2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
14 #if defined(OPENSSL_NO_ASM) || !defined(OPENSSL_BN_ASM_PART_WORDS)
16 * Here follows specialised variants of bn_add_words() and bn_sub_words().
17 * They have the property performing operations on arrays of different sizes.
18 * The sizes of those arrays is expressed through cl, which is the common
19 * length ( basically, min(len(a),len(b)) ), and dl, which is the delta
20 * between the two lengths, calculated as len(a)-len(b). All lengths are the
21 * number of BN_ULONGs... For the operations that require a result array as
22 * parameter, it must have the length cl+abs(dl). These functions should
23 * probably end up in bn_asm.c as soon as there are assembler counterparts
24 * for the systems that use assembler files.
27 BN_ULONG bn_sub_part_words(BN_ULONG *r,
28 const BN_ULONG *a, const BN_ULONG *b,
34 c = bn_sub_words(r, a, b, cl);
46 r[0] = (0 - t - c) & BN_MASK2;
53 r[1] = (0 - t - c) & BN_MASK2;
60 r[2] = (0 - t - c) & BN_MASK2;
67 r[3] = (0 - t - c) & BN_MASK2;
80 r[0] = (t - c) & BN_MASK2;
87 r[1] = (t - c) & BN_MASK2;
94 r[2] = (t - c) & BN_MASK2;
101 r[3] = (t - c) & BN_MASK2;
113 switch (save_dl - dl) {
155 BN_ULONG bn_add_part_words(BN_ULONG *r,
156 const BN_ULONG *a, const BN_ULONG *b,
162 c = bn_add_words(r, a, b, cl);
174 l = (c + b[0]) & BN_MASK2;
180 l = (c + b[1]) & BN_MASK2;
186 l = (c + b[2]) & BN_MASK2;
192 l = (c + b[3]) & BN_MASK2;
204 switch (dl - save_dl) {
244 t = (a[0] + c) & BN_MASK2;
250 t = (a[1] + c) & BN_MASK2;
256 t = (a[2] + c) & BN_MASK2;
262 t = (a[3] + c) & BN_MASK2;
274 switch (save_dl - dl) {
317 * Karatsuba recursive multiplication algorithm (cf. Knuth, The Art of
318 * Computer Programming, Vol. 2)
322 * r is 2*n2 words in size,
323 * a and b are both n2 words in size.
324 * n2 must be a power of 2.
325 * We multiply and return the result.
326 * t must be 2*n2 words in size
329 * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
332 /* dnX may not be positive, but n2/2+dnX has to be */
333 void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
334 int dna, int dnb, BN_ULONG *t)
336 int n = n2 / 2, c1, c2;
337 int tna = n + dna, tnb = n + dnb;
338 unsigned int neg, zero;
344 bn_mul_comba4(r, a, b);
349 * Only call bn_mul_comba 8 if n2 == 8 and the two arrays are complete
352 if (n2 == 8 && dna == 0 && dnb == 0) {
353 bn_mul_comba8(r, a, b);
356 # endif /* BN_MUL_COMBA */
357 /* Else do normal multiply */
358 if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
359 bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
361 memset(&r[2 * n2 + dna + dnb], 0,
362 sizeof(BN_ULONG) * -(dna + dnb));
365 /* r=(a[0]-a[1])*(b[1]-b[0]) */
366 c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
367 c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
369 switch (c1 * 3 + c2) {
371 bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
372 bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
378 bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
379 bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
388 bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */
389 bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
396 bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
397 bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
402 if (n == 4 && dna == 0 && dnb == 0) { /* XXX: bn_mul_comba4 could take
403 * extra args to do this well */
405 bn_mul_comba4(&(t[n2]), t, &(t[n]));
407 memset(&t[n2], 0, sizeof(*t) * 8);
409 bn_mul_comba4(r, a, b);
410 bn_mul_comba4(&(r[n2]), &(a[n]), &(b[n]));
411 } else if (n == 8 && dna == 0 && dnb == 0) { /* XXX: bn_mul_comba8 could
412 * take extra args to do
415 bn_mul_comba8(&(t[n2]), t, &(t[n]));
417 memset(&t[n2], 0, sizeof(*t) * 16);
419 bn_mul_comba8(r, a, b);
420 bn_mul_comba8(&(r[n2]), &(a[n]), &(b[n]));
422 # endif /* BN_MUL_COMBA */
426 bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
428 memset(&t[n2], 0, sizeof(*t) * n2);
429 bn_mul_recursive(r, a, b, n, 0, 0, p);
430 bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
