1 /* crypto/bn/bn_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
60 # undef NDEBUG /* avoid conflicting definitions */
71 const char BN_version[]="Big Number" OPENSSL_VERSION_PTEXT;
73 /* This stuff appears to be completely unused, so is deprecated */
74 #ifndef OPENSSL_NO_DEPRECATED
75 /* For a 32 bit machine
84 static int bn_limit_bits=0;
85 static int bn_limit_num=8; /* (1<<bn_limit_bits) */
86 static int bn_limit_bits_low=0;
87 static int bn_limit_num_low=8; /* (1<<bn_limit_bits_low) */
88 static int bn_limit_bits_high=0;
89 static int bn_limit_num_high=8; /* (1<<bn_limit_bits_high) */
90 static int bn_limit_bits_mont=0;
91 static int bn_limit_num_mont=8; /* (1<<bn_limit_bits_mont) */
93 void BN_set_params(int mult, int high, int low, int mont)
97 if (mult > (int)(sizeof(int)*8)-1)
100 bn_limit_num=1<<mult;
104 if (high > (int)(sizeof(int)*8)-1)
105 high=sizeof(int)*8-1;
106 bn_limit_bits_high=high;
107 bn_limit_num_high=1<<high;
111 if (low > (int)(sizeof(int)*8)-1)
113 bn_limit_bits_low=low;
114 bn_limit_num_low=1<<low;
118 if (mont > (int)(sizeof(int)*8)-1)
119 mont=sizeof(int)*8-1;
120 bn_limit_bits_mont=mont;
121 bn_limit_num_mont=1<<mont;
125 int BN_get_params(int which)
127 if (which == 0) return(bn_limit_bits);
128 else if (which == 1) return(bn_limit_bits_high);
129 else if (which == 2) return(bn_limit_bits_low);
130 else if (which == 3) return(bn_limit_bits_mont);
135 const BIGNUM *BN_value_one(void)
137 static const BN_ULONG data_one=1L;
138 static const BIGNUM const_one={(BN_ULONG *)&data_one,1,1,0,BN_FLG_STATIC_DATA};
143 int BN_num_bits_word(BN_ULONG l)
145 static const unsigned char bits[256]={
146 0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4,
147 5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,
148 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
149 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
150 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
151 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
152 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
153 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
154 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
155 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
156 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
157 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
158 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
159 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
160 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
161 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
164 #if defined(SIXTY_FOUR_BIT_LONG)
165 if (l & 0xffffffff00000000L)
167 if (l & 0xffff000000000000L)
169 if (l & 0xff00000000000000L)
171 return(bits[(int)(l>>56)]+56);
173 else return(bits[(int)(l>>48)]+48);
177 if (l & 0x0000ff0000000000L)
179 return(bits[(int)(l>>40)]+40);
181 else return(bits[(int)(l>>32)]+32);
186 #ifdef SIXTY_FOUR_BIT
187 if (l & 0xffffffff00000000LL)
189 if (l & 0xffff000000000000LL)
191 if (l & 0xff00000000000000LL)
193 return(bits[(int)(l>>56)]+56);
195 else return(bits[(int)(l>>48)]+48);
199 if (l & 0x0000ff0000000000LL)
201 return(bits[(int)(l>>40)]+40);
203 else return(bits[(int)(l>>32)]+32);
210 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
214 return(bits[(int)(l>>24L)]+24);
215 else return(bits[(int)(l>>16L)]+16);
220 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
222 return(bits[(int)(l>>8)]+8);
225 return(bits[(int)(l )] );
230 int BN_num_bits(const BIGNUM *a)
235 if (BN_is_zero(a)) return 0;
236 return ((i*BN_BITS2) + BN_num_bits_word(a->d[i]));
239 void BN_clear_free(BIGNUM *a)
243 if (a == NULL) return;
247 OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0]));
248 if (!(BN_get_flags(a,BN_FLG_STATIC_DATA)))
251 i=BN_get_flags(a,BN_FLG_MALLOCED);
252 OPENSSL_cleanse(a,sizeof(BIGNUM));
257 void BN_free(BIGNUM *a)
259 if (a == NULL) return;
261 if ((a->d != NULL) && !(BN_get_flags(a,BN_FLG_STATIC_DATA)))
263 if (a->flags & BN_FLG_MALLOCED)
267 #ifndef OPENSSL_NO_DEPRECATED
268 a->flags|=BN_FLG_FREE;
274 void BN_init(BIGNUM *a)
276 memset(a,0,sizeof(BIGNUM));
284 if ((ret=(BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL)
286 BNerr(BN_F_BN_NEW,ERR_R_MALLOC_FAILURE);
289 ret->flags=BN_FLG_MALLOCED;
298 /* This is used both by bn_expand2() and bn_dup_expand() */
299 /* The caller MUST check that words > b->dmax before calling this */
300 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
302 BN_ULONG *A,*a = NULL;
308 if (words > (INT_MAX/(4*BN_BITS2)))
310 BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_BIGNUM_TOO_LONG);
313 if (BN_get_flags(b,BN_FLG_STATIC_DATA))
315 BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
318 a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*words);
321 BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE);
325 /* Valgrind complains in BN_consttime_swap because we process the whole
326 * array even if it's not initialised yet. This doesn't matter in that
327 * function - what's important is constant time operation (we're not
328 * actually going to use the data)
330 memset(a, 0, sizeof(BN_ULONG)*words);
335 /* Check if the previous number needs to be copied */
338 for (i=b->top>>2; i>0; i--,A+=4,B+=4)
341 * The fact that the loop is unrolled
342 * 4-wise is a tribute to Intel. It's
343 * the one that doesn't have enough
344 * registers to accomodate more data.
