1 /* crypto/bn/bn_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
60 # undef NDEBUG /* avoid conflicting definitions */
64 #define OPENSSL_FIPSAPI
73 const char BN_version[]="Big Number" OPENSSL_VERSION_PTEXT;
75 /* This stuff appears to be completely unused, so is deprecated */
76 #ifndef OPENSSL_NO_DEPRECATED
77 /* For a 32 bit machine
86 static int bn_limit_bits=0;
87 static int bn_limit_num=8; /* (1<<bn_limit_bits) */
88 static int bn_limit_bits_low=0;
89 static int bn_limit_num_low=8; /* (1<<bn_limit_bits_low) */
90 static int bn_limit_bits_high=0;
91 static int bn_limit_num_high=8; /* (1<<bn_limit_bits_high) */
92 static int bn_limit_bits_mont=0;
93 static int bn_limit_num_mont=8; /* (1<<bn_limit_bits_mont) */
95 void BN_set_params(int mult, int high, int low, int mont)
99 if (mult > (int)(sizeof(int)*8)-1)
100 mult=sizeof(int)*8-1;
102 bn_limit_num=1<<mult;
106 if (high > (int)(sizeof(int)*8)-1)
107 high=sizeof(int)*8-1;
108 bn_limit_bits_high=high;
109 bn_limit_num_high=1<<high;
113 if (low > (int)(sizeof(int)*8)-1)
115 bn_limit_bits_low=low;
116 bn_limit_num_low=1<<low;
120 if (mont > (int)(sizeof(int)*8)-1)
121 mont=sizeof(int)*8-1;
122 bn_limit_bits_mont=mont;
123 bn_limit_num_mont=1<<mont;
127 int BN_get_params(int which)
129 if (which == 0) return(bn_limit_bits);
130 else if (which == 1) return(bn_limit_bits_high);
131 else if (which == 2) return(bn_limit_bits_low);
132 else if (which == 3) return(bn_limit_bits_mont);
137 const BIGNUM *BN_value_one(void)
139 static const BN_ULONG data_one=1L;
140 static const BIGNUM const_one={(BN_ULONG *)&data_one,1,1,0,BN_FLG_STATIC_DATA};
145 int BN_num_bits_word(BN_ULONG l)
148 static const unsigned char bits[256]={
149 0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4,
150 5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,
151 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
152 6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
153 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
154 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
155 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
156 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
157 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
158 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
159 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
160 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
161 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
162 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
163 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
164 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
167 #if defined(SIXTY_FOUR_BIT_LONG)
168 if (l & 0xffffffff00000000L)
170 if (l & 0xffff000000000000L)
172 if (l & 0xff00000000000000L)
174 return(bits[(int)(l>>56)]+56);
176 else return(bits[(int)(l>>48)]+48);
180 if (l & 0x0000ff0000000000L)
182 return(bits[(int)(l>>40)]+40);
184 else return(bits[(int)(l>>32)]+32);
189 #ifdef SIXTY_FOUR_BIT
190 if (l & 0xffffffff00000000LL)
192 if (l & 0xffff000000000000LL)
194 if (l & 0xff00000000000000LL)
196 return(bits[(int)(l>>56)]+56);
198 else return(bits[(int)(l>>48)]+48);
202 if (l & 0x0000ff0000000000LL)
204 return(bits[(int)(l>>40)]+40);
206 else return(bits[(int)(l>>32)]+32);
213 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
217 return(bits[(int)(l>>24L)]+24);
218 else return(bits[(int)(l>>16L)]+16);
223 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
225 return(bits[(int)(l>>8)]+8);
228 return(bits[(int)(l )] );
233 int BN_num_bits(const BIGNUM *a)
238 if (BN_is_zero(a)) return 0;
239 return ((i*BN_BITS2) + BN_num_bits_word(a->d[i]));
242 void BN_clear_free(BIGNUM *a)
246 if (a == NULL) return;
250 OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0]));
251 if (!(BN_get_flags(a,BN_FLG_STATIC_DATA)))
254 i=BN_get_flags(a,BN_FLG_MALLOCED);
255 OPENSSL_cleanse(a,sizeof(BIGNUM));
260 void BN_free(BIGNUM *a)
262 if (a == NULL) return;
264 if ((a->d != NULL) && !(BN_get_flags(a,BN_FLG_STATIC_DATA)))
266 if (a->flags & BN_FLG_MALLOCED)
270 #ifndef OPENSSL_NO_DEPRECATED
271 a->flags|=BN_FLG_FREE;
277 void BN_init(BIGNUM *a)
279 memset(a,0,sizeof(BIGNUM));
287 if ((ret=(BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL)