434 * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
435 * r[10] holds (a[0]*b[0])
436 * r[32] holds (b[1]*b[1])
439 c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
441 if (neg) { /* if t[32] is negative */
442 c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
444 /* Might have a carry */
445 c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
449 * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
450 * r[10] holds (a[0]*b[0])
451 * r[32] holds (b[1]*b[1])
452 * c1 holds the carry bits
454 c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
458 ln = (lo + c1) & BN_MASK2;
462 * The overflow will stop before we over write words we should not
465 if (ln < (BN_ULONG)c1) {
469 ln = (lo + 1) & BN_MASK2;
477 * n+tn is the word length t needs to be n*4 is size, as does r
479 /* tnX may not be negative but less than n */
480 void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
481 int tna, int tnb, BN_ULONG *t)
483 int i, j, n2 = n * 2;
488 bn_mul_normal(r, a, n + tna, b, n + tnb);
492 /* r=(a[0]-a[1])*(b[1]-b[0]) */
493 c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
494 c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
496 switch (c1 * 3 + c2) {
498 bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
499 bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
504 bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
505 bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
513 bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */
514 bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
520 bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
521 bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
525 * The zero case isn't yet implemented here. The speedup would probably
530 bn_mul_comba4(&(t[n2]), t, &(t[n]));
531 bn_mul_comba4(r, a, b);
532 bn_mul_normal(&(r[n2]), &(a[n]), tn, &(b[n]), tn);
533 memset(&r[n2 + tn * 2], 0, sizeof(*r) * (n2 - tn * 2));
537 bn_mul_comba8(&(t[n2]), t, &(t[n]));
538 bn_mul_comba8(r, a, b);
539 bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
540 memset(&r[n2 + tna + tnb], 0, sizeof(*r) * (n2 - tna - tnb));
543 bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
544 bn_mul_recursive(r, a, b, n, 0, 0, p);
547 * If there is only a bottom half to the number, just do it
554 bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]),
555 i, tna - i, tnb - i, p);
556 memset(&r[n2 + i * 2], 0, sizeof(*r) * (n2 - i * 2));
557 } else if (j > 0) { /* eg, n == 16, i == 8 and tn == 11 */
558 bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]),
559 i, tna - i, tnb - i, p);
560 memset(&(r[n2 + tna + tnb]), 0,
561 sizeof(BN_ULONG) * (n2 - tna - tnb));
562 } else { /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
564 memset(&r[n2], 0, sizeof(*r) * n2);
565 if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL
566 && tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
567 bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
572 * these simplified conditions work exclusively because
573 * difference between tna and tnb is 1 or 0
575 if (i < tna || i < tnb) {
576 bn_mul_part_recursive(&(r[n2]),
578 i, tna - i, tnb - i, p);
580 } else if (i == tna || i == tnb) {
581 bn_mul_recursive(&(r[n2]),
583 i, tna - i, tnb - i, p);
592 * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
593 * r[10] holds (a[0]*b[0])
594 * r[32] holds (b[1]*b[1])
597 c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
599 if (neg) { /* if t[32] is negative */
600 c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
602 /* Might have a carry */
603 c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
607 * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
608 * r[10] holds (a[0]*b[0])
609 * r[32] holds (b[1]*b[1])
610 * c1 holds the carry bits
612 c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
616 ln = (lo + c1) & BN_MASK2;
620 * The overflow will stop before we over write words we should not
623 if (ln < (BN_ULONG)c1) {
627 ln = (lo + 1) & BN_MASK2;
635 * a and b must be the same size, which is n2.
