linux/lib/mpi/mpi-pow.c

/* mpi-pow.c  -  MPI functions
 *	Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
 * GnuPG is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * GnuPG is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
 *
 * Note: This code is heavily based on the GNU MP Library.
 *	 Actually it's the same code with only minor changes in the
 *	 way the data is stored; this is to support the abstraction
 *	 of an optional secure memory allocation which may be used
 *	 to avoid revealing of sensitive data due to paging etc.
 *	 The GNU MP Library itself is published under the LGPL;
 *	 however I decided to publish this code under the plain GPL.
 */

#include <linux/string.h>
#include "mpi-internal.h"
#include "longlong.h"

/****************
 * RES = BASE ^ EXP mod MOD
 */
int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
{
	mpi_ptr_t mp_marker = NULL, bp_marker = NULL, ep_marker = NULL;
	mpi_ptr_t xp_marker = NULL;
	mpi_ptr_t tspace = NULL;
	mpi_ptr_t rp, ep, mp, bp;
	mpi_size_t esize, msize, bsize, rsize;
	int esign, msign, bsign, rsign;
	mpi_size_t size;
	int mod_shift_cnt;
	int negative_result;
	int assign_rp = 0;
	mpi_size_t tsize = 0;	/* to avoid compiler warning */
	/* fixme: we should check that the warning is void */
	int rc = -ENOMEM;

	esize = exp->nlimbs;
	msize = mod->nlimbs;
	size = 2 * msize;
	esign = exp->sign;
	msign = mod->sign;

	rp = res->d;
	ep = exp->d;

	if (!msize)
		return -EINVAL;

	if (!esize) {
		/* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
		 * depending on if MOD equals 1.  */
		res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
		if (res->nlimbs) {
			if (mpi_resize(res, 1) < 0)
				goto enomem;
			rp = res->d;
			rp[0] = 1;
		}
		res->sign = 0;
		goto leave;
	}

	/* Normalize MOD (i.e. make its most significant bit set) as required by
	 * mpn_divrem.  This will make the intermediate values in the calculation
	 * slightly larger, but the correct result is obtained after a final
	 * reduction using the original MOD value.  */
	mp = mp_marker = mpi_alloc_limb_space(msize);
	if (!mp)
		goto enomem;
	mod_shift_cnt = count_leading_zeros(mod->d[msize - 1]);
	if (mod_shift_cnt)
		mpihelp_lshift(mp, mod->d, msize, mod_shift_cnt);
	else
		MPN_COPY(mp, mod->d, msize);

	bsize = base->nlimbs;
	bsign = base->sign;
	if (bsize > msize) {	/* The base is larger than the module. Reduce it. */
		/* Allocate (BSIZE + 1) with space for remainder and quotient.
		 * (The quotient is (bsize - msize + 1) limbs.)  */
		bp = bp_marker = mpi_alloc_limb_space(bsize + 1);
		if (!bp)
			goto enomem;
		MPN_COPY(bp, base->d, bsize);
		/* We don't care about the quotient, store it above the remainder,
		 * at BP + MSIZE.  */
		mpihelp_divrem(bp + msize, 0, bp, bsize, mp, msize);
		bsize = msize;
		/* Canonicalize the base, since we are going to multiply with it
		 * quite a few times.  */
		MPN_NORMALIZE(bp, bsize);
	} else
		bp = base->d;

	if (!bsize) {
		res->nlimbs = 0;
		res->sign = 0;
		goto leave;
	}

	if (res->alloced < size) {
		/* We have to allocate more space for RES.  If any of the input
		 * parameters are identical to RES, defer deallocation of the old
		 * space.  */
		if (rp == ep || rp == mp || rp == bp) {
			rp = mpi_alloc_limb_space(size);
			if (!rp)
				goto enomem;
			assign_rp = 1;
		} else {
			if (mpi_resize(res, size) < 0)
				goto enomem;
			rp = res->d;
		}
	} else {		/* Make BASE, EXP and MOD not overlap with RES.  */
		if (rp == bp) {
			/* RES and BASE are identical.  Allocate temp. space for BASE.  */
			BUG_ON(bp_marker);
			bp = bp_marker = mpi_alloc_limb_space(bsize);
			if (!bp)
				goto enomem;
			MPN_COPY(bp, rp, bsize);
		}
		if (rp == ep) {
			/* RES and EXP are identical.  Allocate temp. space for EXP.  */
			ep = ep_marker = mpi_alloc_limb_space(esize);
			if (!ep)
				goto enomem;
			MPN_COPY(ep, rp, esize);
		}
		if (rp == mp) {
			/* RES and MOD are identical.  Allocate temporary space for MOD. */
			BUG_ON(mp_marker);
			mp = mp_marker = mpi_alloc_limb_space(msize);
			if (!mp)
				goto enomem;
			MPN_COPY(mp, rp, msize);
		}
	}

