1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
59 # undef NDEBUG /* avoid conflicting definitions */
64 #include "internal/cryptlib.h"
67 #if defined(OPENSSL_NO_ASM) || !defined(OPENSSL_BN_ASM_PART_WORDS)
69 * Here follows specialised variants of bn_add_words() and bn_sub_words().
70 * They have the property performing operations on arrays of different sizes.
71 * The sizes of those arrays is expressed through cl, which is the common
72 * length ( basically, min(len(a),len(b)) ), and dl, which is the delta
73 * between the two lengths, calculated as len(a)-len(b). All lengths are the
74 * number of BN_ULONGs... For the operations that require a result array as
75 * parameter, it must have the length cl+abs(dl). These functions should
76 * probably end up in bn_asm.c as soon as there are assembler counterparts
77 * for the systems that use assembler files.
80 BN_ULONG bn_sub_part_words(BN_ULONG *r,
81 const BN_ULONG *a, const BN_ULONG *b,
87 c = bn_sub_words(r, a, b, cl);
99 r[0] = (0 - t - c) & BN_MASK2;
106 r[1] = (0 - t - c) & BN_MASK2;
113 r[2] = (0 - t - c) & BN_MASK2;
120 r[3] = (0 - t - c) & BN_MASK2;
133 r[0] = (t - c) & BN_MASK2;
140 r[1] = (t - c) & BN_MASK2;
147 r[2] = (t - c) & BN_MASK2;
154 r[3] = (t - c) & BN_MASK2;
166 switch (save_dl - dl) {
208 BN_ULONG bn_add_part_words(BN_ULONG *r,
209 const BN_ULONG *a, const BN_ULONG *b,
215 c = bn_add_words(r, a, b, cl);
227 l = (c + b[0]) & BN_MASK2;
233 l = (c + b[1]) & BN_MASK2;
239 l = (c + b[2]) & BN_MASK2;
245 l = (c + b[3]) & BN_MASK2;
257 switch (dl - save_dl) {
297 t = (a[0] + c) & BN_MASK2;
303 t = (a[1] + c) & BN_MASK2;
309 t = (a[2] + c) & BN_MASK2;
315 t = (a[3] + c) & BN_MASK2;
327 switch (save_dl - dl) {
370 * Karatsuba recursive multiplication algorithm (cf. Knuth, The Art of
371 * Computer Programming, Vol. 2)
375 * r is 2*n2 words in size,
376 * a and b are both n2 words in size.
377 * n2 must be a power of 2.
378 * We multiply and return the result.
379 * t must be 2*n2 words in size
382 * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
385 /* dnX may not be positive, but n2/2+dnX has to be */
386 void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
387 int dna, int dnb, BN_ULONG *t)
389 int n = n2 / 2, c1, c2;
390 int tna = n + dna, tnb = n + dnb;
391 unsigned int neg, zero;
397 bn_mul_comba4(r, a, b);
402 * Only call bn_mul_comba 8 if n2 == 8 and the two arrays are complete
405 if (n2 == 8 && dna == 0 && dnb == 0) {
406 bn_mul_comba8(r, a, b);
409 # endif /* BN_MUL_COMBA */
410 /* Else do normal multiply */
411 if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
412 bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
414 memset(&r[2 * n2 + dna + dnb], 0,
415 sizeof(BN_ULONG) * -(dna + dnb));
418 /* r=(a[0]-a[1])*(b[1]-b[0]) */
419 c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
420 c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
422 switch (c1 * 3 + c2) {
424 bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
425 bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
431 bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
432 bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
441 bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */
442 bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
449 bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
450 bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
455 if (n == 4 && dna == 0 && dnb == 0) { /* XXX: bn_mul_comba4 could take
456 * extra args to do this well */
458 bn_mul_comba4(&(t[n2]), t, &(t[n]));
460 memset(&t[n2], 0, sizeof(*t) * 8);
462 bn_mul_comba4(r, a, b);
463 bn_mul_comba4(&(r[n2]), &(a[n]), &(b[n]));
464 } else if (n == 8 && dna == 0 && dnb == 0) { /* XXX: bn_mul_comba8 could
465 * take extra args to do
468 bn_mul_comba8(&(t[n2]), t, &(t[n]));
470 memset(&t[n2], 0, sizeof(*t) * 16);
472 bn_mul_comba8(r, a, b);
473 bn_mul_comba8(&(r[n2]), &(a[n]), &(b[n]));
475 # endif /* BN_MUL_COMBA */
479 bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
481 memset(&t[n2], 0, sizeof(*t) * n2);
482 bn_mul_recursive(r, a, b, n, 0, 0, p);
483 bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
487 * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
488 * r[10] holds (a[0]*b[0])
489 * r[32] holds (b[1]*b[1])
492 c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
494 if (neg) { /* if t[32] is negative */
495 c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
497 /* Might have a carry */
498 c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
