1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
59 # undef NDEBUG /* avoid conflicting definitions */
64 #include <openssl/crypto.h>
65 #include "internal/cryptlib.h"
68 #if defined(BN_LLONG) || defined(BN_UMULT_HIGH)
70 BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
79 # ifndef OPENSSL_SMALL_FOOTPRINT
81 mul_add(rp[0], ap[0], w, c1);
82 mul_add(rp[1], ap[1], w, c1);
83 mul_add(rp[2], ap[2], w, c1);
84 mul_add(rp[3], ap[3], w, c1);
91 mul_add(rp[0], ap[0], w, c1);
100 BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w)
108 # ifndef OPENSSL_SMALL_FOOTPRINT
110 mul(rp[0], ap[0], w, c1);
111 mul(rp[1], ap[1], w, c1);
112 mul(rp[2], ap[2], w, c1);
113 mul(rp[3], ap[3], w, c1);
120 mul(rp[0], ap[0], w, c1);
128 void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n)
134 # ifndef OPENSSL_SMALL_FOOTPRINT
136 sqr(r[0], r[1], a[0]);
137 sqr(r[2], r[3], a[1]);
138 sqr(r[4], r[5], a[2]);
139 sqr(r[6], r[7], a[3]);
146 sqr(r[0], r[1], a[0]);
153 #else /* !(defined(BN_LLONG) ||
154 * defined(BN_UMULT_HIGH)) */
156 BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
164 return ((BN_ULONG)0);
169 # ifndef OPENSSL_SMALL_FOOTPRINT
171 mul_add(rp[0], ap[0], bl, bh, c);
172 mul_add(rp[1], ap[1], bl, bh, c);
173 mul_add(rp[2], ap[2], bl, bh, c);
174 mul_add(rp[3], ap[3], bl, bh, c);
181 mul_add(rp[0], ap[0], bl, bh, c);
189 BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w)
196 return ((BN_ULONG)0);
201 # ifndef OPENSSL_SMALL_FOOTPRINT
203 mul(rp[0], ap[0], bl, bh, carry);
204 mul(rp[1], ap[1], bl, bh, carry);
205 mul(rp[2], ap[2], bl, bh, carry);
206 mul(rp[3], ap[3], bl, bh, carry);
213 mul(rp[0], ap[0], bl, bh, carry);
221 void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n)
227 # ifndef OPENSSL_SMALL_FOOTPRINT
229 sqr64(r[0], r[1], a[0]);
230 sqr64(r[2], r[3], a[1]);
231 sqr64(r[4], r[5], a[2]);
232 sqr64(r[6], r[7], a[3]);
239 sqr64(r[0], r[1], a[0]);
246 #endif /* !(defined(BN_LLONG) ||
247 * defined(BN_UMULT_HIGH)) */
249 #if defined(BN_LLONG) && defined(BN_DIV2W)
251 BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
253 return ((BN_ULONG)(((((BN_ULLONG) h) << BN_BITS2) | l) / (BN_ULLONG) d));
258 /* Divide h,l by d and return the result. */
259 /* I need to test this some more :-( */
260 BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
262 BN_ULONG dh, dl, q, ret = 0, th, tl, t;
268 i = BN_num_bits_word(d);
269 assert((i == BN_BITS2) || (h <= (BN_ULONG)1 << i));
277 h = (h << i) | (l >> (BN_BITS2 - i));
280 dh = (d & BN_MASK2h) >> BN_BITS4;
281 dl = (d & BN_MASK2l);
283 if ((h >> BN_BITS4) == dh)
292 if ((t & BN_MASK2h) ||
293 ((tl) <= ((t << BN_BITS4) | ((l & BN_MASK2h) >> BN_BITS4))))
299 t = (tl >> BN_BITS4);
300 tl = (tl << BN_BITS4) & BN_MASK2h;
316 h = ((h << BN_BITS4) | (l >> BN_BITS4)) & BN_MASK2;
317 l = (l & BN_MASK2l) << BN_BITS4;
322 #endif /* !defined(BN_LLONG) && defined(BN_DIV2W) */
325 BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
