1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-or-later
2*4882a593Smuzhiyun /* mpi-pow.c - MPI functions
3*4882a593Smuzhiyun * Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc.
4*4882a593Smuzhiyun *
5*4882a593Smuzhiyun * This file is part of GnuPG.
6*4882a593Smuzhiyun *
7*4882a593Smuzhiyun * Note: This code is heavily based on the GNU MP Library.
8*4882a593Smuzhiyun * Actually it's the same code with only minor changes in the
9*4882a593Smuzhiyun * way the data is stored; this is to support the abstraction
10*4882a593Smuzhiyun * of an optional secure memory allocation which may be used
11*4882a593Smuzhiyun * to avoid revealing of sensitive data due to paging etc.
12*4882a593Smuzhiyun * The GNU MP Library itself is published under the LGPL;
13*4882a593Smuzhiyun * however I decided to publish this code under the plain GPL.
14*4882a593Smuzhiyun */
15*4882a593Smuzhiyun
16*4882a593Smuzhiyun #include <linux/sched.h>
17*4882a593Smuzhiyun #include <linux/string.h>
18*4882a593Smuzhiyun #include "mpi-internal.h"
19*4882a593Smuzhiyun #include "longlong.h"
20*4882a593Smuzhiyun
21*4882a593Smuzhiyun /****************
22*4882a593Smuzhiyun * RES = BASE ^ EXP mod MOD
23*4882a593Smuzhiyun */
mpi_powm(MPI res,MPI base,MPI exp,MPI mod)24*4882a593Smuzhiyun int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
25*4882a593Smuzhiyun {
26*4882a593Smuzhiyun mpi_ptr_t mp_marker = NULL, bp_marker = NULL, ep_marker = NULL;
27*4882a593Smuzhiyun struct karatsuba_ctx karactx = {};
28*4882a593Smuzhiyun mpi_ptr_t xp_marker = NULL;
29*4882a593Smuzhiyun mpi_ptr_t tspace = NULL;
30*4882a593Smuzhiyun mpi_ptr_t rp, ep, mp, bp;
31*4882a593Smuzhiyun mpi_size_t esize, msize, bsize, rsize;
32*4882a593Smuzhiyun int msign, bsign, rsign;
33*4882a593Smuzhiyun mpi_size_t size;
34*4882a593Smuzhiyun int mod_shift_cnt;
35*4882a593Smuzhiyun int negative_result;
36*4882a593Smuzhiyun int assign_rp = 0;
37*4882a593Smuzhiyun mpi_size_t tsize = 0; /* to avoid compiler warning */
38*4882a593Smuzhiyun /* fixme: we should check that the warning is void */
39*4882a593Smuzhiyun int rc = -ENOMEM;
40*4882a593Smuzhiyun
41*4882a593Smuzhiyun esize = exp->nlimbs;
42*4882a593Smuzhiyun msize = mod->nlimbs;
43*4882a593Smuzhiyun size = 2 * msize;
44*4882a593Smuzhiyun msign = mod->sign;
45*4882a593Smuzhiyun
46*4882a593Smuzhiyun rp = res->d;
47*4882a593Smuzhiyun ep = exp->d;
48*4882a593Smuzhiyun
49*4882a593Smuzhiyun if (!msize)
50*4882a593Smuzhiyun return -EINVAL;
51*4882a593Smuzhiyun
52*4882a593Smuzhiyun if (!esize) {
53*4882a593Smuzhiyun /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
54*4882a593Smuzhiyun * depending on if MOD equals 1. */
55*4882a593Smuzhiyun res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
56*4882a593Smuzhiyun if (res->nlimbs) {