	MPN_COPY(rp, bp, bsize);
	rsize = bsize;
	rsign = bsign;

	{
		mpi_size_t i;
		mpi_ptr_t xp;
		int c;
		mpi_limb_t e;
		mpi_limb_t carry_limb;
		struct karatsuba_ctx karactx;

		xp = xp_marker = mpi_alloc_limb_space(2 * (msize + 1));
		if (!xp)
			goto enomem;

		memset(&karactx, 0, sizeof karactx);
		negative_result = (ep[0] & 1) && base->sign;

		i = esize - 1;
		e = ep[i];
		c = count_leading_zeros(e);
		e = (e << c) << 1;	/* shift the exp bits to the left, lose msb */
		c = BITS_PER_MPI_LIMB - 1 - c;

		/* Main loop.
		 *
		 * Make the result be pointed to alternately by XP and RP.  This
		 * helps us avoid block copying, which would otherwise be necessary
		 * with the overlap restrictions of mpihelp_divmod. With 50% probability
		 * the result after this loop will be in the area originally pointed
		 * by RP (==RES->d), and with 50% probability in the area originally
		 * pointed to by XP.
		 */

		for (;;) {
			while (c) {
				mpi_ptr_t tp;
				mpi_size_t xsize;

				/*if (mpihelp_mul_n(xp, rp, rp, rsize) < 0) goto enomem */
				if (rsize < KARATSUBA_THRESHOLD)
					mpih_sqr_n_basecase(xp, rp, rsize);
				else {
					if (!tspace) {
						tsize = 2 * rsize;
						tspace =
						    mpi_alloc_limb_space(tsize);
						if (!tspace)
							goto enomem;
					} else if (tsize < (2 * rsize)) {
						mpi_free_limb_space(tspace);
						tsize = 2 * rsize;
						tspace =
						    mpi_alloc_limb_space(tsize);
						if (!tspace)
							goto enomem;
					}
					mpih_sqr_n(xp, rp, rsize, tspace);
				}

				xsize = 2 * rsize;
				if (xsize > msize) {
					mpihelp_divrem(xp + msize, 0, xp, xsize,
						       mp, msize);
					xsize = msize;
				}

				tp = rp;
				rp = xp;
				xp = tp;
				rsize = xsize;

				if ((mpi_limb_signed_t) e < 0) {
					/*mpihelp_mul( xp, rp, rsize, bp, bsize ); */
					if (bsize < KARATSUBA_THRESHOLD) {
						mpi_limb_t tmp;
						if (mpihelp_mul
						    (xp, rp, rsize, bp, bsize,
						     &tmp) < 0)
							goto enomem;
					} else {
						if (mpihelp_mul_karatsuba_case
						    (xp, rp, rsize, bp, bsize,
						     &karactx) < 0)
							goto enomem;
					}

					xsize = rsize + bsize;
					if (xsize > msize) {
						mpihelp_divrem(xp + msize, 0,
							       xp, xsize, mp,
							       msize);
						xsize = msize;
					}

					tp = rp;
					rp = xp;
					xp = tp;
					rsize = xsize;
				}
				e <<= 1;
				c--;
			}

			i--;
			if (i < 0)
				break;
			e = ep[i];
			c = BITS_PER_MPI_LIMB;
		}

		/* We shifted MOD, the modulo reduction argument, left MOD_SHIFT_CNT
		 * steps.  Adjust the result by reducing it with the original MOD.
		 *
		 * Also make sure the result is put in RES->d (where it already
		 * might be, see above).
		 */
		if (mod_shift_cnt) {
			carry_limb =
			    mpihelp_lshift(res->d, rp, rsize, mod_shift_cnt);
			rp = res->d;
			if (carry_limb) {
				rp[rsize] = carry_limb;
				rsize++;
			}
		} else {
			MPN_COPY(res->d, rp, rsize);
			rp = res->d;
		}

		if (rsize >= msize) {
			mpihelp_divrem(rp + msize, 0, rp, rsize, mp, msize);
			rsize = msize;
		}

