1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
57 /* ====================================================================
58 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
86 * 6. Redistributions of any form whatsoever must retain the following
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
111 #include "internal/cryptlib.h"
114 static BIGNUM *euclid(BIGNUM *a, BIGNUM *b);
116 int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
127 if (a == NULL || b == NULL)
130 if (BN_copy(a, in_a) == NULL)
132 if (BN_copy(b, in_b) == NULL)
137 if (BN_cmp(a, b) < 0) {
146 if (BN_copy(r, t) == NULL)
155 static BIGNUM *euclid(BIGNUM *a, BIGNUM *b)
164 while (!BN_is_zero(b)) {
169 if (!BN_sub(a, a, b))
171 if (!BN_rshift1(a, a))
173 if (BN_cmp(a, b) < 0) {
178 } else { /* a odd - b even */
180 if (!BN_rshift1(b, b))
182 if (BN_cmp(a, b) < 0) {
188 } else { /* a is even */
191 if (!BN_rshift1(a, a))
193 if (BN_cmp(a, b) < 0) {
198 } else { /* a even - b even */
200 if (!BN_rshift1(a, a))
202 if (!BN_rshift1(b, b))
211 if (!BN_lshift(a, a, shifts))
220 /* solves ax == 1 (mod n) */
221 static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
222 const BIGNUM *a, const BIGNUM *n,
225 BIGNUM *BN_mod_inverse(BIGNUM *in,
226 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
230 rv = int_bn_mod_inverse(in, a, n, ctx, &noinv);
232 BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE);
236 BIGNUM *int_bn_mod_inverse(BIGNUM *in,
237 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
240 BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
247 if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0)
248 || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) {
249 return BN_mod_inverse_no_branch(in, a, n, ctx);
275 if (BN_copy(B, a) == NULL)
277 if (BN_copy(A, n) == NULL)
280 if (B->neg || (BN_ucmp(B, A) >= 0)) {
281 if (!BN_nnmod(B, B, A, ctx))
286 * From B = a mod |n|, A = |n| it follows that
289 * -sign*X*a == B (mod |n|),
290 * sign*Y*a == A (mod |n|).
293 if (BN_is_odd(n) && (BN_num_bits(n) <= 2048)) {
295 * Binary inversion algorithm; requires odd modulus. This is faster
296 * than the general algorithm if the modulus is sufficiently small
297 * (about 400 .. 500 bits on 32-bit systems, but much more on 64-bit
302 while (!BN_is_zero(B)) {
306 * (1) -sign*X*a == B (mod |n|),
307 * (2) sign*Y*a == A (mod |n|)
311 * Now divide B by the maximum possible power of two in the
312 * integers, and divide X by the same value mod |n|. When we're
313 * done, (1) still holds.
316 while (!BN_is_bit_set(B, shift)) { /* note that 0 < B */
320 if (!BN_uadd(X, X, n))
324 * now X is even, so we can easily divide it by two
326 if (!BN_rshift1(X, X))
330 if (!BN_rshift(B, B, shift))
335 * Same for A and Y. Afterwards, (2) still holds.
338 while (!BN_is_bit_set(A, shift)) { /* note that 0 < A */
342 if (!BN_uadd(Y, Y, n))
346 if (!BN_rshift1(Y, Y))
350 if (!BN_rshift(A, A, shift))
355 * We still have (1) and (2).
356 * Both A and B are odd.
357 * The following computations ensure that
361 * (1) -sign*X*a == B (mod |n|),
362 * (2) sign*Y*a == A (mod |n|),
364 * and that either A or B is even in the next iteration.
366 if (BN_ucmp(B, A) >= 0) {
367 /* -sign*(X + Y)*a == B - A (mod |n|) */
368 if (!BN_uadd(X, X, Y))
371 * NB: we could use BN_mod_add_quick(X, X, Y, n), but that
372 * actually makes the algorithm slower
374 if (!BN_usub(B, B, A))
377 /* sign*(X + Y)*a == A - B (mod |n|) */
378 if (!BN_uadd(Y, Y, X))
381 * as above, BN_mod_add_quick(Y, Y, X, n) would slow things
384 if (!BN_usub(A, A, B))
389 /* general inversion algorithm */
391 while (!BN_is_zero(B)) {
396 * (*) -sign*X*a == B (mod |n|),
397 * sign*Y*a == A (mod |n|)
400 /* (D, M) := (A/B, A%B) ... */
401 if (BN_num_bits(A) == BN_num_bits(B)) {
404 if (!BN_sub(M, A, B))
406 } else if (BN_num_bits(A) == BN_num_bits(B) + 1) {
407 /* A/B is 1, 2, or 3 */
408 if (!BN_lshift1(T, B))
410 if (BN_ucmp(A, T) < 0) {
411 /* A < 2*B, so D=1 */
414 if (!BN_sub(M, A, B))
417 /* A >= 2*B, so D=2 or D=3 */
418 if (!BN_sub(M, A, T))
420 if (!BN_add(D, T, B))
421 goto err; /* use D (:= 3*B) as temp */
422 if (BN_ucmp(A, D) < 0) {
423 /* A < 3*B, so D=2 */
424 if (!BN_set_word(D, 2))
427 * M (= A - 2*B) already has the correct value
430 /* only D=3 remains */
431 if (!BN_set_word(D, 3))
434 * currently M = A - 2*B, but we need M = A - 3*B
436 if (!BN_sub(M, M, B))
441 if (!BN_div(D, M, A, B, ctx))
449 * (**) sign*Y*a == D*B + M (mod |n|).