57*4882a593Smuzhiyun if (mpi_resize(res, 1) < 0)
58*4882a593Smuzhiyun goto enomem;
59*4882a593Smuzhiyun rp = res->d;
60*4882a593Smuzhiyun rp[0] = 1;
61*4882a593Smuzhiyun }
62*4882a593Smuzhiyun res->sign = 0;
63*4882a593Smuzhiyun goto leave;
64*4882a593Smuzhiyun }
65*4882a593Smuzhiyun
66*4882a593Smuzhiyun /* Normalize MOD (i.e. make its most significant bit set) as required by
67*4882a593Smuzhiyun * mpn_divrem. This will make the intermediate values in the calculation
68*4882a593Smuzhiyun * slightly larger, but the correct result is obtained after a final
69*4882a593Smuzhiyun * reduction using the original MOD value. */
70*4882a593Smuzhiyun mp = mp_marker = mpi_alloc_limb_space(msize);
71*4882a593Smuzhiyun if (!mp)
72*4882a593Smuzhiyun goto enomem;
73*4882a593Smuzhiyun mod_shift_cnt = count_leading_zeros(mod->d[msize - 1]);
74*4882a593Smuzhiyun if (mod_shift_cnt)
75*4882a593Smuzhiyun mpihelp_lshift(mp, mod->d, msize, mod_shift_cnt);
76*4882a593Smuzhiyun else
77*4882a593Smuzhiyun MPN_COPY(mp, mod->d, msize);
78*4882a593Smuzhiyun
79*4882a593Smuzhiyun bsize = base->nlimbs;
80*4882a593Smuzhiyun bsign = base->sign;
81*4882a593Smuzhiyun if (bsize > msize) { /* The base is larger than the module. Reduce it. */
82*4882a593Smuzhiyun /* Allocate (BSIZE + 1) with space for remainder and quotient.
83*4882a593Smuzhiyun * (The quotient is (bsize - msize + 1) limbs.) */
84*4882a593Smuzhiyun bp = bp_marker = mpi_alloc_limb_space(bsize + 1);
85*4882a593Smuzhiyun if (!bp)
86*4882a593Smuzhiyun goto enomem;
87*4882a593Smuzhiyun MPN_COPY(bp, base->d, bsize);
88*4882a593Smuzhiyun /* We don't care about the quotient, store it above the remainder,
89*4882a593Smuzhiyun * at BP + MSIZE. */
90*4882a593Smuzhiyun mpihelp_divrem(bp + msize, 0, bp, bsize, mp, msize);
91*4882a593Smuzhiyun bsize = msize;
92*4882a593Smuzhiyun /* Canonicalize the base, since we are going to multiply with it
93*4882a593Smuzhiyun * quite a few times. */
94*4882a593Smuzhiyun MPN_NORMALIZE(bp, bsize);
95*4882a593Smuzhiyun } else
96*4882a593Smuzhiyun bp = base->d;
97*4882a593Smuzhiyun
98*4882a593Smuzhiyun if (!bsize) {
99*4882a593Smuzhiyun res->nlimbs = 0;
100*4882a593Smuzhiyun res->sign = 0;
101*4882a593Smuzhiyun goto leave;
102*4882a593Smuzhiyun }
103*4882a593Smuzhiyun
104*4882a593Smuzhiyun if (res->alloced < size) {
105*4882a593Smuzhiyun /* We have to allocate more space for RES. If any of the input
106*4882a593Smuzhiyun * parameters are identical to RES, defer deallocation of the old
107*4882a593Smuzhiyun * space. */
108*4882a593Smuzhiyun if (rp == ep || rp == mp || rp == bp) {
109*4882a593Smuzhiyun rp = mpi_alloc_limb_space(size);
110*4882a593Smuzhiyun if (!rp)
111*4882a593Smuzhiyun goto enomem;
112*4882a593Smuzhiyun assign_rp = 1;
113*4882a593Smuzhiyun } else {
114*4882a593Smuzhiyun if (mpi_resize(res, size) < 0)