332 return ((BN_ULONG)0);
334 # ifndef OPENSSL_SMALL_FOOTPRINT
336 ll += (BN_ULLONG) a[0] + b[0];
337 r[0] = (BN_ULONG)ll & BN_MASK2;
339 ll += (BN_ULLONG) a[1] + b[1];
340 r[1] = (BN_ULONG)ll & BN_MASK2;
342 ll += (BN_ULLONG) a[2] + b[2];
343 r[2] = (BN_ULONG)ll & BN_MASK2;
345 ll += (BN_ULLONG) a[3] + b[3];
346 r[3] = (BN_ULONG)ll & BN_MASK2;
355 ll += (BN_ULLONG) a[0] + b[0];
356 r[0] = (BN_ULONG)ll & BN_MASK2;
363 return ((BN_ULONG)ll);
365 #else /* !BN_LLONG */
366 BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
373 return ((BN_ULONG)0);
376 # ifndef OPENSSL_SMALL_FOOTPRINT
379 t = (t + c) & BN_MASK2;
381 l = (t + b[0]) & BN_MASK2;
385 t = (t + c) & BN_MASK2;
387 l = (t + b[1]) & BN_MASK2;
391 t = (t + c) & BN_MASK2;
393 l = (t + b[2]) & BN_MASK2;
397 t = (t + c) & BN_MASK2;
399 l = (t + b[3]) & BN_MASK2;
410 t = (t + c) & BN_MASK2;
412 l = (t + b[0]) & BN_MASK2;
420 return ((BN_ULONG)c);
422 #endif /* !BN_LLONG */
424 BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
432 return ((BN_ULONG)0);
434 #ifndef OPENSSL_SMALL_FOOTPRINT
438 r[0] = (t1 - t2 - c) & BN_MASK2;
443 r[1] = (t1 - t2 - c) & BN_MASK2;
448 r[2] = (t1 - t2 - c) & BN_MASK2;
453 r[3] = (t1 - t2 - c) & BN_MASK2;
465 r[0] = (t1 - t2 - c) & BN_MASK2;
476 #if defined(BN_MUL_COMBA) && !defined(OPENSSL_SMALL_FOOTPRINT)
478 # undef bn_mul_comba8
479 # undef bn_mul_comba4
480 # undef bn_sqr_comba8
481 # undef bn_sqr_comba4
483 /* mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) */
484 /* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
485 /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
487 * sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number
493 * Keep in mind that additions to multiplication result can not
494 * overflow, because its high half cannot be all-ones.
496 # define mul_add_c(a,b,c0,c1,c2) do { \
498 BN_ULLONG t = (BN_ULLONG)(a)*(b); \
499 t += c0; /* no carry */ \
500 c0 = (BN_ULONG)Lw(t); \
501 hi = (BN_ULONG)Hw(t); \
502 c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
505 # define mul_add_c2(a,b,c0,c1,c2) do { \
507 BN_ULLONG t = (BN_ULLONG)(a)*(b); \
508 BN_ULLONG tt = t+c0; /* no carry */ \
509 c0 = (BN_ULONG)Lw(tt); \
510 hi = (BN_ULONG)Hw(tt); \
511 c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
512 t += c0; /* no carry */ \
513 c0 = (BN_ULONG)Lw(t); \
514 hi = (BN_ULONG)Hw(t); \
515 c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
518 # define sqr_add_c(a,i,c0,c1,c2) do { \
520 BN_ULLONG t = (BN_ULLONG)a[i]*a[i]; \
521 t += c0; /* no carry */ \
522 c0 = (BN_ULONG)Lw(t); \
523 hi = (BN_ULONG)Hw(t); \
524 c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
527 # define sqr_add_c2(a,i,j,c0,c1,c2) \
528 mul_add_c2((a)[i],(a)[j],c0,c1,c2)
530 # elif defined(BN_UMULT_LOHI)
532 * Keep in mind that additions to hi can not overflow, because
533 * the high word of a multiplication result cannot be all-ones.
