| Index: net/third_party/nss/ssl/mpi/mpprime.c
|
| diff --git a/net/third_party/nss/ssl/mpi/mpprime.c b/net/third_party/nss/ssl/mpi/mpprime.c
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..ae8e4961896a185822272cd403785376744fb894
|
| --- /dev/null
|
| +++ b/net/third_party/nss/ssl/mpi/mpprime.c
|
| @@ -0,0 +1,617 @@
|
| +/*
|
| + * mpprime.c
|
| + *
|
| + * Utilities for finding and working with prime and pseudo-prime
|
| + * integers
|
| + *
|
| + * ***** BEGIN LICENSE BLOCK *****
|
| + * Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
| + *
|
| + * The contents of this file are subject to the Mozilla Public License Version
|
| + * 1.1 (the "License"); you may not use this file except in compliance with
|
| + * the License. You may obtain a copy of the License at
|
| + * http://www.mozilla.org/MPL/
|
| + *
|
| + * Software distributed under the License is distributed on an "AS IS" basis,
|
| + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
| + * for the specific language governing rights and limitations under the
|
| + * License.
|
| + *
|
| + * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
|
| + *
|
| + * The Initial Developer of the Original Code is
|
| + * Michael J. Fromberger.
|
| + * Portions created by the Initial Developer are Copyright (C) 1997
|
| + * the Initial Developer. All Rights Reserved.
|
| + *
|
| + * Contributor(s):
|
| + * Netscape Communications Corporation
|
| + *
|
| + * Alternatively, the contents of this file may be used under the terms of
|
| + * either the GNU General Public License Version 2 or later (the "GPL"), or
|
| + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
| + * in which case the provisions of the GPL or the LGPL are applicable instead
|
| + * of those above. If you wish to allow use of your version of this file only
|
| + * under the terms of either the GPL or the LGPL, and not to allow others to
|
| + * use your version of this file under the terms of the MPL, indicate your
|
| + * decision by deleting the provisions above and replace them with the notice
|
| + * and other provisions required by the GPL or the LGPL. If you do not delete
|
| + * the provisions above, a recipient may use your version of this file under
|
| + * the terms of any one of the MPL, the GPL or the LGPL.
|
| + *
|
| + * ***** END LICENSE BLOCK ***** */
|
| +
|
| +#include "mpi-priv.h"
|
| +#include "mpprime.h"
|
| +#include "mplogic.h"
|
| +#include <stdlib.h>
|
| +#include <string.h>
|
| +
|
| +#define SMALL_TABLE 0 /* determines size of hard-wired prime table */
|
| +
|
| +#define RANDOM() rand()
|
| +
|
| +#include "primes.c" /* pull in the prime digit table */
|
| +
|
| +/*
|
| + Test if any of a given vector of digits divides a. If not, MP_NO
|
| + is returned; otherwise, MP_YES is returned and 'which' is set to
|
| + the index of the integer in the vector which divided a.
|
| + */
|
| +mp_err s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which);
|
| +
|
| +/* {{{ mpp_divis(a, b) */
|
| +
|
| +/*
|
| + mpp_divis(a, b)
|
| +
|
| + Returns MP_YES if a is divisible by b, or MP_NO if it is not.
|
| + */
|
| +
|
| +mp_err mpp_divis(mp_int *a, mp_int *b)
|
| +{
|
| + mp_err res;
|
| + mp_int rem;
|
| +
|
| + if((res = mp_init(&rem)) != MP_OKAY)
|
| + return res;
|
| +
|
| + if((res = mp_mod(a, b, &rem)) != MP_OKAY)
|
| + goto CLEANUP;
|
| +
|
| + if(mp_cmp_z(&rem) == 0)
|
| + res = MP_YES;
|
| + else
|
| + res = MP_NO;
|
| +
|
| +CLEANUP:
|
| + mp_clear(&rem);
|
| + return res;
|
| +
|
| +} /* end mpp_divis() */
|
| +
|
| +/* }}} */
|
| +
|
| +/* {{{ mpp_divis_d(a, d) */
|
| +
|
| +/*
|
| + mpp_divis_d(a, d)
|
| +
|
| + Return MP_YES if a is divisible by d, or MP_NO if it is not.
