Diffstat (limited to 'frontend/gamma/js/Clipperz/Crypto/BigInt.js') (more/less context) (ignore whitespace changes)
| -rw-r--r-- | frontend/gamma/js/Clipperz/Crypto/BigInt.js | 23 |
1 files changed, 10 insertions, 13 deletions
diff --git a/frontend/gamma/js/Clipperz/Crypto/BigInt.js b/frontend/gamma/js/Clipperz/Crypto/BigInt.js index 41483a3..031ed30 100644 --- a/frontend/gamma/js/Clipperz/Crypto/BigInt.js +++ b/frontend/gamma/js/Clipperz/Crypto/BigInt.js @@ -1,214 +1,212 @@ /* -Copyright 2008-2011 Clipperz Srl +Copyright 2008-2013 Clipperz Srl -This file is part of Clipperz Community Edition. -Clipperz Community Edition is an online password manager. +This file is part of Clipperz, the online password manager. For further information about its features and functionalities please refer to http://www.clipperz.com. -* Clipperz Community Edition is free software: you can redistribute - it and/or modify it under the terms of the GNU Affero General Public - License as published by the Free Software Foundation, either version - 3 of the License, or (at your option) any later version. +* Clipperz is free software: you can redistribute it and/or modify it + under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. -* Clipperz Community Edition is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the implied - warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +* Clipperz is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. * You should have received a copy of the GNU Affero General Public - License along with Clipperz Community Edition. If not, see - <http://www.gnu.org/licenses/>. + License along with Clipperz. If not, see http://www.gnu.org/licenses/. */ if (typeof(Clipperz) == 'undefined') { Clipperz = {}; } if (typeof(Clipperz.Crypto) == 'undefined') { Clipperz.Crypto = {}; } //############################################################################# // Downloaded on March 05, 2007 from http://www.leemon.com/crypto/BigInt.js //############################################################################# //////////////////////////////////////////////////////////////////////////////////////// // Big Integer Library v. 5.0 // Created 2000, last modified 2006 // Leemon Baird // www.leemon.com // // This file is public domain. You can use it for any purpose without restriction. // I do not guarantee that it is correct, so use it at your own risk. If you use // it for something interesting, I'd appreciate hearing about it. If you find // any bugs or make any improvements, I'd appreciate hearing about those too. // It would also be nice if my name and address were left in the comments. // But none of that is required. // // This code defines a bigInt library for arbitrary-precision integers. // A bigInt is an array of integers storing the value in chunks of bpe bits, // little endian (buff[0] is the least significant word). // Negative bigInts are stored two's complement. // Some functions assume their parameters have at least one leading zero element. // Functions with an underscore at the end of the name have unpredictable behavior in case of overflow, // so the caller must make sure overflow won't happen. // For each function where a parameter is modified, that same // variable must not be used as another argument too. // So, you cannot square x by doing multMod_(x,x,n). // You must use squareMod_(x,n) instead, or do y=dup(x); multMod_(x,y,n). // // These functions are designed to avoid frequent dynamic memory allocation in the inner loop. // For most functions, if it needs a BigInt as a local variable it will actually use // a global, and will only allocate to it when it's not the right size. This ensures // that when a function is called repeatedly with same-sized parameters, it only allocates // memory on the first call. // // Note that for cryptographic purposes, the calls to Math.random() must // be replaced with calls to a better pseudorandom number generator. // // In the following, "bigInt" means a bigInt with at least one leading zero element, // and "integer" means a nonnegative integer less than radix. In some cases, integer // can be negative. Negative bigInts are 2s complement. // // The following functions do not modify their inputs, but dynamically allocate memory every time they are called: // // function bigInt2str(x,base) //convert a bigInt into a string in a given base, from base 2 up to base 95 // function dup(x) //returns a copy of