crypto/mpi/mpi-pow.c

*2a598d0bSHerbert Xu// SPDX-License-Identifier: GPL-2.0-or-later
*2a598d0bSHerbert Xu/* mpi-pow.c  -  MPI functions
*2a598d0bSHerbert Xu *	Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc.
*2a598d0bSHerbert Xu *
*2a598d0bSHerbert Xu * This file is part of GnuPG.
*2a598d0bSHerbert Xu *
*2a598d0bSHerbert Xu * Note: This code is heavily based on the GNU MP Library.
*2a598d0bSHerbert Xu *	 Actually it's the same code with only minor changes in the
*2a598d0bSHerbert Xu *	 way the data is stored; this is to support the abstraction
*2a598d0bSHerbert Xu *	 of an optional secure memory allocation which may be used
*2a598d0bSHerbert Xu *	 to avoid revealing of sensitive data due to paging etc.
*2a598d0bSHerbert Xu *	 The GNU MP Library itself is published under the LGPL;
*2a598d0bSHerbert Xu *	 however I decided to publish this code under the plain GPL.
*2a598d0bSHerbert Xu */
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu#include <linux/sched.h>
*2a598d0bSHerbert Xu#include <linux/string.h>
*2a598d0bSHerbert Xu#include "mpi-internal.h"
*2a598d0bSHerbert Xu#include "longlong.h"
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu/****************
*2a598d0bSHerbert Xu * RES = BASE ^ EXP mod MOD
*2a598d0bSHerbert Xu */
*2a598d0bSHerbert Xuint mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
*2a598d0bSHerbert Xu{
*2a598d0bSHerbert Xu	mpi_ptr_t mp_marker = NULL, bp_marker = NULL, ep_marker = NULL;
*2a598d0bSHerbert Xu	struct karatsuba_ctx karactx = {};
*2a598d0bSHerbert Xu	mpi_ptr_t xp_marker = NULL;
*2a598d0bSHerbert Xu	mpi_ptr_t tspace = NULL;
*2a598d0bSHerbert Xu	mpi_ptr_t rp, ep, mp, bp;
*2a598d0bSHerbert Xu	mpi_size_t esize, msize, bsize, rsize;
*2a598d0bSHerbert Xu	int msign, bsign, rsign;
*2a598d0bSHerbert Xu	mpi_size_t size;
*2a598d0bSHerbert Xu	int mod_shift_cnt;
*2a598d0bSHerbert Xu	int negative_result;
*2a598d0bSHerbert Xu	int assign_rp = 0;
*2a598d0bSHerbert Xu	mpi_size_t tsize = 0;	/* to avoid compiler warning */
*2a598d0bSHerbert Xu	/* fixme: we should check that the warning is void */
*2a598d0bSHerbert Xu	int rc = -ENOMEM;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	esize = exp->nlimbs;
*2a598d0bSHerbert Xu	msize = mod->nlimbs;
*2a598d0bSHerbert Xu	size = 2 * msize;
*2a598d0bSHerbert Xu	msign = mod->sign;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	rp = res->d;
*2a598d0bSHerbert Xu	ep = exp->d;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	if (!msize)
*2a598d0bSHerbert Xu		return -EINVAL;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	if (!esize) {
*2a598d0bSHerbert Xu		/* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
*2a598d0bSHerbert Xu		 * depending on if MOD equals 1.  */
*2a598d0bSHerbert Xu		res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
*2a598d0bSHerbert Xu		if (res->nlimbs) {
*2a598d0bSHerbert Xu			if (mpi_resize(res, 1) < 0)