|
| + */
|
| +
|
| +mp_err mpp_divis_d(mp_int *a, mp_digit d)
|
| +{
|
| + mp_err res;
|
| + mp_digit rem;
|
| +
|
| + ARGCHK(a != NULL, MP_BADARG);
|
| +
|
| + if(d == 0)
|
| + return MP_NO;
|
| +
|
| + if((res = mp_mod_d(a, d, &rem)) != MP_OKAY)
|
| + return res;
|
| +
|
| + if(rem == 0)
|
| + return MP_YES;
|
| + else
|
| + return MP_NO;
|
| +
|
| +} /* end mpp_divis_d() */
|
| +
|
| +/* }}} */
|
| +
|
| +/* {{{ mpp_random(a) */
|
| +
|
| +/*
|
| + mpp_random(a)
|
| +
|
| + Assigns a random value to a. This value is generated using the
|
| + standard C library's rand() function, so it should not be used for
|
| + cryptographic purposes, but it should be fine for primality testing,
|
| + since all we really care about there is good statistical properties.
|
| +
|
| + As many digits as a currently has are filled with random digits.
|
| + */
|
| +
|
| +mp_err mpp_random(mp_int *a)
|
| +
|
| +{
|
| + mp_digit next = 0;
|
| + unsigned int ix, jx;
|
| +
|
| + ARGCHK(a != NULL, MP_BADARG);
|
| +
|
| + for(ix = 0; ix < USED(a); ix++) {
|
| + for(jx = 0; jx < sizeof(mp_digit); jx++) {
|
| + next = (next << CHAR_BIT) | (RANDOM() & UCHAR_MAX);
|
| + }
|
| + DIGIT(a, ix) = next;
|
| + }
|
| +
|
| + return MP_OKAY;
|
| +
|
| +} /* end mpp_random() */
|
| +
|
| +/* }}} */
|
| +
|
| +/* {{{ mpp_random_size(a, prec) */
|
| +
|
| +mp_err mpp_random_size(mp_int *a, mp_size prec)
|
| +{
|
| + mp_err res;
|
| +
|
| + ARGCHK(a != NULL && prec > 0, MP_BADARG);
|
| +
|
| + if((res = s_mp_pad(a, prec)) != MP_OKAY)
|
| + return res;
|
| +
|
| + return mpp_random(a);
|
| +
|
| +} /* end mpp_random_size() */
|
| +
|
| +/* }}} */
|
| +
|
| +/* {{{ mpp_divis_vector(a, vec, size, which) */
|
| +
|
| +/*
|
| + mpp_divis_vector(a, vec, size, which)
|
| +
|
| + Determines if a is divisible by any of the 'size' digits in vec.
|
| + Returns MP_YES and sets 'which' to the index of the offending digit,
|
| + if it is; returns MP_NO if it is not.
|
| + */
|
| +
|
| +mp_err mpp_divis_vector(mp_int *a, const mp_digit *vec, int size, int *which)
|
| +{
|
| + ARGCHK(a != NULL && vec != NULL && size > 0, MP_BADARG);
|
| +
|
| + return s_mpp_divp(a, vec, size, which);
|
| +
|
| +} /* end mpp_divis_vector() */
|
| +
|
| +/* }}} */
|
| +
|
| +/* {{{ mpp_divis_primes(a, np) */
|
| +
|
| +/*
|
| + mpp_divis_primes(a, np)
|
| +
|
| + Test whether a is divisible by any of the first 'np' primes. If it
|
| + is, returns MP_YES and sets *np to the value of the digit that did
|
| + it. If not, returns MP_NO.
