1 /*-------------------------------------------------------------------------
5 * Last synchronized from https://github.com/creachadair/imath/tree/v1.29,
6 * using the following procedure:
8 * 1. Download imath.c and imath.h of the last synchronized version. Remove
9 * "#ifdef __cplusplus" blocks, which upset pgindent. Run pgindent on the
10 * two files. Filter the two files through "unexpand -t4 --first-only".
11 * Diff the result against the PostgreSQL versions. As of the last
12 * synchronization, changes were as follows:
14 * - replace malloc(), realloc() and free() with px_ versions
15 * - redirect assert() to Assert()
16 * - #undef MIN, #undef MAX before defining them
17 * - remove includes covered by c.h
18 * - rename DEBUG to IMATH_DEBUG
19 * - replace stdint.h usage with c.h equivalents
20 * - suppress MSVC warning 4146
21 * - add required PG_USED_FOR_ASSERTS_ONLY
23 * 2. Download a newer imath.c and imath.h. Transform them like in step 1.
24 * Apply to these files the diff you saved in step 1. Look for new lines
25 * requiring the same kind of change, such as new malloc() calls.
27 * 3. Configure PostgreSQL using --without-openssl. Run "make -C
28 * contrib/pgcrypto check".
30 * 4. Update this header comment.
32 * Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
35 * contrib/pgcrypto/imath.c
37 * Upstream copyright terms follow.
38 *-------------------------------------------------------------------------
43 Purpose: Arbitrary precision integer arithmetic routines.
44 Author: M. J. Fromberger
46 Copyright (C) 2002-2007 Michael J. Fromberger, All Rights Reserved.
48 Permission is hereby granted, free of charge, to any person obtaining a copy
49 of this software and associated documentation files (the "Software"), to deal
50 in the Software without restriction, including without limitation the rights
51 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
52 copies of the Software, and to permit persons to whom the Software is
53 furnished to do so, subject to the following conditions:
55 The above copyright notice and this permission notice shall be included in
56 all copies or substantial portions of the Software.
58 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
59 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
60 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
61 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
62 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
63 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
73 #define assert(TEST) Assert(TEST)
75 const mp_result MP_OK = 0; /* no error, all is well */
76 const mp_result MP_FALSE = 0; /* boolean false */
77 const mp_result MP_TRUE = -1; /* boolean true */
78 const mp_result MP_MEMORY = -2; /* out of memory */
79 const mp_result MP_RANGE = -3; /* argument out of range */
80 const mp_result MP_UNDEF = -4; /* result undefined */
81 const mp_result MP_TRUNC = -5; /* output truncated */
82 const mp_result MP_BADARG = -6; /* invalid null argument */
83 const mp_result MP_MINERR = -6;
85 const mp_sign MP_NEG = 1; /* value is strictly negative */
86 const mp_sign MP_ZPOS = 0; /* value is non-negative */
88 static const char *s_unknown_err = "unknown result code";
89 static const char *s_error_msg[] = {"error code 0", "boolean true",
90 "out of memory", "argument out of range",
91 "result undefined", "output truncated",
92 "invalid argument", NULL};
/* The ith entry of this table gives the value of log_i(2).

   An integer value n requires ceil(log_i(n)) digits to be represented
   in base i.  Since it is easy to compute lg(n), by counting bits, we
   can compute log_i(n) = lg(n) * log_i(2).

   The use of this table eliminates a dependency upon linkage against
   the standard math libraries.

   If MP_MAX_RADIX is increased, this table should be expanded too. */
static const double s_log2[] = {
	0.000000000, 0.000000000, 1.000000000, 0.630929754, /* (D)(D) 2  3 */
	0.500000000, 0.430676558, 0.386852807, 0.356207187, /*  4  5  6  7 */
	0.333333333, 0.315464877, 0.301029996, 0.289064826, /*  8  9 10 11 */
	0.278942946, 0.270238154, 0.262649535, 0.255958025, /* 12 13 14 15 */
	0.250000000, 0.244650542, 0.239812467, 0.235408913, /* 16 17 18 19 */
	0.231378213, 0.227670249, 0.224243824, 0.221064729, /* 20 21 22 23 */
	0.218104292, 0.215338279, 0.212746054, 0.210309918, /* 24 25 26 27 */
	0.208014598, 0.205846832, 0.203795047, 0.201849087, /* 28 29 30 31 */
	0.200000000, 0.198239863, 0.196561632, 0.194959022, /* 32 33 34 35 */
	0.193426404,				/* 36 */
};
/* Number of mp_digit words needed to hold a static value of type V:
   the ceiling of sizeof(V) / sizeof(mp_digit). */
#define MP_VALUE_DIGITS(V) \
	((sizeof(V) + (sizeof(mp_digit) - 1)) / sizeof(mp_digit))
122 /* Round precision P to nearest word boundary */
123 static inline mp_size
124 s_round_prec(mp_size P)
126 return 2 * ((P + 1) / 2);
129 /* Set array P of S digits to zero */
131 ZERO(mp_digit *P, mp_size S)
133 mp_size i__ = S * sizeof(mp_digit);
139 /* Copy S digits from array P to array Q */
141 COPY(mp_digit *P, mp_digit *Q, mp_size S)
143 mp_size i__ = S * sizeof(mp_digit);
147 memcpy(q__, p__, i__);
/* Reverse N elements of unsigned char in A, in place. */
static inline void
REV(unsigned char *A, int N)
{
	unsigned char *u_ = A;
	unsigned char *v_ = u_ + N - 1;

	/* Swap symmetric pairs moving inward; stops for N <= 1. */
	while (u_ < v_)
	{
		unsigned char xch = *u_;

		*u_++ = *v_;
		*v_-- = xch;
	}
}
166 /* Strip leading zeroes from z_ in-place. */
170 mp_size uz_ = MP_USED(z_);
171 mp_digit *dz_ = MP_DIGITS(z_) + uz_ - 1;
173 while (uz_ > 1 && (*dz_-- == 0))
178 /* Select min/max. */
184 return (B < A ? B : A);
186 static inline mp_size
187 MAX(mp_size A, mp_size B)
189 return (B > A ? B : A);
192 /* Exchange lvalues A and B of type T, e.g.
193 SWAP(int, x, y) where x and y are variables of type int. */
194 #define SWAP(T, A, B) \
201 /* Declare a block of N temporary mpz_t values.
202 These values are initialized to zero.
203 You must add CLEANUP_TEMP() at the end of the function.
204 Use TEMP(i) to access a pointer to the ith value.
206 #define DECLARE_TEMP(N) \
216 for (int i = 0; i < temp_.len; i++) { \
217 mp_int_init(TEMP(i)); \
221 /* Clear all allocated temp values. */
222 #define CLEANUP_TEMP() \
225 for (int i = 0; i < temp_.len; i++) { \
226 mp_int_clear(TEMP(i)); \
228 if (temp_.err != MP_OK) { \
233 /* A pointer to the kth temp value. */
234 #define TEMP(K) (temp_.value + (K))
236 /* Evaluate E, an expression of type mp_result expected to return MP_OK. If
237 the value is not MP_OK, the error is cached and control resumes at the
238 cleanup handler, which returns it.
243 if (temp_.err != MP_OK) goto CLEANUP; \
246 /* Compare value to zero. */
250 if (Z->used == 1 && Z->digits[0] == 0)
252 return (Z->sign == MP_NEG) ? -1 : 1;
255 static inline mp_word
256 UPPER_HALF(mp_word W)
258 return (W >> MP_DIGIT_BIT);
260 static inline mp_digit
261 LOWER_HALF(mp_word W)
263 return (mp_digit) (W);
266 /* Report whether the highest-order bit of W is 1. */
268 HIGH_BIT_SET(mp_word W)
270 return (W >> (MP_WORD_BIT - 1)) != 0;
273 /* Report whether adding W + V will carry out. */
275 ADD_WILL_OVERFLOW(mp_word W, mp_word V)
277 return ((MP_WORD_MAX - V) < W);
280 /* Default number of digits allocated to a new mp_int */
281 static mp_size default_precision = 8;
284 mp_int_default_precision(mp_size size)
287 default_precision = size;
290 /* Minimum number of digits to invoke recursive multiply */
291 static mp_size multiply_threshold = 32;
294 mp_int_multiply_threshold(mp_size thresh)
296 assert(thresh >= sizeof(mp_word));
297 multiply_threshold = thresh;
300 /* Allocate a buffer of (at least) num digits, or return
301 NULL if that couldn't be done. */
302 static mp_digit *s_alloc(mp_size num);
304 /* Release a buffer of digits allocated by s_alloc(). */
305 static void s_free(void *ptr);
307 /* Insure that z has at least min digits allocated, resizing if
308 necessary. Returns true if successful, false if out of memory. */
309 static bool s_pad(mp_int z, mp_size min);
311 /* Ensure Z has at least N digits allocated. */
312 static inline mp_result
313 GROW(mp_int Z, mp_size N)
315 return s_pad(Z, N) ? MP_OK : MP_MEMORY;
318 /* Fill in a "fake" mp_int on the stack with a given value */
319 static void s_fake(mp_int z, mp_small value, mp_digit vbuf[]);
320 static void s_ufake(mp_int z, mp_usmall value, mp_digit vbuf[]);
322 /* Compare two runs of digits of given length, returns <0, 0, >0 */
323 static int s_cdig(mp_digit *da, mp_digit *db, mp_size len);
325 /* Pack the unsigned digits of v into array t */
326 static int s_uvpack(mp_usmall v, mp_digit t[]);
328 /* Compare magnitudes of a and b, returns <0, 0, >0 */
329 static int s_ucmp(mp_int a, mp_int b);
331 /* Compare magnitudes of a and v, returns <0, 0, >0 */
332 static int s_vcmp(mp_int a, mp_small v);
333 static int s_uvcmp(mp_int a, mp_usmall uv);
335 /* Unsigned magnitude addition; assumes dc is big enough.