*2a598d0bSHerbert Xu				goto enomem;
*2a598d0bSHerbert Xu			rp = res->d;
*2a598d0bSHerbert Xu			rp[0] = 1;
*2a598d0bSHerbert Xu		}
*2a598d0bSHerbert Xu		res->sign = 0;
*2a598d0bSHerbert Xu		goto leave;
*2a598d0bSHerbert Xu	}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	/* Normalize MOD (i.e. make its most significant bit set) as required by
*2a598d0bSHerbert Xu	 * mpn_divrem.  This will make the intermediate values in the calculation
*2a598d0bSHerbert Xu	 * slightly larger, but the correct result is obtained after a final
*2a598d0bSHerbert Xu	 * reduction using the original MOD value.  */
*2a598d0bSHerbert Xu	mp = mp_marker = mpi_alloc_limb_space(msize);
*2a598d0bSHerbert Xu	if (!mp)
*2a598d0bSHerbert Xu		goto enomem;
*2a598d0bSHerbert Xu	mod_shift_cnt = count_leading_zeros(mod->d[msize - 1]);
*2a598d0bSHerbert Xu	if (mod_shift_cnt)
*2a598d0bSHerbert Xu		mpihelp_lshift(mp, mod->d, msize, mod_shift_cnt);
*2a598d0bSHerbert Xu	else
*2a598d0bSHerbert Xu		MPN_COPY(mp, mod->d, msize);
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	bsize = base->nlimbs;
*2a598d0bSHerbert Xu	bsign = base->sign;
*2a598d0bSHerbert Xu	if (bsize > msize) {	/* The base is larger than the module. Reduce it. */
*2a598d0bSHerbert Xu		/* Allocate (BSIZE + 1) with space for remainder and quotient.
*2a598d0bSHerbert Xu		 * (The quotient is (bsize - msize + 1) limbs.)  */
*2a598d0bSHerbert Xu		bp = bp_marker = mpi_alloc_limb_space(bsize + 1);
*2a598d0bSHerbert Xu		if (!bp)
*2a598d0bSHerbert Xu			goto enomem;
*2a598d0bSHerbert Xu		MPN_COPY(bp, base->d, bsize);
*2a598d0bSHerbert Xu		/* We don't care about the quotient, store it above the remainder,
*2a598d0bSHerbert Xu		 * at BP + MSIZE.  */
*2a598d0bSHerbert Xu		mpihelp_divrem(bp + msize, 0, bp, bsize, mp, msize);
*2a598d0bSHerbert Xu		bsize = msize;
*2a598d0bSHerbert Xu		/* Canonicalize the base, since we are going to multiply with it
*2a598d0bSHerbert Xu		 * quite a few times.  */
*2a598d0bSHerbert Xu		MPN_NORMALIZE(bp, bsize);
*2a598d0bSHerbert Xu	} else
*2a598d0bSHerbert Xu		bp = base->d;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	if (!bsize) {
*2a598d0bSHerbert Xu		res->nlimbs = 0;
*2a598d0bSHerbert Xu		res->sign = 0;
*2a598d0bSHerbert Xu		goto leave;
*2a598d0bSHerbert Xu	}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	if (res->alloced < size) {
*2a598d0bSHerbert Xu		/* We have to allocate more space for RES.  If any of the input
*2a598d0bSHerbert Xu		 * parameters are identical to RES, defer deallocation of the old
*2a598d0bSHerbert Xu		 * space.  */
*2a598d0bSHerbert Xu		if (rp == ep || rp == mp || rp == bp) {
*2a598d0bSHerbert Xu			rp = mpi_alloc_limb_space(size);
*2a598d0bSHerbert Xu			if (!rp)
*2a598d0bSHerbert Xu				goto enomem;
*2a598d0bSHerbert Xu			assign_rp = 1;
*2a598d0bSHerbert Xu		} else {
*2a598d0bSHerbert Xu			if (mpi_resize(res, size) < 0)
