr x, mp_size_t n);
+
+/* Update size. */
+void
+mpz_limbs_finish (mpz_ptr x, mp_size_t n);
+
+/* Using an mpn number as an mpz. Can be used for read-only access
+ only. x must not be cleared or reallocated. */
+mpz_srcptr
+mpz_roinit_n (mpz_ptr x, const mp_limb_t *xp, mp_size_t xs);
+
+#endif /* !GMP_HAVE_mpz_limbs_read */
+
+void
+cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n);
+
+/* Convenience functions */
+int
+mpz_limbs_cmp (mpz_srcptr a, const mp_limb_t *bp, mp_size_t bn);
+
+/* Get a pointer to an n limb area, for read-only operation. n must be
+ greater or equal to the current size, and the mpz is zero-padded if
+ needed. */
+const mp_limb_t *
+mpz_limbs_read_n (mpz_ptr x, mp_size_t n);
+
+/* Copy limbs, with zero-padding. */
+/* FIXME: Reorder arguments, on the theory that the first argument of
+ an _mpz_* function should be an mpz_t? Or rename to _mpz_get_limbs,
+ with argument order consistent with mpz_get_*. */
+void
+mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n);
+
+void
+mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn);
+
+/* Like mpn_set_str, but always writes rn limbs. If input is larger,
+ higher bits are ignored. */
+void
+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn,
+ const uint8_t *xp, size_t xn);
+
+void
+mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn,
+ const uint8_t *xp, size_t xn);
+
+void
+mpn_get_base256_le (uint8_t *rp, size_t rn,
+ const mp_limb_t *xp, mp_size_t xn);
+
+
+mp_limb_t *
+gmp_alloc_limbs (mp_size_t n);
+
+void
+gmp_free_limbs (mp_limb_t *p, mp_size_t n);
+
+void *gmp_alloc(size_t n);
+void gmp_free(void *p, size_t n);
+
+#endif /* NETTLE_GMP_GLUE_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/macros.h b/external/nettle-3.3/nettle/macros.h
new file mode 100644
index 0000000..af84841
--- /dev/null
+++ b/external/nettle-3.3/nettle/macros.h
@@ -0,0 +1,245 @@
+/* macros.h
+
+ Copyright (C) 2001, 2010 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_MACROS_H_INCLUDED
+#define NETTLE_MACROS_H_INCLUDED
+
+/* Reads a 64-bit integer, in network, big-endian, byte order */
+#define READ_UINT64(p) \
+( (((uint64_t) (p)[0]) << 56) \
+ | (((uint64_t) (p)[1]) << 48) \
+ | (((uint64_t) (p)[2]) << 40) \
+ | (((uint64_t) (p)[3]) << 32) \
+ | (((uint64_t) (p)[4]) << 24) \
+ | (((uint64_t) (p)[5]) << 16) \
+ | (((uint64_t) (p)[6]) << 8) \
+ | ((uint64_t) (p)[7]))
+
+#define WRITE_UINT64(p, i) \
+do { \
+ (p)[0] = ((i) >> 56) & 0xff; \
+ (p)[1] = ((i) >> 48) & 0xff; \
+ (p)[2] = ((i) >> 40) & 0xff; \
+ (p)[3] = ((i) >> 32) & 0xff; \
+ (p)[4] = ((i) >> 24) & 0xff; \
+ (p)[5] = ((i) >> 16) & 0xff; \
+ (p)[6] = ((i) >> 8) & 0xff; \
+ (p)[7] = (i) & 0xff; \
+} while(0)
+
+/* Reads a 32-bit integer, in network, big-endian, byte order */
+#define READ_UINT32(p) \
+( (((uint32_t) (p)[0]) << 24) \
+ | (((uint32_t) (p)[1]) << 16) \
+ | (((uint32_t) (p)[2]) << 8) \
+ | ((uint32_t) (p)[3]))
+
+#define WRITE_UINT32(p, i) \
+do { \
+ (p)[0] = ((i) >> 24) & 0xff; \
+ (p)[1] = ((i) >> 16) & 0xff; \
+ (p)[2] = ((i) >> 8) & 0xff; \
+ (p)[3] = (i) & 0xff; \
+} while(0)
+
+/* Analogous macros, for 24 and 16 bit numbers */
+#define READ_UINT24(p) \
+( (((uint32_t) (p)[0]) << 16) \
+ | (((uint32_t) (p)[1]) << 8) \
+ | ((uint32_t) (p)[2]))
+
+#define WRITE_UINT24(p, i) \
+do { \
+ (p)[0] = ((i) >> 16) & 0xff; \
+ (p)[1] = ((i) >> 8) & 0xff; \
+ (p)[2] = (i) & 0xff; \
+} while(0)
+
+#define READ_UINT16(p) \
+( (((uint32_t) (p)[0]) << 8) \
+ | ((uint32_t) (p)[1]))
+
+#define WRITE_UINT16(p, i) \
+do { \
+ (p)[0] = ((i) >> 8) & 0xff; \
+ (p)[1] = (i) & 0xff; \
+} while(0)
+
+/* And the other, little-endian, byteorder */
+#define LE_READ_UINT64(p) \
+( (((uint64_t) (p)[7]) << 56) \
+ | (((uint64_t) (p)[6]) << 48) \
+ | (((uint64_t) (p)[5]) << 40) \
+ | (((uint64_t) (p)[4]) << 32) \
+ | (((uint64_t) (p)[3]) << 24) \
+ | (((uint64_t) (p)[2]) << 16) \
+ | (((uint64_t) (p)[1]) << 8) \
+ | ((uint64_t) (p)[0]))
+
+#define LE_WRITE_UINT64(p, i) \
+do { \
+ (p)[7] = ((i) >> 56) & 0xff; \
+ (p)[6] = ((i) >> 48) & 0xff; \
+ (p)[5] = ((i) >> 40) & 0xff; \
+ (p)[4] = ((i) >> 32) & 0xff; \
+ (p)[3] = ((i) >> 24) & 0xff; \
+ (p)[2] = ((i) >> 16) & 0xff; \
+ (p)[1] = ((i) >> 8) & 0xff; \
+ (p)[0] = (i) & 0xff; \
+} while (0)
+
+#define LE_READ_UINT32(p) \
+( (((uint32_t) (p)[3]) << 24) \
+ | (((uint32_t) (p)[2]) << 16) \
+ | (((uint32_t) (p)[1]) << 8) \
+ | ((uint32_t) (p)[0]))
+
+#define LE_WRITE_UINT32(p, i) \
+do { \
+ (p)[3] = ((i) >> 24) & 0xff; \
+ (p)[2] = ((i) >> 16) & 0xff; \
+ (p)[1] = ((i) >> 8) & 0xff; \
+ (p)[0] = (i) & 0xff; \
+} while(0)
+
+/* Analogous macros, for 16 bit numbers */
+#define LE_READ_UINT16(p) \
+ ( (((uint32_t) (p)[1]) << 8) \
+ | ((uint32_t) (p)[0]))
+
+#define LE_WRITE_UINT16(p, i) \
+ do { \
+ (p)[1] = ((i) >> 8) & 0xff; \
+ (p)[0] = (i) & 0xff; \
+ } while(0)
+
+/* Macro to make it easier to loop over several blocks. */
+#define FOR_BLOCKS(length, dst, src, blocksize) \
+ assert( !((length) % (blocksize))); \
+ for (; (length); ((length) -= (blocksize), \
+ (dst) += (blocksize), \
+ (src) += (blocksize)) )
+
+/* The masking of the right shift is needed to allow n == 0 (using
+ just 32 - n and 64 - n results in undefined behaviour). Most uses
+ of these macros use a constant and non-zero rotation count. */
+#define ROTL32(n,x) (((x)<<(n)) | ((x)>>((-(n)&31))))
+
+#define ROTL64(n,x) (((x)<<(n)) | ((x)>>((-(n))&63)))
+
+/* Requires that size > 0 */
+#define INCREMENT(size, ctr) \
+ do { \
+ unsigned increment_i = (size) - 1; \
+ if (++(ctr)[increment_i] == 0) \
+ while (increment_i > 0 \
+ && ++(ctr)[--increment_i] == 0 ) \
+ ; \
+ } while (0)
+
+
+/* Helper macro for Merkle-Damgård hash functions. Assumes the context
+ structs includes the following fields:
+
+ uint8_t block[...]; // Buffer holding one block
+ unsigned int index; // Index into block
+*/
+
+/* Currently used by sha512 (and sha384) only. */
+#define MD_INCR(ctx) ((ctx)->count_high += !++(ctx)->count_low)
+
+/* Takes the compression function f as argument. NOTE: also clobbers
+ length and data. */
+#define MD_UPDATE(ctx, length, data, f, incr) \
+ do { \
+ if ((ctx)->index) \
+ { \
+ /* Try to fill partial block */ \
+ unsigned __md_left = sizeof((ctx)->block) - (ctx)->index; \
+ if ((length) < __md_left) \
+ { \
+ memcpy((ctx)->block + (ctx)->index, (data), (length)); \
+ (ctx)->index += (length); \
+ goto __md_done; /* Finished */ \
+ } \
+ else \
+ { \
+ memcpy((ctx)->block + (ctx)->index, (data), __md_left); \
+ \
+ f((ctx), (ctx)->block); \
+ (incr); \
+ \
+ (data) += __md_left; \
+ (length) -= __md_left; \
+ } \
+ } \
+ while ((length) >= sizeof((ctx)->block)) \
+ { \
+ f((ctx), (data)); \
+ (incr); \
+ \
+ (data) += sizeof((ctx)->block); \
+ (length) -= sizeof((ctx)->block); \
+ } \
+ memcpy ((ctx)->block, (data), (length)); \
+ (ctx)->index = (length); \
+ __md_done: \
+ ; \
+ } while (0)
+
+/* Pads the block to a block boundary with the bit pattern 1 0*,
+ leaving size octets for the length field at the end. If needed,
+ compresses the block and starts a new one. */
+#define MD_PAD(ctx, size, f) \
+ do { \
+ unsigned __md_i; \
+ __md_i = (ctx)->index; \
+ \
+ /* Set the first char of padding to 0x80. This is safe since there \
+ is always at least one byte free */ \
+ \
+ assert(__md_i < sizeof((ctx)->block)); \
+ (ctx)->block[__md_i++] = 0x80; \
+ \
+ if (__md_i > (sizeof((ctx)->block) - (size))) \
+ { /* No room for length in this block. Process it and \
+ pad with another one */ \
+ memset((ctx)->block + __md_i, 0, sizeof((ctx)->block) - __md_i); \
+ \
+ f((ctx), (ctx)->block); \
+ __md_i = 0; \
+ } \
+ memset((ctx)->block + __md_i, 0, \
+ sizeof((ctx)->block) - (size) - __md_i); \
+ \
+ } while (0)
+
+#endif /* NETTLE_MACROS_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/mini-gmp.c b/external/nettle-3.3/nettle/mini-gmp.c
new file mode 100644
index 0000000..e64a3da
--- /dev/null
+++ b/external/nettle-3.3/nettle/mini-gmp.c
@@ -0,0 +1,4386 @@
+/* mini-gmp, a minimalistic implementation of a GNU GMP subset.
+
+ Contributed to the GNU project by Niels Möller
+
+Copyright 1991-1997, 1999-2014 Free Software Foundation, Inc.
+
+This file is part of the GNU MP Library.
+
+The GNU MP Library is free software; you can redistribute it and/or modify
+it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+or
+
+ * the GNU General Public License as published by the Free Software
+ Foundation; either version 3 of the License, or (at your option) any
+ later version.
+
+or both in parallel, as here.
+
+The GNU MP Library is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+for more details.
+
+You should have received copies of the GNU General Public License and the
+GNU Lesser General Public License along with the GNU MP Library. If not,
+see https://www.gnu.org/licenses/. */
+
+/* NOTE: All functions in this file which are not declared in
+ mini-gmp.h are internal, and are not intended to be compatible
+ neither with GMP nor with future versions of mini-gmp. */
+
+/* Much of the material copied from GMP files, including: gmp-impl.h,
+ longlong.h, mpn/generic/add_n.c, mpn/generic/addmul_1.c,
+ mpn/generic/lshift.c, mpn/generic/mul_1.c,
+ mpn/generic/mul_basecase.c, mpn/generic/rshift.c,
+ mpn/generic/sbpi1_div_qr.c, mpn/generic/sub_n.c,
+ mpn/generic/submul_1.c. */
+
+#include <assert.h>
+#include <ctype.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mini-gmp.h"
+
+
+/* Macros */
+#define GMP_LIMB_BITS (sizeof(mp_limb_t) * CHAR_BIT)
+
+#define GMP_LIMB_MAX (~ (mp_limb_t) 0)
+#define GMP_LIMB_HIGHBIT ((mp_limb_t) 1 << (GMP_LIMB_BITS - 1))
+
+#define GMP_HLIMB_BIT ((mp_limb_t) 1 << (GMP_LIMB_BITS / 2))
+#define GMP_LLIMB_MASK (GMP_HLIMB_BIT - 1)
+
+#define GMP_ULONG_BITS (sizeof(unsigned long) * CHAR_BIT)
+#define GMP_ULONG_HIGHBIT ((unsigned long) 1 << (GMP_ULONG_BITS - 1))
+
+#define GMP_ABS(x) ((x) >= 0 ? (x) : -(x))
+#define GMP_NEG_CAST(T,x) (-((T)((x) + 1) - 1))
+
+#define GMP_MIN(a, b) ((a) < (b) ? (a) : (b))
+#define GMP_MAX(a, b) ((a) > (b) ? (a) : (b))
+
+#define gmp_assert_nocarry(x) do { \
+ mp_limb_t __cy = x; \
+ assert (__cy == 0); \
+ } while (0)
+
+#define gmp_clz(count, x) do { \
+ mp_limb_t __clz_x = (x); \
+ unsigned __clz_c; \
+ for (__clz_c = 0; \
+ (__clz_x & ((mp_limb_t) 0xff << (GMP_LIMB_BITS - 8))) == 0; \
+ __clz_c += 8) \
+ __clz_x <<= 8; \
+ for (; (__clz_x & GMP_LIMB_HIGHBIT) == 0; __clz_c++) \
+ __clz_x <<= 1; \
+ (count) = __clz_c; \
+ } while (0)
+
+#define gmp_ctz(count, x) do { \
+ mp_limb_t __ctz_x = (x); \
+ unsigned __ctz_c = 0; \
+ gmp_clz (__ctz_c, __ctz_x & - __ctz_x); \
+ (count) = GMP_LIMB_BITS - 1 - __ctz_c; \
+ } while (0)
+
+#define gmp_add_ssaaaa(sh, sl, ah, al, bh, bl) \
+ do { \
+ mp_limb_t __x; \
+ __x = (al) + (bl); \
+ (sh) = (ah) + (bh) + (__x < (al)); \
+ (sl) = __x; \
+ } while (0)
+
+#define gmp_sub_ddmmss(sh, sl, ah, al, bh, bl) \
+ do { \
+ mp_limb_t __x; \
+ __x = (al) - (bl); \
+ (sh) = (ah) - (bh) - ((al) < (bl)); \
+ (sl) = __x; \
+ } while (0)
+
+#define gmp_umul_ppmm(w1, w0, u, v) \
+ do { \
+ mp_limb_t __x0, __x1, __x2, __x3; \
+ unsigned __ul, __vl, __uh, __vh; \
+ mp_limb_t __u = (u), __v = (v); \
+ \
+ __ul = __u & GMP_LLIMB_MASK; \
+ __uh = __u >> (GMP_LIMB_BITS / 2); \
+ __vl = __v & GMP_LLIMB_MASK; \
+ __vh = __v >> (GMP_LIMB_BITS / 2); \
+ \
+ __x0 = (mp_limb_t) __ul * __vl; \
+ __x1 = (mp_limb_t) __ul * __vh; \
+ __x2 = (mp_limb_t) __uh * __vl; \
+ __x3 = (mp_limb_t) __uh * __vh; \
+ \
+ __x1 += __x0 >> (GMP_LIMB_BITS / 2);/* this can't give carry */ \
+ __x1 += __x2; /* but this indeed can */ \
+ if (__x1 < __x2) /* did we get it? */ \
+ __x3 += GMP_HLIMB_BIT; /* yes, add it in the proper pos. */ \
+ \
+ (w1) = __x3 + (__x1 >> (GMP_LIMB_BITS / 2)); \
+ (w0) = (__x1 << (GMP_LIMB_BITS / 2)) + (__x0 & GMP_LLIMB_MASK); \
+ } while (0)
+
+#define gmp_udiv_qrnnd_preinv(q, r, nh, nl, d, di) \
+ do { \
+ mp_limb_t _qh, _ql, _r, _mask; \
+ gmp_umul_ppmm (_qh, _ql, (nh), (di)); \
+ gmp_add_ssaaaa (_qh, _ql, _qh, _ql, (nh) + 1, (nl)); \
+ _r = (nl) - _qh * (d); \
+ _mask = -(mp_limb_t) (_r > _ql); /* both > and >= are OK */ \
+ _qh += _mask; \
+ _r += _mask & (d); \
+ if (_r >= (d)) \
+ { \
+ _r -= (d); \
+ _qh++; \
+ } \
+ \
+ (r) = _r; \
+ (q) = _qh; \
+ } while (0)
+
+#define gmp_udiv_qr_3by2(q, r1, r0, n2, n1, n0, d1, d0, dinv) \
+ do { \
+ mp_limb_t _q0, _t1, _t0, _mask; \
+ gmp_umul_ppmm ((q), _q0, (n2), (dinv)); \
+ gmp_add_ssaaaa ((q), _q0, (q), _q0, (n2), (n1)); \
+ \
+ /* Compute the two most significant limbs of n - q'd */ \
+ (r1) = (n1) - (d1) * (q); \
+ gmp_sub_ddmmss ((r1), (r0), (r1), (n0), (d1), (d0)); \
+ gmp_umul_ppmm (_t1, _t0, (d0), (q)); \
+ gmp_sub_ddmmss ((r1), (r0), (r1), (r0), _t1, _t0); \
+ (q)++; \
+ \
+ /* Conditionally adjust q and the remainders */ \
+ _mask = - (mp_limb_t) ((r1) >= _q0); \
+ (q) += _mask; \
+ gmp_add_ssaaaa ((r1), (r0), (r1), (r0), _mask & (d1), _mask & (d0)); \
+ if ((r1) >= (d1)) \
+ { \
+ if ((r1) > (d1) || (r0) >= (d0)) \
+ { \
+ (q)++; \
+ gmp_sub_ddmmss ((r1), (r0), (r1), (r0), (d1), (d0)); \
+ } \
+ } \
+ } while (0)
+
+/* Swap macros. */
+#define MP_LIMB_T_SWAP(x, y) \
+ do { \
+ mp_limb_t __mp_limb_t_swap__tmp = (x); \
+ (x) = (y); \
+ (y) = __mp_limb_t_swap__tmp; \
+ } while (0)
+#define MP_SIZE_T_SWAP(x, y) \
+ do { \
+ mp_size_t __mp_size_t_swap__tmp = (x); \
+ (x) = (y); \
+ (y) = __mp_size_t_swap__tmp; \
+ } while (0)
+#define MP_BITCNT_T_SWAP(x,y) \
+ do { \
+ mp_bitcnt_t __mp_bitcnt_t_swap__tmp = (x); \
+ (x) = (y); \
+ (y) = __mp_bitcnt_t_swap__tmp; \
+ } while (0)
+#define MP_PTR_SWAP(x, y) \
+ do { \
+ mp_ptr __mp_ptr_swap__tmp = (x); \
+ (x) = (y); \
+ (y) = __mp_ptr_swap__tmp; \
+ } while (0)
+#define MP_SRCPTR_SWAP(x, y) \
+ do { \
+ mp_srcptr __mp_srcptr_swap__tmp = (x); \
+ (x) = (y); \
+ (y) = __mp_srcptr_swap__tmp; \
+ } while (0)
+
+#define MPN_PTR_SWAP(xp,xs, yp,ys) \
+ do { \
+ MP_PTR_SWAP (xp, yp); \
+ MP_SIZE_T_SWAP (xs, ys); \
+ } while(0)
+#define MPN_SRCPTR_SWAP(xp,xs, yp,ys) \
+ do { \
+ MP_SRCPTR_SWAP (xp, yp); \
+ MP_SIZE_T_SWAP (xs, ys); \
+ } while(0)
+
+#define MPZ_PTR_SWAP(x, y) \
+ do { \
+ mpz_ptr __mpz_ptr_swap__tmp = (x); \
+ (x) = (y); \
+ (y) = __mpz_ptr_swap__tmp; \
+ } while (0)
+#define MPZ_SRCPTR_SWAP(x, y) \
+ do { \
+ mpz_srcptr __mpz_srcptr_swap__tmp = (x); \
+ (x) = (y); \
+ (y) = __mpz_srcptr_swap__tmp; \
+ } while (0)
+
+const int mp_bits_per_limb = GMP_LIMB_BITS;
+
+
+/* Memory allocation and other helper functions. */
+static void
+gmp_die (const char *msg)
+{
+ fprintf (stderr, "%s\n", msg);
+ abort();
+}
+
+static void *
+gmp_default_alloc (size_t size)
+{
+ void *p;
+
+ assert (size > 0);
+
+ p = malloc (size);
+ if (!p)
+ gmp_die("gmp_default_alloc: Virtual memory exhausted.");
+
+ return p;
+}
+
+static void *
+gmp_default_realloc (void *old, size_t old_size, size_t new_size)
+{
+ mp_ptr p;
+
+ p = realloc (old, new_size);
+
+ if (!p)
+ gmp_die("gmp_default_realoc: Virtual memory exhausted.");
+
+ return p;
+}
+
+static void
+gmp_default_free (void *p, size_t size)
+{
+ free (p);
+}
+
+static void * (*gmp_allocate_func) (size_t) = gmp_default_alloc;
+static void * (*gmp_reallocate_func) (void *, size_t, size_t) = gmp_default_realloc;
+static void (*gmp_free_func) (void *, size_t) = gmp_default_free;
+
+void
+mp_get_memory_functions (void *(**alloc_func) (size_t),
+ void *(**realloc_func) (void *, size_t, size_t),
+ void (**free_func) (void *, size_t))
+{
+ if (alloc_func)
+ *alloc_func = gmp_allocate_func;
+
+ if (realloc_func)
+ *realloc_func = gmp_reallocate_func;
+
+ if (free_func)
+ *free_func = gmp_free_func;
+}
+
+void
+mp_set_memory_functions (void *(*alloc_func) (size_t),
+ void *(*realloc_func) (void *, size_t, size_t),
+ void (*free_func) (void *, size_t))
+{
+ if (!alloc_func)
+ alloc_func = gmp_default_alloc;
+ if (!realloc_func)
+ realloc_func = gmp_default_realloc;
+ if (!free_func)
+ free_func = gmp_default_free;
+
+ gmp_allocate_func = alloc_func;
+ gmp_reallocate_func = realloc_func;
+ gmp_free_func = free_func;
+}
+
+#define gmp_xalloc(size) ((*gmp_allocate_func)((size)))
+#define gmp_free(p) ((*gmp_free_func) ((p), 0))
+
+static mp_ptr
+gmp_xalloc_limbs (mp_size_t size)
+{
+ return gmp_xalloc (size * sizeof (mp_limb_t));
+}
+
+static mp_ptr
+gmp_xrealloc_limbs (mp_ptr old, mp_size_t size)
+{
+ assert (size > 0);
+ return (*gmp_reallocate_func) (old, 0, size * sizeof (mp_limb_t));
+}
+
+
+/* MPN interface */
+
+void
+mpn_copyi (mp_ptr d, mp_srcptr s, mp_size_t n)
+{
+ mp_size_t i;
+ for (i = 0; i < n; i++)
+ d[i] = s[i];
+}
+
+void
+mpn_copyd (mp_ptr d, mp_srcptr s, mp_size_t n)
+{
+ while (n-- > 0)
+ d[n] = s[n];
+}
+
+int
+mpn_cmp (mp_srcptr ap, mp_srcptr bp, mp_size_t n)
+{
+ while (--n >= 0)
+ {
+ if (ap[n] != bp[n])
+ return ap[n] > bp[n] ? 1 : -1;
+ }
+ return 0;
+}
+
+static int
+mpn_cmp4 (mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn)
+{
+ if (an != bn)
+ return an < bn ? -1 : 1;
+ else
+ return mpn_cmp (ap, bp, an);
+}
+
+static mp_size_t
+mpn_normalized_size (mp_srcptr xp, mp_size_t n)
+{
+ for (; n > 0 && xp[n-1] == 0; n--)
+ ;
+ return n;
+}
+
+#define mpn_zero_p(xp, n) (mpn_normalized_size ((xp), (n)) == 0)
+
+void
+mpn_zero (mp_ptr rp, mp_size_t n)
+{
+ mp_size_t i;
+
+ for (i = 0; i < n; i++)
+ rp[i] = 0;
+}
+
+mp_limb_t
+mpn_add_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b)
+{
+ mp_size_t i;
+
+ assert (n > 0);
+ i = 0;
+ do
+ {
+ mp_limb_t r = ap[i] + b;
+ /* Carry out */
+ b = (r < b);
+ rp[i] = r;
+ }
+ while (++i < n);
+
+ return b;
+}
+
+mp_limb_t
+mpn_add_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n)
+{
+ mp_size_t i;
+ mp_limb_t cy;
+
+ for (i = 0, cy = 0; i < n; i++)
+ {
+ mp_limb_t a, b, r;
+ a = ap[i]; b = bp[i];
+ r = a + cy;
+ cy = (r < cy);
+ r += b;
+ cy += (r < b);
+ rp[i] = r;
+ }
+ return cy;
+}
+
+mp_limb_t
+mpn_add (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn)
+{
+ mp_limb_t cy;
+
+ assert (an >= bn);
+
+ cy = mpn_add_n (rp, ap, bp, bn);
+ if (an > bn)
+ cy = mpn_add_1 (rp + bn, ap + bn, an - bn, cy);
+ return cy;
+}
+
+mp_limb_t
+mpn_sub_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b)
+{
+ mp_size_t i;
+
+ assert (n > 0);
+
+ i = 0;
+ do
+ {
+ mp_limb_t a = ap[i];
