1 /* crypto/bn/bn_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
60 # undef NDEBUG /* avoid conflicting definitions */
70 const char BN_version[] = "Big Number" OPENSSL_VERSION_PTEXT;
72 /* This stuff appears to be completely unused, so is deprecated */
73 #ifndef OPENSSL_NO_DEPRECATED
75 * For a 32 bit machine
84 static int bn_limit_bits = 0;
85 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
86 static int bn_limit_bits_low = 0;
87 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
88 static int bn_limit_bits_high = 0;
89 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
90 static int bn_limit_bits_mont = 0;
91 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
93 void BN_set_params(int mult, int high, int low, int mont)
96 if (mult > (int)(sizeof(int) * 8) - 1)
97 mult = sizeof(int) * 8 - 1;
99 bn_limit_num = 1 << mult;
102 if (high > (int)(sizeof(int) * 8) - 1)
103 high = sizeof(int) * 8 - 1;
104 bn_limit_bits_high = high;
105 bn_limit_num_high = 1 << high;
108 if (low > (int)(sizeof(int) * 8) - 1)
109 low = sizeof(int) * 8 - 1;
110 bn_limit_bits_low = low;
111 bn_limit_num_low = 1 << low;
114 if (mont > (int)(sizeof(int) * 8) - 1)
115 mont = sizeof(int) * 8 - 1;
116 bn_limit_bits_mont = mont;
117 bn_limit_num_mont = 1 << mont;
121 int BN_get_params(int which)
124 return (bn_limit_bits);
126 return (bn_limit_bits_high);
128 return (bn_limit_bits_low);
130 return (bn_limit_bits_mont);
136 const BIGNUM *BN_value_one(void)
138 static const BN_ULONG data_one = 1L;
139 static const BIGNUM const_one =
140 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
145 int BN_num_bits_word(BN_ULONG l)
152 mask = (0 - x) & BN_MASK2;
153 mask = (0 - (mask >> (BN_BITS2 - 1)));
159 mask = (0 - x) & BN_MASK2;
160 mask = (0 - (mask >> (BN_BITS2 - 1)));
165 mask = (0 - x) & BN_MASK2;
166 mask = (0 - (mask >> (BN_BITS2 - 1)));
171 mask = (0 - x) & BN_MASK2;
172 mask = (0 - (mask >> (BN_BITS2 - 1)));
177 mask = (0 - x) & BN_MASK2;
178 mask = (0 - (mask >> (BN_BITS2 - 1)));
183 mask = (0 - x) & BN_MASK2;
184 mask = (0 - (mask >> (BN_BITS2 - 1)));
190 int BN_num_bits(const BIGNUM *a)
197 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
200 void BN_clear_free(BIGNUM *a)
208 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
209 if (!(BN_get_flags(a, BN_FLG_STATIC_DATA)))
212 i = BN_get_flags(a, BN_FLG_MALLOCED);
213 OPENSSL_cleanse(a, sizeof(BIGNUM));
218 void BN_free(BIGNUM *a)
223 if ((a->d != NULL) && !(BN_get_flags(a, BN_FLG_STATIC_DATA)))
225 if (a->flags & BN_FLG_MALLOCED)
228 #ifndef OPENSSL_NO_DEPRECATED
229 a->flags |= BN_FLG_FREE;
235 void BN_init(BIGNUM *a)
237 memset(a, 0, sizeof(BIGNUM));
245 if ((ret = (BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL) {
246 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
249 ret->flags = BN_FLG_MALLOCED;
258 /* This is used both by bn_expand2() and bn_dup_expand() */
259 /* The caller MUST check that words > b->dmax before calling this */
260 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
262 BN_ULONG *A, *a = NULL;
266 if (words > (INT_MAX / (4 * BN_BITS2))) {
267 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
270 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
271 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
274 a = A = (BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG) * words);
276 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
281 * Valgrind complains in BN_consttime_swap because we process the whole
282 * array even if it's not initialised yet. This doesn't matter in that
283 * function - what's important is constant time operation (we're not
284 * actually going to use the data)
286 memset(a, 0, sizeof(BN_ULONG) * words);
291 /* Check if the previous number needs to be copied */
293 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
295 * The fact that the loop is unrolled
296 * 4-wise is a tribute to Intel. It's
297 * the one that doesn't have enough
298 * registers to accomodate more data.