535 # define mul_add_c(a,b,c0,c1,c2) do { \
536 BN_ULONG ta = (a), tb = (b); \
538 BN_UMULT_LOHI(lo,hi,ta,tb); \
539 c0 += lo; hi += (c0<lo)?1:0; \
540 c1 += hi; c2 += (c1<hi)?1:0; \
543 # define mul_add_c2(a,b,c0,c1,c2) do { \
544 BN_ULONG ta = (a), tb = (b); \
545 BN_ULONG lo, hi, tt; \
546 BN_UMULT_LOHI(lo,hi,ta,tb); \
547 c0 += lo; tt = hi+((c0<lo)?1:0); \
548 c1 += tt; c2 += (c1<tt)?1:0; \
549 c0 += lo; hi += (c0<lo)?1:0; \
550 c1 += hi; c2 += (c1<hi)?1:0; \
553 # define sqr_add_c(a,i,c0,c1,c2) do { \
554 BN_ULONG ta = (a)[i]; \
556 BN_UMULT_LOHI(lo,hi,ta,ta); \
557 c0 += lo; hi += (c0<lo)?1:0; \
558 c1 += hi; c2 += (c1<hi)?1:0; \
561 # define sqr_add_c2(a,i,j,c0,c1,c2) \
562 mul_add_c2((a)[i],(a)[j],c0,c1,c2)
564 # elif defined(BN_UMULT_HIGH)
566 * Keep in mind that additions to hi can not overflow, because
567 * the high word of a multiplication result cannot be all-ones.
569 # define mul_add_c(a,b,c0,c1,c2) do { \
570 BN_ULONG ta = (a), tb = (b); \
571 BN_ULONG lo = ta * tb; \
572 BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \
573 c0 += lo; hi += (c0<lo)?1:0; \
574 c1 += hi; c2 += (c1<hi)?1:0; \
577 # define mul_add_c2(a,b,c0,c1,c2) do { \
578 BN_ULONG ta = (a), tb = (b), tt; \
579 BN_ULONG lo = ta * tb; \
580 BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \
581 c0 += lo; tt = hi + ((c0<lo)?1:0); \
582 c1 += tt; c2 += (c1<tt)?1:0; \
583 c0 += lo; hi += (c0<lo)?1:0; \
584 c1 += hi; c2 += (c1<hi)?1:0; \
587 # define sqr_add_c(a,i,c0,c1,c2) do { \
588 BN_ULONG ta = (a)[i]; \
589 BN_ULONG lo = ta * ta; \
590 BN_ULONG hi = BN_UMULT_HIGH(ta,ta); \
591 c0 += lo; hi += (c0<lo)?1:0; \
592 c1 += hi; c2 += (c1<hi)?1:0; \
595 # define sqr_add_c2(a,i,j,c0,c1,c2) \
596 mul_add_c2((a)[i],(a)[j],c0,c1,c2)
598 # else /* !BN_LLONG */
600 * Keep in mind that additions to hi can not overflow, because
601 * the high word of a multiplication result cannot be all-ones.
