1 /* crypto/bn/bn_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
60 # undef NDEBUG /* avoid conflicting definitions */
71 const char BN_version[]="Big Number" OPENSSL_VERSION_PTEXT;
73 /* This stuff appears to be completely unused, so is deprecated */
74 #ifndef OPENSSL_NO_DEPRECATED
76 * For a 32 bit machine
85 static int bn_limit_bits=0;
86 static int bn_limit_num=8; /* (1<<bn_limit_bits) */
87 static int bn_limit_bits_low=0;
88 static int bn_limit_num_low=8; /* (1<<bn_limit_bits_low) */
89 static int bn_limit_bits_high=0;
90 static int bn_limit_num_high=8; /* (1<<bn_limit_bits_high) */
91 static int bn_limit_bits_mont=0;
92 static int bn_limit_num_mont=8; /* (1<<bn_limit_bits_mont) */
94 void BN_set_params(int mult, int high, int low, int mont)
98 if (mult > (int)(sizeof(int)*8)-1)
101 bn_limit_num=1<<mult;
105 if (high > (int)(sizeof(int)*8)-1)
106 high=sizeof(int)*8-1;
107 bn_limit_bits_high=high;
108 bn_limit_num_high=1<<high;
112 if (low > (int)(sizeof(int)*8)-1)
114 bn_limit_bits_low=low;
115 bn_limit_num_low=1<<low;
119 if (mont > (int)(sizeof(int)*8)-1)
120 mont=sizeof(int)*8-1;
121 bn_limit_bits_mont=mont;
122 bn_limit_num_mont=1<<mont;
126 int BN_get_params(int which)
128 if (which == 0) return(bn_limit_bits);
129 else if (which == 1) return(bn_limit_bits_high);
130 else if (which == 2) return(bn_limit_bits_low);
131 else if (which == 3) return(bn_limit_bits_mont);
136 const BIGNUM *BN_value_one(void)
138 static const BN_ULONG data_one=1L;
139 static const BIGNUM const_one={(BN_ULONG *)&data_one,1,1,0,BN_FLG_STATIC_DATA};
144 int BN_num_bits_word(BN_ULONG l)
146 static const unsigned char bits[256]={
147 0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4,
148 5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,
149 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
150 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
151 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
152 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
153 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
154 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
155 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
156 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
157 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
158 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
159 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
160 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
161 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
162 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
165 #if defined(SIXTY_FOUR_BIT_LONG)
166 if (l & 0xffffffff00000000L)
168 if (l & 0xffff000000000000L)
170 if (l & 0xff00000000000000L)
172 return(bits[(int)(l>>56)]+56);
174 else return(bits[(int)(l>>48)]+48);
178 if (l & 0x0000ff0000000000L)
180 return(bits[(int)(l>>40)]+40);
182 else return(bits[(int)(l>>32)]+32);
187 #ifdef SIXTY_FOUR_BIT
188 if (l & 0xffffffff00000000LL)
190 if (l & 0xffff000000000000LL)
192 if (l & 0xff00000000000000LL)
194 return(bits[(int)(l>>56)]+56);
196 else return(bits[(int)(l>>48)]+48);
200 if (l & 0x0000ff0000000000LL)
202 return(bits[(int)(l>>40)]+40);
204 else return(bits[(int)(l>>32)]+32);
211 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
215 return(bits[(int)(l>>24L)]+24);
216 else return(bits[(int)(l>>16L)]+16);
221 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
223 return(bits[(int)(l>>8)]+8);
226 return(bits[(int)(l )] );
231 int BN_num_bits(const BIGNUM *a)
236 if (BN_is_zero(a)) return 0;
237 return ((i*BN_BITS2) + BN_num_bits_word(a->d[i]));
240 void BN_clear_free(BIGNUM *a)
244 if (a == NULL) return;
248 OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0]));
249 if (!(BN_get_flags(a,BN_FLG_STATIC_DATA)))
252 i=BN_get_flags(a,BN_FLG_MALLOCED);
253 OPENSSL_cleanse(a,sizeof(BIGNUM));
258 void BN_free(BIGNUM *a)
260 if (a == NULL) return;
262 if ((a->d != NULL) && !(BN_get_flags(a,BN_FLG_STATIC_DATA)))
264 if (a->flags & BN_FLG_MALLOCED)
268 #ifndef OPENSSL_NO_DEPRECATED
269 a->flags|=BN_FLG_FREE;
275 void BN_init(BIGNUM *a)
277 memset(a,0,sizeof(BIGNUM));
285 if ((ret=(BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL)
287 BNerr(BN_F_BN_NEW,ERR_R_MALLOC_FAILURE);
290 ret->flags=BN_FLG_MALLOCED;
299 /* This is used both by bn_expand2() and bn_dup_expand() */
300 /* The caller MUST check that words > b->dmax before calling this */
301 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
303 BN_ULONG *A,*a = NULL;
309 if (words > (INT_MAX/(4*BN_BITS2)))
311 BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_BIGNUM_TOO_LONG);
314 if (BN_get_flags(b,BN_FLG_STATIC_DATA))
316 BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
319 a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*words);
322 BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE);
326 /* Valgrind complains in BN_consttime_swap because we process the whole
327 * array even if it's not initialised yet. This doesn't matter in that
328 * function - what's important is constant time operation (we're not
329 * actually going to use the data)
331 memset(a, 0, sizeof(BN_ULONG)*words);
336 /* Check if the previous number needs to be copied */
339 for (i=b->top>>2; i>0; i--,A+=4,B+=4)
342 * The fact that the loop is unrolled
343 * 4-wise is a tribute to Intel. It's
344 * the one that doesn't have enough
345 * registers to accomodate more data.