636 * r needs to be n2 words and t needs to be n2*2
638 void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
643 bn_mul_recursive(r, a, b, n, 0, 0, &(t[0]));
644 if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL) {
645 bn_mul_low_recursive(&(t[0]), &(a[0]), &(b[n]), n, &(t[n2]));
646 bn_add_words(&(r[n]), &(r[n]), &(t[0]), n);
647 bn_mul_low_recursive(&(t[0]), &(a[n]), &(b[0]), n, &(t[n2]));
648 bn_add_words(&(r[n]), &(r[n]), &(t[0]), n);
650 bn_mul_low_normal(&(t[0]), &(a[0]), &(b[n]), n);
651 bn_mul_low_normal(&(t[n]), &(a[n]), &(b[0]), n);
652 bn_add_words(&(r[n]), &(r[n]), &(t[0]), n);
653 bn_add_words(&(r[n]), &(r[n]), &(t[n]), n);
658 * a and b must be the same size, which is n2.
659 * r needs to be n2 words and t needs to be n2*2
660 * l is the low words of the output.
663 void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
669 BN_ULONG ll, lc, *lp, *mp;
673 /* Calculate (al-ah)*(bh-bl) */
675 c1 = bn_cmp_words(&(a[0]), &(a[n]), n);
676 c2 = bn_cmp_words(&(b[n]), &(b[0]), n);
677 switch (c1 * 3 + c2) {
679 bn_sub_words(&(r[0]), &(a[n]), &(a[0]), n);
680 bn_sub_words(&(r[n]), &(b[0]), &(b[n]), n);
686 bn_sub_words(&(r[0]), &(a[n]), &(a[0]), n);
687 bn_sub_words(&(r[n]), &(b[n]), &(b[0]), n);
696 bn_sub_words(&(r[0]), &(a[0]), &(a[n]), n);
697 bn_sub_words(&(r[n]), &(b[0]), &(b[n]), n);
704 bn_sub_words(&(r[0]), &(a[0]), &(a[n]), n);
705 bn_sub_words(&(r[n]), &(b[n]), &(b[0]), n);
710 /* t[10] = (a[0]-a[1])*(b[1]-b[0]) */
711 /* r[10] = (a[1]*b[1]) */
714 bn_mul_comba8(&(t[0]), &(r[0]), &(r[n]));
715 bn_mul_comba8(r, &(a[n]), &(b[n]));
719 bn_mul_recursive(&(t[0]), &(r[0]), &(r[n]), n, 0, 0, &(t[n2]));
720 bn_mul_recursive(r, &(a[n]), &(b[n]), n, 0, 0, &(t[n2]));
725 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
726 * We know s0 and s1 so the only unknown is high(al*bl)
727 * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
728 * high(al*bl) == s1 - (r[0]+l[0]+t[0])
732 bn_add_words(lp, &(r[0]), &(l[0]), n);
738 neg = (int)(bn_sub_words(&(t[n2]), lp, &(t[0]), n));
740 bn_add_words(&(t[n2]), lp, &(t[0]), n);
745 bn_sub_words(&(t[n2 + n]), &(l[n]), &(t[n2]), n);
749 for (i = 0; i < n; i++)
750 lp[i] = ((~mp[i]) + 1) & BN_MASK2;
756 * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
757 * r[10] = (a[1]*b[1])
761 * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
765 * R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
766 * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
767 * R[3]=r[1]+(carry/borrow)
771 c1 = (int)(bn_add_words(lp, &(t[n2 + n]), &(l[0]), n));
776 c1 += (int)(bn_add_words(&(t[n2]), lp, &(r[0]), n));
778 c1 -= (int)(bn_sub_words(&(t[n2]), &(t[n2]), &(t[0]), n));
780 c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), &(t[0]), n));
782 c2 = (int)(bn_add_words(&(r[0]), &(r[0]), &(t[n2 + n]), n));
783 c2 += (int)(bn_add_words(&(r[0]), &(r[0]), &(r[n]), n));
785 c2 -= (int)(bn_sub_words(&(r[0]), &(r[0]), &(t[n]), n));