502 * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
503 * r[10] holds (a[0]*b[0])
504 * r[32] holds (b[1]*b[1])
505 * c1 holds the carry bits
507 c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
511 ln = (lo + c1) & BN_MASK2;
515 * The overflow will stop before we over write words we should not
518 if (ln < (BN_ULONG)c1) {
522 ln = (lo + 1) & BN_MASK2;
530 * n+tn is the word length t needs to be n*4 is size, as does r
532 /* tnX may not be negative but less than n */
533 void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
534 int tna, int tnb, BN_ULONG *t)
536 int i, j, n2 = n * 2;
541 bn_mul_normal(r, a, n + tna, b, n + tnb);
545 /* r=(a[0]-a[1])*(b[1]-b[0]) */
546 c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
547 c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
549 switch (c1 * 3 + c2) {
551 bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
552 bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
557 bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
558 bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
566 bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */
567 bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
573 bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
574 bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
578 * The zero case isn't yet implemented here. The speedup would probably
583 bn_mul_comba4(&(t[n2]), t, &(t[n]));
584 bn_mul_comba4(r, a, b);
585 bn_mul_normal(&(r[n2]), &(a[n]), tn, &(b[n]), tn);
586 memset(&r[n2 + tn * 2], 0, sizeof(*r) * (n2 - tn * 2));
590 bn_mul_comba8(&(t[n2]), t, &(t[n]));
591 bn_mul_comba8(r, a, b);
592 bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
593 memset(&r[n2 + tna + tnb], 0, sizeof(*r) * (n2 - tna - tnb));
596 bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
597 bn_mul_recursive(r, a, b, n, 0, 0, p);
600 * If there is only a bottom half to the number, just do it
607 bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]),
608 i, tna - i, tnb - i, p);
609 memset(&r[n2 + i * 2], 0, sizeof(*r) * (n2 - i * 2));
610 } else if (j > 0) { /* eg, n == 16, i == 8 and tn == 11 */
611 bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]),
612 i, tna - i, tnb - i, p);
613 memset(&(r[n2 + tna + tnb]), 0,
614 sizeof(BN_ULONG) * (n2 - tna - tnb));
615 } else { /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
617 memset(&r[n2], 0, sizeof(*r) * n2);
618 if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL
619 && tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
620 bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
625 * these simplified conditions work exclusively because
626 * difference between tna and tnb is 1 or 0
628 if (i < tna || i < tnb) {
629 bn_mul_part_recursive(&(r[n2]),
631 i, tna - i, tnb - i, p);
633 } else if (i == tna || i == tnb) {
634 bn_mul_recursive(&(r[n2]),
636 i, tna - i, tnb - i, p);
645 * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
646 * r[10] holds (a[0]*b[0])
647 * r[32] holds (b[1]*b[1])
650 c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
652 if (neg) { /* if t[32] is negative */
653 c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
655 /* Might have a carry */
656 c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
660 * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
661 * r[10] holds (a[0]*b[0])
662 * r[32] holds (b[1]*b[1])
663 * c1 holds the carry bits
665 c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
669 ln = (lo + c1) & BN_MASK2;
673 * The overflow will stop before we over write words we should not
676 if (ln < (BN_ULONG)c1) {
680 ln = (lo + 1) & BN_MASK2;
688 * a and b must be the same size, which is n2.
689 * r needs to be n2 words and t needs to be n2*2
691 void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
696 bn_mul_recursive(r, a, b, n, 0, 0, &(t[0]));
697 if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL) {
698 bn_mul_low_recursive(&(t[0]), &(a[0]), &(b[n]), n, &(t[n2]));
699 bn_add_words(&(r[n]), &(r[n]), &(t[0]), n);
700 bn_mul_low_recursive(&(t[0]), &(a[n]), &(b[0]), n, &(t[n2]));
701 bn_add_words(&(r[n]), &(r[n]), &(t[0]), n);
703 bn_mul_low_normal(&(t[0]), &(a[0]), &(b[n]), n);
704 bn_mul_low_normal(&(t[n]), &(a[n]), &(b[0]), n);
705 bn_add_words(&(r[n]), &(r[n]), &(t[0]), n);
706 bn_add_words(&(r[n]), &(r[n]), &(t[n]), n);
711 * a and b must be the same size, which is n2.
712 * r needs to be n2 words and t needs to be n2*2
713 * l is the low words of the output.