346 * I'd unroll it 8-wise otherwise:-)
348 * <appro@fy.chalmers.se>
350 BN_ULONG a0,a1,a2,a3;
351 a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
352 A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
359 case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does
360 * the switch table by doing a=top&3; a--; goto jump_table[a];
361 * which fails for top== 0 */
367 memset(A,0,sizeof(BN_ULONG)*words);
368 memcpy(A,b->d,sizeof(b->d[0])*b->top);
374 /* This is an internal function that should not be used in applications.
375 * It ensures that 'b' has enough room for a 'words' word number
376 * and initialises any unused part of b->d with leading zeros.
377 * It is mostly used by the various BIGNUM routines. If there is an error,
378 * NULL is returned. If not, 'b' is returned. */
380 BIGNUM *bn_expand2(BIGNUM *b, int words)
386 BN_ULONG *a = bn_expand_internal(b, words);
388 if(b->d) OPENSSL_free(b->d);
393 /* None of this should be necessary because of what b->top means! */
395 /* NB: bn_wexpand() calls this only if the BIGNUM really has to grow */
396 if (b->top < b->dmax)
399 BN_ULONG *A = &(b->d[b->top]);
400 for (i=(b->dmax - b->top)>>3; i>0; i--,A+=8)
402 A[0]=0; A[1]=0; A[2]=0; A[3]=0;
403 A[4]=0; A[5]=0; A[6]=0; A[7]=0;
405 for (i=(b->dmax - b->top)&7; i>0; i--,A++)
407 assert(A == &(b->d[b->dmax]));
414 BIGNUM *BN_dup(const BIGNUM *a)
418 if (a == NULL) return NULL;
422 if (t == NULL) return NULL;
432 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
440 if (a == b) return(a);
441 if (bn_wexpand(a,b->top) == NULL) return(NULL);
446 for (i=b->top>>2; i>0; i--,A+=4,B+=4)
448 BN_ULONG a0,a1,a2,a3;
449 a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
450 A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
457 case 0: ; /* ultrix cc workaround, see comments in bn_expand_internal */
460 memcpy(a->d,b->d,sizeof(b->d[0])*b->top);
469 void BN_swap(BIGNUM *a, BIGNUM *b)
471 int flags_old_a, flags_old_b;
473 int tmp_top, tmp_dmax, tmp_neg;
478 flags_old_a = a->flags;
479 flags_old_b = b->flags;
496 a->flags = (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
497 b->flags = (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
502 void BN_clear(BIGNUM *a)
506 memset(a->d,0,a->dmax*sizeof(a->d[0]));
511 BN_ULONG BN_get_word(const BIGNUM *a)
515 else if (a->top == 1)
521 int BN_set_word(BIGNUM *a, BN_ULONG w)
524 if (bn_expand(a,(int)sizeof(BN_ULONG)*8) == NULL) return(0);
527 a->top = (w ? 1 : 0);
532 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
541 if (ret == NULL) return(NULL);
550 i=((n-1)/BN_BYTES)+1;
551 m=((n-1)%(BN_BYTES));
552 if (bn_wexpand(ret, (int)i) == NULL)
569 /* need to call this due to clear byte at top if avoiding
570 * having the top bit set (-ve number) */
575 /* ignore negative */
576 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
586 *(to++)=(unsigned char)(l>>(8*(i%BN_BYTES)))&0xff;
591 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
594 BN_ULONG t1,t2,*ap,*bp;
600 if (i != 0) return(i);
603 for (i=a->top-1; i>=0; i--)
608 return((t1 > t2) ? 1 : -1);
613 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
619 if ((a == NULL) || (b == NULL))
632 if (a->neg != b->neg)
640 else { gt= -1; lt=1; }
642 if (a->top > b->top) return(gt);
643 if (a->top < b->top) return(lt);
644 for (i=a->top-1; i>=0; i--)
648 if (t1 > t2) return(gt);
649 if (t1 < t2) return(lt);
654 int BN_set_bit(BIGNUM *a, int n)
665 if (bn_wexpand(a,i+1) == NULL) return(0);
666 for(k=a->top; k<i+1; k++)
671 a->d[i]|=(((BN_ULONG)1)<<j);
676 int BN_clear_bit(BIGNUM *a, int n)
685 if (a->top <= i) return(0);
687 a->d[i]&=(~(((BN_ULONG)1)<<j));
692 int BN_is_bit_set(const BIGNUM *a, int n)
700 if (a->top <= i) return 0;
701 return (int)(((a->d[i])>>j)&((BN_ULONG)1));
704 int BN_mask_bits(BIGNUM *a, int n)
713 if (w >= a->top) return 0;
719 a->d[w]&= ~(BN_MASK2<<b);
725 void BN_set_negative(BIGNUM *a, int b)
727 if (b && !BN_is_zero(a))
733 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
740 if (aa != bb) return((aa > bb)?1:-1);
741 for (i=n-2; i>=0; i--)
745 if (aa != bb) return((aa > bb)?1:-1);
750 /* Here follows a specialised variants of bn_cmp_words(). It has the
751 property of performing the operation on arrays of different sizes.