bigInt x // function findPrimes(n) //return array of all primes less than integer n // function int2bigInt(t,n,m) //convert integer t to a bigInt with at least n bits and m array elements // function int2bigInt(s,b,n,m) //convert string s in base b to a bigInt with at least n bits and m array elements // function trim(x,k) //return a copy of x with exactly k leading zero elements // // The following functions do not modify their inputs, so there is never a problem with the result being too big: // // function bitSize(x) //returns how many bits long the bigInt x is, not counting leading zeros // function equals(x,y) //is the bigInt x equal to the bigint y? // function equalsInt(x,y) //is bigint x equal to integer y? // function greater(x,y) //is x>y? (x and y are nonnegative bigInts) // function greaterShift(x,y,shift)//is (x <<(shift*bpe)) > y? // function isZero(x) //is the bigInt x equal to zero? // function millerRabin(x,b) //does one round of Miller-Rabin base integer b say that bigInt x is possibly prime (as opposed to definitely composite)? // function modInt(x,n) //return x mod n for bigInt x and integer n. // function negative(x) //is bigInt x negative? // // The following functions do not modify their inputs, but allocate memory and call functions with underscores // // function add(x,y) //return (x+y) for bigInts x and y. // function addInt(x,n) //return (x+n) where x is a bigInt and n is an integer. // function expand(x,n) //return a copy of x with at least n elements, adding leading zeros if needed // function inverseMod(x,n) //return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null // function mod(x,n) //return a new bigInt equal to (x mod n) for bigInts x and n. // function mult(x,y) //return x*y for bigInts x and y. This is faster when y<x. // function multMod(x,y,n) //return (x*y mod n) for bigInts x,y,n. For greater speed, let y<x. // function powMod(x,y,n) //return (x**y mod n) where x,y,n are bigInts and ** is exponentiation. 0**0=1. Faster for odd n. // function randTruePrime(k) //return a new, random, k-bit, true prime using Maurer's algorithm. // function sub(x,y) //return (x-y) for bigInts x and y. Negative answers will be 2s complement // // The following functions write a bigInt result to one of the parameters, but // the result is never bigger than the original, so there can't be overflow problems: // // function divInt_(x,n) //do x=floor(x/n) for bigInt x and integer n, and return the remainder // function GCD_(x,y) //set x to the greatest common divisor of bigInts x and y, (y is destroyed). // function halve_(x) //do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement // function mod_(x,n) //do x=x mod n for bigInts x and n. // function rightShift_(x,n) //right shift bigInt x by n bits. 0 <= n < bpe. // // The following functions write a bigInt result to one of the parameters. The caller is responsible for // ensuring it is large enough to hold the result. // // function addInt_(x,n) //do x=x+n where x is a bigInt and n is an integer // function add_(x,y) //do x=x+y for bigInts x and y // function addShift_(x,y,ys) //do x=x+(y<<(ys*bpe)) // function copy_(x,y) //do x=y on bigInts x and y // function copyInt_(x,n) //do x=n on bigInt x and integer n // function carry_(x) //do carries and borrows so each element of the bigInt x fits in bpe bits. // function divide_(x,y,q,r) //divide_ x by y giving quotient q and remainder r // function eGCD_(x,y,d,a,b) //sets a,b,d to positive big integers such that d = GCD_(x,y) = a*x-b*y // function inverseMod_(x,n) //do x=x**(-1) mod n, for bigInts x and n. Returns 1 (0) if inverse does (doesn't) exist // function inverseModInt_(x,n) //return x**(-1) mod n, for integers x and n. Return 0 if there is no inverse // function leftShift_(x,n) //left shift bigInt x by n bits. n<bpe. // function linComb_(x,y,a,b) //do x=a*x+b*y for bigInts x and y and integers a and b // function linCombShift_(x,y,b,ys) //do x=x+b*(y<<(ys*bpe)) for bigInts x and y, and integers b and ys // function mont_(x,y,n,np) //Montgomery multiplication (see comments where the function is defined) // function mult_(x,y) //do x=x*y for bigInts x and y. // function multInt_(x,n) //do x=x*n where x is a bigInt and n is an integer. // function multMod_(x,y,n) //do x=x*y mod n for bigInts x,y,n. // function powMod_(x,y,n) //do x=x**y mod n, where x,y,n are bigInts (n is odd) and ** is exponentiation. 