336 Carry out is returned (no memory allocated). */
337 static mp_digit s_uadd(mp_digit *da, mp_digit *db, mp_digit *dc, mp_size size_a,
340 /* Unsigned magnitude subtraction. Assumes dc is big enough. */
341 static void s_usub(mp_digit *da, mp_digit *db, mp_digit *dc, mp_size size_a,
344 /* Unsigned recursive multiplication. Assumes dc is big enough. */
345 static int s_kmul(mp_digit *da, mp_digit *db, mp_digit *dc, mp_size size_a,
348 /* Unsigned magnitude multiplication. Assumes dc is big enough. */
349 static void s_umul(mp_digit *da, mp_digit *db, mp_digit *dc, mp_size size_a,
352 /* Unsigned recursive squaring. Assumes dc is big enough. */
353 static int s_ksqr(mp_digit *da, mp_digit *dc, mp_size size_a);
355 /* Unsigned magnitude squaring. Assumes dc is big enough. */
356 static void s_usqr(mp_digit *da, mp_digit *dc, mp_size size_a);
358 /* Single digit addition. Assumes a is big enough. */
359 static void s_dadd(mp_int a, mp_digit b);
361 /* Single digit multiplication. Assumes a is big enough. */
362 static void s_dmul(mp_int a, mp_digit b);
364 /* Single digit multiplication on buffers; assumes dc is big enough. */
365 static void s_dbmul(mp_digit *da, mp_digit b, mp_digit *dc, mp_size size_a);
367 /* Single digit division. Replaces a with the quotient,
368 returns the remainder. */
369 static mp_digit s_ddiv(mp_int a, mp_digit b);
371 /* Quick division by a power of 2, replaces z (no allocation) */
372 static void s_qdiv(mp_int z, mp_size p2);
374 /* Quick remainder by a power of 2, replaces z (no allocation) */
375 static void s_qmod(mp_int z, mp_size p2);
377 /* Quick multiplication by a power of 2, replaces z.
378 Allocates if necessary; returns false in case this fails. */
379 static int s_qmul(mp_int z, mp_size p2);
381 /* Quick subtraction from a power of 2, replaces z.
382 Allocates if necessary; returns false in case this fails. */
383 static int s_qsub(mp_int z, mp_size p2);
385 /* Return maximum k such that 2^k divides z. */
386 static int s_dp2k(mp_int z);
388 /* Return k >= 0 such that z = 2^k, or -1 if there is no such k. */
389 static int s_isp2(mp_int z);
391 /* Set z to 2^k. May allocate; returns false in case this fails. */
392 static int s_2expt(mp_int z, mp_small k);
394 /* Normalize a and b for division, returns normalization constant */
395 static int s_norm(mp_int a, mp_int b);
397 /* Compute constant mu for Barrett reduction, given modulus m, result
398 replaces z, m is untouched. */
399 static mp_result s_brmu(mp_int z, mp_int m);
401 /* Reduce a modulo m, using Barrett's algorithm. */
402 static int s_reduce(mp_int x, mp_int m, mp_int mu, mp_int q1, mp_int q2);
404 /* Modular exponentiation, using Barrett reduction */
405 static mp_result s_embar(mp_int a, mp_int b, mp_int m, mp_int mu, mp_int c);
407 /* Unsigned magnitude division. Assumes |a| > |b|. Allocates temporaries;
408 overwrites a with quotient, b with remainder. */
409 static mp_result s_udiv_knuth(mp_int a, mp_int b);
411 /* Compute the number of digits in radix r required to represent the given
412 value. Does not account for sign flags, terminators, etc. */
413 static int s_outlen(mp_int z, mp_size r);
415 /* Guess how many digits of precision will be needed to represent a radix r
416 value of the specified number of digits. Returns a value guaranteed to be
417 no smaller than the actual number required. */
418 static mp_size s_inlen(int len, mp_size r);
420 /* Convert a character to a digit value in radix r, or
421 -1 if out of range */
422 static int s_ch2val(char c, int r);
424 /* Convert a digit value to a character */
425 static char s_val2ch(int v, int caps);
427 /* Take 2's complement of a buffer in place */
428 static void s_2comp(unsigned char *buf, int len);
430 /* Convert a value to binary, ignoring sign. On input, *limpos is the bound on
431 how many bytes should be written to buf; on output, *limpos is set to the
432 number of bytes actually written. */
433 static mp_result s_tobin(mp_int z, unsigned char *buf, int *limpos, int pad);
435 /* Multiply X by Y into Z, ignoring signs. Requires that Z have enough storage
436 preallocated to hold the result. */
438 UMUL(mp_int X, mp_int Y, mp_int Z)
440 mp_size ua_ = MP_USED(X);
441 mp_size ub_ = MP_USED(Y);
442 mp_size o_ = ua_ + ub_;
444 ZERO(MP_DIGITS(Z), o_);
445 (void) s_kmul(MP_DIGITS(X), MP_DIGITS(Y), MP_DIGITS(Z), ua_, ub_);
450 /* Square X into Z. Requires that Z have enough storage to hold the result. */
452 USQR(mp_int X, mp_int Z)
454 mp_size ua_ = MP_USED(X);
455 mp_size o_ = ua_ + ua_;
457 ZERO(MP_DIGITS(Z), o_);
458 (void) s_ksqr(MP_DIGITS(X), MP_DIGITS(Z), ua_);
464 mp_int_init(mp_int z)
470 z->digits = &(z->single);
481 mp_int out = px_alloc(sizeof(mpz_t));
490 mp_int_init_size(mp_int z, mp_size prec)
496 prec = default_precision;
500 return mp_int_init(z);
504 prec = s_round_prec(prec);
507 z->digits = s_alloc(prec);
508 if (MP_DIGITS(z) == NULL)
520 mp_int_init_copy(mp_int z, mp_int old)
522 assert(z != NULL && old != NULL);
524 mp_size uold = MP_USED(old);
532 mp_size target = MAX(uold, default_precision);
533 mp_result res = mp_int_init_size(z, target);
541 COPY(MP_DIGITS(old), MP_DIGITS(z), uold);
547 mp_int_init_value(mp_int z, mp_small value)
550 mp_digit vbuf[MP_VALUE_DIGITS(value)];
552 s_fake(&vtmp, value, vbuf);
553 return mp_int_init_copy(z, &vtmp);
557 mp_int_init_uvalue(mp_int z, mp_usmall uvalue)
560 mp_digit vbuf[MP_VALUE_DIGITS(uvalue)];
562 s_ufake(&vtmp, uvalue, vbuf);
563 return mp_int_init_copy(z, &vtmp);
567 mp_int_set_value(mp_int z, mp_small value)
570 mp_digit vbuf[MP_VALUE_DIGITS(value)];
572 s_fake(&vtmp, value, vbuf);
573 return mp_int_copy(&vtmp, z);
577 mp_int_set_uvalue(mp_int z, mp_usmall uvalue)
580 mp_digit vbuf[MP_VALUE_DIGITS(uvalue)];
582 s_ufake(&vtmp, uvalue, vbuf);
583 return mp_int_copy(&vtmp, z);
587 mp_int_clear(mp_int z)
592 if (MP_DIGITS(z) != NULL)
594 if (MP_DIGITS(z) != &(z->single))
595 s_free(MP_DIGITS(z));
602 mp_int_free(mp_int z)
607 px_free(z); /* note: NOT s_free() */
611 mp_int_copy(mp_int a, mp_int c)
613 assert(a != NULL && c != NULL);
617 mp_size ua = MP_USED(a);
636 mp_int_swap(mp_int a, mp_int c)
645 if (MP_DIGITS(a) == &(c->single))
646 a->digits = &(a->single);
647 if (MP_DIGITS(c) == &(a->single))
648 c->digits = &(c->single);
653 mp_int_zero(mp_int z)
663 mp_int_abs(mp_int a, mp_int c)
665 assert(a != NULL && c != NULL);
669 if ((res = mp_int_copy(a, c)) != MP_OK)
677 mp_int_neg(mp_int a, mp_int c)
679 assert(a != NULL && c != NULL);
683 if ((res = mp_int_copy(a, c)) != MP_OK)
687 c->sign = 1 - MP_SIGN(a);
693 mp_int_add(mp_int a, mp_int b, mp_int c)
695 assert(a != NULL && b != NULL && c != NULL);
697 mp_size ua = MP_USED(a);
698 mp_size ub = MP_USED(b);
699 mp_size max = MAX(ua, ub);
701 if (MP_SIGN(a) == MP_SIGN(b))
703 /* Same sign -- add magnitudes, preserve sign of addends */
707 mp_digit carry = s_uadd(MP_DIGITS(a), MP_DIGITS(b), MP_DIGITS(c), ua, ub);
712 if (!s_pad(c, max + 1))
715 c->digits[max] = carry;
725 /* Different signs -- subtract magnitudes, preserve sign of greater */
726 int cmp = s_ucmp(a, b); /* magnitude comparision, sign ignored */
729 * Set x to max(a, b), y to min(a, b) to simplify later code. A
730 * special case yields zero for equal magnitudes.
751 if (!s_pad(c, MP_USED(x)))
754 /* Subtract smaller from larger */
755 s_usub(MP_DIGITS(x), MP_DIGITS(y), MP_DIGITS(c), MP_USED(x), MP_USED(y));
759 /* Give result the sign of the larger */
767 mp_int_add_value(mp_int a, mp_small value, mp_int c)
770 mp_digit vbuf[MP_VALUE_DIGITS(value)];
772 s_fake(&vtmp, value, vbuf);
774 return mp_int_add(a, &vtmp, c);
778 mp_int_sub(mp_int a, mp_int b, mp_int c)
780 assert(a != NULL && b != NULL && c != NULL);
782 mp_size ua = MP_USED(a);
783 mp_size ub = MP_USED(b);
784 mp_size max = MAX(ua, ub);
786 if (MP_SIGN(a) != MP_SIGN(b))
788 /* Different signs -- add magnitudes and keep sign of a */
792 mp_digit carry = s_uadd(MP_DIGITS(a), MP_DIGITS(b), MP_DIGITS(c), ua, ub);
797 if (!s_pad(c, max + 1))
800 c->digits[max] = carry;
810 /* Same signs -- subtract magnitudes */
817 int cmp = s_ucmp(a, b);
832 if (MP_SIGN(a) == MP_NEG && cmp != 0)
835 s_usub(MP_DIGITS(x), MP_DIGITS(y), MP_DIGITS(c), MP_USED(x), MP_USED(y));
846 mp_int_sub_value(mp_int a, mp_small value, mp_int c)
849 mp_digit vbuf[MP_VALUE_DIGITS(value)];
851 s_fake(&vtmp, value, vbuf);
853 return mp_int_sub(a, &vtmp, c);
857 mp_int_mul(mp_int a, mp_int b, mp_int c)
859 assert(a != NULL && b != NULL && c != NULL);
861 /* If either input is zero, we can shortcut multiplication */
862 if (mp_int_compare_zero(a) == 0 || mp_int_compare_zero(b) == 0)
868 /* Output is positive if inputs have same sign, otherwise negative */
869 mp_sign osign = (MP_SIGN(a) == MP_SIGN(b)) ? MP_ZPOS : MP_NEG;
872 * If the output is not identical to any of the inputs, we'll write the
873 * results directly; otherwise, allocate a temporary space.