*2a598d0bSHerbert Xu				goto enomem;
*2a598d0bSHerbert Xu			rp = res->d;
*2a598d0bSHerbert Xu		}
*2a598d0bSHerbert Xu	} else {		/* Make BASE, EXP and MOD not overlap with RES.  */
*2a598d0bSHerbert Xu		if (rp == bp) {
*2a598d0bSHerbert Xu			/* RES and BASE are identical.  Allocate temp. space for BASE.  */
*2a598d0bSHerbert Xu			BUG_ON(bp_marker);
*2a598d0bSHerbert Xu			bp = bp_marker = mpi_alloc_limb_space(bsize);
*2a598d0bSHerbert Xu			if (!bp)
*2a598d0bSHerbert Xu				goto enomem;
*2a598d0bSHerbert Xu			MPN_COPY(bp, rp, bsize);
*2a598d0bSHerbert Xu		}
*2a598d0bSHerbert Xu		if (rp == ep) {
*2a598d0bSHerbert Xu			/* RES and EXP are identical.  Allocate temp. space for EXP.  */
*2a598d0bSHerbert Xu			ep = ep_marker = mpi_alloc_limb_space(esize);
*2a598d0bSHerbert Xu			if (!ep)
*2a598d0bSHerbert Xu				goto enomem;
*2a598d0bSHerbert Xu			MPN_COPY(ep, rp, esize);
*2a598d0bSHerbert Xu		}
*2a598d0bSHerbert Xu		if (rp == mp) {
*2a598d0bSHerbert Xu			/* RES and MOD are identical.  Allocate temporary space for MOD. */
*2a598d0bSHerbert Xu			BUG_ON(mp_marker);
*2a598d0bSHerbert Xu			mp = mp_marker = mpi_alloc_limb_space(msize);
*2a598d0bSHerbert Xu			if (!mp)
*2a598d0bSHerbert Xu				goto enomem;
*2a598d0bSHerbert Xu			MPN_COPY(mp, rp, msize);
*2a598d0bSHerbert Xu		}
*2a598d0bSHerbert Xu	}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	MPN_COPY(rp, bp, bsize);
*2a598d0bSHerbert Xu	rsize = bsize;
*2a598d0bSHerbert Xu	rsign = bsign;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	{
*2a598d0bSHerbert Xu		mpi_size_t i;
*2a598d0bSHerbert Xu		mpi_ptr_t xp;
*2a598d0bSHerbert Xu		int c;
*2a598d0bSHerbert Xu		mpi_limb_t e;
*2a598d0bSHerbert Xu		mpi_limb_t carry_limb;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu		xp = xp_marker = mpi_alloc_limb_space(2 * (msize + 1));
*2a598d0bSHerbert Xu		if (!xp)
*2a598d0bSHerbert Xu			goto enomem;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu		negative_result = (ep[0] & 1) && base->sign;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu		i = esize - 1;
*2a598d0bSHerbert Xu		e = ep[i];
*2a598d0bSHerbert Xu		c = count_leading_zeros(e);
*2a598d0bSHerbert Xu		e = (e << c) << 1;	/* shift the exp bits to the left, lose msb */
*2a598d0bSHerbert Xu		c = BITS_PER_MPI_LIMB - 1 - c;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu		/* Main loop.
*2a598d0bSHerbert Xu		 *
*2a598d0bSHerbert Xu		 * Make the result be pointed to alternately by XP and RP.  This
*2a598d0bSHerbert Xu		 * helps us avoid block copying, which would otherwise be necessary
*2a598d0bSHerbert Xu		 * with the overlap restrictions of mpihelp_divmod. With 50% probability
*2a598d0bSHerbert Xu		 * the result after this loop will be in the area originally pointed
*2a598d0bSHerbert Xu		 * by RP (==RES->d), and with 50% probability in the area originally
*2a598d0bSHerbert Xu		 * pointed to by XP.