115*4882a593Smuzhiyun goto enomem;
116*4882a593Smuzhiyun rp = res->d;
117*4882a593Smuzhiyun }
118*4882a593Smuzhiyun } else { /* Make BASE, EXP and MOD not overlap with RES. */
119*4882a593Smuzhiyun if (rp == bp) {
120*4882a593Smuzhiyun /* RES and BASE are identical. Allocate temp. space for BASE. */
121*4882a593Smuzhiyun BUG_ON(bp_marker);
122*4882a593Smuzhiyun bp = bp_marker = mpi_alloc_limb_space(bsize);
123*4882a593Smuzhiyun if (!bp)
124*4882a593Smuzhiyun goto enomem;
125*4882a593Smuzhiyun MPN_COPY(bp, rp, bsize);
126*4882a593Smuzhiyun }
127*4882a593Smuzhiyun if (rp == ep) {
128*4882a593Smuzhiyun /* RES and EXP are identical. Allocate temp. space for EXP. */
129*4882a593Smuzhiyun ep = ep_marker = mpi_alloc_limb_space(esize);
130*4882a593Smuzhiyun if (!ep)
131*4882a593Smuzhiyun goto enomem;
132*4882a593Smuzhiyun MPN_COPY(ep, rp, esize);
133*4882a593Smuzhiyun }
134*4882a593Smuzhiyun if (rp == mp) {
135*4882a593Smuzhiyun /* RES and MOD are identical. Allocate temporary space for MOD. */
136*4882a593Smuzhiyun BUG_ON(mp_marker);
137*4882a593Smuzhiyun mp = mp_marker = mpi_alloc_limb_space(msize);
138*4882a593Smuzhiyun if (!mp)
139*4882a593Smuzhiyun goto enomem;
140*4882a593Smuzhiyun MPN_COPY(mp, rp, msize);
141*4882a593Smuzhiyun }
142*4882a593Smuzhiyun }
143*4882a593Smuzhiyun
144*4882a593Smuzhiyun MPN_COPY(rp, bp, bsize);
145*4882a593Smuzhiyun rsize = bsize;
146*4882a593Smuzhiyun rsign = bsign;
147*4882a593Smuzhiyun
148*4882a593Smuzhiyun {
149*4882a593Smuzhiyun mpi_size_t i;
150*4882a593Smuzhiyun mpi_ptr_t xp;
151*4882a593Smuzhiyun int c;
152*4882a593Smuzhiyun mpi_limb_t e;
153*4882a593Smuzhiyun mpi_limb_t carry_limb;
154*4882a593Smuzhiyun
155*4882a593Smuzhiyun xp = xp_marker = mpi_alloc_limb_space(2 * (msize + 1));
156*4882a593Smuzhiyun if (!xp)
157*4882a593Smuzhiyun goto enomem;
158*4882a593Smuzhiyun
159*4882a593Smuzhiyun negative_result = (ep[0] & 1) && base->sign;
160*4882a593Smuzhiyun
161*4882a593Smuzhiyun i = esize - 1;
162*4882a593Smuzhiyun e = ep[i];
163*4882a593Smuzhiyun c = count_leading_zeros(e);
164*4882a593Smuzhiyun e = (e << c) << 1; /* shift the exp bits to the left, lose msb */
165*4882a593Smuzhiyun c = BITS_PER_MPI_LIMB - 1 - c;
166*4882a593Smuzhiyun
167*4882a593Smuzhiyun /* Main loop.
168*4882a593Smuzhiyun *
169*4882a593Smuzhiyun * Make the result be pointed to alternately by XP and RP. This
170*4882a593Smuzhiyun * helps us avoid block copying, which would otherwise be necessary
171*4882a593Smuzhiyun * with the overlap restrictions of mpihelp_divmod. With 50% probability
172*4882a593Smuzhiyun * the result after this loop will be in the area originally pointed
173*4882a593Smuzhiyun * by RP (==RES->d), and with 50% probability in the area originally
174*4882a593Smuzhiyun * pointed to by XP.