		/* Remove any leading zero words from the result.  */
		if (mod_shift_cnt)
			mpihelp_rshift(rp, rp, rsize, mod_shift_cnt);
		MPN_NORMALIZE(rp, rsize);

		mpihelp_release_karatsuba_ctx(&karactx);
	}

	if (negative_result && rsize) {
		if (mod_shift_cnt)
			mpihelp_rshift(mp, mp, msize, mod_shift_cnt);
		mpihelp_sub(rp, mp, msize, rp, rsize);
		rsize = msize;
		rsign = msign;
		MPN_NORMALIZE(rp, rsize);
	}
	res->nlimbs = rsize;
	res->sign = rsign;

leave:
	rc = 0;
enomem:
	if (assign_rp)
		mpi_assign_limb_space(res, rp, size);
	if (mp_marker)
		mpi_free_limb_space(mp_marker);
	if (bp_marker)
		mpi_free_limb_space(bp_marker);
	if (ep_marker)
		mpi_free_limb_space(ep_marker);
	if (xp_marker)
		mpi_free_limb_space(xp_marker);
	if (tspace)
		mpi_free_limb_space(tspace);
	return rc;
}
EXPORT_SYMBOL_GPL(mpi_powm);
crypto: GnuPG based MPI lib - source files (part 1) Adds the multi-precision-integer maths library which was originally taken from GnuPG and ported to the kernel by (among others) David Howells. This version is taken from Fedora kernel 2.6.32-71.14.1.el6. The difference is that checkpatch reported errors and warnings have been fixed. This library is used to implemenet RSA digital signature verification used in IMA/EVM integrity protection subsystem. Due to patch size limitation, the patch is divided into 4 parts. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> 2011-08-31 15:05:16 +04:00			`/* mpi-pow.c - MPI functions`
			`* Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc.`
			`*`
			`* This file is part of GnuPG.`
			`*`
			`* GnuPG is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 2 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* GnuPG is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA`
			`*`
			`* Note: This code is heavily based on the GNU MP Library.`
			`* Actually it's the same code with only minor changes in the`
			`* way the data is stored; this is to support the abstraction`
			`* of an optional secure memory allocation which may be used`
			`* to avoid revealing of sensitive data due to paging etc.`
			`* The GNU MP Library itself is published under the LGPL;`
			`* however I decided to publish this code under the plain GPL.`
			`*/`

			`#include <linux/string.h>`
			`#include "mpi-internal.h"`
			`#include "longlong.h"`

			`/****************`
			`* RES = BASE ^ EXP mod MOD`
			`*/`
			`int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)`
			`{`
			`mpi_ptr_t mp_marker = NULL, bp_marker = NULL, ep_marker = NULL;`
			`mpi_ptr_t xp_marker = NULL;`
			`mpi_ptr_t tspace = NULL;`
			`mpi_ptr_t rp, ep, mp, bp;`
			`mpi_size_t esize, msize, bsize, rsize;`
			`int esign, msign, bsign, rsign;`
			`mpi_size_t size;`
			`int mod_shift_cnt;`
			`int negative_result;`
			`int assign_rp = 0;`
			`mpi_size_t tsize = 0; /* to avoid compiler warning */`
			`/* fixme: we should check that the warning is void */`
			`int rc = -ENOMEM;`

			`esize = exp->nlimbs;`
			`msize = mod->nlimbs;`
			`size = 2 * msize;`
			`esign = exp->sign;`
			`msign = mod->sign;`