452 tmp = A; /* keep the BIGNUM object, the value does not
455 /* (A, B) := (B, A mod B) ... */
458 /* ... so we have 0 <= B < A again */
461 * Since the former M is now B and the former B is now A,
462 * (**) translates into
463 * sign*Y*a == D*A + B (mod |n|),
465 * sign*Y*a - D*A == B (mod |n|).
466 * Similarly, (*) translates into
467 * -sign*X*a == A (mod |n|).
470 * sign*Y*a + D*sign*X*a == B (mod |n|),
472 * sign*(Y + D*X)*a == B (mod |n|).
474 * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
475 * -sign*X*a == B (mod |n|),
476 * sign*Y*a == A (mod |n|).
477 * Note that X and Y stay non-negative all the time.
481 * most of the time D is very small, so we can optimize tmp :=
485 if (!BN_add(tmp, X, Y))
488 if (BN_is_word(D, 2)) {
489 if (!BN_lshift1(tmp, X))
491 } else if (BN_is_word(D, 4)) {
492 if (!BN_lshift(tmp, X, 2))
494 } else if (D->top == 1) {
495 if (!BN_copy(tmp, X))
497 if (!BN_mul_word(tmp, D->d[0]))
500 if (!BN_mul(tmp, D, X, ctx))
503 if (!BN_add(tmp, tmp, Y))
507 M = Y; /* keep the BIGNUM object, the value does not
516 * The while loop (Euclid's algorithm) ends when
519 * sign*Y*a == A (mod |n|),
520 * where Y is non-negative.
524 if (!BN_sub(Y, n, Y))
527 /* Now Y*a == A (mod |n|). */
530 /* Y*a == 1 (mod |n|) */
531 if (!Y->neg && BN_ucmp(Y, n) < 0) {
535 if (!BN_nnmod(R, Y, n, ctx))
545 if ((ret == NULL) && (in == NULL))
553 * BN_mod_inverse_no_branch is a special version of BN_mod_inverse. It does
554 * not contain branches that may leak sensitive information.
556 static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
557 const BIGNUM *a, const BIGNUM *n,
560 BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
587 if (BN_copy(B, a) == NULL)
589 if (BN_copy(A, n) == NULL)
593 if (B->neg || (BN_ucmp(B, A) >= 0)) {
595 * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
596 * BN_div_no_branch will be called eventually.
601 BN_with_flags(&local_B, B, BN_FLG_CONSTTIME);
602 if (!BN_nnmod(B, &local_B, A, ctx))
604 /* Ensure local_B goes out of scope before any further use of B */
609 * From B = a mod |n|, A = |n| it follows that
612 * -sign*X*a == B (mod |n|),
613 * sign*Y*a == A (mod |n|).
616 while (!BN_is_zero(B)) {
621 * (*) -sign*X*a == B (mod |n|),
622 * sign*Y*a == A (mod |n|)
626 * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
627 * BN_div_no_branch will be called eventually.
632 BN_with_flags(&local_A, A, BN_FLG_CONSTTIME);
634 /* (D, M) := (A/B, A%B) ... */
635 if (!BN_div(D, M, &local_A, B, ctx))
637 /* Ensure local_A goes out of scope before any further use of A */
644 * (**) sign*Y*a == D*B + M (mod |n|).
647 tmp = A; /* keep the BIGNUM object, the value does not
650 /* (A, B) := (B, A mod B) ... */
653 /* ... so we have 0 <= B < A again */
656 * Since the former M is now B and the former B is now A,
657 * (**) translates into
658 * sign*Y*a == D*A + B (mod |n|),
660 * sign*Y*a - D*A == B (mod |n|).
661 * Similarly, (*) translates into
662 * -sign*X*a == A (mod |n|).
665 * sign*Y*a + D*sign*X*a == B (mod |n|),
667 * sign*(Y + D*X)*a == B (mod |n|).
669 * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
670 * -sign*X*a == B (mod |n|),
671 * sign*Y*a == A (mod |n|).
672 * Note that X and Y stay non-negative all the time.
675 if (!BN_mul(tmp, D, X, ctx))
677 if (!BN_add(tmp, tmp, Y))
680 M = Y; /* keep the BIGNUM object, the value does not
688 * The while loop (Euclid's algorithm) ends when
691 * sign*Y*a == A (mod |n|),
692 * where Y is non-negative.
696 if (!BN_sub(Y, n, Y))
699 /* Now Y*a == A (mod |n|). */
702 /* Y*a == 1 (mod |n|) */
703 if (!Y->neg && BN_ucmp(Y, n) < 0) {
707 if (!BN_nnmod(R, Y, n, ctx))
711 BNerr(BN_F_BN_MOD_INVERSE_NO_BRANCH, BN_R_NO_INVERSE);
716 if ((ret == NULL) && (in == NULL))
projects / openssl.git / blob