Change array representation of binary polynomials to make GF2m part of

 Changes between 0.9.8b and 0.9.9  [xx XXX xxxx]

  *) Change the array representation of binary polynomials: the list

     of degrees of non-zero coefficients is now terminated with -1.

     Previously it was terminated with 0, which was also part of the

     value; thus, the array representation was not applicable to

     polynomials where t^0 has coefficient zero.  This change makes

     the array representation useful in a more general context.

     [Douglas Stebila]

  *) Various modifications and fixes to SSL/TLS cipher string

     handling.  For ECC, the code now distinguishes between fixed ECDH

     with RSA certificates on the one hand and with ECDSA certificates

 *     t^p[0] + t^p[1] + ... + t^p[k]

 * where m = p[0] > p[1] > ... > p[k] = 0.

 */

int	BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[]);

int	BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[]);

	/* r = a mod p */

int	BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,

	const unsigned int p[], BN_CTX *ctx); /* r = (a * b) mod p */

int	BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[],

	const int p[], BN_CTX *ctx); /* r = (a * b) mod p */

int	BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],

	BN_CTX *ctx); /* r = (a * a) mod p */

int	BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const unsigned int p[],

int	BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const int p[],

	BN_CTX *ctx); /* r = (1 / b) mod p */

int	BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,

	const unsigned int p[], BN_CTX *ctx); /* r = (a / b) mod p */

	const int p[], BN_CTX *ctx); /* r = (a / b) mod p */

int	BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,

	const unsigned int p[], BN_CTX *ctx); /* r = (a ^ b) mod p */

	const int p[], BN_CTX *ctx); /* r = (a ^ b) mod p */

int	BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a,

	const unsigned int p[], BN_CTX *ctx); /* r = sqrt(a) mod p */

	const int p[], BN_CTX *ctx); /* r = sqrt(a) mod p */

int	BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a,

	const unsigned int p[], BN_CTX *ctx); /* r^2 + r = a mod p */

int	BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max);

int	BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a);

	const int p[], BN_CTX *ctx); /* r^2 + r = a mod p */

int	BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max);

int	BN_GF2m_arr2poly(const int p[], BIGNUM *a);

/* faster mod functions for the 'NIST primes' 

 * 0 <= a < p^2 */

/* Performs modular reduction of a and store result in r.  r could be a. */

int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])

int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[])

	{

	int j, k;

	int n, dN, d0, d1;

int	BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)

	{

	int ret = 0;

	const int max = BN_num_bits(p);

	unsigned int *arr=NULL;

	const int max = BN_num_bits(p) + 1;

	int *arr=NULL;

	bn_check_top(a);

	bn_check_top(p);

	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;

	if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err;

	ret = BN_GF2m_poly2arr(p, arr, max);

	if (!ret || ret > max)

		{

/* Compute the product of two polynomials a and b, reduce modulo p, and store

 * the result in r.  r could be a or b; a could be b.

 */

int	BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx)

int	BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const int p[], BN_CTX *ctx)

	{

	int zlen, i, j, k, ret = 0;

	BIGNUM *s;

int	BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx)

	{

	int ret = 0;

	const int max = BN_num_bits(p);

	unsigned int *arr=NULL;

	const int max = BN_num_bits(p) + 1;

	int *arr=NULL;

	bn_check_top(a);

	bn_check_top(b);

	bn_check_top(p);

	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;

	if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err;

	ret = BN_GF2m_poly2arr(p, arr, max);

	if (!ret || ret > max)

		{

/* Square a, reduce the result mod p, and store it in a.  r could be a. */

int	BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx)

int	BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[], BN_CTX *ctx)

	{

	int i, ret = 0;

	BIGNUM *s;

int	BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)

	{

	int ret = 0;

	const int max = BN_num_bits(p);

	unsigned int *arr=NULL;

	const int max = BN_num_bits(p) + 1;

	int *arr=NULL;

	bn_check_top(a);

	bn_check_top(p);

	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;

	if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err;

	ret = BN_GF2m_poly2arr(p, arr, max);

	if (!ret || ret > max)

		{

 * function is only provided for convenience; for best performance, use the 

 * BN_GF2m_mod_inv function.