+ /* Carry out */
+ mp_limb_t cy = a < b;;
+ rp[i] = a - b;
+ b = cy;
+ }
+ while (++i < n);
+
+ return b;
+}
+
+mp_limb_t
+mpn_sub_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n)
+{
+ mp_size_t i;
+ mp_limb_t cy;
+
+ for (i = 0, cy = 0; i < n; i++)
+ {
+ mp_limb_t a, b;
+ a = ap[i]; b = bp[i];
+ b += cy;
+ cy = (b < cy);
+ cy += (a < b);
+ rp[i] = a - b;
+ }
+ return cy;
+}
+
+mp_limb_t
+mpn_sub (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn)
+{
+ mp_limb_t cy;
+
+ assert (an >= bn);
+
+ cy = mpn_sub_n (rp, ap, bp, bn);
+ if (an > bn)
+ cy = mpn_sub_1 (rp + bn, ap + bn, an - bn, cy);
+ return cy;
+}
+
+mp_limb_t
+mpn_mul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl)
+{
+ mp_limb_t ul, cl, hpl, lpl;
+
+ assert (n >= 1);
+
+ cl = 0;
+ do
+ {
+ ul = *up++;
+ gmp_umul_ppmm (hpl, lpl, ul, vl);
+
+ lpl += cl;
+ cl = (lpl < cl) + hpl;
+
+ *rp++ = lpl;
+ }
+ while (--n != 0);
+
+ return cl;
+}
+
+mp_limb_t
+mpn_addmul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl)
+{
+ mp_limb_t ul, cl, hpl, lpl, rl;
+
+ assert (n >= 1);
+
+ cl = 0;
+ do
+ {
+ ul = *up++;
+ gmp_umul_ppmm (hpl, lpl, ul, vl);
+
+ lpl += cl;
+ cl = (lpl < cl) + hpl;
+
+ rl = *rp;
+ lpl = rl + lpl;
+ cl += lpl < rl;
+ *rp++ = lpl;
+ }
+ while (--n != 0);
+
+ return cl;
+}
+
+mp_limb_t
+mpn_submul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl)
+{
+ mp_limb_t ul, cl, hpl, lpl, rl;
+
+ assert (n >= 1);
+
+ cl = 0;
+ do
+ {
+ ul = *up++;
+ gmp_umul_ppmm (hpl, lpl, ul, vl);
+
+ lpl += cl;
+ cl = (lpl < cl) + hpl;
+
+ rl = *rp;
+ lpl = rl - lpl;
+ cl += lpl > rl;
+ *rp++ = lpl;
+ }
+ while (--n != 0);
+
+ return cl;
+}
+
+mp_limb_t
+mpn_mul (mp_ptr rp, mp_srcptr up, mp_size_t un, mp_srcptr vp, mp_size_t vn)
+{
+ assert (un >= vn);
+ assert (vn >= 1);
+
+ /* We first multiply by the low order limb. This result can be
+ stored, not added, to rp. We also avoid a loop for zeroing this
+ way. */
+
+ rp[un] = mpn_mul_1 (rp, up, un, vp[0]);
+ rp += 1, vp += 1, vn -= 1;
+
+ /* Now accumulate the product of up[] and the next higher limb from
+ vp[]. */
+
+ while (vn >= 1)
+ {
+ rp[un] = mpn_addmul_1 (rp, up, un, vp[0]);
+ rp += 1, vp += 1, vn -= 1;
+ }
+ return rp[un - 1];
+}
+
+void
+mpn_mul_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n)
+{
+ mpn_mul (rp, ap, n, bp, n);
+}
+
+void
+mpn_sqr (mp_ptr rp, mp_srcptr ap, mp_size_t n)
+{
+ mpn_mul (rp, ap, n, ap, n);
+}
+
+mp_limb_t
+mpn_lshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt)
+{
+ mp_limb_t high_limb, low_limb;
+ unsigned int tnc;
+ mp_size_t i;
+ mp_limb_t retval;
+
+ assert (n >= 1);
+ assert (cnt >= 1);
+ assert (cnt < GMP_LIMB_BITS);
+
+ up += n;
+ rp += n;
+
+ tnc = GMP_LIMB_BITS - cnt;
+ low_limb = *--up;
+ retval = low_limb >> tnc;
+ high_limb = (low_limb << cnt);
+
+ for (i = n; --i != 0;)
+ {
+ low_limb = *--up;
+ *--rp = high_limb | (low_limb >> tnc);
+ high_limb = (low_limb << cnt);
+ }
+ *--rp = high_limb;
+
+ return retval;
+}
+
+mp_limb_t
+mpn_rshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt)
+{
+ mp_limb_t high_limb, low_limb;
+ unsigned int tnc;
+ mp_size_t i;
+ mp_limb_t retval;
+
+ assert (n >= 1);
+ assert (cnt >= 1);
+ assert (cnt < GMP_LIMB_BITS);
+
+ tnc = GMP_LIMB_BITS - cnt;
+ high_limb = *up++;
+ retval = (high_limb << tnc);
+ low_limb = high_limb >> cnt;
+
+ for (i = n; --i != 0;)
+ {
+ high_limb = *up++;
+ *rp++ = low_limb | (high_limb << tnc);
+ low_limb = high_limb >> cnt;
+ }
+ *rp = low_limb;
+
+ return retval;
+}
+
+static mp_bitcnt_t
+mpn_common_scan (mp_limb_t limb, mp_size_t i, mp_srcptr up, mp_size_t un,
+ mp_limb_t ux)
+{
+ unsigned cnt;
+
+ assert (ux == 0 || ux == GMP_LIMB_MAX);
+ assert (0 <= i && i <= un );
+
+ while (limb == 0)
+ {
+ i++;
+ if (i == un)
+ return (ux == 0 ? ~(mp_bitcnt_t) 0 : un * GMP_LIMB_BITS);
+ limb = ux ^ up[i];
+ }
+ gmp_ctz (cnt, limb);
+ return (mp_bitcnt_t) i * GMP_LIMB_BITS + cnt;
+}
+
+mp_bitcnt_t
+mpn_scan1 (mp_srcptr ptr, mp_bitcnt_t bit)
+{
+ mp_size_t i;
+ i = bit / GMP_LIMB_BITS;
+
+ return mpn_common_scan ( ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)),
+ i, ptr, i, 0);
+}
+
+mp_bitcnt_t
+mpn_scan0 (mp_srcptr ptr, mp_bitcnt_t bit)
+{
+ mp_size_t i;
+ i = bit / GMP_LIMB_BITS;
+
+ return mpn_common_scan (~ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)),
+ i, ptr, i, GMP_LIMB_MAX);
+}
+
+
+/* MPN division interface. */
+mp_limb_t
+mpn_invert_3by2 (mp_limb_t u1, mp_limb_t u0)
+{
+ mp_limb_t r, p, m;
+ unsigned ul, uh;
+ unsigned ql, qh;
+
+ /* First, do a 2/1 inverse. */
+ /* The inverse m is defined as floor( (B^2 - 1 - u1)/u1 ), so that 0 <
+ * B^2 - (B + m) u1 <= u1 */
+ assert (u1 >= GMP_LIMB_HIGHBIT);
+
+ ul = u1 & GMP_LLIMB_MASK;
+ uh = u1 >> (GMP_LIMB_BITS / 2);
+
+ qh = ~u1 / uh;
+ r = ((~u1 - (mp_limb_t) qh * uh) << (GMP_LIMB_BITS / 2)) | GMP_LLIMB_MASK;
+
+ p = (mp_limb_t) qh * ul;
+ /* Adjustment steps taken from udiv_qrnnd_c */
+ if (r < p)
+ {
+ qh--;
+ r += u1;
+ if (r >= u1) /* i.e. we didn't get carry when adding to r */
+ if (r < p)
+ {
+ qh--;
+ r += u1;
+ }
+ }
+ r -= p;
+
+ /* Do a 3/2 division (with half limb size) */
+ p = (r >> (GMP_LIMB_BITS / 2)) * qh + r;
+ ql = (p >> (GMP_LIMB_BITS / 2)) + 1;
+
+ /* By the 3/2 method, we don't need the high half limb. */
+ r = (r << (GMP_LIMB_BITS / 2)) + GMP_LLIMB_MASK - ql * u1;
+
+ if (r >= (p << (GMP_LIMB_BITS / 2)))
+ {
+ ql--;
+ r += u1;
+ }
+ m = ((mp_limb_t) qh << (GMP_LIMB_BITS / 2)) + ql;
+ if (r >= u1)
+ {
+ m++;
+ r -= u1;
+ }
+
+ if (u0 > 0)
+ {
+ mp_limb_t th, tl;
+ r = ~r;
+ r += u0;
+ if (r < u0)
+ {
+ m--;
+ if (r >= u1)
+ {
+ m--;
+ r -= u1;
+ }
+ r -= u1;
+ }
+ gmp_umul_ppmm (th, tl, u0, m);
+ r += th;
+ if (r < th)
+ {
+ m--;
+ m -= ((r > u1) | ((r == u1) & (tl > u0)));
+ }
+ }
+
+ return m;
+}
+
+struct gmp_div_inverse
+{
+ /* Normalization shift count. */
+ unsigned shift;
+ /* Normalized divisor (d0 unused for mpn_div_qr_1) */
+ mp_limb_t d1, d0;
+ /* Inverse, for 2/1 or 3/2. */
+ mp_limb_t di;
+};
+
+static void
+mpn_div_qr_1_invert (struct gmp_div_inverse *inv, mp_limb_t d)
+{
+ unsigned shift;
+
+ assert (d > 0);
+ gmp_clz (shift, d);
+ inv->shift = shift;
+ inv->d1 = d << shift;
+ inv->di = mpn_invert_limb (inv->d1);
+}
+
+static void
+mpn_div_qr_2_invert (struct gmp_div_inverse *inv,
+ mp_limb_t d1, mp_limb_t d0)
+{
+ unsigned shift;
+
+ assert (d1 > 0);
+ gmp_clz (shift, d1);
+ inv->shift = shift;
+ if (shift > 0)
+ {
+ d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift));
+ d0 <<= shift;
+ }
+ inv->d1 = d1;
+ inv->d0 = d0;
+ inv->di = mpn_invert_3by2 (d1, d0);
+}
+
+static void
+mpn_div_qr_invert (struct gmp_div_inverse *inv,
+ mp_srcptr dp, mp_size_t dn)
+{
+ assert (dn > 0);
+
+ if (dn == 1)
+ mpn_div_qr_1_invert (inv, dp[0]);
+ else if (dn == 2)
+ mpn_div_qr_2_invert (inv, dp[1], dp[0]);
+ else
+ {
+ unsigned shift;
+ mp_limb_t d1, d0;
+
+ d1 = dp[dn-1];
+ d0 = dp[dn-2];
+ assert (d1 > 0);
+ gmp_clz (shift, d1);
+ inv->shift = shift;
+ if (shift > 0)
+ {
+ d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift));
+ d0 = (d0 << shift) | (dp[dn-3] >> (GMP_LIMB_BITS - shift));
+ }
+ inv->d1 = d1;
+ inv->d0 = d0;
+ inv->di = mpn_invert_3by2 (d1, d0);
+ }
+}
+
+/* Not matching current public gmp interface, rather corresponding to
+ the sbpi1_div_* functions. */
+static mp_limb_t
+mpn_div_qr_1_preinv (mp_ptr qp, mp_srcptr np, mp_size_t nn,
+ const struct gmp_div_inverse *inv)
+{
+ mp_limb_t d, di;
+ mp_limb_t r;
+ mp_ptr tp = NULL;
+
+ if (inv->shift > 0)
+ {
+ tp = gmp_xalloc_limbs (nn);
+ r = mpn_lshift (tp, np, nn, inv->shift);
+ np = tp;
+ }
+ else
+ r = 0;
+
+ d = inv->d1;
+ di = inv->di;
+ while (nn-- > 0)
+ {
+ mp_limb_t q;
+
+ gmp_udiv_qrnnd_preinv (q, r, r, np[nn], d, di);
+ if (qp)
+ qp[nn] = q;
+ }
+ if (inv->shift > 0)
+ gmp_free (tp);
+
+ return r >> inv->shift;
+}
+
+static mp_limb_t
+mpn_div_qr_1 (mp_ptr qp, mp_srcptr np, mp_size_t nn, mp_limb_t d)
+{
+ assert (d > 0);
+
+ /* Special case for powers of two. */
+ if ((d & (d-1)) == 0)
+ {
+ mp_limb_t r = np[0] & (d-1);
+ if (qp)
+ {
+ if (d <= 1)
+ mpn_copyi (qp, np, nn);
+ else
+ {
+ unsigned shift;
+ gmp_ctz (shift, d);
+ mpn_rshift (qp, np, nn, shift);
+ }
+ }
+ return r;
+ }
+ else
+ {
+ struct gmp_div_inverse inv;
+ mpn_div_qr_1_invert (&inv, d);
+ return mpn_div_qr_1_preinv (qp, np, nn, &inv);
+ }
+}
+
+static void
+mpn_div_qr_2_preinv (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn,
+ const struct gmp_div_inverse *inv)
+{
+ unsigned shift;
+ mp_size_t i;
+ mp_limb_t d1, d0, di, r1, r0;
+ mp_ptr tp;
+
+ assert (nn >= 2);
+ shift = inv->shift;
+ d1 = inv->d1;
+ d0 = inv->d0;
+ di = inv->di;
+
+ if (shift > 0)
+ {
+ tp = gmp_xalloc_limbs (nn);
+ r1 = mpn_lshift (tp, np, nn, shift);
+ np = tp;
+ }
+ else
+ r1 = 0;
+
+ r0 = np[nn - 1];
+
+ i = nn - 2;
+ do
+ {
+ mp_limb_t n0, q;
+ n0 = np[i];
+ gmp_udiv_qr_3by2 (q, r1, r0, r1, r0, n0, d1, d0, di);
+
+ if (qp)
+ qp[i] = q;
+ }
+ while (--i >= 0);
+
+ if (shift > 0)
+ {
+ assert ((r0 << (GMP_LIMB_BITS - shift)) == 0);
+ r0 = (r0 >> shift) | (r1 << (GMP_LIMB_BITS - shift));
+ r1 >>= shift;
+
+ gmp_free (tp);
+ }
+
+ rp[1] = r1;
+ rp[0] = r0;
+}
+
+#if 0
+static void
+mpn_div_qr_2 (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn,
+ mp_limb_t d1, mp_limb_t d0)
+{
+ struct gmp_div_inverse inv;
+ assert (nn >= 2);
+
+ mpn_div_qr_2_invert (&inv, d1, d0);
+ mpn_div_qr_2_preinv (qp, rp, np, nn, &inv);
+}
+#endif
+
+static void
+mpn_div_qr_pi1 (mp_ptr qp,
+ mp_ptr np, mp_size_t nn, mp_limb_t n1,
+ mp_srcptr dp, mp_size_t dn,
+ mp_limb_t dinv)
+{
+ mp_size_t i;
+
+ mp_limb_t d1, d0;
+ mp_limb_t cy, cy1;
+ mp_limb_t q;
+
+ assert (dn > 2);
+ assert (nn >= dn);
+
+ d1 = dp[dn - 1];
+ d0 = dp[dn - 2];
+
+ assert ((d1 & GMP_LIMB_HIGHBIT) != 0);
+ /* Iteration variable is the index of the q limb.
+ *
+ * We divide <n1, np[dn-1+i], np[dn-2+i], np[dn-3+i],..., np[i]>
+ * by <d1, d0, dp[dn-3], ..., dp[0] >
+ */
+
+ i = nn - dn;
+ do
+ {
+ mp_limb_t n0 = np[dn-1+i];
+
+ if (n1 == d1 && n0 == d0)
+ {
+ q = GMP_LIMB_MAX;
+ mpn_submul_1 (np+i, dp, dn, q);
+ n1 = np[dn-1+i]; /* update n1, last loop's value will now be invalid */
+ }
+ else
+ {
+ gmp_udiv_qr_3by2 (q, n1, n0, n1, n0, np[dn-2+i], d1, d0, dinv);
+
+ cy = mpn_submul_1 (np + i, dp, dn-2, q);
+
+ cy1 = n0 < cy;
+ n0 = n0 - cy;
+ cy = n1 < cy1;
+ n1 = n1 - cy1;
+ np[dn-2+i] = n0;
+
+ if (cy != 0)
+ {
+ n1 += d1 + mpn_add_n (np + i, np + i, dp, dn - 1);
+ q--;
+ }
+ }
+
+ if (qp)
+ qp[i] = q;
+ }
+ while (--i >= 0);
+
+ np[dn - 1] = n1;
+}
+
+static void
+mpn_div_qr_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn,
+ mp_srcptr dp, mp_size_t dn,
+ const struct gmp_div_inverse *inv)
+{
+ assert (dn > 0);
+ assert (nn >= dn);
+
+ if (dn == 1)
+ np[0] = mpn_div_qr_1_preinv (qp, np, nn, inv);
+ else if (dn == 2)
+ mpn_div_qr_2_preinv (qp, np, np, nn, inv);
+ else
+ {
+ mp_limb_t nh;
+ unsigned shift;
+
+ assert (inv->d1 == dp[dn-1]);
+ assert (inv->d0 == dp[dn-2]);
+ assert ((inv->d1 & GMP_LIMB_HIGHBIT) != 0);
+
+ shift = inv->shift;
+ if (shift > 0)
+ nh = mpn_lshift (np, np, nn, shift);
+ else
+ nh = 0;
+
+ mpn_div_qr_pi1 (qp, np, nn, nh, dp, dn, inv->di);
+
+ if (shift > 0)
+ gmp_assert_nocarry (mpn_rshift (np, np, dn, shift));
+ }
+}
+
+static void
+mpn_div_qr (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_srcptr dp, mp_size_t dn)
+{
+ struct gmp_div_inverse inv;
+ mp_ptr tp = NULL;
+
+ assert (dn > 0);
+ assert (nn >= dn);
+
+ mpn_div_qr_invert (&inv, dp, dn);
+ if (dn > 2 && inv.shift > 0)
+ {
+ tp = gmp_xalloc_limbs (dn);
+ gmp_assert_nocarry (mpn_lshift (tp, dp, dn, inv.shift));
+ dp = tp;
+ }
+ mpn_div_qr_preinv (qp, np, nn, dp, dn, &inv);
+ if (tp)
+ gmp_free (tp);
+}
+
+
+/* MPN base conversion. */
+static unsigned
+mpn_base_power_of_two_p (unsigned b)
+{
+ switch (b)
+ {
+ case 2: return 1;
+ case 4: return 2;
+ case 8: return 3;
+ case 16: return 4;
+ case 32: return 5;
+ case 64: return 6;
+ case 128: return 7;
+ case 256: return 8;
+ default: return 0;
+ }
+}
+
+struct mpn_base_info
+{
+ /* bb is the largest power of the base which fits in one limb, and
+ exp is the corresponding exponent. */
+ unsigned exp;
+ mp_limb_t bb;
+};
+
+static void
+mpn_get_base_info (struct mpn_base_info *info, mp_limb_t b)
+{
+ mp_limb_t m;
+ mp_limb_t p;
+ unsigned exp;
+
+ m = GMP_LIMB_MAX / b;
+ for (exp = 1, p = b; p <= m; exp++)
+ p *= b;
+
+ info->exp = exp;
+ info->bb = p;
+}
+
+static mp_bitcnt_t
+mpn_limb_size_in_base_2 (mp_limb_t u)
+{
+ unsigned shift;
+
+ assert (u > 0);
+ gmp_clz (shift, u);
+ return GMP_LIMB_BITS - shift;
+}
+
+static size_t
+mpn_get_str_bits (unsigned char *sp, unsigned bits, mp_srcptr up, mp_size_t un)
+{
+ unsigned char mask;
+ size_t sn, j;
+ mp_size_t i;
+ int shift;
+
+ sn = ((un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1])
+ + bits - 1) / bits;
+
+ mask = (1U << bits) - 1;
+
+ for (i = 0, j = sn, shift = 0; j-- > 0;)
+ {
+ unsigned char digit = up[i] >> shift;
+
+ shift += bits;
+
+ if (shift >= GMP_LIMB_BITS && ++i < un)
+ {
+ shift -= GMP_LIMB_BITS;
+ digit |= up[i] << (bits - shift);
+ }
+ sp[j] = digit & mask;
+ }
+ return sn;
+}
+
+/* We generate digits from the least significant end, and reverse at
+ the end. */
+static size_t
+mpn_limb_get_str (unsigned char *sp, mp_limb_t w,
+ const struct gmp_div_inverse *binv)
+{
+ mp_size_t i;
+ for (i = 0; w > 0; i++)
+ {
+ mp_limb_t h, l, r;
+
+ h = w >> (GMP_LIMB_BITS - binv->shift);
+ l = w << binv->shift;
+
+ gmp_udiv_qrnnd_preinv (w, r, h, l, binv->d1, binv->di);
+ assert ( (r << (GMP_LIMB_BITS - binv->shift)) == 0);
+ r >>= binv->shift;
+
+ sp[i] = r;
+ }
+ return i;
+}
+
+static size_t
+mpn_get_str_other (unsigned char *sp,
+ int base, const struct mpn_base_info *info,
+ mp_ptr up, mp_size_t un)
+{
+ struct gmp_div_inverse binv;
+ size_t sn;
+ size_t i;
+
+ mpn_div_qr_1_invert (&binv, base);
+
+ sn = 0;
+
+ if (un > 1)
+ {
+ struct gmp_div_inverse bbinv;
+ mpn_div_qr_1_invert (&bbinv, info->bb);
+
+ do
+ {
+ mp_limb_t w;
+ size_t done;
+ w = mpn_div_qr_1_preinv (up, up, un, &bbinv);
+ un -= (up[un-1] == 0);
+ done = mpn_limb_get_str (sp + sn, w, &binv);
+
+ for (sn += done; done < info->exp; done++)
+ sp[sn++] = 0;
+ }
+ while (un > 1);
+ }
+ sn += mpn_limb_get_str (sp + sn, up[0], &binv);
+
+ /* Reverse order */
+ for (i = 0; 2*i + 1 < sn; i++)
+ {
+ unsigned char t = sp[i];
+ sp[i] = sp[sn - i - 1];
+ sp[sn - i - 1] = t;
+ }
+
+ return sn;
+}
+
+size_t
+mpn_get_str (unsigned char *sp, int base, mp_ptr up, mp_size_t un)
+{
+ unsigned bits;
+
+ assert (un > 0);
+ assert (up[un-1] > 0);
+
+ bits = mpn_base_power_of_two_p (base);
+ if (bits)
+ return mpn_get_str_bits (sp, bits, up, un);
+ else
+ {
+ struct mpn_base_info info;
+
+ mpn_get_base_info (&info, base);
+ return mpn_get_str_other (sp, base, &info, up, un);
+ }
+}
+
+static mp_size_t
+mpn_set_str_bits (mp_ptr rp, const unsigned char *sp, size_t sn,
+ unsigned bits)
+{
+ mp_size_t rn;
+ size_t j;
+ unsigned shift;
+
+ for (j = sn, rn = 0, shift = 0; j-- > 0; )
+ {
+ if (shift == 0)
+ {
+ rp[rn++] = sp[j];
+ shift += bits;
+ }
+ else
+ {
+ rp[rn-1] |= (mp_limb_t) sp[j] << shift;
+ shift += bits;
+ if (shift >= GMP_LIMB_BITS)
+ {
+ shift -= GMP_LIMB_BITS;
+ if (shift > 0)
+ rp[rn++] = (mp_limb_t) sp[j] >> (bits - shift);
+ }
+ }
+ }
+ rn = mpn_normalized_size (rp, rn);
+ return rn;
+}
+
+static mp_size_t
+mpn_set_str_other (mp_ptr rp, const unsigned char *sp, size_t sn,
+ mp_limb_t b, const struct mpn_base_info *info)
+{
+ mp_size_t rn;
+ mp_limb_t w;
+ unsigned k;
+ size_t j;
+
+ k = 1 + (sn - 1) % info->exp;
+
+ j = 0;
+ w = sp[j++];
+ for (; --k > 0; )
+ w = w * b + sp[j++];
+
+ rp[0] = w;
+
+ for (rn = (w > 0); j < sn;)
+ {
+ mp_limb_t cy;
+
+ w = sp[j++];
+ for (k = 1; k < info->exp; k++)
+ w = w * b + sp[j++];
+
+ cy = mpn_mul_1 (rp, rp, rn, info->bb);
+ cy += mpn_add_1 (rp, rp, rn, w);
+ if (cy > 0)
+ rp[rn++] = cy;
+ }
+ assert (j == sn);
+
+ return rn;
+}
+
+mp_size_t
+mpn_set_str (mp_ptr rp, const unsigned char *sp, size_t sn, int base)
+{
+ unsigned bits;
+
+ if (sn == 0)
+ return 0;
+
+ bits = mpn_base_power_of_two_p (base);
+ if (bits)
+ return mpn_set_str_bits (rp, sp, sn, bits);
+ else
+ {
+ struct mpn_base_info info;
+
+ mpn_get_base_info (&info, base);
+ return mpn_set_str_other (rp, sp, sn, base, &info);
+ }
+}
+
+
+/* MPZ interface */
+void
+mpz_init (mpz_t r)
+{
+ r->_mp_alloc = 1;
+ r->_mp_size = 0;
+ r->_mp_d = gmp_xalloc_limbs (1);
+}
+
+/* The utility of this function is a bit limited, since many functions
+ assigns the result variable using mpz_swap. */
+void
+mpz_init2 (mpz_t r, mp_bitcnt_t bits)
+{
+ mp_size_t rn;
+
+ bits -= (bits != 0); /* Round down, except if 0 */
+ rn = 1 + bits / GMP_LIMB_BITS;
+
+ r->_mp_alloc = rn;
+ r->_mp_size = 0;
+ r->_mp_d = gmp_xalloc_limbs (rn);
+}
+
+void
+mpz_clear (mpz_t r)
+{
+ gmp_free (r->_mp_d);
+}
+
+static void *
+mpz_realloc (mpz_t r, mp_size_t size)
+{
+ size = GMP_MAX (size, 1);
+
+ r->_mp_d = gmp_xrealloc_limbs (r->_mp_d, size);
+ r->_mp_alloc = size;
+
+ if (GMP_ABS (r->_mp_size) > size)
+ r->_mp_size = 0;
+
+ return r->_mp_d;
+}
+
+/* Realloc for an mpz_t WHAT if it has less than NEEDED limbs. */
+#define MPZ_REALLOC(z,n) ((n) > (z)->_mp_alloc \
+ ? mpz_realloc(z,n) \
+ : (z)->_mp_d)
+
+/* MPZ assignment and basic conversions. */
+void
+mpz_set_si (mpz_t r, signed long int x)
+{
+ if (x >= 0)
+ mpz_set_ui (r, x);
+ else /* (x < 0) */
+ {
+ r->_mp_size = -1;
+ r->_mp_d[0] = GMP_NEG_CAST (unsigned long int, x);
+ }
+}
+
+void
+mpz_set_ui (mpz_t r, unsigned long int x)
+{
+ if (x > 0)
+ {
+ r->_mp_size = 1;
+ r->_mp_d[0] = x;
+ }
+ else
+ r->_mp_size = 0;
+}
+
+void
+mpz_set (mpz_t r, const mpz_t x)
+{
+ /* Allow the NOP r == x */
+ if (r != x)
+ {
+ mp_size_t n;
+ mp_ptr rp;
+
+ n = GMP_ABS (x->_mp_size);
+ rp = MPZ_REALLOC (r, n);
+
+ mpn_copyi (rp, x->_mp_d, n);
+ r->_mp_size = x->_mp_size;
+ }
+}
+
+void
+mpz_init_set_si (mpz_t r, signed long int x)
+{
+ mpz_init (r);
+ mpz_set_si (r, x);
+}
+
+void
+mpz_init_set_ui (mpz_t r, unsigned long int x)
+{
+ mpz_init (r);
+ mpz_set_ui (r, x);
+}
+
+void
+mpz_init_set (mpz_t r, const mpz_t x)
+{
+ mpz_init (r);
+ mpz_set (r, x);
+}
+
+int
+mpz_fits_slong_p (const mpz_t u)
+{
+ mp_size_t us = u->_mp_size;