603 # define mul_add_c(a,b,c0,c1,c2) do { \
604 BN_ULONG lo = LBITS(a), hi = HBITS(a); \
605 BN_ULONG bl = LBITS(b), bh = HBITS(b); \
606 mul64(lo,hi,bl,bh); \
607 c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
608 c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
611 # define mul_add_c2(a,b,c0,c1,c2) do { \
613 BN_ULONG lo = LBITS(a), hi = HBITS(a); \
614 BN_ULONG bl = LBITS(b), bh = HBITS(b); \
615 mul64(lo,hi,bl,bh); \
617 c0 = (c0+lo)&BN_MASK2; if (c0<lo) tt++; \
618 c1 = (c1+tt)&BN_MASK2; if (c1<tt) c2++; \
619 c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
620 c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
623 # define sqr_add_c(a,i,c0,c1,c2) do { \
625 sqr64(lo,hi,(a)[i]); \
626 c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
627 c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
630 # define sqr_add_c2(a,i,j,c0,c1,c2) \
631 mul_add_c2((a)[i],(a)[j],c0,c1,c2)
632 # endif /* !BN_LLONG */
634 void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
641 mul_add_c(a[0], b[0], c1, c2, c3);
644 mul_add_c(a[0], b[1], c2, c3, c1);
645 mul_add_c(a[1], b[0], c2, c3, c1);
648 mul_add_c(a[2], b[0], c3, c1, c2);
649 mul_add_c(a[1], b[1], c3, c1, c2);
650 mul_add_c(a[0], b[2], c3, c1, c2);
653 mul_add_c(a[0], b[3], c1, c2, c3);
654 mul_add_c(a[1], b[2], c1, c2, c3);
655 mul_add_c(a[2], b[1], c1, c2, c3);
656 mul_add_c(a[3], b[0], c1, c2, c3);
659 mul_add_c(a[4], b[0], c2, c3, c1);
660 mul_add_c(a[3], b[1], c2, c3, c1);
661 mul_add_c(a[2], b[2], c2, c3, c1);
662 mul_add_c(a[1], b[3], c2, c3, c1);
663 mul_add_c(a[0], b[4], c2, c3, c1);
666 mul_add_c(a[0], b[5], c3, c1, c2);
667 mul_add_c(a[1], b[4], c3, c1, c2);
668 mul_add_c(a[2], b[3], c3, c1, c2);
669 mul_add_c(a[3], b[2], c3, c1, c2);
670 mul_add_c(a[4], b[1], c3, c1, c2);
671 mul_add_c(a[5], b[0], c3, c1, c2);
674 mul_add_c(a[6], b[0], c1, c2, c3);
675 mul_add_c(a[5], b[1], c1, c2, c3);
676 mul_add_c(a[4], b[2], c1, c2, c3);
677 mul_add_c(a[3], b[3], c1, c2, c3);
678 mul_add_c(a[2], b[4], c1, c2, c3);
679 mul_add_c(a[1], b[5], c1, c2, c3);
680 mul_add_c(a[0], b[6], c1, c2, c3);
683 mul_add_c(a[0], b[7], c2, c3, c1);
684 mul_add_c(a[1], b[6], c2, c3, c1);
685 mul_add_c(a[2], b[5], c2, c3, c1);
686 mul_add_c(a[3], b[4], c2, c3, c1);
687 mul_add_c(a[4], b[3], c2, c3, c1);
688 mul_add_c(a[5], b[2], c2, c3, c1);
689 mul_add_c(a[6], b[1], c2, c3, c1);
690 mul_add_c(a[7], b[0], c2, c3, c1);
693 mul_add_c(a[7], b[1], c3, c1, c2);
694 mul_add_c(a[6], b[2], c3, c1, c2);
695 mul_add_c(a[5], b[3], c3, c1, c2);
696 mul_add_c(a[4], b[4], c3, c1, c2);
697 mul_add_c(a[3], b[5], c3, c1, c2);