0**0=1. // function randBigInt_(b,n,s) //do b = an n-bit random BigInt. if s=1, then nth bit (most significant bit) is set to 1. n>=1. // function randTruePrime_(ans,k) //do ans = a random k-bit true random prime (not just probable prime) with 1 in the msb. // function squareMod_(x,n) //do x=x*x mod n for bigInts x,n // function sub_(x,y) //do x=x-y for bigInts x and y. Negative answers will be 2s complement. // function subShift_(x,y,ys) //do x=x-(y<<(ys*bpe)). Negative answers will be 2s complement. // // The following functions are based on algorithms from the _Handbook of Applied Cryptography_ // powMod_() = algorithm 14.94, Montgomery exponentiation // eGCD_,inverseMod_() = algorithm 14.61, Binary extended GCD_ // GCD_() = algorothm 14.57, Lehmer's algorithm // mont_() = algorithm 14.36, Montgomery multiplication // divide_() = algorithm 14.20 Multiple-precision division // squareMod_() = algorithm 14.16 Multiple-precision squaring // randTruePrime_() = algorithm 4.62, Maurer's algorithm // millerRabin() = algorithm 4.24, Miller-Rabin algorithm // // Profiling shows: // randTruePrime_() spends: // 10% of its time in calls to powMod_() // 85% of its time in calls to millerRabin() // millerRabin() spends: // 99% of its time in calls to powMod_() (always with a base of 2) // powMod_() spends: // 94% of its time in calls to mont_() (almost always with x==y) // // This suggests there are several ways to speed up this library slightly: // - convert powMod_ to use a Montgomery form of k-ary window (or maybe a Montgomery form of sliding window) // -- this should especially focus on being fast when raising 2 to a power mod n // - convert randTruePrime_() to use a minimum r of 1/3 instead of 1/2 with the appropriate change to the test // - tune the parameters in randTruePrime_(), including c, m, and recLimit // - speed up the single loop in mont_() that takes 95% of the runtime, perhaps by reducing checking // within the loop when all the parameters are the same length. // // There are several ideas that look like they wouldn't help much at all: // - replacing trial division in randTruePrime_() with a sieve (that speeds up something taking almost no time anyway) // - increase bpe from 15 to 30 (that would help if we had a 32*32->64 multiplier, but not with JavaScript's 32*32->32) // - speeding up mont_(x,y,n,np) when x==y by doing a non-modular, non-Montgomery square // followed by a Montgomery reduction. The intermediate answer will be twice as long as x, so that // method would be slower. This is unfortunate because the code currently spends almost all of its time // doing mont_(x,x,...), both for randTruePrime_() and powMod_(). A faster method for Montgomery squaring // would have a large impact on the speed of randTruePrime_() and powMod_(). HAC has a couple of poorly-worded // sentences that seem to imply it's faster to do a non-modular square followed by a single // Montgomery reduction, but that's obviously wrong. //////////////////////////////////////////////////////////////////////////////////////// //globals bpe=0; //bits stored per array element mask=0; //AND this with an array element to chop it down to bpe bits radix=mask+1; //equals 2^bpe. A single 1 bit to the left of the last bit of mask. //the digits for converting to different bases digitsStr='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_=!@#$%^&*()[]{}|;:,.<>/?`~ \\\'\"+-'; //initialize the global variables for (bpe=0; (1<<(bpe+1)) > (1<<bpe); bpe++); //bpe=number of bits in the mantissa on this platform bpe>>=1; //bpe=number of bits in one element of the array representing the bigInt mask=(1<<bpe)-1; //AND the mask with an integer to get its bpe least significant bits radix=mask+1; //2^bpe. a single 1 bit to the left of the first bit of mask one=int2bigInt(1,1,1); //constant used in powMod_() //the following global variables are scratchpad memory to //reduce dynamic memory allocation in the inner loop t=new Array(0); ss=t; //used in mult_() s0=t; //used in multMod_(), squareMod_() s1=t; //used in powMod_(), multMod_(), squareMod_() s2=t; //used in powMod_(), multMod_() s3=t; //used in powMod_() s4=t; s5=t; //used in mod_() s6=t; //used in bigInt2str() s7=t; //used in powMod_() T=t; //used in GCD_() sa=t; //used in mont_() mr_x1=t; mr_r=t; mr_a=t; //used in millerRabin() eg_v=t; eg_u=t; eg_A=t; eg_B=t; eg_C=t; eg_D=t; //used in eGCD_(), inverseMod_() md_q1=t; md_q2=t; md_q3=t; md_r=t; md_r1=t; md_r2=t; md_tt=t; //used in mod_() primes=t; pows=t; s_i=t; s_i2=t; s_R=t; s_rm=t; s_q=t; s_n1=t; s_a=t; s_r2=t; s_n=t; s_b=t; s_d=t; s_x1=t; s_x2=t, s_aa=t; //used in randTruePrime_() @@ -1288,385 +1286,384 @@ function trim(x,k) { y=new Array(i+k); copy_(y,x); return y; } //do x=x**y mod n, where x,y,n are bigInts and ** is exponentiation. 