|
| + */
|
| +mp_err mpp_divis_primes(mp_int *a, mp_digit *np)
|
| +{
|
| + int size, which;
|
| + mp_err res;
|
| +
|
| + ARGCHK(a != NULL && np != NULL, MP_BADARG);
|
| +
|
| + size = (int)*np;
|
| + if(size > prime_tab_size)
|
| + size = prime_tab_size;
|
| +
|
| + res = mpp_divis_vector(a, prime_tab, size, &which);
|
| + if(res == MP_YES)
|
| + *np = prime_tab[which];
|
| +
|
| + return res;
|
| +
|
| +} /* end mpp_divis_primes() */
|
| +
|
| +/* }}} */
|
| +
|
| +/* {{{ mpp_fermat(a, w) */
|
| +
|
| +/*
|
| + Using w as a witness, try pseudo-primality testing based on Fermat's
|
| + little theorem. If a is prime, and (w, a) = 1, then w^a == w (mod
|
| + a). So, we compute z = w^a (mod a) and compare z to w; if they are
|
| + equal, the test passes and we return MP_YES. Otherwise, we return
|
| + MP_NO.
|
| + */
|
| +mp_err mpp_fermat(mp_int *a, mp_digit w)
|
| +{
|
| + mp_int base, test;
|
| + mp_err res;
|
| +
|
| + if((res = mp_init(&base)) != MP_OKAY)
|
| + return res;
|
| +
|
| + mp_set(&base, w);
|
| +
|
| + if((res = mp_init(&test)) != MP_OKAY)
|
| + goto TEST;
|
| +
|
| + /* Compute test = base^a (mod a) */
|
| + if((res = mp_exptmod(&base, a, a, &test)) != MP_OKAY)
|
| + goto CLEANUP;
|
| +
|
| +
|
| + if(mp_cmp(&base, &test) == 0)
|
| + res = MP_YES;
|
| + else
|
| + res = MP_NO;
|
| +
|
| + CLEANUP:
|
| + mp_clear(&test);
|
| + TEST:
|
| + mp_clear(&base);
|
| +
|
| + return res;
|
| +
|
| +} /* end mpp_fermat() */
|
| +
|
| +/* }}} */
|
| +
|
| +/*
|
| + Perform the fermat test on each of the primes in a list until
|
| + a) one of them shows a is not prime, or
|
| + b) the list is exhausted.
|
| + Returns: MP_YES if it passes tests.
|
| + MP_NO if fermat test reveals it is composite
|
| + Some MP error code if some other error occurs.
|
| + */
|
| +mp_err mpp_fermat_list(mp_int *a, const mp_digit *primes, mp_size nPrimes)
|
| +{
|
| + mp_err rv = MP_YES;
|
| +
|
| + while (nPrimes-- > 0 && rv == MP_YES) {
|
| + rv = mpp_fermat(a, *primes++);
|
| + }
|
| + return rv;
|
| +}
|
| +
|
| +/* {{{ mpp_pprime(a, nt) */
|
| +
|
| +/*
|
| + mpp_pprime(a, nt)
|
| +
|
| + Performs nt iteration of the Miller-Rabin probabilistic primality
|
| + test on a. Returns MP_YES if the tests pass, MP_NO if one fails.
|
| + If MP_NO is returned, the number is definitely composite. If MP_YES
|
| + is returned, it is probably prime (but that is not guaranteed).