698 mul_add_c(a[2], b[6], c3, c1, c2);
699 mul_add_c(a[1], b[7], c3, c1, c2);
702 mul_add_c(a[2], b[7], c1, c2, c3);
703 mul_add_c(a[3], b[6], c1, c2, c3);
704 mul_add_c(a[4], b[5], c1, c2, c3);
705 mul_add_c(a[5], b[4], c1, c2, c3);
706 mul_add_c(a[6], b[3], c1, c2, c3);
707 mul_add_c(a[7], b[2], c1, c2, c3);
710 mul_add_c(a[7], b[3], c2, c3, c1);
711 mul_add_c(a[6], b[4], c2, c3, c1);
712 mul_add_c(a[5], b[5], c2, c3, c1);
713 mul_add_c(a[4], b[6], c2, c3, c1);
714 mul_add_c(a[3], b[7], c2, c3, c1);
717 mul_add_c(a[4], b[7], c3, c1, c2);
718 mul_add_c(a[5], b[6], c3, c1, c2);
719 mul_add_c(a[6], b[5], c3, c1, c2);
720 mul_add_c(a[7], b[4], c3, c1, c2);
723 mul_add_c(a[7], b[5], c1, c2, c3);
724 mul_add_c(a[6], b[6], c1, c2, c3);
725 mul_add_c(a[5], b[7], c1, c2, c3);
728 mul_add_c(a[6], b[7], c2, c3, c1);
729 mul_add_c(a[7], b[6], c2, c3, c1);
732 mul_add_c(a[7], b[7], c3, c1, c2);
737 void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
744 mul_add_c(a[0], b[0], c1, c2, c3);
747 mul_add_c(a[0], b[1], c2, c3, c1);
748 mul_add_c(a[1], b[0], c2, c3, c1);
751 mul_add_c(a[2], b[0], c3, c1, c2);
752 mul_add_c(a[1], b[1], c3, c1, c2);
753 mul_add_c(a[0], b[2], c3, c1, c2);
756 mul_add_c(a[0], b[3], c1, c2, c3);
757 mul_add_c(a[1], b[2], c1, c2, c3);
758 mul_add_c(a[2], b[1], c1, c2, c3);
759 mul_add_c(a[3], b[0], c1, c2, c3);
762 mul_add_c(a[3], b[1], c2, c3, c1);
763 mul_add_c(a[2], b[2], c2, c3, c1);
764 mul_add_c(a[1], b[3], c2, c3, c1);
767 mul_add_c(a[2], b[3], c3, c1, c2);
768 mul_add_c(a[3], b[2], c3, c1, c2);
771 mul_add_c(a[3], b[3], c1, c2, c3);
776 void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a)
783 sqr_add_c(a, 0, c1, c2, c3);
786 sqr_add_c2(a, 1, 0, c2, c3, c1);
789 sqr_add_c(a, 1, c3, c1, c2);
790 sqr_add_c2(a, 2, 0, c3, c1, c2);
793 sqr_add_c2(a, 3, 0, c1, c2, c3);
794 sqr_add_c2(a, 2, 1, c1, c2, c3);
797 sqr_add_c(a, 2, c2, c3, c1);
798 sqr_add_c2(a, 3, 1, c2, c3, c1);
799 sqr_add_c2(a, 4, 0, c2, c3, c1);
802 sqr_add_c2(a, 5, 0, c3, c1, c2);
803 sqr_add_c2(a, 4, 1, c3, c1, c2);
804 sqr_add_c2(a, 3, 2, c3, c1, c2);
807 sqr_add_c(a, 3, c1, c2, c3);
808 sqr_add_c2(a, 4, 2, c1, c2, c3);
809 sqr_add_c2(a, 5, 1, c1, c2, c3);
810 sqr_add_c2(a, 6, 0, c1, c2, c3);
813 sqr_add_c2(a, 7, 0, c2, c3, c1);
814 sqr_add_c2(a, 6, 1, c2, c3, c1);
815 sqr_add_c2(a, 5, 2, c2, c3, c1);
816 sqr_add_c2(a, 4, 3, c2, c3, c1);
819 sqr_add_c(a, 4, c3, c1, c2);
820 sqr_add_c2(a, 5, 3, c3, c1, c2);
821 sqr_add_c2(a, 6, 2, c3, c1, c2);
822 sqr_add_c2(a, 7, 1, c3, c1, c2);
825 sqr_add_c2(a, 7, 2, c1, c2, c3);
826 sqr_add_c2(a, 6, 3, c1, c2, c3);
827 sqr_add_c2(a, 5, 4, c1, c2, c3);