875 mp_size ua = MP_USED(a);
876 mp_size ub = MP_USED(b);
877 mp_size osize = MAX(ua, ub);
879 osize = 4 * ((osize + 1) / 2);
884 if (c == a || c == b)
886 p = MAX(s_round_prec(osize), default_precision);
888 if ((out = s_alloc(p)) == NULL)
893 if (!s_pad(c, osize))
900 if (!s_kmul(MP_DIGITS(a), MP_DIGITS(b), out, ua, ub))
904 * If we allocated a new buffer, get rid of whatever memory c was already
905 * using, and fix up its fields to reflect that.
907 if (out != MP_DIGITS(c))
909 if ((void *) MP_DIGITS(c) != (void *) c)
910 s_free(MP_DIGITS(c));
915 c->used = osize; /* might not be true, but we'll fix it ... */
916 CLAMP(c); /* ... right here */
923 mp_int_mul_value(mp_int a, mp_small value, mp_int c)
926 mp_digit vbuf[MP_VALUE_DIGITS(value)];
928 s_fake(&vtmp, value, vbuf);
930 return mp_int_mul(a, &vtmp, c);
934 mp_int_mul_pow2(mp_int a, mp_small p2, mp_int c)
936 assert(a != NULL && c != NULL && p2 >= 0);
938 mp_result res = mp_int_copy(a, c);
943 if (s_qmul(c, (mp_size) p2))
954 mp_int_sqr(mp_int a, mp_int c)
956 assert(a != NULL && c != NULL);
958 /* Get a temporary buffer big enough to hold the result */
959 mp_size osize = (mp_size) 4 * ((MP_USED(a) + 1) / 2);
965 p = s_round_prec(osize);
966 p = MAX(p, default_precision);
968 if ((out = s_alloc(p)) == NULL)
973 if (!s_pad(c, osize))
980 s_ksqr(MP_DIGITS(a), out, MP_USED(a));
983 * Get rid of whatever memory c was already using, and fix up its fields
984 * to reflect the new digit array it's using
986 if (out != MP_DIGITS(c))
988 if ((void *) MP_DIGITS(c) != (void *) c)
989 s_free(MP_DIGITS(c));
994 c->used = osize; /* might not be true, but we'll fix it ... */
995 CLAMP(c); /* ... right here */
1002 mp_int_div(mp_int a, mp_int b, mp_int q, mp_int r)
1004 assert(a != NULL && b != NULL && q != r);
1007 mp_result res = MP_OK;
1010 mp_sign sa = MP_SIGN(a);
1011 mp_sign sb = MP_SIGN(b);
1017 else if ((cmp = s_ucmp(a, b)) < 0)
1020 * If |a| < |b|, no division is required: q = 0, r = a
1022 if (r && (res = mp_int_copy(a, r)) != MP_OK)
1033 * If |a| = |b|, no division is required: q = 1 or -1, r = 0
1051 * When |a| > |b|, real division is required. We need someplace to store
1052 * quotient and remainder, but q and r are allowed to be NULL or to
1053 * overlap with the inputs.
1058 if ((lg = s_isp2(b)) < 0)
1062 REQUIRE(mp_int_copy(a, q));
1067 REQUIRE(mp_int_copy(a, TEMP(0)));
1073 REQUIRE(mp_int_copy(b, r));
1078 REQUIRE(mp_int_copy(b, TEMP(1)));
1082 REQUIRE(s_udiv_knuth(qout, rout));
1087 REQUIRE(mp_int_copy(a, q));
1089 REQUIRE(mp_int_copy(a, r));
1092 s_qdiv(q, (mp_size) lg);
1095 s_qmod(r, (mp_size) lg);
1099 /* Recompute signs for output */
1103 if (CMPZ(rout) == 0)
1104 rout->sign = MP_ZPOS;
1108 qout->sign = (sa == sb) ? MP_ZPOS : MP_NEG;
1109 if (CMPZ(qout) == 0)
1110 qout->sign = MP_ZPOS;
1114 REQUIRE(mp_int_copy(qout, q));
1116 REQUIRE(mp_int_copy(rout, r));
1122 mp_int_mod(mp_int a, mp_int m, mp_int c)
1125 mp_int out = (m == c) ? TEMP(0) : c;
1127 REQUIRE(mp_int_div(a, m, NULL, out));
1130 REQUIRE(mp_int_add(out, m, c));
1134 REQUIRE(mp_int_copy(out, c));
1141 mp_int_div_value(mp_int a, mp_small value, mp_int q, mp_small *r)
1144 mp_digit vbuf[MP_VALUE_DIGITS(value)];
1146 s_fake(&vtmp, value, vbuf);
1149 REQUIRE(mp_int_div(a, &vtmp, q, TEMP(0)));
1152 (void) mp_int_to_int(TEMP(0), r); /* can't fail */
1159 mp_int_div_pow2(mp_int a, mp_small p2, mp_int q, mp_int r)
1161 assert(a != NULL && p2 >= 0 && q != r);
1163 mp_result res = MP_OK;
1165 if (q != NULL && (res = mp_int_copy(a, q)) == MP_OK)
1167 s_qdiv(q, (mp_size) p2);
1170 if (res == MP_OK && r != NULL && (res = mp_int_copy(a, r)) == MP_OK)
1172 s_qmod(r, (mp_size) p2);
1179 mp_int_expt(mp_int a, mp_small b, mp_int c)
1186 REQUIRE(mp_int_copy(a, TEMP(0)));
1188 (void) mp_int_set_value(c, 1);
1189 unsigned int v = labs(b);
1195 REQUIRE(mp_int_mul(c, TEMP(0), c));
1202 REQUIRE(mp_int_sqr(TEMP(0), TEMP(0)));
1210 mp_int_expt_value(mp_small a, mp_small b, mp_int c)
1217 REQUIRE(mp_int_set_value(TEMP(0), a));
1219 (void) mp_int_set_value(c, 1);
1220 unsigned int v = labs(b);
1226 REQUIRE(mp_int_mul(c, TEMP(0), c));
1233 REQUIRE(mp_int_sqr(TEMP(0), TEMP(0)));
1241 mp_int_expt_full(mp_int a, mp_int b, mp_int c)
1243 assert(a != NULL && b != NULL && c != NULL);
1244 if (MP_SIGN(b) == MP_NEG)
1248 REQUIRE(mp_int_copy(a, TEMP(0)));
1250 (void) mp_int_set_value(c, 1);
1251 for (unsigned ix = 0; ix < MP_USED(b); ++ix)
1253 mp_digit d = b->digits[ix];
1255 for (unsigned jx = 0; jx < MP_DIGIT_BIT; ++jx)
1259 REQUIRE(mp_int_mul(c, TEMP(0), c));
1263 if (d == 0 && ix + 1 == MP_USED(b))
1265 REQUIRE(mp_int_sqr(TEMP(0), TEMP(0)));
1274 mp_int_compare(mp_int a, mp_int b)
1276 assert(a != NULL && b != NULL);
1278 mp_sign sa = MP_SIGN(a);
1280 if (sa == MP_SIGN(b))
1282 int cmp = s_ucmp(a, b);
1285 * If they're both zero or positive, the normal comparison applies; if
1286 * both negative, the sense is reversed.
1297 else if (sa == MP_ZPOS)
1308 mp_int_compare_unsigned(mp_int a, mp_int b)
1310 assert(a != NULL && b != NULL);
1312 return s_ucmp(a, b);
1316 mp_int_compare_zero(mp_int z)
1320 if (MP_USED(z) == 1 && z->digits[0] == 0)
1324 else if (MP_SIGN(z) == MP_ZPOS)
1335 mp_int_compare_value(mp_int z, mp_small value)
1339 mp_sign vsign = (value < 0) ? MP_NEG : MP_ZPOS;
1341 if (vsign == MP_SIGN(z))
1343 int cmp = s_vcmp(z, value);
1345 return (vsign == MP_ZPOS) ? cmp : -cmp;
1349 return (value < 0) ? 1 : -1;
1354 mp_int_compare_uvalue(mp_int z, mp_usmall uv)
1358 if (MP_SIGN(z) == MP_NEG)
1364 return s_uvcmp(z, uv);
1369 mp_int_exptmod(mp_int a, mp_int b, mp_int m, mp_int c)
1371 assert(a != NULL && b != NULL && c != NULL && m != NULL);
1373 /* Zero moduli and negative exponents are not considered. */
1379 mp_size um = MP_USED(m);
1382 REQUIRE(GROW(TEMP(0), 2 * um));
1383 REQUIRE(GROW(TEMP(1), 2 * um));
1387 if (c == b || c == m)
1389 REQUIRE(GROW(TEMP(2), 2 * um));
1397 REQUIRE(mp_int_mod(a, m, TEMP(0)));
1398 REQUIRE(s_brmu(TEMP(1), m));
1399 REQUIRE(s_embar(TEMP(0), b, m, TEMP(1), s));
1400 REQUIRE(mp_int_copy(s, c));
1407 mp_int_exptmod_evalue(mp_int a, mp_small value, mp_int m, mp_int c)
1410 mp_digit vbuf[MP_VALUE_DIGITS(value)];
1412 s_fake(&vtmp, value, vbuf);
1414 return mp_int_exptmod(a, &vtmp, m, c);
1418 mp_int_exptmod_bvalue(mp_small value, mp_int b, mp_int m, mp_int c)
1421 mp_digit vbuf[MP_VALUE_DIGITS(value)];
1423 s_fake(&vtmp, value, vbuf);
1425 return mp_int_exptmod(&vtmp, b, m, c);
1429 mp_int_exptmod_known(mp_int a, mp_int b, mp_int m, mp_int mu,
1432 assert(a && b && m && c);
1434 /* Zero moduli and negative exponents are not considered. */
1441 mp_size um = MP_USED(m);
1443 REQUIRE(GROW(TEMP(0), 2 * um));
1447 if (c == b || c == m)
1449 REQUIRE(GROW(TEMP(1), 2 * um));
1457 REQUIRE(mp_int_mod(a, m, TEMP(0)));
1458 REQUIRE(s_embar(TEMP(0), b, m, mu, s));
1459 REQUIRE(mp_int_copy(s, c));
1466 mp_int_redux_const(mp_int m, mp_int c)
1468 assert(m != NULL && c != NULL && m != c);
1470 return s_brmu(c, m);
1474 mp_int_invmod(mp_int a, mp_int m, mp_int c)
1476 assert(a != NULL && m != NULL && c != NULL);
1478 if (CMPZ(a) == 0 || CMPZ(m) <= 0)
1483 REQUIRE(mp_int_egcd(a, m, TEMP(0), TEMP(1), NULL));
1485 if (mp_int_compare_value(TEMP(0), 1) != 0)
1490 /* It is first necessary to constrain the value to the proper range */
1491 REQUIRE(mp_int_mod(TEMP(1), m, TEMP(1)));
1494 * Now, if 'a' was originally negative, the value we have is actually the
1495 * magnitude of the negative representative; to get the positive value we
1496 * have to subtract from the modulus. Otherwise, the value is okay as it
1499 if (MP_SIGN(a) == MP_NEG)
1501 REQUIRE(mp_int_sub(m, TEMP(1), c));
1505 REQUIRE(mp_int_copy(TEMP(1), c));
1512 /* Binary GCD algorithm due to Josef Stein, 1961 */
1514 mp_int_gcd(mp_int a, mp_int b, mp_int c)
1516 assert(a != NULL && b != NULL && c != NULL);
1521 if (ca == 0 && cb == 0)
1527 return mp_int_abs(b, c);
1531 return mp_int_abs(a, c);
1535 REQUIRE(mp_int_copy(a, TEMP(0)));
1536 REQUIRE(mp_int_copy(b, TEMP(1)));
1538 TEMP(0)->sign = MP_ZPOS;
1539 TEMP(1)->sign = MP_ZPOS;
1543 { /* Divide out common factors of 2 from u and v */
1544 int div2_u = s_dp2k(TEMP(0));
1545 int div2_v = s_dp2k(TEMP(1));
1547 k = MIN(div2_u, div2_v);
1548 s_qdiv(TEMP(0), (mp_size) k);
1549 s_qdiv(TEMP(1), (mp_size) k);
1552 if (mp_int_is_odd(TEMP(0)))
1554 REQUIRE(mp_int_neg(TEMP(1), TEMP(2)));
1558 REQUIRE(mp_int_copy(TEMP(0), TEMP(2)));
1563 s_qdiv(TEMP(2), s_dp2k(TEMP(2)));
1565 if (CMPZ(TEMP(2)) > 0)
1567 REQUIRE(mp_int_copy(TEMP(2), TEMP(0)));
1571 REQUIRE(mp_int_neg(TEMP(2), TEMP(1)));
1574 REQUIRE(mp_int_sub(TEMP(0), TEMP(1), TEMP(2)));
1576 if (CMPZ(TEMP(2)) == 0)
1580 REQUIRE(mp_int_abs(TEMP(0), c));
1581 if (!s_qmul(c, (mp_size) k))
1588 /* This is the binary GCD algorithm again, but this time we keep track of the
1589 elementary matrix operations as we go, so we can get values x and y
1590 satisfying c = ax + by.