 */

int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const unsigned int p[], BN_CTX *ctx)

int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const int p[], BN_CTX *ctx)

	{

	BIGNUM *field;

	int ret = 0;

 * function is only provided for convenience; for best performance, use the 

 * BN_GF2m_mod_div function.

 */

int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx, const unsigned int p[], BN_CTX *ctx)

int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx, const int p[], BN_CTX *ctx)

	{

	BIGNUM *field;

	int ret = 0;

 * the result in r.  r could be a.

 * Uses simple square-and-multiply algorithm A.5.1 from IEEE P1363.

 */

int	BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx)

int	BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const int p[], BN_CTX *ctx)

	{

	int ret = 0, i, n;

	BIGNUM *u;

int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx)

	{

	int ret = 0;

	const int max = BN_num_bits(p);

	unsigned int *arr=NULL;

	const int max = BN_num_bits(p) + 1;

	int *arr=NULL;

	bn_check_top(a);

	bn_check_top(b);

	bn_check_top(p);

	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;

	if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err;

	ret = BN_GF2m_poly2arr(p, arr, max);

	if (!ret || ret > max)

		{

 * the result in r.  r could be a.

 * Uses exponentiation as in algorithm A.4.1 from IEEE P1363.

 */

int	BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx)

int	BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const int p[], BN_CTX *ctx)

	{

	int ret = 0;

	BIGNUM *u;

int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)

	{

	int ret = 0;

	const int max = BN_num_bits(p);

	unsigned int *arr=NULL;

	const int max = BN_num_bits(p) + 1;

	int *arr=NULL;

	bn_check_top(a);

	bn_check_top(p);

	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;

	if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err;

	ret = BN_GF2m_poly2arr(p, arr, max);

	if (!ret || ret > max)

		{

/* Find r such that r^2 + r = a mod p.  r could be a. If no r exists returns 0.

 * Uses algorithms A.4.7 and A.4.6 from IEEE P1363.

 */

int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const unsigned int p[], BN_CTX *ctx)

int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[], BN_CTX *ctx)

	{

	int ret = 0, count = 0;

	unsigned int j;

int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)

	{

	int ret = 0;

	const int max = BN_num_bits(p);

	unsigned int *arr=NULL;

	const int max = BN_num_bits(p) + 1;

	int *arr=NULL;

	bn_check_top(a);

	bn_check_top(p);

	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) *

	if ((arr = (int *)OPENSSL_malloc(sizeof(int) *

						max)) == NULL) goto err;

	ret = BN_GF2m_poly2arr(p, arr, max);

	if (!ret || ret > max)

	}

/* Convert the bit-string representation of a polynomial

 * ( \sum_{i=0}^n a_i * x^i , where a_0 is *not* zero) into an array

 * of integers corresponding to the bits with non-zero coefficient.

 * ( \sum_{i=0}^n a_i * x^i) into an array of integers corresponding 

 * to the bits with non-zero coefficient.  Array is terminated with -1.

 * Up to max elements of the array will be filled.  Return value is total

 * number of coefficients that would be extracted if array was large enough.

 * number of array elements that would be filled if array was large enough.

 */

int BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max)

int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)

	{

	int i, j, k = 0;

	BN_ULONG mask;

	if (BN_is_zero(a) || !BN_is_bit_set(a, 0))

		/* a_0 == 0 => return error (the unsigned int array

		 * must be terminated by 0)

		 */

	if (BN_is_zero(a))

		return 0;

	for (i = a->top - 1; i >= 0; i--)

			}

		}

	if (k < max) {

		p[k] = -1;

		k++;

	}

	return k;

	}

/* Convert the coefficient array representation of a polynomial to a 

 * bit-string.  The array must be terminated by 0.

 * bit-string.  The array must be terminated by -1.