			`rp = res->d;`
			`ep = exp->d;`

			`if (!msize)`
lib/mpi: return error code on dividing by zero Definitely better to return error code than to divide by zero. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org> 2012-01-26 21:13:21 +04:00			`return -EINVAL;`
crypto: GnuPG based MPI lib - source files (part 1) Adds the multi-precision-integer maths library which was originally taken from GnuPG and ported to the kernel by (among others) David Howells. This version is taken from Fedora kernel 2.6.32-71.14.1.el6. The difference is that checkpatch reported errors and warnings have been fixed. This library is used to implemenet RSA digital signature verification used in IMA/EVM integrity protection subsystem. Due to patch size limitation, the patch is divided into 4 parts. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> 2011-08-31 15:05:16 +04:00
			`if (!esize) {`
			`/* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0`
			`* depending on if MOD equals 1. */`
			`res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;`
mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] This fixes CVE-2016-8650. If mpi_powm() is given a zero exponent, it wants to immediately return either 1 or 0, depending on the modulus. However, if the result was initalised with zero limb space, no limbs space is allocated and a NULL-pointer exception ensues. Fix this by allocating a minimal amount of limb space for the result when the 0-exponent case when the result is 1 and not touching the limb space when the result is 0. This affects the use of RSA keys and X.509 certificates that carry them. BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 PGD 0 Oops: 0002 [#1] SMP Modules linked in: CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278 Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 task: ffff8804011944c0 task.stack: ffff880401294000 RIP: 0010:[<ffffffff8138ce5d>] [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 RSP: 0018:ffff880401297ad8 EFLAGS: 00010212 RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0 RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0 RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000 R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50 FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0 Stack: ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30 ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8 Call Trace: [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66 [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146 [<ffffffff8132a95c>] rsa_verify+0x9d/0xee [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1 [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228 [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4 [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1 [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1 [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61 [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399 [<ffffffff812fe227>] SyS_add_key+0x154/0x19e [<ffffffff81001c2b>] do_syscall_64+0x80/0x191 [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25 Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f RIP [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 RSP <ffff880401297ad8> CR2: 0000000000000000 ---[ end trace d82015255d4a5d8d ]--- Basically, this is a backport of a libgcrypt patch: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526 Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)") Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by: David Howells <dhowells@redhat.com> cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> cc: linux-ima-devel@lists.sourceforge.net cc: stable@vger.kernel.org Signed-off-by: James Morris <james.l.morris@oracle.com> 2016-11-24 16:23:10 +03:00			`if (res->nlimbs) {`
			`if (mpi_resize(res, 1) < 0)`
			`goto enomem;`
			`rp = res->d;`
			`rp[0] = 1;`
			`}`
crypto: GnuPG based MPI lib - source files (part 1) Adds the multi-precision-integer maths library which was originally taken from GnuPG and ported to the kernel by (among others) David Howells. This version is taken from Fedora kernel 2.6.32-71.14.1.el6. The difference is that checkpatch reported errors and warnings have been fixed. This library is used to implemenet RSA digital signature verification used in IMA/EVM integrity protection subsystem. Due to patch size limitation, the patch is divided into 4 parts. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> 2011-08-31 15:05:16 +04:00			`res->sign = 0;`
			`goto leave;`
			`}`

			`/* Normalize MOD (i.e. make its most significant bit set) as required by`
			`* mpn_divrem. This will make the intermediate values in the calculation`
			`* slightly larger, but the correct result is obtained after a final`
			`* reduction using the original MOD value. */`
			`mp = mp_marker = mpi_alloc_limb_space(msize);`
			`if (!mp)`
			`goto enomem;`
MPILIB: Provide count_leading/trailing_zeros() based on arch functions Provide count_leading/trailing_zeros() macros based on extant arch bit scanning functions rather than reimplementing from scratch in MPILIB. Whilst we're at it, turn count_foo_zeros(n, x) into n = count_foo_zeros(x). Also move the definition to asm-generic as other people may be interested in using it. Signed-off-by: David Howells <dhowells@redhat.com> Cc: David S. Miller <davem@davemloft.net> Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Cc: Arnd Bergmann <arnd@arndb.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2012-09-13 16:09:33 +04:00			`mod_shift_cnt = count_leading_zeros(mod->d[msize - 1]);`
crypto: GnuPG based MPI lib - source files (part 1) Adds the multi-precision-integer maths library which was originally taken from GnuPG and ported to the kernel by (among others) David Howells. This version is taken from Fedora kernel 2.6.32-71.14.1.el6. The difference is that checkpatch reported errors and warnings have been fixed. This library is used to implemenet RSA digital signature verification used in IMA/EVM integrity protection subsystem. Due to patch size limitation, the patch is divided into 4 parts. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> 2011-08-31 15:05:16 +04:00			`if (mod_shift_cnt)`
			`mpihelp_lshift(mp, mod->d, msize, mod_shift_cnt);`
			`else`
			`MPN_COPY(mp, mod->d, msize);`

			`bsize = base->nlimbs;`
			`bsign = base->sign;`
			`if (bsize > msize) { /* The base is larger than the module. Reduce it. */`
			`/* Allocate (BSIZE + 1) with space for remainder and quotient.`
			`* (The quotient is (bsize - msize + 1) limbs.) */`
			`bp = bp_marker = mpi_alloc_limb_space(bsize + 1);`
			`if (!bp)`
			`goto enomem;`
			`MPN_COPY(bp, base->d, bsize);`
			`/* We don't care about the quotient, store it above the remainder,`
			`* at BP + MSIZE. */`
			`mpihelp_divrem(bp + msize, 0, bp, bsize, mp, msize);`
			`bsize = msize;`
			`/* Canonicalize the base, since we are going to multiply with it`
			`* quite a few times. */`
			`MPN_NORMALIZE(bp, bsize);`
			`} else`
			`bp = base->d;`