|
| + */
|
| +
|
| +mp_err mpp_pprime(mp_int *a, int nt)
|
| +{
|
| + mp_err res;
|
| + mp_int x, amo, m, z; /* "amo" = "a minus one" */
|
| + int iter;
|
| + unsigned int jx;
|
| + mp_size b;
|
| +
|
| + ARGCHK(a != NULL, MP_BADARG);
|
| +
|
| + MP_DIGITS(&x) = 0;
|
| + MP_DIGITS(&amo) = 0;
|
| + MP_DIGITS(&m) = 0;
|
| + MP_DIGITS(&z) = 0;
|
| +
|
| + /* Initialize temporaries... */
|
| + MP_CHECKOK( mp_init(&amo));
|
| + /* Compute amo = a - 1 for what follows... */
|
| + MP_CHECKOK( mp_sub_d(a, 1, &amo) );
|
| +
|
| + b = mp_trailing_zeros(&amo);
|
| + if (!b) { /* a was even ? */
|
| + res = MP_NO;
|
| + goto CLEANUP;
|
| + }
|
| +
|
| + MP_CHECKOK( mp_init_size(&x, MP_USED(a)) );
|
| + MP_CHECKOK( mp_init(&z) );
|
| + MP_CHECKOK( mp_init(&m) );
|
| + MP_CHECKOK( mp_div_2d(&amo, b, &m, 0) );
|
| +
|
| + /* Do the test nt times... */
|
| + for(iter = 0; iter < nt; iter++) {
|
| +
|
| + /* Choose a random value for 1 < x < a */
|
| + s_mp_pad(&x, USED(a));
|
| + mpp_random(&x);
|
| + MP_CHECKOK( mp_mod(&x, a, &x) );
|
| + if(mp_cmp_d(&x, 1) <= 0) {
|
| + iter--; /* don't count this iteration */
|
| + continue; /* choose a new x */
|
| + }
|
| +
|
| + /* Compute z = (x ** m) mod a */
|
| + MP_CHECKOK( mp_exptmod(&x, &m, a, &z) );
|
| +
|
| + if(mp_cmp_d(&z, 1) == 0 || mp_cmp(&z, &amo) == 0) {
|
| + res = MP_YES;
|
| + continue;
|
| + }
|
| +
|
| + res = MP_NO; /* just in case the following for loop never executes. */
|
| + for (jx = 1; jx < b; jx++) {
|
| + /* z = z^2 (mod a) */
|
| + MP_CHECKOK( mp_sqrmod(&z, a, &z) );
|
| + res = MP_NO; /* previous line set res to MP_YES */
|
| +
|
| + if(mp_cmp_d(&z, 1) == 0) {
|
| + break;
|
| + }
|
| + if(mp_cmp(&z, &amo) == 0) {
|
| + res = MP_YES;
|
| + break;
|
| + }
|
| + } /* end testing loop */
|
| +
|
| + /* If the test passes, we will continue iterating, but a failed
|
| + test means the candidate is definitely NOT prime, so we will
|
| + immediately break out of this loop
|
| + */
|
| + if(res == MP_NO)
|
| + break;
|
| +
|
| + } /* end iterations loop */
|
| +
|
| +CLEANUP:
|
| + mp_clear(&m);
|
| + mp_clear(&z);
|
| + mp_clear(&x);
|
| + mp_clear(&amo);
|
| + return res;
|
| +
|
| +} /* end mpp_pprime() */
|
| +
|
| +/* }}} */
|
| +
|
| +/* Produce table of composites from list of primes and trial value.
|
| +** trial must be odd. List of primes must not include 2.
|
| +** sieve should have dimension >= MAXPRIME/2, where MAXPRIME is largest
|
| +** prime in list of primes. After this function is finished,
|
| +** if sieve[i] is non-zero, then (trial + 2*i) is composite.
|
| +** Each prime used in the sieve costs one division of trial, and eliminates
|
| +** one or more values from the search space. (3 eliminates 1/3 of the values
|
| +** alone!) Each value left in the search space costs 1 or more modular
|
| +** exponentations. So, these divisions are a bargain!