*2a598d0bSHerbert Xu		 */
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu		for (;;) {
*2a598d0bSHerbert Xu			while (c) {
*2a598d0bSHerbert Xu				mpi_ptr_t tp;
*2a598d0bSHerbert Xu				mpi_size_t xsize;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu				/*if (mpihelp_mul_n(xp, rp, rp, rsize) < 0) goto enomem */
*2a598d0bSHerbert Xu				if (rsize < KARATSUBA_THRESHOLD)
*2a598d0bSHerbert Xu					mpih_sqr_n_basecase(xp, rp, rsize);
*2a598d0bSHerbert Xu				else {
*2a598d0bSHerbert Xu					if (!tspace) {
*2a598d0bSHerbert Xu						tsize = 2 * rsize;
*2a598d0bSHerbert Xu						tspace =
*2a598d0bSHerbert Xu						    mpi_alloc_limb_space(tsize);
*2a598d0bSHerbert Xu						if (!tspace)
*2a598d0bSHerbert Xu							goto enomem;
*2a598d0bSHerbert Xu					} else if (tsize < (2 * rsize)) {
*2a598d0bSHerbert Xu						mpi_free_limb_space(tspace);
*2a598d0bSHerbert Xu						tsize = 2 * rsize;
*2a598d0bSHerbert Xu						tspace =
*2a598d0bSHerbert Xu						    mpi_alloc_limb_space(tsize);
*2a598d0bSHerbert Xu						if (!tspace)
*2a598d0bSHerbert Xu							goto enomem;
*2a598d0bSHerbert Xu					}
*2a598d0bSHerbert Xu					mpih_sqr_n(xp, rp, rsize, tspace);
*2a598d0bSHerbert Xu				}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu				xsize = 2 * rsize;
*2a598d0bSHerbert Xu				if (xsize > msize) {
*2a598d0bSHerbert Xu					mpihelp_divrem(xp + msize, 0, xp, xsize,
*2a598d0bSHerbert Xu						       mp, msize);
*2a598d0bSHerbert Xu					xsize = msize;
*2a598d0bSHerbert Xu				}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu				tp = rp;
*2a598d0bSHerbert Xu				rp = xp;
*2a598d0bSHerbert Xu				xp = tp;
*2a598d0bSHerbert Xu				rsize = xsize;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu				if ((mpi_limb_signed_t) e < 0) {
*2a598d0bSHerbert Xu					/*mpihelp_mul( xp, rp, rsize, bp, bsize ); */
*2a598d0bSHerbert Xu					if (bsize < KARATSUBA_THRESHOLD) {
*2a598d0bSHerbert Xu						mpi_limb_t tmp;
*2a598d0bSHerbert Xu						if (mpihelp_mul
*2a598d0bSHerbert Xu						    (xp, rp, rsize, bp, bsize,
*2a598d0bSHerbert Xu						     &tmp) < 0)
*2a598d0bSHerbert Xu							goto enomem;
*2a598d0bSHerbert Xu					} else {
*2a598d0bSHerbert Xu						if (mpihelp_mul_karatsuba_case
*2a598d0bSHerbert Xu						    (xp, rp, rsize, bp, bsize,
*2a598d0bSHerbert Xu						     &karactx) < 0)
*2a598d0bSHerbert Xu							goto enomem;
*2a598d0bSHerbert Xu					}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu					xsize = rsize + bsize;
*2a598d0bSHerbert Xu					if (xsize > msize) {
*2a598d0bSHerbert Xu						mpihelp_divrem(xp + msize, 0,
*2a598d0bSHerbert Xu							       xp, xsize, mp,
*2a598d0bSHerbert Xu							       msize);
*2a598d0bSHerbert Xu						xsize = msize;
*2a598d0bSHerbert Xu					}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu					tp = rp;
*2a598d0bSHerbert Xu					rp = xp;
*2a598d0bSHerbert Xu					xp = tp;
*2a598d0bSHerbert Xu					rsize = xsize;
*2a598d0bSHerbert Xu				}
*2a598d0bSHerbert Xu				e <<= 1;
*2a598d0bSHerbert Xu				c--;
*2a598d0bSHerbert Xu				cond_resched();
*2a598d0bSHerbert Xu			}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu			i--;
*2a598d0bSHerbert Xu			if (i < 0)
*2a598d0bSHerbert Xu				break;
*2a598d0bSHerbert Xu			e = ep[i];
*2a598d0bSHerbert Xu			c = BITS_PER_MPI_LIMB;
*2a598d0bSHerbert Xu		}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu		/* We shifted MOD, the modulo reduction argument, left MOD_SHIFT_CNT
*2a598d0bSHerbert Xu		 * steps.  Adjust the result by reducing it with the original MOD.