			`if (!bsize) {`
			`res->nlimbs = 0;`
			`res->sign = 0;`
			`goto leave;`
			`}`

			`if (res->alloced < size) {`
			`/* We have to allocate more space for RES. If any of the input`
			`* parameters are identical to RES, defer deallocation of the old`
			`* space. */`
			`if (rp == ep \|\| rp == mp \|\| rp == bp) {`
			`rp = mpi_alloc_limb_space(size);`
			`if (!rp)`
			`goto enomem;`
			`assign_rp = 1;`
			`} else {`
			`if (mpi_resize(res, size) < 0)`
			`goto enomem;`
			`rp = res->d;`
			`}`
			`} else { /* Make BASE, EXP and MOD not overlap with RES. */`
			`if (rp == bp) {`
			`/* RES and BASE are identical. Allocate temp. space for BASE. */`
			`BUG_ON(bp_marker);`
			`bp = bp_marker = mpi_alloc_limb_space(bsize);`
			`if (!bp)`
			`goto enomem;`
			`MPN_COPY(bp, rp, bsize);`
			`}`
			`if (rp == ep) {`
			`/* RES and EXP are identical. Allocate temp. space for EXP. */`
			`ep = ep_marker = mpi_alloc_limb_space(esize);`
			`if (!ep)`
			`goto enomem;`
			`MPN_COPY(ep, rp, esize);`
			`}`
			`if (rp == mp) {`
			`/* RES and MOD are identical. Allocate temporary space for MOD. */`
			`BUG_ON(mp_marker);`
			`mp = mp_marker = mpi_alloc_limb_space(msize);`
			`if (!mp)`
			`goto enomem;`
			`MPN_COPY(mp, rp, msize);`
			`}`
			`}`

			`MPN_COPY(rp, bp, bsize);`
			`rsize = bsize;`
			`rsign = bsign;`

			`{`
			`mpi_size_t i;`
			`mpi_ptr_t xp;`
			`int c;`
			`mpi_limb_t e;`
			`mpi_limb_t carry_limb;`
			`struct karatsuba_ctx karactx;`

			`xp = xp_marker = mpi_alloc_limb_space(2 * (msize + 1));`
			`if (!xp)`
			`goto enomem;`

			`memset(&karactx, 0, sizeof karactx);`
			`negative_result = (ep[0] & 1) && base->sign;`

			`i = esize - 1;`
			`e = ep[i];`
MPILIB: Provide count_leading/trailing_zeros() based on arch functions Provide count_leading/trailing_zeros() macros based on extant arch bit scanning functions rather than reimplementing from scratch in MPILIB. Whilst we're at it, turn count_foo_zeros(n, x) into n = count_foo_zeros(x). Also move the definition to asm-generic as other people may be interested in using it. Signed-off-by: David Howells <dhowells@redhat.com> Cc: David S. Miller <davem@davemloft.net> Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Cc: Arnd Bergmann <arnd@arndb.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2012-09-13 16:09:33 +04:00			`c = count_leading_zeros(e);`
crypto: GnuPG based MPI lib - source files (part 1) Adds the multi-precision-integer maths library which was originally taken from GnuPG and ported to the kernel by (among others) David Howells. This version is taken from Fedora kernel 2.6.32-71.14.1.el6. The difference is that checkpatch reported errors and warnings have been fixed. This library is used to implemenet RSA digital signature verification used in IMA/EVM integrity protection subsystem. Due to patch size limitation, the patch is divided into 4 parts. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> 2011-08-31 15:05:16 +04:00			`e = (e << c) << 1; /* shift the exp bits to the left, lose msb */`
			`c = BITS_PER_MPI_LIMB - 1 - c;`

			`/* Main loop.`
			`*`
			`* Make the result be pointed to alternately by XP and RP. This`
			`* helps us avoid block copying, which would otherwise be necessary`
			`* with the overlap restrictions of mpihelp_divmod. With 50% probability`
			`* the result after this loop will be in the area originally pointed`
			`* by RP (==RES->d), and with 50% probability in the area originally`
			`* pointed to by XP.`
			`*/`