+
+ if (us == 0)
+ return 1;
+ else if (us == 1)
+ return u->_mp_d[0] < GMP_LIMB_HIGHBIT;
+ else if (us == -1)
+ return u->_mp_d[0] <= GMP_LIMB_HIGHBIT;
+ else
+ return 0;
+}
+
+int
+mpz_fits_ulong_p (const mpz_t u)
+{
+ mp_size_t us = u->_mp_size;
+
+ return (us == (us > 0));
+}
+
+long int
+mpz_get_si (const mpz_t u)
+{
+ mp_size_t us = u->_mp_size;
+
+ if (us > 0)
+ return (long) (u->_mp_d[0] & ~GMP_LIMB_HIGHBIT);
+ else if (us < 0)
+ return (long) (- u->_mp_d[0] | GMP_LIMB_HIGHBIT);
+ else
+ return 0;
+}
+
+unsigned long int
+mpz_get_ui (const mpz_t u)
+{
+ return u->_mp_size == 0 ? 0 : u->_mp_d[0];
+}
+
+size_t
+mpz_size (const mpz_t u)
+{
+ return GMP_ABS (u->_mp_size);
+}
+
+mp_limb_t
+mpz_getlimbn (const mpz_t u, mp_size_t n)
+{
+ if (n >= 0 && n < GMP_ABS (u->_mp_size))
+ return u->_mp_d[n];
+ else
+ return 0;
+}
+
+void
+mpz_realloc2 (mpz_t x, mp_bitcnt_t n)
+{
+ mpz_realloc (x, 1 + (n - (n != 0)) / GMP_LIMB_BITS);
+}
+
+mp_srcptr
+mpz_limbs_read (mpz_srcptr x)
+{
+ return x->_mp_d;;
+}
+
+mp_ptr
+mpz_limbs_modify (mpz_t x, mp_size_t n)
+{
+ assert (n > 0);
+ return MPZ_REALLOC (x, n);
+}
+
+mp_ptr
+mpz_limbs_write (mpz_t x, mp_size_t n)
+{
+ return mpz_limbs_modify (x, n);
+}
+
+void
+mpz_limbs_finish (mpz_t x, mp_size_t xs)
+{
+ mp_size_t xn;
+ xn = mpn_normalized_size (x->_mp_d, GMP_ABS (xs));
+ x->_mp_size = xs < 0 ? -xn : xn;
+}
+
+mpz_srcptr
+mpz_roinit_n (mpz_t x, mp_srcptr xp, mp_size_t xs)
+{
+ x->_mp_alloc = 0;
+ x->_mp_d = (mp_ptr) xp;
+ mpz_limbs_finish (x, xs);
+ return x;
+}
+
+
+/* Conversions and comparison to double. */
+void
+mpz_set_d (mpz_t r, double x)
+{
+ int sign;
+ mp_ptr rp;
+ mp_size_t rn, i;
+ double B;
+ double Bi;
+ mp_limb_t f;
+
+ /* x != x is true when x is a NaN, and x == x * 0.5 is true when x is
+ zero or infinity. */
+ if (x != x || x == x * 0.5)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ sign = x < 0.0 ;
+ if (sign)
+ x = - x;
+
+ if (x < 1.0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+ B = 2.0 * (double) GMP_LIMB_HIGHBIT;
+ Bi = 1.0 / B;
+ for (rn = 1; x >= B; rn++)
+ x *= Bi;
+
+ rp = MPZ_REALLOC (r, rn);
+
+ f = (mp_limb_t) x;
+ x -= f;
+ assert (x < 1.0);
+ i = rn-1;
+ rp[i] = f;
+ while (--i >= 0)
+ {
+ x = B * x;
+ f = (mp_limb_t) x;
+ x -= f;
+ assert (x < 1.0);
+ rp[i] = f;
+ }
+
+ r->_mp_size = sign ? - rn : rn;
+}
+
+void
+mpz_init_set_d (mpz_t r, double x)
+{
+ mpz_init (r);
+ mpz_set_d (r, x);
+}
+
+double
+mpz_get_d (const mpz_t u)
+{
+ mp_size_t un;
+ double x;
+ double B = 2.0 * (double) GMP_LIMB_HIGHBIT;
+
+ un = GMP_ABS (u->_mp_size);
+
+ if (un == 0)
+ return 0.0;
+
+ x = u->_mp_d[--un];
+ while (un > 0)
+ x = B*x + u->_mp_d[--un];
+
+ if (u->_mp_size < 0)
+ x = -x;
+
+ return x;
+}
+
+int
+mpz_cmpabs_d (const mpz_t x, double d)
+{
+ mp_size_t xn;
+ double B, Bi;
+ mp_size_t i;
+
+ xn = x->_mp_size;
+ d = GMP_ABS (d);
+
+ if (xn != 0)
+ {
+ xn = GMP_ABS (xn);
+
+ B = 2.0 * (double) GMP_LIMB_HIGHBIT;
+ Bi = 1.0 / B;
+
+ /* Scale d so it can be compared with the top limb. */
+ for (i = 1; i < xn; i++)
+ d *= Bi;
+
+ if (d >= B)
+ return -1;
+
+ /* Compare floor(d) to top limb, subtract and cancel when equal. */
+ for (i = xn; i-- > 0;)
+ {
+ mp_limb_t f, xl;
+
+ f = (mp_limb_t) d;
+ xl = x->_mp_d[i];
+ if (xl > f)
+ return 1;
+ else if (xl < f)
+ return -1;
+ d = B * (d - f);
+ }
+ }
+ return - (d > 0.0);
+}
+
+int
+mpz_cmp_d (const mpz_t x, double d)
+{
+ if (x->_mp_size < 0)
+ {
+ if (d >= 0.0)
+ return -1;
+ else
+ return -mpz_cmpabs_d (x, d);
+ }
+ else
+ {
+ if (d < 0.0)
+ return 1;
+ else
+ return mpz_cmpabs_d (x, d);
+ }
+}
+
+
+/* MPZ comparisons and the like. */
+int
+mpz_sgn (const mpz_t u)
+{
+ mp_size_t usize = u->_mp_size;
+
+ return (usize > 0) - (usize < 0);
+}
+
+int
+mpz_cmp_si (const mpz_t u, long v)
+{
+ mp_size_t usize = u->_mp_size;
+
+ if (usize < -1)
+ return -1;
+ else if (v >= 0)
+ return mpz_cmp_ui (u, v);
+ else if (usize >= 0)
+ return 1;
+ else /* usize == -1 */
+ {
+ mp_limb_t ul = u->_mp_d[0];
+ if ((mp_limb_t)GMP_NEG_CAST (unsigned long int, v) < ul)
+ return -1;
+ else
+ return (mp_limb_t)GMP_NEG_CAST (unsigned long int, v) > ul;
+ }
+}
+
+int
+mpz_cmp_ui (const mpz_t u, unsigned long v)
+{
+ mp_size_t usize = u->_mp_size;
+
+ if (usize > 1)
+ return 1;
+ else if (usize < 0)
+ return -1;
+ else
+ {
+ mp_limb_t ul = (usize > 0) ? u->_mp_d[0] : 0;
+ return (ul > v) - (ul < v);
+ }
+}
+
+int
+mpz_cmp (const mpz_t a, const mpz_t b)
+{
+ mp_size_t asize = a->_mp_size;
+ mp_size_t bsize = b->_mp_size;
+
+ if (asize != bsize)
+ return (asize < bsize) ? -1 : 1;
+ else if (asize >= 0)
+ return mpn_cmp (a->_mp_d, b->_mp_d, asize);
+ else
+ return mpn_cmp (b->_mp_d, a->_mp_d, -asize);
+}
+
+int
+mpz_cmpabs_ui (const mpz_t u, unsigned long v)
+{
+ mp_size_t un = GMP_ABS (u->_mp_size);
+ mp_limb_t ul;
+
+ if (un > 1)
+ return 1;
+
+ ul = (un == 1) ? u->_mp_d[0] : 0;
+
+ return (ul > v) - (ul < v);
+}
+
+int
+mpz_cmpabs (const mpz_t u, const mpz_t v)
+{
+ return mpn_cmp4 (u->_mp_d, GMP_ABS (u->_mp_size),
+ v->_mp_d, GMP_ABS (v->_mp_size));
+}
+
+void
+mpz_abs (mpz_t r, const mpz_t u)
+{
+ if (r != u)
+ mpz_set (r, u);
+
+ r->_mp_size = GMP_ABS (r->_mp_size);
+}
+
+void
+mpz_neg (mpz_t r, const mpz_t u)
+{
+ if (r != u)
+ mpz_set (r, u);
+
+ r->_mp_size = -r->_mp_size;
+}
+
+void
+mpz_swap (mpz_t u, mpz_t v)
+{
+ MP_SIZE_T_SWAP (u->_mp_size, v->_mp_size);
+ MP_SIZE_T_SWAP (u->_mp_alloc, v->_mp_alloc);
+ MP_PTR_SWAP (u->_mp_d, v->_mp_d);
+}
+
+
+/* MPZ addition and subtraction */
+
+/* Adds to the absolute value. Returns new size, but doesn't store it. */
+static mp_size_t
+mpz_abs_add_ui (mpz_t r, const mpz_t a, unsigned long b)
+{
+ mp_size_t an;
+ mp_ptr rp;
+ mp_limb_t cy;
+
+ an = GMP_ABS (a->_mp_size);
+ if (an == 0)
+ {
+ r->_mp_d[0] = b;
+ return b > 0;
+ }
+
+ rp = MPZ_REALLOC (r, an + 1);
+
+ cy = mpn_add_1 (rp, a->_mp_d, an, b);
+ rp[an] = cy;
+ an += cy;
+
+ return an;
+}
+
+/* Subtract from the absolute value. Returns new size, (or -1 on underflow),
+ but doesn't store it. */
+static mp_size_t
+mpz_abs_sub_ui (mpz_t r, const mpz_t a, unsigned long b)
+{
+ mp_size_t an = GMP_ABS (a->_mp_size);
+ mp_ptr rp = MPZ_REALLOC (r, an);
+
+ if (an == 0)
+ {
+ rp[0] = b;
+ return -(b > 0);
+ }
+ else if (an == 1 && a->_mp_d[0] < b)
+ {
+ rp[0] = b - a->_mp_d[0];
+ return -1;
+ }
+ else
+ {
+ gmp_assert_nocarry (mpn_sub_1 (rp, a->_mp_d, an, b));
+ return mpn_normalized_size (rp, an);
+ }
+}
+
+void
+mpz_add_ui (mpz_t r, const mpz_t a, unsigned long b)
+{
+ if (a->_mp_size >= 0)
+ r->_mp_size = mpz_abs_add_ui (r, a, b);
+ else
+ r->_mp_size = -mpz_abs_sub_ui (r, a, b);
+}
+
+void
+mpz_sub_ui (mpz_t r, const mpz_t a, unsigned long b)
+{
+ if (a->_mp_size < 0)
+ r->_mp_size = -mpz_abs_add_ui (r, a, b);
+ else
+ r->_mp_size = mpz_abs_sub_ui (r, a, b);
+}
+
+void
+mpz_ui_sub (mpz_t r, unsigned long a, const mpz_t b)
+{
+ if (b->_mp_size < 0)
+ r->_mp_size = mpz_abs_add_ui (r, b, a);
+ else
+ r->_mp_size = -mpz_abs_sub_ui (r, b, a);
+}
+
+static mp_size_t
+mpz_abs_add (mpz_t r, const mpz_t a, const mpz_t b)
+{
+ mp_size_t an = GMP_ABS (a->_mp_size);
+ mp_size_t bn = GMP_ABS (b->_mp_size);
+ mp_ptr rp;
+ mp_limb_t cy;
+
+ if (an < bn)
+ {
+ MPZ_SRCPTR_SWAP (a, b);
+ MP_SIZE_T_SWAP (an, bn);
+ }
+
+ rp = MPZ_REALLOC (r, an + 1);
+ cy = mpn_add (rp, a->_mp_d, an, b->_mp_d, bn);
+
+ rp[an] = cy;
+
+ return an + cy;
+}
+
+static mp_size_t
+mpz_abs_sub (mpz_t r, const mpz_t a, const mpz_t b)
+{
+ mp_size_t an = GMP_ABS (a->_mp_size);
+ mp_size_t bn = GMP_ABS (b->_mp_size);
+ int cmp;
+ mp_ptr rp;
+
+ cmp = mpn_cmp4 (a->_mp_d, an, b->_mp_d, bn);
+ if (cmp > 0)
+ {
+ rp = MPZ_REALLOC (r, an);
+ gmp_assert_nocarry (mpn_sub (rp, a->_mp_d, an, b->_mp_d, bn));
+ return mpn_normalized_size (rp, an);
+ }
+ else if (cmp < 0)
+ {
+ rp = MPZ_REALLOC (r, bn);
+ gmp_assert_nocarry (mpn_sub (rp, b->_mp_d, bn, a->_mp_d, an));
+ return -mpn_normalized_size (rp, bn);
+ }
+ else
+ return 0;
+}
+
+void
+mpz_add (mpz_t r, const mpz_t a, const mpz_t b)
+{
+ mp_size_t rn;
+
+ if ( (a->_mp_size ^ b->_mp_size) >= 0)
+ rn = mpz_abs_add (r, a, b);
+ else
+ rn = mpz_abs_sub (r, a, b);
+
+ r->_mp_size = a->_mp_size >= 0 ? rn : - rn;
+}
+
+void
+mpz_sub (mpz_t r, const mpz_t a, const mpz_t b)
+{
+ mp_size_t rn;
+
+ if ( (a->_mp_size ^ b->_mp_size) >= 0)
+ rn = mpz_abs_sub (r, a, b);
+ else
+ rn = mpz_abs_add (r, a, b);
+
+ r->_mp_size = a->_mp_size >= 0 ? rn : - rn;
+}
+
+
+/* MPZ multiplication */
+void
+mpz_mul_si (mpz_t r, const mpz_t u, long int v)
+{
+ if (v < 0)
+ {
+ mpz_mul_ui (r, u, GMP_NEG_CAST (unsigned long int, v));
+ mpz_neg (r, r);
+ }
+ else
+ mpz_mul_ui (r, u, (unsigned long int) v);
+}
+
+void
+mpz_mul_ui (mpz_t r, const mpz_t u, unsigned long int v)
+{
+ mp_size_t un, us;
+ mp_ptr tp;
+ mp_limb_t cy;
+
+ us = u->_mp_size;
+
+ if (us == 0 || v == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ un = GMP_ABS (us);
+
+ tp = MPZ_REALLOC (r, un + 1);
+ cy = mpn_mul_1 (tp, u->_mp_d, un, v);
+ tp[un] = cy;
+
+ un += (cy > 0);
+ r->_mp_size = (us < 0) ? - un : un;
+}
+
+void
+mpz_mul (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ int sign;
+ mp_size_t un, vn, rn;
+ mpz_t t;
+ mp_ptr tp;
+
+ un = u->_mp_size;
+ vn = v->_mp_size;
+
+ if (un == 0 || vn == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ sign = (un ^ vn) < 0;
+
+ un = GMP_ABS (un);
+ vn = GMP_ABS (vn);
+
+ mpz_init2 (t, (un + vn) * GMP_LIMB_BITS);
+
+ tp = t->_mp_d;
+ if (un >= vn)
+ mpn_mul (tp, u->_mp_d, un, v->_mp_d, vn);
+ else
+ mpn_mul (tp, v->_mp_d, vn, u->_mp_d, un);
+
+ rn = un + vn;
+ rn -= tp[rn-1] == 0;
+
+ t->_mp_size = sign ? - rn : rn;
+ mpz_swap (r, t);
+ mpz_clear (t);
+}
+
+void
+mpz_mul_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bits)
+{
+ mp_size_t un, rn;
+ mp_size_t limbs;
+ unsigned shift;
+ mp_ptr rp;
+
+ un = GMP_ABS (u->_mp_size);
+ if (un == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ limbs = bits / GMP_LIMB_BITS;
+ shift = bits % GMP_LIMB_BITS;
+
+ rn = un + limbs + (shift > 0);
+ rp = MPZ_REALLOC (r, rn);
+ if (shift > 0)
+ {
+ mp_limb_t cy = mpn_lshift (rp + limbs, u->_mp_d, un, shift);
+ rp[rn-1] = cy;
+ rn -= (cy == 0);
+ }
+ else
+ mpn_copyd (rp + limbs, u->_mp_d, un);
+
+ while (limbs > 0)
+ rp[--limbs] = 0;
+
+ r->_mp_size = (u->_mp_size < 0) ? - rn : rn;
+}
+
+void
+mpz_addmul_ui (mpz_t r, const mpz_t u, unsigned long int v)
+{
+ mpz_t t;
+ mpz_init (t);
+ mpz_mul_ui (t, u, v);
+ mpz_add (r, r, t);
+ mpz_clear (t);
+}
+
+void
+mpz_submul_ui (mpz_t r, const mpz_t u, unsigned long int v)
+{
+ mpz_t t;
+ mpz_init (t);
+ mpz_mul_ui (t, u, v);
+ mpz_sub (r, r, t);
+ mpz_clear (t);
+}
+
+void
+mpz_addmul (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mpz_t t;
+ mpz_init (t);
+ mpz_mul (t, u, v);
+ mpz_add (r, r, t);
+ mpz_clear (t);
+}
+
+void
+mpz_submul (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mpz_t t;
+ mpz_init (t);
+ mpz_mul (t, u, v);
+ mpz_sub (r, r, t);
+ mpz_clear (t);
+}
+
+
+/* MPZ division */
+enum mpz_div_round_mode { GMP_DIV_FLOOR, GMP_DIV_CEIL, GMP_DIV_TRUNC };
+
+/* Allows q or r to be zero. Returns 1 iff remainder is non-zero. */
+static int
+mpz_div_qr (mpz_t q, mpz_t r,
+ const mpz_t n, const mpz_t d, enum mpz_div_round_mode mode)
+{
+ mp_size_t ns, ds, nn, dn, qs;
+ ns = n->_mp_size;
+ ds = d->_mp_size;
+
+ if (ds == 0)
+ gmp_die("mpz_div_qr: Divide by zero.");
+
+ if (ns == 0)
+ {
+ if (q)
+ q->_mp_size = 0;
+ if (r)
+ r->_mp_size = 0;
+ return 0;
+ }
+
+ nn = GMP_ABS (ns);
+ dn = GMP_ABS (ds);
+
+ qs = ds ^ ns;
+
+ if (nn < dn)
+ {
+ if (mode == GMP_DIV_CEIL && qs >= 0)
+ {
+ /* q = 1, r = n - d */
+ if (r)
+ mpz_sub (r, n, d);
+ if (q)
+ mpz_set_ui (q, 1);
+ }
+ else if (mode == GMP_DIV_FLOOR && qs < 0)
+ {
+ /* q = -1, r = n + d */
+ if (r)
+ mpz_add (r, n, d);
+ if (q)
+ mpz_set_si (q, -1);
+ }
+ else
+ {
+ /* q = 0, r = d */
+ if (r)
+ mpz_set (r, n);
+ if (q)
+ q->_mp_size = 0;
+ }
+ return 1;
+ }
+ else
+ {
+ mp_ptr np, qp;
+ mp_size_t qn, rn;
+ mpz_t tq, tr;
+
+ mpz_init_set (tr, n);
+ np = tr->_mp_d;
+
+ qn = nn - dn + 1;
+
+ if (q)
+ {
+ mpz_init2 (tq, qn * GMP_LIMB_BITS);
+ qp = tq->_mp_d;
+ }
+ else
+ qp = NULL;
+
+ mpn_div_qr (qp, np, nn, d->_mp_d, dn);
+
+ if (qp)
+ {
+ qn -= (qp[qn-1] == 0);
+
+ tq->_mp_size = qs < 0 ? -qn : qn;
+ }
+ rn = mpn_normalized_size (np, dn);
+ tr->_mp_size = ns < 0 ? - rn : rn;
+
+ if (mode == GMP_DIV_FLOOR && qs < 0 && rn != 0)
+ {
+ if (q)
+ mpz_sub_ui (tq, tq, 1);
+ if (r)
+ mpz_add (tr, tr, d);
+ }
+ else if (mode == GMP_DIV_CEIL && qs >= 0 && rn != 0)
+ {
+ if (q)
+ mpz_add_ui (tq, tq, 1);
+ if (r)
+ mpz_sub (tr, tr, d);
+ }
+
+ if (q)
+ {
+ mpz_swap (tq, q);
+ mpz_clear (tq);
+ }
+ if (r)
+ mpz_swap (tr, r);
+
+ mpz_clear (tr);
+
+ return rn != 0;
+ }
+}
+
+void
+mpz_cdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, r, n, d, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, r, n, d, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, r, n, d, GMP_DIV_TRUNC);
+}
+
+void
+mpz_cdiv_q (mpz_t q, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, NULL, n, d, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_q (mpz_t q, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, NULL, n, d, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_q (mpz_t q, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC);
+}
+
+void
+mpz_cdiv_r (mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (NULL, r, n, d, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_r (mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (NULL, r, n, d, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_r (mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (NULL, r, n, d, GMP_DIV_TRUNC);
+}
+
+void
+mpz_mod (mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (NULL, r, n, d, d->_mp_size >= 0 ? GMP_DIV_FLOOR : GMP_DIV_CEIL);
+}
+
+static void
+mpz_div_q_2exp (mpz_t q, const mpz_t u, mp_bitcnt_t bit_index,
+ enum mpz_div_round_mode mode)
+{
+ mp_size_t un, qn;
+ mp_size_t limb_cnt;
+ mp_ptr qp;
+ int adjust;
+
+ un = u->_mp_size;
+ if (un == 0)
+ {
+ q->_mp_size = 0;
+ return;
+ }
+ limb_cnt = bit_index / GMP_LIMB_BITS;
+ qn = GMP_ABS (un) - limb_cnt;
+ bit_index %= GMP_LIMB_BITS;
+
+ if (mode == ((un > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* un != 0 here. */
+ /* Note: Below, the final indexing at limb_cnt is valid because at
+ that point we have qn > 0. */
+ adjust = (qn <= 0
+ || !mpn_zero_p (u->_mp_d, limb_cnt)
+ || (u->_mp_d[limb_cnt]
+ & (((mp_limb_t) 1 << bit_index) - 1)));
+ else
+ adjust = 0;
+
+ if (qn <= 0)
+ qn = 0;
+
+ else
+ {
+ qp = MPZ_REALLOC (q, qn);
+
+ if (bit_index != 0)
+ {
+ mpn_rshift (qp, u->_mp_d + limb_cnt, qn, bit_index);
+ qn -= qp[qn - 1] == 0;
+ }
+ else
+ {
+ mpn_copyi (qp, u->_mp_d + limb_cnt, qn);
+ }
+ }
+
+ q->_mp_size = qn;
+
+ if (adjust)
+ mpz_add_ui (q, q, 1);
+ if (un < 0)
+ mpz_neg (q, q);
+}
+
+static void
+mpz_div_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bit_index,
+ enum mpz_div_round_mode mode)
+{
+ mp_size_t us, un, rn;
+ mp_ptr rp;
+ mp_limb_t mask;
+
+ us = u->_mp_size;
+ if (us == 0 || bit_index == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+ rn = (bit_index + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS;
+ assert (rn > 0);
+
+ rp = MPZ_REALLOC (r, rn);
+ un = GMP_ABS (us);
+
+ mask = GMP_LIMB_MAX >> (rn * GMP_LIMB_BITS - bit_index);
+
+ if (rn > un)
+ {
+ /* Quotient (with truncation) is zero, and remainder is
+ non-zero */
+ if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */
+ {
+ /* Have to negate and sign extend. */
+ mp_size_t i;
+ mp_limb_t cy;
+
+ for (cy = 1, i = 0; i < un; i++)
+ {
+ mp_limb_t s = ~u->_mp_d[i] + cy;
+ cy = s < cy;
+ rp[i] = s;
+ }
+ assert (cy == 0);
+ for (; i < rn - 1; i++)
+ rp[i] = GMP_LIMB_MAX;
+
+ rp[rn-1] = mask;
+ us = -us;
+ }
+ else
+ {
+ /* Just copy */
+ if (r != u)
+ mpn_copyi (rp, u->_mp_d, un);
+
+ rn = un;
+ }
+ }
+ else
+ {
+ if (r != u)
+ mpn_copyi (rp, u->_mp_d, rn - 1);
+
+ rp[rn-1] = u->_mp_d[rn-1] & mask;
+
+ if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */
+ {
+ /* If r != 0, compute 2^{bit_count} - r. */
+ mp_size_t i;
+
+ for (i = 0; i < rn && rp[i] == 0; i++)
+ ;
+ if (i < rn)
+ {
+ /* r > 0, need to flip sign. */
+ rp[i] = ~rp[i] + 1;
+ while (++i < rn)
+ rp[i] = ~rp[i];
+
+ rp[rn-1] &= mask;
+
+ /* us is not used for anything else, so we can modify it
+ here to indicate flipped sign. */
+ us = -us;
+ }
+ }
+ }
+ rn = mpn_normalized_size (rp, rn);
+ r->_mp_size = us < 0 ? -rn : rn;
+}
+
+void
+mpz_cdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_q_2exp (r, u, cnt, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_q_2exp (r, u, cnt, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_q_2exp (r, u, cnt, GMP_DIV_TRUNC);
+}
+
+void
+mpz_cdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_r_2exp (r, u, cnt, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_r_2exp (r, u, cnt, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_r_2exp (r, u, cnt, GMP_DIV_TRUNC);
+}
+
+void
+mpz_divexact (mpz_t q, const mpz_t n, const mpz_t d)
+{
+ gmp_assert_nocarry (mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC));
+}
+
+int
+mpz_divisible_p (const mpz_t n, const mpz_t d)
+{
+ return mpz_div_qr (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0;
+}
+
+int
+mpz_congruent_p (const mpz_t a, const mpz_t b, const mpz_t m)
+{
+ mpz_t t;
+ int res;
+
+ /* a == b (mod 0) iff a == b */
+ if (mpz_sgn (m) == 0)
+ return (mpz_cmp (a, b) == 0);
+
+ mpz_init (t);
+ mpz_sub (t, a, b);
+ res = mpz_divisible_p (t, m);
+ mpz_clear (t);
+
+ return res;
+}
+
+static unsigned long
+mpz_div_qr_ui (mpz_t q, mpz_t r,
+ const mpz_t n, unsigned long d, enum mpz_div_round_mode mode)
+{
+ mp_size_t ns, qn;
+ mp_ptr qp;
+ mp_limb_t rl;
+ mp_size_t rs;
+
+ ns = n->_mp_size;
+ if (ns == 0)
+ {
+ if (q)
+ q->_mp_size = 0;
+ if (r)
+ r->_mp_size = 0;
+ return 0;
+ }
+
+ qn = GMP_ABS (ns);
+ if (q)
+ qp = MPZ_REALLOC (q, qn);
+ else
+ qp = NULL;
+
+ rl = mpn_div_qr_1 (qp, n->_mp_d, qn, d);
+ assert (rl < d);
+
+ rs = rl > 0;
+ rs = (ns < 0) ? -rs : rs;
+
+ if (rl > 0 && ( (mode == GMP_DIV_FLOOR && ns < 0)
+ || (mode == GMP_DIV_CEIL && ns >= 0)))
+ {
+ if (q)
