2 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bn.h>
11 #include "internal/cryptlib.h"
14 /* The old slow way */
16 int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
26 BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
30 if (BN_ucmp(m, d) < 0) {
32 if (BN_copy(rem, m) == NULL)
45 rem = BN_CTX_get(ctx);
46 if (D == NULL || dv == NULL || rem == NULL)
51 if (BN_copy(D, d) == NULL)
53 if (BN_copy(rem, m) == NULL)
57 * The next 2 are needed so we can do a dv->d[0]|=1 later since
58 * BN_lshift1 will only work once there is a value :-)
61 if (bn_wexpand(dv, 1) == NULL)
65 if (!BN_lshift(D, D, nm - nd))
67 for (i = nm - nd; i >= 0; i--) {
68 if (!BN_lshift1(dv, dv))
70 if (BN_ucmp(rem, D) >= 0) {
72 if (!BN_usub(rem, rem, D))
75 /* CAN IMPROVE (and have now :=) */
76 if (!BN_rshift1(D, D))
79 rem->neg = BN_is_zero(rem) ? 0 : m->neg;
80 dv->neg = m->neg ^ d->neg;
89 # if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
90 && !defined(PEDANTIC) && !defined(BN_DIV3W)
91 # if defined(__GNUC__) && __GNUC__>=2
92 # if defined(__i386) || defined (__i386__)
94 * There were two reasons for implementing this template:
95 * - GNU C generates a call to a function (__udivdi3 to be exact)
96 * in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
98 * - divl doesn't only calculate quotient, but also leaves
99 * remainder in %edx which we can definitely use here:-)
102 # define bn_div_words(n0,n1,d0) \
105 : "=a"(q), "=d"(rem) \
106 : "a"(n1), "d"(n0), "r"(d0) \
110 # define REMAINDER_IS_ALREADY_CALCULATED
111 # elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
113 * Same story here, but it's 128-bit by 64-bit division. Wow!
116 # define bn_div_words(n0,n1,d0) \
119 : "=a"(q), "=d"(rem) \
120 : "a"(n1), "d"(n0), "r"(d0) \
124 # define REMAINDER_IS_ALREADY_CALCULATED
125 # endif /* __<cpu> */
126 # endif /* __GNUC__ */
127 # endif /* OPENSSL_NO_ASM */
130 * BN_div computes dv := num / divisor, rounding towards
131 * zero, and sets up rm such that dv*divisor + rm = num holds.
133 * dv->neg == num->neg ^ divisor->neg (unless the result is zero)
134 * rm->neg == num->neg (unless the remainder is zero)
135 * If 'dv' or 'rm' is NULL, the respective value is not returned.
137 int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
140 int norm_shift, i, loop;
141 BIGNUM *tmp, wnum, *snum, *sdiv, *res;
142 BN_ULONG *resp, *wnump;
148 * Invalid zero-padding would have particularly bad consequences so don't
149 * just rely on bn_check_top() here (bn_check_top() works only for
152 if ((num->top > 0 && num->d[num->top - 1] == 0) ||
153 (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
154 BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
159 bn_check_top(divisor);
161 if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
162 || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
168 /*- bn_check_top(num); *//*
169 * 'num' has been checked already
171 /*- bn_check_top(divisor); *//*
172 * 'divisor' has been checked already
175 if (BN_is_zero(divisor)) {
176 BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
180 if (!no_branch && BN_ucmp(num, divisor) < 0) {
182 if (BN_copy(rm, num) == NULL)
191 res = (dv == NULL) ? BN_CTX_get(ctx) : dv;
192 tmp = BN_CTX_get(ctx);
193 snum = BN_CTX_get(ctx);
194 sdiv = BN_CTX_get(ctx);
198 /* First we normalise the numbers */
199 norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
200 if (!(BN_lshift(sdiv, divisor, norm_shift)))
203 norm_shift += BN_BITS2;
204 if (!(BN_lshift(snum, num, norm_shift)))
210 * Since we don't know whether snum is larger than sdiv, we pad snum
211 * with enough zeroes without changing its value.
213 if (snum->top <= sdiv->top + 1) {
214 if (bn_wexpand(snum, sdiv->top + 2) == NULL)
216 for (i = snum->top; i < sdiv->top + 2; i++)
218 snum->top = sdiv->top + 2;
220 if (bn_wexpand(snum, snum->top + 1) == NULL)
222 snum->d[snum->top] = 0;
229 loop = num_n - div_n;
231 * Lets setup a 'window' into snum This is the part that corresponds to
232 * the current 'area' being divided
235 wnum.d = &(snum->d[loop]);
237 wnum.flags = BN_FLG_STATIC_DATA;
239 * only needed when BN_ucmp messes up the values between top and max
241 wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
243 /* Get the top 2 words of sdiv */
244 /* div_n=sdiv->top; */
245 d0 = sdiv->d[div_n - 1];
246 d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
248 /* pointer to the 'top' of snum */
249 wnump = &(snum->d[num_n - 1]);
252 if (!bn_wexpand(res, (loop + 1)))
254 res->neg = (num->neg ^ divisor->neg);
255 res->top = loop - no_branch;
256 resp = &(res->d[loop - 1]);
259 if (!bn_wexpand(tmp, (div_n + 1)))
263 if (BN_ucmp(&wnum, sdiv) >= 0) {
265 * If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
266 * the const bignum arguments => clean the values between top and
269 bn_clear_top2max(&wnum);
270 bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
276 /* Increase the resp pointer so that we never create an invalid pointer. */
280 * if res->top == 0 then clear the neg value otherwise decrease the resp
288 for (i = 0; i < loop - 1; i++, wnump--) {
291 * the first part of the loop uses the top two words of snum and sdiv
292 * to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
294 # if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
295 BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
296 q = bn_div_3_words(wnump, d1, d0);
298 BN_ULONG n0, n1, rem = 0;
309 # if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
310 q = (BN_ULONG)(((((BN_ULLONG) n0) << BN_BITS2) | n1) / d0);
312 q = bn_div_words(n0, n1, d0);
315 # ifndef REMAINDER_IS_ALREADY_CALCULATED
317 * rem doesn't have to be BN_ULLONG. The least we
318 * know it's less that d0, isn't it?
320 rem = (n1 - q * d0) & BN_MASK2;
322 t2 = (BN_ULLONG) d1 *q;
325 if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
330 break; /* don't let rem overflow */
333 # else /* !BN_LLONG */
336 q = bn_div_words(n0, n1, d0);
337 # ifndef REMAINDER_IS_ALREADY_CALCULATED
338 rem = (n1 - q * d0) & BN_MASK2;
341 # if defined(BN_UMULT_LOHI)
342 BN_UMULT_LOHI(t2l, t2h, d1, q);
343 # elif defined(BN_UMULT_HIGH)
345 t2h = BN_UMULT_HIGH(d1, q);
353 mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
358 if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
363 break; /* don't let rem overflow */
368 # endif /* !BN_LLONG */
370 # endif /* !BN_DIV3W */
372 l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
376 * ingore top values of the bignums just sub the two BN_ULONG arrays
379 if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
381 * Note: As we have considered only the leading two BN_ULONGs in
382 * the calculation of q, sdiv * q might be greater than wnum (but
383 * then (q-1) * sdiv is less or equal than wnum)
386 if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
388 * we can't have an overflow here (assuming that q != 0, but
389 * if q == 0 then tmp is zero anyway)
393 /* store part of the result */
397 bn_correct_top(snum);
400 * Keep a copy of the neg flag in num because if rm==num BN_rshift()
404 BN_rshift(rm, snum, norm_shift);