|
| +*/
|
| +mp_err mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes,
|
| + unsigned char *sieve, mp_size nSieve)
|
| +{
|
| + mp_err res;
|
| + mp_digit rem;
|
| + mp_size ix;
|
| + unsigned long offset;
|
| +
|
| + memset(sieve, 0, nSieve);
|
| +
|
| + for(ix = 0; ix < nPrimes; ix++) {
|
| + mp_digit prime = primes[ix];
|
| + mp_size i;
|
| + if((res = mp_mod_d(trial, prime, &rem)) != MP_OKAY)
|
| + return res;
|
| +
|
| + if (rem == 0) {
|
| + offset = 0;
|
| + } else {
|
| + offset = prime - (rem / 2);
|
| + }
|
| + for (i = offset; i < nSieve ; i += prime) {
|
| + sieve[i] = 1;
|
| + }
|
| + }
|
| +
|
| + return MP_OKAY;
|
| +}
|
| +
|
| +#define SIEVE_SIZE 32*1024
|
| +
|
| +mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
|
| + unsigned long * nTries)
|
| +{
|
| + mp_digit np;
|
| + mp_err res;
|
| + int i = 0;
|
| + mp_int trial;
|
| + mp_int q;
|
| + mp_size num_tests;
|
| + unsigned char *sieve;
|
| +
|
| + ARGCHK(start != 0, MP_BADARG);
|
| + ARGCHK(nBits > 16, MP_RANGE);
|
| +
|
| + sieve = malloc(SIEVE_SIZE);
|
| + ARGCHK(sieve != NULL, MP_MEM);
|
| +
|
| + MP_DIGITS(&trial) = 0;
|
| + MP_DIGITS(&q) = 0;
|
| + MP_CHECKOK( mp_init(&trial) );
|
| + MP_CHECKOK( mp_init(&q) );
|
| + /* values taken from table 4.4, HandBook of Applied Cryptography */
|
| + if (nBits >= 1300) {
|
| + num_tests = 2;
|
| + } else if (nBits >= 850) {
|
| + num_tests = 3;
|
| + } else if (nBits >= 650) {
|
| + num_tests = 4;
|
| + } else if (nBits >= 550) {
|
| + num_tests = 5;
|
| + } else if (nBits >= 450) {
|
| + num_tests = 6;
|
| + } else if (nBits >= 400) {
|
| + num_tests = 7;
|
| + } else if (nBits >= 350) {
|
| + num_tests = 8;
|
| + } else if (nBits >= 300) {
|
| + num_tests = 9;
|
| + } else if (nBits >= 250) {
|
| + num_tests = 12;
|
| + } else if (nBits >= 200) {
|
| + num_tests = 15;
|
| + } else if (nBits >= 150) {
|
| + num_tests = 18;
|
| + } else if (nBits >= 100) {
|
| + num_tests = 27;
|
| + } else
|
| + num_tests = 50;
|
| +
|
| + if (strong)
|
| + --nBits;
|
| + MP_CHECKOK( mpl_set_bit(start, nBits - 1, 1) );
|
| + MP_CHECKOK( mpl_set_bit(start, 0, 1) );
|
| + for (i = mpl_significant_bits(start) - 1; i >= nBits; --i) {
|
| + MP_CHECKOK( mpl_set_bit(start, i, 0) );
|
| + }
|
| + /* start sieveing with prime value of 3. */
|
| + MP_CHECKOK(mpp_sieve(start, prime_tab + 1, prime_tab_size - 1,
|
| + sieve, SIEVE_SIZE) );
|
| +
|
| +#ifdef DEBUG_SIEVE
|
| + res = 0;
|
| + for (i = 0; i < SIEVE_SIZE; ++i) {
|
| + if (!sieve[i])
|
| + ++res;
|
| + }
|
| + fprintf(stderr,"sieve found %d potential primes.\n", res);
|
| +#define FPUTC(x,y) fputc(x,y)
|
| +#else
|
| +#define FPUTC(x,y)
|
| +#endif
|
| +
|
| + res = MP_NO;
|
| + for(i = 0; i < SIEVE_SIZE; ++i) {
|
| + if (sieve[i]) /* this number is composite */
|
| + continue;
|
| + MP_CHECKOK( mp_add_d(start, 2 * i, &trial) );
|
| + FPUTC('.', stderr);
|
| + /* run a Fermat test */
|
| + res = mpp_fermat(&trial, 2);
|
| + if (res != MP_OKAY) {
|
| + if (res == MP_NO)
|
| + continue; /* was composite */
|
| + goto CLEANUP;
|
| + }
|
| +
|
| + FPUTC('+', stderr);
|
| + /* If that passed, run some Miller-Rabin tests */
|
| + res = mpp_pprime(&trial, num_tests);
|
| + if (res != MP_OKAY) {
|
| + if (res == MP_NO)
|
| + continue; /* was composite */
|
| + goto CLEANUP;
|
| + }
|
| + FPUTC('!', stderr);
|
| +
|
| + if (!strong)
|
| + break; /* success !! */
|
| +
|
| + /* At this point, we have strong evidence that our candidate
|
| + is itself prime. If we want a strong prime, we need now
|
| + to test q = 2p + 1 for primality...