+ gmp_assert_nocarry (mpn_add_1 (qp, qp, qn, 1));
+ rl = d - rl;
+ rs = -rs;
+ }
+
+ if (r)
+ {
+ r->_mp_d[0] = rl;
+ r->_mp_size = rs;
+ }
+ if (q)
+ {
+ qn -= (qp[qn-1] == 0);
+ assert (qn == 0 || qp[qn-1] > 0);
+
+ q->_mp_size = (ns < 0) ? - qn : qn;
+ }
+
+ return rl;
+}
+
+unsigned long
+mpz_cdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, r, n, d, GMP_DIV_CEIL);
+}
+
+unsigned long
+mpz_fdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, r, n, d, GMP_DIV_FLOOR);
+}
+
+unsigned long
+mpz_tdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, r, n, d, GMP_DIV_TRUNC);
+}
+
+unsigned long
+mpz_cdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_CEIL);
+}
+
+unsigned long
+mpz_fdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_FLOOR);
+}
+
+unsigned long
+mpz_tdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC);
+}
+
+unsigned long
+mpz_cdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_CEIL);
+}
+unsigned long
+mpz_fdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR);
+}
+unsigned long
+mpz_tdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_TRUNC);
+}
+
+unsigned long
+mpz_cdiv_ui (const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_CEIL);
+}
+
+unsigned long
+mpz_fdiv_ui (const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_FLOOR);
+}
+
+unsigned long
+mpz_tdiv_ui (const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_TRUNC);
+}
+
+unsigned long
+mpz_mod_ui (mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR);
+}
+
+void
+mpz_divexact_ui (mpz_t q, const mpz_t n, unsigned long d)
+{
+ gmp_assert_nocarry (mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC));
+}
+
+int
+mpz_divisible_ui_p (const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0;
+}
+
+
+/* GCD */
+static mp_limb_t
+mpn_gcd_11 (mp_limb_t u, mp_limb_t v)
+{
+ unsigned shift;
+
+ assert ( (u | v) > 0);
+
+ if (u == 0)
+ return v;
+ else if (v == 0)
+ return u;
+
+ gmp_ctz (shift, u | v);
+
+ u >>= shift;
+ v >>= shift;
+
+ if ( (u & 1) == 0)
+ MP_LIMB_T_SWAP (u, v);
+
+ while ( (v & 1) == 0)
+ v >>= 1;
+
+ while (u != v)
+ {
+ if (u > v)
+ {
+ u -= v;
+ do
+ u >>= 1;
+ while ( (u & 1) == 0);
+ }
+ else
+ {
+ v -= u;
+ do
+ v >>= 1;
+ while ( (v & 1) == 0);
+ }
+ }
+ return u << shift;
+}
+
+unsigned long
+mpz_gcd_ui (mpz_t g, const mpz_t u, unsigned long v)
+{
+ mp_size_t un;
+
+ if (v == 0)
+ {
+ if (g)
+ mpz_abs (g, u);
+ }
+ else
+ {
+ un = GMP_ABS (u->_mp_size);
+ if (un != 0)
+ v = mpn_gcd_11 (mpn_div_qr_1 (NULL, u->_mp_d, un, v), v);
+
+ if (g)
+ mpz_set_ui (g, v);
+ }
+
+ return v;
+}
+
+static mp_bitcnt_t
+mpz_make_odd (mpz_t r)
+{
+ mp_bitcnt_t shift;
+
+ assert (r->_mp_size > 0);
+ /* Count trailing zeros, equivalent to mpn_scan1, because we know that there is a 1 */
+ shift = mpn_common_scan (r->_mp_d[0], 0, r->_mp_d, 0, 0);
+ mpz_tdiv_q_2exp (r, r, shift);
+
+ return shift;
+}
+
+void
+mpz_gcd (mpz_t g, const mpz_t u, const mpz_t v)
+{
+ mpz_t tu, tv;
+ mp_bitcnt_t uz, vz, gz;
+
+ if (u->_mp_size == 0)
+ {
+ mpz_abs (g, v);
+ return;
+ }
+ if (v->_mp_size == 0)
+ {
+ mpz_abs (g, u);
+ return;
+ }
+
+ mpz_init (tu);
+ mpz_init (tv);
+
+ mpz_abs (tu, u);
+ uz = mpz_make_odd (tu);
+ mpz_abs (tv, v);
+ vz = mpz_make_odd (tv);
+ gz = GMP_MIN (uz, vz);
+
+ if (tu->_mp_size < tv->_mp_size)
+ mpz_swap (tu, tv);
+
+ mpz_tdiv_r (tu, tu, tv);
+ if (tu->_mp_size == 0)
+ {
+ mpz_swap (g, tv);
+ }
+ else
+ for (;;)
+ {
+ int c;
+
+ mpz_make_odd (tu);
+ c = mpz_cmp (tu, tv);
+ if (c == 0)
+ {
+ mpz_swap (g, tu);
+ break;
+ }
+ if (c < 0)
+ mpz_swap (tu, tv);
+
+ if (tv->_mp_size == 1)
+ {
+ mp_limb_t vl = tv->_mp_d[0];
+ mp_limb_t ul = mpz_tdiv_ui (tu, vl);
+ mpz_set_ui (g, mpn_gcd_11 (ul, vl));
+ break;
+ }
+ mpz_sub (tu, tu, tv);
+ }
+ mpz_clear (tu);
+ mpz_clear (tv);
+ mpz_mul_2exp (g, g, gz);
+}
+
+void
+mpz_gcdext (mpz_t g, mpz_t s, mpz_t t, const mpz_t u, const mpz_t v)
+{
+ mpz_t tu, tv, s0, s1, t0, t1;
+ mp_bitcnt_t uz, vz, gz;
+ mp_bitcnt_t power;
+
+ if (u->_mp_size == 0)
+ {
+ /* g = 0 u + sgn(v) v */
+ signed long sign = mpz_sgn (v);
+ mpz_abs (g, v);
+ if (s)
+ mpz_set_ui (s, 0);
+ if (t)
+ mpz_set_si (t, sign);
+ return;
+ }
+
+ if (v->_mp_size == 0)
+ {
+ /* g = sgn(u) u + 0 v */
+ signed long sign = mpz_sgn (u);
+ mpz_abs (g, u);
+ if (s)
+ mpz_set_si (s, sign);
+ if (t)
+ mpz_set_ui (t, 0);
+ return;
+ }
+
+ mpz_init (tu);
+ mpz_init (tv);
+ mpz_init (s0);
+ mpz_init (s1);
+ mpz_init (t0);
+ mpz_init (t1);
+
+ mpz_abs (tu, u);
+ uz = mpz_make_odd (tu);
+ mpz_abs (tv, v);
+ vz = mpz_make_odd (tv);
+ gz = GMP_MIN (uz, vz);
+
+ uz -= gz;
+ vz -= gz;
+
+ /* Cofactors corresponding to odd gcd. gz handled later. */
+ if (tu->_mp_size < tv->_mp_size)
+ {
+ mpz_swap (tu, tv);
+ MPZ_SRCPTR_SWAP (u, v);
+ MPZ_PTR_SWAP (s, t);
+ MP_BITCNT_T_SWAP (uz, vz);
+ }
+
+ /* Maintain
+ *
+ * u = t0 tu + t1 tv
+ * v = s0 tu + s1 tv
+ *
+ * where u and v denote the inputs with common factors of two
+ * eliminated, and det (s0, t0; s1, t1) = 2^p. Then
+ *
+ * 2^p tu = s1 u - t1 v
+ * 2^p tv = -s0 u + t0 v
+ */
+
+ /* After initial division, tu = q tv + tu', we have
+ *
+ * u = 2^uz (tu' + q tv)
+ * v = 2^vz tv
+ *
+ * or
+ *
+ * t0 = 2^uz, t1 = 2^uz q
+ * s0 = 0, s1 = 2^vz
+ */
+
+ mpz_setbit (t0, uz);
+ mpz_tdiv_qr (t1, tu, tu, tv);
+ mpz_mul_2exp (t1, t1, uz);
+
+ mpz_setbit (s1, vz);
+ power = uz + vz;
+
+ if (tu->_mp_size > 0)
+ {
+ mp_bitcnt_t shift;
+ shift = mpz_make_odd (tu);
+ mpz_mul_2exp (t0, t0, shift);
+ mpz_mul_2exp (s0, s0, shift);
+ power += shift;
+
+ for (;;)
+ {
+ int c;
+ c = mpz_cmp (tu, tv);
+ if (c == 0)
+ break;
+
+ if (c < 0)
+ {
+ /* tv = tv' + tu
+ *
+ * u = t0 tu + t1 (tv' + tu) = (t0 + t1) tu + t1 tv'
+ * v = s0 tu + s1 (tv' + tu) = (s0 + s1) tu + s1 tv' */
+
+ mpz_sub (tv, tv, tu);
+ mpz_add (t0, t0, t1);
+ mpz_add (s0, s0, s1);
+
+ shift = mpz_make_odd (tv);
+ mpz_mul_2exp (t1, t1, shift);
+ mpz_mul_2exp (s1, s1, shift);
+ }
+ else
+ {
+ mpz_sub (tu, tu, tv);
+ mpz_add (t1, t0, t1);
+ mpz_add (s1, s0, s1);
+
+ shift = mpz_make_odd (tu);
+ mpz_mul_2exp (t0, t0, shift);
+ mpz_mul_2exp (s0, s0, shift);
+ }
+ power += shift;
+ }
+ }
+
+ /* Now tv = odd part of gcd, and -s0 and t0 are corresponding
+ cofactors. */
+
+ mpz_mul_2exp (tv, tv, gz);
+ mpz_neg (s0, s0);
+
+ /* 2^p g = s0 u + t0 v. Eliminate one factor of two at a time. To
+ adjust cofactors, we need u / g and v / g */
+
+ mpz_divexact (s1, v, tv);
+ mpz_abs (s1, s1);
+ mpz_divexact (t1, u, tv);
+ mpz_abs (t1, t1);
+
+ while (power-- > 0)
+ {
+ /* s0 u + t0 v = (s0 - v/g) u - (t0 + u/g) v */
+ if (mpz_odd_p (s0) || mpz_odd_p (t0))
+ {
+ mpz_sub (s0, s0, s1);
+ mpz_add (t0, t0, t1);
+ }
+ mpz_divexact_ui (s0, s0, 2);
+ mpz_divexact_ui (t0, t0, 2);
+ }
+
+ /* Arrange so that |s| < |u| / 2g */
+ mpz_add (s1, s0, s1);
+ if (mpz_cmpabs (s0, s1) > 0)
+ {
+ mpz_swap (s0, s1);
+ mpz_sub (t0, t0, t1);
+ }
+ if (u->_mp_size < 0)
+ mpz_neg (s0, s0);
+ if (v->_mp_size < 0)
+ mpz_neg (t0, t0);
+
+ mpz_swap (g, tv);
+ if (s)
+ mpz_swap (s, s0);
+ if (t)
+ mpz_swap (t, t0);
+
+ mpz_clear (tu);
+ mpz_clear (tv);
+ mpz_clear (s0);
+ mpz_clear (s1);
+ mpz_clear (t0);
+ mpz_clear (t1);
+}
+
+void
+mpz_lcm (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mpz_t g;
+
+ if (u->_mp_size == 0 || v->_mp_size == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ mpz_init (g);
+
+ mpz_gcd (g, u, v);
+ mpz_divexact (g, u, g);
+ mpz_mul (r, g, v);
+
+ mpz_clear (g);
+ mpz_abs (r, r);
+}
+
+void
+mpz_lcm_ui (mpz_t r, const mpz_t u, unsigned long v)
+{
+ if (v == 0 || u->_mp_size == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ v /= mpz_gcd_ui (NULL, u, v);
+ mpz_mul_ui (r, u, v);
+
+ mpz_abs (r, r);
+}
+
+int
+mpz_invert (mpz_t r, const mpz_t u, const mpz_t m)
+{
+ mpz_t g, tr;
+ int invertible;
+
+ if (u->_mp_size == 0 || mpz_cmpabs_ui (m, 1) <= 0)
+ return 0;
+
+ mpz_init (g);
+ mpz_init (tr);
+
+ mpz_gcdext (g, tr, NULL, u, m);
+ invertible = (mpz_cmp_ui (g, 1) == 0);
+
+ if (invertible)
+ {
+ if (tr->_mp_size < 0)
+ {
+ if (m->_mp_size >= 0)
+ mpz_add (tr, tr, m);
+ else
+ mpz_sub (tr, tr, m);
+ }
+ mpz_swap (r, tr);
+ }
+
+ mpz_clear (g);
+ mpz_clear (tr);
+ return invertible;
+}
+
+
+/* Higher level operations (sqrt, pow and root) */
+
+void
+mpz_pow_ui (mpz_t r, const mpz_t b, unsigned long e)
+{
+ unsigned long bit;
+ mpz_t tr;
+ mpz_init_set_ui (tr, 1);
+
+ bit = GMP_ULONG_HIGHBIT;
+ do
+ {
+ mpz_mul (tr, tr, tr);
+ if (e & bit)
+ mpz_mul (tr, tr, b);
+ bit >>= 1;
+ }
+ while (bit > 0);
+
+ mpz_swap (r, tr);
+ mpz_clear (tr);
+}
+
+void
+mpz_ui_pow_ui (mpz_t r, unsigned long blimb, unsigned long e)
+{
+ mpz_t b;
+ mpz_init_set_ui (b, blimb);
+ mpz_pow_ui (r, b, e);
+ mpz_clear (b);
+}
+
+void
+mpz_powm (mpz_t r, const mpz_t b, const mpz_t e, const mpz_t m)
+{
+ mpz_t tr;
+ mpz_t base;
+ mp_size_t en, mn;
+ mp_srcptr mp;
+ struct gmp_div_inverse minv;
+ unsigned shift;
+ mp_ptr tp = NULL;
+
+ en = GMP_ABS (e->_mp_size);
+ mn = GMP_ABS (m->_mp_size);
+ if (mn == 0)
+ gmp_die ("mpz_powm: Zero modulo.");
+
+ if (en == 0)
+ {
+ mpz_set_ui (r, 1);
+ return;
+ }
+
+ mp = m->_mp_d;
+ mpn_div_qr_invert (&minv, mp, mn);
+ shift = minv.shift;
+
+ if (shift > 0)
+ {
+ /* To avoid shifts, we do all our reductions, except the final
+ one, using a *normalized* m. */
+ minv.shift = 0;
+
+ tp = gmp_xalloc_limbs (mn);
+ gmp_assert_nocarry (mpn_lshift (tp, mp, mn, shift));
+ mp = tp;
+ }
+
+ mpz_init (base);
+
+ if (e->_mp_size < 0)
+ {
+ if (!mpz_invert (base, b, m))
+ gmp_die ("mpz_powm: Negative exponent and non-invertible base.");
+ }
+ else
+ {
+ mp_size_t bn;
+ mpz_abs (base, b);
+
+ bn = base->_mp_size;
+ if (bn >= mn)
+ {
+ mpn_div_qr_preinv (NULL, base->_mp_d, base->_mp_size, mp, mn, &minv);
+ bn = mn;
+ }
+
+ /* We have reduced the absolute value. Now take care of the
+ sign. Note that we get zero represented non-canonically as
+ m. */
+ if (b->_mp_size < 0)
+ {
+ mp_ptr bp = MPZ_REALLOC (base, mn);
+ gmp_assert_nocarry (mpn_sub (bp, mp, mn, bp, bn));
+ bn = mn;
+ }
+ base->_mp_size = mpn_normalized_size (base->_mp_d, bn);
+ }
+ mpz_init_set_ui (tr, 1);
+
+ while (en-- > 0)
+ {
+ mp_limb_t w = e->_mp_d[en];
+ mp_limb_t bit;
+
+ bit = GMP_LIMB_HIGHBIT;
+ do
+ {
+ mpz_mul (tr, tr, tr);
+ if (w & bit)
+ mpz_mul (tr, tr, base);
+ if (tr->_mp_size > mn)
+ {
+ mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv);
+ tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn);
+ }
+ bit >>= 1;
+ }
+ while (bit > 0);
+ }
+
+ /* Final reduction */
+ if (tr->_mp_size >= mn)
+ {
+ minv.shift = shift;
+ mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv);
+ tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn);
+ }
+ if (tp)
+ gmp_free (tp);
+
+ mpz_swap (r, tr);
+ mpz_clear (tr);
+ mpz_clear (base);
+}
+
+void
+mpz_powm_ui (mpz_t r, const mpz_t b, unsigned long elimb, const mpz_t m)
+{
+ mpz_t e;
+ mpz_init_set_ui (e, elimb);
+ mpz_powm (r, b, e, m);
+ mpz_clear (e);
+}
+
+/* x=trunc(y^(1/z)), r=y-x^z */
+void
+mpz_rootrem (mpz_t x, mpz_t r, const mpz_t y, unsigned long z)
+{
+ int sgn;
+ mpz_t t, u;
+
+ sgn = y->_mp_size < 0;
+ if ((~z & sgn) != 0)
+ gmp_die ("mpz_rootrem: Negative argument, with even root.");
+ if (z == 0)
+ gmp_die ("mpz_rootrem: Zeroth root.");
+
+ if (mpz_cmpabs_ui (y, 1) <= 0) {
+ if (x)
+ mpz_set (x, y);
+ if (r)
+ r->_mp_size = 0;
+ return;
+ }
+
+ mpz_init (u);
+ {
+ mp_bitcnt_t tb;
+ tb = mpz_sizeinbase (y, 2) / z + 1;
+ mpz_init2 (t, tb);
+ mpz_setbit (t, tb);
+ }
+
+ if (z == 2) /* simplify sqrt loop: z-1 == 1 */
+ do {
+ mpz_swap (u, t); /* u = x */
+ mpz_tdiv_q (t, y, u); /* t = y/x */
+ mpz_add (t, t, u); /* t = y/x + x */
+ mpz_tdiv_q_2exp (t, t, 1); /* x'= (y/x + x)/2 */
+ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */
+ else /* z != 2 */ {
+ mpz_t v;
+
+ mpz_init (v);
+ if (sgn)
+ mpz_neg (t, t);
+
+ do {
+ mpz_swap (u, t); /* u = x */
+ mpz_pow_ui (t, u, z - 1); /* t = x^(z-1) */
+ mpz_tdiv_q (t, y, t); /* t = y/x^(z-1) */
+ mpz_mul_ui (v, u, z - 1); /* v = x*(z-1) */
+ mpz_add (t, t, v); /* t = y/x^(z-1) + x*(z-1) */
+ mpz_tdiv_q_ui (t, t, z); /* x'=(y/x^(z-1) + x*(z-1))/z */
+ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */
+
+ mpz_clear (v);
+ }
+
+ if (r) {
+ mpz_pow_ui (t, u, z);
+ mpz_sub (r, y, t);
+ }
+ if (x)
+ mpz_swap (x, u);
+ mpz_clear (u);
+ mpz_clear (t);
+}
+
+int
+mpz_root (mpz_t x, const mpz_t y, unsigned long z)
+{
+ int res;
+ mpz_t r;
+
+ mpz_init (r);
+ mpz_rootrem (x, r, y, z);
+ res = r->_mp_size == 0;
+ mpz_clear (r);
+
+ return res;
+}
+
+/* Compute s = floor(sqrt(u)) and r = u - s^2. Allows r == NULL */
+void
+mpz_sqrtrem (mpz_t s, mpz_t r, const mpz_t u)
+{
+ mpz_rootrem (s, r, u, 2);
+}
+
+void
+mpz_sqrt (mpz_t s, const mpz_t u)
+{
+ mpz_rootrem (s, NULL, u, 2);
+}
+
+int
+mpz_perfect_square_p (const mpz_t u)
+{
+ if (u->_mp_size <= 0)
+ return (u->_mp_size == 0);
+ else
+ return mpz_root (NULL, u, 2);
+}
+
+int
+mpn_perfect_square_p (mp_srcptr p, mp_size_t n)
+{
+ mpz_t t;
+
+ assert (n > 0);
+ assert (p [n-1] != 0);
+ return mpz_root (NULL, mpz_roinit_n (t, p, n), 2);
+}
+
+mp_size_t
+mpn_sqrtrem (mp_ptr sp, mp_ptr rp, mp_srcptr p, mp_size_t n)
+{
+ mpz_t s, r, u;
+ mp_size_t res;
+
+ assert (n > 0);
+ assert (p [n-1] != 0);
+
+ mpz_init (r);
+ mpz_init (s);
+ mpz_rootrem (s, r, mpz_roinit_n (u, p, n), 2);
+
+ assert (s->_mp_size == (n+1)/2);
+ mpn_copyd (sp, s->_mp_d, s->_mp_size);
+ mpz_clear (s);
+ res = r->_mp_size;
+ if (rp)
+ mpn_copyd (rp, r->_mp_d, res);
+ mpz_clear (r);
+ return res;
+}
+
+/* Combinatorics */
+
+void
+mpz_fac_ui (mpz_t x, unsigned long n)
+{
+ mpz_set_ui (x, n + (n == 0));
+ for (;n > 2;)
+ mpz_mul_ui (x, x, --n);
+}
+
+void
+mpz_bin_uiui (mpz_t r, unsigned long n, unsigned long k)
+{
+ mpz_t t;
+
+ mpz_set_ui (r, k <= n);
+
+ if (k > (n >> 1))
+ k = (k <= n) ? n - k : 0;
+
+ mpz_init (t);
+ mpz_fac_ui (t, k);
+
+ for (; k > 0; k--)
+ mpz_mul_ui (r, r, n--);
+
+ mpz_divexact (r, r, t);
+ mpz_clear (t);
+}
+
+
+/* Primality testing */
+static int
+gmp_millerrabin (const mpz_t n, const mpz_t nm1, mpz_t y,
+ const mpz_t q, mp_bitcnt_t k)
+{
+ assert (k > 0);
+
+ /* Caller must initialize y to the base. */
+ mpz_powm (y, y, q, n);
+
+ if (mpz_cmp_ui (y, 1) == 0 || mpz_cmp (y, nm1) == 0)
+ return 1;
+
+ while (--k > 0)
+ {
+ mpz_powm_ui (y, y, 2, n);
+ if (mpz_cmp (y, nm1) == 0)
+ return 1;
+ /* y == 1 means that the previous y was a non-trivial square root
+ of 1 (mod n). y == 0 means that n is a power of the base.
+ In either case, n is not prime. */
+ if (mpz_cmp_ui (y, 1) <= 0)
+ return 0;
+ }
+ return 0;
+}
+
+/* This product is 0xc0cfd797, and fits in 32 bits. */
+#define GMP_PRIME_PRODUCT \
+ (3UL*5UL*7UL*11UL*13UL*17UL*19UL*23UL*29UL)
+
+/* Bit (p+1)/2 is set, for each odd prime <= 61 */
+#define GMP_PRIME_MASK 0xc96996dcUL
+
+int
+mpz_probab_prime_p (const mpz_t n, int reps)
+{
+ mpz_t nm1;
+ mpz_t q;
+ mpz_t y;
+ mp_bitcnt_t k;
+ int is_prime;
+ int j;
+
+ /* Note that we use the absolute value of n only, for compatibility
+ with the real GMP. */
+ if (mpz_even_p (n))
+ return (mpz_cmpabs_ui (n, 2) == 0) ? 2 : 0;
+
+ /* Above test excludes n == 0 */
+ assert (n->_mp_size != 0);
+
+ if (mpz_cmpabs_ui (n, 64) < 0)
+ return (GMP_PRIME_MASK >> (n->_mp_d[0] >> 1)) & 2;
+
+ if (mpz_gcd_ui (NULL, n, GMP_PRIME_PRODUCT) != 1)
+ return 0;
+
+ /* All prime factors are >= 31. */
+ if (mpz_cmpabs_ui (n, 31*31) < 0)
+ return 2;
+
+ /* Use Miller-Rabin, with a deterministic sequence of bases, a[j] =
+ j^2 + j + 41 using Euler's polynomial. We potentially stop early,
+ if a[j] >= n - 1. Since n >= 31*31, this can happen only if reps >
+ 30 (a[30] == 971 > 31*31 == 961). */
+
+ mpz_init (nm1);
+ mpz_init (q);
+ mpz_init (y);
+
+ /* Find q and k, where q is odd and n = 1 + 2**k * q. */
+ nm1->_mp_size = mpz_abs_sub_ui (nm1, n, 1);
+ k = mpz_scan1 (nm1, 0);
+ mpz_tdiv_q_2exp (q, nm1, k);
+
+ for (j = 0, is_prime = 1; is_prime & (j < reps); j++)
+ {
+ mpz_set_ui (y, (unsigned long) j*j+j+41);
+ if (mpz_cmp (y, nm1) >= 0)
+ {
+ /* Don't try any further bases. This "early" break does not affect
+ the result for any reasonable reps value (<=5000 was tested) */
+ assert (j >= 30);
+ break;
+ }
+ is_prime = gmp_millerrabin (n, nm1, y, q, k);
+ }
+ mpz_clear (nm1);
+ mpz_clear (q);
+ mpz_clear (y);
+
+ return is_prime;
+}
+
+
+/* Logical operations and bit manipulation. */
+
+/* Numbers are treated as if represented in two's complement (and
+ infinitely sign extended). For a negative values we get the two's
+ complement from -x = ~x + 1, where ~ is bitwise complement.
+ Negation transforms
+
+ xxxx10...0
+
+ into
+
+ yyyy10...0
+
+ where yyyy is the bitwise complement of xxxx. So least significant
+ bits, up to and including the first one bit, are unchanged, and
+ the more significant bits are all complemented.
+
+ To change a bit from zero to one in a negative number, subtract the
+ corresponding power of two from the absolute value. This can never
+ underflow. To change a bit from one to zero, add the corresponding
+ power of two, and this might overflow. E.g., if x = -001111, the
+ two's complement is 110001. Clearing the least significant bit, we
+ get two's complement 110000, and -010000. */
+
+int
+mpz_tstbit (const mpz_t d, mp_bitcnt_t bit_index)
+{
+ mp_size_t limb_index;
+ unsigned shift;
+ mp_size_t ds;
+ mp_size_t dn;
+ mp_limb_t w;
+ int bit;
+
+ ds = d->_mp_size;
+ dn = GMP_ABS (ds);
+ limb_index = bit_index / GMP_LIMB_BITS;
+ if (limb_index >= dn)
+ return ds < 0;
+
+ shift = bit_index % GMP_LIMB_BITS;
+ w = d->_mp_d[limb_index];
+ bit = (w >> shift) & 1;
+
+ if (ds < 0)
+ {
+ /* d < 0. Check if any of the bits below is set: If so, our bit
+ must be complemented. */
+ if (shift > 0 && (w << (GMP_LIMB_BITS - shift)) > 0)
+ return bit ^ 1;
+ while (limb_index-- > 0)
+ if (d->_mp_d[limb_index] > 0)
+ return bit ^ 1;
+ }
+ return bit;
+}
+
+static void
+mpz_abs_add_bit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ mp_size_t dn, limb_index;
+ mp_limb_t bit;
+ mp_ptr dp;
+
+ dn = GMP_ABS (d->_mp_size);
+
+ limb_index = bit_index / GMP_LIMB_BITS;
+ bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS);
+
+ if (limb_index >= dn)
+ {
+ mp_size_t i;
+ /* The bit should be set outside of the end of the number.