*2a598d0bSHerbert Xu		 *
*2a598d0bSHerbert Xu		 * Also make sure the result is put in RES->d (where it already
*2a598d0bSHerbert Xu		 * might be, see above).
*2a598d0bSHerbert Xu		 */
*2a598d0bSHerbert Xu		if (mod_shift_cnt) {
*2a598d0bSHerbert Xu			carry_limb =
*2a598d0bSHerbert Xu			    mpihelp_lshift(res->d, rp, rsize, mod_shift_cnt);
*2a598d0bSHerbert Xu			rp = res->d;
*2a598d0bSHerbert Xu			if (carry_limb) {
*2a598d0bSHerbert Xu				rp[rsize] = carry_limb;
*2a598d0bSHerbert Xu				rsize++;
*2a598d0bSHerbert Xu			}
*2a598d0bSHerbert Xu		} else {
*2a598d0bSHerbert Xu			MPN_COPY(res->d, rp, rsize);
*2a598d0bSHerbert Xu			rp = res->d;
*2a598d0bSHerbert Xu		}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu		if (rsize >= msize) {
*2a598d0bSHerbert Xu			mpihelp_divrem(rp + msize, 0, rp, rsize, mp, msize);
*2a598d0bSHerbert Xu			rsize = msize;
*2a598d0bSHerbert Xu		}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu		/* Remove any leading zero words from the result.  */
*2a598d0bSHerbert Xu		if (mod_shift_cnt)
*2a598d0bSHerbert Xu			mpihelp_rshift(rp, rp, rsize, mod_shift_cnt);
*2a598d0bSHerbert Xu		MPN_NORMALIZE(rp, rsize);
*2a598d0bSHerbert Xu	}
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xu	if (negative_result && rsize) {
*2a598d0bSHerbert Xu		if (mod_shift_cnt)
*2a598d0bSHerbert Xu			mpihelp_rshift(mp, mp, msize, mod_shift_cnt);
*2a598d0bSHerbert Xu		mpihelp_sub(rp, mp, msize, rp, rsize);
*2a598d0bSHerbert Xu		rsize = msize;
*2a598d0bSHerbert Xu		rsign = msign;
*2a598d0bSHerbert Xu		MPN_NORMALIZE(rp, rsize);
*2a598d0bSHerbert Xu	}
*2a598d0bSHerbert Xu	res->nlimbs = rsize;
*2a598d0bSHerbert Xu	res->sign = rsign;
*2a598d0bSHerbert Xu
*2a598d0bSHerbert Xuleave:
*2a598d0bSHerbert Xu	rc = 0;
*2a598d0bSHerbert Xuenomem:
*2a598d0bSHerbert Xu	mpihelp_release_karatsuba_ctx(&karactx);
*2a598d0bSHerbert Xu	if (assign_rp)
*2a598d0bSHerbert Xu		mpi_assign_limb_space(res, rp, size);
*2a598d0bSHerbert Xu	if (mp_marker)
*2a598d0bSHerbert Xu		mpi_free_limb_space(mp_marker);
*2a598d0bSHerbert Xu	if (bp_marker)
*2a598d0bSHerbert Xu		mpi_free_limb_space(bp_marker);
*2a598d0bSHerbert Xu	if (ep_marker)
*2a598d0bSHerbert Xu		mpi_free_limb_space(ep_marker);
*2a598d0bSHerbert Xu	if (xp_marker)
*2a598d0bSHerbert Xu		mpi_free_limb_space(xp_marker);
*2a598d0bSHerbert Xu	if (tspace)
*2a598d0bSHerbert Xu		mpi_free_limb_space(tspace);
*2a598d0bSHerbert Xu	return rc;
*2a598d0bSHerbert Xu}
*2a598d0bSHerbert XuEXPORT_SYMBOL_GPL(mpi_powm);