			`for (;;) {`
			`while (c) {`
			`mpi_ptr_t tp;`
			`mpi_size_t xsize;`

			`/if (mpihelp_mul_n(xp, rp, rp, rsize) < 0) goto enomem /`
			`if (rsize < KARATSUBA_THRESHOLD)`
			`mpih_sqr_n_basecase(xp, rp, rsize);`
			`else {`
			`if (!tspace) {`
			`tsize = 2 * rsize;`
			`tspace =`
			`mpi_alloc_limb_space(tsize);`
			`if (!tspace)`
			`goto enomem;`
			`} else if (tsize < (2 * rsize)) {`
			`mpi_free_limb_space(tspace);`
			`tsize = 2 * rsize;`
			`tspace =`
			`mpi_alloc_limb_space(tsize);`
			`if (!tspace)`
			`goto enomem;`
			`}`
			`mpih_sqr_n(xp, rp, rsize, tspace);`
			`}`

			`xsize = 2 * rsize;`
			`if (xsize > msize) {`
			`mpihelp_divrem(xp + msize, 0, xp, xsize,`
			`mp, msize);`
			`xsize = msize;`
			`}`

			`tp = rp;`
			`rp = xp;`
			`xp = tp;`
			`rsize = xsize;`

			`if ((mpi_limb_signed_t) e < 0) {`
			`/mpihelp_mul( xp, rp, rsize, bp, bsize ); /`
			`if (bsize < KARATSUBA_THRESHOLD) {`
			`mpi_limb_t tmp;`
			`if (mpihelp_mul`
			`(xp, rp, rsize, bp, bsize,`
			`&tmp) < 0)`
			`goto enomem;`
			`} else {`
			`if (mpihelp_mul_karatsuba_case`
			`(xp, rp, rsize, bp, bsize,`
			`&karactx) < 0)`
			`goto enomem;`
			`}`

			`xsize = rsize + bsize;`
			`if (xsize > msize) {`
			`mpihelp_divrem(xp + msize, 0,`
			`xp, xsize, mp,`
			`msize);`
			`xsize = msize;`
			`}`

			`tp = rp;`
			`rp = xp;`
			`xp = tp;`
			`rsize = xsize;`
			`}`
			`e <<= 1;`
			`c--;`
			`}`

			`i--;`
			`if (i < 0)`
			`break;`
			`e = ep[i];`
			`c = BITS_PER_MPI_LIMB;`
			`}`

			`/* We shifted MOD, the modulo reduction argument, left MOD_SHIFT_CNT`
			`* steps. Adjust the result by reducing it with the original MOD.`
			`*`
			`* Also make sure the result is put in RES->d (where it already`
			`* might be, see above).`
			`*/`
			`if (mod_shift_cnt) {`
			`carry_limb =`
			`mpihelp_lshift(res->d, rp, rsize, mod_shift_cnt);`
			`rp = res->d;`
			`if (carry_limb) {`
			`rp[rsize] = carry_limb;`
			`rsize++;`
			`}`
			`} else {`
			`MPN_COPY(res->d, rp, rsize);`
			`rp = res->d;`
			`}`

			`if (rsize >= msize) {`
			`mpihelp_divrem(rp + msize, 0, rp, rsize, mp, msize);`
			`rsize = msize;`
			`}`

			`/* Remove any leading zero words from the result. */`
			`if (mod_shift_cnt)`
			`mpihelp_rshift(rp, rp, rsize, mod_shift_cnt);`
			`MPN_NORMALIZE(rp, rsize);`

			`mpihelp_release_karatsuba_ctx(&karactx);`
			`}`

			`if (negative_result && rsize) {`
			`if (mod_shift_cnt)`
			`mpihelp_rshift(mp, mp, msize, mod_shift_cnt);`
			`mpihelp_sub(rp, mp, msize, rp, rsize);`
			`rsize = msize;`
			`rsign = msign;`
			`MPN_NORMALIZE(rp, rsize);`
			`}`
			`res->nlimbs = rsize;`
			`res->sign = rsign;`

			`leave:`
			`rc = 0;`
			`enomem:`
			`if (assign_rp)`
			`mpi_assign_limb_space(res, rp, size);`
			`if (mp_marker)`
			`mpi_free_limb_space(mp_marker);`
			`if (bp_marker)`
			`mpi_free_limb_space(bp_marker);`
			`if (ep_marker)`
			`mpi_free_limb_space(ep_marker);`
			`if (xp_marker)`
			`mpi_free_limb_space(xp_marker);`
			`if (tspace)`
			`mpi_free_limb_space(tspace);`
			`return rc;`
			`}`
			`EXPORT_SYMBOL_GPL(mpi_powm);`