+ We have to increase the size of the number. */
+ dp = MPZ_REALLOC (d, limb_index + 1);
+
+ dp[limb_index] = bit;
+ for (i = dn; i < limb_index; i++)
+ dp[i] = 0;
+ dn = limb_index + 1;
+ }
+ else
+ {
+ mp_limb_t cy;
+
+ dp = d->_mp_d;
+
+ cy = mpn_add_1 (dp + limb_index, dp + limb_index, dn - limb_index, bit);
+ if (cy > 0)
+ {
+ dp = MPZ_REALLOC (d, dn + 1);
+ dp[dn++] = cy;
+ }
+ }
+
+ d->_mp_size = (d->_mp_size < 0) ? - dn : dn;
+}
+
+static void
+mpz_abs_sub_bit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ mp_size_t dn, limb_index;
+ mp_ptr dp;
+ mp_limb_t bit;
+
+ dn = GMP_ABS (d->_mp_size);
+ dp = d->_mp_d;
+
+ limb_index = bit_index / GMP_LIMB_BITS;
+ bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS);
+
+ assert (limb_index < dn);
+
+ gmp_assert_nocarry (mpn_sub_1 (dp + limb_index, dp + limb_index,
+ dn - limb_index, bit));
+ dn = mpn_normalized_size (dp, dn);
+ d->_mp_size = (d->_mp_size < 0) ? - dn : dn;
+}
+
+void
+mpz_setbit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ if (!mpz_tstbit (d, bit_index))
+ {
+ if (d->_mp_size >= 0)
+ mpz_abs_add_bit (d, bit_index);
+ else
+ mpz_abs_sub_bit (d, bit_index);
+ }
+}
+
+void
+mpz_clrbit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ if (mpz_tstbit (d, bit_index))
+ {
+ if (d->_mp_size >= 0)
+ mpz_abs_sub_bit (d, bit_index);
+ else
+ mpz_abs_add_bit (d, bit_index);
+ }
+}
+
+void
+mpz_combit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ if (mpz_tstbit (d, bit_index) ^ (d->_mp_size < 0))
+ mpz_abs_sub_bit (d, bit_index);
+ else
+ mpz_abs_add_bit (d, bit_index);
+}
+
+void
+mpz_com (mpz_t r, const mpz_t u)
+{
+ mpz_neg (r, u);
+ mpz_sub_ui (r, r, 1);
+}
+
+void
+mpz_and (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mp_size_t un, vn, rn, i;
+ mp_ptr up, vp, rp;
+
+ mp_limb_t ux, vx, rx;
+ mp_limb_t uc, vc, rc;
+ mp_limb_t ul, vl, rl;
+
+ un = GMP_ABS (u->_mp_size);
+ vn = GMP_ABS (v->_mp_size);
+ if (un < vn)
+ {
+ MPZ_SRCPTR_SWAP (u, v);
+ MP_SIZE_T_SWAP (un, vn);
+ }
+ if (vn == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ uc = u->_mp_size < 0;
+ vc = v->_mp_size < 0;
+ rc = uc & vc;
+
+ ux = -uc;
+ vx = -vc;
+ rx = -rc;
+
+ /* If the smaller input is positive, higher limbs don't matter. */
+ rn = vx ? un : vn;
+
+ rp = MPZ_REALLOC (r, rn + rc);
+
+ up = u->_mp_d;
+ vp = v->_mp_d;
+
+ i = 0;
+ do
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ vl = (vp[i] ^ vx) + vc;
+ vc = vl < vc;
+
+ rl = ( (ul & vl) ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ while (++i < vn);
+ assert (vc == 0);
+
+ for (; i < rn; i++)
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ rl = ( (ul & vx) ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ if (rc)
+ rp[rn++] = rc;
+ else
+ rn = mpn_normalized_size (rp, rn);
+
+ r->_mp_size = rx ? -rn : rn;
+}
+
+void
+mpz_ior (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mp_size_t un, vn, rn, i;
+ mp_ptr up, vp, rp;
+
+ mp_limb_t ux, vx, rx;
+ mp_limb_t uc, vc, rc;
+ mp_limb_t ul, vl, rl;
+
+ un = GMP_ABS (u->_mp_size);
+ vn = GMP_ABS (v->_mp_size);
+ if (un < vn)
+ {
+ MPZ_SRCPTR_SWAP (u, v);
+ MP_SIZE_T_SWAP (un, vn);
+ }
+ if (vn == 0)
+ {
+ mpz_set (r, u);
+ return;
+ }
+
+ uc = u->_mp_size < 0;
+ vc = v->_mp_size < 0;
+ rc = uc | vc;
+
+ ux = -uc;
+ vx = -vc;
+ rx = -rc;
+
+ /* If the smaller input is negative, by sign extension higher limbs
+ don't matter. */
+ rn = vx ? vn : un;
+
+ rp = MPZ_REALLOC (r, rn + rc);
+
+ up = u->_mp_d;
+ vp = v->_mp_d;
+
+ i = 0;
+ do
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ vl = (vp[i] ^ vx) + vc;
+ vc = vl < vc;
+
+ rl = ( (ul | vl) ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ while (++i < vn);
+ assert (vc == 0);
+
+ for (; i < rn; i++)
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ rl = ( (ul | vx) ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ if (rc)
+ rp[rn++] = rc;
+ else
+ rn = mpn_normalized_size (rp, rn);
+
+ r->_mp_size = rx ? -rn : rn;
+}
+
+void
+mpz_xor (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mp_size_t un, vn, i;
+ mp_ptr up, vp, rp;
+
+ mp_limb_t ux, vx, rx;
+ mp_limb_t uc, vc, rc;
+ mp_limb_t ul, vl, rl;
+
+ un = GMP_ABS (u->_mp_size);
+ vn = GMP_ABS (v->_mp_size);
+ if (un < vn)
+ {
+ MPZ_SRCPTR_SWAP (u, v);
+ MP_SIZE_T_SWAP (un, vn);
+ }
+ if (vn == 0)
+ {
+ mpz_set (r, u);
+ return;
+ }
+
+ uc = u->_mp_size < 0;
+ vc = v->_mp_size < 0;
+ rc = uc ^ vc;
+
+ ux = -uc;
+ vx = -vc;
+ rx = -rc;
+
+ rp = MPZ_REALLOC (r, un + rc);
+
+ up = u->_mp_d;
+ vp = v->_mp_d;
+
+ i = 0;
+ do
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ vl = (vp[i] ^ vx) + vc;
+ vc = vl < vc;
+
+ rl = (ul ^ vl ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ while (++i < vn);
+ assert (vc == 0);
+
+ for (; i < un; i++)
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ rl = (ul ^ ux) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ if (rc)
+ rp[un++] = rc;
+ else
+ un = mpn_normalized_size (rp, un);
+
+ r->_mp_size = rx ? -un : un;
+}
+
+static unsigned
+gmp_popcount_limb (mp_limb_t x)
+{
+ unsigned c;
+
+ /* Do 16 bits at a time, to avoid limb-sized constants. */
+ for (c = 0; x > 0; x >>= 16)
+ {
+ unsigned w = ((x >> 1) & 0x5555) + (x & 0x5555);
+ w = ((w >> 2) & 0x3333) + (w & 0x3333);
+ w = ((w >> 4) & 0x0f0f) + (w & 0x0f0f);
+ w = (w >> 8) + (w & 0x00ff);
+ c += w;
+ }
+ return c;
+}
+
+mp_bitcnt_t
+mpn_popcount (mp_srcptr p, mp_size_t n)
+{
+ mp_size_t i;
+ mp_bitcnt_t c;
+
+ for (c = 0, i = 0; i < n; i++)
+ c += gmp_popcount_limb (p[i]);
+
+ return c;
+}
+
+mp_bitcnt_t
+mpz_popcount (const mpz_t u)
+{
+ mp_size_t un;
+
+ un = u->_mp_size;
+
+ if (un < 0)
+ return ~(mp_bitcnt_t) 0;
+
+ return mpn_popcount (u->_mp_d, un);
+}
+
+mp_bitcnt_t
+mpz_hamdist (const mpz_t u, const mpz_t v)
+{
+ mp_size_t un, vn, i;
+ mp_limb_t uc, vc, ul, vl, comp;
+ mp_srcptr up, vp;
+ mp_bitcnt_t c;
+
+ un = u->_mp_size;
+ vn = v->_mp_size;
+
+ if ( (un ^ vn) < 0)
+ return ~(mp_bitcnt_t) 0;
+
+ comp = - (uc = vc = (un < 0));
+ if (uc)
+ {
+ assert (vn < 0);
+ un = -un;
+ vn = -vn;
+ }
+
+ up = u->_mp_d;
+ vp = v->_mp_d;
+
+ if (un < vn)
+ MPN_SRCPTR_SWAP (up, un, vp, vn);
+
+ for (i = 0, c = 0; i < vn; i++)
+ {
+ ul = (up[i] ^ comp) + uc;
+ uc = ul < uc;
+
+ vl = (vp[i] ^ comp) + vc;
+ vc = vl < vc;
+
+ c += gmp_popcount_limb (ul ^ vl);
+ }
+ assert (vc == 0);
+
+ for (; i < un; i++)
+ {
+ ul = (up[i] ^ comp) + uc;
+ uc = ul < uc;
+
+ c += gmp_popcount_limb (ul ^ comp);
+ }
+
+ return c;
+}
+
+mp_bitcnt_t
+mpz_scan1 (const mpz_t u, mp_bitcnt_t starting_bit)
+{
+ mp_ptr up;
+ mp_size_t us, un, i;
+ mp_limb_t limb, ux;
+
+ us = u->_mp_size;
+ un = GMP_ABS (us);
+ i = starting_bit / GMP_LIMB_BITS;
+
+ /* Past the end there's no 1 bits for u>=0, or an immediate 1 bit
+ for u<0. Notice this test picks up any u==0 too. */
+ if (i >= un)
+ return (us >= 0 ? ~(mp_bitcnt_t) 0 : starting_bit);
+
+ up = u->_mp_d;
+ ux = 0;
+ limb = up[i];
+
+ if (starting_bit != 0)
+ {
+ if (us < 0)
+ {
+ ux = mpn_zero_p (up, i);
+ limb = ~ limb + ux;
+ ux = - (mp_limb_t) (limb >= ux);
+ }
+
+ /* Mask to 0 all bits before starting_bit, thus ignoring them. */
+ limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS));
+ }
+
+ return mpn_common_scan (limb, i, up, un, ux);
+}
+
+mp_bitcnt_t
+mpz_scan0 (const mpz_t u, mp_bitcnt_t starting_bit)
+{
+ mp_ptr up;
+ mp_size_t us, un, i;
+ mp_limb_t limb, ux;
+
+ us = u->_mp_size;
+ ux = - (mp_limb_t) (us >= 0);
+ un = GMP_ABS (us);
+ i = starting_bit / GMP_LIMB_BITS;
+
+ /* When past end, there's an immediate 0 bit for u>=0, or no 0 bits for
+ u<0. Notice this test picks up all cases of u==0 too. */
+ if (i >= un)
+ return (ux ? starting_bit : ~(mp_bitcnt_t) 0);
+
+ up = u->_mp_d;
+ limb = up[i] ^ ux;
+
+ if (ux == 0)
+ limb -= mpn_zero_p (up, i); /* limb = ~(~limb + zero_p) */
+
+ /* Mask all bits before starting_bit, thus ignoring them. */
+ limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS));
+
+ return mpn_common_scan (limb, i, up, un, ux);
+}
+
+
+/* MPZ base conversion. */
+
+size_t
+mpz_sizeinbase (const mpz_t u, int base)
+{
+ mp_size_t un;
+ mp_srcptr up;
+ mp_ptr tp;
+ mp_bitcnt_t bits;
+ struct gmp_div_inverse bi;
+ size_t ndigits;
+
+ assert (base >= 2);
+ assert (base <= 36);
+
+ un = GMP_ABS (u->_mp_size);
+ if (un == 0)
+ return 1;
+
+ up = u->_mp_d;
+
+ bits = (un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1]);
+ switch (base)
+ {
+ case 2:
+ return bits;
+ case 4:
+ return (bits + 1) / 2;
+ case 8:
+ return (bits + 2) / 3;
+ case 16:
+ return (bits + 3) / 4;
+ case 32:
+ return (bits + 4) / 5;
+ /* FIXME: Do something more clever for the common case of base
+ 10. */
+ }
+
+ tp = gmp_xalloc_limbs (un);
+ mpn_copyi (tp, up, un);
+ mpn_div_qr_1_invert (&bi, base);
+
+ ndigits = 0;
+ do
+ {
+ ndigits++;
+ mpn_div_qr_1_preinv (tp, tp, un, &bi);
+ un -= (tp[un-1] == 0);
+ }
+ while (un > 0);
+
+ gmp_free (tp);
+ return ndigits;
+}
+
+char *
+mpz_get_str (char *sp, int base, const mpz_t u)
+{
+ unsigned bits;
+ const char *digits;
+ mp_size_t un;
+ size_t i, sn;
+
+ if (base >= 0)
+ {
+ digits = "0123456789abcdefghijklmnopqrstuvwxyz";
+ }
+ else
+ {
+ base = -base;
+ digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ }
+ if (base <= 1)
+ base = 10;
+ if (base > 36)
+ return NULL;
+
+ sn = 1 + mpz_sizeinbase (u, base);
+ if (!sp)
+ sp = gmp_xalloc (1 + sn);
+
+ un = GMP_ABS (u->_mp_size);
+
+ if (un == 0)
+ {
+ sp[0] = '0';
+ sp[1] = '\0';
+ return sp;
+ }
+
+ i = 0;
+
+ if (u->_mp_size < 0)
+ sp[i++] = '-';
+
+ bits = mpn_base_power_of_two_p (base);
+
+ if (bits)
+ /* Not modified in this case. */
+ sn = i + mpn_get_str_bits ((unsigned char *) sp + i, bits, u->_mp_d, un);
+ else
+ {
+ struct mpn_base_info info;
+ mp_ptr tp;
+
+ mpn_get_base_info (&info, base);
+ tp = gmp_xalloc_limbs (un);
+ mpn_copyi (tp, u->_mp_d, un);
+
+ sn = i + mpn_get_str_other ((unsigned char *) sp + i, base, &info, tp, un);
+ gmp_free (tp);
+ }
+
+ for (; i < sn; i++)
+ sp[i] = digits[(unsigned char) sp[i]];
+
+ sp[sn] = '\0';
+ return sp;
+}
+
+int
+mpz_set_str (mpz_t r, const char *sp, int base)
+{
+ unsigned bits;
+ mp_size_t rn, alloc;
+ mp_ptr rp;
+ size_t sn;
+ int sign;
+ unsigned char *dp;
+
+ assert (base == 0 || (base >= 2 && base <= 36));
+
+ while (isspace( (unsigned char) *sp))
+ sp++;
+
+ sign = (*sp == '-');
+ sp += sign;
+
+ if (base == 0)
+ {
+ if (*sp == '0')
+ {
+ sp++;
+ if (*sp == 'x' || *sp == 'X')
+ {
+ base = 16;
+ sp++;
+ }
+ else if (*sp == 'b' || *sp == 'B')
+ {
+ base = 2;
+ sp++;
+ }
+ else
+ base = 8;
+ }
+ else
+ base = 10;
+ }
+
+ sn = strlen (sp);
+ dp = gmp_xalloc (sn + (sn == 0));
+
+ for (sn = 0; *sp; sp++)
+ {
+ unsigned digit;
+
+ if (isspace ((unsigned char) *sp))
+ continue;
+ if (*sp >= '0' && *sp <= '9')
+ digit = *sp - '0';
+ else if (*sp >= 'a' && *sp <= 'z')
+ digit = *sp - 'a' + 10;
+ else if (*sp >= 'A' && *sp <= 'Z')
+ digit = *sp - 'A' + 10;
+ else
+ digit = base; /* fail */
+
+ if (digit >= base)
+ {
+ gmp_free (dp);
+ r->_mp_size = 0;
+ return -1;
+ }
+
+ dp[sn++] = digit;
+ }
+
+ bits = mpn_base_power_of_two_p (base);
+
+ if (bits > 0)
+ {
+ alloc = (sn * bits + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS;
+ rp = MPZ_REALLOC (r, alloc);
+ rn = mpn_set_str_bits (rp, dp, sn, bits);
+ }
+ else
+ {
+ struct mpn_base_info info;
+ mpn_get_base_info (&info, base);
+ alloc = (sn + info.exp - 1) / info.exp;
+ rp = MPZ_REALLOC (r, alloc);
+ rn = mpn_set_str_other (rp, dp, sn, base, &info);
+ }
+ assert (rn <= alloc);
+ gmp_free (dp);
+
+ r->_mp_size = sign ? - rn : rn;
+
+ return 0;
+}
+
+int
+mpz_init_set_str (mpz_t r, const char *sp, int base)
+{
+ mpz_init (r);
+ return mpz_set_str (r, sp, base);
+}
+
+size_t
+mpz_out_str (FILE *stream, int base, const mpz_t x)
+{
+ char *str;
+ size_t len;
+
+ str = mpz_get_str (NULL, base, x);
+ len = strlen (str);
+ len = fwrite (str, 1, len, stream);
+ gmp_free (str);
+ return len;
+}
+
+
+static int
+gmp_detect_endian (void)
+{
+ static const int i = 2;
+ const unsigned char *p = (const unsigned char *) &i;
+ return 1 - *p;
+}
+
+/* Import and export. Does not support nails. */
+void
+mpz_import (mpz_t r, size_t count, int order, size_t size, int endian,
+ size_t nails, const void *src)
+{
+ const unsigned char *p;
+ ptrdiff_t word_step;
+ mp_ptr rp;
+ mp_size_t rn;
+
+ /* The current (partial) limb. */
+ mp_limb_t limb;
+ /* The number of bytes already copied to this limb (starting from
+ the low end). */
+ size_t bytes;
+ /* The index where the limb should be stored, when completed. */
+ mp_size_t i;
+
+ if (nails != 0)
+ gmp_die ("mpz_import: Nails not supported.");
+
+ assert (order == 1 || order == -1);
+ assert (endian >= -1 && endian <= 1);
+
+ if (endian == 0)
+ endian = gmp_detect_endian ();
+
+ p = (unsigned char *) src;
+
+ word_step = (order != endian) ? 2 * size : 0;
+
+ /* Process bytes from the least significant end, so point p at the
+ least significant word. */
+ if (order == 1)
+ {
+ p += size * (count - 1);
+ word_step = - word_step;
+ }
+
+ /* And at least significant byte of that word. */
+ if (endian == 1)
+ p += (size - 1);
+
+ rn = (size * count + sizeof(mp_limb_t) - 1) / sizeof(mp_limb_t);
+ rp = MPZ_REALLOC (r, rn);
+
+ for (limb = 0, bytes = 0, i = 0; count > 0; count--, p += word_step)
+ {
+ size_t j;
+ for (j = 0; j < size; j++, p -= (ptrdiff_t) endian)
+ {
+ limb |= (mp_limb_t) *p << (bytes++ * CHAR_BIT);
+ if (bytes == sizeof(mp_limb_t))
+ {
+ rp[i++] = limb;
+ bytes = 0;
+ limb = 0;
+ }
+ }
+ }
+ assert (i + (bytes > 0) == rn);
+ if (limb != 0)
+ rp[i++] = limb;
+ else
+ i = mpn_normalized_size (rp, i);
+
+ r->_mp_size = i;
+}
+
+void *
+mpz_export (void *r, size_t *countp, int order, size_t size, int endian,
+ size_t nails, const mpz_t u)
+{
+ size_t count;
+ mp_size_t un;
+
+ if (nails != 0)
+ gmp_die ("mpz_import: Nails not supported.");
+
+ assert (order == 1 || order == -1);
+ assert (endian >= -1 && endian <= 1);
+ assert (size > 0 || u->_mp_size == 0);
+
+ un = u->_mp_size;
+ count = 0;
+ if (un != 0)
+ {
+ size_t k;
+ unsigned char *p;
+ ptrdiff_t word_step;
+ /* The current (partial) limb. */
+ mp_limb_t limb;
+ /* The number of bytes left to to in this limb. */
+ size_t bytes;
+ /* The index where the limb was read. */
+ mp_size_t i;
+
+ un = GMP_ABS (un);
+
+ /* Count bytes in top limb. */
+ limb = u->_mp_d[un-1];
+ assert (limb != 0);
+
+ k = 0;
+ do {
+ k++; limb >>= CHAR_BIT;
+ } while (limb != 0);
+
+ count = (k + (un-1) * sizeof (mp_limb_t) + size - 1) / size;
+
+ if (!r)
+ r = gmp_xalloc (count * size);
+
+ if (endian == 0)
+ endian = gmp_detect_endian ();
+
+ p = (unsigned char *) r;
+
+ word_step = (order != endian) ? 2 * size : 0;
+
+ /* Process bytes from the least significant end, so point p at the
+ least significant word. */
+ if (order == 1)
+ {
+ p += size * (count - 1);
+ word_step = - word_step;
+ }
+
+ /* And at least significant byte of that word. */
+ if (endian == 1)
+ p += (size - 1);
+
+ for (bytes = 0, i = 0, k = 0; k < count; k++, p += word_step)
+ {
+ size_t j;
+ for (j = 0; j < size; j++, p -= (ptrdiff_t) endian)
+ {
+ if (bytes == 0)
+ {
+ if (i < un)
+ limb = u->_mp_d[i++];
+ bytes = sizeof (mp_limb_t);
+ }
+ *p = limb;
+ limb >>= CHAR_BIT;
+ bytes--;
+ }
+ }
+ assert (i == un);
+ assert (k == count);
+ }
+
+ if (countp)
+ *countp = count;
+
+ return r;
+}
diff --git a/external/nettle-3.3/nettle/mini-gmp.h b/external/nettle-3.3/nettle/mini-gmp.h
new file mode 100644
index 0000000..cdcb83b
--- /dev/null
+++ b/external/nettle-3.3/nettle/mini-gmp.h
@@ -0,0 +1,294 @@
+/* mini-gmp, a minimalistic implementation of a GNU GMP subset.
+
+Copyright 2011-2014 Free Software Foundation, Inc.
+
+This file is part of the GNU MP Library.
+
+The GNU MP Library is free software; you can redistribute it and/or modify
+it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+or
+
+ * the GNU General Public License as published by the Free Software
+ Foundation; either version 3 of the License, or (at your option) any
+ later version.
+
+or both in parallel, as here.
+
+The GNU MP Library is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+for more details.
+
+You should have received copies of the GNU General Public License and the
+GNU Lesser General Public License along with the GNU MP Library. If not,
+see https://www.gnu.org/licenses/. */
+
+/* About mini-gmp: This is a minimal implementation of a subset of the
+ GMP interface. It is intended for inclusion into applications which
+ have modest bignums needs, as a fallback when the real GMP library
+ is not installed.
+
+ This file defines the public interface. */
+
+#ifndef __MINI_GMP_H__
+#define __MINI_GMP_H__
+
+/* For size_t */
+#include <stddef.h>
+
+#if defined (__cplusplus)
+extern "C" {
+#endif
+
+void mp_set_memory_functions (void *(*) (size_t),
+ void *(*) (void *, size_t, size_t),
+ void (*) (void *, size_t));
+
+void mp_get_memory_functions (void *(**) (size_t),
+ void *(**) (void *, size_t, size_t),
+ void (**) (void *, size_t));
+
+typedef unsigned long mp_limb_t;
+typedef long mp_size_t;
+typedef unsigned long mp_bitcnt_t;
+
+typedef mp_limb_t *mp_ptr;
+typedef const mp_limb_t *mp_srcptr;
+
+typedef struct
+{
+ int _mp_alloc; /* Number of *limbs* allocated and pointed
+ to by the _mp_d field. */
+ int _mp_size; /* abs(_mp_size) is the number of limbs the
+ last field points to. If _mp_size is
+ negative this is a negative number. */
+ mp_limb_t *_mp_d; /* Pointer to the limbs. */
+} __mpz_struct;
+
+typedef __mpz_struct mpz_t[1];
+
+typedef __mpz_struct *mpz_ptr;
+typedef const __mpz_struct *mpz_srcptr;
+
+extern const int mp_bits_per_limb;
+
+void mpn_copyi (mp_ptr, mp_srcptr, mp_size_t);
+void mpn_copyd (mp_ptr, mp_srcptr, mp_size_t);
+void mpn_zero (mp_ptr, mp_size_t);
+
+int mpn_cmp (mp_srcptr, mp_srcptr, mp_size_t);
+
+mp_limb_t mpn_add_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t);
+mp_limb_t mpn_add_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t);
+mp_limb_t mpn_add (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t);
+
+mp_limb_t mpn_sub_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t);
+mp_limb_t mpn_sub_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t);
+mp_limb_t mpn_sub (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t);
+
+mp_limb_t mpn_mul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t);
+mp_limb_t mpn_addmul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t);
+mp_limb_t mpn_submul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t);
+
+mp_limb_t mpn_mul (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t);
+void mpn_mul_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t);
+void mpn_sqr (mp_ptr, mp_srcptr, mp_size_t);
+int mpn_perfect_square_p (mp_srcptr, mp_size_t);
+mp_size_t mpn_sqrtrem (mp_ptr, mp_ptr, mp_srcptr, mp_size_t);
+
+mp_limb_t mpn_lshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int);
+mp_limb_t mpn_rshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int);
+
+mp_bitcnt_t mpn_scan0 (mp_srcptr, mp_bitcnt_t);
+mp_bitcnt_t mpn_scan1 (mp_srcptr, mp_bitcnt_t);
+
+mp_bitcnt_t mpn_popcount (mp_srcptr, mp_size_t);
+
+mp_limb_t mpn_invert_3by2 (mp_limb_t, mp_limb_t);
+#define mpn_invert_limb(x) mpn_invert_3by2 ((x), 0)
+
+size_t mpn_get_str (unsigned char *, int, mp_ptr, mp_size_t);
+mp_size_t mpn_set_str (mp_ptr, const unsigned char *, size_t, int);
+
+void mpz_init (mpz_t);
+void mpz_init2 (mpz_t, mp_bitcnt_t);
+void mpz_clear (mpz_t);
+
+#define mpz_odd_p(z) (((z)->_mp_size != 0) & (int) (z)->_mp_d[0])
+#define mpz_even_p(z) (! mpz_odd_p (z))
+
+int mpz_sgn (const mpz_t);
+int mpz_cmp_si (const mpz_t, long);
+int mpz_cmp_ui (const mpz_t, unsigned long);
+int mpz_cmp (const mpz_t, const mpz_t);
+int mpz_cmpabs_ui (const mpz_t, unsigned long);
+int mpz_cmpabs (const mpz_t, const mpz_t);
+int mpz_cmp_d (const mpz_t, double);
+int mpz_cmpabs_d (const mpz_t, double);
+
+void mpz_abs (mpz_t, const mpz_t);
+void mpz_neg (mpz_t, const mpz_t);
+void mpz_swap (mpz_t, mpz_t);
+
+void mpz_add_ui (mpz_t, const mpz_t, unsigned long);
+void mpz_add (mpz_t, const mpz_t, const mpz_t);
+void mpz_sub_ui (mpz_t, const mpz_t, unsigned long);
+void mpz_ui_sub (mpz_t, unsigned long, const mpz_t);
+void mpz_sub (mpz_t, const mpz_t, const mpz_t);
+
+void mpz_mul_si (mpz_t, const mpz_t, long int);
+void mpz_mul_ui (mpz_t, const mpz_t, unsigned long int);
+void mpz_mul (mpz_t, const mpz_t, const mpz_t);
+void mpz_mul_2exp (mpz_t, const mpz_t, mp_bitcnt_t);
+void mpz_addmul_ui (mpz_t, const mpz_t, unsigned long int);
+void mpz_addmul (mpz_t, const mpz_t, const mpz_t);
+void mpz_submul_ui (mpz_t, const mpz_t, unsigned long int);
+void mpz_submul (mpz_t, const mpz_t, const mpz_t);
+
+void mpz_cdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t);
+void mpz_fdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t);
+void mpz_tdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t);
+void mpz_cdiv_q (mpz_t, const mpz_t, const mpz_t);
+void mpz_fdiv_q (mpz_t, const mpz_t, const mpz_t);
+void mpz_tdiv_q (mpz_t, const mpz_t, const mpz_t);
+void mpz_cdiv_r (mpz_t, const mpz_t, const mpz_t);
+void mpz_fdiv_r (mpz_t, const mpz_t, const mpz_t);
+void mpz_tdiv_r (mpz_t, const mpz_t, const mpz_t);
+
+void mpz_cdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t);
+void mpz_fdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t);
+void mpz_tdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t);
+void mpz_cdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t);
+void mpz_fdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t);
+void mpz_tdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t);
+
+void mpz_mod (mpz_t, const mpz_t, const mpz_t);
+
+void mpz_divexact (mpz_t, const mpz_t, const mpz_t);
+
+int mpz_divisible_p (const mpz_t, const mpz_t);
+int mpz_congruent_p (const mpz_t, const mpz_t, const mpz_t);
+
+unsigned long mpz_cdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long);
+unsigned long mpz_fdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long);
+unsigned long mpz_tdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long);
+unsigned long mpz_cdiv_q_ui (mpz_t, const mpz_t, unsigned long);
+unsigned long mpz_fdiv_q_ui (mpz_t, const mpz_t, unsigned long);
+unsigned long mpz_tdiv_q_ui (mpz_t, const mpz_t, unsigned long);
+unsigned long mpz_cdiv_r_ui (mpz_t, const mpz_t, unsigned long);
+unsigned long mpz_fdiv_r_ui (mpz_t, const mpz_t, unsigned long);
+unsigned long mpz_tdiv_r_ui (mpz_t, const mpz_t, unsigned long);
+unsigned long mpz_cdiv_ui (const mpz_t, unsigned long);
+unsigned long mpz_fdiv_ui (const mpz_t, unsigned long);
+unsigned long mpz_tdiv_ui (const mpz_t, unsigned long);
+
+unsigned long mpz_mod_ui (mpz_t, const mpz_t, unsigned long);
+
+void mpz_divexact_ui (mpz_t, const mpz_t, unsigned long);
+
+int mpz_divisible_ui_p (const mpz_t, unsigned long);
+
+unsigned long mpz_gcd_ui (mpz_t, const mpz_t, unsigned long);
+void mpz_gcd (mpz_t, const mpz_t, const mpz_t);
+void mpz_gcdext (mpz_t, mpz_t, mpz_t, const mpz_t, const mpz_t);
+void mpz_lcm_ui (mpz_t, const mpz_t, unsigned long);
+void mpz_lcm (mpz_t, const mpz_t, const mpz_t);
+int mpz_invert (mpz_t, const mpz_t, const mpz_t);
+
+void mpz_sqrtrem (mpz_t, mpz_t, const mpz_t);
+void mpz_sqrt (mpz_t, const mpz_t);
+int mpz_perfect_square_p (const mpz_t);
+
+void mpz_pow_ui (mpz_t, const mpz_t, unsigned long);
+void mpz_ui_pow_ui (mpz_t, unsigned long, unsigned long);
+void mpz_powm (mpz_t, const mpz_t, const mpz_t, const mpz_t);
+void mpz_powm_ui (mpz_t, const mpz_t, unsigned long, const mpz_t);
+
+void mpz_rootrem (mpz_t, mpz_t, const mpz_t, unsigned long);
+int mpz_root (mpz_t, const mpz_t, unsigned long);
+
+void mpz_fac_ui (mpz_t, unsigned long);
+void mpz_bin_uiui (mpz_t, unsigned long, unsigned long);
+
+int mpz_probab_prime_p (const mpz_t, int);
+
+int mpz_tstbit (const mpz_t, mp_bitcnt_t);
+void mpz_setbit (mpz_t, mp_bitcnt_t);
+void mpz_clrbit (mpz_t, mp_bitcnt_t);
+void mpz_combit (mpz_t, mp_bitcnt_t);
+
+void mpz_com (mpz_t, const mpz_t);
+void mpz_and (mpz_t, const mpz_t, const mpz_t);
+void mpz_ior (mpz_t, const mpz_t, const mpz_t);
+void mpz_xor (mpz_t, const mpz_t, const mpz_t);
+
+mp_bitcnt_t mpz_popcount (const mpz_t);
+mp_bitcnt_t mpz_hamdist (const mpz_t, const mpz_t);
+mp_bitcnt_t mpz_scan0 (const mpz_t, mp_bitcnt_t);
+mp_bitcnt_t mpz_scan1 (const mpz_t, mp_bitcnt_t);
+
+int mpz_fits_slong_p (const mpz_t);
+int mpz_fits_ulong_p (const mpz_t);
+long int mpz_get_si (const mpz_t);
+unsigned long int mpz_get_ui (const mpz_t);
+double mpz_get_d (const mpz_t);
+size_t mpz_size (const mpz_t);
+mp_limb_t mpz_getlimbn (const mpz_t, mp_size_t);
+
+void mpz_realloc2 (mpz_t, mp_bitcnt_t);
+mp_srcptr mpz_limbs_read (mpz_srcptr);
+mp_ptr mpz_limbs_modify (mpz_t, mp_size_t);
+mp_ptr mpz_limbs_write (mpz_t, mp_size_t);
+void mpz_limbs_finish (mpz_t, mp_size_t);
+mpz_srcptr mpz_roinit_n (mpz_t, mp_srcptr, mp_size_t);
+
+#define MPZ_ROINIT_N(xp, xs) {{0, (xs),(xp) }}
+
+void mpz_set_si (mpz_t, signed long int);
+void mpz_set_ui (mpz_t, unsigned long int);
+void mpz_set (mpz_t, const mpz_t);
+void mpz_set_d (mpz_t, double);
+
+void mpz_init_set_si (mpz_t, signed long int);
+void mpz_init_set_ui (mpz_t, unsigned long int);
+void mpz_init_set (mpz_t, const mpz_t);
+void mpz_init_set_d (mpz_t, double);
+
+size_t mpz_sizeinbase (const mpz_t, int);
+char *mpz_get_str (char *, int, const mpz_t);
+int mpz_set_str (mpz_t, const char *, int);
+int mpz_init_set_str (mpz_t, const char *, int);
+
+/* This long list taken from gmp.h. */
+/* For reference, "defined(EOF)" cannot be used here. In g++ 2.95.4,
+ <iostream> defines EOF but not FILE. */
+#if defined (FILE) \
+ || defined (H_STDIO) \
+ || defined (_H_STDIO) /* AIX */ \
+ || defined (_STDIO_H) /* glibc, Sun, SCO */ \
+ || defined (_STDIO_H_) /* BSD, OSF */ \
+ || defined (__STDIO_H) /* Borland */ \
+ || defined (__STDIO_H__) /* IRIX */ \
+ || defined (_STDIO_INCLUDED) /* HPUX */ \
+ || defined (__dj_include_stdio_h_) /* DJGPP */ \
+ || defined (_FILE_DEFINED) /* Microsoft */ \
+ || defined (__STDIO__) /* Apple MPW MrC */ \
+ || defined (_MSL_STDIO_H) /* Metrowerks */ \
+ || defined (_STDIO_H_INCLUDED) /* QNX4 */ \
+ || defined (_ISO_STDIO_ISO_H) /* Sun C++ */ \
+ || defined (__STDIO_LOADED) /* VMS */
+size_t mpz_out_str (FILE *, int, const mpz_t);
+#endif
+
+void mpz_import (mpz_t, size_t, int, size_t, int, size_t, const void *);
+void *mpz_export (void *, size_t *, int, size_t, int, size_t, const mpz_t);
+
+#if defined (__cplusplus)
+}
+#endif
+#endif /* __MINI_GMP_H__ */
diff --git a/external/nettle-3.3/nettle/nettle-internal.h b/external/nettle-3.3/nettle/nettle-internal.h
new file mode 100644
index 0000000..cf776fe
--- /dev/null
+++ b/external/nettle-3.3/nettle/nettle-internal.h
@@ -0,0 +1,92 @@
+/* nettle-internal.h
+
+ Things that are used only by the testsuite and benchmark, and
+ not included in the library.