299 * I'd unroll it 8-wise otherwise:-)
301 * <appro@fy.chalmers.se>
303 BN_ULONG a0, a1, a2, a3;
314 * workaround for ultrix cc: without 'case 0', the optimizer does
315 * the switch table by doing a=top&3; a--; goto jump_table[a];
316 * which fails for top== 0
318 switch (b->top & 3) {
330 memset(A, 0, sizeof(BN_ULONG) * words);
331 memcpy(A, b->d, sizeof(b->d[0]) * b->top);
338 * This is an internal function that can be used instead of bn_expand2() when
339 * there is a need to copy BIGNUMs instead of only expanding the data part,
340 * while still expanding them. Especially useful when needing to expand
341 * BIGNUMs that are declared 'const' and should therefore not be changed. The
342 * reason to use this instead of a BN_dup() followed by a bn_expand2() is
343 * memory allocation overhead. A BN_dup() followed by a bn_expand2() will
344 * allocate new memory for the BIGNUM data twice, and free it once, while
345 * bn_dup_expand() makes sure allocation is made only once.
348 #ifndef OPENSSL_NO_DEPRECATED
349 BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
356 * This function does not work if words <= b->dmax && top < words because
357 * BN_dup() does not preserve 'dmax'! (But bn_dup_expand() is not used
361 if (words > b->dmax) {
362 BN_ULONG *a = bn_expand_internal(b, words);
372 /* r == NULL, BN_new failure */
377 * If a == NULL, there was an error in allocation in
378 * bn_expand_internal(), and NULL should be returned
390 * This is an internal function that should not be used in applications. It
391 * ensures that 'b' has enough room for a 'words' word number and initialises
392 * any unused part of b->d with leading zeros. It is mostly used by the
393 * various BIGNUM routines. If there is an error, NULL is returned. If not,
397 BIGNUM *bn_expand2(BIGNUM *b, int words)
399 if (words > b->dmax) {
400 BN_ULONG *a = bn_expand_internal(b, words);
409 /* None of this should be necessary because of what b->top means! */
412 * NB: bn_wexpand() calls this only if the BIGNUM really has to grow
414 if (b->top < b->dmax) {
416 BN_ULONG *A = &(b->d[b->top]);
417 for (i = (b->dmax - b->top) >> 3; i > 0; i--, A += 8) {
427 for (i = (b->dmax - b->top) & 7; i > 0; i--, A++)
429 assert(A == &(b->d[b->dmax]));
435 BIGNUM *BN_dup(const BIGNUM *a)
446 if (!BN_copy(t, a)) {
454 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
464 if (bn_wexpand(a, b->top) == NULL)
470 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
471 BN_ULONG a0, a1, a2, a3;
481 /* ultrix cc workaround, see comments in bn_expand_internal */
482 switch (b->top & 3) {
492 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
497 a->flags |= b->flags & BN_FLG_FIXED_TOP;
502 #define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \
505 #define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED))
507 void BN_swap(BIGNUM *a, BIGNUM *b)
509 int flags_old_a, flags_old_b;
511 int tmp_top, tmp_dmax, tmp_neg;
516 flags_old_a = a->flags;
517 flags_old_b = b->flags;
534 a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b);
535 b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a);
540 void BN_clear(BIGNUM *a)
544 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
547 a->flags &= ~BN_FLG_FIXED_TOP;
550 BN_ULONG BN_get_word(const BIGNUM *a)
554 else if (a->top == 1)
560 int BN_set_word(BIGNUM *a, BN_ULONG w)