830 sqr_add_c(a, 5, c2, c3, c1);
831 sqr_add_c2(a, 6, 4, c2, c3, c1);
832 sqr_add_c2(a, 7, 3, c2, c3, c1);
835 sqr_add_c2(a, 7, 4, c3, c1, c2);
836 sqr_add_c2(a, 6, 5, c3, c1, c2);
839 sqr_add_c(a, 6, c1, c2, c3);
840 sqr_add_c2(a, 7, 5, c1, c2, c3);
843 sqr_add_c2(a, 7, 6, c2, c3, c1);
846 sqr_add_c(a, 7, c3, c1, c2);
851 void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
858 sqr_add_c(a, 0, c1, c2, c3);
861 sqr_add_c2(a, 1, 0, c2, c3, c1);
864 sqr_add_c(a, 1, c3, c1, c2);
865 sqr_add_c2(a, 2, 0, c3, c1, c2);
868 sqr_add_c2(a, 3, 0, c1, c2, c3);
869 sqr_add_c2(a, 2, 1, c1, c2, c3);
872 sqr_add_c(a, 2, c2, c3, c1);
873 sqr_add_c2(a, 3, 1, c2, c3, c1);
876 sqr_add_c2(a, 3, 2, c3, c1, c2);
879 sqr_add_c(a, 3, c1, c2, c3);
884 # ifdef OPENSSL_NO_ASM
885 # ifdef OPENSSL_BN_ASM_MONT
888 * This is essentially reference implementation, which may or may not
889 * result in performance improvement. E.g. on IA-32 this routine was
890 * observed to give 40% faster rsa1024 private key operations and 10%
891 * faster rsa4096 ones, while on AMD64 it improves rsa1024 sign only
892 * by 10% and *worsens* rsa4096 sign by 15%. Once again, it's a
893 * reference implementation, one to be used as starting point for
894 * platform-specific assembler. Mentioned numbers apply to compiler
895 * generated code compiled with and without -DOPENSSL_BN_ASM_MONT and
896 * can vary not only from platform to platform, but even for compiler
897 * versions. Assembler vs. assembler improvement coefficients can
898 * [and are known to] differ and are to be documented elsewhere.
900 int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
901 const BN_ULONG *np, const BN_ULONG *n0p, int num)
903 BN_ULONG c0, c1, ml, *tp, n0;
907 volatile BN_ULONG *vp;
910 # if 0 /* template for platform-specific
913 return bn_sqr_mont(rp, ap, np, n0p, num);
915 vp = tp = alloca((num + 2) * sizeof(BN_ULONG));
924 for (j = 0; j < num; ++j)
925 mul(tp[j], ap[j], ml, mh, c0);
927 for (j = 0; j < num; ++j)
928 mul(tp[j], ap[j], ml, c0);
935 for (i = 0; i < num; i++) {
941 for (j = 0; j < num; ++j)
942 mul_add(tp[j], ap[j], ml, mh, c0);
944 for (j = 0; j < num; ++j)
945 mul_add(tp[j], ap[j], ml, c0);
947 c1 = (tp[num] + c0) & BN_MASK2;
949 tp[num + 1] = (c1 < c0 ? 1 : 0);
952 ml = (c1 * n0) & BN_MASK2;
957 mul_add(c1, np[0], ml, mh, c0);
959 mul_add(c1, ml, np[0], c0);
961 for (j = 1; j < num; j++) {
964 mul_add(c1, np[j], ml, mh, c0);
966 mul_add(c1, ml, np[j], c0);
968 tp[j - 1] = c1 & BN_MASK2;
970 c1 = (tp[num] + c0) & BN_MASK2;
972 tp[num] = tp[num + 1] + (c1 < c0 ? 1 : 0);
975 if (tp[num] != 0 || tp[num - 1] >= np[num - 1]) {