+
+ Copyright (C) 2002, 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_INTERNAL_H_INCLUDED
+#define NETTLE_INTERNAL_H_INCLUDED
+
+#include "nettle-meta.h"
+
+/* Temporary allocation, for systems that don't support alloca. Note
+ * that the allocation requests should always be reasonably small, so
+ * that they can fit on the stack. For non-alloca systems, we use a
+ * fix maximum size, and abort if we ever need anything larger. */
+
+#if HAVE_ALLOCA
+# define TMP_DECL(name, type, max) type *name
+# define TMP_ALLOC(name, size) (name = alloca(sizeof (*name) * (size)))
+#else /* !HAVE_ALLOCA */
+# define TMP_DECL(name, type, max) type name[max]
+# define TMP_ALLOC(name, size) \
+ do { if ((size) > (sizeof(name) / sizeof(name[0]))) abort(); } while (0)
+#endif
+
+/* Arbitrary limits which apply to systems that don't have alloca */
+#define NETTLE_MAX_HASH_BLOCK_SIZE 128
+#define NETTLE_MAX_HASH_DIGEST_SIZE 64
+#define NETTLE_MAX_SEXP_ASSOC 17
+#define NETTLE_MAX_CIPHER_BLOCK_SIZE 32
+
+/* Doesn't quite fit with the other algorithms, because of the weak
+ * keys. Weak keys are not reported, the functions will simply crash
+ * if you try to use a weak key. */
+
+extern const struct nettle_cipher nettle_des;
+extern const struct nettle_cipher nettle_des3;
+
+extern const struct nettle_cipher nettle_blowfish128;
+
+extern const struct nettle_cipher nettle_unified_aes128;
+extern const struct nettle_cipher nettle_unified_aes192;
+extern const struct nettle_cipher nettle_unified_aes256;
+
+/* Stream ciphers treated as aead algorithms with no authentication. */
+extern const struct nettle_aead nettle_arcfour128;
+extern const struct nettle_aead nettle_chacha;
+extern const struct nettle_aead nettle_salsa20;
+extern const struct nettle_aead nettle_salsa20r12;
+
+/* Glue to openssl, for comparative benchmarking. Code in
+ * examples/nettle-openssl.c. */
+extern const struct nettle_cipher nettle_openssl_aes128;
+extern const struct nettle_cipher nettle_openssl_aes192;
+extern const struct nettle_cipher nettle_openssl_aes256;
+extern const struct nettle_cipher nettle_openssl_blowfish128;
+extern const struct nettle_cipher nettle_openssl_des;
+extern const struct nettle_cipher nettle_openssl_cast128;
+extern const struct nettle_aead nettle_openssl_arcfour128;
+
+extern const struct nettle_hash nettle_openssl_md5;
+extern const struct nettle_hash nettle_openssl_sha1;
+
+#endif /* NETTLE_INTERNAL_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/nettle-meta.h b/external/nettle-3.3/nettle/nettle-meta.h
new file mode 100644
index 0000000..d27369c
--- /dev/null
+++ b/external/nettle-3.3/nettle/nettle-meta.h
@@ -0,0 +1,230 @@
+/* nettle-meta.h
+
+ Information about algorithms.
+
+ Copyright (C) 2002, 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_META_H_INCLUDED
+#define NETTLE_META_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+struct nettle_cipher
+{
+ const char *name;
+
+ unsigned context_size;
+
+ /* Zero for stream ciphers */
+ unsigned block_size;
+
+ /* Suggested key size; other sizes are sometimes possible. */
+ unsigned key_size;
+
+ nettle_set_key_func *set_encrypt_key;
+ nettle_set_key_func *set_decrypt_key;
+
+ nettle_cipher_func *encrypt;
+ nettle_cipher_func *decrypt;
+};
+
+/* null-terminated list of ciphers implemented by this version of nettle */
+extern const struct nettle_cipher * const nettle_ciphers[];
+
+extern const struct nettle_cipher nettle_aes128;
+extern const struct nettle_cipher nettle_aes192;
+extern const struct nettle_cipher nettle_aes256;
+
+extern const struct nettle_cipher nettle_camellia128;
+extern const struct nettle_cipher nettle_camellia192;
+extern const struct nettle_cipher nettle_camellia256;
+
+extern const struct nettle_cipher nettle_cast128;
+
+extern const struct nettle_cipher nettle_serpent128;
+extern const struct nettle_cipher nettle_serpent192;
+extern const struct nettle_cipher nettle_serpent256;
+
+extern const struct nettle_cipher nettle_twofish128;
+extern const struct nettle_cipher nettle_twofish192;
+extern const struct nettle_cipher nettle_twofish256;
+
+extern const struct nettle_cipher nettle_arctwo40;
+extern const struct nettle_cipher nettle_arctwo64;
+extern const struct nettle_cipher nettle_arctwo128;
+extern const struct nettle_cipher nettle_arctwo_gutmann128;
+
+struct nettle_hash
+{
+ const char *name;
+
+ /* Size of the context struct */
+ unsigned context_size;
+
+ /* Size of digests */
+ unsigned digest_size;
+
+ /* Internal block size */
+ unsigned block_size;
+
+ nettle_hash_init_func *init;
+ nettle_hash_update_func *update;
+ nettle_hash_digest_func *digest;
+};
+
+#define _NETTLE_HASH(name, NAME) { \
+ #name, \
+ sizeof(struct name##_ctx), \
+ NAME##_DIGEST_SIZE, \
+ NAME##_BLOCK_SIZE, \
+ (nettle_hash_init_func *) name##_init, \
+ (nettle_hash_update_func *) name##_update, \
+ (nettle_hash_digest_func *) name##_digest \
+}
+
+/* null-terminated list of digests implemented by this version of nettle */
+extern const struct nettle_hash * const nettle_hashes[];
+
+extern const struct nettle_hash nettle_md2;
+extern const struct nettle_hash nettle_md4;
+extern const struct nettle_hash nettle_md5;
+extern const struct nettle_hash nettle_gosthash94;
+extern const struct nettle_hash nettle_ripemd160;
+extern const struct nettle_hash nettle_sha1;
+extern const struct nettle_hash nettle_sha224;
+extern const struct nettle_hash nettle_sha256;
+extern const struct nettle_hash nettle_sha384;
+extern const struct nettle_hash nettle_sha512;
+extern const struct nettle_hash nettle_sha512_224;
+extern const struct nettle_hash nettle_sha512_256;
+extern const struct nettle_hash nettle_sha3_224;
+extern const struct nettle_hash nettle_sha3_256;
+extern const struct nettle_hash nettle_sha3_384;
+extern const struct nettle_hash nettle_sha3_512;
+
+struct nettle_aead
+{
+ const char *name;
+
+ unsigned context_size;
+ /* Block size for encrypt and decrypt. */
+ unsigned block_size;
+ unsigned key_size;
+ unsigned nonce_size;
+ unsigned digest_size;
+
+ nettle_set_key_func *set_encrypt_key;
+ nettle_set_key_func *set_decrypt_key;
+ nettle_set_key_func *set_nonce;
+ nettle_hash_update_func *update;
+ nettle_crypt_func *encrypt;
+ nettle_crypt_func *decrypt;
+ /* FIXME: Drop length argument? */
+ nettle_hash_digest_func *digest;
+};
+
+/* null-terminated list of aead constructions implemented by this
+ version of nettle */
+extern const struct nettle_aead * const nettle_aeads[];
+
+extern const struct nettle_aead nettle_gcm_aes128;
+extern const struct nettle_aead nettle_gcm_aes192;
+extern const struct nettle_aead nettle_gcm_aes256;
+extern const struct nettle_aead nettle_gcm_camellia128;
+extern const struct nettle_aead nettle_gcm_camellia256;
+extern const struct nettle_aead nettle_eax_aes128;
+extern const struct nettle_aead nettle_chacha_poly1305;
+
+struct nettle_armor
+{
+ const char *name;
+ unsigned encode_context_size;
+ unsigned decode_context_size;
+
+ unsigned encode_final_length;
+
+ nettle_armor_init_func *encode_init;
+ nettle_armor_length_func *encode_length;
+ nettle_armor_encode_update_func *encode_update;
+ nettle_armor_encode_final_func *encode_final;
+
+ nettle_armor_init_func *decode_init;
+ nettle_armor_length_func *decode_length;
+ nettle_armor_decode_update_func *decode_update;
+ nettle_armor_decode_final_func *decode_final;
+};
+
+#define _NETTLE_ARMOR(name, NAME) { \
+ #name, \
+ sizeof(struct name##_encode_ctx), \
+ sizeof(struct name##_decode_ctx), \
+ NAME##_ENCODE_FINAL_LENGTH, \
+ (nettle_armor_init_func *) name##_encode_init, \
+ (nettle_armor_length_func *) name##_encode_length, \
+ (nettle_armor_encode_update_func *) name##_encode_update, \
+ (nettle_armor_encode_final_func *) name##_encode_final, \
+ (nettle_armor_init_func *) name##_decode_init, \
+ (nettle_armor_length_func *) name##_decode_length, \
+ (nettle_armor_decode_update_func *) name##_decode_update, \
+ (nettle_armor_decode_final_func *) name##_decode_final, \
+}
+
+#define _NETTLE_ARMOR_0(name, NAME) { \
+ #name, \
+ 0, \
+ sizeof(struct name##_decode_ctx), \
+ NAME##_ENCODE_FINAL_LENGTH, \
+ (nettle_armor_init_func *) name##_encode_init, \
+ (nettle_armor_length_func *) name##_encode_length, \
+ (nettle_armor_encode_update_func *) name##_encode_update, \
+ (nettle_armor_encode_final_func *) name##_encode_final, \
+ (nettle_armor_init_func *) name##_decode_init, \
+ (nettle_armor_length_func *) name##_decode_length, \
+ (nettle_armor_decode_update_func *) name##_decode_update, \
+ (nettle_armor_decode_final_func *) name##_decode_final, \
+}
+
+/* null-terminated list of armor schemes implemented by this version of nettle */
+extern const struct nettle_armor * const nettle_armors[];
+
+extern const struct nettle_armor nettle_base64;
+extern const struct nettle_armor nettle_base64url;
+extern const struct nettle_armor nettle_base16;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_META_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/nettle-stdint.h b/external/nettle-3.3/nettle/nettle-stdint.h
new file mode 100644
index 0000000..3298fa6
--- /dev/null
+++ b/external/nettle-3.3/nettle/nettle-stdint.h
@@ -0,0 +1,6 @@
+#ifndef __NETTLE_STDINT_H
+#define __NETTLE_STDINT_H
+
+#include <stdint.h>
+
+#endif /* __NETTLE_STDINT_H */
diff --git a/external/nettle-3.3/nettle/nettle-types.h b/external/nettle-3.3/nettle/nettle-types.h
new file mode 100644
index 0000000..8f77ea9
--- /dev/null
+++ b/external/nettle-3.3/nettle/nettle-types.h
@@ -0,0 +1,110 @@
+/* nettle-types.h
+
+ Copyright (C) 2005, 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_TYPES_H
+#define NETTLE_TYPES_H
+
+/* For size_t */
+#include <stddef.h>
+
+/* Pretend these types always exists. Nettle doesn't use them. */
+#define _STDINT_HAVE_INT_FAST32_T 1
+#include "nettle-stdint.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* An aligned 16-byte block. */
+union nettle_block16
+{
+ uint8_t b[16];
+ unsigned long w[16 / sizeof(unsigned long)];
+};
+
+/* Randomness. Used by key generation and dsa signature creation. */
+typedef void nettle_random_func(void *ctx,
+ size_t length, uint8_t *dst);
+
+/* Progress report function, mainly for key generation. */
+typedef void nettle_progress_func(void *ctx, int c);
+
+/* Realloc function, used by struct nettle_buffer. */
+typedef void *nettle_realloc_func(void *ctx, void *p, size_t length);
+
+/* Ciphers */
+typedef void nettle_set_key_func(void *ctx, const uint8_t *key);
+
+/* For block ciphers, const context. */
+typedef void nettle_cipher_func(const void *ctx,
+ size_t length, uint8_t *dst,
+ const uint8_t *src);
+
+
+/* Uses a void * for cipher contexts. Used for crypt operations where
+ the internal state changes during the encryption. */
+typedef void nettle_crypt_func(void *ctx,
+ size_t length, uint8_t *dst,
+ const uint8_t *src);
+
+/* Hash algorithms */
+typedef void nettle_hash_init_func(void *ctx);
+typedef void nettle_hash_update_func(void *ctx,
+ size_t length,
+ const uint8_t *src);
+typedef void nettle_hash_digest_func(void *ctx,
+ size_t length, uint8_t *dst);
+
+/* ASCII armor codecs. NOTE: Experimental and subject to change. */
+
+typedef size_t nettle_armor_length_func(size_t length);
+typedef void nettle_armor_init_func(void *ctx);
+
+typedef size_t nettle_armor_encode_update_func(void *ctx,
+ uint8_t *dst,
+ size_t src_length,
+ const uint8_t *src);
+
+typedef size_t nettle_armor_encode_final_func(void *ctx, uint8_t *dst);
+
+typedef int nettle_armor_decode_update_func(void *ctx,
+ size_t *dst_length,
+ uint8_t *dst,
+ size_t src_length,
+ const uint8_t *src);
+
+typedef int nettle_armor_decode_final_func(void *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_TYPES_H */
diff --git a/external/nettle-3.3/nettle/nettle-write.h b/external/nettle-3.3/nettle/nettle-write.h
new file mode 100644
index 0000000..54152bd
--- /dev/null
+++ b/external/nettle-3.3/nettle/nettle-write.h
@@ -0,0 +1,58 @@
+/* nettle-write.h
+
+ Internal functions to write out word-sized data to byte arrays.
+
+ Copyright (C) 2010 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_WRITE_H_INCLUDED
+#define NETTLE_WRITE_H_INCLUDED
+
+/* For size_t */
+#include <stddef.h>
+
+#include "nettle-stdint.h"
+
+/* Write the word array at SRC to the byte array at DST, using little
+ endian (le) or big endian (be) byte order, and truncating the
+ result to LENGTH bytes. */
+
+/* FIXME: Use a macro shortcut to memcpy for native endianness. */
+void
+_nettle_write_be32(size_t length, uint8_t *dst,
+ uint32_t *src);
+void
+_nettle_write_le32(size_t length, uint8_t *dst,
+ uint32_t *src);
+
+void
+_nettle_write_le64(size_t length, uint8_t *dst,
+ uint64_t *src);
+
+#endif /* NETTLE_WRITE_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/pkcs1-rsa-sha256.c b/external/nettle-3.3/nettle/pkcs1-rsa-sha256.c
new file mode 100644
index 0000000..2c2b5c0
--- /dev/null
+++ b/external/nettle-3.3/nettle/pkcs1-rsa-sha256.c
@@ -0,0 +1,120 @@
+/* pkcs1-rsa-sha256.c
+
+ PKCS stuff for rsa-sha256.
+
+ Copyright (C) 2001, 2003, 2006 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pkcs1.h"
+
+#include "gmp-glue.h"
+
+/* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA
+ * Cryptography Specifications Version 2.1.
+ *
+ * id-sha256 OBJECT IDENTIFIER ::=
+ * {joint-iso-itu-t(2) country(16) us(840) organization(1)
+ * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1}
+ */
+
+static const uint8_t
+sha256_prefix[] =
+{
+ /* 19 octets prefix, 32 octets hash, total 51 */
+ 0x30, 49, /* SEQUENCE */
+ 0x30, 13, /* SEQUENCE */
+ 0x06, 9, /* OBJECT IDENTIFIER */
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
+ 0x05, 0, /* NULL */
+ 0x04, 32 /* OCTET STRING */
+ /* Here comes the raw hash value */
+};
+
+int
+pkcs1_rsa_sha256_encode(mpz_t m, size_t key_size, struct sha256_ctx *hash)
+{
+ uint8_t *p;
+ TMP_GMP_DECL(em, uint8_t);
+
+ TMP_GMP_ALLOC(em, key_size);
+
+ p = _pkcs1_signature_prefix(key_size, em,
+ sizeof(sha256_prefix),
+ sha256_prefix,
+ SHA256_DIGEST_SIZE);
+ if (p)
+ {
+ sha256_digest(hash, SHA256_DIGEST_SIZE, p);
+ nettle_mpz_set_str_256_u(m, key_size, em);
+ TMP_GMP_FREE(em);
+ return 1;
+ }
+ else
+ {
+ TMP_GMP_FREE(em);
+ return 0;
+ }
+}
+
+int
+pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest)
+{
+ uint8_t *p;
+ TMP_GMP_DECL(em, uint8_t);
+
+ TMP_GMP_ALLOC(em, key_size);
+
+ p = _pkcs1_signature_prefix(key_size, em,
+ sizeof(sha256_prefix),
+ sha256_prefix,
+ SHA256_DIGEST_SIZE);
+ if (p)
+ {
+ memcpy(p, digest, SHA256_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(m, key_size, em);
+ TMP_GMP_FREE(em);
+ return 1;
+ }
+ else
+ {
+ TMP_GMP_FREE(em);
+ return 0;
+ }
+}
diff --git a/external/nettle-3.3/nettle/pkcs1.c b/external/nettle-3.3/nettle/pkcs1.c
new file mode 100644
index 0000000..87a2d2e
--- /dev/null
+++ b/external/nettle-3.3/nettle/pkcs1.c
@@ -0,0 +1,73 @@
+/* pkcs1.c
+
+ PKCS1 embedding.
+
+ Copyright (C) 2003 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <string.h>
+
+#include "pkcs1.h"
+
+/* Formats the PKCS#1 padding, of the form
+ *
+ * 0x00 0x01 0xff ... 0xff 0x00 id ...digest...
+ *
+ * where the 0xff ... 0xff part consists of at least 8 octets. The
+ * total size equals the octet size of n.
+ */
+uint8_t *
+_pkcs1_signature_prefix(unsigned key_size,
+ uint8_t *buffer,
+ unsigned id_size,
+ const uint8_t *id,
+ unsigned digest_size)
+{
+ unsigned j;
+
+ if (key_size < 11 + id_size + digest_size)
+ return NULL;
+
+ j = key_size - digest_size - id_size;
+
+ memcpy (buffer + j, id, id_size);
+ buffer[0] = 0;
+ buffer[1] = 1;
+ buffer[j-1] = 0;
+
+ assert(j >= 11);
+ memset(buffer + 2, 0xff, j - 3);
+
+ return buffer + j + id_size;
+}
diff --git a/external/nettle-3.3/nettle/pkcs1.h b/external/nettle-3.3/nettle/pkcs1.h
new file mode 100644
index 0000000..7391804
--- /dev/null
+++ b/external/nettle-3.3/nettle/pkcs1.h
@@ -0,0 +1,114 @@
+/* pkcs1.h
+
+ PKCS1 embedding.
+
+ Copyright (C) 2003 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_PKCS1_H_INCLUDED
+#define NETTLE_PKCS1_H_INCLUDED
+
+#include "nettle-types.h"
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define _pkcs1_signature_prefix _nettle_pkcs1_signature_prefix
+#define pkcs1_rsa_digest_encode nettle_pkcs1_rsa_digest_encode
+#define pkcs1_rsa_md5_encode nettle_pkcs1_rsa_md5_encode
+#define pkcs1_rsa_md5_encode_digest nettle_pkcs1_rsa_md5_encode_digest
+#define pkcs1_rsa_sha1_encode nettle_pkcs1_rsa_sha1_encode
+#define pkcs1_rsa_sha1_encode_digest nettle_pkcs1_rsa_sha1_encode_digest
+#define pkcs1_rsa_sha256_encode nettle_pkcs1_rsa_sha256_encode
+#define pkcs1_rsa_sha256_encode_digest nettle_pkcs1_rsa_sha256_encode_digest
+#define pkcs1_rsa_sha512_encode nettle_pkcs1_rsa_sha512_encode
+#define pkcs1_rsa_sha512_encode_digest nettle_pkcs1_rsa_sha512_encode_digest
+#define pkcs1_encrypt nettle_pkcs1_encrypt
+#define pkcs1_decrypt nettle_pkcs1_decrypt
+
+struct md5_ctx;
+struct sha1_ctx;
+struct sha256_ctx;
+struct sha512_ctx;
+
+uint8_t *
+_pkcs1_signature_prefix(unsigned key_size,
+ uint8_t *buffer,
+ unsigned id_size,
+ const uint8_t *id,
+ unsigned digest_size);
+
+int
+pkcs1_encrypt (size_t key_size,
+ /* For padding */
+ void *random_ctx, nettle_random_func *random,
+ size_t length, const uint8_t *message,
+ mpz_t m);
+
+int
+pkcs1_decrypt (size_t key_size,
+ const mpz_t m,
+ size_t *length, uint8_t *message);
+
+int
+pkcs1_rsa_digest_encode(mpz_t m, size_t key_size,
+ size_t di_length, const uint8_t *digest_info);
+
+int
+pkcs1_rsa_md5_encode(mpz_t m, size_t length, struct md5_ctx *hash);
+
+int
+pkcs1_rsa_md5_encode_digest(mpz_t m, size_t length, const uint8_t *digest);
+
+int
+pkcs1_rsa_sha1_encode(mpz_t m, size_t length, struct sha1_ctx *hash);
+
+int
+pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t length, const uint8_t *digest);
+
+int
+pkcs1_rsa_sha256_encode(mpz_t m, size_t length, struct sha256_ctx *hash);
+
+int
+pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t length, const uint8_t *digest);
+
+int
+pkcs1_rsa_sha512_encode(mpz_t m, size_t length, struct sha512_ctx *hash);
+
+int
+pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t length, const uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_PKCS1_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/realloc.c b/external/nettle-3.3/nettle/realloc.c
new file mode 100644
index 0000000..4e9a4b7
--- /dev/null
+++ b/external/nettle-3.3/nettle/realloc.c
@@ -0,0 +1,69 @@
+/* realloc.c
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+
+#include "realloc.h"
+
+/* NOTE: Calling libc realloc with size == 0 is not required to
+ totally free the object, it is allowed to return a valid
+ pointer. */
+void *
+nettle_realloc(void *ctx, void *p, size_t length)
+{
+ if (length > 0)
+ return realloc(p, length);
+
+ free(p);
+ return NULL;
+}
+
+void *
+nettle_xrealloc(void *ctx, void *p, size_t length)
+{
+ if (length > 0)
+ {
+ void *n = realloc(p, length);
+ if (!n)
+ {
+ fprintf(stderr, "Virtual memory exhausted.\n");
+ abort();
+ }
+ return n;
+ }
+ free(p);
+ return NULL;
+}
diff --git a/external/nettle-3.3/nettle/realloc.h b/external/nettle-3.3/nettle/realloc.h
new file mode 100644
index 0000000..e696a84
--- /dev/null
+++ b/external/nettle-3.3/nettle/realloc.h
@@ -0,0 +1,48 @@
+/* realloc.h
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_REALLOC_H_INCLUDED
+#define NETTLE_REALLOC_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+nettle_realloc_func nettle_realloc;
+nettle_realloc_func nettle_xrealloc;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_REALLOC_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/rsa-keygen.c b/external/nettle-3.3/nettle/rsa-keygen.c
new file mode 100644
index 0000000..5260239
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa-keygen.c
@@ -0,0 +1,212 @@
+/* rsa-keygen.c
+
+ Generation of RSA keypairs
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include "rsa.h"
+#include "bignum.h"
+
+#ifndef DEBUG
+# define DEBUG 0
+#endif
+
+#if DEBUG
+# include <stdio.h>
+#endif
+
+
+int
+rsa_generate_keypair(struct rsa_public_key *pub,
+ struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ void *progress_ctx, nettle_progress_func *progress,
+ unsigned n_size,
+ unsigned e_size)
+{
+ mpz_t p1;
+ mpz_t q1;
+ mpz_t phi;
+ mpz_t tmp;
+
+ if (e_size)
+ {
+ /* We should choose e randomly. Is the size reasonable? */
+ if ((e_size < 16) || (e_size >= n_size) )
+ return 0;
+ }
+ else
+ {
+ /* We have a fixed e. Check that it makes sense */
+
+ /* It must be odd */
+ if (!mpz_tstbit(pub->e, 0))
+ return 0;
+
+ /* And 3 or larger */
+ if (mpz_cmp_ui(pub->e, 3) < 0)
+ return 0;
+
+ /* And size less than n */
+ if (mpz_sizeinbase(pub->e, 2) >= n_size)
+ return 0;
+ }
+
+ if (n_size < RSA_MINIMUM_N_BITS)
+ return 0;
+
+ mpz_init(p1); mpz_init(q1); mpz_init(phi); mpz_init(tmp);
+
+ /* Generate primes */
+ for (;;)
+ {
+ /* Generate p, such that gcd(p-1, e) = 1 */
+ for (;;)
+ {
+ nettle_random_prime(key->p, (n_size+1)/2, 1,
+ random_ctx, random,
+ progress_ctx, progress);
+
+ mpz_sub_ui(p1, key->p, 1);
+
+ /* If e was given, we must chose p such that p-1 has no factors in
+ * common with e. */
+ if (e_size)
+ break;
+
+ mpz_gcd(tmp, pub->e, p1);
+
+ if (mpz_cmp_ui(tmp, 1) == 0)
+ break;
+ else if (progress) progress(progress_ctx, 'c');
+ }
+
+ if (progress)
+ progress(progress_ctx, '\n');
+
+ /* Generate q, such that gcd(q-1, e) = 1 */
+ for (;;)
+ {
+ nettle_random_prime(key->q, n_size/2, 1,
+ random_ctx, random,
+ progress_ctx, progress);
+
+ /* Very unlikely. */
+ if (mpz_cmp (key->q, key->p) == 0)
+ continue;
+
+ mpz_sub_ui(q1, key->q, 1);
+
+ /* If e was given, we must chose q such that q-1 has no factors in
+ * common with e. */
+ if (e_size)
+ break;
+
+ mpz_gcd(tmp, pub->e, q1);
+
+ if (mpz_cmp_ui(tmp, 1) == 0)
+ break;
+ else if (progress) progress(progress_ctx, 'c');
+ }
+
+ /* Now we have the primes. Is the product of the right size? */
+ mpz_mul(pub->n, key->p, key->q);
+
+ assert (mpz_sizeinbase(pub->n, 2) == n_size);
+
+ if (progress)
+ progress(progress_ctx, '\n');
+
+ /* c = q^{-1} (mod p) */
+ if (mpz_invert(key->c, key->q, key->p))
+ /* This should succeed everytime. But if it doesn't,
+ * we try again. */
+ break;
+ else if (progress) progress(progress_ctx, '?');
+ }
+
+ mpz_mul(phi, p1, q1);
+
+ /* If we didn't have a given e, generate one now. */
+ if (e_size)
+ {
+ int retried = 0;
+ for (;;)
+ {
+ nettle_mpz_random_size(pub->e,
+ random_ctx, random,
+ e_size);
+
+ /* Make sure it's odd and that the most significant bit is
+ * set */
+ mpz_setbit(pub->e, 0);
+ mpz_setbit(pub->e, e_size - 1);
+
+ /* Needs gmp-3, or inverse might be negative. */
+ if (mpz_invert(key->d, pub->e, phi))
+ break;
+
+ if (progress) progress(progress_ctx, 'e');
+ retried = 1;
+ }
+ if (retried && progress)
+ progress(progress_ctx, '\n');
+ }
+ else
+ {
+ /* Must always succeed, as we already that e
+ * doesn't have any common factor with p-1 or q-1. */
+ int res = mpz_invert(key->d, pub->e, phi);
+ assert(res);
+ }
+
+ /* Done! Almost, we must compute the auxillary private values. */
+ /* a = d % (p-1) */
+ mpz_fdiv_r(key->a, key->d, p1);
+
+ /* b = d % (q-1) */
+ mpz_fdiv_r(key->b, key->d, q1);
+
+ /* c was computed earlier */
+
+ pub->size = key->size = (n_size + 7) / 8;
+ assert(pub->size >= RSA_MINIMUM_N_OCTETS);
+
+ mpz_clear(p1); mpz_clear(q1); mpz_clear(phi); mpz_clear(tmp);
+
+ return 1;
+}
diff --git a/external/nettle-3.3/nettle/rsa-sha256-sign.c b/external/nettle-3.3/nettle/rsa-sha256-sign.c
new file mode 100644
index 0000000..5daffbf
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa-sha256-sign.c
@@ -0,0 +1,77 @@
+/* rsa-sha256-sign.c
+
+ Signatures using RSA and SHA256.
+
+ Copyright (C) 2001, 2003, 2006 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pkcs1.h"
+
+int
+rsa_sha256_sign(const struct rsa_private_key *key,
+ struct sha256_ctx *hash,
+ mpz_t s)
+{
+ if (pkcs1_rsa_sha256_encode(s, key->size, hash))
+ {
+ rsa_compute_root(key, s, s);
+ return 1;
+ }
+ else
+ {
+ mpz_set_ui(s, 0);
+ return 0;
+ }
+}
+
+int
+rsa_sha256_sign_digest(const struct rsa_private_key *key,
+ const uint8_t *digest,
+ mpz_t s)
+{
+ if (pkcs1_rsa_sha256_encode_digest(s, key->size, digest))
+ {
+ rsa_compute_root(key, s, s);
+ return 1;
+ }
+ else
+ {
+ mpz_set_ui(s, 0);
+ return 0;
+ }
+}
diff --git a/external/nettle-3.3/nettle/rsa-sha256-verify.c b/external/nettle-3.3/nettle/rsa-sha256-verify.c
new file mode 100644
index 0000000..33ecbc1
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa-sha256-verify.c
@@ -0,0 +1,79 @@
+/* rsa-sha256-verify.c
+
+ Verifying signatures created with RSA and SHA256.