752 The sizes of those arrays is expressed through cl, which is the
753 common length ( basicall, min(len(a),len(b)) ), and dl, which is the
754 delta between the two lengths, calculated as len(a)-len(b).
755 All lengths are the number of BN_ULONGs... */
757 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
768 return -1; /* a < b */
776 return 1; /* a > b */
779 return bn_cmp_words(a,b,cl);
783 * Constant-time conditional swap of a and b.
784 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
785 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
786 * and that no more than nwords are used by either a or b.
787 * a and b cannot be the same number
789 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
794 bn_wcheck_size(a, nwords);
795 bn_wcheck_size(b, nwords);
798 assert((condition & (condition - 1)) == 0);
799 assert(sizeof(BN_ULONG) >= sizeof(int));
801 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
803 t = (a->top^b->top) & condition;
807 #define BN_CONSTTIME_SWAP(ind) \
809 t = (a->d[ind] ^ b->d[ind]) & condition; \
817 for (i = 10; i < nwords; i++)
818 BN_CONSTTIME_SWAP(i);
820 case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
821 case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
822 case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
823 case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
824 case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
825 case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
826 case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
827 case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
828 case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
829 case 1: BN_CONSTTIME_SWAP(0);
831 #undef BN_CONSTTIME_SWAP
834 /* Bits of security, see SP800-57 */
836 int BN_security_bits(int L, int N)
856 return bits >= secbits ? secbits : bits;
860 void BN_zero_ex(BIGNUM *a)
866 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
868 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
871 int BN_is_zero(const BIGNUM *a)
876 int BN_is_one(const BIGNUM *a)
878 return BN_abs_is_word(a, 1) && !a->neg;
881 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
883 return BN_abs_is_word(a, w) && (!w || !a->neg);
886 int BN_is_odd(const BIGNUM *a)
888 return (a->top > 0) && (a->d[0] & 1);
891 int BN_is_negative(const BIGNUM *a)
893 return (a->neg != 0);
896 int BN_to_montgomery(BIGNUM *r,const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx)
898 return BN_mod_mul_montgomery(r,a,&(mont->RR),mont,ctx);
901 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int n)
907 dest->flags=((dest->flags & BN_FLG_MALLOCED)
908 | (b->flags & ~BN_FLG_MALLOCED)
913 BN_GENCB *BN_GENCB_new(void)
917 if ((ret=(BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB))) == NULL)
919 BNerr(BN_F_BN_GENCB_NEW,ERR_R_MALLOC_FAILURE);
926 void BN_GENCB_free(BN_GENCB *cb)
928 if (cb == NULL) return;
932 void BN_set_flags(BIGNUM *b, int n)
937 int BN_get_flags(const BIGNUM *b, int n)
942 /* Populate a BN_GENCB structure with an "old"-style callback */
943 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback)(int, int, void *), void *cb_arg)
945 BN_GENCB *tmp_gencb = gencb;
947 tmp_gencb->arg = cb_arg;
948 tmp_gencb->cb.cb_1 = callback;
951 /* Populate a BN_GENCB structure with a "new"-style callback */
952 void BN_GENCB_set(BN_GENCB *gencb, int (*callback)(int, int, BN_GENCB *), void *cb_arg)
954 BN_GENCB *tmp_gencb = gencb;
956 tmp_gencb->arg = cb_arg;
957 tmp_gencb->cb.cb_2 = callback;
960 void *BN_GENCB_get_arg(BN_GENCB *cb)
966 BIGNUM *bn_wexpand(BIGNUM *a, int words)
968 return (words <= a->dmax)?a:bn_expand2(a,words);
971 void bn_correct_top(BIGNUM *a)
974 int tmp_top = a->top;
978 for (ftl= &(a->d[tmp_top-1]); tmp_top > 0; tmp_top--)