0**0=1. //this is faster when n is odd. x usually needs to have as many elements as n. function powMod_(x,y,n) { var k1,k2,kn,np; if(s7.length!=n.length) s7=dup(n); //for even modulus, use a simple square-and-multiply algorithm, //rather than using the more complex Montgomery algorithm. if ((n[0]&1)==0) { copy_(s7,x); copyInt_(x,1); while(!equalsInt(y,0)) { if (y[0]&1) multMod_(x,s7,n); divInt_(y,2); squareMod_(s7,n); } return; } //calculate np from n for the Montgomery multiplications copyInt_(s7,0); for (kn=n.length;kn>0 && !n[kn-1];kn--); np=radix-inverseModInt_(modInt(n,radix),radix); s7[kn]=1; multMod_(x ,s7,n); // x = x * 2**(kn*bp) mod n if (s3.length!=x.length) s3=dup(x); else copy_(s3,x); for (k1=y.length-1;k1>0 & !y[k1]; k1--); //k1=first nonzero element of y if (y[k1]==0) { //anything to the 0th power is 1 copyInt_(x,1); return; } for (k2=1<<(bpe-1);k2 && !(y[k1] & k2); k2>>=1); //k2=position of first 1 bit in y[k1] for (;;) { if (!(k2>>=1)) { //look at next bit of y k1--; if (k1<0) { mont_(x,one,n,np); return; } k2=1<<(bpe-1); } mont_(x,x,n,np); if (k2 & y[k1]) //if next bit is a 1 mont_(x,s3,n,np); } } //do x=x*y*Ri mod n for bigInts x,y,n, // where Ri = 2**(-kn*bpe) mod n, and kn is the // number of elements in the n array, not // counting leading zeros. //x must be large enough to hold the answer. //It's OK if x and y are the same variable. //must have: // x,y < n // n is odd // np = -(n^(-1)) mod radix function mont_(x,y,n,np) { var i,j,c,ui,t; var kn=n.length; var ky=y.length; if (sa.length!=kn) sa=new Array(kn); for (;kn>0 && n[kn-1]==0;kn--); //ignore leading zeros of n //this function sometimes gives wrong answers when the next line is uncommented //for (;ky>0 && y[ky-1]==0;ky--); //ignore leading zeros of y copyInt_(sa,0); //the following loop consumes 95% of the runtime for randTruePrime_() and powMod_() for large keys for (i=0; i<kn; i++) { t=sa[0]+x[i]*y[0]; ui=((t & mask) * np) & mask; //the inner "& mask" is needed on Macintosh MSIE, but not windows MSIE c=(t+ui*n[0]) >> bpe; t=x[i]; //do sa=(sa+x[i]*y+ui*n)/b where b=2**bpe for (j=1;j<ky;j++) { c+=sa[j]+t*y[j]+ui*n[j]; sa[j-1]=c & mask; c>>=bpe; } for (;j<kn;j++) { c+=sa[j]+ui*n[j]; sa[j-1]=c & mask; c>>=bpe; } sa[j-1]=c & mask; } if (!greater(n,sa)) sub_(sa,n); copy_(x,sa); } //############################################################################# //############################################################################# //############################################################################# //############################################################################# //############################################################################# //############################################################################# //############################################################################# //############################################################################# Clipperz.Crypto.BigInt = function (aValue, aBase) { var base; var value; if (typeof(aValue) == 'object') { this._internalValue = aValue; } else { if (typeof(aValue) == 'undefined') { value = "0"; } else { value = aValue + ""; } if (typeof(aBase) == 'undefined') { base = 10; } else { base = aBase; } this._internalValue = str2bigInt(value, base, 1, 1); } return this; } //============================================================================= MochiKit.Base.update(Clipperz.Crypto.BigInt.prototype, { 'clone': function() { return new Clipperz.Crypto.BigInt(this.internalValue()); }, //------------------------------------------------------------------------- 'internalValue': function () { return this._internalValue; }, //------------------------------------------------------------------------- 'isBigInt': true, //------------------------------------------------------------------------- 'toString': function(aBase) { return this.asString(aBase); }, //------------------------------------------------------------------------- 'asString': function (aBase, minimumLength) { var result; var base; if (typeof(aBase) == 'undefined') { base = 10; } else { base = aBase; } result = bigInt2str(this.internalValue(), base).toLowerCase(); if ((typeof(minimumLength) != 'undefined') && (result.length < minimumLength)) { var i, c; -//MochiKit.Logging.logDebug(">>> FIXING BigInt.asString length issue") c = (minimumLength - result.length); for (i=0; i<c; i++) { result = '0' + result; } } return result; }, //------------------------------------------------------------------------- 'asByteArray': function() { return new Clipperz.ByteArray("0x" + this.asString(16), 16); }, //------------------------------------------------------------------------- 'equals': function (aValue) { var result; if (aValue.isBigInt) { result = equals(this.internalValue(), aValue.internalValue()); } else if (typeof(aValue) == "number") { result = equalsInt(this.internalValue(), aValue); } else { throw Clipperz.Crypt.BigInt.exception.UnknownType; } return result; }, //------------------------------------------------------------------------- 'compare': function(aValue) { /* var result; var thisAsString; var aValueAsString; thisAsString = this.asString(10); aValueAsString = aValue.asString(10); result = MochiKit.Base.compare(thisAsString.length, aValueAsString.length); if (result == 0) { result = MochiKit.Base.compare(thisAsString, aValueAsString); } return result; */ var result; if (equals(this.internalValue(), aValue.internalValue())) { result = 0; } else if (greater(this.internalValue(), aValue.internalValue())) { result = 1; } else { result = -1; } return result; }, //------------------------------------------------------------------------- 'add': function (aValue) { var result; if (aValue.isBigInt) { result = add(this.internalValue(), aValue.internalValue()); } else { result = addInt(this.internalValue(), aValue); } return new Clipperz.Crypto.BigInt(result); }, //------------------------------------------------------------------------- 'subtract': function (aValue) { var result; var value; if (aValue.isBigInt) { value = aValue; } else { value = new Clipperz.Crypto.BigInt(aValue); } result = sub(this.internalValue(), value.internalValue()); return new Clipperz.Crypto.BigInt(result); }, //------------------------------------------------------------------------- 'multiply': function (aValue, aModule) { var result; var value; if (aValue.isBigInt) { value = aValue; } else { value = new Clipperz.Crypto.BigInt(aValue); } if (typeof(aModule) == 'undefined') { result = mult(this.internalValue(), value.internalValue()); } else { if (greater(this.internalValue(), value.internalValue())) { result = multMod(this.internalValue(), value.internalValue(), aModule); } else { result = multMod(value.internalValue(), this.internalValue(), aModule); } } return new Clipperz.Crypto.BigInt(result); }, //------------------------------------------------------------------------- 'module': function (aModule) { var result; var module; if (aModule.isBigInt) { module = aModule; } else { module = new Clipperz.Crypto.BigInt(aModule); } result = mod(this.internalValue(), module.internalValue()); return new Clipperz.Crypto.BigInt(result); }, //------------------------------------------------------------------------- 'powerModule': function(aValue, aModule) { var result; var value; var module; if (aValue.isBigInt) { value = aValue; } else { value = new Clipperz.Crypto.BigInt(aValue); } if (aModule.isBigInt) { module = aModule; } else { module = new Clipperz.Crypto.BigInt(aModule); } if (aValue == -1) { result = inverseMod(this.internalValue(), module.internalValue()); } else { result = powMod(this.internalValue(), value.internalValue(), module.internalValue()); } return new Clipperz.Crypto.BigInt(result); }, //------------------------------------------------------------------------- 'xor': function(aValue) { var result; var thisByteArray; var aValueByteArray; var xorArray; thisByteArray = new Clipperz.ByteArray("0x" + this.asString(16), 16); aValueByteArray = new Clipperz.ByteArray("0x" + aValue.asString(16), 16); xorArray = thisByteArray.xorMergeWithBlock(aValueByteArray, 'right'); result = new Clipperz.Crypto.BigInt(xorArray.toHexString(), 16); return result; }, //------------------------------------------------------------------------- 'shiftLeft': function(aNumberOfBitsToShift) { var result; var internalResult; var wholeByteToShift; var bitsLeftToShift; wholeByteToShift = Math.floor(aNumberOfBitsToShift / 8); bitsLeftToShift = aNumberOfBitsToShift % 8; if (wholeByteToShift == 0) { internalResult = this.internalValue(); |