+
+ Copyright (C) 2001, 2003, 2006 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pkcs1.h"
+
+int
+rsa_sha256_verify(const struct rsa_public_key *key,
+ struct sha256_ctx *hash,
+ const mpz_t s)
+{
+ int res;
+ mpz_t m;
+
+ mpz_init(m);
+
+ res = (pkcs1_rsa_sha256_encode(m, key->size, hash)
+ &&_rsa_verify(key, m, s));
+
+ mpz_clear(m);
+
+ return res;
+}
+
+int
+rsa_sha256_verify_digest(const struct rsa_public_key *key,
+ const uint8_t *digest,
+ const mpz_t s)
+{
+ int res;
+ mpz_t m;
+
+ mpz_init(m);
+
+ res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest)
+ && _rsa_verify(key, m, s));
+
+ mpz_clear(m);
+
+ return res;
+}
diff --git a/external/nettle-3.3/nettle/rsa-sign.c b/external/nettle-3.3/nettle/rsa-sign.c
new file mode 100644
index 0000000..5cae041
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa-sign.c
@@ -0,0 +1,144 @@
+/* rsa-sign.c
+
+ Creating RSA signatures.
+
+ Copyright (C) 2001, 2003 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+
+void
+rsa_private_key_init(struct rsa_private_key *key)
+{
+ mpz_init(key->d);
+ mpz_init(key->p);
+ mpz_init(key->q);
+ mpz_init(key->a);
+ mpz_init(key->b);
+ mpz_init(key->c);
+
+ /* Not really necessary, but it seems cleaner to initialize all the
+ * storage. */
+ key->size = 0;
+}
+
+void
+rsa_private_key_clear(struct rsa_private_key *key)
+{
+ mpz_clear(key->d);
+ mpz_clear(key->p);
+ mpz_clear(key->q);
+ mpz_clear(key->a);
+ mpz_clear(key->b);
+ mpz_clear(key->c);
+}
+
+int
+rsa_private_key_prepare(struct rsa_private_key *key)
+{
+ mpz_t n;
+
+ /* The size of the product is the sum of the sizes of the factors,
+ * or sometimes one less. It's possible but tricky to compute the
+ * size without computing the full product. */
+
+ mpz_init(n);
+ mpz_mul(n, key->p, key->q);
+
+ key->size = _rsa_check_size(n);
+
+ mpz_clear(n);
+
+ return (key->size > 0);
+}
+
+/* Computing an rsa root. */
+void
+rsa_compute_root(const struct rsa_private_key *key,
+ mpz_t x, const mpz_t m)
+{
+ mpz_t xp; /* modulo p */
+ mpz_t xq; /* modulo q */
+
+ mpz_init(xp); mpz_init(xq);
+
+ /* Compute xq = m^d % q = (m%q)^b % q */
+ mpz_fdiv_r(xq, m, key->q);
+ mpz_powm_sec(xq, xq, key->b, key->q);
+
+ /* Compute xp = m^d % p = (m%p)^a % p */
+ mpz_fdiv_r(xp, m, key->p);
+ mpz_powm_sec(xp, xp, key->a, key->p);
+
+ /* Set xp' = (xp - xq) c % p. */
+ mpz_sub(xp, xp, xq);
+ mpz_mul(xp, xp, key->c);
+ mpz_fdiv_r(xp, xp, key->p);
+
+ /* Finally, compute x = xq + q xp'
+ *
+ * To prove that this works, note that
+ *
+ * xp = x + i p,
+ * xq = x + j q,
+ * c q = 1 + k p
+ *
+ * for some integers i, j and k. Now, for some integer l,
+ *
+ * xp' = (xp - xq) c + l p
+ * = (x + i p - (x + j q)) c + l p
+ * = (i p - j q) c + l p
+ * = (i c + l) p - j (c q)
+ * = (i c + l) p - j (1 + kp)
+ * = (i c + l - j k) p - j
+ *
+ * which shows that xp' = -j (mod p). We get
+ *
+ * xq + q xp' = x + j q + (i c + l - j k) p q - j q
+ * = x + (i c + l - j k) p q
+ *
+ * so that
+ *
+ * xq + q xp' = x (mod pq)
+ *
+ * We also get 0 <= xq + q xp' < p q, because
+ *
+ * 0 <= xq < q and 0 <= xp' < p.
+ */
+ mpz_mul(x, key->q, xp);
+ mpz_add(x, x, xq);
+
+ mpz_clear(xp); mpz_clear(xq);
+}
diff --git a/external/nettle-3.3/nettle/rsa-verify.c b/external/nettle-3.3/nettle/rsa-verify.c
new file mode 100644
index 0000000..8484a85
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa-verify.c
@@ -0,0 +1,64 @@
+/* rsa-verify.c
+
+ Verifying RSA signatures.
+
+ Copyright (C) 2001, 2003 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+
+int
+_rsa_verify(const struct rsa_public_key *key,
+ const mpz_t m,
+ const mpz_t s)
+{
+ int res;
+
+ mpz_t m1;
+
+ if ( (mpz_sgn(s) <= 0)
+ || (mpz_cmp(s, key->n) >= 0) )
+ return 0;
+
+ mpz_init(m1);
+
+ mpz_powm(m1, s, key->e, key->n);
+
+ res = !mpz_cmp(m, m1);
+
+ mpz_clear(m1);
+
+ return res;
+}
diff --git a/external/nettle-3.3/nettle/rsa.c b/external/nettle-3.3/nettle/rsa.c
new file mode 100644
index 0000000..22fae77
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa.c
@@ -0,0 +1,86 @@
+/* rsa.c
+
+ The RSA publickey algorithm.
+
+ Copyright (C) 2001 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+
+void
+rsa_public_key_init(struct rsa_public_key *key)
+{
+ mpz_init(key->n);
+ mpz_init(key->e);
+
+ /* Not really necessary, but it seems cleaner to initialize all the
+ * storage. */
+ key->size = 0;
+}
+
+void
+rsa_public_key_clear(struct rsa_public_key *key)
+{
+ mpz_clear(key->n);
+ mpz_clear(key->e);
+}
+
+/* Computes the size, in octets, of a the modulo. Returns 0 if the
+ * modulo is too small to be useful, or otherwise appears invalid. */
+size_t
+_rsa_check_size(mpz_t n)
+{
+ /* Round upwards */
+ size_t size;
+
+ /* Even moduli are invalid, and not supported by mpz_powm_sec. */
+ if (mpz_even_p (n))
+ return 0;
+
+ size = (mpz_sizeinbase(n, 2) + 7) / 8;
+
+ if (size < RSA_MINIMUM_N_OCTETS)
+ return 0;
+
+ return size;
+}
+
+int
+rsa_public_key_prepare(struct rsa_public_key *key)
+{
+ key->size = _rsa_check_size(key->n);
+
+ return (key->size > 0);
+}
diff --git a/external/nettle-3.3/nettle/rsa.h b/external/nettle-3.3/nettle/rsa.h
new file mode 100644
index 0000000..1ceda2d
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa.h
@@ -0,0 +1,355 @@
+/* rsa.h
+
+ The RSA publickey algorithm.
+
+ Copyright (C) 2001, 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_RSA_H_INCLUDED
+#define NETTLE_RSA_H_INCLUDED
+
+#include "nettle-types.h"
+#include "bignum.h"
+
+#include "sha2.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define rsa_public_key_init nettle_rsa_public_key_init
+#define rsa_public_key_clear nettle_rsa_public_key_clear
+#define rsa_public_key_prepare nettle_rsa_public_key_prepare
+#define rsa_private_key_init nettle_rsa_private_key_init
+#define rsa_private_key_clear nettle_rsa_private_key_clear
+#define rsa_private_key_prepare nettle_rsa_private_key_prepare
+#define rsa_sha256_sign nettle_rsa_sha256_sign
+#define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr
+#define rsa_sha256_verify nettle_rsa_sha256_verify
+#define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest
+#define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr
+#define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest
+#define rsa_encrypt nettle_rsa_encrypt
+#define rsa_decrypt nettle_rsa_decrypt
+#define rsa_decrypt_tr nettle_rsa_decrypt_tr
+#define rsa_compute_root nettle_rsa_compute_root
+#define rsa_compute_root_tr nettle_rsa_compute_root_tr
+#define rsa_generate_keypair nettle_rsa_generate_keypair
+#define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
+#define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist
+#define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp
+#define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator
+#define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator
+#define rsa_keypair_from_der nettle_rsa_keypair_from_der
+#define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
+#define _rsa_verify _nettle_rsa_verify
+#define _rsa_check_size _nettle_rsa_check_size
+#define _rsa_blind _nettle_rsa_blind
+#define _rsa_unblind _nettle_rsa_unblind
+
+/* This limit is somewhat arbitrary. Technically, the smallest modulo
+ which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
+ for ridiculously small keys, not all odd e are possible (e.g., for
+ 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e =
+ 3 don't work). The smallest size that makes sense with pkcs#1, and
+ which allows RSA encryption of one byte messages, is 12 octets, 89
+ bits. */
+
+#define RSA_MINIMUM_N_OCTETS 12
+#define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7)
+
+struct rsa_public_key
+{
+ /* Size of the modulo, in octets. This is also the size of all
+ * signatures that are created or verified with this key. */
+ size_t size;
+
+ /* Modulo */
+ mpz_t n;
+
+ /* Public exponent */
+ mpz_t e;
+};
+
+struct rsa_private_key
+{
+ size_t size;
+
+ /* d is filled in by the key generation function; otherwise it's
+ * completely unused. */
+ mpz_t d;
+
+ /* The two factors */
+ mpz_t p; mpz_t q;
+
+ /* d % (p-1), i.e. a e = 1 (mod (p-1)) */
+ mpz_t a;
+
+ /* d % (q-1), i.e. b e = 1 (mod (q-1)) */
+ mpz_t b;
+
+ /* modular inverse of q , i.e. c q = 1 (mod p) */
+ mpz_t c;
+};
+
+/* Signing a message works as follows:
+ *
+ * Store the private key in a rsa_private_key struct.
+ *
+ * Call rsa_private_key_prepare. This initializes the size attribute
+ * to the length of a signature.
+ *
+ * Initialize a hashing context, by callling
+ * md5_init
+ *
+ * Hash the message by calling
+ * md5_update
+ *
+ * Create the signature by calling
+ * rsa_md5_sign
+ *
+ * The signature is represented as a mpz_t bignum. This call also
+ * resets the hashing context.
+ *
+ * When done with the key and signature, don't forget to call
+ * mpz_clear.
+ */
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+rsa_public_key_init(struct rsa_public_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+rsa_public_key_clear(struct rsa_public_key *key);
+
+int
+rsa_public_key_prepare(struct rsa_public_key *key);
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+rsa_private_key_init(struct rsa_private_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+rsa_private_key_clear(struct rsa_private_key *key);
+
+int
+rsa_private_key_prepare(struct rsa_private_key *key);
+
+int
+rsa_sha256_sign(const struct rsa_private_key *key,
+ struct sha256_ctx *hash,
+ mpz_t signature);
+
+int
+rsa_sha256_sign_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ struct sha256_ctx *hash,
+ mpz_t s);
+
+int
+rsa_sha256_verify(const struct rsa_public_key *key,
+ struct sha256_ctx *hash,
+ const mpz_t signature);
+
+int
+rsa_sha256_sign_digest(const struct rsa_private_key *key,
+ const uint8_t *digest,
+ mpz_t s);
+
+int
+rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ const uint8_t *digest,
+ mpz_t s);
+
+int
+rsa_sha256_verify_digest(const struct rsa_public_key *key,
+ const uint8_t *digest,
+ const mpz_t signature);
+
+/* RSA encryption, using PKCS#1 */
+/* These functions uses the v1.5 padding. What should the v2 (OAEP)
+ * functions be called? */
+
+/* Returns 1 on success, 0 on failure, which happens if the
+ * message is too long for the key. */
+int
+rsa_encrypt(const struct rsa_public_key *key,
+ /* For padding */
+ void *random_ctx, nettle_random_func *random,
+ size_t length, const uint8_t *cleartext,
+ mpz_t cipher);
+
+/* Message must point to a buffer of size *LENGTH. KEY->size is enough
+ * for all valid messages. On success, *LENGTH is updated to reflect
+ * the actual length of the message. Returns 1 on success, 0 on
+ * failure, which happens if decryption failed or if the message
+ * didn't fit. */
+int
+rsa_decrypt(const struct rsa_private_key *key,
+ size_t *length, uint8_t *cleartext,
+ const mpz_t ciphertext);
+
+/* Timing-resistant version, using randomized RSA blinding. */
+int
+rsa_decrypt_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t *length, uint8_t *message,
+ const mpz_t gibberish);
+
+/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
+void
+rsa_compute_root(const struct rsa_private_key *key,
+ mpz_t x, const mpz_t m);
+
+/* Safer variant, using RSA blinding, and checking the result after
+ CRT. */
+int
+rsa_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ mpz_t x, const mpz_t m);
+
+/* Key generation */
+
+/* Note that the key structs must be initialized first. */
+int
+rsa_generate_keypair(struct rsa_public_key *pub,
+ struct rsa_private_key *key,
+
+ void *random_ctx, nettle_random_func *random,
+ void *progress_ctx, nettle_progress_func *progress,
+
+ /* Desired size of modulo, in bits */
+ unsigned n_size,
+
+ /* Desired size of public exponent, in bits. If
+ * zero, the passed in value pub->e is used. */
+ unsigned e_size);
+
+
+#define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \
+ algorithm##_update(ctx, length, data), \
+ rsa_##algorithm##_sign(key, ctx, signature) \
+)
+
+#define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \
+ algorithm##_update(ctx, length, data), \
+ rsa_##algorithm##_verify(key, ctx, signature) \
+)
+
+
+/* Keys in sexp form. */
+
+struct nettle_buffer;
+
+/* Generates a public-key expression if PRIV is NULL .*/
+int
+rsa_keypair_to_sexp(struct nettle_buffer *buffer,
+ const char *algorithm_name, /* NULL means "rsa" */
+ const struct rsa_public_key *pub,
+ const struct rsa_private_key *priv);
+
+struct sexp_iterator;
+
+int
+rsa_keypair_from_sexp_alist(struct rsa_public_key *pub,
+ struct rsa_private_key *priv,
+ unsigned limit,
+ struct sexp_iterator *i);
+
+/* If PRIV is NULL, expect a public-key expression. If PUB is NULL,
+ * expect a private key expression and ignore the parts not needed for
+ * the public key. */
+/* Keys must be initialized before calling this function, as usual. */
+int
+rsa_keypair_from_sexp(struct rsa_public_key *pub,
+ struct rsa_private_key *priv,
+ unsigned limit,
+ size_t length, const uint8_t *expr);
+
+
+/* Keys in PKCS#1 format. */
+struct asn1_der_iterator;
+
+int
+rsa_public_key_from_der_iterator(struct rsa_public_key *pub,
+ unsigned limit,
+ struct asn1_der_iterator *i);
+
+int
+rsa_private_key_from_der_iterator(struct rsa_public_key *pub,
+ struct rsa_private_key *priv,
+ unsigned limit,
+ struct asn1_der_iterator *i);
+
+/* For public keys, use PRIV == NULL */
+int
+rsa_keypair_from_der(struct rsa_public_key *pub,
+ struct rsa_private_key *priv,
+ unsigned limit,
+ size_t length, const uint8_t *data);
+
+/* OpenPGP format. Experimental interface, subject to change. */
+int
+rsa_keypair_to_openpgp(struct nettle_buffer *buffer,
+ const struct rsa_public_key *pub,
+ const struct rsa_private_key *priv,
+ /* A single user id. NUL-terminated utf8. */
+ const char *userid);
+
+/* Internal functions. */
+int
+_rsa_verify(const struct rsa_public_key *key,
+ const mpz_t m,
+ const mpz_t s);
+
+size_t
+_rsa_check_size(mpz_t n);
+
+/* _rsa_blind and _rsa_unblind are deprecated, unused in the library,
+ and will likely be removed with the next ABI break. */
+void
+_rsa_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+ mpz_t c, mpz_t ri);
+void
+_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_RSA_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/rsa2sexp.c b/external/nettle-3.3/nettle/rsa2sexp.c
new file mode 100644
index 0000000..95e029b
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa2sexp.c
@@ -0,0 +1,59 @@
+/* rsa2sexp.c
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "sexp.h"
+
+int
+rsa_keypair_to_sexp(struct nettle_buffer *buffer,
+ const char *algorithm_name,
+ const struct rsa_public_key *pub,
+ const struct rsa_private_key *priv)
+{
+ if (!algorithm_name)
+ algorithm_name = "rsa-pkcs1";
+
+ if (priv)
+ return sexp_format(buffer,
+ "(private-key(%0s(n%b)(e%b)"
+ "(d%b)(p%b)(q%b)(a%b)(b%b)(c%b)))",
+ algorithm_name, pub->n, pub->e,
+ priv->d, priv->p, priv->q,
+ priv->a, priv->b, priv->c);
+ else
+ return sexp_format(buffer, "(public-key(%0s(n%b)(e%b)))",
+ algorithm_name, pub->n, pub->e);
+}
diff --git a/external/nettle-3.3/nettle/sexp-format.c b/external/nettle-3.3/nettle/sexp-format.c
new file mode 100644
index 0000000..e59b8f3
--- /dev/null
+++ b/external/nettle-3.3/nettle/sexp-format.c
@@ -0,0 +1,348 @@
+/* sexp-format.c
+
+ Writing s-expressions.
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "sexp.h"
+#include "buffer.h"
+
+#include "bignum.h"
+
+static unsigned
+format_prefix(struct nettle_buffer *buffer,
+ size_t length)
+{
+ size_t digit = 1;
+ unsigned prefix_length = 1;
+
+ for (;;)
+ {
+ size_t next = digit * 10;
+ if (next > length)
+ break;
+
+ prefix_length++;
+ digit = next;
+ }
+
+ if (buffer)
+ {
+ for (; digit; length %= digit, digit /= 10)
+ if (!NETTLE_BUFFER_PUTC(buffer, '0' + length / digit))
+ return 0;
+
+ if (!NETTLE_BUFFER_PUTC(buffer, ':'))
+ return 0;
+ }
+
+ return prefix_length + 1;
+}
+
+static size_t
+format_string(struct nettle_buffer *buffer,
+ size_t length, const uint8_t *s)
+{
+ unsigned prefix_length = format_prefix(buffer, length);
+ if (!prefix_length)
+ return 0;
+
+ if (buffer && !nettle_buffer_write(buffer, length, s))
+ return 0;
+
+ return prefix_length + length;
+}
+
+static inline size_t
+strlen_u8 (const uint8_t *s)
+{
+ return strlen((const char*) s);
+}
+
+size_t
+sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args)
+{
+ unsigned nesting = 0;
+ size_t done = 0;
+
+ for (;;)
+ switch (*format++)
+ {
+ default:
+ {
+ const char *start = format - 1;
+ size_t length = 1 + strcspn(format, "()% \t");
+ size_t output_length
+ = format_string(buffer, length, (const uint8_t *) start);
+ if (!output_length)
+ return 0;
+
+ done += output_length;
+ format = start + length;
+
+ break;
+ }
+ case ' ': case '\t':
+ break;
+
+ case '\0':
+ assert(!nesting);
+
+ return done;
+
+ case '(':
+ if (buffer && !NETTLE_BUFFER_PUTC(buffer, '('))
+ return 0;
+
+ done++;
+ nesting++;
+ break;
+
+ case ')':
+ assert (nesting);
+ if (buffer && !NETTLE_BUFFER_PUTC(buffer, ')'))
+ return 0;
+
+ done++;
+ nesting--;
+ break;
+
+ case '%':
+ {
+ int nul_flag = 0;
+
+ if (*format == '0')
+ {
+ format++;
+ nul_flag = 1;
+ }
+ switch (*format++)
+ {
+ default:
+ abort();
+
+ case '(':
+ case ')':
+ /* Allow unbalanced parenthesis */
+ if (buffer && !NETTLE_BUFFER_PUTC(buffer, format[-1]))
+ return 0;
+ done++;
+ break;
+
+ case 's':
+ {
+ const uint8_t *s;
+ size_t length;
+ size_t output_length;
+
+ if (nul_flag)
+ {
+ s = va_arg(args, const uint8_t *);
+ length = strlen_u8(s);
+ }
+ else
+ {
+ length = va_arg(args, size_t);
+ s = va_arg(args, const uint8_t *);
+ }
+
+ output_length = format_string(buffer, length, s);
+ if (!output_length)
+ return 0;
+
+ done += output_length;
+ break;
+ }
+ case 't':
+ {
+ const uint8_t *s;
+ size_t length;
+ size_t output_length;
+
+ if (nul_flag)
+ {
+ s = va_arg(args, const uint8_t *);
+ if (!s)
+ break;
+
+ length = strlen_u8(s);
+ }
+ else
+ {
+ length = va_arg(args, size_t);
+ s = va_arg(args, const uint8_t *);
+ if (!s)
+ break;
+ }
+
+ if (buffer && !NETTLE_BUFFER_PUTC(buffer, '['))
+ return 0;
+ done++;
+
+ output_length = format_string(buffer, length, s);
+
+ if (!output_length)
+ return 0;
+
+ done += output_length;
+
+ if (buffer && !NETTLE_BUFFER_PUTC(buffer, ']'))
+ return 0;
+ done++;
+
+ break;
+ }
+
+ case 'l':
+ {
+ const uint8_t *s;
+ size_t length;
+
+ if (nul_flag)
+ {
+ s = va_arg(args, const uint8_t *);
+ length = strlen_u8(s);
+ }
+ else
+ {
+ length = va_arg(args, size_t);
+ s = va_arg(args, const uint8_t *);
+ }
+
+ if (buffer && !nettle_buffer_write(buffer, length, s))
+ return 0;
+
+ done += length;
+ break;
+ }
+ case 'i':
+ {
+ uint32_t x = va_arg(args, uint32_t);
+ unsigned length;
+
+ if (x < 0x80)
+ length = 1;
+ else if (x < 0x8000L)
+ length = 2;
+ else if (x < 0x800000L)
+ length = 3;
+ else if (x < 0x80000000L)
+ length = 4;
+ else
+ length = 5;
+
+ if (buffer && !(NETTLE_BUFFER_PUTC(buffer, '0' + length)
+ && NETTLE_BUFFER_PUTC(buffer, ':')))
+ return 0;
+
+ done += (2 + length);
+
+ if (buffer)
+ switch(length)
+ {
+ case 5:
+ /* Leading byte needed for the sign. */
+ if (!NETTLE_BUFFER_PUTC(buffer, 0))
+ return 0;
+ /* Fall through */
+ case 4:
+ if (!NETTLE_BUFFER_PUTC(buffer, x >> 24))
+ return 0;
+ /* Fall through */
+ case 3:
+ if (!NETTLE_BUFFER_PUTC(buffer, (x >> 16) & 0xff))
+ return 0;
+ /* Fall through */
+ case 2:
+ if (!NETTLE_BUFFER_PUTC(buffer, (x >> 8) & 0xff))
+ return 0;
+ /* Fall through */
+ case 1:
+ if (!NETTLE_BUFFER_PUTC(buffer, x & 0xff))
+ return 0;
+ break;
+ default:
+ abort();
+ }
+ break;
+ }
+ case 'b':
+ {
+ mpz_srcptr n = va_arg(args, mpz_srcptr);
+ size_t length;
+ unsigned prefix_length;
+
+ length = nettle_mpz_sizeinbase_256_s(n);
+ prefix_length = format_prefix(buffer, length);
+ if (!prefix_length)
+ return 0;
+
+ done += prefix_length;
+
+ if (buffer)
+ {
+ uint8_t *space = nettle_buffer_space(buffer, length);
+ if (!space)
+ return 0;
+
+ nettle_mpz_get_str_256(length, space, n);
+ }
+
+ done += length;
+
+ break;
+ }
+ }
+ }
+ }
+}
+
+size_t
+sexp_format(struct nettle_buffer *buffer, const char *format, ...)
+{
+ va_list args;
+ size_t done;
+
+ va_start(args, format);
+ done = sexp_vformat(buffer, format, args);
+ va_end(args);
+
+ return done;
+}
diff --git a/external/nettle-3.3/nettle/sexp.c b/external/nettle-3.3/nettle/sexp.c
new file mode 100644
index 0000000..eb5c211
--- /dev/null
+++ b/external/nettle-3.3/nettle/sexp.c
@@ -0,0 +1,399 @@
+/* sexp.c
+
+ Parsing s-expressions.
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "sexp.h"
+
+#include "macros.h"
+#include "nettle-internal.h"
+
+/* Initializes the iterator, but one has to call next to get to the
+ * first element. */
+static void
+sexp_iterator_init(struct sexp_iterator *iterator,
+ unsigned length, const uint8_t *input)
+{
+ iterator->length = length;
+ iterator->buffer = input;
+ iterator->pos = 0;
+ iterator->level = 0;
+ iterator->type = SEXP_END; /* Value doesn't matter */
+ iterator->display_length = 0;
+ iterator->display = NULL;
+ iterator->atom_length = 0;
+ iterator->atom = NULL;
+}
+
+#define EMPTY(i) ((i)->pos == (i)->length)
+#define NEXT(i) ((i)->buffer[(i)->pos++])
+
+static int
+sexp_iterator_simple(struct sexp_iterator *iterator,
+ size_t *size,
+ const uint8_t **string)
+{
+ unsigned length = 0;
+ uint8_t c;
+
+ if (EMPTY(iterator)) return 0;
+ c = NEXT(iterator);
+ if (EMPTY(iterator)) return 0;
+
+ if (c >= '1' && c <= '9')
+ do
+ {
+ length = length * 10 + (c - '0');
+ if (length > (iterator->length - iterator->pos))
+ return 0;
+
+ if (EMPTY(iterator)) return 0;
+ c = NEXT(iterator);
+ }
+ while (c >= '0' && c <= '9');
+
+ else if (c == '0')
+ /* There can be only one */
+ c = NEXT(iterator);
+ else
+ return 0;
+
+ if (c != ':')
+ return 0;
+
+ *size = length;
+ *string = iterator->buffer + iterator->pos;
+ iterator->pos += length;
+
+ return 1;
+}
+
+/* All these functions return 1 on success, 0 on failure */
+
+/* Look at the current position in the data. Sets iterator->type, and
+ * ignores the old value. */
+
+static int
+sexp_iterator_parse(struct sexp_iterator *iterator)
+{
+ iterator->start = iterator->pos;
+
+ if (EMPTY(iterator))
+ {
+ if (iterator->level)
+ return 0;
+
+ iterator->type = SEXP_END;
+ return 1;
+ }
+ switch (iterator->buffer[iterator->pos])
+ {
+ case '(': /* A list */
+ iterator->type = SEXP_LIST;
+ return 1;
+
+ case ')':
+ if (!iterator->level)
+ return 0;
+
+ iterator->pos++;
+ iterator->type = SEXP_END;
+ return 1;
+
+ case '[': /* Atom with display type */
+ iterator->pos++;
+ if (!sexp_iterator_simple(iterator,
+ &iterator->display_length,
+ &iterator->display))
+ return 0;
+ if (EMPTY(iterator) || NEXT(iterator) != ']')
+ return 0;
+
+ break;
+
+ default:
+ /* Must be either a decimal digit or a syntax error.