345 * I'd unroll it 8-wise otherwise:-)
347 * <appro@fy.chalmers.se>
349 BN_ULONG a0,a1,a2,a3;
350 a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
351 A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
358 case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does
359 * the switch table by doing a=top&3; a--; goto jump_table[a];
360 * which fails for top== 0 */
366 memset(A,0,sizeof(BN_ULONG)*words);
367 memcpy(A,b->d,sizeof(b->d[0])*b->top);
373 /* This is an internal function that should not be used in applications.
374 * It ensures that 'b' has enough room for a 'words' word number
375 * and initialises any unused part of b->d with leading zeros.
376 * It is mostly used by the various BIGNUM routines. If there is an error,
377 * NULL is returned. If not, 'b' is returned. */
379 BIGNUM *bn_expand2(BIGNUM *b, int words)
385 BN_ULONG *a = bn_expand_internal(b, words);
387 if(b->d) OPENSSL_free(b->d);
392 /* None of this should be necessary because of what b->top means! */
394 /* NB: bn_wexpand() calls this only if the BIGNUM really has to grow */
395 if (b->top < b->dmax)
398 BN_ULONG *A = &(b->d[b->top]);
399 for (i=(b->dmax - b->top)>>3; i>0; i--,A+=8)
401 A[0]=0; A[1]=0; A[2]=0; A[3]=0;
402 A[4]=0; A[5]=0; A[6]=0; A[7]=0;
404 for (i=(b->dmax - b->top)&7; i>0; i--,A++)
406 assert(A == &(b->d[b->dmax]));
413 BIGNUM *BN_dup(const BIGNUM *a)
417 if (a == NULL) return NULL;
421 if (t == NULL) return NULL;
431 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
439 if (a == b) return(a);
440 if (bn_wexpand(a,b->top) == NULL) return(NULL);
445 for (i=b->top>>2; i>0; i--,A+=4,B+=4)
447 BN_ULONG a0,a1,a2,a3;
448 a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
449 A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
456 case 0: ; /* ultrix cc workaround, see comments in bn_expand_internal */
459 memcpy(a->d,b->d,sizeof(b->d[0])*b->top);
468 void BN_swap(BIGNUM *a, BIGNUM *b)
470 int flags_old_a, flags_old_b;
472 int tmp_top, tmp_dmax, tmp_neg;
477 flags_old_a = a->flags;
478 flags_old_b = b->flags;
495 a->flags = (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
496 b->flags = (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
501 void BN_clear(BIGNUM *a)
505 memset(a->d,0,a->dmax*sizeof(a->d[0]));
510 BN_ULONG BN_get_word(const BIGNUM *a)
514 else if (a->top == 1)
520 int BN_set_word(BIGNUM *a, BN_ULONG w)
523 if (bn_expand(a,(int)sizeof(BN_ULONG)*8) == NULL) return(0);
526 a->top = (w ? 1 : 0);
531 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
540 if (ret == NULL) return(NULL);
549 i=((n-1)/BN_BYTES)+1;
550 m=((n-1)%(BN_BYTES));
551 if (bn_wexpand(ret, (int)i) == NULL)
568 /* need to call this due to clear byte at top if avoiding
569 * having the top bit set (-ve number) */
574 /* ignore negative */
575 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
585 *(to++)=(unsigned char)(l>>(8*(i%BN_BYTES)))&0xff;
590 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
593 BN_ULONG t1,t2,*ap,*bp;
599 if (i != 0) return(i);
602 for (i=a->top-1; i>=0; i--)
607 return((t1 > t2) ? 1 : -1);
612 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
618 if ((a == NULL) || (b == NULL))
631 if (a->neg != b->neg)
639 else { gt= -1; lt=1; }
641 if (a->top > b->top) return(gt);
642 if (a->top < b->top) return(lt);
643 for (i=a->top-1; i>=0; i--)
647 if (t1 > t2) return(gt);
648 if (t1 < t2) return(lt);
653 int BN_set_bit(BIGNUM *a, int n)
664 if (bn_wexpand(a,i+1) == NULL) return(0);
665 for(k=a->top; k<i+1; k++)
670 a->d[i]|=(((BN_ULONG)1)<<j);
675 int BN_clear_bit(BIGNUM *a, int n)
684 if (a->top <= i) return(0);
686 a->d[i]&=(~(((BN_ULONG)1)<<j));
691 int BN_is_bit_set(const BIGNUM *a, int n)
699 if (a->top <= i) return 0;
700 return (int)(((a->d[i])>>j)&((BN_ULONG)1));
703 int BN_mask_bits(BIGNUM *a, int n)
712 if (w >= a->top) return 0;
718 a->d[w]&= ~(BN_MASK2<<b);
724 void BN_set_negative(BIGNUM *a, int b)
726 if (b && !BN_is_zero(a))
732 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
739 if (aa != bb) return((aa > bb)?1:-1);
740 for (i=n-2; i>=0; i--)
744 if (aa != bb) return((aa > bb)?1:-1);
749 /* Here follows a specialised variants of bn_cmp_words(). It has the
750 property of performing the operation on arrays of different sizes.