976 c0 = bn_sub_words(rp, tp, np, num);
977 if (tp[num] != 0 || c0 == 0) {
978 for (i = 0; i < num + 2; i++)
983 for (i = 0; i < num; i++)
984 rp[i] = tp[i], vp[i] = 0;
991 * Return value of 0 indicates that multiplication/convolution was not
992 * performed to signal the caller to fall down to alternative/original
995 int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
996 const BN_ULONG *np, const BN_ULONG *n0, int num)
1000 # endif /* OPENSSL_BN_ASM_MONT */
1003 #else /* !BN_MUL_COMBA */
1005 /* hmm... is it faster just to do a multiply? */
1006 # undef bn_sqr_comba4
1007 # undef bn_sqr_comba8
1008 void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
1011 bn_sqr_normal(r, a, 4, t);
1014 void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a)
1017 bn_sqr_normal(r, a, 8, t);
1020 void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
1022 r[4] = bn_mul_words(&(r[0]), a, 4, b[0]);
1023 r[5] = bn_mul_add_words(&(r[1]), a, 4, b[1]);
1024 r[6] = bn_mul_add_words(&(r[2]), a, 4, b[2]);
1025 r[7] = bn_mul_add_words(&(r[3]), a, 4, b[3]);
1028 void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
1030 r[8] = bn_mul_words(&(r[0]), a, 8, b[0]);
1031 r[9] = bn_mul_add_words(&(r[1]), a, 8, b[1]);
1032 r[10] = bn_mul_add_words(&(r[2]), a, 8, b[2]);
1033 r[11] = bn_mul_add_words(&(r[3]), a, 8, b[3]);
1034 r[12] = bn_mul_add_words(&(r[4]), a, 8, b[4]);
1035 r[13] = bn_mul_add_words(&(r[5]), a, 8, b[5]);
1036 r[14] = bn_mul_add_words(&(r[6]), a, 8, b[6]);
1037 r[15] = bn_mul_add_words(&(r[7]), a, 8, b[7]);
1040 # ifdef OPENSSL_NO_ASM
1041 # ifdef OPENSSL_BN_ASM_MONT
1042 # include <alloca.h>
1043 int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
1044 const BN_ULONG *np, const BN_ULONG *n0p, int num)
1046 BN_ULONG c0, c1, *tp, n0 = *n0p;
1047 volatile BN_ULONG *vp;
1050 vp = tp = alloca((num + 2) * sizeof(BN_ULONG));
1052 for (i = 0; i <= num; i++)
1055 for (i = 0; i < num; i++) {
1056 c0 = bn_mul_add_words(tp, ap, num, bp[i]);
1057 c1 = (tp[num] + c0) & BN_MASK2;
1059 tp[num + 1] = (c1 < c0 ? 1 : 0);
1061 c0 = bn_mul_add_words(tp, np, num, tp[0] * n0);
1062 c1 = (tp[num] + c0) & BN_MASK2;
1064 tp[num + 1] += (c1 < c0 ? 1 : 0);
1065 for (j = 0; j <= num; j++)
1069 if (tp[num] != 0 || tp[num - 1] >= np[num - 1]) {
1070 c0 = bn_sub_words(rp, tp, np, num);
1071 if (tp[num] != 0 || c0 == 0) {
1072 for (i = 0; i < num + 2; i++)
1077 for (i = 0; i < num; i++)
1078 rp[i] = tp[i], vp[i] = 0;
1084 int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
1085 const BN_ULONG *np, const BN_ULONG *n0, int num)
1089 # endif /* OPENSSL_BN_ASM_MONT */
1092 #endif /* !BN_MUL_COMBA */