787 c2 += (int)(bn_add_words(&(r[0]), &(r[0]), &(t[n]), n));
789 if (c1 != 0) { /* Add starting at r[0], could be +ve or -ve */
794 ll = (r[i] + lc) & BN_MASK2;
802 r[i++] = (ll - lc) & BN_MASK2;
807 if (c2 != 0) { /* Add starting at r[1] */
812 ll = (r[i] + lc) & BN_MASK2;
820 r[i++] = (ll - lc) & BN_MASK2;
826 #endif /* BN_RECURSION */
828 int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
833 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
848 if ((al == 0) || (bl == 0)) {
855 if ((r == a) || (r == b)) {
856 if ((rr = BN_CTX_get(ctx)) == NULL)
860 rr->neg = a->neg ^ b->neg;
862 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
869 if (bn_wexpand(rr, 8) == NULL)
872 bn_mul_comba4(rr->d, a->d, b->d);
877 if (bn_wexpand(rr, 16) == NULL)
880 bn_mul_comba8(rr->d, a->d, b->d);
884 #endif /* BN_MUL_COMBA */
886 if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL)) {
887 if (i >= -1 && i <= 1) {
889 * Find out the power of two lower or equal to the longest of the
893 j = BN_num_bits_word((BN_ULONG)al);
896 j = BN_num_bits_word((BN_ULONG)bl);
899 assert(j <= al || j <= bl);
904 if (al > j || bl > j) {
905 if (bn_wexpand(t, k * 4) == NULL)
907 if (bn_wexpand(rr, k * 4) == NULL)
909 bn_mul_part_recursive(rr->d, a->d, b->d,
910 j, al - j, bl - j, t->d);
911 } else { /* al <= j || bl <= j */
913 if (bn_wexpand(t, k * 2) == NULL)
915 if (bn_wexpand(rr, k * 2) == NULL)
917 bn_mul_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
923 if (i == 1 && !BN_get_flags(b, BN_FLG_STATIC_DATA)) {
924 BIGNUM *tmp_bn = (BIGNUM *)b;
925 if (bn_wexpand(tmp_bn, al) == NULL)
930 } else if (i == -1 && !BN_get_flags(a, BN_FLG_STATIC_DATA)) {
931 BIGNUM *tmp_bn = (BIGNUM *)a;
932 if (bn_wexpand(tmp_bn, bl) == NULL)
939 /* symmetric and > 4 */
941 j = BN_num_bits_word((BN_ULONG)al);
945 if (al == j) { /* exact multiple */
946 if (bn_wexpand(t, k * 2) == NULL)
948 if (bn_wexpand(rr, k * 2) == NULL)
950 bn_mul_recursive(rr->d, a->d, b->d, al, t->d);
952 if (bn_wexpand(t, k * 4) == NULL)
954 if (bn_wexpand(rr, k * 4) == NULL)
956 bn_mul_part_recursive(rr->d, a->d, b->d, al - j, j, t->d);
963 #endif /* BN_RECURSION */
964 if (bn_wexpand(rr, top) == NULL)
967 bn_mul_normal(rr->d, a->d, al, b->d, bl);
969 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
982 void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
1000 (void)bn_mul_words(r, a, na, 0);
1003 rr[0] = bn_mul_words(r, a, na, b[0]);
1008 rr[1] = bn_mul_add_words(&(r[1]), a, na, b[1]);
1011 rr[2] = bn_mul_add_words(&(r[2]), a, na, b[2]);
1014 rr[3] = bn_mul_add_words(&(r[3]), a, na, b[3]);
1017 rr[4] = bn_mul_add_words(&(r[4]), a, na, b[4]);
1024 void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
1026 bn_mul_words(r, a, n, b[0]);
1031 bn_mul_add_words(&(r[1]), a, n, b[1]);
1034 bn_mul_add_words(&(r[2]), a, n, b[2]);
1037 bn_mul_add_words(&(r[3]), a, n, b[3]);
1040 bn_mul_add_words(&(r[4]), a, n, b[4]);
projects / openssl.git / blob