175*4882a593Smuzhiyun */
176*4882a593Smuzhiyun
177*4882a593Smuzhiyun for (;;) {
178*4882a593Smuzhiyun while (c) {
179*4882a593Smuzhiyun mpi_ptr_t tp;
180*4882a593Smuzhiyun mpi_size_t xsize;
181*4882a593Smuzhiyun
182*4882a593Smuzhiyun /*if (mpihelp_mul_n(xp, rp, rp, rsize) < 0) goto enomem */
183*4882a593Smuzhiyun if (rsize < KARATSUBA_THRESHOLD)
184*4882a593Smuzhiyun mpih_sqr_n_basecase(xp, rp, rsize);
185*4882a593Smuzhiyun else {
186*4882a593Smuzhiyun if (!tspace) {
187*4882a593Smuzhiyun tsize = 2 * rsize;
188*4882a593Smuzhiyun tspace =
189*4882a593Smuzhiyun mpi_alloc_limb_space(tsize);
190*4882a593Smuzhiyun if (!tspace)
191*4882a593Smuzhiyun goto enomem;
192*4882a593Smuzhiyun } else if (tsize < (2 * rsize)) {
193*4882a593Smuzhiyun mpi_free_limb_space(tspace);
194*4882a593Smuzhiyun tsize = 2 * rsize;
195*4882a593Smuzhiyun tspace =
196*4882a593Smuzhiyun mpi_alloc_limb_space(tsize);
197*4882a593Smuzhiyun if (!tspace)
198*4882a593Smuzhiyun goto enomem;
199*4882a593Smuzhiyun }
200*4882a593Smuzhiyun mpih_sqr_n(xp, rp, rsize, tspace);
201*4882a593Smuzhiyun }
202*4882a593Smuzhiyun
203*4882a593Smuzhiyun xsize = 2 * rsize;
204*4882a593Smuzhiyun if (xsize > msize) {
205*4882a593Smuzhiyun mpihelp_divrem(xp + msize, 0, xp, xsize,
206*4882a593Smuzhiyun mp, msize);
207*4882a593Smuzhiyun xsize = msize;
208*4882a593Smuzhiyun }
209*4882a593Smuzhiyun
210*4882a593Smuzhiyun tp = rp;
211*4882a593Smuzhiyun rp = xp;
212*4882a593Smuzhiyun xp = tp;
213*4882a593Smuzhiyun rsize = xsize;
214*4882a593Smuzhiyun
215*4882a593Smuzhiyun if ((mpi_limb_signed_t) e < 0) {
216*4882a593Smuzhiyun /*mpihelp_mul( xp, rp, rsize, bp, bsize ); */
217*4882a593Smuzhiyun if (bsize < KARATSUBA_THRESHOLD) {
218*4882a593Smuzhiyun mpi_limb_t tmp;
219*4882a593Smuzhiyun if (mpihelp_mul
220*4882a593Smuzhiyun (xp, rp, rsize, bp, bsize,
221*4882a593Smuzhiyun &tmp) < 0)
222*4882a593Smuzhiyun goto enomem;
223*4882a593Smuzhiyun } else {
224*4882a593Smuzhiyun if (mpihelp_mul_karatsuba_case
225*4882a593Smuzhiyun (xp, rp, rsize, bp, bsize,
226*4882a593Smuzhiyun &karactx) < 0)
227*4882a593Smuzhiyun goto enomem;
228*4882a593Smuzhiyun }
229*4882a593Smuzhiyun
230*4882a593Smuzhiyun xsize = rsize + bsize;
231*4882a593Smuzhiyun if (xsize > msize) {
232*4882a593Smuzhiyun mpihelp_divrem(xp + msize, 0,
233*4882a593Smuzhiyun xp, xsize, mp,
234*4882a593Smuzhiyun msize);
235*4882a593Smuzhiyun xsize = msize;
236*4882a593Smuzhiyun }
237*4882a593Smuzhiyun
238*4882a593Smuzhiyun tp = rp;
239*4882a593Smuzhiyun rp = xp;
240*4882a593Smuzhiyun xp = tp;
241*4882a593Smuzhiyun rsize = xsize;
242*4882a593Smuzhiyun }
243*4882a593Smuzhiyun e <<= 1;
244*4882a593Smuzhiyun c--;
245*4882a593Smuzhiyun cond_resched();
246*4882a593Smuzhiyun }
247*4882a593Smuzhiyun
248*4882a593Smuzhiyun i--;
249*4882a593Smuzhiyun if (i < 0)
250*4882a593Smuzhiyun break;
251*4882a593Smuzhiyun e = ep[i];
252*4882a593Smuzhiyun c = BITS_PER_MPI_LIMB;
253*4882a593Smuzhiyun }
254*4882a593Smuzhiyun
255*4882a593Smuzhiyun /* We shifted MOD, the modulo reduction argument, left MOD_SHIFT_CNT
256*4882a593Smuzhiyun * steps. Adjust the result by reducing it with the original MOD.