1593 mp_int_egcd(mp_int a, mp_int b, mp_int c, mp_int x, mp_int y)
1595 assert(a != NULL && b != NULL && c != NULL && (x != NULL || y != NULL));
1597 mp_result res = MP_OK;
1601 if (ca == 0 && cb == 0)
1607 if ((res = mp_int_abs(b, c)) != MP_OK)
1610 (void) mp_int_set_value(y, 1);
1615 if ((res = mp_int_abs(a, c)) != MP_OK)
1617 (void) mp_int_set_value(x, 1);
1623 * Initialize temporaries: A:0, B:1, C:2, D:3, u:4, v:5, ou:6, ov:7
1626 REQUIRE(mp_int_set_value(TEMP(0), 1));
1627 REQUIRE(mp_int_set_value(TEMP(3), 1));
1628 REQUIRE(mp_int_copy(a, TEMP(4)));
1629 REQUIRE(mp_int_copy(b, TEMP(5)));
1631 /* We will work with absolute values here */
1632 TEMP(4)->sign = MP_ZPOS;
1633 TEMP(5)->sign = MP_ZPOS;
1637 { /* Divide out common factors of 2 from u and v */
1638 int div2_u = s_dp2k(TEMP(4)),
1639 div2_v = s_dp2k(TEMP(5));
1641 k = MIN(div2_u, div2_v);
1646 REQUIRE(mp_int_copy(TEMP(4), TEMP(6)));
1647 REQUIRE(mp_int_copy(TEMP(5), TEMP(7)));
1651 while (mp_int_is_even(TEMP(4)))
1655 if (mp_int_is_odd(TEMP(0)) || mp_int_is_odd(TEMP(1)))
1657 REQUIRE(mp_int_add(TEMP(0), TEMP(7), TEMP(0)));
1658 REQUIRE(mp_int_sub(TEMP(1), TEMP(6), TEMP(1)));
1665 while (mp_int_is_even(TEMP(5)))
1669 if (mp_int_is_odd(TEMP(2)) || mp_int_is_odd(TEMP(3)))
1671 REQUIRE(mp_int_add(TEMP(2), TEMP(7), TEMP(2)));
1672 REQUIRE(mp_int_sub(TEMP(3), TEMP(6), TEMP(3)));
1679 if (mp_int_compare(TEMP(4), TEMP(5)) >= 0)
1681 REQUIRE(mp_int_sub(TEMP(4), TEMP(5), TEMP(4)));
1682 REQUIRE(mp_int_sub(TEMP(0), TEMP(2), TEMP(0)));
1683 REQUIRE(mp_int_sub(TEMP(1), TEMP(3), TEMP(1)));
1687 REQUIRE(mp_int_sub(TEMP(5), TEMP(4), TEMP(5)));
1688 REQUIRE(mp_int_sub(TEMP(2), TEMP(0), TEMP(2)));
1689 REQUIRE(mp_int_sub(TEMP(3), TEMP(1), TEMP(3)));
1692 if (CMPZ(TEMP(4)) == 0)
1695 REQUIRE(mp_int_copy(TEMP(2), x));
1697 REQUIRE(mp_int_copy(TEMP(3), y));
1700 if (!s_qmul(TEMP(5), k))
1704 REQUIRE(mp_int_copy(TEMP(5), c));
1716 mp_int_lcm(mp_int a, mp_int b, mp_int c)
1718 assert(a != NULL && b != NULL && c != NULL);
1721 * Since a * b = gcd(a, b) * lcm(a, b), we can compute lcm(a, b) = (a /
1724 * This formulation insures everything works even if the input variables
1728 REQUIRE(mp_int_gcd(a, b, TEMP(0)));
1729 REQUIRE(mp_int_div(a, TEMP(0), TEMP(0), NULL));
1730 REQUIRE(mp_int_mul(TEMP(0), b, TEMP(0)));
1731 REQUIRE(mp_int_copy(TEMP(0), c));
1738 mp_int_divisible_value(mp_int a, mp_small v)
1742 if (mp_int_div_value(a, v, NULL, &rem) != MP_OK)
1750 mp_int_is_pow2(mp_int z)
1757 /* Implementation of Newton's root finding method, based loosely on a patch
1758 contributed by Hal Finkel <half@halssoftware.com>
1759 modified by M. J. Fromberger.
1762 mp_int_root(mp_int a, mp_small b, mp_int c)
1764 assert(a != NULL && c != NULL && b > 0);
1768 return mp_int_copy(a, c);
1772 if (MP_SIGN(a) == MP_NEG)
1776 return MP_UNDEF; /* root does not exist for negative a with
1786 REQUIRE(mp_int_copy(a, TEMP(0)));
1787 REQUIRE(mp_int_copy(a, TEMP(1)));
1788 TEMP(0)->sign = MP_ZPOS;
1789 TEMP(1)->sign = MP_ZPOS;
1793 REQUIRE(mp_int_expt(TEMP(1), b, TEMP(2)));
1795 if (mp_int_compare_unsigned(TEMP(2), TEMP(0)) <= 0)
1798 REQUIRE(mp_int_sub(TEMP(2), TEMP(0), TEMP(2)));
1799 REQUIRE(mp_int_expt(TEMP(1), b - 1, TEMP(3)));
1800 REQUIRE(mp_int_mul_value(TEMP(3), b, TEMP(3)));
1801 REQUIRE(mp_int_div(TEMP(2), TEMP(3), TEMP(4), NULL));
1802 REQUIRE(mp_int_sub(TEMP(1), TEMP(4), TEMP(4)));
1804 if (mp_int_compare_unsigned(TEMP(1), TEMP(4)) == 0)
1806 REQUIRE(mp_int_sub_value(TEMP(4), 1, TEMP(4)));
1808 REQUIRE(mp_int_copy(TEMP(4), TEMP(1)));
1811 REQUIRE(mp_int_copy(TEMP(1), c));
1813 /* If the original value of a was negative, flip the output sign. */
1815 (void) mp_int_neg(c, c); /* cannot fail */
1822 mp_int_to_int(mp_int z, mp_small *out)
1826 /* Make sure the value is representable as a small integer */
1827 mp_sign sz = MP_SIGN(z);
1829 if ((sz == MP_ZPOS && mp_int_compare_value(z, MP_SMALL_MAX) > 0) ||
1830 mp_int_compare_value(z, MP_SMALL_MIN) < 0)
1835 mp_usmall uz = MP_USED(z);
1836 mp_digit *dz = MP_DIGITS(z) + uz - 1;
1841 uv <<= MP_DIGIT_BIT / 2;
1842 uv = (uv << (MP_DIGIT_BIT / 2)) | *dz--;
1847 *out = (mp_small) ((sz == MP_NEG) ? -uv : uv);
1853 mp_int_to_uint(mp_int z, mp_usmall *out)
1857 /* Make sure the value is representable as an unsigned small integer */
1858 mp_size sz = MP_SIGN(z);
1860 if (sz == MP_NEG || mp_int_compare_uvalue(z, MP_USMALL_MAX) > 0)
1865 mp_size uz = MP_USED(z);
1866 mp_digit *dz = MP_DIGITS(z) + uz - 1;
1871 uv <<= MP_DIGIT_BIT / 2;
1872 uv = (uv << (MP_DIGIT_BIT / 2)) | *dz--;
/*
 * mp_int_to_string: render z in the given radix into str, writing at most
 * `limit' bytes.  Digits are produced least-significant first by repeated
 * division (s_ddiv) and then reversed into place.
 * NOTE(review): interior lines are elided in this excerpt.
 */
1883 mp_int_to_string(mp_int z, mp_size radix, char *str, int limit)
1885 assert(z != NULL && str != NULL && limit >= 2);
1886 assert(radix >= MP_MIN_RADIX && radix <= MP_MAX_RADIX);
/* Shortcut for zero: emit a single '0' character */
1892 *str++ = s_val2ch(0, 1);
/* Work on a scratch copy so z itself is not destroyed by the division */
1901 if ((res = mp_int_init_copy(&tmp, z)) != MP_OK)
1904 if (MP_SIGN(z) == MP_NEG)
1911 /* Generate digits in reverse order until finished or limit reached */
1912 for ( /* */ ; limit > 0; --limit)
1916 if ((cmp = CMPZ(&tmp)) == 0)
1919 d = s_ddiv(&tmp, (mp_digit) radix);
1920 *str++ = s_val2ch(d, 1);
1924 /* Put digits back in correct output order */
/*
 * mp_int_string_len: number of bytes needed to hold z rendered in the
 * given radix, including sign marker and NUL terminator.