563 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
567 a->top = (w ? 1 : 0);
568 a->flags &= ~BN_FLG_FIXED_TOP;
573 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
591 i = ((n - 1) / BN_BYTES) + 1;
592 m = ((n - 1) % (BN_BYTES));
593 if (bn_wexpand(ret, (int)i) == NULL) {
601 l = (l << 8L) | *(s++);
609 * need to call this due to clear byte at top if avoiding having the top
610 * bit set (-ve number)
616 /* ignore negative */
617 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
623 n = i = BN_num_bytes(a);
625 l = a->d[i / BN_BYTES];
626 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
631 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
634 BN_ULONG t1, t2, *ap, *bp;
644 for (i = a->top - 1; i >= 0; i--) {
648 return ((t1 > t2) ? 1 : -1);
653 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
659 if ((a == NULL) || (b == NULL)) {
671 if (a->neg != b->neg) {
689 for (i = a->top - 1; i >= 0; i--) {
700 int BN_set_bit(BIGNUM *a, int n)
710 if (bn_wexpand(a, i + 1) == NULL)
712 for (k = a->top; k < i + 1; k++)
715 a->flags &= ~BN_FLG_FIXED_TOP;
718 a->d[i] |= (((BN_ULONG)1) << j);
723 int BN_clear_bit(BIGNUM *a, int n)
736 a->d[i] &= (~(((BN_ULONG)1) << j));
741 int BN_is_bit_set(const BIGNUM *a, int n)
752 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
755 int BN_mask_bits(BIGNUM *a, int n)
771 a->d[w] &= ~(BN_MASK2 << b);
777 void BN_set_negative(BIGNUM *a, int b)
779 if (b && !BN_is_zero(a))
785 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
793 return ((aa > bb) ? 1 : -1);
794 for (i = n - 2; i >= 0; i--) {
798 return ((aa > bb) ? 1 : -1);
804 * Here follows a specialised variants of bn_cmp_words(). It has the
805 * property of performing the operation on arrays of different sizes. The
806 * sizes of those arrays is expressed through cl, which is the common length
807 * ( basicall, min(len(a),len(b)) ), and dl, which is the delta between the
808 * two lengths, calculated as len(a)-len(b). All lengths are the number of
812 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
818 for (i = dl; i < 0; i++) {
820 return -1; /* a < b */
824 for (i = dl; i > 0; i--) {
826 return 1; /* a > b */
829 return bn_cmp_words(a, b, cl);
833 * Constant-time conditional swap of a and b.
834 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
835 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
836 * and that no more than nwords are used by either a or b.
837 * a and b cannot be the same number
839 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
844 bn_wcheck_size(a, nwords);
845 bn_wcheck_size(b, nwords);
848 assert((condition & (condition - 1)) == 0);
849 assert(sizeof(BN_ULONG) >= sizeof(int));
851 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
853 t = (a->top ^ b->top) & condition;
857 #define BN_CONSTTIME_SWAP(ind) \
859 t = (a->d[ind] ^ b->d[ind]) & condition; \
866 for (i = 10; i < nwords; i++)
867 BN_CONSTTIME_SWAP(i);
870 BN_CONSTTIME_SWAP(9); /* Fallthrough */
872 BN_CONSTTIME_SWAP(8); /* Fallthrough */
874 BN_CONSTTIME_SWAP(7); /* Fallthrough */
876 BN_CONSTTIME_SWAP(6); /* Fallthrough */
878 BN_CONSTTIME_SWAP(5); /* Fallthrough */
880 BN_CONSTTIME_SWAP(4); /* Fallthrough */
882 BN_CONSTTIME_SWAP(3); /* Fallthrough */
884 BN_CONSTTIME_SWAP(2); /* Fallthrough */
886 BN_CONSTTIME_SWAP(1); /* Fallthrough */
888 BN_CONSTTIME_SWAP(0);
890 #undef BN_CONSTTIME_SWAP