751 The sizes of those arrays is expressed through cl, which is the
752 common length ( basicall, min(len(a),len(b)) ), and dl, which is the
753 delta between the two lengths, calculated as len(a)-len(b).
754 All lengths are the number of BN_ULONGs... */
756 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
767 return -1; /* a < b */
775 return 1; /* a > b */
778 return bn_cmp_words(a,b,cl);
782 * Constant-time conditional swap of a and b.
783 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
784 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
785 * and that no more than nwords are used by either a or b.
786 * a and b cannot be the same number
788 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
793 bn_wcheck_size(a, nwords);
794 bn_wcheck_size(b, nwords);
797 assert((condition & (condition - 1)) == 0);
798 assert(sizeof(BN_ULONG) >= sizeof(int));
800 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
802 t = (a->top^b->top) & condition;
806 #define BN_CONSTTIME_SWAP(ind) \
808 t = (a->d[ind] ^ b->d[ind]) & condition; \
816 for (i = 10; i < nwords; i++)
817 BN_CONSTTIME_SWAP(i);
819 case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
820 case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
821 case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
822 case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
823 case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
824 case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
825 case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
826 case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
827 case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
828 case 1: BN_CONSTTIME_SWAP(0);
830 #undef BN_CONSTTIME_SWAP
833 /* Bits of security, see SP800-57 */
835 int BN_security_bits(int L, int N)
855 return bits >= secbits ? secbits : bits;
859 void BN_zero_ex(BIGNUM *a)
865 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
867 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
870 int BN_is_zero(const BIGNUM *a)
875 int BN_is_one(const BIGNUM *a)
877 return BN_abs_is_word(a, 1) && !a->neg;
880 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
882 return BN_abs_is_word(a, w) && (!w || !a->neg);
885 int BN_is_odd(const BIGNUM *a)
887 return (a->top > 0) && (a->d[0] & 1);
890 int BN_is_negative(const BIGNUM *a)
892 return (a->neg != 0);
895 int BN_to_montgomery(BIGNUM *r,const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx)
897 return BN_mod_mul_montgomery(r,a,&(mont->RR),mont,ctx);
900 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int n)
906 dest->flags=((dest->flags & BN_FLG_MALLOCED)
907 | (b->flags & ~BN_FLG_MALLOCED)
912 BN_GENCB *BN_GENCB_new(void)
916 if ((ret=(BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB))) == NULL)
918 BNerr(BN_F_BN_GENCB_NEW,ERR_R_MALLOC_FAILURE);
925 void BN_GENCB_free(BN_GENCB *cb)
927 if (cb == NULL) return;
931 void BN_set_flags(BIGNUM *b, int n)
936 int BN_get_flags(const BIGNUM *b, int n)
941 /* Populate a BN_GENCB structure with an "old"-style callback */
942 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback)(int, int, void *), void *cb_arg)
944 BN_GENCB *tmp_gencb = gencb;
946 tmp_gencb->arg = cb_arg;
947 tmp_gencb->cb.cb_1 = callback;
950 /* Populate a BN_GENCB structure with a "new"-style callback */
951 void BN_GENCB_set(BN_GENCB *gencb, int (*callback)(int, int, BN_GENCB *), void *cb_arg)
953 BN_GENCB *tmp_gencb = gencb;
955 tmp_gencb->arg = cb_arg;
956 tmp_gencb->cb.cb_2 = callback;
959 void *BN_GENCB_get_arg(BN_GENCB *cb)
965 BIGNUM *bn_wexpand(BIGNUM *a, int words)
967 return (words <= a->dmax)?a:bn_expand2(a,words);
970 void bn_correct_top(BIGNUM *a)
973 int tmp_top = a->top;
977 for (ftl= &(a->d[tmp_top-1]); tmp_top > 0; tmp_top--)