 */

int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a)

int BN_GF2m_arr2poly(const int p[], BIGNUM *a)

	{

	int i;

	bn_check_top(a);

	BN_zero(a);

	for (i = 0; p[i] != 0; i++)

	for (i = 0; p[i] != -1; i++)

		{

		if (BN_set_bit(a, p[i]) == 0)

			return 0;

		}

	BN_set_bit(a, 0);

	bn_check_top(a);

	return 1;

	{

	BIGNUM *a,*b[2],*c,*d,*e;

	int i, j, ret = 0;

	unsigned int p0[] = {163,7,6,3,0};

	unsigned int p1[] = {193,15,0};

	int p0[] = {163,7,6,3,0,-1};

	int p1[] = {193,15,0,-1};

	a=BN_new();

	b[0]=BN_new();

	{

	BIGNUM *a,*b[2],*c,*d,*e,*f,*g,*h;

	int i, j, ret = 0;

	unsigned int p0[] = {163,7,6,3,0};

	unsigned int p1[] = {193,15,0};

	int p0[] = {163,7,6,3,0,-1};

	int p1[] = {193,15,0,-1};

	a=BN_new();

	b[0]=BN_new();

	{

	BIGNUM *a,*b[2],*c,*d;

	int i, j, ret = 0;

	unsigned int p0[] = {163,7,6,3,0};

	unsigned int p1[] = {193,15,0};

	int p0[] = {163,7,6,3,0,-1};

	int p1[] = {193,15,0,-1};

	a=BN_new();

	b[0]=BN_new();

	{

	BIGNUM *a,*b[2],*c,*d;

	int i, j, ret = 0;

	unsigned int p0[] = {163,7,6,3,0};

	unsigned int p1[] = {193,15,0};

	int p0[] = {163,7,6,3,0,-1};

	int p1[] = {193,15,0,-1};

	a=BN_new();

	b[0]=BN_new();

	{

	BIGNUM *a,*b[2],*c,*d,*e,*f;

	int i, j, ret = 0;

	unsigned int p0[] = {163,7,6,3,0};

	unsigned int p1[] = {193,15,0};

	int p0[] = {163,7,6,3,0,-1};

	int p1[] = {193,15,0,-1};

	a=BN_new();

	b[0]=BN_new();

	{

	BIGNUM *a,*b[2],*c,*d,*e,*f;

	int i, j, ret = 0;

	unsigned int p0[] = {163,7,6,3,0};

	unsigned int p1[] = {193,15,0};

	int p0[] = {163,7,6,3,0,-1};

	int p1[] = {193,15,0,-1};

	a=BN_new();

	b[0]=BN_new();

	{

	BIGNUM *a,*b[2],*c,*d,*e,*f;

	int i, j, ret = 0;

	unsigned int p0[] = {163,7,6,3,0};

	unsigned int p1[] = {193,15,0};

	int p0[] = {163,7,6,3,0,-1};

	int p1[] = {193,15,0,-1};

	a=BN_new();

	b[0]=BN_new();

	{

	BIGNUM *a,*b[2],*c,*d,*e;

	int i, j, s = 0, t, ret = 0;

	unsigned int p0[] = {163,7,6,3,0};

	unsigned int p1[] = {193,15,0};

	int p0[] = {163,7,6,3,0,-1};

	int p1[] = {193,15,0,-1};

	a=BN_new();

	b[0]=BN_new();

	group->poly[2] = 0;

	group->poly[3] = 0;

	group->poly[4] = 0;

	group->poly[5] = -1;

	}

	dest->poly[2] = src->poly[2];

	dest->poly[3] = src->poly[3];

	dest->poly[4] = src->poly[4];

	dest->poly[5] = src->poly[5];

	bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);

	bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);

	for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;

	/* group->field */

	if (!BN_copy(&group->field, p)) goto err;

	i = BN_GF2m_poly2arr(&group->field, group->poly, 5);

	i = BN_GF2m_poly2arr(&group->field, group->poly, 6) - 1;

	if ((i != 5) && (i != 3))

		{

		ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);