289 BNerr(BN_F_BN_NEW,ERR_R_MALLOC_FAILURE);
292 ret->flags=BN_FLG_MALLOCED;
301 /* This is used both by bn_expand2() and bn_dup_expand() */
302 /* The caller MUST check that words > b->dmax before calling this */
303 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
305 BN_ULONG *A,*a = NULL;
311 if (words > (INT_MAX/(4*BN_BITS2)))
313 BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_BIGNUM_TOO_LONG);
316 if (BN_get_flags(b,BN_FLG_STATIC_DATA))
318 BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
321 a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*words);
324 BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE);
328 /* Valgrind complains in BN_consttime_swap because we process the whole
329 * array even if it's not initialised yet. This doesn't matter in that
330 * function - what's important is constant time operation (we're not
331 * actually going to use the data)
333 memset(a, 0, sizeof(BN_ULONG)*words);
338 /* Check if the previous number needs to be copied */
341 for (i=b->top>>2; i>0; i--,A+=4,B+=4)
344 * The fact that the loop is unrolled
345 * 4-wise is a tribute to Intel. It's
346 * the one that doesn't have enough
347 * registers to accomodate more data.
348 * I'd unroll it 8-wise otherwise:-)
350 * <appro@fy.chalmers.se>
352 BN_ULONG a0,a1,a2,a3;
353 a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
354 A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
361 case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does
362 * the switch table by doing a=top&3; a--; goto jump_table[a];
363 * which fails for top== 0 */
369 memset(A,0,sizeof(BN_ULONG)*words);
370 memcpy(A,b->d,sizeof(b->d[0])*b->top);
376 /* This is an internal function that can be used instead of bn_expand2()
377 * when there is a need to copy BIGNUMs instead of only expanding the
378 * data part, while still expanding them.
379 * Especially useful when needing to expand BIGNUMs that are declared
380 * 'const' and should therefore not be changed.
381 * The reason to use this instead of a BN_dup() followed by a bn_expand2()
382 * is memory allocation overhead. A BN_dup() followed by a bn_expand2()
383 * will allocate new memory for the BIGNUM data twice, and free it once,
384 * while bn_dup_expand() makes sure allocation is made only once.
387 #ifndef OPENSSL_NO_DEPRECATED
388 BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
394 /* This function does not work if
395 * words <= b->dmax && top < words
396 * because BN_dup() does not preserve 'dmax'!
397 * (But bn_dup_expand() is not used anywhere yet.)
402 BN_ULONG *a = bn_expand_internal(b, words);
416 /* r == NULL, BN_new failure */
420 /* If a == NULL, there was an error in allocation in
421 bn_expand_internal(), and NULL should be returned */
433 /* This is an internal function that should not be used in applications.
434 * It ensures that 'b' has enough room for a 'words' word number
435 * and initialises any unused part of b->d with leading zeros.
436 * It is mostly used by the various BIGNUM routines. If there is an error,
437 * NULL is returned. If not, 'b' is returned. */
439 BIGNUM *bn_expand2(BIGNUM *b, int words)
445 BN_ULONG *a = bn_expand_internal(b, words);
447 if(b->d) OPENSSL_free(b->d);
452 /* None of this should be necessary because of what b->top means! */
454 /* NB: bn_wexpand() calls this only if the BIGNUM really has to grow */
455 if (b->top < b->dmax)
458 BN_ULONG *A = &(b->d[b->top]);
459 for (i=(b->dmax - b->top)>>3; i>0; i--,A+=8)
461 A[0]=0; A[1]=0; A[2]=0; A[3]=0;
462 A[4]=0; A[5]=0; A[6]=0; A[7]=0;
464 for (i=(b->dmax - b->top)&7; i>0; i--,A++)
466 assert(A == &(b->d[b->dmax]));
473 BIGNUM *BN_dup(const BIGNUM *a)
477 if (a == NULL) return NULL;
481 if (t == NULL) return NULL;
491 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
499 if (a == b) return(a);
500 if (bn_wexpand(a,b->top) == NULL) return(NULL);
505 for (i=b->top>>2; i>0; i--,A+=4,B+=4)
507 BN_ULONG a0,a1,a2,a3;
508 a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
509 A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
516 case 0: ; /* ultrix cc workaround, see comments in bn_expand_internal */
519 memcpy(a->d,b->d,sizeof(b->d[0])*b->top);
