From 425decdf7e9284d15aa726e3ae96b9942fb0e3ea Mon Sep 17 00:00:00 2001 
From: IronClawTrem Date: Sun, 16 Feb 2020 03:40:06 +0000 Subject: create tremded branch --- external/nettle-3.3/CMakeLists.txt | 38 + external/nettle-3.3/nettle/bignum-random-prime.c | 533 +++ external/nettle-3.3/nettle/bignum-random.c | 96 + external/nettle-3.3/nettle/bignum.c | 186 + external/nettle-3.3/nettle/bignum.h | 140 + external/nettle-3.3/nettle/buffer-init.c | 48 + external/nettle-3.3/nettle/buffer.c | 142 + external/nettle-3.3/nettle/buffer.h | 106 + external/nettle-3.3/nettle/gmp-glue.c | 326 ++ external/nettle-3.3/nettle/gmp-glue.h | 164 + external/nettle-3.3/nettle/macros.h | 245 ++ external/nettle-3.3/nettle/mini-gmp.c | 4386 ++++++++++++++++++++++ external/nettle-3.3/nettle/mini-gmp.h | 294 ++ external/nettle-3.3/nettle/nettle-internal.h | 92 + external/nettle-3.3/nettle/nettle-meta.h | 230 ++ external/nettle-3.3/nettle/nettle-stdint.h | 6 + external/nettle-3.3/nettle/nettle-types.h | 110 + external/nettle-3.3/nettle/nettle-write.h | 58 + external/nettle-3.3/nettle/pkcs1-rsa-sha256.c | 120 + external/nettle-3.3/nettle/pkcs1.c | 73 + external/nettle-3.3/nettle/pkcs1.h | 114 + external/nettle-3.3/nettle/realloc.c | 69 + external/nettle-3.3/nettle/realloc.h | 48 + external/nettle-3.3/nettle/rsa-keygen.c | 212 ++ external/nettle-3.3/nettle/rsa-sha256-sign.c | 77 + external/nettle-3.3/nettle/rsa-sha256-verify.c | 79 + external/nettle-3.3/nettle/rsa-sign.c | 144 + external/nettle-3.3/nettle/rsa-verify.c | 64 + external/nettle-3.3/nettle/rsa.c | 86 + external/nettle-3.3/nettle/rsa.h | 355 ++ external/nettle-3.3/nettle/rsa2sexp.c | 59 + external/nettle-3.3/nettle/sexp-format.c | 348 ++ external/nettle-3.3/nettle/sexp.c | 399 ++ external/nettle-3.3/nettle/sexp.h | 213 ++ external/nettle-3.3/nettle/sexp2bignum.c | 60 + external/nettle-3.3/nettle/sexp2rsa.c | 115 + external/nettle-3.3/nettle/sha2.h | 206 + external/nettle-3.3/nettle/sha256-compress.c | 199 + external/nettle-3.3/nettle/sha256.c | 162 + external/nettle-3.3/nettle/version.h | 58 + 
external/nettle-3.3/nettle/write-be32.c | 77 + 41 files changed, 10537 insertions(+) create mode 100644 external/nettle-3.3/CMakeLists.txt create mode 100644 external/nettle-3.3/nettle/bignum-random-prime.c create mode 100644 external/nettle-3.3/nettle/bignum-random.c create mode 100644 external/nettle-3.3/nettle/bignum.c create mode 100644 external/nettle-3.3/nettle/bignum.h create mode 100644 external/nettle-3.3/nettle/buffer-init.c create mode 100644 external/nettle-3.3/nettle/buffer.c create mode 100644 external/nettle-3.3/nettle/buffer.h create mode 100644 external/nettle-3.3/nettle/gmp-glue.c create mode 100644 external/nettle-3.3/nettle/gmp-glue.h create mode 100644 external/nettle-3.3/nettle/macros.h create mode 100644 external/nettle-3.3/nettle/mini-gmp.c create mode 100644 external/nettle-3.3/nettle/mini-gmp.h create mode 100644 external/nettle-3.3/nettle/nettle-internal.h create mode 100644 external/nettle-3.3/nettle/nettle-meta.h create mode 100644 external/nettle-3.3/nettle/nettle-stdint.h create mode 100644 external/nettle-3.3/nettle/nettle-types.h create mode 100644 external/nettle-3.3/nettle/nettle-write.h create mode 100644 external/nettle-3.3/nettle/pkcs1-rsa-sha256.c create mode 100644 external/nettle-3.3/nettle/pkcs1.c create mode 100644 external/nettle-3.3/nettle/pkcs1.h create mode 100644 external/nettle-3.3/nettle/realloc.c create mode 100644 external/nettle-3.3/nettle/realloc.h create mode 100644 external/nettle-3.3/nettle/rsa-keygen.c create mode 100644 external/nettle-3.3/nettle/rsa-sha256-sign.c create mode 100644 external/nettle-3.3/nettle/rsa-sha256-verify.c create mode 100644 external/nettle-3.3/nettle/rsa-sign.c create mode 100644 external/nettle-3.3/nettle/rsa-verify.c create mode 100644 external/nettle-3.3/nettle/rsa.c create mode 100644 external/nettle-3.3/nettle/rsa.h create mode 100644 external/nettle-3.3/nettle/rsa2sexp.c create mode 100644 external/nettle-3.3/nettle/sexp-format.c create mode 100644 
external/nettle-3.3/nettle/sexp.c create mode 100644 external/nettle-3.3/nettle/sexp.h create mode 100644 external/nettle-3.3/nettle/sexp2bignum.c create mode 100644 external/nettle-3.3/nettle/sexp2rsa.c create mode 100644 external/nettle-3.3/nettle/sha2.h create mode 100644 external/nettle-3.3/nettle/sha256-compress.c create mode 100644 external/nettle-3.3/nettle/sha256.c create mode 100644 external/nettle-3.3/nettle/version.h create mode 100644 external/nettle-3.3/nettle/write-be32.c (limited to 'external/nettle-3.3')
diff --git a/external/nettle-3.3/CMakeLists.txt b/external/nettle-3.3/CMakeLists.txt
new file mode 100644
index 0000000..72c7f86
--- /dev/null
+++ b/external/nettle-3.3/CMakeLists.txt
@@ -0,0 +1,38 @@
+add_library ( nettle STATIC
+ nettle/bignum.c
+ nettle/bignum-random.c
+ nettle/bignum-random-prime.c
+ nettle/buffer.c
+ nettle/buffer-init.c
+ nettle/gmp-glue.c
+ nettle/mini-gmp.c
+ nettle/pkcs1.c
+ nettle/pkcs1-rsa-sha256.c
+ nettle/realloc.c
+ nettle/rsa.c
+ nettle/rsa2sexp.c
+ nettle/rsa-keygen.c
+ nettle/rsa-sha256-sign.c
+ nettle/rsa-sha256-verify.c
+ nettle/rsa-sign.c
+ nettle/rsa-verify.c
+ nettle/sexp.c
+ nettle/sexp-format.c
+ nettle/sexp2bignum.c
+ nettle/sexp2rsa.c
+ nettle/sha256-compress.c
+ nettle/sha256.c
+ nettle/write-be32.c
+ )
+
+add_definitions (
+ -DNDEBUG
+ -mfpmath=sse
+ -ffast-math
+ )
+include_directories (
+ include
+ )
+
+# command: /usr/bin/clang -Wall -Wextra -DLUA_COMPAT_5_2 -fPIC -fpic -o build/release-darwin-x86_64/nettle/bignum.o -c src/nettle-3.3/nettle/bignum.c
+
diff --git a/external/nettle-3.3/nettle/bignum-random-prime.c b/external/nettle-3.3/nettle/bignum-random-prime.c
new file mode 100644
index 0000000..97d35e4
--- /dev/null
+++ b/external/nettle-3.3/nettle/bignum-random-prime.c
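Review bot: `-DNDEBUG` in the `add_definitions` block compiles out every `assert()` in the vendored nettle sources, and nettle uses asserts as its only guard in several places visible in this commit — `nettle_mpz_get_str_256` asserts `nettle_mpz_sizeinbase_256_u(x) <= length` before serialising into the caller's buffer and `miller_rabin_pocklington` asserts `k > 0` — so a caller error that aborts in an upstream build turns into a silent truncation or a wrong result here. `-mfpmath=sse` and `-ffast-math` are x86 floating-point flags applied to a library that does only integer arithmetic; the first will presumably be rejected by non-x86 toolchains, and neither belongs in `add_definitions`, which is meant for preprocessor macros and leaks to every target in the directory. I would keep `target_compile_definitions(nettle PRIVATE NDEBUG)` only if dropping the asserts is a deliberate choice, remove the two float flags, and replace `include_directories(include)` (no `include` directory appears in the diffstat; the sources include `"bignum.h"` etc. by quoted name from `nettle/`) with `target_include_directories(nettle PUBLIC nettle)`. A security caveat worth a comment next to `nettle/mini-gmp.c`: the vendored `bignum.h` maps `mpz_powm_sec` to plain `mpz_powm` when `NETTLE_USE_MINI_GMP` is set (the setting lives in `version.h`, not shown here), so RSA private-key operations built against mini-gmp are not side-channel hardened — fine if this build only verifies signatures, but it should be stated. The trailing `# command:` line references a Lua build (`-DLUA_COMPAT_5_2`, `src/nettle-3.3/...`) that does not match this tree and should be removed.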
@@ -0,0 +1,533 @@ +/* bignum-random-prime.c + + Generation of random provable primes. + + Copyright (C) 2010, 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#ifndef RANDOM_PRIME_VERBOSE +#define RANDOM_PRIME_VERBOSE 0 +#endif + +#include +#include + +#if RANDOM_PRIME_VERBOSE +#include +#define VERBOSE(x) (fputs((x), stderr)) +#else +#define VERBOSE(x) +#endif + +#include "bignum.h" + +#include "macros.h" + +/* Use a table of p_2 = 3 to p_{172} = 1021, used for sieving numbers + of up to 20 bits. 
*/ + +#define NPRIMES 171 +#define TRIAL_DIV_BITS 20 +#define TRIAL_DIV_MASK ((1 << TRIAL_DIV_BITS) - 1) + +/* A 20-bit number x is divisible by p iff + + ((x * inverse) & TRIAL_DIV_MASK) <= limit +*/ +struct trial_div_info { + uint32_t inverse; /* p^{-1} (mod 2^20) */ + uint32_t limit; /* floor( (2^20 - 1) / p) */ +}; + +static const uint16_t +primes[NPRIMES] = { + 3,5,7,11,13,17,19,23, + 29,31,37,41,43,47,53,59, + 61,67,71,73,79,83,89,97, + 101,103,107,109,113,127,131,137, + 139,149,151,157,163,167,173,179, + 181,191,193,197,199,211,223,227, + 229,233,239,241,251,257,263,269, + 271,277,281,283,293,307,311,313, + 317,331,337,347,349,353,359,367, + 373,379,383,389,397,401,409,419, + 421,431,433,439,443,449,457,461, + 463,467,479,487,491,499,503,509, + 521,523,541,547,557,563,569,571, + 577,587,593,599,601,607,613,617, + 619,631,641,643,647,653,659,661, + 673,677,683,691,701,709,719,727, + 733,739,743,751,757,761,769,773, + 787,797,809,811,821,823,827,829, + 839,853,857,859,863,877,881,883, + 887,907,911,919,929,937,941,947, + 953,967,971,977,983,991,997,1009, + 1013,1019,1021, +}; + +static const uint32_t +prime_square[NPRIMES+1] = { + 9,25,49,121,169,289,361,529, + 841,961,1369,1681,1849,2209,2809,3481, + 3721,4489,5041,5329,6241,6889,7921,9409, + 10201,10609,11449,11881,12769,16129,17161,18769, + 19321,22201,22801,24649,26569,27889,29929,32041, + 32761,36481,37249,38809,39601,44521,49729,51529, + 52441,54289,57121,58081,63001,66049,69169,72361, + 73441,76729,78961,80089,85849,94249,96721,97969, + 100489,109561,113569,120409,121801,124609,128881,134689, + 139129,143641,146689,151321,157609,160801,167281,175561, + 177241,185761,187489,192721,196249,201601,208849,212521, + 214369,218089,229441,237169,241081,249001,253009,259081, + 271441,273529,292681,299209,310249,316969,323761,326041, + 332929,344569,351649,358801,361201,368449,375769,380689, + 383161,398161,410881,413449,418609,426409,434281,436921, + 452929,458329,466489,477481,491401,502681,516961,528529, + 
537289,546121,552049,564001,573049,579121,591361,597529, + 619369,635209,654481,657721,674041,677329,683929,687241, + 703921,727609,734449,737881,744769,769129,776161,779689, + 786769,822649,829921,844561,863041,877969,885481,896809, + 908209,935089,942841,954529,966289,982081,994009,1018081, + 1026169,1038361,1042441,1L<<20 +}; + +static const struct trial_div_info +trial_div_table[NPRIMES] = { + {699051,349525},{838861,209715},{748983,149796},{953251,95325}, + {806597,80659},{61681,61680},{772635,55188},{866215,45590}, + {180789,36157},{1014751,33825},{793517,28339},{1023001,25575}, + {48771,24385},{870095,22310},{217629,19784},{710899,17772}, + {825109,17189},{281707,15650},{502135,14768},{258553,14364}, + {464559,13273},{934875,12633},{1001449,11781},{172961,10810}, + {176493,10381},{203607,10180},{568387,9799},{788837,9619}, + {770193,9279},{1032063,8256},{544299,8004},{619961,7653}, + {550691,7543},{182973,7037},{229159,6944},{427445,6678}, + {701195,6432},{370455,6278},{90917,6061},{175739,5857}, + {585117,5793},{225087,5489},{298817,5433},{228877,5322}, + {442615,5269},{546651,4969},{244511,4702},{83147,4619}, + {769261,4578},{841561,4500},{732687,4387},{978961,4350}, + {133683,4177},{65281,4080},{629943,3986},{374213,3898}, + {708079,3869},{280125,3785},{641833,3731},{618771,3705}, + {930477,3578},{778747,3415},{623751,3371},{40201,3350}, + {122389,3307},{950371,3167},{1042353,3111},{18131,3021}, + {285429,3004},{549537,2970},{166487,2920},{294287,2857}, + {919261,2811},{636339,2766},{900735,2737},{118605,2695}, + {10565,2641},{188273,2614},{115369,2563},{735755,2502}, + {458285,2490},{914767,2432},{370513,2421},{1027079,2388}, + {629619,2366},{462401,2335},{649337,2294},{316165,2274}, + {484655,2264},{65115,2245},{326175,2189},{1016279,2153}, + {990915,2135},{556859,2101},{462791,2084},{844629,2060}, + {404537,2012},{457123,2004},{577589,1938},{638347,1916}, + {892325,1882},{182523,1862},{1002505,1842},{624371,1836}, + 
{69057,1817},{210787,1786},{558769,1768},{395623,1750}, + {992745,1744},{317855,1727},{384877,1710},{372185,1699}, + {105027,1693},{423751,1661},{408961,1635},{908331,1630}, + {74551,1620},{36933,1605},{617371,1591},{506045,1586}, + {24929,1558},{529709,1548},{1042435,1535},{31867,1517}, + {166037,1495},{928781,1478},{508975,1458},{4327,1442}, + {779637,1430},{742091,1418},{258263,1411},{879631,1396}, + {72029,1385},{728905,1377},{589057,1363},{348621,1356}, + {671515,1332},{710453,1315},{84249,1296},{959363,1292}, + {685853,1277},{467591,1274},{646643,1267},{683029,1264}, + {439927,1249},{254461,1229},{660713,1223},{554195,1220}, + {202911,1215},{753253,1195},{941457,1190},{776635,1187}, + {509511,1182},{986147,1156},{768879,1151},{699431,1140}, + {696417,1128},{86169,1119},{808997,1114},{25467,1107}, + {201353,1100},{708087,1084},{1018339,1079},{341297,1073}, + {434151,1066},{96287,1058},{950765,1051},{298257,1039}, + {675933,1035},{167731,1029},{815445,1027}, +}; + +/* Element j gives the index of the first prime of size 3+j bits */ +static uint8_t +prime_by_size[9] = { + 1,3,5,10,17,30,53,96,171 +}; + +/* Combined Miller-Rabin test to the base a, and checking the + conditions from Pocklington's theorem, nm1dq holds (n-1)/q, with q + prime. */ +static int +miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a) +{ + mpz_t r; + mpz_t y; + int is_prime = 0; + + /* Avoid the mp_bitcnt_t type for compatibility with older GMP + versions. 
*/ + unsigned k; + unsigned j; + + VERBOSE("."); + + if (mpz_even_p(n) || mpz_cmp_ui(n, 3) < 0) + return 0; + + mpz_init(r); + mpz_init(y); + + k = mpz_scan1(nm1, 0); + assert(k > 0); + + mpz_fdiv_q_2exp (r, nm1, k); + + mpz_powm(y, a, r, n); + + if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, nm1) == 0) + goto passed_miller_rabin; + + for (j = 1; j < k; j++) + { + mpz_powm_ui (y, y, 2, n); + + if (mpz_cmp_ui (y, 1) == 0) + break; + + if (mpz_cmp (y, nm1) == 0) + { + passed_miller_rabin: + /* We know that a^{n-1} = 1 (mod n) + + Remains to check that gcd(a^{(n-1)/q} - 1, n) == 1 */ + VERBOSE("x"); + + mpz_powm(y, a, nm1dq, n); + mpz_sub_ui(y, y, 1); + mpz_gcd(y, y, n); + is_prime = mpz_cmp_ui (y, 1) == 0; + VERBOSE(is_prime ? "\n" : ""); + break; + } + + } + + mpz_clear(r); + mpz_clear(y); + + return is_prime; +} + +/* The most basic variant of Pocklingtons theorem: + + Assume that q^e | (n-1), with q prime. If we can find an a such that + + a^{n-1} = 1 (mod n) + gcd(a^{(n-1)/q} - 1, n) = 1 + + then any prime divisor p of n satisfies p = 1 (mod q^e). + + Proof (Cohen, 8.3.2): Assume p is a prime factor of n. The central + idea of the proof is to consider the order, modulo p, of a. Denote + this by d. + + a^{n-1} = 1 (mod n) implies a^{n-1} = 1 (mod p), hence d | (n-1). + Next, the condition gcd(a^{(n-1)/q} - 1, n) = 1 implies that + a^{(n-1)/q} != 1, hence d does not divide (n-1)/q. Since q is + prime, this means that q^e | d. + + Finally, we have a^{p-1} = 1 (mod p), hence d | (p-1). So q^e | d | + (p-1), which gives the desired result: p = 1 (mod q^e). + + + * Variant, slightly stronger than Fact 4.59, HAC: + + Assume n = 1 + 2rq, q an odd prime, r <= 2q, and + + a^{n-1} = 1 (mod n) + gcd(a^{(n-1)/q} - 1, n) = 1 + + Then n is prime. + + Proof: By Pocklington's theorem, any prime factor p satisfies p = 1 + (mod q). Neither 1 or q+1 are primes, hence p >= 1 + 2q. If n is + composite, we have n >= (1+2q)^2. 
But the assumption r <= 2q + implies n <= 1 + 4q^2, a contradiction. + + In bits, the requirement is that #n <= 2 #q, then + + r = (n-1)/2q < 2^{#n - #q} <= 2^#q = 2 2^{#q-1}< 2 q + + + * Another variant with an extra test (Variant of Fact 4.42, HAC): + + Assume n = 1 + 2rq, n odd, q an odd prime, 8 q^3 >= n + + a^{n-1} = 1 (mod n) + gcd(a^{(n-1)/q} - 1, n) = 1 + + Also let x = floor(r / 2q), y = r mod 2q, + + If y^2 - 4x is not a square, then n is prime. + + Proof (adapted from Maurer, Journal of Cryptology, 8 (1995)): + + Assume n is composite. There are at most two factors, both odd, + + n = (1+2m_1 q)(1+2m_2 q) = 1 + 4 m_1 m_2 q^2 + 2 (m_1 + m_2) q + + where we can assume m_1 >= m_2. Then the bound n <= 8 q^3 implies m_1 + m_2 < 2q, restricting (m_1, m_2) to the domain 0 < m_2 < + sqrt(2q), 0 < m_1 < 2q / m_2. + + We have the bound + + m_1 + m_2 < 2q / m_2 + m_2 <= 2q + 1 (maximum value for m_2 = 1) + + And the case m_1 = 2q, m_2 = 1 can be excluded, because it gives n + > 8q^3. So in fact, m_1 + m_2 < 2q. + + Next, write r = (n-1)/2q = 2 m_1 m_2 q + m_1 + m_2. + + If follows that m_1 + m_2 = y and m_1 m_2 = x. m_1 and m_2 are + thus the roots of the equation + + m^2 - y m + x = 0 + + which has integer roots iff y^2 - 4 x is the square of an integer. + + In bits, the requirement is that #n <= 3 #q, then + + n < 2^#n <= 2^{3 #q} = 8 2^{3 (#q-1)} < 8 q^3 +*/ + +/* Generate a prime number p of size bits with 2 p0q dividing (p-1). + p0 must be of size >= ceil(bits/3). The extra factor q can be + omitted (then p0 and p0q should be equal). If top_bits_set is one, + the topmost two bits are set to one, suitable for RSA primes. Also + returns r = (p-1)/p0q. 
*/ +void +_nettle_generate_pocklington_prime (mpz_t p, mpz_t r, + unsigned bits, int top_bits_set, + void *ctx, nettle_random_func *random, + const mpz_t p0, + const mpz_t q, + const mpz_t p0q) +{ + mpz_t r_min, r_range, pm1, a, e; + int need_square_test; + unsigned p0_bits; + mpz_t x, y, p04; + + p0_bits = mpz_sizeinbase (p0, 2); + + assert (bits <= 3*p0_bits); + assert (bits > p0_bits); + + need_square_test = (bits > 2 * p0_bits); + + mpz_init (r_min); + mpz_init (r_range); + mpz_init (pm1); + mpz_init (a); + + if (need_square_test) + { + mpz_init (x); + mpz_init (y); + mpz_init (p04); + mpz_mul_2exp (p04, p0, 2); + } + + if (q) + mpz_init (e); + + if (top_bits_set) + { + /* i = floor (2^{bits-3} / p0q), then 3I + 3 <= r <= 4I, with I + - 2 possible values. */ + mpz_set_ui (r_min, 1); + mpz_mul_2exp (r_min, r_min, bits-3); + mpz_fdiv_q (r_min, r_min, p0q); + mpz_sub_ui (r_range, r_min, 2); + mpz_mul_ui (r_min, r_min, 3); + mpz_add_ui (r_min, r_min, 3); + } + else + { + /* i = floor (2^{bits-2} / p0q), I + 1 <= r <= 2I */ + mpz_set_ui (r_range, 1); + mpz_mul_2exp (r_range, r_range, bits-2); + mpz_fdiv_q (r_range, r_range, p0q); + mpz_add_ui (r_min, r_range, 1); + } + + for (;;) + { + uint8_t buf[1]; + + nettle_mpz_random (r, ctx, random, r_range); + mpz_add (r, r, r_min); + + /* Set p = 2*r*p0q + 1 */ + mpz_mul_2exp(r, r, 1); + mpz_mul (pm1, r, p0q); + mpz_add_ui (p, pm1, 1); + + assert(mpz_sizeinbase(p, 2) == bits); + + /* Should use GMP trial division interface when that + materializes, we don't need any testing beyond trial + division. 
*/ + if (!mpz_probab_prime_p (p, 1)) + continue; + + random(ctx, sizeof(buf), buf); + + mpz_set_ui (a, buf[0] + 2); + + if (q) + { + mpz_mul (e, r, q); + if (!miller_rabin_pocklington(p, pm1, e, a)) + continue; + + if (need_square_test) + { + /* Our e corresponds to 2r in the theorem */ + mpz_tdiv_qr (x, y, e, p04); + goto square_test; + } + } + else + { + if (!miller_rabin_pocklington(p, pm1, r, a)) + continue; + if (need_square_test) + { + mpz_tdiv_qr (x, y, r, p04); + square_test: + /* We have r' = 2r, x = floor (r/2q) = floor(r'/2q), + and y' = r' - x 4q = 2 (r - x 2q) = 2y. + + Then y^2 - 4x is a square iff y'^2 - 16 x is a + square. */ + + mpz_mul (y, y, y); + mpz_submul_ui (y, x, 16); + if (mpz_perfect_square_p (y)) + continue; + } + } + + /* If we passed all the tests, we have found a prime. */ + break; + } + mpz_clear (r_min); + mpz_clear (r_range); + mpz_clear (pm1); + mpz_clear (a); + + if (need_square_test) + { + mpz_clear (x); + mpz_clear (y); + mpz_clear (p04); + } + if (q) + mpz_clear (e); +} + +/* Generate random prime of a given size. Maurer's algorithm (Alg. + 6.42 Handbook of applied cryptography), but with ratio = 1/2 (like + the variant in fips186-3). 
*/ +void +nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set, + void *random_ctx, nettle_random_func *random, + void *progress_ctx, nettle_progress_func *progress) +{ + assert (bits >= 3); + if (bits <= 10) + { + unsigned first; + unsigned choices; + uint8_t buf; + + assert (!top_bits_set); + + random (random_ctx, sizeof(buf), &buf); + + first = prime_by_size[bits-3]; + choices = prime_by_size[bits-2] - first; + + mpz_set_ui (p, primes[first + buf % choices]); + } + else if (bits <= 20) + { + unsigned long highbit; + uint8_t buf[3]; + unsigned long x; + unsigned j; + + assert (!top_bits_set); + + highbit = 1L << (bits - 1); + + again: + random (random_ctx, sizeof(buf), buf); + x = READ_UINT24(buf); + x &= (highbit - 1); + x |= highbit | 1; + + for (j = 0; prime_square[j] <= x; j++) + { + unsigned q = x * trial_div_table[j].inverse & TRIAL_DIV_MASK; + if (q <= trial_div_table[j].limit) + goto again; + } + mpz_set_ui (p, x); + } + else + { + mpz_t q, r; + + mpz_init (q); + mpz_init (r); + + /* Bit size ceil(k/2) + 1, slightly larger than used in Alg. 4.62 + in Handbook of Applied Cryptography (which seems to be + incorrect for odd k). */ + nettle_random_prime (q, (bits+3)/2, 0, random_ctx, random, + progress_ctx, progress); + + _nettle_generate_pocklington_prime (p, r, bits, top_bits_set, + random_ctx, random, + q, NULL, q); + + if (progress) + progress (progress_ctx, 'x'); + + mpz_clear (q); + mpz_clear (r); + } +} diff --git a/external/nettle-3.3/nettle/bignum-random.c b/external/nettle-3.3/nettle/bignum-random.c new file mode 100644 index 0000000..34a696f --- /dev/null +++ b/external/nettle-3.3/nettle/bignum-random.c 
@@ -0,0 +1,96 @@ +/* bignum-random.c + + Generating big random numbers + + Copyright (C) 2002, 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "bignum.h" +#include "gmp-glue.h" + +void +nettle_mpz_random_size(mpz_t x, + void *ctx, nettle_random_func *random, + unsigned bits) +{ + unsigned length = (bits + 7) / 8; + TMP_GMP_DECL(data, uint8_t); + + TMP_GMP_ALLOC(data, length); + + random(ctx, length, data); + nettle_mpz_set_str_256_u(x, length, data); + + if (bits % 8) + mpz_fdiv_r_2exp(x, x, bits); + + TMP_GMP_FREE(data); +} + +/* Returns a random number x, 0 <= x < n */ +void +nettle_mpz_random(mpz_t x, + void *ctx, nettle_random_func *random, + const mpz_t n) +{ + /* NOTE: This leaves some bias, which may be bad for DSA. A better + * way might be to generate a random number of mpz_sizeinbase(n, 2) + * bits, and loop until one smaller than n is found. */ + + /* From Daniel Bleichenbacher (via coderpunks): + * + * There is still a theoretical attack possible with 8 extra bits. 
+ * But, the attack would need about 2^66 signatures 2^66 memory and + * 2^66 time (if I remember that correctly). Compare that to DSA, + * where the attack requires 2^22 signatures 2^40 memory and 2^64 + * time. And of course, the numbers above are not a real threat for + * PGP. Using 16 extra bits (i.e. generating a 176 bit random number + * and reducing it modulo q) will defeat even this theoretical + * attack. + * + * More generally log_2(q)/8 extra bits are enough to defeat my + * attack. NIST also plans to update the standard. + */ + + /* Add a few bits extra, to decrease the bias from the final modulo + * operation. NIST FIPS 186-3 specifies 64 extra bits, for use with + * DSA. */ + + nettle_mpz_random_size(x, + ctx, random, + mpz_sizeinbase(n, 2) + 64); + + mpz_fdiv_r(x, x, n); +} diff --git a/external/nettle-3.3/nettle/bignum.c b/external/nettle-3.3/nettle/bignum.c new file mode 100644 index 0000000..b58726f --- /dev/null +++ b/external/nettle-3.3/nettle/bignum.c 
@@ -0,0 +1,186 @@ +/* bignum.c + + Bignum operations that are missing from gmp. + + Copyright (C) 2001 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "bignum.h" + +/* Two's complement negation means that -x = ~x + 1, ~x = -(x+1), + * and we use that x = ~~x = ~(-x-1). + * + * Examples: + * + * x ~x = -x+1 ~~x = x + * -1 0 ff + * -2 1 fe + * -7f 7e 81 + * -80 7f 80 + * -81 80 ff7f + */ + +/* Including extra sign bit, if needed. Also one byte for zero. 
*/ +size_t +nettle_mpz_sizeinbase_256_s(const mpz_t x) +{ + if (mpz_sgn(x) >= 0) + return 1 + mpz_sizeinbase(x, 2) / 8; + else + { + /* We'll output ~~x, so we need as many bits as for ~x */ + size_t size; + mpz_t c; + + mpz_init(c); + mpz_com(c, x); /* Same as c = - x - 1 = |x| + 1 */ + size = 1 + mpz_sizeinbase(c,2) / 8; + mpz_clear(c); + + return size; + } +} + +size_t +nettle_mpz_sizeinbase_256_u(const mpz_t x) +{ + return (mpz_sizeinbase(x,2) + 7) / 8; +} + +static void +nettle_mpz_to_octets(size_t length, uint8_t *s, + const mpz_t x, uint8_t sign) +{ + uint8_t *dst = s + length - 1; + size_t size = mpz_size(x); + size_t i; + + for (i = 0; i>= 8; + length--; + } + } + + if (length) + memset(s, sign, length); +} + +void +nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x) +{ + if (!length) + { + /* x must be zero */ + assert(!mpz_sgn(x)); + return; + } + + if (mpz_sgn(x) >= 0) + { + assert(nettle_mpz_sizeinbase_256_u(x) <= length); + nettle_mpz_to_octets(length, s, x, 0); + } + else + { + mpz_t c; + mpz_init(c); + mpz_com(c, x); + + assert(nettle_mpz_sizeinbase_256_u(c) <= length); + nettle_mpz_to_octets(length, s, c, 0xff); + + mpz_clear(c); + } +} + +/* Converting from strings */ + +/* mpz_import was introduced in GMP-4.1 */ +#define nettle_mpz_from_octets(x, length, s) \ + mpz_import((x), (length), 1, 1, 0, 0, (s)) + +void +nettle_mpz_set_str_256_u(mpz_t x, + size_t length, const uint8_t *s) +{ + nettle_mpz_from_octets(x, length, s); +} + +void +nettle_mpz_init_set_str_256_u(mpz_t x, + size_t length, const uint8_t *s) +{ + mpz_init(x); + nettle_mpz_from_octets(x, length, s); +} + +void +nettle_mpz_set_str_256_s(mpz_t x, + size_t length, const uint8_t *s) +{ + if (!length) + { + mpz_set_ui(x, 0); + return; + } + + nettle_mpz_from_octets(x, length, s); + + if (s[0] & 0x80) + { + mpz_t t; + + mpz_init_set_ui(t, 1); + mpz_mul_2exp(t, t, length*8); + mpz_sub(x, x, t); + mpz_clear(t); + } +} + +void +nettle_mpz_init_set_str_256_s(mpz_t x, + size_t 
length, const uint8_t *s) +{ + mpz_init(x); + nettle_mpz_set_str_256_s(x, length, s); +} diff --git a/external/nettle-3.3/nettle/bignum.h b/external/nettle-3.3/nettle/bignum.h new file mode 100644 index 0000000..188e9e4 --- /dev/null +++ b/external/nettle-3.3/nettle/bignum.h 
@@ -0,0 +1,140 @@ +/* bignum.h + + Bignum operations that are missing from gmp. + + Copyright (C) 2001 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_BIGNUM_H_INCLUDED +#define NETTLE_BIGNUM_H_INCLUDED + +#include "nettle-meta.h" + +#include "nettle-types.h" + +/* For NETTLE_USE_MINI_GMP */ +#include "version.h" + +#if NETTLE_USE_MINI_GMP +# include "mini-gmp.h" + +# define GMP_NUMB_MASK (~(mp_limb_t) 0) + +/* Function missing in older gmp versions, and checked for with ifdef */ +# define mpz_limbs_read mpz_limbs_read +/* Side-channel silent powm not available in mini-gmp. */ +# define mpz_powm_sec mpz_powm +#else +# include +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +/* Size needed for signed encoding, including extra sign byte if + * necessary. */ +size_t +nettle_mpz_sizeinbase_256_s(const mpz_t x); + +/* Size needed for unsigned encoding */ +size_t +nettle_mpz_sizeinbase_256_u(const mpz_t x); + +/* Writes an integer as length octets, using big endian byte order, + * and two's complement for negative numbers. 
*/ +void +nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x); + +/* Reads a big endian, two's complement, integer. */ +void +nettle_mpz_set_str_256_s(mpz_t x, + size_t length, const uint8_t *s); + +void +nettle_mpz_init_set_str_256_s(mpz_t x, + size_t length, const uint8_t *s); + +/* Similar, but for unsigned format. These function don't interpret + * the most significant bit as the sign. */ +void +nettle_mpz_set_str_256_u(mpz_t x, + size_t length, const uint8_t *s); + +void +nettle_mpz_init_set_str_256_u(mpz_t x, + size_t length, const uint8_t *s); + +/* Returns a uniformly distributed random number 0 <= x < 2^n */ +void +nettle_mpz_random_size(mpz_t x, + void *ctx, nettle_random_func *random, + unsigned bits); + +/* Returns a number x, almost uniformly random in the range + * 0 <= x < n. */ +void +nettle_mpz_random(mpz_t x, + void *ctx, nettle_random_func *random, + const mpz_t n); + +void +nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set, + void *ctx, nettle_random_func *random, + void *progress_ctx, nettle_progress_func *progress); + +void +_nettle_generate_pocklington_prime (mpz_t p, mpz_t r, + unsigned bits, int top_bits_set, + void *ctx, nettle_random_func *random, + const mpz_t p0, + const mpz_t q, + const mpz_t p0q); + +/* sexp parsing */ +struct sexp_iterator; + +/* If LIMIT is non-zero, the number must be at most LIMIT bits. + * Implies sexp_iterator_next. */ +int +nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i); + + +/* der parsing */ +struct asn1_der_iterator; + +int +nettle_asn1_der_get_bignum(struct asn1_der_iterator *iterator, + mpz_t x, unsigned max_bits); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_BIGNUM_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/buffer-init.c b/external/nettle-3.3/nettle/buffer-init.c new file mode 100644 index 0000000..c953fd1 --- /dev/null +++ b/external/nettle-3.3/nettle/buffer-init.c 
@@ -0,0 +1,48 @@ +/* buffer-init.c + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "buffer.h" +#include "realloc.h" + +/* This is in a separate file so that we don't link in realloc in + * programs that don't need it. */ + +void +nettle_buffer_init(struct nettle_buffer *buffer) +{ + nettle_buffer_init_realloc(buffer, NULL, nettle_realloc); +} diff --git a/external/nettle-3.3/nettle/buffer.c b/external/nettle-3.3/nettle/buffer.c new file mode 100644 index 0000000..37a7275 --- /dev/null +++ b/external/nettle-3.3/nettle/buffer.c 
@@ -0,0 +1,142 @@ +/* buffer.c + + A bare-bones string stream. + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include +#include + +#include "buffer.h" + +int +nettle_buffer_grow(struct nettle_buffer *buffer, + size_t length) +{ + assert(buffer->size <= buffer->alloc); + + if (buffer->size + length > buffer->alloc) + { + size_t alloc; + uint8_t *p; + + if (!buffer->realloc) + return 0; + + alloc = buffer->alloc * 2 + length + 100; + p = buffer->realloc(buffer->realloc_ctx, buffer->contents, alloc); + if (!p) + return 0; + + buffer->contents = p; + buffer->alloc = alloc; + } + return 1; +} + +void +nettle_buffer_init_realloc(struct nettle_buffer *buffer, + void *realloc_ctx, + nettle_realloc_func *realloc) +{ + buffer->contents = NULL; + buffer->alloc = 0; + buffer->realloc = realloc; + buffer->realloc_ctx = realloc_ctx; + buffer->size = 0; +} + +void +nettle_buffer_init_size(struct nettle_buffer *buffer, + size_t length, uint8_t *space) +{ + buffer->contents = space; + buffer->alloc = length; + buffer->realloc = NULL; + buffer->realloc_ctx = NULL; + buffer->size = 0; +} + +void +nettle_buffer_clear(struct nettle_buffer *buffer) +{ + if (buffer->realloc) + buffer->realloc(buffer->realloc_ctx, buffer->contents, 0); + + buffer->contents = NULL; + buffer->alloc = 0; + buffer->size = 0; +} + +void +nettle_buffer_reset(struct nettle_buffer *buffer) +{ + buffer->size = 0; +} + +uint8_t * +nettle_buffer_space(struct nettle_buffer *buffer, + size_t length) +{ + uint8_t *p; + + if (!nettle_buffer_grow(buffer, length)) + return NULL; + + p = buffer->contents + buffer->size; + buffer->size += length; + return p; +} + +int +nettle_buffer_write(struct nettle_buffer *buffer, + size_t length, const uint8_t *data) +{ + uint8_t *p = nettle_buffer_space(buffer, length); + if (p) + { + memcpy(p, data, length); + return 1; + } + else + return 0; +} + +int +nettle_buffer_copy(struct nettle_buffer *dst, + const struct nettle_buffer *src) +{ + return nettle_buffer_write(dst, src->size, src->contents); +} 
diff --git a/external/nettle-3.3/nettle/buffer.h b/external/nettle-3.3/nettle/buffer.h new file mode 100644 index 0000000..0e59d05 --- /dev/null +++ b/external/nettle-3.3/nettle/buffer.h 
@@ -0,0 +1,106 @@ +/* buffer.h + + A bare-bones string stream. + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_BUFFER_H_INCLUDED +#define NETTLE_BUFFER_H_INCLUDED + +#include "realloc.h" + +#ifdef __cplusplus +extern "C" { +#endif + +struct nettle_buffer +{ + uint8_t *contents; + /* Allocated size */ + size_t alloc; + + void *realloc_ctx; + nettle_realloc_func *realloc; + + /* Current size */ + size_t size; +}; + +/* Initializes a buffer that uses plain realloc */ +void +nettle_buffer_init(struct nettle_buffer *buffer); + +void +nettle_buffer_init_realloc(struct nettle_buffer *buffer, + void *realloc_ctx, + nettle_realloc_func *realloc); + +/* Initializes a buffer of fix size */ +void +nettle_buffer_init_size(struct nettle_buffer *buffer, + size_t length, uint8_t *space); + +void +nettle_buffer_clear(struct nettle_buffer *buffer); + +/* Resets the buffer, without freeing the buffer space. 
*/ +void +nettle_buffer_reset(struct nettle_buffer *buffer); + +int +nettle_buffer_grow(struct nettle_buffer *buffer, + size_t length); + +#define NETTLE_BUFFER_PUTC(buffer, c) \ +( (((buffer)->size < (buffer)->alloc) || nettle_buffer_grow((buffer), 1)) \ + && ((buffer)->contents[(buffer)->size++] = (c), 1) ) + +int +nettle_buffer_write(struct nettle_buffer *buffer, + size_t length, const uint8_t *data); + +/* Like nettle_buffer_write, but instead of copying data to the + * buffer, it returns a pointer to the area where the caller can copy + * the data. The pointer is valid only until the next call that can + * reallocate the buffer. */ +uint8_t * +nettle_buffer_space(struct nettle_buffer *buffer, + size_t length); + +/* Copy the contents of SRC to the end of DST. */ +int +nettle_buffer_copy(struct nettle_buffer *dst, + const struct nettle_buffer *src); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_BUFFER_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/gmp-glue.c b/external/nettle-3.3/nettle/gmp-glue.c new file mode 100644 index 0000000..4b813b8 --- /dev/null +++ b/external/nettle-3.3/nettle/gmp-glue.c 
@@ -0,0 +1,326 @@ +/* gmp-glue.c + + Copyright (C) 2013 Niels Möller + Copyright (C) 2013 Red Hat + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "gmp-glue.h" + +#if !GMP_HAVE_mpz_limbs_read + +/* This implementation tries to make a minimal use of GMP internals. + We access and _mp_size and _mp_d, but not _mp_alloc. */ + +/* Use macros compatible with gmp-impl.h. */ +#define ABS(x) ((x) >= 0 ? (x) : -(x)) +#define PTR(x) ((x)->_mp_d) +#define SIZ(x) ((x)->_mp_size) +#define ABSIZ(x) ABS (SIZ (x)) + +#define MPN_NORMALIZE(xp, xn) do { \ + while ( (xn) > 0 && (xp)[xn-1] == 0) \ + (xn)--; \ + } while (0) + +/* NOTE: Makes an unnecessary realloc if allocation is already large + enough, but looking at _mp_alloc may break in future GMP + versions. */ +#define MPZ_REALLOC(x, n) \ + (ABSIZ(x) >= (n) ? PTR(x) : (_mpz_realloc ((x),(n)), PTR (x))) + +#define MPZ_NEWALLOC MPZ_REALLOC + +/* Read access to mpz numbers. */ + +/* Return limb pointer, for read-only operations. Use mpz_size to get + the number of limbs. 
*/ +const mp_limb_t * +mpz_limbs_read (mpz_srcptr x) +{ + return PTR (x); +} + +/* Write access to mpz numbers. */ + +/* Get a limb pointer for writing, previous contents may be + destroyed. */ +mp_limb_t * +mpz_limbs_write (mpz_ptr x, mp_size_t n) +{ + assert (n > 0); + return MPZ_NEWALLOC (x, n); +} + +/* Get a limb pointer for writing, previous contents is intact. */ +mp_limb_t * +mpz_limbs_modify (mpz_ptr x, mp_size_t n) +{ + assert (n > 0); + return MPZ_REALLOC (x, n); +} + +void +mpz_limbs_finish (mpz_ptr x, mp_size_t n) +{ + assert (n >= 0); + MPN_NORMALIZE (PTR(x), n); + + SIZ (x) = n; +} + +/* Needs some ugly casts. */ +mpz_srcptr +mpz_roinit_n (mpz_ptr x, const mp_limb_t *xp, mp_size_t xs) +{ + mp_size_t xn = ABS (xs); + + MPN_NORMALIZE (xp, xn); + + x->_mp_size = xs < 0 ? -xn : xn; + x->_mp_alloc = 0; + x->_mp_d = (mp_limb_t *) xp; + return x; +} +#endif /* !GMP_HAVE_mpz_limbs_read */ + +void +cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n) +{ + mp_limb_t mask = - (mp_limb_t) (cnd != 0); + mp_size_t i; + for (i = 0; i < n; i++) + { + mp_limb_t a, b, t; + a = ap[i]; + b = bp[i]; + t = (a ^ b) & mask; + ap[i] = a ^ t; + bp[i] = b ^ t; + } +} + +/* Additional convenience functions. */ + +int +mpz_limbs_cmp (mpz_srcptr a, const mp_limb_t *bp, mp_size_t bn) +{ + mp_size_t an = mpz_size (a); + assert (mpz_sgn (a) >= 0); + assert (bn >= 0); + + if (an < bn) + return -1; + if (an > bn) + return 1; + if (an == 0) + return 0; + + return mpn_cmp (mpz_limbs_read(a), bp, an); +} + +/* Get a pointer to an n limb area, for read-only operation. n must be + greater or equal to the current size, and the mpz is zero-padded if + needed. 
*/ +const mp_limb_t * +mpz_limbs_read_n (mpz_ptr x, mp_size_t n) +{ + mp_size_t xn = mpz_size (x); + mp_ptr xp; + + assert (xn <= n); + + xp = mpz_limbs_modify (x, n); + + if (xn < n) + mpn_zero (xp + xn, n - xn); + + return xp; +} + +void +mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n) +{ + mp_size_t xn = mpz_size (x); + + assert (xn <= n); + mpn_copyi (xp, mpz_limbs_read (x), xn); + if (xn < n) + mpn_zero (xp + xn, n - xn); +} + +void +mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn) +{ + mpn_copyi (mpz_limbs_write (r, xn), xp, xn); + mpz_limbs_finish (r, xn); +} + +void +mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, + const uint8_t *xp, size_t xn) +{ + size_t xi; + mp_limb_t out; + unsigned bits; + for (xi = xn, out = bits = 0; xi > 0 && rn > 0; ) + { + mp_limb_t in = xp[--xi]; + out |= (in << bits) & GMP_NUMB_MASK; + bits += 8; + if (bits >= GMP_NUMB_BITS) + { + *rp++ = out; + rn--; + + bits -= GMP_NUMB_BITS; + out = in >> (8 - bits); + } + } + if (rn > 0) + { + *rp++ = out; + if (--rn > 0) + mpn_zero (rp, rn); + } +} + +void +mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, + const uint8_t *xp, size_t xn) +{ + size_t xi; + mp_limb_t out; + unsigned bits; + for (xi = 0, out = bits = 0; xi < xn && rn > 0; ) + { + mp_limb_t in = xp[xi++]; + out |= (in << bits) & GMP_NUMB_MASK; + bits += 8; + if (bits >= GMP_NUMB_BITS) + { + *rp++ = out; + rn--; + + bits -= GMP_NUMB_BITS; + out = in >> (8 - bits); + } + } + if (rn > 0) + { + *rp++ = out; + if (--rn > 0) + mpn_zero (rp, rn); + } +} + +void +mpn_get_base256_le (uint8_t *rp, size_t rn, + const mp_limb_t *xp, mp_size_t xn) +{ + unsigned bits; + mp_limb_t in; + for (bits = in = 0; xn > 0 && rn > 0; ) + { + if (bits >= 8) + { + *rp++ = in; + rn--; + in >>= 8; + bits -= 8; + } + else + { + uint8_t old = in; + in = *xp++; + xn--; + *rp++ = old | (in << bits); + rn--; + in >>= (8 - bits); + bits += GMP_NUMB_BITS - 8; + } + } + while (rn > 0) + { + *rp++ = in; + rn--; + in >>= 8; + } +} + +mp_limb_t * 
+gmp_alloc_limbs (mp_size_t n) +{ + + void *(*alloc_func)(size_t); + + assert (n > 0); + + mp_get_memory_functions (&alloc_func, NULL, NULL); + return (mp_limb_t *) alloc_func ( (size_t) n * sizeof(mp_limb_t)); +} + +void +gmp_free_limbs (mp_limb_t *p, mp_size_t n) +{ + void (*free_func)(void *, size_t); + assert (n > 0); + assert (p != 0); + mp_get_memory_functions (NULL, NULL, &free_func); + + free_func (p, (size_t) n * sizeof(mp_limb_t)); +} + +void * +gmp_alloc(size_t n) +{ + void *(*alloc_func)(size_t); + assert (n > 0); + + mp_get_memory_functions(&alloc_func, NULL, NULL); + + return alloc_func (n); +} + +void +gmp_free(void *p, size_t n) +{ + void (*free_func)(void *, size_t); + assert (n > 0); + assert (p != 0); + mp_get_memory_functions (NULL, NULL, &free_func); + + free_func (p, (size_t) n); +} diff --git a/external/nettle-3.3/nettle/gmp-glue.h b/external/nettle-3.3/nettle/gmp-glue.h new file mode 100644 index 0000000..e7a6177 --- /dev/null +++ b/external/nettle-3.3/nettle/gmp-glue.h 
@@ -0,0 +1,164 @@ +/* gmp-glue.h + + Copyright (C) 2013 Niels Möller + Copyright (C) 2013 Red Hat + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_GMP_GLUE_H_INCLUDED +#define NETTLE_GMP_GLUE_H_INCLUDED + +#include "bignum.h" + +#ifdef mpz_limbs_read +#define GMP_HAVE_mpz_limbs_read 1 +#else +#define GMP_HAVE_mpz_limbs_read 0 +#endif + +/* Name mangling. 
*/ +#if !GMP_HAVE_mpz_limbs_read +#define mpz_limbs_read _nettle_mpz_limbs_read +#define mpz_limbs_write _nettle_mpz_limbs_write +#define mpz_limbs_modify _nettle_mpz_limbs_modify +#define mpz_limbs_finish _nettle_mpz_limbs_finish +#define mpz_roinit_n _nettle_mpz_roinit_n +#endif + +#define cnd_swap _nettle_cnd_swap +#define mpz_limbs_cmp _nettle_mpz_limbs_cmp +#define mpz_limbs_read_n _nettle_mpz_limbs_read_n +#define mpz_limbs_copy _nettle_mpz_limbs_copy +#define mpz_set_n _nettle_mpz_set_n +#define mpn_set_base256 _nettle_mpn_set_base256 +#define mpn_set_base256_le _nettle_mpn_set_base256_le +#define mpn_get_base256_le _nettle_mpn_get_base256_le +#define gmp_alloc_limbs _nettle_gmp_alloc_limbs +#define gmp_free_limbs _nettle_gmp_free_limbs +#define gmp_free _nettle_gmp_free +#define gmp_alloc _nettle_gmp_alloc + +#define TMP_GMP_DECL(name, type) type *name; \ + size_t tmp_##name##_size +#define TMP_GMP_ALLOC(name, size) do { \ + tmp_##name##_size = (size); \ + (name) = gmp_alloc(sizeof (*name) * (size)); \ + } while (0) +#define TMP_GMP_FREE(name) (gmp_free(name, tmp_##name##_size)) + + +/* Use only in-place operations, so we can fall back to addmul_1/submul_1 */ +#ifdef mpn_cnd_add_n +# define cnd_add_n(cnd, rp, ap, n) mpn_cnd_add_n ((cnd), (rp), (rp), (ap), (n)) +# define cnd_sub_n(cnd, rp, ap, n) mpn_cnd_sub_n ((cnd), (rp), (rp), (ap), (n)) +#else +# define cnd_add_n(cnd, rp, ap, n) mpn_addmul_1 ((rp), (ap), (n), (cnd) != 0) +# define cnd_sub_n(cnd, rp, ap, n) mpn_submul_1 ((rp), (ap), (n), (cnd) != 0) +#endif + +/* Some functions for interfacing between mpz and mpn code. Signs of + the mpz numbers are generally ignored. */ + +#if !GMP_HAVE_mpz_limbs_read +/* Read access to mpz numbers. */ + +/* Return limb pointer, for read-only operations. Use mpz_size to get + the number of limbs. */ +const mp_limb_t * +mpz_limbs_read (const mpz_srcptr x); + +/* Write access to mpz numbers. */ + +/* Get a limb pointer for writing, previous contents may be + destroyed. 
*/ +mp_limb_t * +mpz_limbs_write (mpz_ptr x, mp_size_t n); + +/* Get a limb pointer for writing, previous contents is intact. */ +mp_limb_t * +mpz_limbs_modify (mpz_ptr x, mp_size_t n); + +/* Update size. */ +void +mpz_limbs_finish (mpz_ptr x, mp_size_t n); + +/* Using an mpn number as an mpz. Can be used for read-only access + only. x must not be cleared or reallocated. */ +mpz_srcptr +mpz_roinit_n (mpz_ptr x, const mp_limb_t *xp, mp_size_t xs); + +#endif /* !GMP_HAVE_mpz_limbs_read */ + +void +cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n); + +/* Convenience functions */ +int +mpz_limbs_cmp (mpz_srcptr a, const mp_limb_t *bp, mp_size_t bn); + +/* Get a pointer to an n limb area, for read-only operation. n must be + greater or equal to the current size, and the mpz is zero-padded if + needed. */ +const mp_limb_t * +mpz_limbs_read_n (mpz_ptr x, mp_size_t n); + +/* Copy limbs, with zero-padding. */ +/* FIXME: Reorder arguments, on the theory that the first argument of + an _mpz_* function should be an mpz_t? Or rename to _mpz_get_limbs, + with argument order consistent with mpz_get_*. */ +void +mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n); + +void +mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn); + +/* Like mpn_set_str, but always writes rn limbs. If input is larger, + higher bits are ignored. */ +void +mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, + const uint8_t *xp, size_t xn); + +void +mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, + const uint8_t *xp, size_t xn); + +void +mpn_get_base256_le (uint8_t *rp, size_t rn, + const mp_limb_t *xp, mp_size_t xn); + + +mp_limb_t * +gmp_alloc_limbs (mp_size_t n); + +void +gmp_free_limbs (mp_limb_t *p, mp_size_t n); + +void *gmp_alloc(size_t n); +void gmp_free(void *p, size_t n); + +#endif /* NETTLE_GMP_GLUE_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/macros.h b/external/nettle-3.3/nettle/macros.h new file mode 100644 index 0000000..af84841 --- /dev/null 
+++ b/external/nettle-3.3/nettle/macros.h 
@@ -0,0 +1,245 @@ +/* macros.h + + Copyright (C) 2001, 2010 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#ifndef NETTLE_MACROS_H_INCLUDED +#define NETTLE_MACROS_H_INCLUDED + +/* Reads a 64-bit integer, in network, big-endian, byte order */ +#define READ_UINT64(p) \ +( (((uint64_t) (p)[0]) << 56) \ + | (((uint64_t) (p)[1]) << 48) \ + | (((uint64_t) (p)[2]) << 40) \ + | (((uint64_t) (p)[3]) << 32) \ + | (((uint64_t) (p)[4]) << 24) \ + | (((uint64_t) (p)[5]) << 16) \ + | (((uint64_t) (p)[6]) << 8) \ + | ((uint64_t) (p)[7])) + +#define WRITE_UINT64(p, i) \ +do { \ + (p)[0] = ((i) >> 56) & 0xff; \ + (p)[1] = ((i) >> 48) & 0xff; \ + (p)[2] = ((i) >> 40) & 0xff; \ + (p)[3] = ((i) >> 32) & 0xff; \ + (p)[4] = ((i) >> 24) & 0xff; \ + (p)[5] = ((i) >> 16) & 0xff; \ + (p)[6] = ((i) >> 8) & 0xff; \ + (p)[7] = (i) & 0xff; \ +} while(0) + +/* Reads a 32-bit integer, in network, big-endian, byte order */ +#define READ_UINT32(p) \ +( (((uint32_t) (p)[0]) << 24) \ + | (((uint32_t) (p)[1]) << 16) \ + | (((uint32_t) (p)[2]) << 8) \ + | ((uint32_t) (p)[3])) + +#define WRITE_UINT32(p, i) \ +do { \ + (p)[0] = ((i) >> 24) & 0xff; \ + (p)[1] = ((i) >> 16) & 0xff; \ + (p)[2] = ((i) >> 8) & 0xff; \ + (p)[3] = (i) & 0xff; \ +} while(0) + +/* Analogous macros, for 24 and 16 bit numbers */ +#define READ_UINT24(p) \ +( (((uint32_t) (p)[0]) << 16) \ + | (((uint32_t) (p)[1]) << 8) \ + | ((uint32_t) (p)[2])) + +#define WRITE_UINT24(p, i) \ +do { \ + (p)[0] = ((i) >> 16) & 0xff; \ + (p)[1] = ((i) >> 8) & 0xff; \ + (p)[2] = (i) & 0xff; \ +} while(0) + +#define READ_UINT16(p) \ +( (((uint32_t) (p)[0]) << 8) \ + | ((uint32_t) (p)[1])) + +#define WRITE_UINT16(p, i) \ +do { \ + (p)[0] = ((i) >> 8) & 0xff; \ + (p)[1] = (i) & 0xff; \ +} while(0) + +/* And the other, little-endian, byteorder */ +#define LE_READ_UINT64(p) \ +( (((uint64_t) (p)[7]) << 56) \ + | (((uint64_t) (p)[6]) << 48) \ + | (((uint64_t) (p)[5]) << 40) \ + | (((uint64_t) (p)[4]) << 32) \ + | (((uint64_t) (p)[3]) << 24) \ + | (((uint64_t) (p)[2]) << 16) \ + | (((uint64_t) (p)[1]) << 8) \ + | ((uint64_t) (p)[0])) + +#define 
LE_WRITE_UINT64(p, i) \ +do { \ + (p)[7] = ((i) >> 56) & 0xff; \ + (p)[6] = ((i) >> 48) & 0xff; \ + (p)[5] = ((i) >> 40) & 0xff; \ + (p)[4] = ((i) >> 32) & 0xff; \ + (p)[3] = ((i) >> 24) & 0xff; \ + (p)[2] = ((i) >> 16) & 0xff; \ + (p)[1] = ((i) >> 8) & 0xff; \ + (p)[0] = (i) & 0xff; \ +} while (0) + +#define LE_READ_UINT32(p) \ +( (((uint32_t) (p)[3]) << 24) \ + | (((uint32_t) (p)[2]) << 16) \ + | (((uint32_t) (p)[1]) << 8) \ + | ((uint32_t) (p)[0])) + +#define LE_WRITE_UINT32(p, i) \ +do { \ + (p)[3] = ((i) >> 24) & 0xff; \ + (p)[2] = ((i) >> 16) & 0xff; \ + (p)[1] = ((i) >> 8) & 0xff; \ + (p)[0] = (i) & 0xff; \ +} while(0) + +/* Analogous macros, for 16 bit numbers */ +#define LE_READ_UINT16(p) \ + ( (((uint32_t) (p)[1]) << 8) \ + | ((uint32_t) (p)[0])) + +#define LE_WRITE_UINT16(p, i) \ + do { \ + (p)[1] = ((i) >> 8) & 0xff; \ + (p)[0] = (i) & 0xff; \ + } while(0) + +/* Macro to make it easier to loop over several blocks. */ +#define FOR_BLOCKS(length, dst, src, blocksize) \ + assert( !((length) % (blocksize))); \ + for (; (length); ((length) -= (blocksize), \ + (dst) += (blocksize), \ + (src) += (blocksize)) ) + +/* The masking of the right shift is needed to allow n == 0 (using + just 32 - n and 64 - n results in undefined behaviour). Most uses + of these macros use a constant and non-zero rotation count. */ +#define ROTL32(n,x) (((x)<<(n)) | ((x)>>((-(n)&31)))) + +#define ROTL64(n,x) (((x)<<(n)) | ((x)>>((-(n))&63))) + +/* Requires that size > 0 */ +#define INCREMENT(size, ctr) \ + do { \ + unsigned increment_i = (size) - 1; \ + if (++(ctr)[increment_i] == 0) \ + while (increment_i > 0 \ + && ++(ctr)[--increment_i] == 0 ) \ + ; \ + } while (0) + + +/* Helper macro for Merkle-Damgård hash functions. Assumes the context + structs includes the following fields: + + uint8_t block[...]; // Buffer holding one block + unsigned int index; // Index into block +*/ + +/* Currently used by sha512 (and sha384) only. 
*/ +#define MD_INCR(ctx) ((ctx)->count_high += !++(ctx)->count_low) + +/* Takes the compression function f as argument. NOTE: also clobbers + length and data. */ +#define MD_UPDATE(ctx, length, data, f, incr) \ + do { \ + if ((ctx)->index) \ + { \ + /* Try to fill partial block */ \ + unsigned __md_left = sizeof((ctx)->block) - (ctx)->index; \ + if ((length) < __md_left) \ + { \ + memcpy((ctx)->block + (ctx)->index, (data), (length)); \ + (ctx)->index += (length); \ + goto __md_done; /* Finished */ \ + } \ + else \ + { \ + memcpy((ctx)->block + (ctx)->index, (data), __md_left); \ + \ + f((ctx), (ctx)->block); \ + (incr); \ + \ + (data) += __md_left; \ + (length) -= __md_left; \ + } \ + } \ + while ((length) >= sizeof((ctx)->block)) \ + { \ + f((ctx), (data)); \ + (incr); \ + \ + (data) += sizeof((ctx)->block); \ + (length) -= sizeof((ctx)->block); \ + } \ + memcpy ((ctx)->block, (data), (length)); \ + (ctx)->index = (length); \ + __md_done: \ + ; \ + } while (0) + +/* Pads the block to a block boundary with the bit pattern 1 0*, + leaving size octets for the length field at the end. If needed, + compresses the block and starts a new one. */ +#define MD_PAD(ctx, size, f) \ + do { \ + unsigned __md_i; \ + __md_i = (ctx)->index; \ + \ + /* Set the first char of padding to 0x80. This is safe since there \ + is always at least one byte free */ \ + \ + assert(__md_i < sizeof((ctx)->block)); \ + (ctx)->block[__md_i++] = 0x80; \ + \ + if (__md_i > (sizeof((ctx)->block) - (size))) \ + { /* No room for length in this block. Process it and \ + pad with another one */ \ + memset((ctx)->block + __md_i, 0, sizeof((ctx)->block) - __md_i); \ + \ + f((ctx), (ctx)->block); \ + __md_i = 0; \ + } \ + memset((ctx)->block + __md_i, 0, \ + sizeof((ctx)->block) - (size) - __md_i); \ + \ + } while (0) + +#endif /* NETTLE_MACROS_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/mini-gmp.c b/external/nettle-3.3/nettle/mini-gmp.c new file mode 100644 index 0000000..e64a3da --- /dev/null 
+++ b/external/nettle-3.3/nettle/mini-gmp.c 
@@ -0,0 +1,4386 @@ +/* mini-gmp, a minimalistic implementation of a GNU GMP subset. + + Contributed to the GNU project by Niels Möller + +Copyright 1991-1997, 1999-2014 Free Software Foundation, Inc. + +This file is part of the GNU MP Library. + +The GNU MP Library is free software; you can redistribute it and/or modify +it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + +or + + * the GNU General Public License as published by the Free Software + Foundation; either version 3 of the License, or (at your option) any + later version. + +or both in parallel, as here. + +The GNU MP Library is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received copies of the GNU General Public License and the +GNU Lesser General Public License along with the GNU MP Library. If not, +see https://www.gnu.org/licenses/. */ + +/* NOTE: All functions in this file which are not declared in + mini-gmp.h are internal, and are not intended to be compatible + neither with GMP nor with future versions of mini-gmp. */ + +/* Much of the material copied from GMP files, including: gmp-impl.h, + longlong.h, mpn/generic/add_n.c, mpn/generic/addmul_1.c, + mpn/generic/lshift.c, mpn/generic/mul_1.c, + mpn/generic/mul_basecase.c, mpn/generic/rshift.c, + mpn/generic/sbpi1_div_qr.c, mpn/generic/sub_n.c, + mpn/generic/submul_1.c. 
*/ + +#include +#include +#include +#include +#include +#include + +#include "mini-gmp.h" + + +/* Macros */ +#define GMP_LIMB_BITS (sizeof(mp_limb_t) * CHAR_BIT) + +#define GMP_LIMB_MAX (~ (mp_limb_t) 0) +#define GMP_LIMB_HIGHBIT ((mp_limb_t) 1 << (GMP_LIMB_BITS - 1)) + +#define GMP_HLIMB_BIT ((mp_limb_t) 1 << (GMP_LIMB_BITS / 2)) +#define GMP_LLIMB_MASK (GMP_HLIMB_BIT - 1) + +#define GMP_ULONG_BITS (sizeof(unsigned long) * CHAR_BIT) +#define GMP_ULONG_HIGHBIT ((unsigned long) 1 << (GMP_ULONG_BITS - 1)) + +#define GMP_ABS(x) ((x) >= 0 ? (x) : -(x)) +#define GMP_NEG_CAST(T,x) (-((T)((x) + 1) - 1)) + +#define GMP_MIN(a, b) ((a) < (b) ? (a) : (b)) +#define GMP_MAX(a, b) ((a) > (b) ? (a) : (b)) + +#define gmp_assert_nocarry(x) do { \ + mp_limb_t __cy = x; \ + assert (__cy == 0); \ + } while (0) + +#define gmp_clz(count, x) do { \ + mp_limb_t __clz_x = (x); \ + unsigned __clz_c; \ + for (__clz_c = 0; \ + (__clz_x & ((mp_limb_t) 0xff << (GMP_LIMB_BITS - 8))) == 0; \ + __clz_c += 8) \ + __clz_x <<= 8; \ + for (; (__clz_x & GMP_LIMB_HIGHBIT) == 0; __clz_c++) \ + __clz_x <<= 1; \ + (count) = __clz_c; \ + } while (0) + +#define gmp_ctz(count, x) do { \ + mp_limb_t __ctz_x = (x); \ + unsigned __ctz_c = 0; \ + gmp_clz (__ctz_c, __ctz_x & - __ctz_x); \ + (count) = GMP_LIMB_BITS - 1 - __ctz_c; \ + } while (0) + +#define gmp_add_ssaaaa(sh, sl, ah, al, bh, bl) \ + do { \ + mp_limb_t __x; \ + __x = (al) + (bl); \ + (sh) = (ah) + (bh) + (__x < (al)); \ + (sl) = __x; \ + } while (0) + +#define gmp_sub_ddmmss(sh, sl, ah, al, bh, bl) \ + do { \ + mp_limb_t __x; \ + __x = (al) - (bl); \ + (sh) = (ah) - (bh) - ((al) < (bl)); \ + (sl) = __x; \ + } while (0) + +#define gmp_umul_ppmm(w1, w0, u, v) \ + do { \ + mp_limb_t __x0, __x1, __x2, __x3; \ + unsigned __ul, __vl, __uh, __vh; \ + mp_limb_t __u = (u), __v = (v); \ + \ + __ul = __u & GMP_LLIMB_MASK; \ + __uh = __u >> (GMP_LIMB_BITS / 2); \ + __vl = __v & GMP_LLIMB_MASK; \ + __vh = __v >> (GMP_LIMB_BITS / 2); \ + \ + __x0 = (mp_limb_t) 
__ul * __vl; \ + __x1 = (mp_limb_t) __ul * __vh; \ + __x2 = (mp_limb_t) __uh * __vl; \ + __x3 = (mp_limb_t) __uh * __vh; \ + \ + __x1 += __x0 >> (GMP_LIMB_BITS / 2);/* this can't give carry */ \ + __x1 += __x2; /* but this indeed can */ \ + if (__x1 < __x2) /* did we get it? */ \ + __x3 += GMP_HLIMB_BIT; /* yes, add it in the proper pos. */ \ + \ + (w1) = __x3 + (__x1 >> (GMP_LIMB_BITS / 2)); \ + (w0) = (__x1 << (GMP_LIMB_BITS / 2)) + (__x0 & GMP_LLIMB_MASK); \ + } while (0) + +#define gmp_udiv_qrnnd_preinv(q, r, nh, nl, d, di) \ + do { \ + mp_limb_t _qh, _ql, _r, _mask; \ + gmp_umul_ppmm (_qh, _ql, (nh), (di)); \ + gmp_add_ssaaaa (_qh, _ql, _qh, _ql, (nh) + 1, (nl)); \ + _r = (nl) - _qh * (d); \ + _mask = -(mp_limb_t) (_r > _ql); /* both > and >= are OK */ \ + _qh += _mask; \ + _r += _mask & (d); \ + if (_r >= (d)) \ + { \ + _r -= (d); \ + _qh++; \ + } \ + \ + (r) = _r; \ + (q) = _qh; \ + } while (0) + +#define gmp_udiv_qr_3by2(q, r1, r0, n2, n1, n0, d1, d0, dinv) \ + do { \ + mp_limb_t _q0, _t1, _t0, _mask; \ + gmp_umul_ppmm ((q), _q0, (n2), (dinv)); \ + gmp_add_ssaaaa ((q), _q0, (q), _q0, (n2), (n1)); \ + \ + /* Compute the two most significant limbs of n - q'd */ \ + (r1) = (n1) - (d1) * (q); \ + gmp_sub_ddmmss ((r1), (r0), (r1), (n0), (d1), (d0)); \ + gmp_umul_ppmm (_t1, _t0, (d0), (q)); \ + gmp_sub_ddmmss ((r1), (r0), (r1), (r0), _t1, _t0); \ + (q)++; \ + \ + /* Conditionally adjust q and the remainders */ \ + _mask = - (mp_limb_t) ((r1) >= _q0); \ + (q) += _mask; \ + gmp_add_ssaaaa ((r1), (r0), (r1), (r0), _mask & (d1), _mask & (d0)); \ + if ((r1) >= (d1)) \ + { \ + if ((r1) > (d1) || (r0) >= (d0)) \ + { \ + (q)++; \ + gmp_sub_ddmmss ((r1), (r0), (r1), (r0), (d1), (d0)); \ + } \ + } \ + } while (0) + +/* Swap macros. 
*/ +#define MP_LIMB_T_SWAP(x, y) \ + do { \ + mp_limb_t __mp_limb_t_swap__tmp = (x); \ + (x) = (y); \ + (y) = __mp_limb_t_swap__tmp; \ + } while (0) +#define MP_SIZE_T_SWAP(x, y) \ + do { \ + mp_size_t __mp_size_t_swap__tmp = (x); \ + (x) = (y); \ + (y) = __mp_size_t_swap__tmp; \ + } while (0) +#define MP_BITCNT_T_SWAP(x,y) \ + do { \ + mp_bitcnt_t __mp_bitcnt_t_swap__tmp = (x); \ + (x) = (y); \ + (y) = __mp_bitcnt_t_swap__tmp; \ + } while (0) +#define MP_PTR_SWAP(x, y) \ + do { \ + mp_ptr __mp_ptr_swap__tmp = (x); \ + (x) = (y); \ + (y) = __mp_ptr_swap__tmp; \ + } while (0) +#define MP_SRCPTR_SWAP(x, y) \ + do { \ + mp_srcptr __mp_srcptr_swap__tmp = (x); \ + (x) = (y); \ + (y) = __mp_srcptr_swap__tmp; \ + } while (0) + +#define MPN_PTR_SWAP(xp,xs, yp,ys) \ + do { \ + MP_PTR_SWAP (xp, yp); \ + MP_SIZE_T_SWAP (xs, ys); \ + } while(0) +#define MPN_SRCPTR_SWAP(xp,xs, yp,ys) \ + do { \ + MP_SRCPTR_SWAP (xp, yp); \ + MP_SIZE_T_SWAP (xs, ys); \ + } while(0) + +#define MPZ_PTR_SWAP(x, y) \ + do { \ + mpz_ptr __mpz_ptr_swap__tmp = (x); \ + (x) = (y); \ + (y) = __mpz_ptr_swap__tmp; \ + } while (0) +#define MPZ_SRCPTR_SWAP(x, y) \ + do { \ + mpz_srcptr __mpz_srcptr_swap__tmp = (x); \ + (x) = (y); \ + (y) = __mpz_srcptr_swap__tmp; \ + } while (0) + +const int mp_bits_per_limb = GMP_LIMB_BITS; + + +/* Memory allocation and other helper functions. 
*/ +static void +gmp_die (const char *msg) +{ + fprintf (stderr, "%s\n", msg); + abort(); +} + +static void * +gmp_default_alloc (size_t size) +{ + void *p; + + assert (size > 0); + + p = malloc (size); + if (!p) + gmp_die("gmp_default_alloc: Virtual memory exhausted."); + + return p; +} + +static void * +gmp_default_realloc (void *old, size_t old_size, size_t new_size) +{ + mp_ptr p; + + p = realloc (old, new_size); + + if (!p) + gmp_die("gmp_default_realoc: Virtual memory exhausted."); + + return p; +} + +static void +gmp_default_free (void *p, size_t size) +{ + free (p); +} + +static void * (*gmp_allocate_func) (size_t) = gmp_default_alloc; +static void * (*gmp_reallocate_func) (void *, size_t, size_t) = gmp_default_realloc; +static void (*gmp_free_func) (void *, size_t) = gmp_default_free; + +void +mp_get_memory_functions (void *(**alloc_func) (size_t), + void *(**realloc_func) (void *, size_t, size_t), + void (**free_func) (void *, size_t)) +{ + if (alloc_func) + *alloc_func = gmp_allocate_func; + + if (realloc_func) + *realloc_func = gmp_reallocate_func; + + if (free_func) + *free_func = gmp_free_func; +} + +void +mp_set_memory_functions (void *(*alloc_func) (size_t), + void *(*realloc_func) (void *, size_t, size_t), + void (*free_func) (void *, size_t)) +{ + if (!alloc_func) + alloc_func = gmp_default_alloc; + if (!realloc_func) + realloc_func = gmp_default_realloc; + if (!free_func) + free_func = gmp_default_free; + + gmp_allocate_func = alloc_func; + gmp_reallocate_func = realloc_func; + gmp_free_func = free_func; +} + +#define gmp_xalloc(size) ((*gmp_allocate_func)((size))) +#define gmp_free(p) ((*gmp_free_func) ((p), 0)) + +static mp_ptr +gmp_xalloc_limbs (mp_size_t size) +{ + return gmp_xalloc (size * sizeof (mp_limb_t)); +} + +static mp_ptr +gmp_xrealloc_limbs (mp_ptr old, mp_size_t size) +{ + assert (size > 0); + return (*gmp_reallocate_func) (old, 0, size * sizeof (mp_limb_t)); +} + + +/* MPN interface */ + +void +mpn_copyi (mp_ptr d, mp_srcptr s, 
mp_size_t n)
+{
+ mp_size_t i;
+ for (i = 0; i < n; i++)
+ d[i] = s[i];
+}
+
+void
+mpn_copyd (mp_ptr d, mp_srcptr s, mp_size_t n)
+{
+ while (n-- > 0)
+ d[n] = s[n];
+}
+
+int
+mpn_cmp (mp_srcptr ap, mp_srcptr bp, mp_size_t n)
+{
+ while (--n >= 0)
+ {
+ if (ap[n] != bp[n])
+ return ap[n] > bp[n] ? 1 : -1;
+ }
+ return 0;
+}
+
+static int
+mpn_cmp4 (mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn)
+{
+ if (an != bn)
+ return an < bn ? -1 : 1;
+ else
+ return mpn_cmp (ap, bp, an);
+}
+
+static mp_size_t
+mpn_normalized_size (mp_srcptr xp, mp_size_t n)
+{
+ for (; n > 0 && xp[n-1] == 0; n--)
+ ;
+ return n;
+}
+
+#define mpn_zero_p(xp, n) (mpn_normalized_size ((xp), (n)) == 0)
+
+void
+mpn_zero (mp_ptr rp, mp_size_t n)
+{
+ mp_size_t i;
+
+ for (i = 0; i < n; i++)
+ rp[i] = 0;
+}
+
+mp_limb_t
+mpn_add_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b)
+{
+ mp_size_t i;
+
+ assert (n > 0);
+ i = 0;
+ do
+ {
+ mp_limb_t r = ap[i] + b;
+ /* Carry out */
+ b = (r < b);
+ rp[i] = r;
+ }
+ while (++i < n);
+
+ return b;
+}
+
+mp_limb_t
+mpn_add_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n)
+{
+ mp_size_t i;
+ mp_limb_t cy;
+
+ for (i = 0, cy = 0; i < n; i++)
+ {
+ mp_limb_t a, b, r;
+ a = ap[i]; b = bp[i];
+ r = a + cy;
+ cy = (r < cy);
+ r += b;
+ cy += (r < b);
+ rp[i] = r;
+ }
+ return cy;
+}
+
+mp_limb_t
+mpn_add (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn)
+{
+ mp_limb_t cy;
+
+ assert (an >= bn);
+
+ cy = mpn_add_n (rp, ap, bp, bn);
+ if (an > bn)
+ cy = mpn_add_1 (rp + bn, ap + bn, an - bn, cy);
+ return cy;
+}
+
+mp_limb_t
+mpn_sub_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b)
+{
+ mp_size_t i;
+
+ assert (n > 0);
+
+ i = 0;
+ do
+ {
+ mp_limb_t a = ap[i];
+ /* Carry out */
+ mp_limb_t cy = a < b;;
+ rp[i] = a - b;
+ b = cy;
+ }
+ while (++i < n);
+
+ return b;
+}
+
+mp_limb_t
+mpn_sub_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n)
+{
+ mp_size_t i;
+ mp_limb_t cy;
+
+ for (i = 0, cy = 0; i < n; i++)
+ {
+
mp_limb_t a, b;
+ a = ap[i]; b = bp[i];
+ b += cy;
+ cy = (b < cy);
+ cy += (a < b);
+ rp[i] = a - b;
+ }
+ return cy;
+}
+
+mp_limb_t
+mpn_sub (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn)
+{
+ mp_limb_t cy;
+
+ assert (an >= bn);
+
+ cy = mpn_sub_n (rp, ap, bp, bn);
+ if (an > bn)
+ cy = mpn_sub_1 (rp + bn, ap + bn, an - bn, cy);
+ return cy;
+}
+
+mp_limb_t
+mpn_mul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl)
+{
+ mp_limb_t ul, cl, hpl, lpl;
+
+ assert (n >= 1);
+
+ cl = 0;
+ do
+ {
+ ul = *up++;
+ gmp_umul_ppmm (hpl, lpl, ul, vl);
+
+ lpl += cl;
+ cl = (lpl < cl) + hpl;
+
+ *rp++ = lpl;
+ }
+ while (--n != 0);
+
+ return cl;
+}
+
+mp_limb_t
+mpn_addmul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl)
+{
+ mp_limb_t ul, cl, hpl, lpl, rl;
+
+ assert (n >= 1);
+
+ cl = 0;
+ do
+ {
+ ul = *up++;
+ gmp_umul_ppmm (hpl, lpl, ul, vl);
+
+ lpl += cl;
+ cl = (lpl < cl) + hpl;
+
+ rl = *rp;
+ lpl = rl + lpl;
+ cl += lpl < rl;
+ *rp++ = lpl;
+ }
+ while (--n != 0);
+
+ return cl;
+}
+
+mp_limb_t
+mpn_submul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl)
+{
+ mp_limb_t ul, cl, hpl, lpl, rl;
+
+ assert (n >= 1);
+
+ cl = 0;
+ do
+ {
+ ul = *up++;
+ gmp_umul_ppmm (hpl, lpl, ul, vl);
+
+ lpl += cl;
+ cl = (lpl < cl) + hpl;
+
+ rl = *rp;
+ lpl = rl - lpl;
+ cl += lpl > rl;
+ *rp++ = lpl;
+ }
+ while (--n != 0);
+
+ return cl;
+}
+
+mp_limb_t
+mpn_mul (mp_ptr rp, mp_srcptr up, mp_size_t un, mp_srcptr vp, mp_size_t vn)
+{
+ assert (un >= vn);
+ assert (vn >= 1);
+
+ /* We first multiply by the low order limb. This result can be
+ stored, not added, to rp. We also avoid a loop for zeroing this
+ way. */
+
+ rp[un] = mpn_mul_1 (rp, up, un, vp[0]);
+ rp += 1, vp += 1, vn -= 1;
+
+ /* Now accumulate the product of up[] and the next higher limb from
+ vp[].
 */
+
+ while (vn >= 1)
+ {
+ rp[un] = mpn_addmul_1 (rp, up, un, vp[0]);
+ rp += 1, vp += 1, vn -= 1;
+ }
+ return rp[un - 1];
+}
+
+void
+mpn_mul_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n)
+{
+ mpn_mul (rp, ap, n, bp, n);
+}
+
+void
+mpn_sqr (mp_ptr rp, mp_srcptr ap, mp_size_t n)
+{
+ mpn_mul (rp, ap, n, ap, n);
+}
+
+mp_limb_t
+mpn_lshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt)
+{
+ mp_limb_t high_limb, low_limb;
+ unsigned int tnc;
+ mp_size_t i;
+ mp_limb_t retval;
+
+ assert (n >= 1);
+ assert (cnt >= 1);
+ assert (cnt < GMP_LIMB_BITS);
+
+ up += n;
+ rp += n;
+
+ tnc = GMP_LIMB_BITS - cnt;
+ low_limb = *--up;
+ retval = low_limb >> tnc;
+ high_limb = (low_limb << cnt);
+
+ for (i = n; --i != 0;)
+ {
+ low_limb = *--up;
+ *--rp = high_limb | (low_limb >> tnc);
+ high_limb = (low_limb << cnt);
+ }
+ *--rp = high_limb;
+
+ return retval;
+}
+
+mp_limb_t
+mpn_rshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt)
+{
+ mp_limb_t high_limb, low_limb;
+ unsigned int tnc;
+ mp_size_t i;
+ mp_limb_t retval;
+
+ assert (n >= 1);
+ assert (cnt >= 1);
+ assert (cnt < GMP_LIMB_BITS);
+
+ tnc = GMP_LIMB_BITS - cnt;
+ high_limb = *up++;
+ retval = (high_limb << tnc);
+ low_limb = high_limb >> cnt;
+
+ for (i = n; --i != 0;)
+ {
+ high_limb = *up++;
+ *rp++ = low_limb | (high_limb << tnc);
+ low_limb = high_limb >> cnt;
+ }
+ *rp = low_limb;
+
+ return retval;
+}
+
+static mp_bitcnt_t
+mpn_common_scan (mp_limb_t limb, mp_size_t i, mp_srcptr up, mp_size_t un,
+ mp_limb_t ux)
+{
+ unsigned cnt;
+
+ assert (ux == 0 || ux == GMP_LIMB_MAX);
+ assert (0 <= i && i <= un );
+
+ while (limb == 0)
+ {
+ i++;
+ if (i == un)
+ return (ux == 0 ?
~(mp_bitcnt_t) 0 : un * GMP_LIMB_BITS);
+ limb = ux ^ up[i];
+ }
+ gmp_ctz (cnt, limb);
+ return (mp_bitcnt_t) i * GMP_LIMB_BITS + cnt;
+}
+
+mp_bitcnt_t
+mpn_scan1 (mp_srcptr ptr, mp_bitcnt_t bit)
+{
+ mp_size_t i;
+ i = bit / GMP_LIMB_BITS;
+
+ return mpn_common_scan ( ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), + i, ptr, i, 0);
+}
+
+mp_bitcnt_t
+mpn_scan0 (mp_srcptr ptr, mp_bitcnt_t bit)
+{
+ mp_size_t i;
+ i = bit / GMP_LIMB_BITS;
+
+ return mpn_common_scan (~ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), + i, ptr, i, GMP_LIMB_MAX);
+}
+
+
+/* MPN division interface. */
+mp_limb_t
+mpn_invert_3by2 (mp_limb_t u1, mp_limb_t u0)
+{
+ mp_limb_t r, p, m;
+ unsigned ul, uh;
+ unsigned ql, qh;
+
+ /* First, do a 2/1 inverse. */
+ /* The inverse m is defined as floor( (B^2 - 1 - u1)/u1 ), so that 0 <
+ * B^2 - (B + m) u1 <= u1 */
+ assert (u1 >= GMP_LIMB_HIGHBIT);
+
+ ul = u1 & GMP_LLIMB_MASK;
+ uh = u1 >> (GMP_LIMB_BITS / 2);
+
+ qh = ~u1 / uh;
+ r = ((~u1 - (mp_limb_t) qh * uh) << (GMP_LIMB_BITS / 2)) | GMP_LLIMB_MASK;
+
+ p = (mp_limb_t) qh * ul;
+ /* Adjustment steps taken from udiv_qrnnd_c */
+ if (r < p)
+ {
+ qh--;
+ r += u1;
+ if (r >= u1) /* i.e. we didn't get carry when adding to r */
+ if (r < p)
+ {
+ qh--;
+ r += u1;
+ }
+ }
+ r -= p;
+
+ /* Do a 3/2 division (with half limb size) */
+ p = (r >> (GMP_LIMB_BITS / 2)) * qh + r;
+ ql = (p >> (GMP_LIMB_BITS / 2)) + 1;
+
+ /* By the 3/2 method, we don't need the high half limb.
 */
+ r = (r << (GMP_LIMB_BITS / 2)) + GMP_LLIMB_MASK - ql * u1;
+
+ if (r >= (p << (GMP_LIMB_BITS / 2)))
+ {
+ ql--;
+ r += u1;
+ }
+ m = ((mp_limb_t) qh << (GMP_LIMB_BITS / 2)) + ql;
+ if (r >= u1)
+ {
+ m++;
+ r -= u1;
+ }
+
+ if (u0 > 0)
+ {
+ mp_limb_t th, tl;
+ r = ~r;
+ r += u0;
+ if (r < u0)
+ {
+ m--;
+ if (r >= u1)
+ {
+ m--;
+ r -= u1;
+ }
+ r -= u1;
+ }
+ gmp_umul_ppmm (th, tl, u0, m);
+ r += th;
+ if (r < th)
+ {
+ m--;
+ m -= ((r > u1) | ((r == u1) & (tl > u0)));
+ }
+ }
+
+ return m;
+}
+
+struct gmp_div_inverse
+{
+ /* Normalization shift count. */
+ unsigned shift;
+ /* Normalized divisor (d0 unused for mpn_div_qr_1) */
+ mp_limb_t d1, d0;
+ /* Inverse, for 2/1 or 3/2. */
+ mp_limb_t di;
+};
+
+static void
+mpn_div_qr_1_invert (struct gmp_div_inverse *inv, mp_limb_t d)
+{
+ unsigned shift;
+
+ assert (d > 0);
+ gmp_clz (shift, d);
+ inv->shift = shift;
+ inv->d1 = d << shift;
+ inv->di = mpn_invert_limb (inv->d1);
+}
+
+static void
+mpn_div_qr_2_invert (struct gmp_div_inverse *inv,
+ mp_limb_t d1, mp_limb_t d0)
+{
+ unsigned shift;
+
+ assert (d1 > 0);
+ gmp_clz (shift, d1);
+ inv->shift = shift;
+ if (shift > 0)
+ {
+ d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift));
+ d0 <<= shift;
+ }
+ inv->d1 = d1;
+ inv->d0 = d0;
+ inv->di = mpn_invert_3by2 (d1, d0);
+}
+
+static void
+mpn_div_qr_invert (struct gmp_div_inverse *inv,
+ mp_srcptr dp, mp_size_t dn)
+{
+ assert (dn > 0);
+
+ if (dn == 1)
+ mpn_div_qr_1_invert (inv, dp[0]);
+ else if (dn == 2)
+ mpn_div_qr_2_invert (inv, dp[1], dp[0]);
+ else
+ {
+ unsigned shift;
+ mp_limb_t d1, d0;
+
+ d1 = dp[dn-1];
+ d0 = dp[dn-2];
+ assert (d1 > 0);
+ gmp_clz (shift, d1);
+ inv->shift = shift;
+ if (shift > 0)
+ {
+ d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift));
+ d0 = (d0 << shift) | (dp[dn-3] >> (GMP_LIMB_BITS - shift));
+ }
+ inv->d1 = d1;
+ inv->d0 = d0;
+ inv->di = mpn_invert_3by2 (d1, d0);
+ }
+}
+
+/* Not matching current public gmp interface, rather corresponding to
+ the sbpi1_div_*
 functions. */
+static mp_limb_t
+mpn_div_qr_1_preinv (mp_ptr qp, mp_srcptr np, mp_size_t nn,
+ const struct gmp_div_inverse *inv)
+{
+ mp_limb_t d, di;
+ mp_limb_t r;
+ mp_ptr tp = NULL;
+
+ if (inv->shift > 0)
+ {
+ tp = gmp_xalloc_limbs (nn);
+ r = mpn_lshift (tp, np, nn, inv->shift);
+ np = tp;
+ }
+ else
+ r = 0;
+
+ d = inv->d1;
+ di = inv->di;
+ while (nn-- > 0)
+ {
+ mp_limb_t q;
+
+ gmp_udiv_qrnnd_preinv (q, r, r, np[nn], d, di);
+ if (qp)
+ qp[nn] = q;
+ }
+ if (inv->shift > 0)
+ gmp_free (tp);
+
+ return r >> inv->shift;
+}
+
+static mp_limb_t
+mpn_div_qr_1 (mp_ptr qp, mp_srcptr np, mp_size_t nn, mp_limb_t d)
+{
+ assert (d > 0);
+
+ /* Special case for powers of two. */
+ if ((d & (d-1)) == 0)
+ {
+ mp_limb_t r = np[0] & (d-1);
+ if (qp)
+ {
+ if (d <= 1)
+ mpn_copyi (qp, np, nn);
+ else
+ {
+ unsigned shift;
+ gmp_ctz (shift, d);
+ mpn_rshift (qp, np, nn, shift);
+ }
+ }
+ return r;
+ }
+ else
+ {
+ struct gmp_div_inverse inv;
+ mpn_div_qr_1_invert (&inv, d);
+ return mpn_div_qr_1_preinv (qp, np, nn, &inv);
+ }
+}
+
+static void
+mpn_div_qr_2_preinv (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn,
+ const struct gmp_div_inverse *inv)
+{
+ unsigned shift;
+ mp_size_t i;
+ mp_limb_t d1, d0, di, r1, r0;
+ mp_ptr tp;
+
+ assert (nn >= 2);
+ shift = inv->shift;
+ d1 = inv->d1;
+ d0 = inv->d0;
+ di = inv->di;
+
+ if (shift > 0)
+ {
+ tp = gmp_xalloc_limbs (nn);
+ r1 = mpn_lshift (tp, np, nn, shift);
+ np = tp;
+ }
+ else
+ r1 = 0;
+
+ r0 = np[nn - 1];
+
+ i = nn - 2;
+ do
+ {
+ mp_limb_t n0, q;
+ n0 = np[i];
+ gmp_udiv_qr_3by2 (q, r1, r0, r1, r0, n0, d1, d0, di);
+
+ if (qp)
+ qp[i] = q;
+ }
+ while (--i >= 0);
+
+ if (shift > 0)
+ {
+ assert ((r0 << (GMP_LIMB_BITS - shift)) == 0);
+ r0 = (r0 >> shift) | (r1 << (GMP_LIMB_BITS - shift));
+ r1 >>= shift;
+
+ gmp_free (tp);
+ }
+
+ rp[1] = r1;
+ rp[0] = r0;
+}
+
+#if 0
+static void
+mpn_div_qr_2 (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn,
+ mp_limb_t d1, mp_limb_t d0)
+{
+ struct gmp_div_inverse inv;
+
assert (nn >= 2);
+
+ mpn_div_qr_2_invert (&inv, d1, d0);
+ mpn_div_qr_2_preinv (qp, rp, np, nn, &inv);
+}
+#endif
+
+static void
+mpn_div_qr_pi1 (mp_ptr qp,
+ mp_ptr np, mp_size_t nn, mp_limb_t n1,
+ mp_srcptr dp, mp_size_t dn,
+ mp_limb_t dinv)
+{
+ mp_size_t i;
+
+ mp_limb_t d1, d0;
+ mp_limb_t cy, cy1;
+ mp_limb_t q;
+
+ assert (dn > 2);
+ assert (nn >= dn);
+
+ d1 = dp[dn - 1];
+ d0 = dp[dn - 2];
+
+ assert ((d1 & GMP_LIMB_HIGHBIT) != 0);
+ /* Iteration variable is the index of the q limb.
+ *
+ * We divide
+ * by
+ */
+
+ i = nn - dn;
+ do
+ {
+ mp_limb_t n0 = np[dn-1+i];
+
+ if (n1 == d1 && n0 == d0)
+ {
+ q = GMP_LIMB_MAX;
+ mpn_submul_1 (np+i, dp, dn, q);
+ n1 = np[dn-1+i]; /* update n1, last loop's value will now be invalid */
+ }
+ else
+ {
+ gmp_udiv_qr_3by2 (q, n1, n0, n1, n0, np[dn-2+i], d1, d0, dinv);
+
+ cy = mpn_submul_1 (np + i, dp, dn-2, q);
+
+ cy1 = n0 < cy;
+ n0 = n0 - cy;
+ cy = n1 < cy1;
+ n1 = n1 - cy1;
+ np[dn-2+i] = n0;
+
+ if (cy != 0)
+ {
+ n1 += d1 + mpn_add_n (np + i, np + i, dp, dn - 1);
+ q--;
+ }
+ }
+
+ if (qp)
+ qp[i] = q;
+ }
+ while (--i >= 0);
+
+ np[dn - 1] = n1;
+}
+
+static void
+mpn_div_qr_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn,
+ mp_srcptr dp, mp_size_t dn,
+ const struct gmp_div_inverse *inv)
+{
+ assert (dn > 0);
+ assert (nn >= dn);
+
+ if (dn == 1)
+ np[0] = mpn_div_qr_1_preinv (qp, np, nn, inv);
+ else if (dn == 2)
+ mpn_div_qr_2_preinv (qp, np, np, nn, inv);
+ else
+ {
+ mp_limb_t nh;
+ unsigned shift;
+
+ assert (inv->d1 == dp[dn-1]);
+ assert (inv->d0 == dp[dn-2]);
+ assert ((inv->d1 & GMP_LIMB_HIGHBIT) != 0);
+
+ shift = inv->shift;
+ if (shift > 0)
+ nh = mpn_lshift (np, np, nn, shift);
+ else
+ nh = 0;
+
+ mpn_div_qr_pi1 (qp, np, nn, nh, dp, dn, inv->di);
+
+ if (shift > 0)
+ gmp_assert_nocarry (mpn_rshift (np, np, dn, shift));
+ }
+}
+
+static void
+mpn_div_qr (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_srcptr dp, mp_size_t dn)
+{
+ struct gmp_div_inverse inv;
+ mp_ptr tp = NULL;
+
+ assert (dn > 0);
+ assert
(nn >= dn);
+
+ mpn_div_qr_invert (&inv, dp, dn);
+ if (dn > 2 && inv.shift > 0)
+ {
+ tp = gmp_xalloc_limbs (dn);
+ gmp_assert_nocarry (mpn_lshift (tp, dp, dn, inv.shift));
+ dp = tp;
+ }
+ mpn_div_qr_preinv (qp, np, nn, dp, dn, &inv);
+ if (tp)
+ gmp_free (tp);
+}
+
+
+/* MPN base conversion. */
+static unsigned
+mpn_base_power_of_two_p (unsigned b)
+{
+ switch (b)
+ {
+ case 2: return 1;
+ case 4: return 2;
+ case 8: return 3;
+ case 16: return 4;
+ case 32: return 5;
+ case 64: return 6;
+ case 128: return 7;
+ case 256: return 8;
+ default: return 0;
+ }
+}
+
+struct mpn_base_info
+{
+ /* bb is the largest power of the base which fits in one limb, and
+ exp is the corresponding exponent. */
+ unsigned exp;
+ mp_limb_t bb;
+};
+
+static void
+mpn_get_base_info (struct mpn_base_info *info, mp_limb_t b)
+{
+ mp_limb_t m;
+ mp_limb_t p;
+ unsigned exp;
+
+ m = GMP_LIMB_MAX / b;
+ for (exp = 1, p = b; p <= m; exp++)
+ p *= b;
+
+ info->exp = exp;
+ info->bb = p;
+}
+
+static mp_bitcnt_t
+mpn_limb_size_in_base_2 (mp_limb_t u)
+{
+ unsigned shift;
+
+ assert (u > 0);
+ gmp_clz (shift, u);
+ return GMP_LIMB_BITS - shift;
+}
+
+static size_t
+mpn_get_str_bits (unsigned char *sp, unsigned bits, mp_srcptr up, mp_size_t un)
+{
+ unsigned char mask;
+ size_t sn, j;
+ mp_size_t i;
+ int shift;
+
+ sn = ((un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1]) + + bits - 1) / bits;
+
+ mask = (1U << bits) - 1;
+
+ for (i = 0, j = sn, shift = 0; j-- > 0;)
+ {
+ unsigned char digit = up[i] >> shift;
+
+ shift += bits;
+
+ if (shift >= GMP_LIMB_BITS && ++i < un)
+ {
+ shift -= GMP_LIMB_BITS;
+ digit |= up[i] << (bits - shift);
+ }
+ sp[j] = digit & mask;
+ }
+ return sn;
+}
+
+/* We generate digits from the least significant end, and reverse at
+ the end.
 */
+static size_t
+mpn_limb_get_str (unsigned char *sp, mp_limb_t w,
+ const struct gmp_div_inverse *binv)
+{
+ mp_size_t i;
+ for (i = 0; w > 0; i++)
+ {
+ mp_limb_t h, l, r;
+
+ h = w >> (GMP_LIMB_BITS - binv->shift);
+ l = w << binv->shift;
+
+ gmp_udiv_qrnnd_preinv (w, r, h, l, binv->d1, binv->di);
+ assert ( (r << (GMP_LIMB_BITS - binv->shift)) == 0);
+ r >>= binv->shift;
+
+ sp[i] = r;
+ }
+ return i;
+}
+
+static size_t
+mpn_get_str_other (unsigned char *sp,
+ int base, const struct mpn_base_info *info,
+ mp_ptr up, mp_size_t un)
+{
+ struct gmp_div_inverse binv;
+ size_t sn;
+ size_t i;
+
+ mpn_div_qr_1_invert (&binv, base);
+
+ sn = 0;
+
+ if (un > 1)
+ {
+ struct gmp_div_inverse bbinv;
+ mpn_div_qr_1_invert (&bbinv, info->bb);
+
+ do
+ {
+ mp_limb_t w;
+ size_t done;
+ w = mpn_div_qr_1_preinv (up, up, un, &bbinv);
+ un -= (up[un-1] == 0);
+ done = mpn_limb_get_str (sp + sn, w, &binv);
+
+ for (sn += done; done < info->exp; done++)
+ sp[sn++] = 0;
+ }
+ while (un > 1);
+ }
+ sn += mpn_limb_get_str (sp + sn, up[0], &binv);
+
+ /* Reverse order */
+ for (i = 0; 2*i + 1 < sn; i++)
+ {
+ unsigned char t = sp[i];
+ sp[i] = sp[sn - i - 1];
+ sp[sn - i - 1] = t;
+ }
+
+ return sn;
+}
+
+size_t
+mpn_get_str (unsigned char *sp, int base, mp_ptr up, mp_size_t un)
+{
+ unsigned bits;
+
+ assert (un > 0);
+ assert (up[un-1] > 0);
+
+ bits = mpn_base_power_of_two_p (base);
+ if (bits)
+ return mpn_get_str_bits (sp, bits, up, un);
+ else
+ {
+ struct mpn_base_info info;
+
+ mpn_get_base_info (&info, base);
+ return mpn_get_str_other (sp, base, &info, up, un);
+ }
+}
+
+static mp_size_t
+mpn_set_str_bits (mp_ptr rp, const unsigned char *sp, size_t sn,
+ unsigned bits)
+{
+ mp_size_t rn;
+ size_t j;
+ unsigned shift;
+
+ for (j = sn, rn = 0, shift = 0; j-- > 0; )
+ {
+ if (shift == 0)
+ {
+ rp[rn++] = sp[j];
+ shift += bits;
+ }
+ else
+ {
+ rp[rn-1] |= (mp_limb_t) sp[j] << shift;
+ shift += bits;
+ if (shift >= GMP_LIMB_BITS)
+ {
+ shift -= GMP_LIMB_BITS;
+ if (shift >
0)
+ rp[rn++] = (mp_limb_t) sp[j] >> (bits - shift);
+ }
+ }
+ }
+ rn = mpn_normalized_size (rp, rn);
+ return rn;
+}
+
+static mp_size_t
+mpn_set_str_other (mp_ptr rp, const unsigned char *sp, size_t sn,
+ mp_limb_t b, const struct mpn_base_info *info)
+{
+ mp_size_t rn;
+ mp_limb_t w;
+ unsigned k;
+ size_t j;
+
+ k = 1 + (sn - 1) % info->exp;
+
+ j = 0;
+ w = sp[j++];
+ for (; --k > 0; )
+ w = w * b + sp[j++];
+
+ rp[0] = w;
+
+ for (rn = (w > 0); j < sn;)
+ {
+ mp_limb_t cy;
+
+ w = sp[j++];
+ for (k = 1; k < info->exp; k++)
+ w = w * b + sp[j++];
+
+ cy = mpn_mul_1 (rp, rp, rn, info->bb);
+ cy += mpn_add_1 (rp, rp, rn, w);
+ if (cy > 0)
+ rp[rn++] = cy;
+ }
+ assert (j == sn);
+
+ return rn;
+}
+
+mp_size_t
+mpn_set_str (mp_ptr rp, const unsigned char *sp, size_t sn, int base)
+{
+ unsigned bits;
+
+ if (sn == 0)
+ return 0;
+
+ bits = mpn_base_power_of_two_p (base);
+ if (bits)
+ return mpn_set_str_bits (rp, sp, sn, bits);
+ else
+ {
+ struct mpn_base_info info;
+
+ mpn_get_base_info (&info, base);
+ return mpn_set_str_other (rp, sp, sn, base, &info);
+ }
+}
+
+
+/* MPZ interface */
+void
+mpz_init (mpz_t r)
+{
+ r->_mp_alloc = 1;
+ r->_mp_size = 0;
+ r->_mp_d = gmp_xalloc_limbs (1);
+}
+
+/* The utility of this function is a bit limited, since many functions
+ assigns the result variable using mpz_swap. */
+void
+mpz_init2 (mpz_t r, mp_bitcnt_t bits)
+{
+ mp_size_t rn;
+
+ bits -= (bits != 0); /* Round down, except if 0 */
+ rn = 1 + bits / GMP_LIMB_BITS;
+
+ r->_mp_alloc = rn;
+ r->_mp_size = 0;
+ r->_mp_d = gmp_xalloc_limbs (rn);
+}
+
+void
+mpz_clear (mpz_t r)
+{
+ gmp_free (r->_mp_d);
+}
+
+static void *
+mpz_realloc (mpz_t r, mp_size_t size)
+{
+ size = GMP_MAX (size, 1);
+
+ r->_mp_d = gmp_xrealloc_limbs (r->_mp_d, size);
+ r->_mp_alloc = size;
+
+ if (GMP_ABS (r->_mp_size) > size)
+ r->_mp_size = 0;
+
+ return r->_mp_d;
+}
+
+/* Realloc for an mpz_t WHAT if it has less than NEEDED limbs. */
+#define MPZ_REALLOC(z,n) ((n) > (z)->_mp_alloc \
+ ?
mpz_realloc(z,n) \
+ : (z)->_mp_d)
+
+/* MPZ assignment and basic conversions. */
+void
+mpz_set_si (mpz_t r, signed long int x)
+{
+ if (x >= 0)
+ mpz_set_ui (r, x);
+ else /* (x < 0) */
+ {
+ r->_mp_size = -1;
+ r->_mp_d[0] = GMP_NEG_CAST (unsigned long int, x);
+ }
+}
+
+void
+mpz_set_ui (mpz_t r, unsigned long int x)
+{
+ if (x > 0)
+ {
+ r->_mp_size = 1;
+ r->_mp_d[0] = x;
+ }
+ else
+ r->_mp_size = 0;
+}
+
+void
+mpz_set (mpz_t r, const mpz_t x)
+{
+ /* Allow the NOP r == x */
+ if (r != x)
+ {
+ mp_size_t n;
+ mp_ptr rp;
+
+ n = GMP_ABS (x->_mp_size);
+ rp = MPZ_REALLOC (r, n);
+
+ mpn_copyi (rp, x->_mp_d, n);
+ r->_mp_size = x->_mp_size;
+ }
+}
+
+void
+mpz_init_set_si (mpz_t r, signed long int x)
+{
+ mpz_init (r);
+ mpz_set_si (r, x);
+}
+
+void
+mpz_init_set_ui (mpz_t r, unsigned long int x)
+{
+ mpz_init (r);
+ mpz_set_ui (r, x);
+}
+
+void
+mpz_init_set (mpz_t r, const mpz_t x)
+{
+ mpz_init (r);
+ mpz_set (r, x);
+}
+
+int
+mpz_fits_slong_p (const mpz_t u)
+{
+ mp_size_t us = u->_mp_size;
+
+ if (us == 0)
+ return 1;
+ else if (us == 1)
+ return u->_mp_d[0] < GMP_LIMB_HIGHBIT;
+ else if (us == -1)
+ return u->_mp_d[0] <= GMP_LIMB_HIGHBIT;
+ else
+ return 0;
+}
+
+int
+mpz_fits_ulong_p (const mpz_t u)
+{
+ mp_size_t us = u->_mp_size;
+
+ return (us == (us > 0));
+}
+
+long int
+mpz_get_si (const mpz_t u)
+{
+ mp_size_t us = u->_mp_size;
+
+ if (us > 0)
+ return (long) (u->_mp_d[0] & ~GMP_LIMB_HIGHBIT);
+ else if (us < 0)
+ return (long) (- u->_mp_d[0] | GMP_LIMB_HIGHBIT);
+ else
+ return 0;
+}
+
+unsigned long int
+mpz_get_ui (const mpz_t u)
+{
+ return u->_mp_size == 0 ?
0 : u->_mp_d[0];
+}
+
+size_t
+mpz_size (const mpz_t u)
+{
+ return GMP_ABS (u->_mp_size);
+}
+
+mp_limb_t
+mpz_getlimbn (const mpz_t u, mp_size_t n)
+{
+ if (n >= 0 && n < GMP_ABS (u->_mp_size))
+ return u->_mp_d[n];
+ else
+ return 0;
+}
+
+void
+mpz_realloc2 (mpz_t x, mp_bitcnt_t n)
+{
+ mpz_realloc (x, 1 + (n - (n != 0)) / GMP_LIMB_BITS);
+}
+
+mp_srcptr
+mpz_limbs_read (mpz_srcptr x)
+{
+ return x->_mp_d;;
+}
+
+mp_ptr
+mpz_limbs_modify (mpz_t x, mp_size_t n)
+{
+ assert (n > 0);
+ return MPZ_REALLOC (x, n);
+}
+
+mp_ptr
+mpz_limbs_write (mpz_t x, mp_size_t n)
+{
+ return mpz_limbs_modify (x, n);
+}
+
+void
+mpz_limbs_finish (mpz_t x, mp_size_t xs)
+{
+ mp_size_t xn;
+ xn = mpn_normalized_size (x->_mp_d, GMP_ABS (xs));
+ x->_mp_size = xs < 0 ? -xn : xn;
+}
+
+mpz_srcptr
+mpz_roinit_n (mpz_t x, mp_srcptr xp, mp_size_t xs)
+{
+ x->_mp_alloc = 0;
+ x->_mp_d = (mp_ptr) xp;
+ mpz_limbs_finish (x, xs);
+ return x;
+}
+
+
+/* Conversions and comparison to double. */
+void
+mpz_set_d (mpz_t r, double x)
+{
+ int sign;
+ mp_ptr rp;
+ mp_size_t rn, i;
+ double B;
+ double Bi;
+ mp_limb_t f;
+
+ /* x != x is true when x is a NaN, and x == x * 0.5 is true when x is
+ zero or infinity. */
+ if (x != x || x == x * 0.5)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ sign = x < 0.0 ;
+ if (sign)
+ x = - x;
+
+ if (x < 1.0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+ B = 2.0 * (double) GMP_LIMB_HIGHBIT;
+ Bi = 1.0 / B;
+ for (rn = 1; x >= B; rn++)
+ x *= Bi;
+
+ rp = MPZ_REALLOC (r, rn);
+
+ f = (mp_limb_t) x;
+ x -= f;
+ assert (x < 1.0);
+ i = rn-1;
+ rp[i] = f;
+ while (--i >= 0)
+ {
+ x = B * x;
+ f = (mp_limb_t) x;
+ x -= f;
+ assert (x < 1.0);
+ rp[i] = f;
+ }
+
+ r->_mp_size = sign ?
- rn : rn;
+}
+
+void
+mpz_init_set_d (mpz_t r, double x)
+{
+ mpz_init (r);
+ mpz_set_d (r, x);
+}
+
+double
+mpz_get_d (const mpz_t u)
+{
+ mp_size_t un;
+ double x;
+ double B = 2.0 * (double) GMP_LIMB_HIGHBIT;
+
+ un = GMP_ABS (u->_mp_size);
+
+ if (un == 0)
+ return 0.0;
+
+ x = u->_mp_d[--un];
+ while (un > 0)
+ x = B*x + u->_mp_d[--un];
+
+ if (u->_mp_size < 0)
+ x = -x;
+
+ return x;
+}
+
+int
+mpz_cmpabs_d (const mpz_t x, double d)
+{
+ mp_size_t xn;
+ double B, Bi;
+ mp_size_t i;
+
+ xn = x->_mp_size;
+ d = GMP_ABS (d);
+
+ if (xn != 0)
+ {
+ xn = GMP_ABS (xn);
+
+ B = 2.0 * (double) GMP_LIMB_HIGHBIT;
+ Bi = 1.0 / B;
+
+ /* Scale d so it can be compared with the top limb. */
+ for (i = 1; i < xn; i++)
+ d *= Bi;
+
+ if (d >= B)
+ return -1;
+
+ /* Compare floor(d) to top limb, subtract and cancel when equal. */
+ for (i = xn; i-- > 0;)
+ {
+ mp_limb_t f, xl;
+
+ f = (mp_limb_t) d;
+ xl = x->_mp_d[i];
+ if (xl > f)
+ return 1;
+ else if (xl < f)
+ return -1;
+ d = B * (d - f);
+ }
+ }
+ return - (d > 0.0);
+}
+
+int
+mpz_cmp_d (const mpz_t x, double d)
+{
+ if (x->_mp_size < 0)
+ {
+ if (d >= 0.0)
+ return -1;
+ else
+ return -mpz_cmpabs_d (x, d);
+ }
+ else
+ {
+ if (d < 0.0)
+ return 1;
+ else
+ return mpz_cmpabs_d (x, d);
+ }
+}
+
+
+/* MPZ comparisons and the like.
 */
+int
+mpz_sgn (const mpz_t u)
+{
+ mp_size_t usize = u->_mp_size;
+
+ return (usize > 0) - (usize < 0);
+}
+
+int
+mpz_cmp_si (const mpz_t u, long v)
+{
+ mp_size_t usize = u->_mp_size;
+
+ if (usize < -1)
+ return -1;
+ else if (v >= 0)
+ return mpz_cmp_ui (u, v);
+ else if (usize >= 0)
+ return 1;
+ else /* usize == -1 */
+ {
+ mp_limb_t ul = u->_mp_d[0];
+ if ((mp_limb_t)GMP_NEG_CAST (unsigned long int, v) < ul)
+ return -1;
+ else
+ return (mp_limb_t)GMP_NEG_CAST (unsigned long int, v) > ul;
+ }
+}
+
+int
+mpz_cmp_ui (const mpz_t u, unsigned long v)
+{
+ mp_size_t usize = u->_mp_size;
+
+ if (usize > 1)
+ return 1;
+ else if (usize < 0)
+ return -1;
+ else
+ {
+ mp_limb_t ul = (usize > 0) ? u->_mp_d[0] : 0;
+ return (ul > v) - (ul < v);
+ }
+}
+
+int
+mpz_cmp (const mpz_t a, const mpz_t b)
+{
+ mp_size_t asize = a->_mp_size;
+ mp_size_t bsize = b->_mp_size;
+
+ if (asize != bsize)
+ return (asize < bsize) ? -1 : 1;
+ else if (asize >= 0)
+ return mpn_cmp (a->_mp_d, b->_mp_d, asize);
+ else
+ return mpn_cmp (b->_mp_d, a->_mp_d, -asize);
+}
+
+int
+mpz_cmpabs_ui (const mpz_t u, unsigned long v)
+{
+ mp_size_t un = GMP_ABS (u->_mp_size);
+ mp_limb_t ul;
+
+ if (un > 1)
+ return 1;
+
+ ul = (un == 1) ? u->_mp_d[0] : 0;
+
+ return (ul > v) - (ul < v);
+}
+
+int
+mpz_cmpabs (const mpz_t u, const mpz_t v)
+{
+ return mpn_cmp4 (u->_mp_d, GMP_ABS (u->_mp_size),
+ v->_mp_d, GMP_ABS (v->_mp_size));
+}
+
+void
+mpz_abs (mpz_t r, const mpz_t u)
+{
+ if (r != u)
+ mpz_set (r, u);
+
+ r->_mp_size = GMP_ABS (r->_mp_size);
+}
+
+void
+mpz_neg (mpz_t r, const mpz_t u)
+{
+ if (r != u)
+ mpz_set (r, u);
+
+ r->_mp_size = -r->_mp_size;
+}
+
+void
+mpz_swap (mpz_t u, mpz_t v)
+{
+ MP_SIZE_T_SWAP (u->_mp_size, v->_mp_size);
+ MP_SIZE_T_SWAP (u->_mp_alloc, v->_mp_alloc);
+ MP_PTR_SWAP (u->_mp_d, v->_mp_d);
+}
+
+
+/* MPZ addition and subtraction */
+
+/* Adds to the absolute value. Returns new size, but doesn't store it.
 */
+static mp_size_t
+mpz_abs_add_ui (mpz_t r, const mpz_t a, unsigned long b)
+{
+ mp_size_t an;
+ mp_ptr rp;
+ mp_limb_t cy;
+
+ an = GMP_ABS (a->_mp_size);
+ if (an == 0)
+ {
+ r->_mp_d[0] = b;
+ return b > 0;
+ }
+
+ rp = MPZ_REALLOC (r, an + 1);
+
+ cy = mpn_add_1 (rp, a->_mp_d, an, b);
+ rp[an] = cy;
+ an += cy;
+
+ return an;
+}
+
+/* Subtract from the absolute value. Returns new size, (or -1 on underflow),
+ but doesn't store it. */
+static mp_size_t
+mpz_abs_sub_ui (mpz_t r, const mpz_t a, unsigned long b)
+{
+ mp_size_t an = GMP_ABS (a->_mp_size);
+ mp_ptr rp = MPZ_REALLOC (r, an);
+
+ if (an == 0)
+ {
+ rp[0] = b;
+ return -(b > 0);
+ }
+ else if (an == 1 && a->_mp_d[0] < b)
+ {
+ rp[0] = b - a->_mp_d[0];
+ return -1;
+ }
+ else
+ {
+ gmp_assert_nocarry (mpn_sub_1 (rp, a->_mp_d, an, b));
+ return mpn_normalized_size (rp, an);
+ }
+}
+
+void
+mpz_add_ui (mpz_t r, const mpz_t a, unsigned long b)
+{
+ if (a->_mp_size >= 0)
+ r->_mp_size = mpz_abs_add_ui (r, a, b);
+ else
+ r->_mp_size = -mpz_abs_sub_ui (r, a, b);
+}
+
+void
+mpz_sub_ui (mpz_t r, const mpz_t a, unsigned long b)
+{
+ if (a->_mp_size < 0)
+ r->_mp_size = -mpz_abs_add_ui (r, a, b);
+ else
+ r->_mp_size = mpz_abs_sub_ui (r, a, b);
+}
+
+void
+mpz_ui_sub (mpz_t r, unsigned long a, const mpz_t b)
+{
+ if (b->_mp_size < 0)
+ r->_mp_size = mpz_abs_add_ui (r, b, a);
+ else
+ r->_mp_size = -mpz_abs_sub_ui (r, b, a);
+}
+
+static mp_size_t
+mpz_abs_add (mpz_t r, const mpz_t a, const mpz_t b)
+{
+ mp_size_t an = GMP_ABS (a->_mp_size);
+ mp_size_t bn = GMP_ABS (b->_mp_size);
+ mp_ptr rp;
+ mp_limb_t cy;
+
+ if (an < bn)
+ {
+ MPZ_SRCPTR_SWAP (a, b);
+ MP_SIZE_T_SWAP (an, bn);
+ }
+
+ rp = MPZ_REALLOC (r, an + 1);
+ cy = mpn_add (rp, a->_mp_d, an, b->_mp_d, bn);
+
+ rp[an] = cy;
+
+ return an + cy;
+}
+
+static mp_size_t
+mpz_abs_sub (mpz_t r, const mpz_t a, const mpz_t b)
+{
+ mp_size_t an = GMP_ABS (a->_mp_size);
+ mp_size_t bn = GMP_ABS (b->_mp_size);
+ int cmp;
+ mp_ptr rp;
+
+ cmp = mpn_cmp4
(a->_mp_d, an, b->_mp_d, bn);
+ if (cmp > 0)
+ {
+ rp = MPZ_REALLOC (r, an);
+ gmp_assert_nocarry (mpn_sub (rp, a->_mp_d, an, b->_mp_d, bn));
+ return mpn_normalized_size (rp, an);
+ }
+ else if (cmp < 0)
+ {
+ rp = MPZ_REALLOC (r, bn);
+ gmp_assert_nocarry (mpn_sub (rp, b->_mp_d, bn, a->_mp_d, an));
+ return -mpn_normalized_size (rp, bn);
+ }
+ else
+ return 0;
+}
+
+void
+mpz_add (mpz_t r, const mpz_t a, const mpz_t b)
+{
+ mp_size_t rn;
+
+ if ( (a->_mp_size ^ b->_mp_size) >= 0)
+ rn = mpz_abs_add (r, a, b);
+ else
+ rn = mpz_abs_sub (r, a, b);
+
+ r->_mp_size = a->_mp_size >= 0 ? rn : - rn;
+}
+
+void
+mpz_sub (mpz_t r, const mpz_t a, const mpz_t b)
+{
+ mp_size_t rn;
+
+ if ( (a->_mp_size ^ b->_mp_size) >= 0)
+ rn = mpz_abs_sub (r, a, b);
+ else
+ rn = mpz_abs_add (r, a, b);
+
+ r->_mp_size = a->_mp_size >= 0 ? rn : - rn;
+}
+
+
+/* MPZ multiplication */
+void
+mpz_mul_si (mpz_t r, const mpz_t u, long int v)
+{
+ if (v < 0)
+ {
+ mpz_mul_ui (r, u, GMP_NEG_CAST (unsigned long int, v));
+ mpz_neg (r, r);
+ }
+ else
+ mpz_mul_ui (r, u, (unsigned long int) v);
+}
+
+void
+mpz_mul_ui (mpz_t r, const mpz_t u, unsigned long int v)
+{
+ mp_size_t un, us;
+ mp_ptr tp;
+ mp_limb_t cy;
+
+ us = u->_mp_size;
+
+ if (us == 0 || v == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ un = GMP_ABS (us);
+
+ tp = MPZ_REALLOC (r, un + 1);
+ cy = mpn_mul_1 (tp, u->_mp_d, un, v);
+ tp[un] = cy;
+
+ un += (cy > 0);
+ r->_mp_size = (us < 0) ? - un : un;
+}
+
+void
+mpz_mul (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ int sign;
+ mp_size_t un, vn, rn;
+ mpz_t t;
+ mp_ptr tp;
+
+ un = u->_mp_size;
+ vn = v->_mp_size;
+
+ if (un == 0 || vn == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ sign = (un ^ vn) < 0;
+
+ un = GMP_ABS (un);
+ vn = GMP_ABS (vn);
+
+ mpz_init2 (t, (un + vn) * GMP_LIMB_BITS);
+
+ tp = t->_mp_d;
+ if (un >= vn)
+ mpn_mul (tp, u->_mp_d, un, v->_mp_d, vn);
+ else
+ mpn_mul (tp, v->_mp_d, vn, u->_mp_d, un);
+
+ rn = un + vn;
+ rn -= tp[rn-1] == 0;
+
+ t->_mp_size = sign ?
- rn : rn;
+ mpz_swap (r, t);
+ mpz_clear (t);
+}
+
+void
+mpz_mul_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bits)
+{
+ mp_size_t un, rn;
+ mp_size_t limbs;
+ unsigned shift;
+ mp_ptr rp;
+
+ un = GMP_ABS (u->_mp_size);
+ if (un == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ limbs = bits / GMP_LIMB_BITS;
+ shift = bits % GMP_LIMB_BITS;
+
+ rn = un + limbs + (shift > 0);
+ rp = MPZ_REALLOC (r, rn);
+ if (shift > 0)
+ {
+ mp_limb_t cy = mpn_lshift (rp + limbs, u->_mp_d, un, shift);
+ rp[rn-1] = cy;
+ rn -= (cy == 0);
+ }
+ else
+ mpn_copyd (rp + limbs, u->_mp_d, un);
+
+ while (limbs > 0)
+ rp[--limbs] = 0;
+
+ r->_mp_size = (u->_mp_size < 0) ? - rn : rn;
+}
+
+void
+mpz_addmul_ui (mpz_t r, const mpz_t u, unsigned long int v)
+{
+ mpz_t t;
+ mpz_init (t);
+ mpz_mul_ui (t, u, v);
+ mpz_add (r, r, t);
+ mpz_clear (t);
+}
+
+void
+mpz_submul_ui (mpz_t r, const mpz_t u, unsigned long int v)
+{
+ mpz_t t;
+ mpz_init (t);
+ mpz_mul_ui (t, u, v);
+ mpz_sub (r, r, t);
+ mpz_clear (t);
+}
+
+void
+mpz_addmul (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mpz_t t;
+ mpz_init (t);
+ mpz_mul (t, u, v);
+ mpz_add (r, r, t);
+ mpz_clear (t);
+}
+
+void
+mpz_submul (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mpz_t t;
+ mpz_init (t);
+ mpz_mul (t, u, v);
+ mpz_sub (r, r, t);
+ mpz_clear (t);
+}
+
+
+/* MPZ division */
+enum mpz_div_round_mode { GMP_DIV_FLOOR, GMP_DIV_CEIL, GMP_DIV_TRUNC };
+
+/* Allows q or r to be zero. Returns 1 iff remainder is non-zero.
 */
+static int
+mpz_div_qr (mpz_t q, mpz_t r,
+ const mpz_t n, const mpz_t d, enum mpz_div_round_mode mode)
+{
+ mp_size_t ns, ds, nn, dn, qs;
+ ns = n->_mp_size;
+ ds = d->_mp_size;
+
+ if (ds == 0)
+ gmp_die("mpz_div_qr: Divide by zero.");
+
+ if (ns == 0)
+ {
+ if (q)
+ q->_mp_size = 0;
+ if (r)
+ r->_mp_size = 0;
+ return 0;
+ }
+
+ nn = GMP_ABS (ns);
+ dn = GMP_ABS (ds);
+
+ qs = ds ^ ns;
+
+ if (nn < dn)
+ {
+ if (mode == GMP_DIV_CEIL && qs >= 0)
+ {
+ /* q = 1, r = n - d */
+ if (r)
+ mpz_sub (r, n, d);
+ if (q)
+ mpz_set_ui (q, 1);
+ }
+ else if (mode == GMP_DIV_FLOOR && qs < 0)
+ {
+ /* q = -1, r = n + d */
+ if (r)
+ mpz_add (r, n, d);
+ if (q)
+ mpz_set_si (q, -1);
+ }
+ else
+ {
+ /* q = 0, r = d */
+ if (r)
+ mpz_set (r, n);
+ if (q)
+ q->_mp_size = 0;
+ }
+ return 1;
+ }
+ else
+ {
+ mp_ptr np, qp;
+ mp_size_t qn, rn;
+ mpz_t tq, tr;
+
+ mpz_init_set (tr, n);
+ np = tr->_mp_d;
+
+ qn = nn - dn + 1;
+
+ if (q)
+ {
+ mpz_init2 (tq, qn * GMP_LIMB_BITS);
+ qp = tq->_mp_d;
+ }
+ else
+ qp = NULL;
+
+ mpn_div_qr (qp, np, nn, d->_mp_d, dn);
+
+ if (qp)
+ {
+ qn -= (qp[qn-1] == 0);
+
+ tq->_mp_size = qs < 0 ? -qn : qn;
+ }
+ rn = mpn_normalized_size (np, dn);
+ tr->_mp_size = ns < 0 ?
- rn : rn;
+
+ if (mode == GMP_DIV_FLOOR && qs < 0 && rn != 0)
+ {
+ if (q)
+ mpz_sub_ui (tq, tq, 1);
+ if (r)
+ mpz_add (tr, tr, d);
+ }
+ else if (mode == GMP_DIV_CEIL && qs >= 0 && rn != 0)
+ {
+ if (q)
+ mpz_add_ui (tq, tq, 1);
+ if (r)
+ mpz_sub (tr, tr, d);
+ }
+
+ if (q)
+ {
+ mpz_swap (tq, q);
+ mpz_clear (tq);
+ }
+ if (r)
+ mpz_swap (tr, r);
+
+ mpz_clear (tr);
+
+ return rn != 0;
+ }
+}
+
+void
+mpz_cdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, r, n, d, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, r, n, d, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, r, n, d, GMP_DIV_TRUNC);
+}
+
+void
+mpz_cdiv_q (mpz_t q, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, NULL, n, d, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_q (mpz_t q, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, NULL, n, d, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_q (mpz_t q, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC);
+}
+
+void
+mpz_cdiv_r (mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (NULL, r, n, d, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_r (mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (NULL, r, n, d, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_r (mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (NULL, r, n, d, GMP_DIV_TRUNC);
+}
+
+void
+mpz_mod (mpz_t r, const mpz_t n, const mpz_t d)
+{
+ mpz_div_qr (NULL, r, n, d, d->_mp_size >= 0 ? GMP_DIV_FLOOR : GMP_DIV_CEIL);
+}
+
+static void
+mpz_div_q_2exp (mpz_t q, const mpz_t u, mp_bitcnt_t bit_index,
+ enum mpz_div_round_mode mode)
+{
+ mp_size_t un, qn;
+ mp_size_t limb_cnt;
+ mp_ptr qp;
+ int adjust;
+
+ un = u->_mp_size;
+ if (un == 0)
+ {
+ q->_mp_size = 0;
+ return;
+ }
+ limb_cnt = bit_index / GMP_LIMB_BITS;
+ qn = GMP_ABS (un) - limb_cnt;
+ bit_index %= GMP_LIMB_BITS;
+
+ if (mode == ((un > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* un != 0 here.
*/
+ /* Note: Below, the final indexing at limb_cnt is valid because at
+ that point we have qn > 0. */
+ adjust = (qn <= 0
+ || !mpn_zero_p (u->_mp_d, limb_cnt)
+ || (u->_mp_d[limb_cnt]
+ & (((mp_limb_t) 1 << bit_index) - 1)));
+ else
+ adjust = 0;
+
+ if (qn <= 0)
+ qn = 0;
+
+ else
+ {
+ qp = MPZ_REALLOC (q, qn);
+
+ if (bit_index != 0)
+ {
+ mpn_rshift (qp, u->_mp_d + limb_cnt, qn, bit_index);
+ qn -= qp[qn - 1] == 0;
+ }
+ else
+ {
+ mpn_copyi (qp, u->_mp_d + limb_cnt, qn);
+ }
+ }
+
+ q->_mp_size = qn;
+
+ if (adjust)
+ mpz_add_ui (q, q, 1);
+ if (un < 0)
+ mpz_neg (q, q);
+}
+
+static void
+mpz_div_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bit_index,
+ enum mpz_div_round_mode mode)
+{
+ mp_size_t us, un, rn;
+ mp_ptr rp;
+ mp_limb_t mask;
+
+ us = u->_mp_size;
+ if (us == 0 || bit_index == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+ rn = (bit_index + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS;
+ assert (rn > 0);
+
+ rp = MPZ_REALLOC (r, rn);
+ un = GMP_ABS (us);
+
+ mask = GMP_LIMB_MAX >> (rn * GMP_LIMB_BITS - bit_index);
+
+ if (rn > un)
+ {
+ /* Quotient (with truncation) is zero, and remainder is
+ non-zero */
+ if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */
+ {
+ /* Have to negate and sign extend. */
+ mp_size_t i;
+ mp_limb_t cy;
+
+ for (cy = 1, i = 0; i < un; i++)
+ {
+ mp_limb_t s = ~u->_mp_d[i] + cy;
+ cy = s < cy;
+ rp[i] = s;
+ }
+ assert (cy == 0);
+ for (; i < rn - 1; i++)
+ rp[i] = GMP_LIMB_MAX;
+
+ rp[rn-1] = mask;
+ us = -us;
+ }
+ else
+ {
+ /* Just copy */
+ if (r != u)
+ mpn_copyi (rp, u->_mp_d, un);
+
+ rn = un;
+ }
+ }
+ else
+ {
+ if (r != u)
+ mpn_copyi (rp, u->_mp_d, rn - 1);
+
+ rp[rn-1] = u->_mp_d[rn-1] & mask;
+
+ if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */
+ {
+ /* If r != 0, compute 2^{bit_count} - r. */
+ mp_size_t i;
+
+ for (i = 0; i < rn && rp[i] == 0; i++)
+ ;
+ if (i < rn)
+ {
+ /* r > 0, need to flip sign.
*/
+ rp[i] = ~rp[i] + 1;
+ while (++i < rn)
+ rp[i] = ~rp[i];
+
+ rp[rn-1] &= mask;
+
+ /* us is not used for anything else, so we can modify it
+ here to indicate flipped sign. */
+ us = -us;
+ }
+ }
+ }
+ rn = mpn_normalized_size (rp, rn);
+ r->_mp_size = us < 0 ? -rn : rn;
+}
+
+void
+mpz_cdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_q_2exp (r, u, cnt, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_q_2exp (r, u, cnt, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_q_2exp (r, u, cnt, GMP_DIV_TRUNC);
+}
+
+void
+mpz_cdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_r_2exp (r, u, cnt, GMP_DIV_CEIL);
+}
+
+void
+mpz_fdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_r_2exp (r, u, cnt, GMP_DIV_FLOOR);
+}
+
+void
+mpz_tdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt)
+{
+ mpz_div_r_2exp (r, u, cnt, GMP_DIV_TRUNC);
+}
+
+void
+mpz_divexact (mpz_t q, const mpz_t n, const mpz_t d)
+{
+ gmp_assert_nocarry (mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC));
+}
+
+int
+mpz_divisible_p (const mpz_t n, const mpz_t d)
+{
+ return mpz_div_qr (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0;
+}
+
+int
+mpz_congruent_p (const mpz_t a, const mpz_t b, const mpz_t m)
+{
+ mpz_t t;
+ int res;
+
+ /* a == b (mod 0) iff a == b */
+ if (mpz_sgn (m) == 0)
+ return (mpz_cmp (a, b) == 0);
+
+ mpz_init (t);
+ mpz_sub (t, a, b);
+ res = mpz_divisible_p (t, m);
+ mpz_clear (t);
+
+ return res;
+}
+
+static unsigned long
+mpz_div_qr_ui (mpz_t q, mpz_t r,
+ const mpz_t n, unsigned long d, enum mpz_div_round_mode mode)
+{
+ mp_size_t ns, qn;
+ mp_ptr qp;
+ mp_limb_t rl;
+ mp_size_t rs;
+
+ ns = n->_mp_size;
+ if (ns == 0)
+ {
+ if (q)
+ q->_mp_size = 0;
+ if (r)
+ r->_mp_size = 0;
+ return 0;
+ }
+
+ qn = GMP_ABS (ns);
+ if (q)
+ qp = MPZ_REALLOC (q, qn);
+ else
+ qp = NULL;
+
+ rl = mpn_div_qr_1 (qp, n->_mp_d, qn, d);
+ assert (rl < d);
+
+ rs = rl > 0;
+ rs = (ns < 0) ? -rs : rs;
+
+ if (rl > 0 && ( (mode == GMP_DIV_FLOOR && ns < 0)
+ || (mode == GMP_DIV_CEIL && ns >= 0)))
+ {
+ if (q)
+ gmp_assert_nocarry (mpn_add_1 (qp, qp, qn, 1));
+ rl = d - rl;
+ rs = -rs;
+ }
+
+ if (r)
+ {
+ r->_mp_d[0] = rl;
+ r->_mp_size = rs;
+ }
+ if (q)
+ {
+ qn -= (qp[qn-1] == 0);
+ assert (qn == 0 || qp[qn-1] > 0);
+
+ q->_mp_size = (ns < 0) ? - qn : qn;
+ }
+
+ return rl;
+}
+
+unsigned long
+mpz_cdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, r, n, d, GMP_DIV_CEIL);
+}
+
+unsigned long
+mpz_fdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, r, n, d, GMP_DIV_FLOOR);
+}
+
+unsigned long
+mpz_tdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, r, n, d, GMP_DIV_TRUNC);
+}
+
+unsigned long
+mpz_cdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_CEIL);
+}
+
+unsigned long
+mpz_fdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_FLOOR);
+}
+
+unsigned long
+mpz_tdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC);
+}
+
+unsigned long
+mpz_cdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_CEIL);
+}
+unsigned long
+mpz_fdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR);
+}
+unsigned long
+mpz_tdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_TRUNC);
+}
+
+unsigned long
+mpz_cdiv_ui (const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_CEIL);
+}
+
+unsigned long
+mpz_fdiv_ui (const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_FLOOR);
+}
+
+unsigned long
+mpz_tdiv_ui (const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, NULL, n,
d, GMP_DIV_TRUNC);
+}
+
+unsigned long
+mpz_mod_ui (mpz_t r, const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR);
+}
+
+void
+mpz_divexact_ui (mpz_t q, const mpz_t n, unsigned long d)
+{
+ gmp_assert_nocarry (mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC));
+}
+
+int
+mpz_divisible_ui_p (const mpz_t n, unsigned long d)
+{
+ return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0;
+}
+
+
+/* GCD */
+static mp_limb_t
+mpn_gcd_11 (mp_limb_t u, mp_limb_t v)
+{
+ unsigned shift;
+
+ assert ( (u | v) > 0);
+
+ if (u == 0)
+ return v;
+ else if (v == 0)
+ return u;
+
+ gmp_ctz (shift, u | v);
+
+ u >>= shift;
+ v >>= shift;
+
+ if ( (u & 1) == 0)
+ MP_LIMB_T_SWAP (u, v);
+
+ while ( (v & 1) == 0)
+ v >>= 1;
+
+ while (u != v)
+ {
+ if (u > v)
+ {
+ u -= v;
+ do
+ u >>= 1;
+ while ( (u & 1) == 0);
+ }
+ else
+ {
+ v -= u;
+ do
+ v >>= 1;
+ while ( (v & 1) == 0);
+ }
+ }
+ return u << shift;
+}
+
+unsigned long
+mpz_gcd_ui (mpz_t g, const mpz_t u, unsigned long v)
+{
+ mp_size_t un;
+
+ if (v == 0)
+ {
+ if (g)
+ mpz_abs (g, u);
+ }
+ else
+ {
+ un = GMP_ABS (u->_mp_size);
+ if (un != 0)
+ v = mpn_gcd_11 (mpn_div_qr_1 (NULL, u->_mp_d, un, v), v);
+
+ if (g)
+ mpz_set_ui (g, v);
+ }
+
+ return v;
+}
+
+static mp_bitcnt_t
+mpz_make_odd (mpz_t r)
+{
+ mp_bitcnt_t shift;
+
+ assert (r->_mp_size > 0);
+ /* Count trailing zeros, equivalent to mpn_scan1, because we know that there is a 1 */
+ shift = mpn_common_scan (r->_mp_d[0], 0, r->_mp_d, 0, 0);
+ mpz_tdiv_q_2exp (r, r, shift);
+
+ return shift;
+}
+
+void
+mpz_gcd (mpz_t g, const mpz_t u, const mpz_t v)
+{
+ mpz_t tu, tv;
+ mp_bitcnt_t uz, vz, gz;
+
+ if (u->_mp_size == 0)
+ {
+ mpz_abs (g, v);
+ return;
+ }
+ if (v->_mp_size == 0)
+ {
+ mpz_abs (g, u);
+ return;
+ }
+
+ mpz_init (tu);
+ mpz_init (tv);
+
+ mpz_abs (tu, u);
+ uz = mpz_make_odd (tu);
+ mpz_abs (tv, v);
+ vz = mpz_make_odd (tv);
+ gz = GMP_MIN (uz, vz);
+
+ if (tu->_mp_size < tv->_mp_size)
+ mpz_swap (tu, tv);
+
+
mpz_tdiv_r (tu, tu, tv);
+ if (tu->_mp_size == 0)
+ {
+ mpz_swap (g, tv);
+ }
+ else
+ for (;;)
+ {
+ int c;
+
+ mpz_make_odd (tu);
+ c = mpz_cmp (tu, tv);
+ if (c == 0)
+ {
+ mpz_swap (g, tu);
+ break;
+ }
+ if (c < 0)
+ mpz_swap (tu, tv);
+
+ if (tv->_mp_size == 1)
+ {
+ mp_limb_t vl = tv->_mp_d[0];
+ mp_limb_t ul = mpz_tdiv_ui (tu, vl);
+ mpz_set_ui (g, mpn_gcd_11 (ul, vl));
+ break;
+ }
+ mpz_sub (tu, tu, tv);
+ }
+ mpz_clear (tu);
+ mpz_clear (tv);
+ mpz_mul_2exp (g, g, gz);
+}
+
+void
+mpz_gcdext (mpz_t g, mpz_t s, mpz_t t, const mpz_t u, const mpz_t v)
+{
+ mpz_t tu, tv, s0, s1, t0, t1;
+ mp_bitcnt_t uz, vz, gz;
+ mp_bitcnt_t power;
+
+ if (u->_mp_size == 0)
+ {
+ /* g = 0 u + sgn(v) v */
+ signed long sign = mpz_sgn (v);
+ mpz_abs (g, v);
+ if (s)
+ mpz_set_ui (s, 0);
+ if (t)
+ mpz_set_si (t, sign);
+ return;
+ }
+
+ if (v->_mp_size == 0)
+ {
+ /* g = sgn(u) u + 0 v */
+ signed long sign = mpz_sgn (u);
+ mpz_abs (g, u);
+ if (s)
+ mpz_set_si (s, sign);
+ if (t)
+ mpz_set_ui (t, 0);
+ return;
+ }
+
+ mpz_init (tu);
+ mpz_init (tv);
+ mpz_init (s0);
+ mpz_init (s1);
+ mpz_init (t0);
+ mpz_init (t1);
+
+ mpz_abs (tu, u);
+ uz = mpz_make_odd (tu);
+ mpz_abs (tv, v);
+ vz = mpz_make_odd (tv);
+ gz = GMP_MIN (uz, vz);
+
+ uz -= gz;
+ vz -= gz;
+
+ /* Cofactors corresponding to odd gcd. gz handled later. */
+ if (tu->_mp_size < tv->_mp_size)
+ {
+ mpz_swap (tu, tv);
+ MPZ_SRCPTR_SWAP (u, v);
+ MPZ_PTR_SWAP (s, t);
+ MP_BITCNT_T_SWAP (uz, vz);
+ }
+
+ /* Maintain
+ *
+ * u = t0 tu + t1 tv
+ * v = s0 tu + s1 tv
+ *
+ * where u and v denote the inputs with common factors of two
+ * eliminated, and det (s0, t0; s1, t1) = 2^p.
Then
+ *
+ * 2^p tu = s1 u - t1 v
+ * 2^p tv = -s0 u + t0 v
+ */
+
+ /* After initial division, tu = q tv + tu', we have
+ *
+ * u = 2^uz (tu' + q tv)
+ * v = 2^vz tv
+ *
+ * or
+ *
+ * t0 = 2^uz, t1 = 2^uz q
+ * s0 = 0, s1 = 2^vz
+ */
+
+ mpz_setbit (t0, uz);
+ mpz_tdiv_qr (t1, tu, tu, tv);
+ mpz_mul_2exp (t1, t1, uz);
+
+ mpz_setbit (s1, vz);
+ power = uz + vz;
+
+ if (tu->_mp_size > 0)
+ {
+ mp_bitcnt_t shift;
+ shift = mpz_make_odd (tu);
+ mpz_mul_2exp (t0, t0, shift);
+ mpz_mul_2exp (s0, s0, shift);
+ power += shift;
+
+ for (;;)
+ {
+ int c;
+ c = mpz_cmp (tu, tv);
+ if (c == 0)
+ break;
+
+ if (c < 0)
+ {
+ /* tv = tv' + tu
+ *
+ * u = t0 tu + t1 (tv' + tu) = (t0 + t1) tu + t1 tv'
+ * v = s0 tu + s1 (tv' + tu) = (s0 + s1) tu + s1 tv' */
+
+ mpz_sub (tv, tv, tu);
+ mpz_add (t0, t0, t1);
+ mpz_add (s0, s0, s1);
+
+ shift = mpz_make_odd (tv);
+ mpz_mul_2exp (t1, t1, shift);
+ mpz_mul_2exp (s1, s1, shift);
+ }
+ else
+ {
+ mpz_sub (tu, tu, tv);
+ mpz_add (t1, t0, t1);
+ mpz_add (s1, s0, s1);
+
+ shift = mpz_make_odd (tu);
+ mpz_mul_2exp (t0, t0, shift);
+ mpz_mul_2exp (s0, s0, shift);
+ }
+ power += shift;
+ }
+ }
+
+ /* Now tv = odd part of gcd, and -s0 and t0 are corresponding
+ cofactors. */
+
+ mpz_mul_2exp (tv, tv, gz);
+ mpz_neg (s0, s0);
+
+ /* 2^p g = s0 u + t0 v. Eliminate one factor of two at a time.
To
+ adjust cofactors, we need u / g and v / g */
+
+ mpz_divexact (s1, v, tv);
+ mpz_abs (s1, s1);
+ mpz_divexact (t1, u, tv);
+ mpz_abs (t1, t1);
+
+ while (power-- > 0)
+ {
+ /* s0 u + t0 v = (s0 - v/g) u - (t0 + u/g) v */
+ if (mpz_odd_p (s0) || mpz_odd_p (t0))
+ {
+ mpz_sub (s0, s0, s1);
+ mpz_add (t0, t0, t1);
+ }
+ mpz_divexact_ui (s0, s0, 2);
+ mpz_divexact_ui (t0, t0, 2);
+ }
+
+ /* Arrange so that |s| < |u| / 2g */
+ mpz_add (s1, s0, s1);
+ if (mpz_cmpabs (s0, s1) > 0)
+ {
+ mpz_swap (s0, s1);
+ mpz_sub (t0, t0, t1);
+ }
+ if (u->_mp_size < 0)
+ mpz_neg (s0, s0);
+ if (v->_mp_size < 0)
+ mpz_neg (t0, t0);
+
+ mpz_swap (g, tv);
+ if (s)
+ mpz_swap (s, s0);
+ if (t)
+ mpz_swap (t, t0);
+
+ mpz_clear (tu);
+ mpz_clear (tv);
+ mpz_clear (s0);
+ mpz_clear (s1);
+ mpz_clear (t0);
+ mpz_clear (t1);
+}
+
+void
+mpz_lcm (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mpz_t g;
+
+ if (u->_mp_size == 0 || v->_mp_size == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ mpz_init (g);
+
+ mpz_gcd (g, u, v);
+ mpz_divexact (g, u, g);
+ mpz_mul (r, g, v);
+
+ mpz_clear (g);
+ mpz_abs (r, r);
+}
+
+void
+mpz_lcm_ui (mpz_t r, const mpz_t u, unsigned long v)
+{
+ if (v == 0 || u->_mp_size == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ v /= mpz_gcd_ui (NULL, u, v);
+ mpz_mul_ui (r, u, v);
+
+ mpz_abs (r, r);
+}
+
+int
+mpz_invert (mpz_t r, const mpz_t u, const mpz_t m)
+{
+ mpz_t g, tr;
+ int invertible;
+
+ if (u->_mp_size == 0 || mpz_cmpabs_ui (m, 1) <= 0)
+ return 0;
+
+ mpz_init (g);
+ mpz_init (tr);
+
+ mpz_gcdext (g, tr, NULL, u, m);
+ invertible = (mpz_cmp_ui (g, 1) == 0);
+
+ if (invertible)
+ {
+ if (tr->_mp_size < 0)
+ {
+ if (m->_mp_size >= 0)
+ mpz_add (tr, tr, m);
+ else
+ mpz_sub (tr, tr, m);
+ }
+ mpz_swap (r, tr);
+ }
+
+ mpz_clear (g);
+ mpz_clear (tr);
+ return invertible;
+}
+
+
+/* Higher level operations (sqrt, pow and root) */
+
+void
+mpz_pow_ui (mpz_t r, const mpz_t b, unsigned long e)
+{
+ unsigned long bit;
+ mpz_t tr;
+ mpz_init_set_ui (tr, 1);
+
+ bit =
GMP_ULONG_HIGHBIT;
+ do
+ {
+ mpz_mul (tr, tr, tr);
+ if (e & bit)
+ mpz_mul (tr, tr, b);
+ bit >>= 1;
+ }
+ while (bit > 0);
+
+ mpz_swap (r, tr);
+ mpz_clear (tr);
+}
+
+void
+mpz_ui_pow_ui (mpz_t r, unsigned long blimb, unsigned long e)
+{
+ mpz_t b;
+ mpz_init_set_ui (b, blimb);
+ mpz_pow_ui (r, b, e);
+ mpz_clear (b);
+}
+
+void
+mpz_powm (mpz_t r, const mpz_t b, const mpz_t e, const mpz_t m)
+{
+ mpz_t tr;
+ mpz_t base;
+ mp_size_t en, mn;
+ mp_srcptr mp;
+ struct gmp_div_inverse minv;
+ unsigned shift;
+ mp_ptr tp = NULL;
+
+ en = GMP_ABS (e->_mp_size);
+ mn = GMP_ABS (m->_mp_size);
+ if (mn == 0)
+ gmp_die ("mpz_powm: Zero modulo.");
+
+ if (en == 0)
+ {
+ mpz_set_ui (r, 1);
+ return;
+ }
+
+ mp = m->_mp_d;
+ mpn_div_qr_invert (&minv, mp, mn);
+ shift = minv.shift;
+
+ if (shift > 0)
+ {
+ /* To avoid shifts, we do all our reductions, except the final
+ one, using a *normalized* m. */
+ minv.shift = 0;
+
+ tp = gmp_xalloc_limbs (mn);
+ gmp_assert_nocarry (mpn_lshift (tp, mp, mn, shift));
+ mp = tp;
+ }
+
+ mpz_init (base);
+
+ if (e->_mp_size < 0)
+ {
+ if (!mpz_invert (base, b, m))
+ gmp_die ("mpz_powm: Negative exponent and non-invertible base.");
+ }
+ else
+ {
+ mp_size_t bn;
+ mpz_abs (base, b);
+
+ bn = base->_mp_size;
+ if (bn >= mn)
+ {
+ mpn_div_qr_preinv (NULL, base->_mp_d, base->_mp_size, mp, mn, &minv);
+ bn = mn;
+ }
+
+ /* We have reduced the absolute value. Now take care of the
+ sign. Note that we get zero represented non-canonically as
+ m.
*/
+ if (b->_mp_size < 0)
+ {
+ mp_ptr bp = MPZ_REALLOC (base, mn);
+ gmp_assert_nocarry (mpn_sub (bp, mp, mn, bp, bn));
+ bn = mn;
+ }
+ base->_mp_size = mpn_normalized_size (base->_mp_d, bn);
+ }
+ mpz_init_set_ui (tr, 1);
+
+ while (en-- > 0)
+ {
+ mp_limb_t w = e->_mp_d[en];
+ mp_limb_t bit;
+
+ bit = GMP_LIMB_HIGHBIT;
+ do
+ {
+ mpz_mul (tr, tr, tr);
+ if (w & bit)
+ mpz_mul (tr, tr, base);
+ if (tr->_mp_size > mn)
+ {
+ mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv);
+ tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn);
+ }
+ bit >>= 1;
+ }
+ while (bit > 0);
+ }
+
+ /* Final reduction */
+ if (tr->_mp_size >= mn)
+ {
+ minv.shift = shift;
+ mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv);
+ tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn);
+ }
+ if (tp)
+ gmp_free (tp);
+
+ mpz_swap (r, tr);
+ mpz_clear (tr);
+ mpz_clear (base);
+}
+
+void
+mpz_powm_ui (mpz_t r, const mpz_t b, unsigned long elimb, const mpz_t m)
+{
+ mpz_t e;
+ mpz_init_set_ui (e, elimb);
+ mpz_powm (r, b, e, m);
+ mpz_clear (e);
+}
+
+/* x=trunc(y^(1/z)), r=y-x^z */
+void
+mpz_rootrem (mpz_t x, mpz_t r, const mpz_t y, unsigned long z)
+{
+ int sgn;
+ mpz_t t, u;
+
+ sgn = y->_mp_size < 0;
+ if ((~z & sgn) != 0)
+ gmp_die ("mpz_rootrem: Negative argument, with even root.");
+ if (z == 0)
+ gmp_die ("mpz_rootrem: Zeroth root.");
+
+ if (mpz_cmpabs_ui (y, 1) <= 0) {
+ if (x)
+ mpz_set (x, y);
+ if (r)
+ r->_mp_size = 0;
+ return;
+ }
+
+ mpz_init (u);
+ {
+ mp_bitcnt_t tb;
+ tb = mpz_sizeinbase (y, 2) / z + 1;
+ mpz_init2 (t, tb);
+ mpz_setbit (t, tb);
+ }
+
+ if (z == 2) /* simplify sqrt loop: z-1 == 1 */
+ do {
+ mpz_swap (u, t); /* u = x */
+ mpz_tdiv_q (t, y, u); /* t = y/x */
+ mpz_add (t, t, u); /* t = y/x + x */
+ mpz_tdiv_q_2exp (t, t, 1); /* x'= (y/x + x)/2 */
+ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */
+ else /* z != 2 */ {
+ mpz_t v;
+
+ mpz_init (v);
+ if (sgn)
+ mpz_neg (t, t);
+
+ do {
+ mpz_swap (u, t); /* u = x */
+ mpz_pow_ui (t, u,
z - 1); /* t = x^(z-1) */
+ mpz_tdiv_q (t, y, t); /* t = y/x^(z-1) */
+ mpz_mul_ui (v, u, z - 1); /* v = x*(z-1) */
+ mpz_add (t, t, v); /* t = y/x^(z-1) + x*(z-1) */
+ mpz_tdiv_q_ui (t, t, z); /* x'=(y/x^(z-1) + x*(z-1))/z */
+ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */
+
+ mpz_clear (v);
+ }
+
+ if (r) {
+ mpz_pow_ui (t, u, z);
+ mpz_sub (r, y, t);
+ }
+ if (x)
+ mpz_swap (x, u);
+ mpz_clear (u);
+ mpz_clear (t);
+}
+
+int
+mpz_root (mpz_t x, const mpz_t y, unsigned long z)
+{
+ int res;
+ mpz_t r;
+
+ mpz_init (r);
+ mpz_rootrem (x, r, y, z);
+ res = r->_mp_size == 0;
+ mpz_clear (r);
+
+ return res;
+}
+
+/* Compute s = floor(sqrt(u)) and r = u - s^2. Allows r == NULL */
+void
+mpz_sqrtrem (mpz_t s, mpz_t r, const mpz_t u)
+{
+ mpz_rootrem (s, r, u, 2);
+}
+
+void
+mpz_sqrt (mpz_t s, const mpz_t u)
+{
+ mpz_rootrem (s, NULL, u, 2);
+}
+
+int
+mpz_perfect_square_p (const mpz_t u)
+{
+ if (u->_mp_size <= 0)
+ return (u->_mp_size == 0);
+ else
+ return mpz_root (NULL, u, 2);
+}
+
+int
+mpn_perfect_square_p (mp_srcptr p, mp_size_t n)
+{
+ mpz_t t;
+
+ assert (n > 0);
+ assert (p [n-1] != 0);
+ return mpz_root (NULL, mpz_roinit_n (t, p, n), 2);
+}
+
+mp_size_t
+mpn_sqrtrem (mp_ptr sp, mp_ptr rp, mp_srcptr p, mp_size_t n)
+{
+ mpz_t s, r, u;
+ mp_size_t res;
+
+ assert (n > 0);
+ assert (p [n-1] != 0);
+
+ mpz_init (r);
+ mpz_init (s);
+ mpz_rootrem (s, r, mpz_roinit_n (u, p, n), 2);
+
+ assert (s->_mp_size == (n+1)/2);
+ mpn_copyd (sp, s->_mp_d, s->_mp_size);
+ mpz_clear (s);
+ res = r->_mp_size;
+ if (rp)
+ mpn_copyd (rp, r->_mp_d, res);
+ mpz_clear (r);
+ return res;
+}
+
+/* Combinatorics */
+
+void
+mpz_fac_ui (mpz_t x, unsigned long n)
+{
+ mpz_set_ui (x, n + (n == 0));
+ for (;n > 2;)
+ mpz_mul_ui (x, x, --n);
+}
+
+void
+mpz_bin_uiui (mpz_t r, unsigned long n, unsigned long k)
+{
+ mpz_t t;
+
+ mpz_set_ui (r, k <= n);
+
+ if (k > (n >> 1))
+ k = (k <= n) ?
n - k : 0;
+
+ mpz_init (t);
+ mpz_fac_ui (t, k);
+
+ for (; k > 0; k--)
+ mpz_mul_ui (r, r, n--);
+
+ mpz_divexact (r, r, t);
+ mpz_clear (t);
+}
+
+
+/* Primality testing */
+static int
+gmp_millerrabin (const mpz_t n, const mpz_t nm1, mpz_t y,
+ const mpz_t q, mp_bitcnt_t k)
+{
+ assert (k > 0);
+
+ /* Caller must initialize y to the base. */
+ mpz_powm (y, y, q, n);
+
+ if (mpz_cmp_ui (y, 1) == 0 || mpz_cmp (y, nm1) == 0)
+ return 1;
+
+ while (--k > 0)
+ {
+ mpz_powm_ui (y, y, 2, n);
+ if (mpz_cmp (y, nm1) == 0)
+ return 1;
+ /* y == 1 means that the previous y was a non-trivial square root
+ of 1 (mod n). y == 0 means that n is a power of the base.
+ In either case, n is not prime. */
+ if (mpz_cmp_ui (y, 1) <= 0)
+ return 0;
+ }
+ return 0;
+}
+
+/* This product is 0xc0cfd797, and fits in 32 bits. */
+#define GMP_PRIME_PRODUCT \
+ (3UL*5UL*7UL*11UL*13UL*17UL*19UL*23UL*29UL)
+
+/* Bit (p+1)/2 is set, for each odd prime <= 61 */
+#define GMP_PRIME_MASK 0xc96996dcUL
+
+int
+mpz_probab_prime_p (const mpz_t n, int reps)
+{
+ mpz_t nm1;
+ mpz_t q;
+ mpz_t y;
+ mp_bitcnt_t k;
+ int is_prime;
+ int j;
+
+ /* Note that we use the absolute value of n only, for compatibility
+ with the real GMP. */
+ if (mpz_even_p (n))
+ return (mpz_cmpabs_ui (n, 2) == 0) ? 2 : 0;
+
+ /* Above test excludes n == 0 */
+ assert (n->_mp_size != 0);
+
+ if (mpz_cmpabs_ui (n, 64) < 0)
+ return (GMP_PRIME_MASK >> (n->_mp_d[0] >> 1)) & 2;
+
+ if (mpz_gcd_ui (NULL, n, GMP_PRIME_PRODUCT) != 1)
+ return 0;
+
+ /* All prime factors are >= 31. */
+ if (mpz_cmpabs_ui (n, 31*31) < 0)
+ return 2;
+
+ /* Use Miller-Rabin, with a deterministic sequence of bases, a[j] =
+ j^2 + j + 41 using Euler's polynomial. We potentially stop early,
+ if a[j] >= n - 1. Since n >= 31*31, this can happen only if reps >
+ 30 (a[30] == 971 > 31*31 == 961). */
+
+ mpz_init (nm1);
+ mpz_init (q);
+ mpz_init (y);
+
+ /* Find q and k, where q is odd and n = 1 + 2**k * q.
*/
+ nm1->_mp_size = mpz_abs_sub_ui (nm1, n, 1);
+ k = mpz_scan1 (nm1, 0);
+ mpz_tdiv_q_2exp (q, nm1, k);
+
+ for (j = 0, is_prime = 1; is_prime & (j < reps); j++)
+ {
+ mpz_set_ui (y, (unsigned long) j*j+j+41);
+ if (mpz_cmp (y, nm1) >= 0)
+ {
+ /* Don't try any further bases. This "early" break does not affect
+ the result for any reasonable reps value (<=5000 was tested) */
+ assert (j >= 30);
+ break;
+ }
+ is_prime = gmp_millerrabin (n, nm1, y, q, k);
+ }
+ mpz_clear (nm1);
+ mpz_clear (q);
+ mpz_clear (y);
+
+ return is_prime;
+}
+
+
+/* Logical operations and bit manipulation. */
+
+/* Numbers are treated as if represented in two's complement (and
+ infinitely sign extended). For a negative values we get the two's
+ complement from -x = ~x + 1, where ~ is bitwise complement.
+ Negation transforms
+
+ xxxx10...0
+
+ into
+
+ yyyy10...0
+
+ where yyyy is the bitwise complement of xxxx. So least significant
+ bits, up to and including the first one bit, are unchanged, and
+ the more significant bits are all complemented.
+
+ To change a bit from zero to one in a negative number, subtract the
+ corresponding power of two from the absolute value. This can never
+ underflow. To change a bit from one to zero, add the corresponding
+ power of two, and this might overflow. E.g., if x = -001111, the
+ two's complement is 110001. Clearing the least significant bit, we
+ get two's complement 110000, and -010000. */
+
+int
+mpz_tstbit (const mpz_t d, mp_bitcnt_t bit_index)
+{
+ mp_size_t limb_index;
+ unsigned shift;
+ mp_size_t ds;
+ mp_size_t dn;
+ mp_limb_t w;
+ int bit;
+
+ ds = d->_mp_size;
+ dn = GMP_ABS (ds);
+ limb_index = bit_index / GMP_LIMB_BITS;
+ if (limb_index >= dn)
+ return ds < 0;
+
+ shift = bit_index % GMP_LIMB_BITS;
+ w = d->_mp_d[limb_index];
+ bit = (w >> shift) & 1;
+
+ if (ds < 0)
+ {
+ /* d < 0. Check if any of the bits below is set: If so, our bit
+ must be complemented.
*/
+ if (shift > 0 && (w << (GMP_LIMB_BITS - shift)) > 0)
+ return bit ^ 1;
+ while (limb_index-- > 0)
+ if (d->_mp_d[limb_index] > 0)
+ return bit ^ 1;
+ }
+ return bit;
+}
+
+static void
+mpz_abs_add_bit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ mp_size_t dn, limb_index;
+ mp_limb_t bit;
+ mp_ptr dp;
+
+ dn = GMP_ABS (d->_mp_size);
+
+ limb_index = bit_index / GMP_LIMB_BITS;
+ bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS);
+
+ if (limb_index >= dn)
+ {
+ mp_size_t i;
+ /* The bit should be set outside of the end of the number.
+ We have to increase the size of the number. */
+ dp = MPZ_REALLOC (d, limb_index + 1);
+
+ dp[limb_index] = bit;
+ for (i = dn; i < limb_index; i++)
+ dp[i] = 0;
+ dn = limb_index + 1;
+ }
+ else
+ {
+ mp_limb_t cy;
+
+ dp = d->_mp_d;
+
+ cy = mpn_add_1 (dp + limb_index, dp + limb_index, dn - limb_index, bit);
+ if (cy > 0)
+ {
+ dp = MPZ_REALLOC (d, dn + 1);
+ dp[dn++] = cy;
+ }
+ }
+
+ d->_mp_size = (d->_mp_size < 0) ? - dn : dn;
+}
+
+static void
+mpz_abs_sub_bit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ mp_size_t dn, limb_index;
+ mp_ptr dp;
+ mp_limb_t bit;
+
+ dn = GMP_ABS (d->_mp_size);
+ dp = d->_mp_d;
+
+ limb_index = bit_index / GMP_LIMB_BITS;
+ bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS);
+
+ assert (limb_index < dn);
+
+ gmp_assert_nocarry (mpn_sub_1 (dp + limb_index, dp + limb_index,
+ dn - limb_index, bit));
+ dn = mpn_normalized_size (dp, dn);
+ d->_mp_size = (d->_mp_size < 0) ?
- dn : dn;
+}
+
+void
+mpz_setbit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ if (!mpz_tstbit (d, bit_index))
+ {
+ if (d->_mp_size >= 0)
+ mpz_abs_add_bit (d, bit_index);
+ else
+ mpz_abs_sub_bit (d, bit_index);
+ }
+}
+
+void
+mpz_clrbit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ if (mpz_tstbit (d, bit_index))
+ {
+ if (d->_mp_size >= 0)
+ mpz_abs_sub_bit (d, bit_index);
+ else
+ mpz_abs_add_bit (d, bit_index);
+ }
+}
+
+void
+mpz_combit (mpz_t d, mp_bitcnt_t bit_index)
+{
+ if (mpz_tstbit (d, bit_index) ^ (d->_mp_size < 0))
+ mpz_abs_sub_bit (d, bit_index);
+ else
+ mpz_abs_add_bit (d, bit_index);
+}
+
+void
+mpz_com (mpz_t r, const mpz_t u)
+{
+ mpz_neg (r, u);
+ mpz_sub_ui (r, r, 1);
+}
+
+void
+mpz_and (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mp_size_t un, vn, rn, i;
+ mp_ptr up, vp, rp;
+
+ mp_limb_t ux, vx, rx;
+ mp_limb_t uc, vc, rc;
+ mp_limb_t ul, vl, rl;
+
+ un = GMP_ABS (u->_mp_size);
+ vn = GMP_ABS (v->_mp_size);
+ if (un < vn)
+ {
+ MPZ_SRCPTR_SWAP (u, v);
+ MP_SIZE_T_SWAP (un, vn);
+ }
+ if (vn == 0)
+ {
+ r->_mp_size = 0;
+ return;
+ }
+
+ uc = u->_mp_size < 0;
+ vc = v->_mp_size < 0;
+ rc = uc & vc;
+
+ ux = -uc;
+ vx = -vc;
+ rx = -rc;
+
+ /* If the smaller input is positive, higher limbs don't matter. */
+ rn = vx ? un : vn;
+
+ rp = MPZ_REALLOC (r, rn + rc);
+
+ up = u->_mp_d;
+ vp = v->_mp_d;
+
+ i = 0;
+ do
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ vl = (vp[i] ^ vx) + vc;
+ vc = vl < vc;
+
+ rl = ( (ul & vl) ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ while (++i < vn);
+ assert (vc == 0);
+
+ for (; i < rn; i++)
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ rl = ( (ul & vx) ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ if (rc)
+ rp[rn++] = rc;
+ else
+ rn = mpn_normalized_size (rp, rn);
+
+ r->_mp_size = rx ?
-rn : rn;
+}
+
+void
+mpz_ior (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mp_size_t un, vn, rn, i;
+ mp_ptr up, vp, rp;
+
+ mp_limb_t ux, vx, rx;
+ mp_limb_t uc, vc, rc;
+ mp_limb_t ul, vl, rl;
+
+ un = GMP_ABS (u->_mp_size);
+ vn = GMP_ABS (v->_mp_size);
+ if (un < vn)
+ {
+ MPZ_SRCPTR_SWAP (u, v);
+ MP_SIZE_T_SWAP (un, vn);
+ }
+ if (vn == 0)
+ {
+ mpz_set (r, u);
+ return;
+ }
+
+ uc = u->_mp_size < 0;
+ vc = v->_mp_size < 0;
+ rc = uc | vc;
+
+ ux = -uc;
+ vx = -vc;
+ rx = -rc;
+
+ /* If the smaller input is negative, by sign extension higher limbs
+ don't matter. */
+ rn = vx ? vn : un;
+
+ rp = MPZ_REALLOC (r, rn + rc);
+
+ up = u->_mp_d;
+ vp = v->_mp_d;
+
+ i = 0;
+ do
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ vl = (vp[i] ^ vx) + vc;
+ vc = vl < vc;
+
+ rl = ( (ul | vl) ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ while (++i < vn);
+ assert (vc == 0);
+
+ for (; i < rn; i++)
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ rl = ( (ul | vx) ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ if (rc)
+ rp[rn++] = rc;
+ else
+ rn = mpn_normalized_size (rp, rn);
+
+ r->_mp_size = rx ?
-rn : rn;
+}
+
+void
+mpz_xor (mpz_t r, const mpz_t u, const mpz_t v)
+{
+ mp_size_t un, vn, i;
+ mp_ptr up, vp, rp;
+
+ mp_limb_t ux, vx, rx;
+ mp_limb_t uc, vc, rc;
+ mp_limb_t ul, vl, rl;
+
+ un = GMP_ABS (u->_mp_size);
+ vn = GMP_ABS (v->_mp_size);
+ if (un < vn)
+ {
+ MPZ_SRCPTR_SWAP (u, v);
+ MP_SIZE_T_SWAP (un, vn);
+ }
+ if (vn == 0)
+ {
+ mpz_set (r, u);
+ return;
+ }
+
+ uc = u->_mp_size < 0;
+ vc = v->_mp_size < 0;
+ rc = uc ^ vc;
+
+ ux = -uc;
+ vx = -vc;
+ rx = -rc;
+
+ rp = MPZ_REALLOC (r, un + rc);
+
+ up = u->_mp_d;
+ vp = v->_mp_d;
+
+ i = 0;
+ do
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ vl = (vp[i] ^ vx) + vc;
+ vc = vl < vc;
+
+ rl = (ul ^ vl ^ rx) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ while (++i < vn);
+ assert (vc == 0);
+
+ for (; i < un; i++)
+ {
+ ul = (up[i] ^ ux) + uc;
+ uc = ul < uc;
+
+ rl = (ul ^ ux) + rc;
+ rc = rl < rc;
+ rp[i] = rl;
+ }
+ if (rc)
+ rp[un++] = rc;
+ else
+ un = mpn_normalized_size (rp, un);
+
+ r->_mp_size = rx ? -un : un;
+}
+
+static unsigned
+gmp_popcount_limb (mp_limb_t x)
+{
+ unsigned c;
+
+ /* Do 16 bits at a time, to avoid limb-sized constants.
*/
+ for (c = 0; x > 0; x >>= 16)
+ {
+ unsigned w = ((x >> 1) & 0x5555) + (x & 0x5555);
+ w = ((w >> 2) & 0x3333) + (w & 0x3333);
+ w = ((w >> 4) & 0x0f0f) + (w & 0x0f0f);
+ w = (w >> 8) + (w & 0x00ff);
+ c += w;
+ }
+ return c;
+}
+
+mp_bitcnt_t
+mpn_popcount (mp_srcptr p, mp_size_t n)
+{
+ mp_size_t i;
+ mp_bitcnt_t c;
+
+ for (c = 0, i = 0; i < n; i++)
+ c += gmp_popcount_limb (p[i]);
+
+ return c;
+}
+
+mp_bitcnt_t
+mpz_popcount (const mpz_t u)
+{
+ mp_size_t un;
+
+ un = u->_mp_size;
+
+ if (un < 0)
+ return ~(mp_bitcnt_t) 0;
+
+ return mpn_popcount (u->_mp_d, un);
+}
+
+mp_bitcnt_t
+mpz_hamdist (const mpz_t u, const mpz_t v)
+{
+ mp_size_t un, vn, i;
+ mp_limb_t uc, vc, ul, vl, comp;
+ mp_srcptr up, vp;
+ mp_bitcnt_t c;
+
+ un = u->_mp_size;
+ vn = v->_mp_size;
+
+ if ( (un ^ vn) < 0)
+ return ~(mp_bitcnt_t) 0;
+
+ comp = - (uc = vc = (un < 0));
+ if (uc)
+ {
+ assert (vn < 0);
+ un = -un;
+ vn = -vn;
+ }
+
+ up = u->_mp_d;
+ vp = v->_mp_d;
+
+ if (un < vn)
+ MPN_SRCPTR_SWAP (up, un, vp, vn);
+
+ for (i = 0, c = 0; i < vn; i++)
+ {
+ ul = (up[i] ^ comp) + uc;
+ uc = ul < uc;
+
+ vl = (vp[i] ^ comp) + vc;
+ vc = vl < vc;
+
+ c += gmp_popcount_limb (ul ^ vl);
+ }
+ assert (vc == 0);
+
+ for (; i < un; i++)
+ {
+ ul = (up[i] ^ comp) + uc;
+ uc = ul < uc;
+
+ c += gmp_popcount_limb (ul ^ comp);
+ }
+
+ return c;
+}
+
+mp_bitcnt_t
+mpz_scan1 (const mpz_t u, mp_bitcnt_t starting_bit)
+{
+ mp_ptr up;
+ mp_size_t us, un, i;
+ mp_limb_t limb, ux;
+
+ us = u->_mp_size;
+ un = GMP_ABS (us);
+ i = starting_bit / GMP_LIMB_BITS;
+
+ /* Past the end there's no 1 bits for u>=0, or an immediate 1 bit
+ for u<0. Notice this test picks up any u==0 too. */
+ if (i >= un)
+ return (us >= 0 ? ~(mp_bitcnt_t) 0 : starting_bit);
+
+ up = u->_mp_d;
+ ux = 0;
+ limb = up[i];
+
+ if (starting_bit != 0)
+ {
+ if (us < 0)
+ {
+ ux = mpn_zero_p (up, i);
+ limb = ~ limb + ux;
+ ux = - (mp_limb_t) (limb >= ux);
+ }
+
+ /* Mask to 0 all bits before starting_bit, thus ignoring them.
*/
+ limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS));
+ }
+
+ return mpn_common_scan (limb, i, up, un, ux);
+}
+
+mp_bitcnt_t
+mpz_scan0 (const mpz_t u, mp_bitcnt_t starting_bit)
+{
+ mp_ptr up;
+ mp_size_t us, un, i;
+ mp_limb_t limb, ux;
+
+ us = u->_mp_size;
+ ux = - (mp_limb_t) (us >= 0);
+ un = GMP_ABS (us);
+ i = starting_bit / GMP_LIMB_BITS;
+
+ /* When past end, there's an immediate 0 bit for u>=0, or no 0 bits for
+ u<0. Notice this test picks up all cases of u==0 too. */
+ if (i >= un)
+ return (ux ? starting_bit : ~(mp_bitcnt_t) 0);
+
+ up = u->_mp_d;
+ limb = up[i] ^ ux;
+
+ if (ux == 0)
+ limb -= mpn_zero_p (up, i); /* limb = ~(~limb + zero_p) */
+
+ /* Mask all bits before starting_bit, thus ignoring them. */
+ limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS));
+
+ return mpn_common_scan (limb, i, up, un, ux);
+}
+
+
+/* MPZ base conversion. */
+
+size_t
+mpz_sizeinbase (const mpz_t u, int base)
+{
+ mp_size_t un;
+ mp_srcptr up;
+ mp_ptr tp;
+ mp_bitcnt_t bits;
+ struct gmp_div_inverse bi;
+ size_t ndigits;
+
+ assert (base >= 2);
+ assert (base <= 36);
+
+ un = GMP_ABS (u->_mp_size);
+ if (un == 0)
+ return 1;
+
+ up = u->_mp_d;
+
+ bits = (un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1]);
+ switch (base)
+ {
+ case 2:
+ return bits;
+ case 4:
+ return (bits + 1) / 2;
+ case 8:
+ return (bits + 2) / 3;
+ case 16:
+ return (bits + 3) / 4;
+ case 32:
+ return (bits + 4) / 5;
+ /* FIXME: Do something more clever for the common case of base
+ 10.
*/
+ }
+
+ tp = gmp_xalloc_limbs (un);
+ mpn_copyi (tp, up, un);
+ mpn_div_qr_1_invert (&bi, base);
+
+ ndigits = 0;
+ do
+ {
+ ndigits++;
+ mpn_div_qr_1_preinv (tp, tp, un, &bi);
+ un -= (tp[un-1] == 0);
+ }
+ while (un > 0);
+
+ gmp_free (tp);
+ return ndigits;
+}
+
+char *
+mpz_get_str (char *sp, int base, const mpz_t u)
+{
+ unsigned bits;
+ const char *digits;
+ mp_size_t un;
+ size_t i, sn;
+
+ if (base >= 0)
+ {
+ digits = "0123456789abcdefghijklmnopqrstuvwxyz";
+ }
+ else
+ {
+ base = -base;
+ digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ }
+ if (base <= 1)
+ base = 10;
+ if (base > 36)
+ return NULL;
+
+ sn = 1 + mpz_sizeinbase (u, base);
+ if (!sp)
+ sp = gmp_xalloc (1 + sn);
+
+ un = GMP_ABS (u->_mp_size);
+
+ if (un == 0)
+ {
+ sp[0] = '0';
+ sp[1] = '\0';
+ return sp;
+ }
+
+ i = 0;
+
+ if (u->_mp_size < 0)
+ sp[i++] = '-';
+
+ bits = mpn_base_power_of_two_p (base);
+
+ if (bits)
+ /* Not modified in this case. */
+ sn = i + mpn_get_str_bits ((unsigned char *) sp + i, bits, u->_mp_d, un);
+ else
+ {
+ struct mpn_base_info info;
+ mp_ptr tp;
+
+ mpn_get_base_info (&info, base);
+ tp = gmp_xalloc_limbs (un);
+ mpn_copyi (tp, u->_mp_d, un);
+
+ sn = i + mpn_get_str_other ((unsigned char *) sp + i, base, &info, tp, un);
+ gmp_free (tp);
+ }
+
+ for (; i < sn; i++)
+ sp[i] = digits[(unsigned char) sp[i]];
+
+ sp[sn] = '\0';
+ return sp;
+}
+
+int
+mpz_set_str (mpz_t r, const char *sp, int base)
+{
+ unsigned bits;
+ mp_size_t rn, alloc;
+ mp_ptr rp;
+ size_t sn;
+ int sign;
+ unsigned char *dp;
+
+ assert (base == 0 || (base >= 2 && base <= 36));
+
+ while (isspace( (unsigned char) *sp))
+ sp++;
+
+ sign = (*sp == '-');
+ sp += sign;
+
+ if (base == 0)
+ {
+ if (*sp == '0')
+ {
+ sp++;
+ if (*sp == 'x' || *sp == 'X')
+ {
+ base = 16;
+ sp++;
+ }
+ else if (*sp == 'b' || *sp == 'B')
+ {
+ base = 2;
+ sp++;
+ }
+ else
+ base = 8;
+ }
+ else
+ base = 10;
+ }
+
+ sn = strlen (sp);
+ dp = gmp_xalloc (sn + (sn == 0));
+
+ for (sn = 0; *sp; sp++)
+ {
+
unsigned digit; + + if (isspace ((unsigned char) *sp)) + continue; + if (*sp >= '0' && *sp <= '9') + digit = *sp - '0'; + else if (*sp >= 'a' && *sp <= 'z') + digit = *sp - 'a' + 10; + else if (*sp >= 'A' && *sp <= 'Z') + digit = *sp - 'A' + 10; + else + digit = base; /* fail */ + + if (digit >= base) + { + gmp_free (dp); + r->_mp_size = 0; + return -1; + } + + dp[sn++] = digit; + } + + bits = mpn_base_power_of_two_p (base); + + if (bits > 0) + { + alloc = (sn * bits + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS; + rp = MPZ_REALLOC (r, alloc); + rn = mpn_set_str_bits (rp, dp, sn, bits); + } + else + { + struct mpn_base_info info; + mpn_get_base_info (&info, base); + alloc = (sn + info.exp - 1) / info.exp; + rp = MPZ_REALLOC (r, alloc); + rn = mpn_set_str_other (rp, dp, sn, base, &info); + } + assert (rn <= alloc); + gmp_free (dp); + + r->_mp_size = sign ? - rn : rn; + + return 0; +} + +int +mpz_init_set_str (mpz_t r, const char *sp, int base) +{ + mpz_init (r); + return mpz_set_str (r, sp, base); +} + +size_t +mpz_out_str (FILE *stream, int base, const mpz_t x) +{ + char *str; + size_t len; + + str = mpz_get_str (NULL, base, x); + len = strlen (str); + len = fwrite (str, 1, len, stream); + gmp_free (str); + return len; +} + + +static int +gmp_detect_endian (void) +{ + static const int i = 2; + const unsigned char *p = (const unsigned char *) &i; + return 1 - *p; +} + +/* Import and export. Does not support nails. */ +void +mpz_import (mpz_t r, size_t count, int order, size_t size, int endian, + size_t nails, const void *src) +{ + const unsigned char *p; + ptrdiff_t word_step; + mp_ptr rp; + mp_size_t rn; + + /* The current (partial) limb. */ + mp_limb_t limb; + /* The number of bytes already copied to this limb (starting from + the low end). */ + size_t bytes; + /* The index where the limb should be stored, when completed. 
*/ + mp_size_t i; + + if (nails != 0) + gmp_die ("mpz_import: Nails not supported."); + + assert (order == 1 || order == -1); + assert (endian >= -1 && endian <= 1); + + if (endian == 0) + endian = gmp_detect_endian (); + + p = (unsigned char *) src; + + word_step = (order != endian) ? 2 * size : 0; + + /* Process bytes from the least significant end, so point p at the + least significant word. */ + if (order == 1) + { + p += size * (count - 1); + word_step = - word_step; + } + + /* And at least significant byte of that word. */ + if (endian == 1) + p += (size - 1); + + rn = (size * count + sizeof(mp_limb_t) - 1) / sizeof(mp_limb_t); + rp = MPZ_REALLOC (r, rn); + + for (limb = 0, bytes = 0, i = 0; count > 0; count--, p += word_step) + { + size_t j; + for (j = 0; j < size; j++, p -= (ptrdiff_t) endian) + { + limb |= (mp_limb_t) *p << (bytes++ * CHAR_BIT); + if (bytes == sizeof(mp_limb_t)) + { + rp[i++] = limb; + bytes = 0; + limb = 0; + } + } + } + assert (i + (bytes > 0) == rn); + if (limb != 0) + rp[i++] = limb; + else + i = mpn_normalized_size (rp, i); + + r->_mp_size = i; +} + +void * +mpz_export (void *r, size_t *countp, int order, size_t size, int endian, + size_t nails, const mpz_t u) +{ + size_t count; + mp_size_t un; + + if (nails != 0) + gmp_die ("mpz_import: Nails not supported."); + + assert (order == 1 || order == -1); + assert (endian >= -1 && endian <= 1); + assert (size > 0 || u->_mp_size == 0); + + un = u->_mp_size; + count = 0; + if (un != 0) + { + size_t k; + unsigned char *p; + ptrdiff_t word_step; + /* The current (partial) limb. */ + mp_limb_t limb; + /* The number of bytes left to to in this limb. */ + size_t bytes; + /* The index where the limb was read. */ + mp_size_t i; + + un = GMP_ABS (un); + + /* Count bytes in top limb. 
*/ + limb = u->_mp_d[un-1]; + assert (limb != 0); + + k = 0; + do { + k++; limb >>= CHAR_BIT; + } while (limb != 0); + + count = (k + (un-1) * sizeof (mp_limb_t) + size - 1) / size; + + if (!r) + r = gmp_xalloc (count * size); + + if (endian == 0) + endian = gmp_detect_endian (); + + p = (unsigned char *) r; + + word_step = (order != endian) ? 2 * size : 0; + + /* Process bytes from the least significant end, so point p at the + least significant word. */ + if (order == 1) + { + p += size * (count - 1); + word_step = - word_step; + } + + /* And at least significant byte of that word. */ + if (endian == 1) + p += (size - 1); + + for (bytes = 0, i = 0, k = 0; k < count; k++, p += word_step) + { + size_t j; + for (j = 0; j < size; j++, p -= (ptrdiff_t) endian) + { + if (bytes == 0) + { + if (i < un) + limb = u->_mp_d[i++]; + bytes = sizeof (mp_limb_t); + } + *p = limb; + limb >>= CHAR_BIT; + bytes--; + } + } + assert (i == un); + assert (k == count); + } + + if (countp) + *countp = count; + + return r; +} diff --git a/external/nettle-3.3/nettle/mini-gmp.h b/external/nettle-3.3/nettle/mini-gmp.h new file mode 100644 index 0000000..cdcb83b --- /dev/null +++ b/external/nettle-3.3/nettle/mini-gmp.h 
@@ -0,0 +1,294 @@ +/* mini-gmp, a minimalistic implementation of a GNU GMP subset. + +Copyright 2011-2014 Free Software Foundation, Inc. + +This file is part of the GNU MP Library. + +The GNU MP Library is free software; you can redistribute it and/or modify +it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + +or + + * the GNU General Public License as published by the Free Software + Foundation; either version 3 of the License, or (at your option) any + later version. + +or both in parallel, as here. + +The GNU MP Library is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received copies of the GNU General Public License and the +GNU Lesser General Public License along with the GNU MP Library. If not, +see https://www.gnu.org/licenses/. */ + +/* About mini-gmp: This is a minimal implementation of a subset of the + GMP interface. It is intended for inclusion into applications which + have modest bignums needs, as a fallback when the real GMP library + is not installed. + + This file defines the public interface. 
*/ + +#ifndef __MINI_GMP_H__ +#define __MINI_GMP_H__ + +/* For size_t */ +#include + +#if defined (__cplusplus) +extern "C" { +#endif + +void mp_set_memory_functions (void *(*) (size_t), + void *(*) (void *, size_t, size_t), + void (*) (void *, size_t)); + +void mp_get_memory_functions (void *(**) (size_t), + void *(**) (void *, size_t, size_t), + void (**) (void *, size_t)); + +typedef unsigned long mp_limb_t; +typedef long mp_size_t; +typedef unsigned long mp_bitcnt_t; + +typedef mp_limb_t *mp_ptr; +typedef const mp_limb_t *mp_srcptr; + +typedef struct +{ + int _mp_alloc; /* Number of *limbs* allocated and pointed + to by the _mp_d field. */ + int _mp_size; /* abs(_mp_size) is the number of limbs the + last field points to. If _mp_size is + negative this is a negative number. */ + mp_limb_t *_mp_d; /* Pointer to the limbs. */ +} __mpz_struct; + +typedef __mpz_struct mpz_t[1]; + +typedef __mpz_struct *mpz_ptr; +typedef const __mpz_struct *mpz_srcptr; + +extern const int mp_bits_per_limb; + +void mpn_copyi (mp_ptr, mp_srcptr, mp_size_t); +void mpn_copyd (mp_ptr, mp_srcptr, mp_size_t); +void mpn_zero (mp_ptr, mp_size_t); + +int mpn_cmp (mp_srcptr, mp_srcptr, mp_size_t); + +mp_limb_t mpn_add_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); +mp_limb_t mpn_add_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); +mp_limb_t mpn_add (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); + +mp_limb_t mpn_sub_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); +mp_limb_t mpn_sub_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); +mp_limb_t mpn_sub (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); + +mp_limb_t mpn_mul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); +mp_limb_t mpn_addmul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); +mp_limb_t mpn_submul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); + +mp_limb_t mpn_mul (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); +void mpn_mul_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); +void mpn_sqr (mp_ptr, mp_srcptr, mp_size_t); +int mpn_perfect_square_p 
(mp_srcptr, mp_size_t); +mp_size_t mpn_sqrtrem (mp_ptr, mp_ptr, mp_srcptr, mp_size_t); + +mp_limb_t mpn_lshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); +mp_limb_t mpn_rshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); + +mp_bitcnt_t mpn_scan0 (mp_srcptr, mp_bitcnt_t); +mp_bitcnt_t mpn_scan1 (mp_srcptr, mp_bitcnt_t); + +mp_bitcnt_t mpn_popcount (mp_srcptr, mp_size_t); + +mp_limb_t mpn_invert_3by2 (mp_limb_t, mp_limb_t); +#define mpn_invert_limb(x) mpn_invert_3by2 ((x), 0) + +size_t mpn_get_str (unsigned char *, int, mp_ptr, mp_size_t); +mp_size_t mpn_set_str (mp_ptr, const unsigned char *, size_t, int); + +void mpz_init (mpz_t); +void mpz_init2 (mpz_t, mp_bitcnt_t); +void mpz_clear (mpz_t); + +#define mpz_odd_p(z) (((z)->_mp_size != 0) & (int) (z)->_mp_d[0]) +#define mpz_even_p(z) (! mpz_odd_p (z)) + +int mpz_sgn (const mpz_t); +int mpz_cmp_si (const mpz_t, long); +int mpz_cmp_ui (const mpz_t, unsigned long); +int mpz_cmp (const mpz_t, const mpz_t); +int mpz_cmpabs_ui (const mpz_t, unsigned long); +int mpz_cmpabs (const mpz_t, const mpz_t); +int mpz_cmp_d (const mpz_t, double); +int mpz_cmpabs_d (const mpz_t, double); + +void mpz_abs (mpz_t, const mpz_t); +void mpz_neg (mpz_t, const mpz_t); +void mpz_swap (mpz_t, mpz_t); + +void mpz_add_ui (mpz_t, const mpz_t, unsigned long); +void mpz_add (mpz_t, const mpz_t, const mpz_t); +void mpz_sub_ui (mpz_t, const mpz_t, unsigned long); +void mpz_ui_sub (mpz_t, unsigned long, const mpz_t); +void mpz_sub (mpz_t, const mpz_t, const mpz_t); + +void mpz_mul_si (mpz_t, const mpz_t, long int); +void mpz_mul_ui (mpz_t, const mpz_t, unsigned long int); +void mpz_mul (mpz_t, const mpz_t, const mpz_t); +void mpz_mul_2exp (mpz_t, const mpz_t, mp_bitcnt_t); +void mpz_addmul_ui (mpz_t, const mpz_t, unsigned long int); +void mpz_addmul (mpz_t, const mpz_t, const mpz_t); +void mpz_submul_ui (mpz_t, const mpz_t, unsigned long int); +void mpz_submul (mpz_t, const mpz_t, const mpz_t); + +void mpz_cdiv_qr (mpz_t, mpz_t, const mpz_t, 
const mpz_t); +void mpz_fdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); +void mpz_tdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); +void mpz_cdiv_q (mpz_t, const mpz_t, const mpz_t); +void mpz_fdiv_q (mpz_t, const mpz_t, const mpz_t); +void mpz_tdiv_q (mpz_t, const mpz_t, const mpz_t); +void mpz_cdiv_r (mpz_t, const mpz_t, const mpz_t); +void mpz_fdiv_r (mpz_t, const mpz_t, const mpz_t); +void mpz_tdiv_r (mpz_t, const mpz_t, const mpz_t); + +void mpz_cdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); +void mpz_fdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); +void mpz_tdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); +void mpz_cdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); +void mpz_fdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); +void mpz_tdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); + +void mpz_mod (mpz_t, const mpz_t, const mpz_t); + +void mpz_divexact (mpz_t, const mpz_t, const mpz_t); + +int mpz_divisible_p (const mpz_t, const mpz_t); +int mpz_congruent_p (const mpz_t, const mpz_t, const mpz_t); + +unsigned long mpz_cdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); +unsigned long mpz_fdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); +unsigned long mpz_tdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); +unsigned long mpz_cdiv_q_ui (mpz_t, const mpz_t, unsigned long); +unsigned long mpz_fdiv_q_ui (mpz_t, const mpz_t, unsigned long); +unsigned long mpz_tdiv_q_ui (mpz_t, const mpz_t, unsigned long); +unsigned long mpz_cdiv_r_ui (mpz_t, const mpz_t, unsigned long); +unsigned long mpz_fdiv_r_ui (mpz_t, const mpz_t, unsigned long); +unsigned long mpz_tdiv_r_ui (mpz_t, const mpz_t, unsigned long); +unsigned long mpz_cdiv_ui (const mpz_t, unsigned long); +unsigned long mpz_fdiv_ui (const mpz_t, unsigned long); +unsigned long mpz_tdiv_ui (const mpz_t, unsigned long); + +unsigned long mpz_mod_ui (mpz_t, const mpz_t, unsigned long); + +void mpz_divexact_ui (mpz_t, const mpz_t, unsigned long); + +int mpz_divisible_ui_p (const mpz_t, unsigned long); + +unsigned long 
mpz_gcd_ui (mpz_t, const mpz_t, unsigned long); +void mpz_gcd (mpz_t, const mpz_t, const mpz_t); +void mpz_gcdext (mpz_t, mpz_t, mpz_t, const mpz_t, const mpz_t); +void mpz_lcm_ui (mpz_t, const mpz_t, unsigned long); +void mpz_lcm (mpz_t, const mpz_t, const mpz_t); +int mpz_invert (mpz_t, const mpz_t, const mpz_t); + +void mpz_sqrtrem (mpz_t, mpz_t, const mpz_t); +void mpz_sqrt (mpz_t, const mpz_t); +int mpz_perfect_square_p (const mpz_t); + +void mpz_pow_ui (mpz_t, const mpz_t, unsigned long); +void mpz_ui_pow_ui (mpz_t, unsigned long, unsigned long); +void mpz_powm (mpz_t, const mpz_t, const mpz_t, const mpz_t); +void mpz_powm_ui (mpz_t, const mpz_t, unsigned long, const mpz_t); + +void mpz_rootrem (mpz_t, mpz_t, const mpz_t, unsigned long); +int mpz_root (mpz_t, const mpz_t, unsigned long); + +void mpz_fac_ui (mpz_t, unsigned long); +void mpz_bin_uiui (mpz_t, unsigned long, unsigned long); + +int mpz_probab_prime_p (const mpz_t, int); + +int mpz_tstbit (const mpz_t, mp_bitcnt_t); +void mpz_setbit (mpz_t, mp_bitcnt_t); +void mpz_clrbit (mpz_t, mp_bitcnt_t); +void mpz_combit (mpz_t, mp_bitcnt_t); + +void mpz_com (mpz_t, const mpz_t); +void mpz_and (mpz_t, const mpz_t, const mpz_t); +void mpz_ior (mpz_t, const mpz_t, const mpz_t); +void mpz_xor (mpz_t, const mpz_t, const mpz_t); + +mp_bitcnt_t mpz_popcount (const mpz_t); +mp_bitcnt_t mpz_hamdist (const mpz_t, const mpz_t); +mp_bitcnt_t mpz_scan0 (const mpz_t, mp_bitcnt_t); +mp_bitcnt_t mpz_scan1 (const mpz_t, mp_bitcnt_t); + +int mpz_fits_slong_p (const mpz_t); +int mpz_fits_ulong_p (const mpz_t); +long int mpz_get_si (const mpz_t); +unsigned long int mpz_get_ui (const mpz_t); +double mpz_get_d (const mpz_t); +size_t mpz_size (const mpz_t); +mp_limb_t mpz_getlimbn (const mpz_t, mp_size_t); + +void mpz_realloc2 (mpz_t, mp_bitcnt_t); +mp_srcptr mpz_limbs_read (mpz_srcptr); +mp_ptr mpz_limbs_modify (mpz_t, mp_size_t); +mp_ptr mpz_limbs_write (mpz_t, mp_size_t); +void mpz_limbs_finish (mpz_t, mp_size_t); +mpz_srcptr 
mpz_roinit_n (mpz_t, mp_srcptr, mp_size_t); + +#define MPZ_ROINIT_N(xp, xs) {{0, (xs),(xp) }} + +void mpz_set_si (mpz_t, signed long int); +void mpz_set_ui (mpz_t, unsigned long int); +void mpz_set (mpz_t, const mpz_t); +void mpz_set_d (mpz_t, double); + +void mpz_init_set_si (mpz_t, signed long int); +void mpz_init_set_ui (mpz_t, unsigned long int); +void mpz_init_set (mpz_t, const mpz_t); +void mpz_init_set_d (mpz_t, double); + +size_t mpz_sizeinbase (const mpz_t, int); +char *mpz_get_str (char *, int, const mpz_t); +int mpz_set_str (mpz_t, const char *, int); +int mpz_init_set_str (mpz_t, const char *, int); + +/* This long list taken from gmp.h. */ +/* For reference, "defined(EOF)" cannot be used here. In g++ 2.95.4, + defines EOF but not FILE. */ +#if defined (FILE) \ + || defined (H_STDIO) \ + || defined (_H_STDIO) /* AIX */ \ + || defined (_STDIO_H) /* glibc, Sun, SCO */ \ + || defined (_STDIO_H_) /* BSD, OSF */ \ + || defined (__STDIO_H) /* Borland */ \ + || defined (__STDIO_H__) /* IRIX */ \ + || defined (_STDIO_INCLUDED) /* HPUX */ \ + || defined (__dj_include_stdio_h_) /* DJGPP */ \ + || defined (_FILE_DEFINED) /* Microsoft */ \ + || defined (__STDIO__) /* Apple MPW MrC */ \ + || defined (_MSL_STDIO_H) /* Metrowerks */ \ + || defined (_STDIO_H_INCLUDED) /* QNX4 */ \ + || defined (_ISO_STDIO_ISO_H) /* Sun C++ */ \ + || defined (__STDIO_LOADED) /* VMS */ +size_t mpz_out_str (FILE *, int, const mpz_t); +#endif + +void mpz_import (mpz_t, size_t, int, size_t, int, size_t, const void *); +void *mpz_export (void *, size_t *, int, size_t, int, size_t, const mpz_t); + +#if defined (__cplusplus) +} +#endif +#endif /* __MINI_GMP_H__ */ diff --git a/external/nettle-3.3/nettle/nettle-internal.h b/external/nettle-3.3/nettle/nettle-internal.h new file mode 100644 index 0000000..cf776fe --- /dev/null +++ b/external/nettle-3.3/nettle/nettle-internal.h 
@@ -0,0 +1,92 @@ +/* nettle-internal.h + + Things that are used only by the testsuite and benchmark, and + not included in the library. + + Copyright (C) 2002, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_INTERNAL_H_INCLUDED +#define NETTLE_INTERNAL_H_INCLUDED + +#include "nettle-meta.h" + +/* Temporary allocation, for systems that don't support alloca. Note + * that the allocation requests should always be reasonably small, so + * that they can fit on the stack. For non-alloca systems, we use a + * fix maximum size, and abort if we ever need anything larger. 
*/ + +#if HAVE_ALLOCA +# define TMP_DECL(name, type, max) type *name +# define TMP_ALLOC(name, size) (name = alloca(sizeof (*name) * (size))) +#else /* !HAVE_ALLOCA */ +# define TMP_DECL(name, type, max) type name[max] +# define TMP_ALLOC(name, size) \ + do { if ((size) > (sizeof(name) / sizeof(name[0]))) abort(); } while (0) +#endif + +/* Arbitrary limits which apply to systems that don't have alloca */ +#define NETTLE_MAX_HASH_BLOCK_SIZE 128 +#define NETTLE_MAX_HASH_DIGEST_SIZE 64 +#define NETTLE_MAX_SEXP_ASSOC 17 +#define NETTLE_MAX_CIPHER_BLOCK_SIZE 32 + +/* Doesn't quite fit with the other algorithms, because of the weak + * keys. Weak keys are not reported, the functions will simply crash + * if you try to use a weak key. */ + +extern const struct nettle_cipher nettle_des; +extern const struct nettle_cipher nettle_des3; + +extern const struct nettle_cipher nettle_blowfish128; + +extern const struct nettle_cipher nettle_unified_aes128; +extern const struct nettle_cipher nettle_unified_aes192; +extern const struct nettle_cipher nettle_unified_aes256; + +/* Stream ciphers treated as aead algorithms with no authentication. */ +extern const struct nettle_aead nettle_arcfour128; +extern const struct nettle_aead nettle_chacha; +extern const struct nettle_aead nettle_salsa20; +extern const struct nettle_aead nettle_salsa20r12; + +/* Glue to openssl, for comparative benchmarking. Code in + * examples/nettle-openssl.c. 
*/ +extern const struct nettle_cipher nettle_openssl_aes128; +extern const struct nettle_cipher nettle_openssl_aes192; +extern const struct nettle_cipher nettle_openssl_aes256; +extern const struct nettle_cipher nettle_openssl_blowfish128; +extern const struct nettle_cipher nettle_openssl_des; +extern const struct nettle_cipher nettle_openssl_cast128; +extern const struct nettle_aead nettle_openssl_arcfour128; + +extern const struct nettle_hash nettle_openssl_md5; +extern const struct nettle_hash nettle_openssl_sha1; + +#endif /* NETTLE_INTERNAL_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/nettle-meta.h b/external/nettle-3.3/nettle/nettle-meta.h new file mode 100644 index 0000000..d27369c --- /dev/null +++ b/external/nettle-3.3/nettle/nettle-meta.h 
@@ -0,0 +1,230 @@ +/* nettle-meta.h + + Information about algorithms. + + Copyright (C) 2002, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_META_H_INCLUDED +#define NETTLE_META_H_INCLUDED + +#include "nettle-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + + +struct nettle_cipher +{ + const char *name; + + unsigned context_size; + + /* Zero for stream ciphers */ + unsigned block_size; + + /* Suggested key size; other sizes are sometimes possible. 
*/ + unsigned key_size; + + nettle_set_key_func *set_encrypt_key; + nettle_set_key_func *set_decrypt_key; + + nettle_cipher_func *encrypt; + nettle_cipher_func *decrypt; +}; + +/* null-terminated list of ciphers implemented by this version of nettle */ +extern const struct nettle_cipher * const nettle_ciphers[]; + +extern const struct nettle_cipher nettle_aes128; +extern const struct nettle_cipher nettle_aes192; +extern const struct nettle_cipher nettle_aes256; + +extern const struct nettle_cipher nettle_camellia128; +extern const struct nettle_cipher nettle_camellia192; +extern const struct nettle_cipher nettle_camellia256; + +extern const struct nettle_cipher nettle_cast128; + +extern const struct nettle_cipher nettle_serpent128; +extern const struct nettle_cipher nettle_serpent192; +extern const struct nettle_cipher nettle_serpent256; + +extern const struct nettle_cipher nettle_twofish128; +extern const struct nettle_cipher nettle_twofish192; +extern const struct nettle_cipher nettle_twofish256; + +extern const struct nettle_cipher nettle_arctwo40; +extern const struct nettle_cipher nettle_arctwo64; +extern const struct nettle_cipher nettle_arctwo128; +extern const struct nettle_cipher nettle_arctwo_gutmann128; + +struct nettle_hash +{ + const char *name; + + /* Size of the context struct */ + unsigned context_size; + + /* Size of digests */ + unsigned digest_size; + + /* Internal block size */ + unsigned block_size; + + nettle_hash_init_func *init; + nettle_hash_update_func *update; + nettle_hash_digest_func *digest; +}; + +#define _NETTLE_HASH(name, NAME) { \ + #name, \ + sizeof(struct name##_ctx), \ + NAME##_DIGEST_SIZE, \ + NAME##_BLOCK_SIZE, \ + (nettle_hash_init_func *) name##_init, \ + (nettle_hash_update_func *) name##_update, \ + (nettle_hash_digest_func *) name##_digest \ +} + +/* null-terminated list of digests implemented by this version of nettle */ +extern const struct nettle_hash * const nettle_hashes[]; + +extern const struct nettle_hash 
nettle_md2; +extern const struct nettle_hash nettle_md4; +extern const struct nettle_hash nettle_md5; +extern const struct nettle_hash nettle_gosthash94; +extern const struct nettle_hash nettle_ripemd160; +extern const struct nettle_hash nettle_sha1; +extern const struct nettle_hash nettle_sha224; +extern const struct nettle_hash nettle_sha256; +extern const struct nettle_hash nettle_sha384; +extern const struct nettle_hash nettle_sha512; +extern const struct nettle_hash nettle_sha512_224; +extern const struct nettle_hash nettle_sha512_256; +extern const struct nettle_hash nettle_sha3_224; +extern const struct nettle_hash nettle_sha3_256; +extern const struct nettle_hash nettle_sha3_384; +extern const struct nettle_hash nettle_sha3_512; + +struct nettle_aead +{ + const char *name; + + unsigned context_size; + /* Block size for encrypt and decrypt. */ + unsigned block_size; + unsigned key_size; + unsigned nonce_size; + unsigned digest_size; + + nettle_set_key_func *set_encrypt_key; + nettle_set_key_func *set_decrypt_key; + nettle_set_key_func *set_nonce; + nettle_hash_update_func *update; + nettle_crypt_func *encrypt; + nettle_crypt_func *decrypt; + /* FIXME: Drop length argument? 
*/ + nettle_hash_digest_func *digest; +}; + +/* null-terminated list of aead constructions implemented by this + version of nettle */ +extern const struct nettle_aead * const nettle_aeads[]; + +extern const struct nettle_aead nettle_gcm_aes128; +extern const struct nettle_aead nettle_gcm_aes192; +extern const struct nettle_aead nettle_gcm_aes256; +extern const struct nettle_aead nettle_gcm_camellia128; +extern const struct nettle_aead nettle_gcm_camellia256; +extern const struct nettle_aead nettle_eax_aes128; +extern const struct nettle_aead nettle_chacha_poly1305; + +struct nettle_armor +{ + const char *name; + unsigned encode_context_size; + unsigned decode_context_size; + + unsigned encode_final_length; + + nettle_armor_init_func *encode_init; + nettle_armor_length_func *encode_length; + nettle_armor_encode_update_func *encode_update; + nettle_armor_encode_final_func *encode_final; + + nettle_armor_init_func *decode_init; + nettle_armor_length_func *decode_length; + nettle_armor_decode_update_func *decode_update; + nettle_armor_decode_final_func *decode_final; +}; + +#define _NETTLE_ARMOR(name, NAME) { \ + #name, \ + sizeof(struct name##_encode_ctx), \ + sizeof(struct name##_decode_ctx), \ + NAME##_ENCODE_FINAL_LENGTH, \ + (nettle_armor_init_func *) name##_encode_init, \ + (nettle_armor_length_func *) name##_encode_length, \ + (nettle_armor_encode_update_func *) name##_encode_update, \ + (nettle_armor_encode_final_func *) name##_encode_final, \ + (nettle_armor_init_func *) name##_decode_init, \ + (nettle_armor_length_func *) name##_decode_length, \ + (nettle_armor_decode_update_func *) name##_decode_update, \ + (nettle_armor_decode_final_func *) name##_decode_final, \ +} + +#define _NETTLE_ARMOR_0(name, NAME) { \ + #name, \ + 0, \ + sizeof(struct name##_decode_ctx), \ + NAME##_ENCODE_FINAL_LENGTH, \ + (nettle_armor_init_func *) name##_encode_init, \ + (nettle_armor_length_func *) name##_encode_length, \ + (nettle_armor_encode_update_func *) name##_encode_update, 
\ + (nettle_armor_encode_final_func *) name##_encode_final, \ + (nettle_armor_init_func *) name##_decode_init, \ + (nettle_armor_length_func *) name##_decode_length, \ + (nettle_armor_decode_update_func *) name##_decode_update, \ + (nettle_armor_decode_final_func *) name##_decode_final, \ +} + +/* null-terminated list of armor schemes implemented by this version of nettle */ +extern const struct nettle_armor * const nettle_armors[]; + +extern const struct nettle_armor nettle_base64; +extern const struct nettle_armor nettle_base64url; +extern const struct nettle_armor nettle_base16; + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_META_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/nettle-stdint.h b/external/nettle-3.3/nettle/nettle-stdint.h new file mode 100644 index 0000000..3298fa6 --- /dev/null +++ b/external/nettle-3.3/nettle/nettle-stdint.h @@ -0,0 +1,6 @@ +#ifndef __NETTLE_STDINT_H +#define __NETTLE_STDINT_H + +#include + +#endif /* __NETTLE_STDINT_H */ diff --git a/external/nettle-3.3/nettle/nettle-types.h b/external/nettle-3.3/nettle/nettle-types.h new file mode 100644 index 0000000..8f77ea9 --- /dev/null +++ b/external/nettle-3.3/nettle/nettle-types.h 
@@ -0,0 +1,110 @@ +/* nettle-types.h + + Copyright (C) 2005, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_TYPES_H +#define NETTLE_TYPES_H + +/* For size_t */ +#include + +/* Pretend these types always exists. Nettle doesn't use them. */ +#define _STDINT_HAVE_INT_FAST32_T 1 +#include "nettle-stdint.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* An aligned 16-byte block. */ +union nettle_block16 +{ + uint8_t b[16]; + unsigned long w[16 / sizeof(unsigned long)]; +}; + +/* Randomness. Used by key generation and dsa signature creation. */ +typedef void nettle_random_func(void *ctx, + size_t length, uint8_t *dst); + +/* Progress report function, mainly for key generation. */ +typedef void nettle_progress_func(void *ctx, int c); + +/* Realloc function, used by struct nettle_buffer. */ +typedef void *nettle_realloc_func(void *ctx, void *p, size_t length); + +/* Ciphers */ +typedef void nettle_set_key_func(void *ctx, const uint8_t *key); + +/* For block ciphers, const context. 
*/ +typedef void nettle_cipher_func(const void *ctx, + size_t length, uint8_t *dst, + const uint8_t *src); + + +/* Uses a void * for cipher contexts. Used for crypt operations where + the internal state changes during the encryption. */ +typedef void nettle_crypt_func(void *ctx, + size_t length, uint8_t *dst, + const uint8_t *src); + +/* Hash algorithms */ +typedef void nettle_hash_init_func(void *ctx); +typedef void nettle_hash_update_func(void *ctx, + size_t length, + const uint8_t *src); +typedef void nettle_hash_digest_func(void *ctx, + size_t length, uint8_t *dst); + +/* ASCII armor codecs. NOTE: Experimental and subject to change. */ + +typedef size_t nettle_armor_length_func(size_t length); +typedef void nettle_armor_init_func(void *ctx); + +typedef size_t nettle_armor_encode_update_func(void *ctx, + uint8_t *dst, + size_t src_length, + const uint8_t *src); + +typedef size_t nettle_armor_encode_final_func(void *ctx, uint8_t *dst); + +typedef int nettle_armor_decode_update_func(void *ctx, + size_t *dst_length, + uint8_t *dst, + size_t src_length, + const uint8_t *src); + +typedef int nettle_armor_decode_final_func(void *ctx); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_TYPES_H */ diff --git a/external/nettle-3.3/nettle/nettle-write.h b/external/nettle-3.3/nettle/nettle-write.h new file mode 100644 index 0000000..54152bd --- /dev/null +++ b/external/nettle-3.3/nettle/nettle-write.h 
@@ -0,0 +1,58 @@ +/* nettle-write.h + + Internal functions to write out word-sized data to byte arrays. + + Copyright (C) 2010 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_WRITE_H_INCLUDED +#define NETTLE_WRITE_H_INCLUDED + +/* For size_t */ +#include + +#include "nettle-stdint.h" + +/* Write the word array at SRC to the byte array at DST, using little + endian (le) or big endian (be) byte order, and truncating the + result to LENGTH bytes. */ + +/* FIXME: Use a macro shortcut to memcpy for native endianness. */ +void +_nettle_write_be32(size_t length, uint8_t *dst, + uint32_t *src); +void +_nettle_write_le32(size_t length, uint8_t *dst, + uint32_t *src); + +void +_nettle_write_le64(size_t length, uint8_t *dst, + uint64_t *src); + +#endif /* NETTLE_WRITE_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/pkcs1-rsa-sha256.c b/external/nettle-3.3/nettle/pkcs1-rsa-sha256.c new file mode 100644 index 0000000..2c2b5c0 --- /dev/null +++ b/external/nettle-3.3/nettle/pkcs1-rsa-sha256.c 
@@ -0,0 +1,120 @@ +/* pkcs1-rsa-sha256.c + + PKCS stuff for rsa-sha256. + + Copyright (C) 2001, 2003, 2006 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include +#include + +#include "rsa.h" + +#include "bignum.h" +#include "pkcs1.h" + +#include "gmp-glue.h" + +/* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA + * Cryptography Specifications Version 2.1. 
+ *
+ * id-sha256 OBJECT IDENTIFIER ::=
+ * {joint-iso-itu-t(2) country(16) us(840) organization(1)
+ * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1}
+ */
+
+static const uint8_t
+sha256_prefix[] =
+{
+ /* 19 octets prefix, 32 octets hash, total 51 */
+ 0x30, 49, /* SEQUENCE */
+ 0x30, 13, /* SEQUENCE */
+ 0x06, 9, /* OBJECT IDENTIFIER */
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
+ 0x05, 0, /* NULL */
+ 0x04, 32 /* OCTET STRING */
+ /* Here comes the raw hash value */
+};
+
+int
+pkcs1_rsa_sha256_encode(mpz_t m, size_t key_size, struct sha256_ctx *hash)
+{
+ uint8_t *p;
+ TMP_GMP_DECL(em, uint8_t);
+
+ TMP_GMP_ALLOC(em, key_size);
+
+ p = _pkcs1_signature_prefix(key_size, em,
+ sizeof(sha256_prefix),
+ sha256_prefix,
+ SHA256_DIGEST_SIZE);
+ if (p)
+ {
+ sha256_digest(hash, SHA256_DIGEST_SIZE, p);
+ nettle_mpz_set_str_256_u(m, key_size, em);
+ TMP_GMP_FREE(em);
+ return 1;
+ }
+ else
+ {
+ TMP_GMP_FREE(em);
+ return 0;
+ }
+}
+
+int
+pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest)
+{
+ uint8_t *p;
+ TMP_GMP_DECL(em, uint8_t);
+
+ TMP_GMP_ALLOC(em, key_size);
+
+ p = _pkcs1_signature_prefix(key_size, em,
+ sizeof(sha256_prefix),
+ sha256_prefix,
+ SHA256_DIGEST_SIZE);
+ if (p)
+ {
+ memcpy(p, digest, SHA256_DIGEST_SIZE);
+ nettle_mpz_set_str_256_u(m, key_size, em);
+ TMP_GMP_FREE(em);
+ return 1;
+ }
+ else
+ {
+ TMP_GMP_FREE(em);
+ return 0;
+ }
+}
diff --git a/external/nettle-3.3/nettle/pkcs1.c b/external/nettle-3.3/nettle/pkcs1.c
new file mode 100644
index 0000000..87a2d2e
--- /dev/null
+++ b/external/nettle-3.3/nettle/pkcs1.c
@@ -0,0 +1,73 @@
+/* pkcs1.c
+
+ PKCS1 embedding.
+
+ Copyright (C) 2003 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+
+#include "pkcs1.h"
+
+/* Formats the PKCS#1 padding, of the form
+ *
+ * 0x00 0x01 0xff ... 0xff 0x00 id ...digest...
+ *
+ * where the 0xff ... 0xff part consists of at least 8 octets. The
+ * total size equals the octet size of n.
+ */
+uint8_t *
+_pkcs1_signature_prefix(unsigned key_size,
+ uint8_t *buffer,
+ unsigned id_size,
+ const uint8_t *id,
+ unsigned digest_size)
+{
+ unsigned j;
+
+ if (key_size < 11 + id_size + digest_size)
+ return NULL;
+
+ j = key_size - digest_size - id_size;
+
+ memcpy (buffer + j, id, id_size);
+ buffer[0] = 0;
+ buffer[1] = 1;
+ buffer[j-1] = 0;
+
+ assert(j >= 11);
+ memset(buffer + 2, 0xff, j - 3);
+
+ return buffer + j + id_size;
+}
diff --git a/external/nettle-3.3/nettle/pkcs1.h b/external/nettle-3.3/nettle/pkcs1.h
new file mode 100644
index 0000000..7391804
--- /dev/null
+++ b/external/nettle-3.3/nettle/pkcs1.h
@@ -0,0 +1,114 @@ +/* pkcs1.h + + PKCS1 embedding. + + Copyright (C) 2003 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#ifndef NETTLE_PKCS1_H_INCLUDED +#define NETTLE_PKCS1_H_INCLUDED + +#include "nettle-types.h" +#include "bignum.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Name mangling */ +#define _pkcs1_signature_prefix _nettle_pkcs1_signature_prefix +#define pkcs1_rsa_digest_encode nettle_pkcs1_rsa_digest_encode +#define pkcs1_rsa_md5_encode nettle_pkcs1_rsa_md5_encode +#define pkcs1_rsa_md5_encode_digest nettle_pkcs1_rsa_md5_encode_digest +#define pkcs1_rsa_sha1_encode nettle_pkcs1_rsa_sha1_encode +#define pkcs1_rsa_sha1_encode_digest nettle_pkcs1_rsa_sha1_encode_digest +#define pkcs1_rsa_sha256_encode nettle_pkcs1_rsa_sha256_encode +#define pkcs1_rsa_sha256_encode_digest nettle_pkcs1_rsa_sha256_encode_digest +#define pkcs1_rsa_sha512_encode nettle_pkcs1_rsa_sha512_encode +#define pkcs1_rsa_sha512_encode_digest nettle_pkcs1_rsa_sha512_encode_digest +#define pkcs1_encrypt nettle_pkcs1_encrypt +#define pkcs1_decrypt nettle_pkcs1_decrypt + +struct md5_ctx; +struct sha1_ctx; +struct sha256_ctx; +struct sha512_ctx; + +uint8_t * +_pkcs1_signature_prefix(unsigned key_size, + uint8_t *buffer, + unsigned id_size, + const uint8_t *id, + unsigned digest_size); + +int +pkcs1_encrypt (size_t key_size, + /* For padding */ + void *random_ctx, nettle_random_func *random, + size_t length, const uint8_t *message, + mpz_t m); + +int +pkcs1_decrypt (size_t key_size, + const mpz_t m, + size_t *length, uint8_t *message); + +int +pkcs1_rsa_digest_encode(mpz_t m, size_t key_size, + size_t di_length, const uint8_t *digest_info); + +int +pkcs1_rsa_md5_encode(mpz_t m, size_t length, struct md5_ctx *hash); + +int +pkcs1_rsa_md5_encode_digest(mpz_t m, size_t length, const uint8_t *digest); + +int +pkcs1_rsa_sha1_encode(mpz_t m, size_t length, struct sha1_ctx *hash); + +int +pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t length, const uint8_t *digest); + +int +pkcs1_rsa_sha256_encode(mpz_t m, size_t length, struct sha256_ctx *hash); + +int +pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t 
length, const uint8_t *digest); + +int +pkcs1_rsa_sha512_encode(mpz_t m, size_t length, struct sha512_ctx *hash); + +int +pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t length, const uint8_t *digest); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_PKCS1_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/realloc.c b/external/nettle-3.3/nettle/realloc.c new file mode 100644 index 0000000..4e9a4b7 --- /dev/null +++ b/external/nettle-3.3/nettle/realloc.c 
@@ -0,0 +1,69 @@
+/* realloc.c
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+
+#include "realloc.h"
+
+/* NOTE: Calling libc realloc with size == 0 is not required to
+ totally free the object, it is allowed to return a valid
+ pointer. */
+void *
+nettle_realloc(void *ctx, void *p, size_t length)
+{
+ if (length > 0)
+ return realloc(p, length);
+
+ free(p);
+ return NULL;
+}
+
+void *
+nettle_xrealloc(void *ctx, void *p, size_t length)
+{
+ if (length > 0)
+ {
+ void *n = realloc(p, length);
+ if (!n)
+ {
+ fprintf(stderr, "Virtual memory exhausted.\n");
+ abort();
+ }
+ return n;
+ }
+ free(p);
+ return NULL;
+}
diff --git a/external/nettle-3.3/nettle/realloc.h b/external/nettle-3.3/nettle/realloc.h
new file mode 100644
index 0000000..e696a84
--- /dev/null
+++ b/external/nettle-3.3/nettle/realloc.h
@@ -0,0 +1,48 @@ +/* realloc.h + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_REALLOC_H_INCLUDED +#define NETTLE_REALLOC_H_INCLUDED + +#include "nettle-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +nettle_realloc_func nettle_realloc; +nettle_realloc_func nettle_xrealloc; + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_REALLOC_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/rsa-keygen.c b/external/nettle-3.3/nettle/rsa-keygen.c new file mode 100644 index 0000000..5260239 --- /dev/null +++ b/external/nettle-3.3/nettle/rsa-keygen.c 
@@ -0,0 +1,212 @@ +/* rsa-keygen.c + + Generation of RSA keypairs + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "rsa.h" +#include "bignum.h" + +#ifndef DEBUG +# define DEBUG 0 +#endif + +#if DEBUG +# include +#endif + + +int +rsa_generate_keypair(struct rsa_public_key *pub, + struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + void *progress_ctx, nettle_progress_func *progress, + unsigned n_size, + unsigned e_size) +{ + mpz_t p1; + mpz_t q1; + mpz_t phi; + mpz_t tmp; + + if (e_size) + { + /* We should choose e randomly. Is the size reasonable? */ + if ((e_size < 16) || (e_size >= n_size) ) + return 0; + } + else + { + /* We have a fixed e. 
Check that it makes sense */ + + /* It must be odd */ + if (!mpz_tstbit(pub->e, 0)) + return 0; + + /* And 3 or larger */ + if (mpz_cmp_ui(pub->e, 3) < 0) + return 0; + + /* And size less than n */ + if (mpz_sizeinbase(pub->e, 2) >= n_size) + return 0; + } + + if (n_size < RSA_MINIMUM_N_BITS) + return 0; + + mpz_init(p1); mpz_init(q1); mpz_init(phi); mpz_init(tmp); + + /* Generate primes */ + for (;;) + { + /* Generate p, such that gcd(p-1, e) = 1 */ + for (;;) + { + nettle_random_prime(key->p, (n_size+1)/2, 1, + random_ctx, random, + progress_ctx, progress); + + mpz_sub_ui(p1, key->p, 1); + + /* If e was given, we must chose p such that p-1 has no factors in + * common with e. */ + if (e_size) + break; + + mpz_gcd(tmp, pub->e, p1); + + if (mpz_cmp_ui(tmp, 1) == 0) + break; + else if (progress) progress(progress_ctx, 'c'); + } + + if (progress) + progress(progress_ctx, '\n'); + + /* Generate q, such that gcd(q-1, e) = 1 */ + for (;;) + { + nettle_random_prime(key->q, n_size/2, 1, + random_ctx, random, + progress_ctx, progress); + + /* Very unlikely. */ + if (mpz_cmp (key->q, key->p) == 0) + continue; + + mpz_sub_ui(q1, key->q, 1); + + /* If e was given, we must chose q such that q-1 has no factors in + * common with e. */ + if (e_size) + break; + + mpz_gcd(tmp, pub->e, q1); + + if (mpz_cmp_ui(tmp, 1) == 0) + break; + else if (progress) progress(progress_ctx, 'c'); + } + + /* Now we have the primes. Is the product of the right size? */ + mpz_mul(pub->n, key->p, key->q); + + assert (mpz_sizeinbase(pub->n, 2) == n_size); + + if (progress) + progress(progress_ctx, '\n'); + + /* c = q^{-1} (mod p) */ + if (mpz_invert(key->c, key->q, key->p)) + /* This should succeed everytime. But if it doesn't, + * we try again. */ + break; + else if (progress) progress(progress_ctx, '?'); + } + + mpz_mul(phi, p1, q1); + + /* If we didn't have a given e, generate one now. 
*/ + if (e_size) + { + int retried = 0; + for (;;) + { + nettle_mpz_random_size(pub->e, + random_ctx, random, + e_size); + + /* Make sure it's odd and that the most significant bit is + * set */ + mpz_setbit(pub->e, 0); + mpz_setbit(pub->e, e_size - 1); + + /* Needs gmp-3, or inverse might be negative. */ + if (mpz_invert(key->d, pub->e, phi)) + break; + + if (progress) progress(progress_ctx, 'e'); + retried = 1; + } + if (retried && progress) + progress(progress_ctx, '\n'); + } + else + { + /* Must always succeed, as we already that e + * doesn't have any common factor with p-1 or q-1. */ + int res = mpz_invert(key->d, pub->e, phi); + assert(res); + } + + /* Done! Almost, we must compute the auxillary private values. */ + /* a = d % (p-1) */ + mpz_fdiv_r(key->a, key->d, p1); + + /* b = d % (q-1) */ + mpz_fdiv_r(key->b, key->d, q1); + + /* c was computed earlier */ + + pub->size = key->size = (n_size + 7) / 8; + assert(pub->size >= RSA_MINIMUM_N_OCTETS); + + mpz_clear(p1); mpz_clear(q1); mpz_clear(phi); mpz_clear(tmp); + + return 1; +} diff --git a/external/nettle-3.3/nettle/rsa-sha256-sign.c b/external/nettle-3.3/nettle/rsa-sha256-sign.c new file mode 100644 index 0000000..5daffbf --- /dev/null +++ b/external/nettle-3.3/nettle/rsa-sha256-sign.c 
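Review bot: Every key this function produces is only as unpredictable as the `random` callback it hands to `nettle_random_prime` and `nettle_mpz_random_size`, and nothing in the hunk states that requirement; a caller that passes a wrapper around `rand()` or a time-seeded PRNG gets recoverable p and q. I would add above `rsa_generate_keypair`: `/* random must be a cryptographically secure generator seeded from the OS entropy source; a predictable source makes p and q, and so the private key, recoverable. */`. Note also that the only post-conditions are `assert`s — `assert (mpz_sizeinbase(pub->n, 2) == n_size)` and `assert(res)` after `mpz_invert(key->d, pub->e, phi)` — so a `-DNDEBUG` build drops them and leaves `res` unused; that is upstream Nettle behaviour, but a comment saying these checks are debug-only would stop someone relying on them as validation.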
@@ -0,0 +1,77 @@
+/* rsa-sha256-sign.c
+
+ Signatures using RSA and SHA256.
+
+ Copyright (C) 2001, 2003, 2006 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pkcs1.h"
+
+int
+rsa_sha256_sign(const struct rsa_private_key *key,
+ struct sha256_ctx *hash,
+ mpz_t s)
+{
+ if (pkcs1_rsa_sha256_encode(s, key->size, hash))
+ {
+ rsa_compute_root(key, s, s);
+ return 1;
+ }
+ else
+ {
+ mpz_set_ui(s, 0);
+ return 0;
+ }
+}
+
+int
+rsa_sha256_sign_digest(const struct rsa_private_key *key,
+ const uint8_t *digest,
+ mpz_t s)
+{
+ if (pkcs1_rsa_sha256_encode_digest(s, key->size, digest))
+ {
+ rsa_compute_root(key, s, s);
+ return 1;
+ }
+ else
+ {
+ mpz_set_ui(s, 0);
+ return 0;
+ }
+}
diff --git a/external/nettle-3.3/nettle/rsa-sha256-verify.c b/external/nettle-3.3/nettle/rsa-sha256-verify.c
new file mode 100644
index 0000000..33ecbc1
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa-sha256-verify.c
@@ -0,0 +1,79 @@
+/* rsa-sha256-verify.c
+
+ Verifying signatures created with RSA and SHA256.
+
+ Copyright (C) 2001, 2003, 2006 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pkcs1.h"
+
+int
+rsa_sha256_verify(const struct rsa_public_key *key,
+ struct sha256_ctx *hash,
+ const mpz_t s)
+{
+ int res;
+ mpz_t m;
+
+ mpz_init(m);
+
+ res = (pkcs1_rsa_sha256_encode(m, key->size, hash)
+ &&_rsa_verify(key, m, s));
+
+ mpz_clear(m);
+
+ return res;
+}
+
+int
+rsa_sha256_verify_digest(const struct rsa_public_key *key,
+ const uint8_t *digest,
+ const mpz_t s)
+{
+ int res;
+ mpz_t m;
+
+ mpz_init(m);
+
+ res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest)
+ && _rsa_verify(key, m, s));
+
+ mpz_clear(m);
+
+ return res;
+}
diff --git a/external/nettle-3.3/nettle/rsa-sign.c b/external/nettle-3.3/nettle/rsa-sign.c
new file mode 100644
index 0000000..5cae041
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa-sign.c
@@ -0,0 +1,144 @@ +/* rsa-sign.c + + Creating RSA signatures. + + Copyright (C) 2001, 2003 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa.h" + +#include "bignum.h" + +void +rsa_private_key_init(struct rsa_private_key *key) +{ + mpz_init(key->d); + mpz_init(key->p); + mpz_init(key->q); + mpz_init(key->a); + mpz_init(key->b); + mpz_init(key->c); + + /* Not really necessary, but it seems cleaner to initialize all the + * storage. */ + key->size = 0; +} + +void +rsa_private_key_clear(struct rsa_private_key *key) +{ + mpz_clear(key->d); + mpz_clear(key->p); + mpz_clear(key->q); + mpz_clear(key->a); + mpz_clear(key->b); + mpz_clear(key->c); +} + +int +rsa_private_key_prepare(struct rsa_private_key *key) +{ + mpz_t n; + + /* The size of the product is the sum of the sizes of the factors, + * or sometimes one less. It's possible but tricky to compute the + * size without computing the full product. 
*/ + + mpz_init(n); + mpz_mul(n, key->p, key->q); + + key->size = _rsa_check_size(n); + + mpz_clear(n); + + return (key->size > 0); +} + +/* Computing an rsa root. */ +void +rsa_compute_root(const struct rsa_private_key *key, + mpz_t x, const mpz_t m) +{ + mpz_t xp; /* modulo p */ + mpz_t xq; /* modulo q */ + + mpz_init(xp); mpz_init(xq); + + /* Compute xq = m^d % q = (m%q)^b % q */ + mpz_fdiv_r(xq, m, key->q); + mpz_powm_sec(xq, xq, key->b, key->q); + + /* Compute xp = m^d % p = (m%p)^a % p */ + mpz_fdiv_r(xp, m, key->p); + mpz_powm_sec(xp, xp, key->a, key->p); + + /* Set xp' = (xp - xq) c % p. */ + mpz_sub(xp, xp, xq); + mpz_mul(xp, xp, key->c); + mpz_fdiv_r(xp, xp, key->p); + + /* Finally, compute x = xq + q xp' + * + * To prove that this works, note that + * + * xp = x + i p, + * xq = x + j q, + * c q = 1 + k p + * + * for some integers i, j and k. Now, for some integer l, + * + * xp' = (xp - xq) c + l p + * = (x + i p - (x + j q)) c + l p + * = (i p - j q) c + l p + * = (i c + l) p - j (c q) + * = (i c + l) p - j (1 + kp) + * = (i c + l - j k) p - j + * + * which shows that xp' = -j (mod p). We get + * + * xq + q xp' = x + j q + (i c + l - j k) p q - j q + * = x + (i c + l - j k) p q + * + * so that + * + * xq + q xp' = x (mod pq) + * + * We also get 0 <= xq + q xp' < p q, because + * + * 0 <= xq < q and 0 <= xp' < p. + */ + mpz_mul(x, key->q, xp); + mpz_add(x, x, xq); + + mpz_clear(xp); mpz_clear(xq); +} diff --git a/external/nettle-3.3/nettle/rsa-verify.c b/external/nettle-3.3/nettle/rsa-verify.c new file mode 100644 index 0000000..8484a85 --- /dev/null +++ b/external/nettle-3.3/nettle/rsa-verify.c 
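Review bot: `rsa_compute_root` performs the private-key operation without blinding: `mpz_powm_sec` covers only the two exponentiations, while `mpz_fdiv_r(xq, m, key->q)`, `mpz_fdiv_r(xp, m, key->p)` and the CRT recombination (`mpz_sub`, `mpz_mul(xp, xp, key->c)`, `mpz_fdiv_r(xp, xp, key->p)`) run ordinary variable-time GMP arithmetic directly on p, q and c, so the time a signature takes depends on the private key. Upstream Nettle's answer is the blinded `_tr` family — `rsa_compute_root_tr`, `rsa_sha256_sign_tr`, `_rsa_blind`/`_rsa_unblind` — which the rsa.h in this commit lists in its name-mangling table but which does not appear to be vendored here, so `rsa_sha256_sign` and anything else in this tree seem able to reach only the unblinded path. If signatures are produced in response to remote peers, I would vendor upstream's rsa-blind.c, rsa-sign-tr.c and rsa-sha256-sign-tr.c and sign through `rsa_sha256_sign_tr`. Separately, if this is linked against mini-gmp rather than libgmp, `mpz_powm_sec` is presumably just an alias of the variable-time `mpz_powm` there, which deserves a comment above this function; confirm against bignum.h.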
@@ -0,0 +1,64 @@
+/* rsa-verify.c
+
+ Verifying RSA signatures.
+
+ Copyright (C) 2001, 2003 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+
+int
+_rsa_verify(const struct rsa_public_key *key,
+ const mpz_t m,
+ const mpz_t s)
+{
+ int res;
+
+ mpz_t m1;
+
+ if ( (mpz_sgn(s) <= 0)
+ || (mpz_cmp(s, key->n) >= 0) )
+ return 0;
+
+ mpz_init(m1);
+
+ mpz_powm(m1, s, key->e, key->n);
+
+ res = !mpz_cmp(m, m1);
+
+ mpz_clear(m1);
+
+ return res;
+}
diff --git a/external/nettle-3.3/nettle/rsa.c b/external/nettle-3.3/nettle/rsa.c
new file mode 100644
index 0000000..22fae77
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa.c
@@ -0,0 +1,86 @@ +/* rsa.c + + The RSA publickey algorithm. + + Copyright (C) 2001 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa.h" + +#include "bignum.h" + +void +rsa_public_key_init(struct rsa_public_key *key) +{ + mpz_init(key->n); + mpz_init(key->e); + + /* Not really necessary, but it seems cleaner to initialize all the + * storage. */ + key->size = 0; +} + +void +rsa_public_key_clear(struct rsa_public_key *key) +{ + mpz_clear(key->n); + mpz_clear(key->e); +} + +/* Computes the size, in octets, of a the modulo. Returns 0 if the + * modulo is too small to be useful, or otherwise appears invalid. */ +size_t +_rsa_check_size(mpz_t n) +{ + /* Round upwards */ + size_t size; + + /* Even moduli are invalid, and not supported by mpz_powm_sec. 
*/
+ if (mpz_even_p (n))
+ return 0;
+
+ size = (mpz_sizeinbase(n, 2) + 7) / 8;
+
+ if (size < RSA_MINIMUM_N_OCTETS)
+ return 0;
+
+ return size;
+}
+
+int
+rsa_public_key_prepare(struct rsa_public_key *key)
+{
+ key->size = _rsa_check_size(key->n);
+
+ return (key->size > 0);
+}
diff --git a/external/nettle-3.3/nettle/rsa.h b/external/nettle-3.3/nettle/rsa.h
new file mode 100644
index 0000000..1ceda2d
--- /dev/null
+++ b/external/nettle-3.3/nettle/rsa.h
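Review bot: `rsa_public_key_prepare` validates only the modulus via `_rsa_check_size` (odd and at least `RSA_MINIMUM_N_OCTETS`) and accepts any exponent, while the key generator in this same commit refuses an `e` that is even or below 3. With `e == 1`, `_rsa_verify`'s `mpz_powm(m1, s, key->e, key->n)` yields `s` itself, so the padded hash is a valid signature and anyone who knows the message can produce one for that key; whether a peer can get such a key trusted depends on how keys are bound to identities, which I cannot see from here. The check is cheap and makes the two paths consistent: before `key->size = _rsa_check_size(key->n);` add `if (mpz_cmp_ui(key->e, 3) < 0 || mpz_even_p(key->e)) { key->size = 0; return 0; }`.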
@@ -0,0 +1,355 @@ +/* rsa.h + + The RSA publickey algorithm. + + Copyright (C) 2001, 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#ifndef NETTLE_RSA_H_INCLUDED +#define NETTLE_RSA_H_INCLUDED + +#include "nettle-types.h" +#include "bignum.h" + +#include "sha2.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Name mangling */ +#define rsa_public_key_init nettle_rsa_public_key_init +#define rsa_public_key_clear nettle_rsa_public_key_clear +#define rsa_public_key_prepare nettle_rsa_public_key_prepare +#define rsa_private_key_init nettle_rsa_private_key_init +#define rsa_private_key_clear nettle_rsa_private_key_clear +#define rsa_private_key_prepare nettle_rsa_private_key_prepare +#define rsa_sha256_sign nettle_rsa_sha256_sign +#define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr +#define rsa_sha256_verify nettle_rsa_sha256_verify +#define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest +#define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr +#define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest +#define rsa_encrypt nettle_rsa_encrypt +#define rsa_decrypt nettle_rsa_decrypt +#define rsa_decrypt_tr nettle_rsa_decrypt_tr +#define rsa_compute_root nettle_rsa_compute_root +#define rsa_compute_root_tr nettle_rsa_compute_root_tr +#define rsa_generate_keypair nettle_rsa_generate_keypair +#define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp +#define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist +#define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp +#define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator +#define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator +#define rsa_keypair_from_der nettle_rsa_keypair_from_der +#define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp +#define _rsa_verify _nettle_rsa_verify +#define _rsa_check_size _nettle_rsa_check_size +#define _rsa_blind _nettle_rsa_blind +#define _rsa_unblind _nettle_rsa_unblind + +/* This limit is somewhat arbitrary. Technically, the smallest modulo + which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. 
But + for ridiculously small keys, not all odd e are possible (e.g., for + 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e = + 3 don't work). The smallest size that makes sense with pkcs#1, and + which allows RSA encryption of one byte messages, is 12 octets, 89 + bits. */ + +#define RSA_MINIMUM_N_OCTETS 12 +#define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7) + +struct rsa_public_key +{ + /* Size of the modulo, in octets. This is also the size of all + * signatures that are created or verified with this key. */ + size_t size; + + /* Modulo */ + mpz_t n; + + /* Public exponent */ + mpz_t e; +}; + +struct rsa_private_key +{ + size_t size; + + /* d is filled in by the key generation function; otherwise it's + * completely unused. */ + mpz_t d; + + /* The two factors */ + mpz_t p; mpz_t q; + + /* d % (p-1), i.e. a e = 1 (mod (p-1)) */ + mpz_t a; + + /* d % (q-1), i.e. b e = 1 (mod (q-1)) */ + mpz_t b; + + /* modular inverse of q , i.e. c q = 1 (mod p) */ + mpz_t c; +}; + +/* Signing a message works as follows: + * + * Store the private key in a rsa_private_key struct. + * + * Call rsa_private_key_prepare. This initializes the size attribute + * to the length of a signature. + * + * Initialize a hashing context, by callling + * md5_init + * + * Hash the message by calling + * md5_update + * + * Create the signature by calling + * rsa_md5_sign + * + * The signature is represented as a mpz_t bignum. This call also + * resets the hashing context. + * + * When done with the key and signature, don't forget to call + * mpz_clear. + */ + +/* Calls mpz_init to initialize bignum storage. */ +void +rsa_public_key_init(struct rsa_public_key *key); + +/* Calls mpz_clear to deallocate bignum storage. */ +void +rsa_public_key_clear(struct rsa_public_key *key); + +int +rsa_public_key_prepare(struct rsa_public_key *key); + +/* Calls mpz_init to initialize bignum storage. 
*/ +void +rsa_private_key_init(struct rsa_private_key *key); + +/* Calls mpz_clear to deallocate bignum storage. */ +void +rsa_private_key_clear(struct rsa_private_key *key); + +int +rsa_private_key_prepare(struct rsa_private_key *key); + +int +rsa_sha256_sign(const struct rsa_private_key *key, + struct sha256_ctx *hash, + mpz_t signature); + +int +rsa_sha256_sign_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + struct sha256_ctx *hash, + mpz_t s); + +int +rsa_sha256_verify(const struct rsa_public_key *key, + struct sha256_ctx *hash, + const mpz_t signature); + +int +rsa_sha256_sign_digest(const struct rsa_private_key *key, + const uint8_t *digest, + mpz_t s); + +int +rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + const uint8_t *digest, + mpz_t s); + +int +rsa_sha256_verify_digest(const struct rsa_public_key *key, + const uint8_t *digest, + const mpz_t signature); + +/* RSA encryption, using PKCS#1 */ +/* These functions uses the v1.5 padding. What should the v2 (OAEP) + * functions be called? */ + +/* Returns 1 on success, 0 on failure, which happens if the + * message is too long for the key. */ +int +rsa_encrypt(const struct rsa_public_key *key, + /* For padding */ + void *random_ctx, nettle_random_func *random, + size_t length, const uint8_t *cleartext, + mpz_t cipher); + +/* Message must point to a buffer of size *LENGTH. KEY->size is enough + * for all valid messages. On success, *LENGTH is updated to reflect + * the actual length of the message. Returns 1 on success, 0 on + * failure, which happens if decryption failed or if the message + * didn't fit. */ +int +rsa_decrypt(const struct rsa_private_key *key, + size_t *length, uint8_t *cleartext, + const mpz_t ciphertext); + +/* Timing-resistant version, using randomized RSA blinding. 
*/ +int +rsa_decrypt_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + size_t *length, uint8_t *message, + const mpz_t gibberish); + +/* Compute x, the e:th root of m. Calling it with x == m is allowed. */ +void +rsa_compute_root(const struct rsa_private_key *key, + mpz_t x, const mpz_t m); + +/* Safer variant, using RSA blinding, and checking the result after + CRT. */ +int +rsa_compute_root_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + mpz_t x, const mpz_t m); + +/* Key generation */ + +/* Note that the key structs must be initialized first. */ +int +rsa_generate_keypair(struct rsa_public_key *pub, + struct rsa_private_key *key, + + void *random_ctx, nettle_random_func *random, + void *progress_ctx, nettle_progress_func *progress, + + /* Desired size of modulo, in bits */ + unsigned n_size, + + /* Desired size of public exponent, in bits. If + * zero, the passed in value pub->e is used. */ + unsigned e_size); + + +#define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \ + algorithm##_update(ctx, length, data), \ + rsa_##algorithm##_sign(key, ctx, signature) \ +) + +#define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \ + algorithm##_update(ctx, length, data), \ + rsa_##algorithm##_verify(key, ctx, signature) \ +) + + +/* Keys in sexp form. */ + +struct nettle_buffer; + +/* Generates a public-key expression if PRIV is NULL .*/ +int +rsa_keypair_to_sexp(struct nettle_buffer *buffer, + const char *algorithm_name, /* NULL means "rsa" */ + const struct rsa_public_key *pub, + const struct rsa_private_key *priv); + +struct sexp_iterator; + +int +rsa_keypair_from_sexp_alist(struct rsa_public_key *pub, + struct rsa_private_key *priv, + unsigned limit, + struct sexp_iterator *i); + +/* If PRIV is NULL, expect a public-key expression. 
If PUB is NULL, + * expect a private key expression and ignore the parts not needed for + * the public key. */ +/* Keys must be initialized before calling this function, as usual. */ +int +rsa_keypair_from_sexp(struct rsa_public_key *pub, + struct rsa_private_key *priv, + unsigned limit, + size_t length, const uint8_t *expr); + + +/* Keys in PKCS#1 format. */ +struct asn1_der_iterator; + +int +rsa_public_key_from_der_iterator(struct rsa_public_key *pub, + unsigned limit, + struct asn1_der_iterator *i); + +int +rsa_private_key_from_der_iterator(struct rsa_public_key *pub, + struct rsa_private_key *priv, + unsigned limit, + struct asn1_der_iterator *i); + +/* For public keys, use PRIV == NULL */ +int +rsa_keypair_from_der(struct rsa_public_key *pub, + struct rsa_private_key *priv, + unsigned limit, + size_t length, const uint8_t *data); + +/* OpenPGP format. Experimental interface, subject to change. */ +int +rsa_keypair_to_openpgp(struct nettle_buffer *buffer, + const struct rsa_public_key *pub, + const struct rsa_private_key *priv, + /* A single user id. NUL-terminated utf8. */ + const char *userid); + +/* Internal functions. */ +int +_rsa_verify(const struct rsa_public_key *key, + const mpz_t m, + const mpz_t s); + +size_t +_rsa_check_size(mpz_t n); + +/* _rsa_blind and _rsa_unblind are deprecated, unused in the library, + and will likely be removed with the next ABI break. */ +void +_rsa_blind (const struct rsa_public_key *pub, + void *random_ctx, nettle_random_func *random, + mpz_t c, mpz_t ri); +void +_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_RSA_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/rsa2sexp.c b/external/nettle-3.3/nettle/rsa2sexp.c new file mode 100644 index 0000000..95e029b --- /dev/null +++ b/external/nettle-3.3/nettle/rsa2sexp.c 
@@ -0,0 +1,59 @@
+/* rsa2sexp.c
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "sexp.h"
+
+int
+rsa_keypair_to_sexp(struct nettle_buffer *buffer,
+ const char *algorithm_name,
+ const struct rsa_public_key *pub,
+ const struct rsa_private_key *priv)
+{
+ if (!algorithm_name)
+ algorithm_name = "rsa-pkcs1";
+
+ if (priv)
+ return sexp_format(buffer,
+ "(private-key(%0s(n%b)(e%b)"
+ "(d%b)(p%b)(q%b)(a%b)(b%b)(c%b)))",
+ algorithm_name, pub->n, pub->e,
+ priv->d, priv->p, priv->q,
+ priv->a, priv->b, priv->c);
+ else
+ return sexp_format(buffer, "(public-key(%0s(n%b)(e%b)))",
+ algorithm_name, pub->n, pub->e);
+}
diff --git a/external/nettle-3.3/nettle/sexp-format.c b/external/nettle-3.3/nettle/sexp-format.c
new file mode 100644
index 0000000..e59b8f3
--- /dev/null
+++ b/external/nettle-3.3/nettle/sexp-format.c
@@ -0,0 +1,348 @@ +/* sexp-format.c + + Writing s-expressions. + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include +#include +#include +#include + +#include "sexp.h" +#include "buffer.h" + +#include "bignum.h" + +static unsigned +format_prefix(struct nettle_buffer *buffer, + size_t length) +{ + size_t digit = 1; + unsigned prefix_length = 1; + + for (;;) + { + size_t next = digit * 10; + if (next > length) + break; + + prefix_length++; + digit = next; + } + + if (buffer) + { + for (; digit; length %= digit, digit /= 10) + if (!NETTLE_BUFFER_PUTC(buffer, '0' + length / digit)) + return 0; + + if (!NETTLE_BUFFER_PUTC(buffer, ':')) + return 0; + } + + return prefix_length + 1; +} + +static size_t +format_string(struct nettle_buffer *buffer, + size_t length, const uint8_t *s) +{ + unsigned prefix_length = format_prefix(buffer, length); + if (!prefix_length) + return 0; + + if (buffer && !nettle_buffer_write(buffer, length, s)) + return 0; + + return prefix_length + length; +} + +static inline size_t +strlen_u8 (const uint8_t *s) +{ + return strlen((const char*) s); +} + +size_t +sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) +{ + unsigned nesting = 0; + size_t done = 0; + + for (;;) + switch (*format++) + { + default: + { + const char *start = format - 1; + size_t length = 1 + strcspn(format, "()% \t"); + size_t output_length + = format_string(buffer, length, (const uint8_t *) start); + if (!output_length) + return 0; + + done += output_length; + format = start + length; + + break; + } + case ' ': case '\t': + break; + + case '\0': + assert(!nesting); + + return done; + + case '(': + if (buffer && !NETTLE_BUFFER_PUTC(buffer, '(')) + return 0; + + done++; + nesting++; + break; + + case ')': + assert (nesting); + if (buffer && !NETTLE_BUFFER_PUTC(buffer, ')')) + return 0; + + done++; + nesting--; + break; + + case '%': + { + int nul_flag = 0; + + if (*format == '0') + { + format++; + nul_flag = 1; + } + switch (*format++) + { + default: + abort(); + + case '(': + case ')': + /* 
Allow unbalanced parenthesis */ + if (buffer && !NETTLE_BUFFER_PUTC(buffer, format[-1])) + return 0; + done++; + break; + + case 's': + { + const uint8_t *s; + size_t length; + size_t output_length; + + if (nul_flag) + { + s = va_arg(args, const uint8_t *); + length = strlen_u8(s); + } + else + { + length = va_arg(args, size_t); + s = va_arg(args, const uint8_t *); + } + + output_length = format_string(buffer, length, s); + if (!output_length) + return 0; + + done += output_length; + break; + } + case 't': + { + const uint8_t *s; + size_t length; + size_t output_length; + + if (nul_flag) + { + s = va_arg(args, const uint8_t *); + if (!s) + break; + + length = strlen_u8(s); + } + else + { + length = va_arg(args, size_t); + s = va_arg(args, const uint8_t *); + if (!s) + break; + } + + if (buffer && !NETTLE_BUFFER_PUTC(buffer, '[')) + return 0; + done++; + + output_length = format_string(buffer, length, s); + + if (!output_length) + return 0; + + done += output_length; + + if (buffer && !NETTLE_BUFFER_PUTC(buffer, ']')) + return 0; + done++; + + break; + } + + case 'l': + { + const uint8_t *s; + size_t length; + + if (nul_flag) + { + s = va_arg(args, const uint8_t *); + length = strlen_u8(s); + } + else + { + length = va_arg(args, size_t); + s = va_arg(args, const uint8_t *); + } + + if (buffer && !nettle_buffer_write(buffer, length, s)) + return 0; + + done += length; + break; + } + case 'i': + { + uint32_t x = va_arg(args, uint32_t); + unsigned length; + + if (x < 0x80) + length = 1; + else if (x < 0x8000L) + length = 2; + else if (x < 0x800000L) + length = 3; + else if (x < 0x80000000L) + length = 4; + else + length = 5; + + if (buffer && !(NETTLE_BUFFER_PUTC(buffer, '0' + length) + && NETTLE_BUFFER_PUTC(buffer, ':'))) + return 0; + + done += (2 + length); + + if (buffer) + switch(length) + { + case 5: + /* Leading byte needed for the sign. 
*/ + if (!NETTLE_BUFFER_PUTC(buffer, 0)) + return 0; + /* Fall through */ + case 4: + if (!NETTLE_BUFFER_PUTC(buffer, x >> 24)) + return 0; + /* Fall through */ + case 3: + if (!NETTLE_BUFFER_PUTC(buffer, (x >> 16) & 0xff)) + return 0; + /* Fall through */ + case 2: + if (!NETTLE_BUFFER_PUTC(buffer, (x >> 8) & 0xff)) + return 0; + /* Fall through */ + case 1: + if (!NETTLE_BUFFER_PUTC(buffer, x & 0xff)) + return 0; + break; + default: + abort(); + } + break; + } + case 'b': + { + mpz_srcptr n = va_arg(args, mpz_srcptr); + size_t length; + unsigned prefix_length; + + length = nettle_mpz_sizeinbase_256_s(n); + prefix_length = format_prefix(buffer, length); + if (!prefix_length) + return 0; + + done += prefix_length; + + if (buffer) + { + uint8_t *space = nettle_buffer_space(buffer, length); + if (!space) + return 0; + + nettle_mpz_get_str_256(length, space, n); + } + + done += length; + + break; + } + } + } + } +} + +size_t +sexp_format(struct nettle_buffer *buffer, const char *format, ...) +{ + va_list args; + size_t done; + + va_start(args, format); + done = sexp_vformat(buffer, format, args); + va_end(args); + + return done; +} diff --git a/external/nettle-3.3/nettle/sexp.c b/external/nettle-3.3/nettle/sexp.c new file mode 100644 index 0000000..eb5c211 --- /dev/null +++ b/external/nettle-3.3/nettle/sexp.c 
@@ -0,0 +1,399 @@ +/* sexp.c + + Parsing s-expressions. + + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "sexp.h" + +#include "macros.h" +#include "nettle-internal.h" + +/* Initializes the iterator, but one has to call next to get to the + * first element. 
*/ +static void +sexp_iterator_init(struct sexp_iterator *iterator, + unsigned length, const uint8_t *input) +{ + iterator->length = length; + iterator->buffer = input; + iterator->pos = 0; + iterator->level = 0; + iterator->type = SEXP_END; /* Value doesn't matter */ + iterator->display_length = 0; + iterator->display = NULL; + iterator->atom_length = 0; + iterator->atom = NULL; +} + +#define EMPTY(i) ((i)->pos == (i)->length) +#define NEXT(i) ((i)->buffer[(i)->pos++]) + +static int +sexp_iterator_simple(struct sexp_iterator *iterator, + size_t *size, + const uint8_t **string) +{ + unsigned length = 0; + uint8_t c; + + if (EMPTY(iterator)) return 0; + c = NEXT(iterator); + if (EMPTY(iterator)) return 0; + + if (c >= '1' && c <= '9') + do + { + length = length * 10 + (c - '0'); + if (length > (iterator->length - iterator->pos)) + return 0; + + if (EMPTY(iterator)) return 0; + c = NEXT(iterator); + } + while (c >= '0' && c <= '9'); + + else if (c == '0') + /* There can be only one */ + c = NEXT(iterator); + else + return 0; + + if (c != ':') + return 0; + + *size = length; + *string = iterator->buffer + iterator->pos; + iterator->pos += length; + + return 1; +} + +/* All these functions return 1 on success, 0 on failure */ + +/* Look at the current position in the data. Sets iterator->type, and + * ignores the old value. 
*/ + +static int +sexp_iterator_parse(struct sexp_iterator *iterator) +{ + iterator->start = iterator->pos; + + if (EMPTY(iterator)) + { + if (iterator->level) + return 0; + + iterator->type = SEXP_END; + return 1; + } + switch (iterator->buffer[iterator->pos]) + { + case '(': /* A list */ + iterator->type = SEXP_LIST; + return 1; + + case ')': + if (!iterator->level) + return 0; + + iterator->pos++; + iterator->type = SEXP_END; + return 1; + + case '[': /* Atom with display type */ + iterator->pos++; + if (!sexp_iterator_simple(iterator, + &iterator->display_length, + &iterator->display)) + return 0; + if (EMPTY(iterator) || NEXT(iterator) != ']') + return 0; + + break; + + default: + /* Must be either a decimal digit or a syntax error. + * Errors are detected by sexp_iterator_simple. */ + iterator->display_length = 0; + iterator->display = NULL; + + break; + } + + iterator->type = SEXP_ATOM; + + return sexp_iterator_simple(iterator, + &iterator->atom_length, + &iterator->atom); +} + +int +sexp_iterator_first(struct sexp_iterator *iterator, + size_t length, const uint8_t *input) +{ + sexp_iterator_init(iterator, length, input); + return sexp_iterator_parse(iterator); +} + +int +sexp_iterator_next(struct sexp_iterator *iterator) +{ + switch (iterator->type) + { + case SEXP_END: + return 1; + case SEXP_LIST: + /* Skip this list */ + return sexp_iterator_enter_list(iterator) + && sexp_iterator_exit_list(iterator); + case SEXP_ATOM: + /* iterator->pos should already point at the start of the next + * element. */ + return sexp_iterator_parse(iterator); + } + /* If we get here, we have a bug. */ + abort(); +} + +/* Current element must be a list. 
*/ +int +sexp_iterator_enter_list(struct sexp_iterator *iterator) +{ + if (iterator->type != SEXP_LIST) + return 0; + + if (EMPTY(iterator) || NEXT(iterator) != '(') + /* Internal error */ + abort(); + + iterator->level++; + + return sexp_iterator_parse(iterator); +} + +/* Skips the rest of the current list */ +int +sexp_iterator_exit_list(struct sexp_iterator *iterator) +{ + if (!iterator->level) + return 0; + + while(iterator->type != SEXP_END) + if (!sexp_iterator_next(iterator)) + return 0; + + iterator->level--; + + return sexp_iterator_parse(iterator); +} + +#if 0 +/* What's a reasonable interface for this? */ +int +sexp_iterator_exit_lists(struct sexp_iterator *iterator, + unsigned level) +{ + assert(iterator->level >= level); + + while (iterator->level > level) + if (!sexp_iterator_exit_list(iterator)) + return 0; + + return 1; +} +#endif + +const uint8_t * +sexp_iterator_subexpr(struct sexp_iterator *iterator, + size_t *length) +{ + size_t start = iterator->start; + if (!sexp_iterator_next(iterator)) + return 0; + + *length = iterator->start - start; + return iterator->buffer + start; +} + +int +sexp_iterator_get_uint32(struct sexp_iterator *iterator, + uint32_t *x) +{ + if (iterator->type == SEXP_ATOM + && !iterator->display + && iterator->atom_length + && iterator->atom[0] < 0x80) + { + size_t length = iterator->atom_length; + const uint8_t *p = iterator->atom; + + /* Skip leading zeros. 
*/ + while(length && !*p) + { + length--; p++; + } + + switch(length) + { + case 0: + *x = 0; + break; + case 1: + *x = p[0]; + break; + case 2: + *x = READ_UINT16(p); + break; + case 3: + *x = READ_UINT24(p); + break; + case 4: + *x = READ_UINT32(p); + break; + default: + return 0; + } + return sexp_iterator_next(iterator); + } + return 0; +} + +int +sexp_iterator_check_type(struct sexp_iterator *iterator, + const char *type) +{ + return (sexp_iterator_enter_list(iterator) + && iterator->type == SEXP_ATOM + && !iterator->display + && strlen(type) == iterator->atom_length + && !memcmp(type, iterator->atom, iterator->atom_length) + && sexp_iterator_next(iterator)); +} + +const char * +sexp_iterator_check_types(struct sexp_iterator *iterator, + unsigned ntypes, + const char * const *types) +{ + if (sexp_iterator_enter_list(iterator) + && iterator->type == SEXP_ATOM + && !iterator->display) + { + unsigned i; + for (i = 0; iatom_length + && !memcmp(types[i], iterator->atom, + iterator->atom_length)) + return sexp_iterator_next(iterator) ? types[i] : NULL; + } + return NULL; +} + +int +sexp_iterator_assoc(struct sexp_iterator *iterator, + unsigned nkeys, + const char * const *keys, + struct sexp_iterator *values) +{ + TMP_DECL(found, int, NETTLE_MAX_SEXP_ASSOC); + unsigned nfound; + unsigned i; + + TMP_ALLOC(found, nkeys); + for (i = 0; itype) + { + case SEXP_LIST: + + if (!sexp_iterator_enter_list(iterator)) + return 0; + + if (iterator->type == SEXP_ATOM + && !iterator->display) + { + /* Compare to the given keys */ + for (i = 0; iatom_length + && !memcmp(keys[i], iterator->atom, + iterator->atom_length)) + { + if (found[i]) + /* We don't allow duplicates */ + return 0; + + /* Advance to point to value */ + if (!sexp_iterator_next(iterator)) + return 0; + + found[i] = 1; + nfound++; + + /* Record this position. 
*/ + values[i] = *iterator; + + break; + } + } + } + if (!sexp_iterator_exit_list(iterator)) + return 0; + break; + case SEXP_ATOM: + /* Just ignore */ + if (!sexp_iterator_next(iterator)) + return 0; + break; + + case SEXP_END: + return sexp_iterator_exit_list(iterator) + && (nfound == nkeys); + + default: + abort(); + } + } +} diff --git a/external/nettle-3.3/nettle/sexp.h b/external/nettle-3.3/nettle/sexp.h new file mode 100644 index 0000000..58b089c --- /dev/null +++ b/external/nettle-3.3/nettle/sexp.h 
@@ -0,0 +1,213 @@ +/* sexp.h + + Parsing s-expressions. + Copyright (C) 2002 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#ifndef NETTLE_SEXP_H_INCLUDED +#define NETTLE_SEXP_H_INCLUDED + +#include +#include "nettle-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Name mangling */ +#define sexp_iterator_first nettle_sexp_iterator_first +#define sexp_transport_iterator_first nettle_sexp_transport_iterator_first +#define sexp_iterator_next nettle_sexp_iterator_next +#define sexp_iterator_enter_list nettle_sexp_iterator_enter_list +#define sexp_iterator_exit_list nettle_sexp_iterator_exit_list +#define sexp_iterator_subexpr nettle_sexp_iterator_subexpr +#define sexp_iterator_get_uint32 nettle_sexp_iterator_get_uint32 +#define sexp_iterator_check_type nettle_sexp_iterator_check_type +#define sexp_iterator_check_types nettle_sexp_iterator_check_types +#define sexp_iterator_assoc nettle_sexp_iterator_assoc +#define sexp_format nettle_sexp_format +#define sexp_vformat nettle_sexp_vformat +#define sexp_transport_format nettle_sexp_transport_format +#define sexp_transport_vformat nettle_sexp_transport_vformat +#define sexp_token_chars nettle_sexp_token_chars + +enum sexp_type + { SEXP_ATOM, SEXP_LIST, SEXP_END }; + +struct sexp_iterator +{ + size_t length; + const uint8_t *buffer; + + /* Points at the start of the current sub expression. */ + size_t start; + /* If type is SEXP_LIST, pos points at the start of the current + * element. Otherwise, it points at the end. */ + size_t pos; + unsigned level; + + enum sexp_type type; + + size_t display_length; + const uint8_t *display; + + size_t atom_length; + const uint8_t *atom; +}; + + +/* All these functions return 1 on success, 0 on failure */ + +/* Initializes the iterator. */ +int +sexp_iterator_first(struct sexp_iterator *iterator, + size_t length, const uint8_t *input); + +/* NOTE: Decodes the input string in place */ +int +sexp_transport_iterator_first(struct sexp_iterator *iterator, + size_t length, uint8_t *input); + +int +sexp_iterator_next(struct sexp_iterator *iterator); + +/* Current element must be a list. 
*/ +int +sexp_iterator_enter_list(struct sexp_iterator *iterator); + +/* Skips the rest of the current list */ +int +sexp_iterator_exit_list(struct sexp_iterator *iterator); + +#if 0 +/* Skips out of as many lists as necessary to get back to the given + * level. */ +int +sexp_iterator_exit_lists(struct sexp_iterator *iterator, + unsigned level); +#endif + +/* Gets start and length of the current subexpression. Implies + * sexp_iterator_next. */ +const uint8_t * +sexp_iterator_subexpr(struct sexp_iterator *iterator, + size_t *length); + +int +sexp_iterator_get_uint32(struct sexp_iterator *iterator, + uint32_t *x); + + +/* Checks the type of the current expression, which should be a list + * + * ( ...) + */ +int +sexp_iterator_check_type(struct sexp_iterator *iterator, + const char *type); + +const char * +sexp_iterator_check_types(struct sexp_iterator *iterator, + unsigned ntypes, + const char * const *types); + +/* Current element must be a list. Looks up element of type + * + * (key rest...) + * + * For a matching key, the corresponding iterator is initialized + * pointing at the start of REST. + * + * On success, exits the current list. + */ +int +sexp_iterator_assoc(struct sexp_iterator *iterator, + unsigned nkeys, + const char * const *keys, + struct sexp_iterator *values); + + +/* Output functions. What is a reasonable API for this? It seems + * ugly to have to reimplement string streams. */ + +/* Declared for real in buffer.h */ +struct nettle_buffer; + +/* Returns the number of output characters, or 0 on out of memory. If + * buffer == NULL, just compute length. + * + * Format strings can contained matched parentheses, tokens ("foo" in + * the format string is formatted as "3:foo"), whitespace (which + * separates tokens but is otherwise ignored) and the following + * formatting specifiers: + * + * %s String represented as size_t length, const uint8_t *data. 
+ * + * %t Optional display type, represented as + * size_t display_length, const uint8_t *display, + * display == NULL means no display type. + * + * %i Non-negative small integer, uint32_t. + * + * %b Non-negative bignum, mpz_t. + * + * %l Literal string (no length added), typically a balanced + * subexpression. Represented as size_t length, const uint8_t + * *data. + * + * %(, %) Allows insertion of unbalanced parenthesis. + * + * Modifiers: + * + * %0 For %s, %t and %l, says that there's no length argument, + * instead the string is NUL-terminated, and there's only one + * const uint8_t * argument. + */ + +size_t +sexp_format(struct nettle_buffer *buffer, + const char *format, ...); + +size_t +sexp_vformat(struct nettle_buffer *buffer, + const char *format, va_list args); + +size_t +sexp_transport_format(struct nettle_buffer *buffer, + const char *format, ...); + +size_t +sexp_transport_vformat(struct nettle_buffer *buffer, + const char *format, va_list args); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_SEXP_H_INCLUDED */ diff --git a/external/nettle-3.3/nettle/sexp2bignum.c b/external/nettle-3.3/nettle/sexp2bignum.c new file mode 100644 index 0000000..692ee42 --- /dev/null +++ b/external/nettle-3.3/nettle/sexp2bignum.c 
@@ -0,0 +1,60 @@
+/* sexp2bignum.c
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "sexp.h"
+#include "bignum.h"
+
+int
+nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i)
+{
+ if (i->type == SEXP_ATOM
+ && i->atom_length
+ && !i->display)
+ {
+ /* Allow some extra here, for leading sign octets. */
+ if (limit && (8 * i->atom_length > (16 + limit)))
+ return 0;
+
+ nettle_mpz_set_str_256_s(x, i->atom_length, i->atom);
+
+ /* FIXME: How to interpret a limit for negative numbers? */
+ if (limit && mpz_sizeinbase(x, 2) > limit)
+ return 0;
+
+ return sexp_iterator_next(i);
+ }
+ else
+ return 0;
+}
diff --git a/external/nettle-3.3/nettle/sexp2rsa.c b/external/nettle-3.3/nettle/sexp2rsa.c
new file mode 100644
index 0000000..b42a3d4
--- /dev/null
+++ b/external/nettle-3.3/nettle/sexp2rsa.c
@@ -0,0 +1,115 @@
+/* sexp2rsa.c
+
+ Copyright (C) 2002 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "sexp.h"
+
+#define GET(x, l, v) \
+do { \
+ if (!nettle_mpz_set_sexp((x), (l), (v)) \
+ || mpz_sgn(x) <= 0) \
+ return 0; \
+} while(0)
+
+/* Iterator should point past the algorithm tag, e.g.
+ *
+ * (public-key (rsa (n |xxxx|) (e |xxxx|))
+ * ^ here
+ */
+
+int
+rsa_keypair_from_sexp_alist(struct rsa_public_key *pub,
+ struct rsa_private_key *priv,
+ unsigned limit,
+ struct sexp_iterator *i)
+{
+ static const char * const names[8]
+ = { "n", "e", "d", "p", "q", "a", "b", "c" };
+ struct sexp_iterator values[8];
+ unsigned nvalues = priv ? 8 : 2;
+
+ if (!sexp_iterator_assoc(i, nvalues, names, values))
+ return 0;
+
+ if (priv)
+ {
+ GET(priv->d, limit, &values[2]);
+ GET(priv->p, limit, &values[3]);
+ GET(priv->q, limit, &values[4]);
+ GET(priv->a, limit, &values[5]);
+ GET(priv->b, limit, &values[6]);
+ GET(priv->c, limit, &values[7]);
+
+ if (!rsa_private_key_prepare(priv))
+ return 0;
+ }
+
+ if (pub)
+ {
+ GET(pub->n, limit, &values[0]);
+ GET(pub->e, limit, &values[1]);
+
+ if (!rsa_public_key_prepare(pub))
+ return 0;
+ }
+
+ return 1;
+}
+
+int
+rsa_keypair_from_sexp(struct rsa_public_key *pub,
+ struct rsa_private_key *priv,
+ unsigned limit,
+ size_t length, const uint8_t *expr)
+{
+ struct sexp_iterator i;
+ static const char * const names[3]
+ = { "rsa", "rsa-pkcs1", "rsa-pkcs1-sha1" };
+
+ if (!sexp_iterator_first(&i, length, expr))
+ return 0;
+
+ if (!sexp_iterator_check_type(&i, priv ? "private-key" : "public-key"))
+ return 0;
+
+ if (!sexp_iterator_check_types(&i, 3, names))
+ return 0;
+
+ return rsa_keypair_from_sexp_alist(pub, priv, limit, &i);
+}
diff --git a/external/nettle-3.3/nettle/sha2.h b/external/nettle-3.3/nettle/sha2.h
new file mode 100644
index 0000000..d0426d7
--- /dev/null
+++ b/external/nettle-3.3/nettle/sha2.h
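Review bot: `rsa_keypair_from_sexp` passes `limit` straight through to `nettle_mpz_set_sexp`, whose size checks are written as `if (limit && ...)`, so a limit of 0 disables the bound entirely and an untrusted S-expression can carry arbitrarily large n, e, d, p, q values into the key structs. The call sites in this tree are not in this hunk, so the places that parse keys from files or the network should be confirmed to pass a nonzero bit limit. The GET macro also returns 0 after `nettle_mpz_set_sexp` may already have stored a value, so on failure `pub`/`priv` are left partially initialized and must not be used. A comment on `rsa_keypair_from_sexp_alist` would make both points visible, e.g. `/* LIMIT bounds the bit size of each parsed number; 0 means unbounded. On failure PUB/PRIV may be partially initialized. */`.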
@@ -0,0 +1,206 @@
+/* sha2.h
+
+ The sha2 family of hash functions.
+
+ Copyright (C) 2001, 2012 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_SHA2_H_INCLUDED
+#define NETTLE_SHA2_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define sha224_init nettle_sha224_init
+#define sha224_digest nettle_sha224_digest
+#define sha256_init nettle_sha256_init
+#define sha256_update nettle_sha256_update
+#define sha256_digest nettle_sha256_digest
+#define sha384_init nettle_sha384_init
+#define sha384_digest nettle_sha384_digest
+#define sha512_init nettle_sha512_init
+#define sha512_update nettle_sha512_update
+#define sha512_digest nettle_sha512_digest
+#define sha512_224_init nettle_sha512_224_init
+#define sha512_224_digest nettle_sha512_224_digest
+#define sha512_256_init nettle_sha512_256_init
+#define sha512_256_digest nettle_sha512_256_digest
+
+/* For backwards compatibility */
+#define SHA224_DATA_SIZE SHA256_BLOCK_SIZE
+#define SHA256_DATA_SIZE SHA256_BLOCK_SIZE
+#define SHA512_DATA_SIZE SHA512_BLOCK_SIZE
+#define SHA384_DATA_SIZE SHA512_BLOCK_SIZE
+
+/* SHA256 */
+
+#define SHA256_DIGEST_SIZE 32
+#define SHA256_BLOCK_SIZE 64
+
+/* Digest is kept internally as 8 32-bit words. */
+#define _SHA256_DIGEST_LENGTH 8
+
+struct sha256_ctx
+{
+ uint32_t state[_SHA256_DIGEST_LENGTH]; /* State variables */
+ uint64_t count; /* 64-bit block count */
+ uint8_t block[SHA256_BLOCK_SIZE]; /* SHA256 data buffer */
+ unsigned int index; /* index into buffer */
+};
+
+void
+sha256_init(struct sha256_ctx *ctx);
+
+void
+sha256_update(struct sha256_ctx *ctx,
+ size_t length,
+ const uint8_t *data);
+
+void
+sha256_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+/* Internal compression function. STATE points to 8 uint32_t words,
+ DATA points to 64 bytes of input data, possibly unaligned, and K
+ points to the table of constants. */
+void
+_nettle_sha256_compress(uint32_t *state, const uint8_t *data, const uint32_t *k);
+
+
+/* SHA224, a truncated SHA256 with different initial state. */
+
+#define SHA224_DIGEST_SIZE 28
+#define SHA224_BLOCK_SIZE SHA256_BLOCK_SIZE
+#define sha224_ctx sha256_ctx
+
+void
+sha224_init(struct sha256_ctx *ctx);
+
+#define sha224_update nettle_sha256_update
+
+void
+sha224_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+
+/* SHA512 */
+
+#define SHA512_DIGEST_SIZE 64
+#define SHA512_BLOCK_SIZE 128
+
+/* Digest is kept internally as 8 64-bit words. */
+#define _SHA512_DIGEST_LENGTH 8
+
+struct sha512_ctx
+{
+ uint64_t state[_SHA512_DIGEST_LENGTH]; /* State variables */
+ uint64_t count_low, count_high; /* 128-bit block count */
+ uint8_t block[SHA512_BLOCK_SIZE]; /* SHA512 data buffer */
+ unsigned int index; /* index into buffer */
+};
+
+void
+sha512_init(struct sha512_ctx *ctx);
+
+void
+sha512_update(struct sha512_ctx *ctx,
+ size_t length,
+ const uint8_t *data);
+
+void
+sha512_digest(struct sha512_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+/* Internal compression function. STATE points to 8 uint64_t words,
+ DATA points to 128 bytes of input data, possibly unaligned, and K
+ points to the table of constants. */
+void
+_nettle_sha512_compress(uint64_t *state, const uint8_t *data, const uint64_t *k);
+
+
+/* SHA384, a truncated SHA512 with different initial state. */
+
+#define SHA384_DIGEST_SIZE 48
+#define SHA384_BLOCK_SIZE SHA512_BLOCK_SIZE
+#define sha384_ctx sha512_ctx
+
+void
+sha384_init(struct sha512_ctx *ctx);
+
+#define sha384_update nettle_sha512_update
+
+void
+sha384_digest(struct sha512_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+
+/* SHA512_224 and SHA512_256, two truncated versions of SHA512
+ with different initial states. */
+
+#define SHA512_224_DIGEST_SIZE 28
+#define SHA512_224_BLOCK_SIZE SHA512_BLOCK_SIZE
+#define sha512_224_ctx sha512_ctx
+
+void
+sha512_224_init(struct sha512_224_ctx *ctx);
+
+#define sha512_224_update nettle_sha512_update
+
+void
+sha512_224_digest(struct sha512_224_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+#define SHA512_256_DIGEST_SIZE 32
+#define SHA512_256_BLOCK_SIZE SHA512_BLOCK_SIZE
+#define sha512_256_ctx sha512_ctx
+
+void
+sha512_256_init(struct sha512_256_ctx *ctx);
+
+#define sha512_256_update nettle_sha512_update
+
+void
+sha512_256_digest(struct sha512_256_ctx *ctx,
+ size_t length,
+ uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_SHA2_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/sha256-compress.c b/external/nettle-3.3/nettle/sha256-compress.c
new file mode 100644
index 0000000..8b82d70
--- /dev/null
+++ b/external/nettle-3.3/nettle/sha256-compress.c
@@ -0,0 +1,199 @@
+/* sha256-compress.c
+
+ The compression function of the sha256 hash function.
+
+ Copyright (C) 2001, 2010 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef SHA256_DEBUG
+# define SHA256_DEBUG 0
+#endif
+
+#if SHA256_DEBUG
+# include
+# define DEBUG(i) \
+ fprintf(stderr, "%2d: %8x %8x %8x %8x %8x %8x %8x %8x\n", \
+ i, A, B, C, D ,E, F, G, H)
+#else
+# define DEBUG(i)
+#endif
+
+#include
+#include
+#include
+
+#include "sha2.h"
+
+#include "macros.h"
+
+/* A block, treated as a sequence of 32-bit words. */
+#define SHA256_DATA_LENGTH 16
+
+/* The SHA256 functions. The Choice function is the same as the SHA1
+ function f1, and the majority function is the same as the SHA1 f3
+ function. They can be optimized to save one boolean operation each
+ - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering
+ this */
+
+/* #define Choice(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */
+#define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) )
+/* #define Majority(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */
+#define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
+
+#define S0(x) (ROTL32(30,(x)) ^ ROTL32(19,(x)) ^ ROTL32(10,(x)))
+#define S1(x) (ROTL32(26,(x)) ^ ROTL32(21,(x)) ^ ROTL32(7,(x)))
+
+#define s0(x) (ROTL32(25,(x)) ^ ROTL32(14,(x)) ^ ((x) >> 3))
+#define s1(x) (ROTL32(15,(x)) ^ ROTL32(13,(x)) ^ ((x) >> 10))
+
+/* The initial expanding function. The hash function is defined over an
+ 64-word expanded input array W, where the first 16 are copies of the input
+ data, and the remaining 64 are defined by
+
+ W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16]
+
+ This implementation generates these values on the fly in a circular
+ buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this
+ optimization.
+*/
+
+#define EXPAND(W,i) \
+( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) )
+
+/* The prototype SHA sub-round. The fundamental sub-round is:
+
+ T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t]
+ T2 = S0(a) + Majority(a,b,c)
+ a' = T1+T2
+ b' = a
+ c' = b
+ d' = c
+ e' = d + T1
+ f' = e
+ g' = f
+ h' = g
+
+ but this is implemented by unrolling the loop 8 times and renaming
+ the variables
+ ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each
+ iteration. */
+
+/* It's crucial that DATA is only used once, as that argument will
+ * have side effects. */
+#define ROUND(a,b,c,d,e,f,g,h,k,data) do { \
+ h += S1(e) + Choice(e,f,g) + k + data; \
+ d += h; \
+ h += S0(a) + Majority(a,b,c); \
+ } while (0)
+
+/* For fat builds */
+#if HAVE_NATIVE_sha256_compress
+void
+_nettle_sha256_compress_c(uint32_t *state, const uint8_t *input, const uint32_t *k);
+#define _nettle_sha256_compress _nettle_sha256_compress_c
+#endif
+
+void
+_nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k)
+{
+ uint32_t data[SHA256_DATA_LENGTH];
+ uint32_t A, B, C, D, E, F, G, H; /* Local vars */
+ unsigned i;
+ uint32_t *d;
+
+ for (i = 0; i < SHA256_DATA_LENGTH; i++, input+= 4)
+ {
+ data[i] = READ_UINT32(input);
+ }
+
+ /* Set up first buffer and local data buffer */
+ A = state[0];
+ B = state[1];
+ C = state[2];
+ D = state[3];
+ E = state[4];
+ F = state[5];
+ G = state[6];
+ H = state[7];
+
+ /* Heavy mangling */
+ /* First 16 subrounds that act on the original data */
+
+ DEBUG(-1);
+ for (i = 0, d = data; i<16; i+=8, k += 8, d+= 8)
+ {
+ ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); DEBUG(i);
+ ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); DEBUG(i+1);
+ ROUND(G, H, A, B, C, D, E, F, k[2], d[2]);
+ ROUND(F, G, H, A, B, C, D, E, k[3], d[3]);
+ ROUND(E, F, G, H, A, B, C, D, k[4], d[4]);
+ ROUND(D, E, F, G, H, A, B, C, k[5], d[5]);
+ ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); DEBUG(i+6);
+ ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); DEBUG(i+7);
+ }
+
+ for (; i<64; i += 16, k+= 16)
+ {
+ ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); DEBUG(i);
+ ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); DEBUG(i+1);
+ ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); DEBUG(i+2);
+ ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); DEBUG(i+3);
+ ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); DEBUG(i+4);
+ ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); DEBUG(i+5);
+ ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); DEBUG(i+6);
+ ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); DEBUG(i+7);
+ ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); DEBUG(i+8);
+ ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); DEBUG(i+9);
+ ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); DEBUG(i+10);
+ ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); DEBUG(i+11);
+ ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); DEBUG(i+12);
+ ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); DEBUG(i+13);
+ ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); DEBUG(i+14);
+ ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); DEBUG(i+15);
+ }
+
+ /* Update state */
+ state[0] += A;
+ state[1] += B;
+ state[2] += C;
+ state[3] += D;
+ state[4] += E;
+ state[5] += F;
+ state[6] += G;
+ state[7] += H;
+#if SHA256_DEBUG
+ fprintf(stderr, "99: %8x %8x %8x %8x %8x %8x %8x %8x\n",
+ state[0], state[1], state[2], state[3],
+ state[4], state[5], state[6], state[7]);
+#endif
+}
diff --git a/external/nettle-3.3/nettle/sha256.c b/external/nettle-3.3/nettle/sha256.c
new file mode 100644
index 0000000..0cb3559
--- /dev/null
+++ b/external/nettle-3.3/nettle/sha256.c
@@ -0,0 +1,162 @@
+/* sha256.c
+
+ The sha256 hash function.
+ See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+
+ Copyright (C) 2001 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+/* Modelled after the sha1.c code by Peter Gutmann. */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+#include
+
+#include "sha2.h"
+
+#include "macros.h"
+#include "nettle-write.h"
+
+/* Generated by the shadata program. */
+static const uint32_t
+K[64] =
+{
+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
+ 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
+ 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
+ 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
+ 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
+ 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
+ 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
+ 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
+ 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
+ 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
+ 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
+ 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
+ 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
+};
+
+#define COMPRESS(ctx, data) (_nettle_sha256_compress((ctx)->state, (data), K))
+
+/* Initialize the SHA values */
+
+void
+sha256_init(struct sha256_ctx *ctx)
+{
+ /* Initial values, also generated by the shadata program. */
+ static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
+ {
+ 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
+ 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
+ };
+
+ memcpy(ctx->state, H0, sizeof(H0));
+
+ /* Initialize bit count */
+ ctx->count = 0;
+
+ /* Initialize buffer */
+ ctx->index = 0;
+}
+
+void
+sha256_update(struct sha256_ctx *ctx,
+ size_t length, const uint8_t *data)
+{
+ MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++);
+}
+
+static void
+sha256_write_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest)
+{
+ uint64_t bit_count;
+
+ assert(length <= SHA256_DIGEST_SIZE);
+
+ MD_PAD(ctx, 8, COMPRESS);
+
+ /* There are 512 = 2^9 bits in one block */
+ bit_count = (ctx->count << 9) | (ctx->index << 3);
+
+ /* This is slightly inefficient, as the numbers are converted to
+ big-endian format, and will be converted back by the compression
+ function. It's probably not worth the effort to fix this. */
+ WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
+ COMPRESS(ctx, ctx->block);
+
+ _nettle_write_be32(length, digest, ctx->state);
+}
+
+void
+sha256_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest)
+{
+ sha256_write_digest(ctx, length, digest);
+ sha256_init(ctx);
+}
+
+/* sha224 variant. */
+
+void
+sha224_init(struct sha256_ctx *ctx)
+{
+ /* Initial values. Low 32 bits of the initial values for sha384. */
+ static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
+ {
+ 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
+ 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
+ };
+
+ memcpy(ctx->state, H0, sizeof(H0));
+
+ /* Initialize bit count */
+ ctx->count = 0;
+
+ /* Initialize buffer */
+ ctx->index = 0;
+}
+
+void
+sha224_digest(struct sha256_ctx *ctx,
+ size_t length,
+ uint8_t *digest)
+{
+ sha256_write_digest(ctx, length, digest);
+ sha224_init(ctx);
+}
diff --git a/external/nettle-3.3/nettle/version.h b/external/nettle-3.3/nettle/version.h
new file mode 100644
index 0000000..3a1d20c
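Review bot: `sha256_write_digest` bounds `length` only with `assert(length <= SHA256_DIGEST_SIZE)`; when NDEBUG is defined, which CMake's default Release flags do, that check disappears and a larger `length` makes `_nettle_write_be32` read past the 8-word `ctx->state` while writing `length` bytes to `digest`. Because this copy is built from the new CMakeLists.txt rather than nettle's own build, the call sites in this tree (not in this hunk) should pass a constant such as `SHA256_DIGEST_SIZE` or `SHA224_DIGEST_SIZE`, or clamp the value before calling; `sha224_digest` shares the same path. A comment on the two public digest functions would make the contract visible, e.g. `/* LENGTH must be at most SHA256_DIGEST_SIZE; enforced only by assert(). */`.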
--- /dev/null
+++ b/external/nettle-3.3/nettle/version.h
@@ -0,0 +1,58 @@
+/* version.h
+
+ Information about library version.
+
+ Copyright (C) 2015 Red Hat, Inc.
+ Copyright (C) 2015 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_VERSION_H_INCLUDED
+#define NETTLE_VERSION_H_INCLUDED
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Individual version numbers in decimal */
+#define NETTLE_VERSION_MAJOR 3
+#define NETTLE_VERSION_MINOR 3
+
+#define NETTLE_USE_MINI_GMP 1
+
+/* We need a preprocessor constant for GMP_NUMB_BITS, simply using
+ sizeof(mp_limb_t) * CHAR_BIT is not good enough. */
+#if NETTLE_USE_MINI_GMP
+# define GMP_NUMB_BITS (sizeof(unsigned long) * 8)
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_VERSION_H_INCLUDED */
diff --git a/external/nettle-3.3/nettle/write-be32.c b/external/nettle-3.3/nettle/write-be32.c
new file mode 100644
index 0000000..7d68905
--- /dev/null
+++ b/external/nettle-3.3/nettle/write-be32.c
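Review bot: `GMP_NUMB_BITS` is defined as `(sizeof(unsigned long) * 8)` directly under a comment saying a preprocessor constant is needed because a sizeof expression is not good enough; the definition contradicts its own comment, and any `#if` test on `GMP_NUMB_BITS` in the vendored headers would fail to preprocess, since `sizeof` cannot be evaluated in `#if`. Upstream substitutes a literal into this header at configure time, and this copy is hand-maintained for the CMake build, so it should carry a real constant; a fixed `64` would be wrong on LLP64 targets (64-bit Windows), where `unsigned long` is 32 bits, which is why selecting on `ULONG_MAX` (with `<limits.h>` included) is preferable. This assumes the vendored mini-gmp.h keeps its default `unsigned long` limb type — worth verifying in that file before relying on it.
```c
/* We need a preprocessor constant for GMP_NUMB_BITS, simply using
   sizeof(mp_limb_t) * CHAR_BIT is not good enough. */
#if NETTLE_USE_MINI_GMP
# if ULONG_MAX == 0xffffffffUL
#  define GMP_NUMB_BITS 32
# elif ULONG_MAX == 0xffffffffffffffffUL
#  define GMP_NUMB_BITS 64
# else
#  error "unsupported unsigned long width for mini-gmp limbs"
# endif
#endif
```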
@@ -0,0 +1,77 @@
+/* write-be32.c
+
+ Copyright (C) 2001 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "nettle-write.h"
+
+#include "macros.h"
+
+void
+_nettle_write_be32(size_t length, uint8_t *dst,
+ uint32_t *src)
+{
+ size_t i;
+ size_t words;
+ unsigned leftover;
+
+ words = length / 4;
+ leftover = length % 4;
+
+ for (i = 0; i < words; i++, dst += 4)
+ WRITE_UINT32(dst, src[i]);
+
+ if (leftover)
+ {
+ uint32_t word;
+ unsigned j = leftover;
+
+ word = src[i];
+
+ switch (leftover)
+ {
+ default:
+ abort();
+ case 3:
+ dst[--j] = (word >> 8) & 0xff;
+ /* Fall through */
+ case 2:
+ dst[--j] = (word >> 16) & 0xff;
+ /* Fall through */
+ case 1:
+ dst[--j] = (word >> 24) & 0xff;
+ }
+ }
+}
-- cgit