+ * Errors are detected by sexp_iterator_simple. */
+ iterator->display_length = 0;
+ iterator->display = NULL;
+
+ break;
+ }
+
+ iterator->type = SEXP_ATOM;
+
+ return sexp_iterator_simple(iterator,
+ &iterator->atom_length,
+ &iterator->atom);
+}
+
+int
+sexp_iterator_first(struct sexp_iterator *iterator,
+ size_t length, const uint8_t *input)
+{
+ sexp_iterator_init(iterator, length, input);
+ return sexp_iterator_parse(iterator);
+}
+
+int
+sexp_iterator_next(struct sexp_iterator *iterator)
+{
+ switch (iterator->type)
+ {
+ case SEXP_END:
+ return 1;
+ case SEXP_LIST:
+ /* Skip this list */
+ return sexp_iterator_enter_list(iterator)
+ && sexp_iterator_exit_list(iterator);
+ case SEXP_ATOM:
+ /* iterator->pos should already point at the start of the next
+ * element. */
+ return sexp_iterator_parse(iterator);
+ }
+ /* If we get here, we have a bug. */
+ abort();
+}
+
+/* Current element must be a list. */
+int
+sexp_iterator_enter_list(struct sexp_iterator *iterator)
+{
+ if (iterator->type != SEXP_LIST)
+ return 0;
+
+ if (EMPTY(iterator) || NEXT(iterator) != '(')
+ /* Internal error */
+ abort();
+
+ iterator->level++;
+
+ return sexp_iterator_parse(iterator);
+}
+
+/* Skips the rest of the current list */
+int
+sexp_iterator_exit_list(struct sexp_iterator *iterator)
+{
+ if (!iterator->level)
+ return 0;
+
+ while(iterator->type != SEXP_END)
+ if (!sexp_iterator_next(iterator))
+ return 0;
+
+ iterator->level--;
+
+ return sexp_iterator_parse(iterator);
+}
+
+#if 0
+/* What's a reasonable interface for this? */
+int
+sexp_iterator_exit_lists(struct sexp_iterator *iterator,
+ unsigned level)
+{
+ assert(iterator->level >= level);
+
+ while (iterator->level > level)
+ if (!sexp_iterator_exit_list(iterator))
+ return 0;
+
+ return 1;
+}
+#endif
+
+const uint8_t *
+sexp_iterator_subexpr(struct sexp_iterator *iterator,
+ size_t *length)
+{
+ size_t start = iterator->start;
+ if (!sexp_iterator_next(iterator))
+ return 0;
+
+ *length = iterator->start - start;
+ return iterator->buffer + start;
+}
+
+int
+sexp_iterator_get_uint32(struct sexp_iterator *iterator,
+ uint32_t *x)
+{
+ if (iterator->type == SEXP_ATOM
+ && !iterator->display
+ && iterator->atom_length
+ && iterator->atom[0] < 0x80)
+ {
+ size_t length = iterator->atom_length;
+ const uint8_t *p = iterator->atom;
+
+ /* Skip leading zeros. */
+ while(length && !*p)
+ {
+ length--; p++;
+ }
+
+ switch(length)
+ {
+ case 0:
+ *x = 0;
+ break;
+ case 1:
+ *x = p[0];
+ break;
+ case 2:
+ *x = READ_UINT16(p);
+ break;
+ case 3:
+ *x = READ_UINT24(p);
+ break;
+ case 4:
+ *x = READ_UINT32(p);
+ break;
+ default:
+ return 0;
+ }
+ return sexp_iterator_next(iterator);
+ }
+ return 0;
+}
+
+int
+sexp_iterator_check_type(struct sexp_iterator *iterator,
+ const char *type)
+{
+ return (sexp_iterator_enter_list(iterator)
+ && iterator->type == SEXP_ATOM
+ && !iterator->display
+ && strlen(type) == iterator->atom_length
+ && !memcmp(type, iterator->atom, iterator->atom_length)
+ && sexp_iterator_next(iterator));
+}
+
+const char *
+sexp_iterator_check_types(struct sexp_iterator *iterator,
+ unsigned ntypes,
+ const char * const *types)
+{
+ if (sexp_iterator_enter_list(iterator)
+ && iterator->type == SEXP_ATOM
+ && !iterator->display)
+ {
+ unsigned i;
+ for (i = 0; i<ntypes; i++)
+ if (strlen(types[i]) == iterator->atom_length
+ && !memcmp(types[i], iterator->atom,
+ iterator->atom_length))
+ return sexp_iterator_next(iterator) ? types[i] : NULL;
+ }
+ return NULL;
+}
+
+int
+sexp_iterator_assoc(struct sexp_iterator *iterator,
+ unsigned nkeys,
+ const char * const *keys,
+ struct sexp_iterator *values)
+{
+ TMP_DECL(found, int, NETTLE_MAX_SEXP_ASSOC);
+ unsigned nfound;
+ unsigned i;
+
+ TMP_ALLOC(found, nkeys);
+ for (i = 0; i<nkeys; i++)
+ found[i] = 0;
+
+ nfound = 0;
+
+ for (;;)
+ {
+ switch (iterator->type)
+ {
+ case SEXP_LIST:
+
+ if (!sexp_iterator_enter_list(iterator))
+ return 0;
+
+ if (iterator->type == SEXP_ATOM
+ && !iterator->display)
+ {
+ /* Compare to the given keys */
+ for (i = 0; i<nkeys; i++)
+ {
+ /* NOTE: The strlen could be put outside of the
+ * loop */
+ if (strlen(keys[i]) == iterator->atom_length
+ && !memcmp(keys[i], iterator->atom,
+ iterator->atom_length))
+ {
+ if (found[i])
+ /* We don't allow duplicates */
+ return 0;
+
+ /* Advance to point to value */
+ if (!sexp_iterator_next(iterator))
+ return 0;
+
+ found[i] = 1;
+ nfound++;
+
+ /* Record this position. */
+ values[i] = *iterator;
+
+ break;
+ }
+ }
+ }
+ if (!sexp_iterator_exit_list(iterator))
+ return 0;
+ break;
+ case SEXP_ATOM:
+ /* Just ignore */
+ if (!sexp_iterator_next(iterator))
+ return 0;
+ break;
+
+ case SEXP_END:
+ return sexp_iterator_exit_list(iterator)
+ && (nfound == nkeys);
+
+ default:
+ abort();
+ }
+ }
+}
diff --git a/external/nettle-3.3/nettle/sexp.h b/external/nettle-3.3/nettle/sexp.h
new file mode 100644
index 0000000..58b089c
--- /dev/null
+++ b/external/nettle-3.3/nettle/sexp.h
@@ -0,0 +1,213 @@
+/* sexp.h
+
+ Parsing s-expressions.
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_SEXP_H_INCLUDED
+#define NETTLE_SEXP_H_INCLUDED
+
+#include <stdarg.h>
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define sexp_iterator_first nettle_sexp_iterator_first
+#define sexp_transport_iterator_first nettle_sexp_transport_iterator_first
+#define sexp_iterator_next nettle_sexp_iterator_next
+#define sexp_iterator_enter_list nettle_sexp_iterator_enter_list
+#define sexp_iterator_exit_list nettle_sexp_iterator_exit_list
+#define sexp_iterator_subexpr nettle_sexp_iterator_subexpr
+#define sexp_iterator_get_uint32 nettle_sexp_iterator_get_uint32
+#define sexp_iterator_check_type nettle_sexp_iterator_check_type
+#define sexp_iterator_check_types nettle_sexp_iterator_check_types
+#define sexp_iterator_assoc nettle_sexp_iterator_assoc
+#define sexp_format nettle_sexp_format
+#define sexp_vformat nettle_sexp_vformat
+#define sexp_transport_format nettle_sexp_transport_format
+#define sexp_transport_vformat nettle_sexp_transport_vformat
+#define sexp_token_chars nettle_sexp_token_chars
+
+enum sexp_type
+ { SEXP_ATOM, SEXP_LIST, SEXP_END };
+
+struct sexp_iterator
+{
+ size_t length;
+ const uint8_t *buffer;
+
+ /* Points at the start of the current sub expression. */
+ size_t start;
+ /* If type is SEXP_LIST, pos points at the start of the current
+ * element. Otherwise, it points at the end. */
+ size_t pos;
+ unsigned level;
+
+ enum sexp_type type;
+
+ size_t display_length;
+ const uint8_t *display;
+
+ size_t atom_length;
+ const uint8_t *atom;
+};
+
+
+/* All these functions return 1 on success, 0 on failure */
+
+/* Initializes the iterator. */
+int
+sexp_iterator_first(struct sexp_iterator *iterator,
+ size_t length, const uint8_t *input);
+
+/* NOTE: Decodes the input string in place */
+int
+sexp_transport_iterator_first(struct sexp_iterator *iterator,
+ size_t length, uint8_t *input);
+
+int
+sexp_iterator_next(struct sexp_iterator *iterator);
+
+/* Current element must be a list. */
+int
+sexp_iterator_enter_list(struct sexp_iterator *iterator);
+
+/* Skips the rest of the current list */
+int
+sexp_iterator_exit_list(struct sexp_iterator *iterator);
+
+#if 0
+/* Skips out of as many lists as necessary to get back to the given
+ * level. */
+int
+sexp_iterator_exit_lists(struct sexp_iterator *iterator,
+ unsigned level);
+#endif
+
+/* Gets start and length of the current subexpression. Implies
+ * sexp_iterator_next. */
+const uint8_t *
+sexp_iterator_subexpr(struct sexp_iterator *iterator,
+ size_t *length);
+
+int
+sexp_iterator_get_uint32(struct sexp_iterator *iterator,
+ uint32_t *x);
+
+
+/* Checks the type of the current expression, which should be a list
+ *
+ * (<type> ...)
+ */
+int
+sexp_iterator_check_type(struct sexp_iterator *iterator,
+ const char *type);
+
+const char *
+sexp_iterator_check_types(struct sexp_iterator *iterator,
+ unsigned ntypes,
+ const char * const *types);
+
+/* Current element must be a list. Looks up element of type
+ *
+ * (key rest...)
+ *
+ * For a matching key, the corresponding iterator is initialized
+ * pointing at the start of REST.
+ *
+ * On success, exits the current list.
+ */
+int
+sexp_iterator_assoc(struct sexp_iterator *iterator,
+ unsigned nkeys,
+ const char * const *keys,
+ struct sexp_iterator *values);
+
+
+/* Output functions. What is a reasonable API for this? It seems
+ * ugly to have to reimplement string streams. */
+
+/* Declared for real in buffer.h */
+struct nettle_buffer;
+
+/* Returns the number of output characters, or 0 on out of memory. If
+ * buffer == NULL, just compute length.
+ *
+ * Format strings can contained matched parentheses, tokens ("foo" in
+ * the format string is formatted as "3:foo"), whitespace (which
+ * separates tokens but is otherwise ignored) and the following
+ * formatting specifiers:
+ *
+ * %s String represented as size_t length, const uint8_t *data.
+ *
+ * %t Optional display type, represented as
+ * size_t display_length, const uint8_t *display,
+ * display == NULL means no display type.
+ *
+ * %i Non-negative small integer, uint32_t.
+ *
+ * %b Non-negative bignum, mpz_t.
+ *
+ * %l Literal string (no length added), typically a balanced
+ * subexpression. Represented as size_t length, const uint8_t
+ * *data.
+ *
+ * %(, %) Allows insertion of unbalanced parenthesis.
+ *
+ * Modifiers:
+ *
+ * %0 For %s, %t and %l, says that there's no length argument,
+ * instead the string is NUL-terminated, and there's only one
+ * const uint8_t * argument.
+ */
+
+size_t
+sexp_format(struct nettle_buffer *buffer,
+ const char *format, ...);
+
+size_t
+sexp_vformat(struct nettle_buffer *buffer,
+ const char *format, va_list args);
+
+size_t
+sexp_transport_format(struct nettle_buffer *buffer,
+ const char *format, ...);
+
+size_t
+sexp_transport_vformat(struct nettle_buffer *buffer,
+ const char *format, va_list args);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_SEXP_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/sexp2bignum.c b/external/nettle-3.3/nettle/sexp2bignum.c
new file mode 100644
index 0000000..692ee42
--- /dev/null
+++ b/external/nettle-3.3/nettle/sexp2bignum.c
@@ -0,0 +1,60 @@
+/* sexp2bignum.c
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "sexp.h"
+#include "bignum.h"
+
+int
+nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i)
+{
+ if (i->type == SEXP_ATOM
+ && i->atom_length
+ && !i->display)
+ {
+ /* Allow some extra here, for leading sign octets. */
+ if (limit && (8 * i->atom_length > (16 + limit)))
+ return 0;
+
+ nettle_mpz_set_str_256_s(x, i->atom_length, i->atom);
+
+ /* FIXME: How to interpret a limit for negative numbers? */
+ if (limit && mpz_sizeinbase(x, 2) > limit)
+ return 0;
+
+ return sexp_iterator_next(i);
+ }
+ else
+ return 0;
+}
diff --git a/external/nettle-3.3/nettle/sexp2rsa.c b/external/nettle-3.3/nettle/sexp2rsa.c
new file mode 100644
index 0000000..b42a3d4
--- /dev/null
+++ b/external/nettle-3.3/nettle/sexp2rsa.c
@@ -0,0 +1,115 @@
+/* sexp2rsa.c
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <string.h>
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "sexp.h"
+
+#define GET(x, l, v) \
+do { \
+ if (!nettle_mpz_set_sexp((x), (l), (v)) \
+ || mpz_sgn(x) <= 0) \
+ return 0; \
+} while(0)
+
+/* Iterator should point past the algorithm tag, e.g.
+ *
+ * (public-key (rsa (n |xxxx|) (e |xxxx|))
+ * ^ here
+ */
+
+int
+rsa_keypair_from_sexp_alist(struct rsa_public_key *pub,
+ struct rsa_private_key *priv,
+ unsigned limit,
+ struct sexp_iterator *i)
+{
+ static const char * const names[8]
+ = { "n", "e", "d", "p", "q", "a", "b", "c" };
+ struct sexp_iterator values[8];
+ unsigned nvalues = priv ? 8 : 2;
+
+ if (!sexp_iterator_assoc(i, nvalues, names, values))
+ return 0;
+
+ if (priv)
+ {
+ GET(priv->d, limit, &values[2]);
+ GET(priv->p, limit, &values[3]);
+ GET(priv->q, limit, &values[4]);
+ GET(priv->a, limit, &values[5]);
+ GET(priv->b, limit, &values[6]);
+ GET(priv->c, limit, &values[7]);
+
+ if (!rsa_private_key_prepare(priv))
+ return 0;
+ }
+
+ if (pub)
+ {
+ GET(pub->n, limit, &values[0]);
+ GET(pub->e, limit, &values[1]);
+
+ if (!rsa_public_key_prepare(pub))
+ return 0;
+ }
+
+ return 1;
+}
+
+int
+rsa_keypair_from_sexp(struct rsa_public_key *pub,
+ struct rsa_private_key *priv,
+ unsigned limit,
+ size_t length, const uint8_t *expr)
+{
+ struct sexp_iterator i;
+ static const char * const names[3]
+ = { "rsa", "rsa-pkcs1", "rsa-pkcs1-sha1" };
+
+ if (!sexp_iterator_first(&i, length, expr))
+ return 0;
+
+ if (!sexp_iterator_check_type(&i, priv ? "private-key" : "public-key"))
+ return 0;
+
+ if (!sexp_iterator_check_types(&i, 3, names))
+ return 0;
+
+ return rsa_keypair_from_sexp_alist(pub, priv, limit, &i);
+}
diff --git a/external/nettle-3.3/nettle/sha2.h b/external/nettle-3.3/nettle/sha2.h
new file mode 100644
index 0000000..d0426d7
--- /dev/null
+++ b/external/nettle-3.3/nettle/sha2.h
@@ -0,0 +1,206 @@
+/* sha2.h
+
+ The sha2 family of hash functions.
+
+ Copyright (C) 2001, 2012 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_SHA2_H_INCLUDED
+#define NETTLE_SHA2_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define sha224_init nettle_sha224_init
+#define sha224_digest nettle_sha224_digest
+#define sha256_init nettle_sha256_init
+#define sha256_update nettle_sha256_update
+#define sha256_digest nettle_sha256_digest
+#define sha384_init nettle_sha384_init
+#define sha384_digest nettle_sha384_digest
+#define sha512_init nettle_sha512_init
+#define sha512_update nettle_sha512_update
+#define sha512_digest nettle_sha512_digest
+#define sha512_224_init nettle_sha512_224_init
+#define sha512_224_digest nettle_sha512_224_digest
+#define sha512_256_init nettle_sha512_256_init
+#define sha512_256_digest nettle_sha512_256_digest
+
+/* For backwards compatibility */
+#define SHA224_DATA_SIZE SHA256_BLOCK_SIZE
+#define SHA256_DATA_SIZE SHA256_BLOCK_SIZE
+#define SHA512_DATA_SIZE SHA512_BLOCK_SIZE
+#define SHA384_DATA_SIZE SHA512_BLOCK_SIZE
+
+/* SHA256 */
+
+#define SHA256_DIGEST_SIZE 32
+#define SHA256_BLOCK_SIZE 64
+
+/* Digest is kept internally as 8 32-bit words. */
+#define _SHA256_DIGEST_LENGTH 8
+
+struct sha256_ctx
+{
+ uint32_t state[_SHA256_DIGEST_LENGTH]; /* State variables */
+ uint64_t count; /* 64-bit block count */
+ uint8_t block[SHA256_BLOCK_SIZE]; /* SHA256 data buffer */
+ unsigned int index; /* index into buffer */
+};
+
+void
+sha256_init(struct sha256_ctx *ctx);
+
+void
+sha256_update(struct sha256_ctx *ctx,
+ size_t length,
+ const uint8_t *data);
+
+void
+sha256_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+/* Internal compression function. STATE points to 8 uint32_t words,
+ DATA points to 64 bytes of input data, possibly unaligned, and K
+ points to the table of constants. */
+void
+_nettle_sha256_compress(uint32_t *state, const uint8_t *data, const uint32_t *k);
+
+
+/* SHA224, a truncated SHA256 with different initial state. */
+
+#define SHA224_DIGEST_SIZE 28
+#define SHA224_BLOCK_SIZE SHA256_BLOCK_SIZE
+#define sha224_ctx sha256_ctx
+
+void
+sha224_init(struct sha256_ctx *ctx);
+
+#define sha224_update nettle_sha256_update
+
+void
+sha224_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+
+/* SHA512 */
+
+#define SHA512_DIGEST_SIZE 64
+#define SHA512_BLOCK_SIZE 128
+
+/* Digest is kept internally as 8 64-bit words. */
+#define _SHA512_DIGEST_LENGTH 8
+
+struct sha512_ctx
+{
+ uint64_t state[_SHA512_DIGEST_LENGTH]; /* State variables */
+ uint64_t count_low, count_high; /* 128-bit block count */
+ uint8_t block[SHA512_BLOCK_SIZE]; /* SHA512 data buffer */
+ unsigned int index; /* index into buffer */
+};
+
+void
+sha512_init(struct sha512_ctx *ctx);
+
+void
+sha512_update(struct sha512_ctx *ctx,
+ size_t length,
+ const uint8_t *data);
+
+void
+sha512_digest(struct sha512_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+/* Internal compression function. STATE points to 8 uint64_t words,
+ DATA points to 128 bytes of input data, possibly unaligned, and K
+ points to the table of constants. */
+void
+_nettle_sha512_compress(uint64_t *state, const uint8_t *data, const uint64_t *k);
+
+
+/* SHA384, a truncated SHA512 with different initial state. */
+
+#define SHA384_DIGEST_SIZE 48
+#define SHA384_BLOCK_SIZE SHA512_BLOCK_SIZE
+#define sha384_ctx sha512_ctx
+
+void
+sha384_init(struct sha512_ctx *ctx);
+
+#define sha384_update nettle_sha512_update
+
+void
+sha384_digest(struct sha512_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+
+/* SHA512_224 and SHA512_256, two truncated versions of SHA512
+ with different initial states. */
+
+#define SHA512_224_DIGEST_SIZE 28
+#define SHA512_224_BLOCK_SIZE SHA512_BLOCK_SIZE
+#define sha512_224_ctx sha512_ctx
+
+void
+sha512_224_init(struct sha512_224_ctx *ctx);
+
+#define sha512_224_update nettle_sha512_update
+
+void
+sha512_224_digest(struct sha512_224_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+#define SHA512_256_DIGEST_SIZE 32
+#define SHA512_256_BLOCK_SIZE SHA512_BLOCK_SIZE
+#define sha512_256_ctx sha512_ctx
+
+void
+sha512_256_init(struct sha512_256_ctx *ctx);
+
+#define sha512_256_update nettle_sha512_update
+
+void
+sha512_256_digest(struct sha512_256_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_SHA2_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/sha256-compress.c b/external/nettle-3.3/nettle/sha256-compress.c
new file mode 100644
index 0000000..8b82d70
--- /dev/null
+++ b/external/nettle-3.3/nettle/sha256-compress.c
@@ -0,0 +1,199 @@
+/* sha256-compress.c
+
+ The compression function of the sha256 hash function.
+
+ Copyright (C) 2001, 2010 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef SHA256_DEBUG
+# define SHA256_DEBUG 0
+#endif
+
+#if SHA256_DEBUG
+# include <stdio.h>
+# define DEBUG(i) \
+ fprintf(stderr, "%2d: %8x %8x %8x %8x %8x %8x %8x %8x\n", \
+ i, A, B, C, D ,E, F, G, H)
+#else
+# define DEBUG(i)
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "sha2.h"
+
+#include "macros.h"
+
+/* A block, treated as a sequence of 32-bit words. */
+#define SHA256_DATA_LENGTH 16
+
+/* The SHA256 functions. The Choice function is the same as the SHA1
+ function f1, and the majority function is the same as the SHA1 f3
+ function. They can be optimized to save one boolean operation each
+ - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering
+ this */
+
+/* #define Choice(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */
+#define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) )
+/* #define Majority(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */
+#define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
+
+#define S0(x) (ROTL32(30,(x)) ^ ROTL32(19,(x)) ^ ROTL32(10,(x)))
+#define S1(x) (ROTL32(26,(x)) ^ ROTL32(21,(x)) ^ ROTL32(7,(x)))
+
+#define s0(x) (ROTL32(25,(x)) ^ ROTL32(14,(x)) ^ ((x) >> 3))
+#define s1(x) (ROTL32(15,(x)) ^ ROTL32(13,(x)) ^ ((x) >> 10))
+
+/* The initial expanding function. The hash function is defined over an
+ 64-word expanded input array W, where the first 16 are copies of the input
+ data, and the remaining 64 are defined by
+
+ W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16]
+
+ This implementation generates these values on the fly in a circular
+ buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this
+ optimization.
+*/
+
+#define EXPAND(W,i) \
+( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) )
+
+/* The prototype SHA sub-round. The fundamental sub-round is:
+
+ T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t]
+ T2 = S0(a) + Majority(a,b,c)
+ a' = T1+T2
+ b' = a
+ c' = b
+ d' = c
+ e' = d + T1
+ f' = e
+ g' = f
+ h' = g
+
+ but this is implemented by unrolling the loop 8 times and renaming
+ the variables
+ ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each
+ iteration. */
+
+/* It's crucial that DATA is only used once, as that argument will
+ * have side effects. */
+#define ROUND(a,b,c,d,e,f,g,h,k,data) do { \
+ h += S1(e) + Choice(e,f,g) + k + data; \
+ d += h; \
+ h += S0(a) + Majority(a,b,c); \
+ } while (0)
+
+/* For fat builds */
+#if HAVE_NATIVE_sha256_compress
+void
+_nettle_sha256_compress_c(uint32_t *state, const uint8_t *input, const uint32_t *k);
+#define _nettle_sha256_compress _nettle_sha256_compress_c
+#endif
+
+void
+_nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k)
+{
+ uint32_t data[SHA256_DATA_LENGTH];
+ uint32_t A, B, C, D, E, F, G, H; /* Local vars */
+ unsigned i;
+ uint32_t *d;
+
+ for (i = 0; i < SHA256_DATA_LENGTH; i++, input+= 4)
+ {
+ data[i] = READ_UINT32(input);
+ }
+
+ /* Set up first buffer and local data buffer */
+ A = state[0];
+ B = state[1];
+ C = state[2];
+ D = state[3];
+ E = state[4];
+ F = state[5];
+ G = state[6];
+ H = state[7];
+
+ /* Heavy mangling */
+ /* First 16 subrounds that act on the original data */
+
+ DEBUG(-1);
+ for (i = 0, d = data; i<16; i+=8, k += 8, d+= 8)
+ {
+ ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); DEBUG(i);
+ ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); DEBUG(i+1);
+ ROUND(G, H, A, B, C, D, E, F, k[2], d[2]);
+ ROUND(F, G, H, A, B, C, D, E, k[3], d[3]);
+ ROUND(E, F, G, H, A, B, C, D, k[4], d[4]);
+ ROUND(D, E, F, G, H, A, B, C, k[5], d[5]);
+ ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); DEBUG(i+6);
+ ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); DEBUG(i+7);
+ }
+
+ for (; i<64; i += 16, k+= 16)
+ {
+ ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); DEBUG(i);
+ ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); DEBUG(i+1);
+ ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); DEBUG(i+2);
+ ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); DEBUG(i+3);
+ ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); DEBUG(i+4);
+ ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); DEBUG(i+5);
+ ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); DEBUG(i+6);
+ ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); DEBUG(i+7);
+ ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); DEBUG(i+8);
+ ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); DEBUG(i+9);
+ ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); DEBUG(i+10);
+ ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); DEBUG(i+11);
+ ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); DEBUG(i+12);
+ ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); DEBUG(i+13);
+ ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); DEBUG(i+14);
+ ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); DEBUG(i+15);
+ }
+
+ /* Update state */
+ state[0] += A;
+ state[1] += B;
+ state[2] += C;
+ state[3] += D;
+ state[4] += E;
+ state[5] += F;
+ state[6] += G;
+ state[7] += H;
+#if SHA256_DEBUG
+ fprintf(stderr, "99: %8x %8x %8x %8x %8x %8x %8x %8x\n",
+ state[0], state[1], state[2], state[3],
+ state[4], state[5], state[6], state[7]);
+#endif
+}
diff --git a/external/nettle-3.3/nettle/sha256.c b/external/nettle-3.3/nettle/sha256.c
new file mode 100644
index 0000000..0cb3559
--- /dev/null
+++ b/external/nettle-3.3/nettle/sha256.c
@@ -0,0 +1,162 @@
+/* sha256.c
+
+ The sha256 hash function.
+ See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+
+ Copyright (C) 2001 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+/* Modelled after the sha1.c code by Peter Gutmann. */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "sha2.h"
+
+#include "macros.h"
+#include "nettle-write.h"
+
+/* Generated by the shadata program. */
+static const uint32_t
+K[64] =
+{
+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
+ 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
+ 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
+ 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
+ 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
+ 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
+ 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
+ 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
+ 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
+ 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
+ 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
+ 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
+ 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
+};
+
+#define COMPRESS(ctx, data) (_nettle_sha256_compress((ctx)->state, (data), K))
+
+/* Initialize the SHA values */
+
+void
+sha256_init(struct sha256_ctx *ctx)
+{
+ /* Initial values, also generated by the shadata program. */
+ static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
+ {
+ 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
+ 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
+ };
+
+ memcpy(ctx->state, H0, sizeof(H0));
+
+ /* Initialize bit count */
+ ctx->count = 0;
+
+ /* Initialize buffer */
+ ctx->index = 0;
+}
+
+void
+sha256_update(struct sha256_ctx *ctx,
+ size_t length, const uint8_t *data)
+{
+ MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++);
+}
+
+static void
+sha256_write_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest)
+{
+ uint64_t bit_count;
+
+ assert(length <= SHA256_DIGEST_SIZE);
+
+ MD_PAD(ctx, 8, COMPRESS);
+
+ /* There are 512 = 2^9 bits in one block */
+ bit_count = (ctx->count << 9) | (ctx->index << 3);
+
+ /* This is slightly inefficient, as the numbers are converted to
+ big-endian format, and will be converted back by the compression
+ function. It's probably not worth the effort to fix this. */
+ WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
+ COMPRESS(ctx, ctx->block);
+
+ _nettle_write_be32(length, digest, ctx->state);
+}
+
+void
+sha256_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest)
+{
+ sha256_write_digest(ctx, length, digest);
+ sha256_init(ctx);
+}
+
+/* sha224 variant. */
+
+void
+sha224_init(struct sha256_ctx *ctx)
+{
+ /* Initial values. Low 32 bits of the initial values for sha384. */
+ static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
+ {
+ 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
+ 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
+ };
+
+ memcpy(ctx->state, H0, sizeof(H0));
+
+ /* Initialize bit count */
+ ctx->count = 0;
+
+ /* Initialize buffer */
+ ctx->index = 0;
+}
+
+void
+sha224_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest)
+{
+ sha256_write_digest(ctx, length, digest);
+ sha224_init(ctx);
+}
diff --git a/external/nettle-3.3/nettle/version.h b/external/nettle-3.3/nettle/version.h
new file mode 100644
index 0000000..3a1d20c
--- /dev/null
+++ b/external/nettle-3.3/nettle/version.h
@@ -0,0 +1,58 @@
+/* version.h
+
+ Information about library version.
+
+ Copyright (C) 2015 Red Hat, Inc.
+ Copyright (C) 2015 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_VERSION_H_INCLUDED
+#define NETTLE_VERSION_H_INCLUDED
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Individual version numbers in decimal */
+#define NETTLE_VERSION_MAJOR 3
+#define NETTLE_VERSION_MINOR 3
+
+#define NETTLE_USE_MINI_GMP 1
+
+/* We need a preprocessor constant for GMP_NUMB_BITS, simply using
+ sizeof(mp_limb_t) * CHAR_BIT is not good enough. */
+#if NETTLE_USE_MINI_GMP
+# define GMP_NUMB_BITS (sizeof(unsigned long) * 8)
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_VERSION_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/write-be32.c b/external/nettle-3.3/nettle/write-be32.c
new file mode 100644
index 0000000..7d68905
--- /dev/null
+++ b/external/nettle-3.3/nettle/write-be32.c
@@ -0,0 +1,77 @@
+/* write-be32.c
+
+ Copyright (C) 2001 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdlib.h>
+
+#include "nettle-write.h"
+
+#include "macros.h"
+
+void
+_nettle_write_be32(size_t length, uint8_t *dst,
+ uint32_t *src)
+{
+ size_t i;
+ size_t words;
+ unsigned leftover;
+
+ words = length / 4;
+ leftover = length % 4;
+
+ for (i = 0; i < words; i++, dst += 4)
+ WRITE_UINT32(dst, src[i]);
+
+ if (leftover)
+ {
+ uint32_t word;
+ unsigned j = leftover;
+
+ word = src[i];
+
+ switch (leftover)
+ {
+ default:
+ abort();
+ case 3:
+ dst[--j] = (word >> 8) & 0xff;
+ /* Fall through */
+ case 2:
+ dst[--j] = (word >> 16) & 0xff;
+ /* Fall through */
+ case 1:
+ dst[--j] = (word >> 24) & 0xff;
+ }
+ }
+}