257*4882a593Smuzhiyun *
258*4882a593Smuzhiyun * Also make sure the result is put in RES->d (where it already
259*4882a593Smuzhiyun * might be, see above).
260*4882a593Smuzhiyun */
261*4882a593Smuzhiyun if (mod_shift_cnt) {
262*4882a593Smuzhiyun carry_limb =
263*4882a593Smuzhiyun mpihelp_lshift(res->d, rp, rsize, mod_shift_cnt);
264*4882a593Smuzhiyun rp = res->d;
265*4882a593Smuzhiyun if (carry_limb) {
266*4882a593Smuzhiyun rp[rsize] = carry_limb;
267*4882a593Smuzhiyun rsize++;
268*4882a593Smuzhiyun }
269*4882a593Smuzhiyun } else {
270*4882a593Smuzhiyun MPN_COPY(res->d, rp, rsize);
271*4882a593Smuzhiyun rp = res->d;
272*4882a593Smuzhiyun }
273*4882a593Smuzhiyun
274*4882a593Smuzhiyun if (rsize >= msize) {
275*4882a593Smuzhiyun mpihelp_divrem(rp + msize, 0, rp, rsize, mp, msize);
276*4882a593Smuzhiyun rsize = msize;
277*4882a593Smuzhiyun }
278*4882a593Smuzhiyun
279*4882a593Smuzhiyun /* Remove any leading zero words from the result. */
280*4882a593Smuzhiyun if (mod_shift_cnt)
281*4882a593Smuzhiyun mpihelp_rshift(rp, rp, rsize, mod_shift_cnt);
282*4882a593Smuzhiyun MPN_NORMALIZE(rp, rsize);
283*4882a593Smuzhiyun }
284*4882a593Smuzhiyun
285*4882a593Smuzhiyun if (negative_result && rsize) {
286*4882a593Smuzhiyun if (mod_shift_cnt)
287*4882a593Smuzhiyun mpihelp_rshift(mp, mp, msize, mod_shift_cnt);
288*4882a593Smuzhiyun mpihelp_sub(rp, mp, msize, rp, rsize);
289*4882a593Smuzhiyun rsize = msize;
290*4882a593Smuzhiyun rsign = msign;
291*4882a593Smuzhiyun MPN_NORMALIZE(rp, rsize);
292*4882a593Smuzhiyun }
293*4882a593Smuzhiyun res->nlimbs = rsize;
294*4882a593Smuzhiyun res->sign = rsign;
295*4882a593Smuzhiyun
296*4882a593Smuzhiyun leave:
297*4882a593Smuzhiyun rc = 0;
298*4882a593Smuzhiyun enomem:
299*4882a593Smuzhiyun mpihelp_release_karatsuba_ctx(&karactx);
300*4882a593Smuzhiyun if (assign_rp)
301*4882a593Smuzhiyun mpi_assign_limb_space(res, rp, size);
302*4882a593Smuzhiyun if (mp_marker)
303*4882a593Smuzhiyun mpi_free_limb_space(mp_marker);
304*4882a593Smuzhiyun if (bp_marker)
305*4882a593Smuzhiyun mpi_free_limb_space(bp_marker);
306*4882a593Smuzhiyun if (ep_marker)
307*4882a593Smuzhiyun mpi_free_limb_space(ep_marker);
308*4882a593Smuzhiyun if (xp_marker)
309*4882a593Smuzhiyun mpi_free_limb_space(xp_marker);
310*4882a593Smuzhiyun if (tspace)
311*4882a593Smuzhiyun mpi_free_limb_space(tspace);
312*4882a593Smuzhiyun return rc;
313*4882a593Smuzhiyun }
314*4882a593Smuzhiyun EXPORT_SYMBOL_GPL(mpi_powm);
315