 */
1948 mp_int_string_len(mp_int z, mp_size radix)
1951 assert(radix >= MP_MIN_RADIX && radix <= MP_MAX_RADIX);
1953 int len = s_outlen(z, radix) + 1; /* for terminator */
1955 /* Allow for sign marker on negatives */
1956 if (MP_SIGN(z) == MP_NEG)
1962 /* Read zero-terminated string into z */
1964 mp_int_read_string(mp_int z, mp_size radix, const char *str)
/* Thin wrapper: delegate to mp_int_read_cstring, discarding the end pointer */
1966 return mp_int_read_cstring(z, radix, str, NULL);
/*
 * mp_int_read_cstring: parse a (possibly signed) integer in the given radix
 * from str into z; if end is non-NULL it receives a pointer to the first
 * unparsed character.  NOTE(review): interior lines are elided in this
 * excerpt.
 */
1970 mp_int_read_cstring(mp_int z, mp_size radix, const char *str,
1973 assert(z != NULL && str != NULL);
1974 assert(radix >= MP_MIN_RADIX && radix <= MP_MAX_RADIX);
1976 /* Skip leading whitespace */
1977 while (isspace((unsigned char) *str))
1980 /* Handle leading sign tag (+/-, positive default) */
1988 ++str; /* fallthrough */
1994 /* Skip leading zeroes */
1997 while ((ch = s_ch2val(*str, radix)) == 0)
2000 /* Make sure there is enough space for the value */
2001 if (!s_pad(z, s_inlen(strlen(str), radix)))
/* Accumulate: z = z * radix + ch for each valid digit character */
2007 while (*str != '\0' && ((ch = s_ch2val(*str, radix)) >= 0))
2009 s_dmul(z, (mp_digit) radix);
2010 s_dadd(z, (mp_digit) ch);
2016 /* Override sign for zero, even if negative specified. */
/* unconstify: str derives from the caller's non-const buffer */
2021 *end = unconstify(char *, str);
2024 * Return a truncation error if the string has unprocessed characters
2025 * remaining, so the caller can tell if the whole string was done
/*
 * mp_int_count_bits: number of significant bits in |z| (1 for zero).
 * NOTE(review): interior lines are elided; an elided statement presumably
 * adjusts uz before the z->digits[uz] index below — verify against upstream.
 */
2038 mp_int_count_bits(mp_int z)
2042 mp_size uz = MP_USED(z);
2044 if (uz == 1 && z->digits[0] == 0)
2048 mp_size nbits = uz * MP_DIGIT_BIT;
2049 mp_digit d = z->digits[uz];
/*
 * mp_int_to_binary: write z as a big-endian two's complement byte string
 * into buf (at most `limit' bytes).
 */
2061 mp_int_to_binary(mp_int z, unsigned char *buf, int limit)
2063 static const int PAD_FOR_2C = 1;
2065 assert(z != NULL && buf != NULL);
2068 mp_result res = s_tobin(z, buf, &limpos, PAD_FOR_2C);
/* Negative values are stored in two's complement form */
2070 if (MP_SIGN(z) == MP_NEG)
2071 s_2comp(buf, limpos);
/*
 * mp_int_read_binary: read a big-endian two's complement byte string of
 * `len' bytes from buf into z.
 */
2077 mp_int_read_binary(mp_int z, unsigned char *buf, int len)
2079 assert(z != NULL && buf != NULL && len > 0);
2081 /* Figure out how many digits are needed to represent this value */
2082 mp_size need = ((len * CHAR_BIT) + (MP_DIGIT_BIT - 1)) / MP_DIGIT_BIT;
2084 if (!s_pad(z, need))
2090 * If the high-order bit is set, take the 2's complement before reading
2091 * the value (it will be restored afterward)
2093 if (buf[0] >> (CHAR_BIT - 1))
/* Shift in one byte at a time, most-significant byte first */
2099 mp_digit *dz = MP_DIGITS(z);
2100 unsigned char *tmp = buf;
2102 for (int i = len; i > 0; --i, ++tmp)
2104 s_qmul(z, (mp_size) CHAR_BIT);
2108 /* Restore 2's complement if we took it before */
2109 if (MP_SIGN(z) == MP_NEG)
/*
 * mp_int_binary_len: number of bytes needed by mp_int_to_binary for z,
 * including any sign-padding byte.
 */
2116 mp_int_binary_len(mp_int z)
2118 mp_result res = mp_int_count_bits(z);
2123 int bytes = mp_int_unsigned_len(z);
2126 * If the highest-order bit falls exactly on a byte boundary, we need to
2127 * pad with an extra byte so that the sign will be read correctly when
2128 * reading it back in.
2130 if (bytes * CHAR_BIT == res)
/*
 * mp_int_to_unsigned: write |z| as a big-endian unsigned byte string into
 * buf (at most `limit' bytes); no sign padding.
 */
2137 mp_int_to_unsigned(mp_int z, unsigned char *buf, int limit)
2139 static const int NO_PADDING = 0;
2141 assert(z != NULL && buf != NULL);
2143 return s_tobin(z, buf, &limit, NO_PADDING);
/*
 * mp_int_read_unsigned: read a big-endian unsigned byte string of `len'
 * bytes from buf into z.  NOTE(review): interior lines are elided in this
 * excerpt.
 */
2147 mp_int_read_unsigned(mp_int z, unsigned char *buf, int len)
2149 assert(z != NULL && buf != NULL && len > 0);
2151 /* Figure out how many digits are needed to represent this value */
2152 mp_size need = ((len * CHAR_BIT) + (MP_DIGIT_BIT - 1)) / MP_DIGIT_BIT;
2154 if (!s_pad(z, need))
/* Shift in one byte at a time, most-significant byte first */
2159 unsigned char *tmp = buf;
2161 for (int i = len; i > 0; --i, ++tmp)
2163 (void) s_qmul(z, CHAR_BIT);
2164 *MP_DIGITS(z) |= *tmp;
/* mp_int_unsigned_len: bytes needed by mp_int_to_unsigned for |z| */
2171 mp_int_unsigned_len(mp_int z)
2173 mp_result res = mp_int_count_bits(z);
/* Round the bit count up to whole bytes */
2178 int bytes = (res + (CHAR_BIT - 1)) / CHAR_BIT;
/*
 * mp_error_string: map a result code to a static human-readable message;
 * unknown codes yield s_unknown_err.
 */
2184 mp_error_string(mp_result res)
2187 return s_unknown_err;
/* Scan the message table; it is terminated by a NULL entry */
2192 for (ix = 0; ix < res && s_error_msg[ix] != NULL; ++ix)
2195 if (s_error_msg[ix] != NULL)
2197 return s_error_msg[ix];
2201 return s_unknown_err;
2205 /*------------------------------------------------------------------------*/
2206 /* Private functions for internal use. These make assumptions. */
/* Debug fill pattern written into fresh digit buffers (IMATH_DEBUG builds) */
2209 static const mp_digit fill = (mp_digit) 0xdeadbeefabad1dea;
/*
 * s_alloc: allocate a buffer of `num' digits via px_alloc.  Allocation
 * failure is treated as fatal (assert).  NOTE(review): interior lines are
 * elided in this excerpt.
 */
2213 s_alloc(mp_size num)
2215 mp_digit *out = px_alloc(num * sizeof(mp_digit));
2217 assert(out != NULL);
/* Debug builds poison the new buffer with the fill pattern */
2220 for (mp_size ix = 0; ix < num; ++ix)
/*
 * s_realloc: grow a digit buffer from osize to nsize digits.  The debug
 * path allocates fresh (poisoned) storage and copies; the normal path uses
 * px_realloc.
 */
2227 s_realloc(mp_digit *old, mp_size osize, mp_size nsize)
2230 mp_digit *new = s_alloc(nsize);
2232 assert(new != NULL);
2234 for (mp_size ix = 0; ix < nsize; ++ix)
2236 memcpy(new, old, osize * sizeof(mp_digit));
2238 mp_digit *new = px_realloc(old, nsize * sizeof(mp_digit));
2240 assert(new != NULL);
/*
 * s_pad: make sure z has room for at least `min' digits, growing (and
 * switching off the single-digit inline buffer) if needed.
 */
2253 s_pad(mp_int z, mp_size min)
2255 if (MP_ALLOC(z) < min)
2257 mp_size nsize = s_round_prec(min);
/* A value still using its inline single digit must move to heap storage */
2260 if (z->digits == &(z->single))
2262 if ((tmp = s_alloc(nsize)) == NULL)
2266 else if ((tmp = s_realloc(MP_DIGITS(z), MP_ALLOC(z), nsize)) == NULL)
2278 /* Note: This will not work correctly when value == MP_SMALL_MIN */
/*
 * s_fake: initialize z as a temporary wrapping a small signed value, using
 * caller-provided digit storage vbuf (no allocation).
 */
2280 s_fake(mp_int z, mp_small value, mp_digit vbuf[])
2282 mp_usmall uv = (mp_usmall) (value < 0) ? -value : value;
2284 s_ufake(z, uv, vbuf);
/* s_ufake: as s_fake, for an unsigned small value */
2290 s_ufake(mp_int z, mp_usmall value, mp_digit vbuf[])
2292 mp_size ndig = (mp_size) s_uvpack(value, vbuf);
2295 z->alloc = MP_VALUE_DIGITS(value);
/*
 * s_cdig: compare two equal-length digit arrays, most-significant digit
 * first; returns <0, 0, or >0.  NOTE(review): interior lines are elided in
 * this excerpt.
 */
2301 s_cdig(mp_digit *da, mp_digit *db, mp_size len)
2303 mp_digit *dat = da + len - 1,
2304 *dbt = db + len - 1;
2306 for ( /* */ ; len != 0; --len, --dat, --dbt)
2312 else if (*dat < *dbt)
/*
 * s_uvpack: unpack an unsigned small value into digit array t, least-
 * significant digit first; returns the number of digits written.
 */
2322 s_uvpack(mp_usmall uv, mp_digit t[])
2332 t[ndig++] = (mp_digit) uv;
/* Two half-digit shifts keep the shift count legal when
   mp_usmall is no wider than mp_digit */
2333 uv >>= MP_DIGIT_BIT / 2;
2334 uv >>= MP_DIGIT_BIT / 2;
/* s_ucmp: compare |a| and |b|; magnitudes with more digits are larger */
2342 s_ucmp(mp_int a, mp_int b)
2344 mp_size ua = MP_USED(a),
2357 return s_cdig(MP_DIGITS(a), MP_DIGITS(b), ua);
/* s_vcmp: compare |a| against the magnitude of small value v */
2362 s_vcmp(mp_int a, mp_small v)
2365 #pragma warning(push)
2366 #pragma warning(disable: 4146)
/* Negating the unsigned conversion yields |v| even for extreme values */
2368 mp_usmall uv = (v < 0) ? -(mp_usmall) v : (mp_usmall) v;
2370 #pragma warning(pop)
2373 return s_uvcmp(a, uv);
/* s_uvcmp: compare |a| against unsigned small uv via a stack temporary */
2377 s_uvcmp(mp_int a, mp_usmall uv)
2380 mp_digit vdig[MP_VALUE_DIGITS(uv)];
2382 s_ufake(&vtmp, uv, vdig);
2383 return s_ucmp(a, &vtmp);
/*
 * s_uadd: unsigned digit-array addition dc = da + db; returns the final
 * carry digit.  NOTE(review): interior lines are elided in this excerpt.