528 void BN_swap(BIGNUM *a, BIGNUM *b)
530 int flags_old_a, flags_old_b;
532 int tmp_top, tmp_dmax, tmp_neg;
537 flags_old_a = a->flags;
538 flags_old_b = b->flags;
555 a->flags = (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
556 b->flags = (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
561 void BN_clear(BIGNUM *a)
565 memset(a->d,0,a->dmax*sizeof(a->d[0]));
570 BN_ULONG BN_get_word(const BIGNUM *a)
574 else if (a->top == 1)
580 int BN_set_word(BIGNUM *a, BN_ULONG w)
583 if (bn_expand(a,(int)sizeof(BN_ULONG)*8) == NULL) return(0);
586 a->top = (w ? 1 : 0);
591 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
600 if (ret == NULL) return(NULL);
609 i=((n-1)/BN_BYTES)+1;
610 m=((n-1)%(BN_BYTES));
611 if (bn_wexpand(ret, (int)i) == NULL)
628 /* need to call this due to clear byte at top if avoiding
629 * having the top bit set (-ve number) */
634 /* ignore negative */
635 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
645 *(to++)=(unsigned char)(l>>(8*(i%BN_BYTES)))&0xff;
650 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
653 BN_ULONG t1,t2,*ap,*bp;
659 if (i != 0) return(i);
662 for (i=a->top-1; i>=0; i--)
667 return((t1 > t2) ? 1 : -1);
672 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
678 if ((a == NULL) || (b == NULL))
691 if (a->neg != b->neg)
699 else { gt= -1; lt=1; }
701 if (a->top > b->top) return(gt);
702 if (a->top < b->top) return(lt);
703 for (i=a->top-1; i>=0; i--)
707 if (t1 > t2) return(gt);
708 if (t1 < t2) return(lt);
713 int BN_set_bit(BIGNUM *a, int n)
724 if (bn_wexpand(a,i+1) == NULL) return(0);
725 for(k=a->top; k<i+1; k++)
730 a->d[i]|=(((BN_ULONG)1)<<j);
735 int BN_clear_bit(BIGNUM *a, int n)
744 if (a->top <= i) return(0);
746 a->d[i]&=(~(((BN_ULONG)1)<<j));
751 int BN_is_bit_set(const BIGNUM *a, int n)
759 if (a->top <= i) return 0;
760 return (int)(((a->d[i])>>j)&((BN_ULONG)1));
763 int BN_mask_bits(BIGNUM *a, int n)
772 if (w >= a->top) return 0;
778 a->d[w]&= ~(BN_MASK2<<b);
784 void BN_set_negative(BIGNUM *a, int b)
786 if (b && !BN_is_zero(a))
792 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
799 if (aa != bb) return((aa > bb)?1:-1);
800 for (i=n-2; i>=0; i--)
804 if (aa != bb) return((aa > bb)?1:-1);
809 /* Here follows a specialised variants of bn_cmp_words(). It has the
810 property of performing the operation on arrays of different sizes.
811 The sizes of those arrays is expressed through cl, which is the
812 common length ( basicall, min(len(a),len(b)) ), and dl, which is the
813 delta between the two lengths, calculated as len(a)-len(b).
814 All lengths are the number of BN_ULONGs... */
816 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
827 return -1; /* a < b */
835 return 1; /* a > b */
838 return bn_cmp_words(a,b,cl);
842 * Constant-time conditional swap of a and b.
843 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
844 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
845 * and that no more than nwords are used by either a or b.
846 * a and b cannot be the same number
848 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
853 bn_wcheck_size(a, nwords);
854 bn_wcheck_size(b, nwords);
857 assert((condition & (condition - 1)) == 0);
858 assert(sizeof(BN_ULONG) >= sizeof(int));
860 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
862 t = (a->top^b->top) & condition;
866 #define BN_CONSTTIME_SWAP(ind) \
868 t = (a->d[ind] ^ b->d[ind]) & condition; \
876 for (i = 10; i < nwords; i++)
877 BN_CONSTTIME_SWAP(i);
879 case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
880 case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
881 case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
882 case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
883 case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
884 case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
885 case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
886 case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
887 case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
888 case 1: BN_CONSTTIME_SWAP(0);
890 #undef BN_CONSTTIME_SWAP
893 /* Bits of security, see SP800-57 */
895 int BN_security_bits(int L, int N)
915 return bits >= secbits ? secbits : bits;