|
| + */
|
| + MP_CHECKOK( mp_mul_2(&trial, &q) );
|
| + MP_CHECKOK( mp_add_d(&q, 1, &q) );
|
| +
|
| + /* Test q for small prime divisors ... */
|
| + np = prime_tab_size;
|
| + res = mpp_divis_primes(&q, &np);
|
| + if (res == MP_YES) { /* is composite */
|
| + mp_clear(&q);
|
| + continue;
|
| + }
|
| + if (res != MP_NO)
|
| + goto CLEANUP;
|
| +
|
| + /* And test with Fermat, as with its parent ... */
|
| + res = mpp_fermat(&q, 2);
|
| + if (res != MP_YES) {
|
| + mp_clear(&q);
|
| + if (res == MP_NO)
|
| + continue; /* was composite */
|
| + goto CLEANUP;
|
| + }
|
| +
|
| + /* And test with Miller-Rabin, as with its parent ... */
|
| + res = mpp_pprime(&q, num_tests);
|
| + if (res != MP_YES) {
|
| + mp_clear(&q);
|
| + if (res == MP_NO)
|
| + continue; /* was composite */
|
| + goto CLEANUP;
|
| + }
|
| +
|
| + /* If it passed, we've got a winner */
|
| + mp_exch(&q, &trial);
|
| + mp_clear(&q);
|
| + break;
|
| +
|
| + } /* end of loop through sieved values */
|
| + if (res == MP_YES)
|
| + mp_exch(&trial, start);
|
| +CLEANUP:
|
| + mp_clear(&trial);
|
| + mp_clear(&q);
|
| + if (nTries)
|
| + *nTries += i;
|
| + if (sieve != NULL) {
|
| + memset(sieve, 0, SIEVE_SIZE);
|
| + free (sieve);
|
| + }
|
| + return res;
|
| +}
|
| +
|
| +/*========================================================================*/
|
| +/*------------------------------------------------------------------------*/
|
| +/* Static functions visible only to the library internally */
|
| +
|
| +/* {{{ s_mpp_divp(a, vec, size, which) */
|
| +
|
| +/*
|
| + Test for divisibility by members of a vector of digits. Returns
|
| + MP_NO if a is not divisible by any of them; returns MP_YES and sets
|
| + 'which' to the index of the offender, if it is. Will stop on the
|
| + first digit against which a is divisible.
|
| + */
|
| +
|
| +mp_err s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which)
|
| +{
|
| + mp_err res;
|
| + mp_digit rem;
|
| +
|
| + int ix;
|
| +
|
| + for(ix = 0; ix < size; ix++) {
|
| + if((res = mp_mod_d(a, vec[ix], &rem)) != MP_OKAY)
|
| + return res;
|
| +
|
| + if(rem == 0) {
|
| + if(which)
|
| + *which = ix;
|
| + return MP_YES;
|
| + }
|
| + }
|
| +
|
| + return MP_NO;
|
| +
|
| +} /* end s_mpp_divp() */
|
| +
|
| +/* }}} */
|
| +
|
| +/*------------------------------------------------------------------------*/
|
| +/* HERE THERE BE DRAGONS */
|
|
|
Chromium Code Reviews
Issue 6804032:
Add TLS-SRP (RFC 5054) support
Base URL: http://git.chromium.org/git/chromium.git@trunk