 */
2387 s_uadd(mp_digit *da, mp_digit *db, mp_digit *dc, mp_size size_a,
2393 /* Ensure that da is the longer of the two to simplify later code */
2394 if (size_b > size_a)
2396 SWAP(mp_digit *, da, db);
2397 SWAP(mp_size, size_a, size_b);
2400 /* Add corresponding digits until the shorter number runs out */
2401 for (pos = 0; pos < size_b; ++pos, ++da, ++db, ++dc)
2403 w = w + (mp_word) *da + (mp_word) *db;
2404 *dc = LOWER_HALF(w);
2408 /* Propagate carries as far as necessary */
2409 for ( /* */ ; pos < size_a; ++pos, ++da, ++dc)
2413 *dc = LOWER_HALF(w);
2417 /* Return carry out */
2418 return (mp_digit) w;
/*
 * s_usub: unsigned digit-array subtraction dc = da - db; requires
 * |a| >= |b| so no borrow can escape.
 */
2422 s_usub(mp_digit *da, mp_digit *db, mp_digit *dc, mp_size size_a,
2428 /* We assume that |a| >= |b| so this should definitely hold */
2429 assert(size_a >= size_b);
2431 /* Subtract corresponding digits and propagate borrow */
2432 for (pos = 0; pos < size_b; ++pos, ++da, ++db, ++dc)
/* Add the radix up front so the difference cannot go negative */
2434 w = ((mp_word) MP_DIGIT_MAX + 1 + /* MP_RADIX */
2438 *dc = LOWER_HALF(w);
/* An empty upper half means a borrow was consumed */
2439 w = (UPPER_HALF(w) == 0);
2442 /* Finish the subtraction for remaining upper digits of da */
2443 for ( /* */ ; pos < size_a; ++pos, ++da, ++dc)
2445 w = ((mp_word) MP_DIGIT_MAX + 1 + /* MP_RADIX */
2449 *dc = LOWER_HALF(w);
2450 w = (UPPER_HALF(w) == 0);
2453 /* If there is a borrow out at the end, it violates the precondition */
/*
 * s_kmul: unsigned multiplication dc = da * db, using Karatsuba recursion
 * above multiply_threshold and s_umul below it.  NOTE(review): interior
 * lines are elided in this excerpt.
 */
2458 s_kmul(mp_digit *da, mp_digit *db, mp_digit *dc, mp_size size_a,
2463 /* Make sure b is the smaller of the two input values */
2464 if (size_b > size_a)
2466 SWAP(mp_digit *, da, db);
2467 SWAP(mp_size, size_a, size_b);
2471 * Ensure that the bottom is the larger half in an odd-length split; the
2472 * code below relies on this being true.
2474 bot_size = (size_a + 1) / 2;
2477 * If the values are big enough to bother with recursion, use the
2478 * Karatsuba algorithm to compute the product; otherwise use the normal
2479 * multiplication algorithm
2481 if (multiply_threshold && size_a >= multiply_threshold && size_b > bot_size)
/* Split each operand into bottom (low bot_size digits) and top halves */
2488 mp_digit *a_top = da + bot_size;
2489 mp_digit *b_top = db + bot_size;
2491 mp_size at_size = size_a - bot_size;
2492 mp_size bt_size = size_b - bot_size;
2493 mp_size buf_size = 2 * bot_size;
2496 * Do a single allocation for all three temporary buffers needed; each
2497 * buffer must be big enough to hold the product of two bottom halves,
2498 * and one buffer needs space for the completed product; twice the
2501 if ((t1 = s_alloc(4 * buf_size)) == NULL)
2505 ZERO(t1, 4 * buf_size);
2508 * t1 and t2 are initially used as temporaries to compute the inner
2509 * product (a1 + a0)(b1 + b0) = a1b1 + a1b0 + a0b1 + a0b0
2511 carry = s_uadd(da, a_top, t1, bot_size, at_size); /* t1 = a1 + a0 */
2512 t1[bot_size] = carry;
2514 carry = s_uadd(db, b_top, t2, bot_size, bt_size); /* t2 = b1 + b0 */
2515 t2[bot_size] = carry;
2517 (void) s_kmul(t1, t2, t3, bot_size + 1, bot_size + 1); /* t3 = t1 * t2 */
2520 * Now we'll get t1 = a0b0 and t2 = a1b1, and subtract them out so
2521 * that we're left with only the pieces we want: t3 = a1b0 + a0b1
2525 (void) s_kmul(da, db, t1, bot_size, bot_size); /* t1 = a0 * b0 */
2526 (void) s_kmul(a_top, b_top, t2, at_size, bt_size); /* t2 = a1 * b1 */
2528 /* Subtract out t1 and t2 to get the inner product */
2529 s_usub(t3, t1, t3, buf_size + 2, buf_size);
2530 s_usub(t3, t2, t3, buf_size + 2, buf_size);
2532 /* Assemble the output value */
2533 COPY(t1, dc, buf_size);
2534 carry = s_uadd(t3, dc + bot_size, dc + bot_size, buf_size + 1, buf_size);
/* Add the high product a1*b1 into the top digits of the result */
2538 s_uadd(t2, dc + 2 * bot_size, dc + 2 * bot_size, buf_size, buf_size);
2541 s_free(t1); /* note t2 and t3 are just internal pointers
/* Small-operand fall-through: plain schoolbook multiplication */
2546 s_umul(da, db, dc, size_a, size_b);
/*
 * s_umul: schoolbook unsigned multiplication dc = da * db.
 * NOTE(review): interior lines are elided in this excerpt.
 */
2553 s_umul(mp_digit *da, mp_digit *db, mp_digit *dc, mp_size size_a,
2560 for (a = 0; a < size_a; ++a, ++dc, ++da)
/* Inner loop: multiply one digit of a by all of b, accumulating into dc */
2569 for (b = 0; b < size_b; ++b, ++dbt, ++dct)
2571 w = (mp_word) *da * (mp_word) *dbt + w + (mp_word) *dct;
2573 *dct = LOWER_HALF(w);
/* Store the final carry above the partial product */
2577 *dct = (mp_digit) w;
/*
 * s_ksqr: unsigned squaring dc = da * da, using a Karatsuba-style split
 * above multiply_threshold and s_usqr below it.
 */
2582 s_ksqr(mp_digit *da, mp_digit *dc, mp_size size_a)
2584 if (multiply_threshold && size_a > multiply_threshold)
2586 mp_size bot_size = (size_a + 1) / 2;
2587 mp_digit *a_top = da + bot_size;
/* carry is only consulted by assertions in this build */
2591 carry PG_USED_FOR_ASSERTS_ONLY;
2592 mp_size at_size = size_a - bot_size;
2593 mp_size buf_size = 2 * bot_size;
2595 if ((t1 = s_alloc(4 * buf_size)) == NULL)
2599 ZERO(t1, 4 * buf_size);
2601 (void) s_ksqr(da, t1, bot_size); /* t1 = a0 ^ 2 */
2602 (void) s_ksqr(a_top, t2, at_size); /* t2 = a1 ^ 2 */
2604 (void) s_kmul(da, a_top, t3, bot_size, at_size); /* t3 = a0 * a1 */
2606 /* Quick multiply t3 by 2, shifting left (can't overflow) */
2609 top = bot_size + at_size;
2613 for (i = 0; i < top; ++i)
2616 w = (w << 1) | save;
2617 t3[i] = LOWER_HALF(w);
2618 save = UPPER_HALF(w);
2620 t3[i] = LOWER_HALF(save);
2623 /* Assemble the output value */
2624 COPY(t1, dc, 2 * bot_size);
2625 carry = s_uadd(t3, dc + bot_size, dc + bot_size, buf_size + 1, buf_size);
/* Add the high square a1^2 into the top digits of the result */
2629 s_uadd(t2, dc + 2 * bot_size, dc + 2 * bot_size, buf_size, buf_size);
2632 s_free(t1); /* note that t2 and t3 are internal pointers
/* Small-operand fall-through: plain schoolbook squaring */
2638 s_usqr(da, dc, size_a);
/*
 * s_usqr: schoolbook squaring dc = da * da, exploiting the symmetry of
 * cross terms (each a_i * a_j with i != j is doubled).
 */
2645 s_usqr(mp_digit *da, mp_digit *dc, mp_size size_a)
2651 for (i = 0; i < size_a; ++i, dc += 2, ++da)
2659 /* Take care of the first digit, no rollover */
2660 w = (mp_word) *dat * (mp_word) *dat + (mp_word) *dct;
2661 *dct = LOWER_HALF(w);
/* Cross terms: each product is doubled, with explicit overflow checks */
2666 for (j = i + 1; j < size_a; ++j, ++dat, ++dct)
2668 mp_word t = (mp_word) *da * (mp_word) *dat;
2669 mp_word u = w + (mp_word) *dct,
2672 /* Check if doubling t will overflow a word */
2673 if (HIGH_BIT_SET(t))
2678 /* Check if adding u to w will overflow a word */
2679 if (ADD_WILL_OVERFLOW(w, u))
2684 *dct = LOWER_HALF(w);
/* Re-inject an overflowed radix into the running carry */
2688 w += MP_DIGIT_MAX; /* MP_RADIX */
2694 *dct = (mp_digit) w;
2695 while ((w = UPPER_HALF(w)) != 0)
2699 *dct = LOWER_HALF(w);
/*
 * s_dadd: in-place add a single digit b to |a| (a = a + b).
 * NOTE(review): interior lines are elided in this excerpt.
 */
2707 s_dadd(mp_int a, mp_digit b)
2710 mp_digit *da = MP_DIGITS(a);
2711 mp_size ua = MP_USED(a);
2713 w = (mp_word) *da + b;
2714 *da++ = LOWER_HALF(w);
/* Ripple the carry through the remaining digits */
2717 for (ua -= 1; ua > 0; --ua, ++da)
2719 w = (mp_word) *da + w;
2721 *da = LOWER_HALF(w);
/* s_dmul: in-place multiply |a| by a single digit b (a = a * b) */
2733 s_dmul(mp_int a, mp_digit b)
2736 mp_digit *da = MP_DIGITS(a);
2737 mp_size ua = MP_USED(a);
2741 w = (mp_word) *da * b + w;
2742 *da++ = LOWER_HALF(w);
/*
 * s_dbmul: multiply digit array da by single digit b into dc
 * (dc may need size_a + 1 digits for the final carry).
