Example #1
/*
 * Reduce g in place modulo cp->x1OrderPlus. The result may be zero.
 *
 * g   value to reduce; overwritten with the remainder.
 * cp  curve parameters supplying x1OrderPlus and its cached reciprocal.
 *
 * The modulus must be nonzero. That is only enforced through CKASSERT,
 * so callers must not depend on the check being active in every build
 * (NOTE(review): confirm how CKASSERT is configured for release builds).
 */
void x1OrderPlusMod(giant g, curveParams *cp)
{
	giant order;
	giant recip;

	CKASSERT(!isZero(cp->x1OrderPlus));

	/* Make sure the reciprocal is populated before it is read below. */
	calcX1OrderPlusRecip(cp);

	order = cp->x1OrderPlus;
	recip = cp->x1OrderPlusRecip;
	modg_via_recip(order, recip, g);
}
Example #2
/*
 * n becomes n % d. n is arbitrary, but the denominator d must be positive.
 *
 * The last denominator and its reciprocal are kept in cur_den / cur_recip,
 * so repeated reductions by the same d skip make_recip().
 *
 * NOTE(review): cur_den and cur_recip are shared state and this function
 * takes no lock; confirm callers are serialized. The newgiant() results
 * are used without a check, and the scratch giants are sized by
 * current_max_size - presumably d always fits; verify. cur_den also keeps
 * a copy of the last modulus after the call returns, which matters if a
 * modulus is ever secret.
 */
void modg(giant d, giant n)
{
	int needRecip;

	if (cur_recip == NULL) {
		/* First use: allocate the cache, then fill it below. */
		cur_recip = newgiant(current_max_size);
		cur_den = newgiant(current_max_size);
		needRecip = 1;
	}
	else {
		/* Cache exists: refresh only when the denominator changed. */
		needRecip = (gcompg(d, cur_den) != 0);
	}

	if (needRecip) {
		gtog(d, cur_den);
		make_recip(d, cur_recip);
	}

	modg_via_recip(d, cur_recip, n);
}
Example #3
/*
 * Optimization of curveOrderJustify using a known reciprocal, 11 June 1997.
 * g is reduced mod curveOrder and then nudged so it ends up within
 * [2, curveOrder-2]:
 *
 *   g == 0               ->  g := 2
 *   g == 1               ->  g := 2
 *   g == curveOrder - 1  ->  g := g - 1
 *
 * g           value to justify; modified in place.
 * curveOrder  modulus; must be nonzero (checked via CKASSERT only).
 * recip       reciprocal of curveOrder, as expected by modg_via_recip().
 */
static void curveOrderJustifyWithRecip(giant g, giant curveOrder, giant recip)
{
    CKASSERT(!isZero(curveOrder));

    /* After this reduction g is in [0, curveOrder-1]. */
    modg_via_recip(curveOrder, recip, g);

    if(isZero(g)) {
	/* First degenerate case: g == 0. */
	dbgLog(("curveOrderJustify: case 1\n"));
	int_to_giant(2, g);
    }
    else if(isone(g)) {
	/* Second degenerate case: g == 1. */
	dbgLog(("curveOrderJustify: case 2\n"));
	int_to_giant(2, g);
    }
    else {
	/*
	 * Third degenerate case: g == curveOrder - 1, detected by comparing
	 * g + 1 against curveOrder in a borrowed scratch giant.
	 * NOTE(review): the scratch giant holds a copy of g; if g can be
	 * key material, confirm returnGiant() clears it.
	 */
	giant gPlusOne = borrowGiant(g->capacity);

	gtog(g, gPlusOne);
	iaddg(1, gPlusOne);
	if(gcompg(gPlusOne, curveOrder) == 0) {
	    dbgLog(("curveOrderJustify: case 3\n"));
	    /* Reuse the scratch giant as the constant 1 for g -= 1. */
	    int_to_giant(1, gPlusOne);
	    subg(gPlusOne, g);
	}
	returnGiant(gPlusOne);
    }
}
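/*
 * Sign specified block of data (most likely a hash result) using
 * specified feePubKey.
 *
 * sig      signature instance; the result u is stored in its u field and
 *          its randGiant field supplies the random term m.
 * data     bytes to be signed.
 * dataLen  length of data in bytes.
 * pubKey   key object; must carry private data.
 *
 * Returns FR_BadPubKey when pubKey is NULL or has no curve parameters,
 * FR_IllegalArg when the key has no private data or when dataLen is so
 * large that the size computation for u would wrap, FR_Success otherwise.
 *
 * NOTE(review): sinst->u is assigned a fresh giant without releasing any
 * previous value; confirm callers sign at most once per feeSig instance.
 */
feeReturn feeSigSign(feeSig sig,
	const unsigned char *data,   		// data to be signed
	unsigned dataLen,			// in bytes
	feePubKey pubKey)
{
	sigInst 		*sinst = (sigInst*) sig;
	giant 			messageGiant = NULL;
	unsigned 		maxlen;
	giant 			privGiant;
	unsigned		privGiantBytes;
	feeReturn 		frtn = FR_Success;
	unsigned		randBytesLen;
	unsigned		uDigits;	// alloc'd digits in sinst->u
	curveParams		*cp;
	const unsigned		maxUnsigned = ~0U;

	if(pubKey == NULL) {
		return FR_BadPubKey;
	}
	cp = feePubKeyCurveParams(pubKey);
	if(cp == NULL) {
		return FR_BadPubKey;
	}
	
	privGiant = feePubKeyPrivData(pubKey);
	if(privGiant == NULL) {
		dbgLog(("Attempt to Sign without private data\n"));
		frtn = FR_IllegalArg;
		goto abort;
	}
	privGiantBytes = abs(privGiant->sign) * GIANT_BYTES_PER_DIGIT;

	/*
	 * Size the working giant before touching the message. dataLen is
	 * caller-supplied, and 3 * (privGiantBytes + maxlen) is unsigned
	 * arithmetic: a huge dataLen would wrap silently and leave u with
	 * far fewer digits than the multiply below writes into it. Reject
	 * such lengths up front.
	 */
	randBytesLen = feePubKeyBitsize(pubKey) / 8;
	maxlen = max(randBytesLen, dataLen);
	if((privGiantBytes > maxUnsigned / 3) ||
	   (maxlen > (maxUnsigned / 3) - privGiantBytes)) {
		dbgLog(("feeSigSign: dataLen too large\n"));
		frtn = FR_IllegalArg;
		goto abort;
	}

	/*
	 * Note PmX = m 'o' P1.
	 * Get message/digest as giant. May be significantly different
	 * in size from pubKey's basePrime.
	 */
	messageGiant = giant_with_data(data, dataLen);	    // M(text)

	/* leave plenty of room.... */
	uDigits = (3 * (privGiantBytes + maxlen)) / GIANT_BYTES_PER_DIGIT;
	sinst->u = newGiant(uDigits);
	gtog(privGiant, sinst->u);			    // u := ourPri
	mulg(messageGiant, sinst->u);			    // u *= M(text)
	addg(sinst->randGiant, sinst->u);		    // u += m

	/*
	 * Paranoia: we're using the curveParams from the caller's pubKey;
	 * this cp will have a valid x1OrderPlusRecip if pubKey is the same
	 * as the one passed to feeSigNewWithKey() (since feeSigNewWithKey
	 * called x1OrderPlusJustify()). But the caller could conceivably be
	 * using a different instance of their pubKey, in which case
	 * the key's cp->x1OrderPlusRecip may not be valid.
	 */
	calcX1OrderPlusRecip(cp);

	/* u := u mod x1OrderPlus */
	#if	SIG_DEBUG
	if(sigDebug) {
		printf("sigSign:\n");
		printf("u pre-modg  : ");
		printGiant(sinst->u);
	}
	#endif
	modg_via_recip(cp->x1OrderPlus, cp->x1OrderPlusRecip, sinst->u);

	/*
	 * SIG_DEBUG builds print the private key (privGiant) and the
	 * unreduced u to stdout; keep SIG_DEBUG off outside test builds.
	 */
	#if	SIG_DEBUG
	if(sigDebug) {
		printf("privGiant   : ");
		printGiant(privGiant);
		printf("u           : ");
		printGiant(sinst->u);
		printf("messageGiant: ");
		printGiant(messageGiant);
		printf("curveParams :\n");
		printCurveParams(cp);
	}
	#endif	// SIG_DEBUG
abort:
	if(messageGiant) {
		freeGiant(messageGiant);
	}
	return frtn;
}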