 */
2755 s_dbmul(mp_digit *da, mp_digit b, mp_digit *dc, mp_size size_a)
2761 w = (mp_word) *da++ * (mp_word) b + w;
2763 *dc++ = LOWER_HALF(w);
/* Store the final carry digit */
2769 *dc = LOWER_HALF(w);
/*
 * s_ddiv: in-place divide |a| by a single digit b (a = a / b); returns the
 * remainder.  Works from the most-significant digit downward.
 */
2773 s_ddiv(mp_int a, mp_digit b)
2777 mp_size ua = MP_USED(a);
2778 mp_digit *da = MP_DIGITS(a) + ua - 1;
2780 for ( /* */ ; ua > 0; --ua, --da)
2782 w = (w << MP_DIGIT_BIT) | *da;
2794 *da = (mp_digit) qdigit;
/* w holds the remainder after the last digit is processed */
2798 return (mp_digit) w;
/*
 * s_qdiv: in-place divide |z| by 2^p2 (right shift by p2 bits).
 * NOTE(review): interior lines are elided in this excerpt.
 */
2802 s_qdiv(mp_int z, mp_size p2)
2804 mp_size ndig = p2 / MP_DIGIT_BIT,
2805 nbits = p2 % MP_DIGIT_BIT;
2806 mp_size uz = MP_USED(z);
/* First drop whole digits by sliding the array down ndig places */
2823 for (mark = ndig; mark < uz; ++mark)
2828 z->used = uz - ndig;
/* Then shift the remaining partial bit count, top digit downward */
2836 mp_size up = MP_DIGIT_BIT - nbits;
2839 dz = MP_DIGITS(z) + uz - 1;
2841 for ( /* */ ; uz > 0; --uz, --dz)
2845 *dz = (*dz >> nbits) | (d << up);
/* Canonicalize zero: a single zero digit gets a positive sign */
2852 if (MP_USED(z) == 1 && z->digits[0] == 0)
/*
 * s_qmod: in-place reduce |z| modulo 2^p2 (mask off all higher bits).
 */
2857 s_qmod(mp_int z, mp_size p2)
2859 mp_size start = p2 / MP_DIGIT_BIT + 1,
2860 rest = p2 % MP_DIGIT_BIT;
2861 mp_size uz = MP_USED(z);
2862 mp_digit mask = (1u << rest) - 1;
2867 z->digits[start - 1] &= mask;
/*
 * s_qmul: in-place multiply |z| by 2^p2 (left shift by p2 bits), growing
 * the digit array as needed.
 */
2873 s_qmul(mp_int z, mp_size p2)
2888 need = p2 / MP_DIGIT_BIT;
2889 rest = p2 % MP_DIGIT_BIT;
2892 * Figure out if we need an extra digit at the top end; this occurs if the
2893 * topmost `rest' bits of the high-order digit of z are not zero, meaning
2894 * they will be shifted off the end if not preserved
2899 mp_digit *dz = MP_DIGITS(z) + uz - 1;
2901 if ((*dz >> (MP_DIGIT_BIT - rest)) != 0)
2905 if (!s_pad(z, uz + need + extra))
2909 * If we need to shift by whole digits, do that in one pass, then to back
2910 * and shift by partial digits.
2914 from = MP_DIGITS(z) + uz - 1;
2917 for (i = 0; i < uz; ++i)
2920 ZERO(MP_DIGITS(z), need);
/* Partial-bit pass: carry the spilled high bits up through d */
2927 for (i = need, from = MP_DIGITS(z) + need; i < uz; ++i, ++from)
2929 mp_digit save = *from;
2931 *from = (*from << rest) | (d >> (MP_DIGIT_BIT - rest));
2935 d >>= (MP_DIGIT_BIT - rest);
2949 /* Compute z = 2^p2 - |z|; requires that 2^p2 >= |z|
2950 The sign of the result is always zero/positive.
2953 s_qsub(mp_int z, mp_size p2)
/* hi is the single set bit of 2^p2 within its top digit */
2955 mp_digit hi = (1u << (p2 % MP_DIGIT_BIT)),
2957 mp_size tdig = (p2 / MP_DIGIT_BIT),
2961 if (!s_pad(z, tdig + 1))
/* Subtract each digit of z from zero, borrowing via w */
2964 for (pos = 0, zp = MP_DIGITS(z); pos < tdig; ++pos, ++zp)
2966 w = ((mp_word) MP_DIGIT_MAX + 1) - w - (mp_word) *zp;
2968 *zp = LOWER_HALF(w);
2969 w = UPPER_HALF(w) ? 0 : 1;
/* Top digit also absorbs the 2^p2 bit itself */
2972 w = ((mp_word) MP_DIGIT_MAX + 1 + hi) - w - (mp_word) *zp;
2973 *zp = LOWER_HALF(w);
2975 assert(UPPER_HALF(w) != 0); /* no borrow out should be possible */
/*
 * NOTE(review): the fragments below belong to subsequent helpers whose
 * definition lines are elided from this excerpt (they scan the digits of z,
 * e.g. testing for zero and counting trailing zero bits) — verify against
 * upstream imath.c before relying on this description.
 */
2987 mp_digit *dp = MP_DIGITS(z),
2990 if (MP_USED(z) == 1 && *dp == 0)
3000 while ((d & 1) == 0)
3012 mp_size uz = MP_USED(z),
3014 mp_digit *dz = MP_DIGITS(z),
/*
 * s_2expt: set z = 2^k.  NOTE(review): interior lines are elided in this
 * excerpt.
 */
3038 s_2expt(mp_int z, mp_small k)
3044 ndig = (k + MP_DIGIT_BIT) / MP_DIGIT_BIT;
3045 rest = k % MP_DIGIT_BIT;
3047 if (!s_pad(z, ndig))
/* Only the single bit in the top digit is set */
3052 *(dz + ndig - 1) = (1u << rest);
/*
 * s_norm: multiply both a and b by 2^k so that the top digit of b has its
 * high bit set (Knuth's D1 normalization); returns k.
 */
3059 s_norm(mp_int a, mp_int b)
3061 mp_digit d = b->digits[MP_USED(b) - 1];
3064 while (d < (1u << (mp_digit) (MP_DIGIT_BIT - 1)))
3065 { /* d < (MP_RADIX / 2) */
3070 /* These multiplications can't fail */
3073 (void) s_qmul(a, (mp_size) k);
3074 (void) s_qmul(b, (mp_size) k);
/*
 * s_brmu: compute the Barrett reduction constant mu for modulus m:
 * z = floor(b^2k / m) where k = number of digits in m.
 */
3081 s_brmu(mp_int z, mp_int m)
3083 mp_size um = MP_USED(m) * 2;
3088 s_2expt(z, MP_DIGIT_BIT * um);
3089 return mp_int_div(z, m, z, NULL);
/*
 * s_reduce: Barrett reduction of x modulo m, with precomputed constant mu
 * (from s_brmu) and scratch registers q1, q2.  On success x holds
 * x mod m.  NOTE(review): interior lines are elided in this excerpt.
 */
3093 s_reduce(mp_int x, mp_int m, mp_int mu, mp_int q1, mp_int q2)
3095 mp_size um = MP_USED(m),
3099 umb_p1 = (um + 1) * MP_DIGIT_BIT;
3100 umb_m1 = (um - 1) * MP_DIGIT_BIT;
3102 if (mp_int_copy(x, q1) != MP_OK)
3105 /* Compute q2 = floor((floor(x / b^(k-1)) * mu) / b^(k+1)) */
3110 /* Set x = x mod b^(k+1) */
3114 * Now, q is a guess for the quotient a / m. Compute x - q * m mod
3115 * b^(k+1), replacing x. This may be off by a factor of 2m, but no more
3120 (void) mp_int_sub(x, q1, x); /* can't fail */
3123 * The result may be < 0; if it is, add b^(k+1) to pin it in the proper
3126 if ((CMPZ(x) < 0) && !s_qsub(x, umb_p1))
3130 * If x > m, we need to back it off until it is in range. This will be
3131 * required at most twice.
3133 if (mp_int_compare(x, m) >= 0)
3135 (void) mp_int_sub(x, m, x);
3136 if (mp_int_compare(x, m) >= 0)
3138 (void) mp_int_sub(x, m, x);
3142 /* At this point, x has been properly reduced. */
3146 /* Perform modular exponentiation using Barrett's method, where mu is the
3147 reduction constant for m. Assumes a < m, b > 0. */
/*
 * s_embar: c = a^b mod m by binary (square-and-multiply) exponentiation,
 * reducing after each step with s_reduce.  NOTE(review): interior lines are
 * elided in this excerpt.
 */
3149 s_embar(mp_int a, mp_int b, mp_int m, mp_int mu, mp_int c)
3151 mp_digit umu = MP_USED(mu);
3152 mp_digit *db = MP_DIGITS(b);
3153 mp_digit *dbt = db + MP_USED(b) - 1;
/* Scratch registers sized for the largest intermediate product */
3156 REQUIRE(GROW(TEMP(0), 4 * umu));
3157 REQUIRE(GROW(TEMP(1), 4 * umu));
3158 REQUIRE(GROW(TEMP(2), 4 * umu));
3159 ZERO(TEMP(0)->digits, TEMP(0)->alloc);
3160 ZERO(TEMP(1)->digits, TEMP(1)->alloc);
3161 ZERO(TEMP(2)->digits, TEMP(2)->alloc);
/* c starts at 1; bits of b multiply in the accumulated powers of a */
3163 (void) mp_int_set_value(c, 1);
3165 /* Take care of low-order digits */
3170 for (int i = MP_DIGIT_BIT; i > 0; --i, d >>= 1)
/* Bit set: multiply the current power of a into c, then reduce */
3174 /* The use of a second temporary avoids allocation */
3175 UMUL(c, a, TEMP(0));
3176 if (!s_reduce(TEMP(0), m, mu, TEMP(1), TEMP(2)))
3180 mp_int_copy(TEMP(0), c);
/* Square a for the next bit position, then reduce */
3184 assert(MP_SIGN(TEMP(0)) == MP_ZPOS);
3185 if (!s_reduce(TEMP(0), m, mu, TEMP(1), TEMP(2)))
3189 assert(MP_SIGN(TEMP(0)) == MP_ZPOS);
3190 mp_int_copy(TEMP(0), a);
3196 /* Take care of highest-order digit */
3203 UMUL(c, a, TEMP(0));
3204 if (!s_reduce(TEMP(0), m, mu, TEMP(1), TEMP(2)))
3208 mp_int_copy(TEMP(0), c);
3216 if (!s_reduce(TEMP(0), m, mu, TEMP(1), TEMP(2)))
3220 (void) mp_int_copy(TEMP(0), a);
3227 /* Division of nonnegative integers
3229 This function implements division algorithm for unsigned multi-precision
3230 integers. The algorithm is based on Algorithm D from Knuth's "The Art of
3231 Computer Programming", 3rd ed. 1998, pg 272-273.
3233 We diverge from Knuth's algorithm in that we do not perform the subtraction
3234 from the remainder until we have determined that we have the correct
3235 quotient digit. This makes our algorithm less efficient than Knuth because
3236 we might have to perform multiple multiplication and comparison steps before
3237 the subtraction. The advantage is that it is easy to implement and ensure
3238 correctness without worrying about underflow from the subtraction.
3240 inputs: u a n+m digit integer in base b (b is 2^MP_DIGIT_BIT)
3241 v a n digit integer in base b (b is 2^MP_DIGIT_BIT)
3244 outputs: u / v stored in u
/* NOTE(review): interior lines are elided in this excerpt. */
3248 s_udiv_knuth(mp_int u, mp_int v)
3250 /* Force signs to positive */
3254 /* Use simple division algorithm when v is only one digit long */
3255 if (MP_USED(v) == 1)
/* s_ddiv leaves the quotient in u; the remainder becomes the new v */
3262 mp_int_set_value(v, rem);
3269 * The n and m variables are defined as used by Knuth. u is an n digit
3270 * number with digits u_{n-1}..u_0. v is an n+m digit number with digits
3271 * from v_{m+n-1}..v_0. We require that n > 1 and m >= 0
3273 mp_size n = MP_USED(v);
3274 mp_size m = MP_USED(u) - n;
3277 /* assert(m >= 0) follows because m is unsigned. */
3280 * D1: Normalize. The normalization step provides the necessary condition
3281 * for Theorem B, which states that the quotient estimate for q_j, call it
3284 * qhat = u_{j+n}u_{j+n-1} / v_{n-1}
3288 * qhat - 2 <= q_j <= qhat.
3290 * That is, qhat is always greater than the actual quotient digit q, and
3291 * it is never more than two larger than the actual quotient digit.
3293 int k = s_norm(u, v);
3296 * Extend size of u by one if needed.
3298 * The algorithm begins with a value of u that has one more digit of
3299 * input. The normalization step sets u_{m+n}..u_0 = 2^k * u_{m+n-1}..u_0.
3300 * If the multiplication did not increase the number of digits of u, we
3301 * need to add a leading zero here.
3303 if (k == 0 || MP_USED(u) != m + n + 1)
3305 if (!s_pad(u, m + n + 1))
3307 u->digits[m + n] = 0;
3308 u->used = m + n + 1;
3312 * Add a leading 0 to v.
3314 * The multiplication in step D4 multiplies qhat * 0v_{n-1}..v_0. We need
3315 * to add the leading zero to v here to ensure that the multiplication
3316 * will produce the full n+1 digit result.
3318 if (!s_pad(v, n + 1))
3323 * Initialize temporary variables q and t. q allocates space for m+1
3324 * digits to store the quotient digits t allocates space for n+1 digits to
3325 * hold the result of q_j*v
3328 REQUIRE(GROW(TEMP(0), m + 1));
3329 REQUIRE(GROW(TEMP(1), n + 1));
3331 /* D2: Initialize j */
/* r is a window onto u's digits at position j; it shares storage with u */
3335 r.digits = MP_DIGITS(u) + j; /* The contents of r are shared with u */
3338 r.alloc = MP_ALLOC(u);
3339 ZERO(TEMP(1)->digits, TEMP(1)->alloc);
3341 /* Calculate the m+1 digits of the quotient result */
3344 /* D3: Calculate q' */
3345 /* r->digits is aligned to position j of the number u */
/* Build the two-digit prefix u_{j+n}u_{j+n-1} in a word; half-digit
   shifts keep the shift count legal */
3350 pfx <<= MP_DIGIT_BIT / 2;
3351 pfx <<= MP_DIGIT_BIT / 2;
3352 pfx |= r.digits[n - 1]; /* pfx = u_{j+n}{j+n-1} */
3354 qhat = pfx / v->digits[n - 1];
3357 * Check to see if qhat > b, and decrease qhat if so. Theorem B
3358 * guarantees that qhat is at most 2 larger than the actual value, so
3359 * it is possible that qhat is greater than the maximum value that
3360 * will fit in a digit
3362 if (qhat > MP_DIGIT_MAX)
3363 qhat = MP_DIGIT_MAX;
3366 * D4,D5,D6: Multiply qhat * v and test for a correct value of q
3368 * We proceed a bit different than the way described by Knuth. This
3369 * way is simpler but less efficient. Instead of doing the multiply and
3370 * subtract then checking for underflow, we first do the multiply of
3371 * qhat * v and see if it is larger than the current remainder r. If
3372 * it is larger, we decrease qhat by one and try again. We may need to
3373 * decrease qhat one more time before we get a value that is smaller
3376 * This way is less efficient than Knuth because we do more multiplies,
3377 * but we do not need to worry about underflow this way.
3380 s_dbmul(MP_DIGITS(v), (mp_digit) qhat, TEMP(1)->digits, n + 1);
3381 TEMP(1)->used = n + 1;
3384 /* Clamp r for the comparison. Comparisons do not like leading zeros. */
3386 if (s_ucmp(TEMP(1), &r) > 0)
3387 { /* would the remainder be negative? */
3388 qhat -= 1; /* try a smaller q */
3389 s_dbmul(MP_DIGITS(v), (mp_digit) qhat, TEMP(1)->digits, n + 1);
3390 TEMP(1)->used = n + 1;
3392 if (s_ucmp(TEMP(1), &r) > 0)
3393 { /* would the remainder be negative? */
3395 qhat -= 1; /* try a smaller q */
3396 s_dbmul(MP_DIGITS(v), (mp_digit) qhat, TEMP(1)->digits, n + 1);
3397 TEMP(1)->used = n + 1;
3400 assert(s_ucmp(TEMP(1), &r) <= 0 && "The mathematics failed us.");
3404 * Unclamp r. The D algorithm expects r = u_{j+n}..u_j to always be
3410 * D4: Multiply and subtract
3412 * Note: The multiply was completed above so we only need to subtract
3415 s_usub(r.digits, TEMP(1)->digits, r.digits, r.used, TEMP(1)->used);
3418 * D5: Test remainder
3420 * Note: Not needed because we always check that qhat is the correct
3421 * value before performing the subtract. Value cast to mp_digit to
3422 * prevent warning, qhat has been clamped to MP_DIGIT_MAX
3424 TEMP(0)->digits[j] = (mp_digit) qhat;
3427 * D6: Add back Note: Not needed because we always check that qhat is
3428 * the correct value before performing the subtract.
3433 ZERO(TEMP(1)->digits, TEMP(1)->alloc);
3436 /* Get rid of leading zeros in q */
3437 TEMP(0)->used = m + 1;
3440 /* Denormalize the remainder */
3441 CLAMP(u); /* use u here because the r.digits pointer is
3446 mp_int_copy(u, v); /* ok: 0 <= r < v */
3447 mp_int_copy(TEMP(0), u); /* ok: q <= u */
/*
 * s_outlen: upper bound on the number of characters needed to render z in
 * radix r (sign/terminator not included).  NOTE(review): interior lines
 * are elided in this excerpt.
 */
3454 s_outlen(mp_int z, mp_size r)
3456 assert(r >= MP_MIN_RADIX && r <= MP_MAX_RADIX);
3458 mp_result bits = mp_int_count_bits(z);
3459 double raw = (double) bits * s_log2[r];
/* Round up without pulling in ceil() */
3461 return (int) (raw + 0.999999);
/*
 * s_inlen: number of digits to allocate for a value of `len' characters in
 * radix r, plus one digit of slack.
 */
3465 s_inlen(int len, mp_size r)
3467 double raw = (double) len / s_log2[r];
3468 mp_size bits = (mp_size) (raw + 0.5);
3470 return (mp_size) ((bits + (MP_DIGIT_BIT - 1)) / MP_DIGIT_BIT) + 1;
/*
 * s_ch2val: map character c to its digit value in radix r, or -1 if it is
 * not a valid digit.
 */
3474 s_ch2val(char c, int r)
3479 * In some locales, isalpha() accepts characters outside the range A-Z,
3480 * producing out<0 or out>=36. The "out >= r" check will always catch
3481 * out>=36. Though nothing explicitly catches out<0, our caller reacts
3482 * the same way to every negative return value.
3484 if (isdigit((unsigned char) c))
3486 else if (r > 10 && isalpha((unsigned char) c))
3487 out = toupper((unsigned char) c) - 'A' + 10;
3491 return (out >= r) ? -1 : out;
/*
 * s_val2ch: map digit value v to its character, upper-case when caps is
 * nonzero.
 */
3495 s_val2ch(int v, int caps)
3505 char out = (v - 10) + 'a';
3509 return toupper((unsigned char) out);
/*
 * s_2comp: take the two's complement of the len-byte big-endian buffer in
 * place (complement every byte, then add one).  NOTE(review): interior
 * lines are elided in this excerpt.
 */
3519 s_2comp(unsigned char *buf, int len)
3521 unsigned short s = 1;
3523 for (int i = len - 1; i >= 0; --i)
3525 unsigned char c = ~buf[i];
3534 /* last carry out is ignored */
/*
 * s_tobin: serialize |z| into buf as big-endian bytes; *limpos is the
 * buffer limit on entry and the bytes written on exit.  With pad != 0 an
 * extra sign byte is emitted when the high bit lands on a byte boundary.
 * Returns MP_OK, or MP_TRUNC if buf was too small.
 */
3538 s_tobin(mp_int z, unsigned char *buf, int *limpos, int pad)
3542 mp_size uz = MP_USED(z);
3543 mp_digit *dz = MP_DIGITS(z);
3545 while (uz > 0 && pos < limit)
/* Emit each digit one byte at a time, least-significant byte first */
3550 for (i = sizeof(mp_digit); i > 0 && pos < limit; --i)
3552 buf[pos++] = (unsigned char) d;
3555 /* Don't write leading zeroes */
3556 if (d == 0 && uz == 1)
3557 i = 0; /* exit loop without signaling truncation */
3560 /* Detect truncation (loop exited with pos >= limit) */
/* Two's complement padding: add a zero sign byte if the top bit is set */
3567 if (pad != 0 && (buf[pos - 1] >> (CHAR_BIT - 1)))
3579 /* Digits are in reverse order, fix that */
3582 /* Return the number of bytes actually written */
3585 return (uz == 0) ? MP_OK : MP_TRUNC;
3588 /* Here there be dragons */