716 void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
722 BN_ULONG ll, lc, *lp, *mp;
726 /* Calculate (al-ah)*(bh-bl) */
728 c1 = bn_cmp_words(&(a[0]), &(a[n]), n);
729 c2 = bn_cmp_words(&(b[n]), &(b[0]), n);
730 switch (c1 * 3 + c2) {
732 bn_sub_words(&(r[0]), &(a[n]), &(a[0]), n);
733 bn_sub_words(&(r[n]), &(b[0]), &(b[n]), n);
739 bn_sub_words(&(r[0]), &(a[n]), &(a[0]), n);
740 bn_sub_words(&(r[n]), &(b[n]), &(b[0]), n);
749 bn_sub_words(&(r[0]), &(a[0]), &(a[n]), n);
750 bn_sub_words(&(r[n]), &(b[0]), &(b[n]), n);
757 bn_sub_words(&(r[0]), &(a[0]), &(a[n]), n);
758 bn_sub_words(&(r[n]), &(b[n]), &(b[0]), n);
763 /* t[10] = (a[0]-a[1])*(b[1]-b[0]) */
764 /* r[10] = (a[1]*b[1]) */
767 bn_mul_comba8(&(t[0]), &(r[0]), &(r[n]));
768 bn_mul_comba8(r, &(a[n]), &(b[n]));
772 bn_mul_recursive(&(t[0]), &(r[0]), &(r[n]), n, 0, 0, &(t[n2]));
773 bn_mul_recursive(r, &(a[n]), &(b[n]), n, 0, 0, &(t[n2]));
778 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
779 * We know s0 and s1 so the only unknown is high(al*bl)
780 * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
781 * high(al*bl) == s1 - (r[0]+l[0]+t[0])
785 c1 = (int)(bn_add_words(lp, &(r[0]), &(l[0]), n));
792 neg = (int)(bn_sub_words(&(t[n2]), lp, &(t[0]), n));
794 bn_add_words(&(t[n2]), lp, &(t[0]), n);
799 bn_sub_words(&(t[n2 + n]), &(l[n]), &(t[n2]), n);
803 for (i = 0; i < n; i++)
804 lp[i] = ((~mp[i]) + 1) & BN_MASK2;
810 * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
811 * r[10] = (a[1]*b[1])
815 * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
819 * R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
820 * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
821 * R[3]=r[1]+(carry/borrow)
825 c1 = (int)(bn_add_words(lp, &(t[n2 + n]), &(l[0]), n));
830 c1 += (int)(bn_add_words(&(t[n2]), lp, &(r[0]), n));
832 c1 -= (int)(bn_sub_words(&(t[n2]), &(t[n2]), &(t[0]), n));
834 c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), &(t[0]), n));
836 c2 = (int)(bn_add_words(&(r[0]), &(r[0]), &(t[n2 + n]), n));
837 c2 += (int)(bn_add_words(&(r[0]), &(r[0]), &(r[n]), n));
839 c2 -= (int)(bn_sub_words(&(r[0]), &(r[0]), &(t[n]), n));
841 c2 += (int)(bn_add_words(&(r[0]), &(r[0]), &(t[n]), n));
843 if (c1 != 0) { /* Add starting at r[0], could be +ve or -ve */
848 ll = (r[i] + lc) & BN_MASK2;
856 r[i++] = (ll - lc) & BN_MASK2;
861 if (c2 != 0) { /* Add starting at r[1] */
866 ll = (r[i] + lc) & BN_MASK2;
874 r[i++] = (ll - lc) & BN_MASK2;
880 #endif /* BN_RECURSION */
882 int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
887 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
902 if ((al == 0) || (bl == 0)) {
909 if ((r == a) || (r == b)) {
910 if ((rr = BN_CTX_get(ctx)) == NULL)
914 rr->neg = a->neg ^ b->neg;
916 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
923 if (bn_wexpand(rr, 8) == NULL)
926 bn_mul_comba4(rr->d, a->d, b->d);
931 if (bn_wexpand(rr, 16) == NULL)
934 bn_mul_comba8(rr->d, a->d, b->d);
938 #endif /* BN_MUL_COMBA */
940 if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL)) {
941 if (i >= -1 && i <= 1) {
943 * Find out the power of two lower or equal to the longest of the
947 j = BN_num_bits_word((BN_ULONG)al);
950 j = BN_num_bits_word((BN_ULONG)bl);
953 assert(j <= al || j <= bl);
958 if (al > j || bl > j) {
959 if (bn_wexpand(t, k * 4) == NULL)
961 if (bn_wexpand(rr, k * 4) == NULL)
963 bn_mul_part_recursive(rr->d, a->d, b->d,
964 j, al - j, bl - j, t->d);
965 } else { /* al <= j || bl <= j */
967 if (bn_wexpand(t, k * 2) == NULL)
969 if (bn_wexpand(rr, k * 2) == NULL)
971 bn_mul_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
977 if (i == 1 && !BN_get_flags(b, BN_FLG_STATIC_DATA)) {
978 BIGNUM *tmp_bn = (BIGNUM *)b;
979 if (bn_wexpand(tmp_bn, al) == NULL)
984 } else if (i == -1 && !BN_get_flags(a, BN_FLG_STATIC_DATA)) {
985 BIGNUM *tmp_bn = (BIGNUM *)a;
986 if (bn_wexpand(tmp_bn, bl) == NULL)
993 /* symmetric and > 4 */
995 j = BN_num_bits_word((BN_ULONG)al);
999 if (al == j) { /* exact multiple */
1000 if (bn_wexpand(t, k * 2) == NULL)
1002 if (bn_wexpand(rr, k * 2) == NULL)
1004 bn_mul_recursive(rr->d, a->d, b->d, al, t->d);
1006 if (bn_wexpand(t, k * 4) == NULL)
1008 if (bn_wexpand(rr, k * 4) == NULL)
1010 bn_mul_part_recursive(rr->d, a->d, b->d, al - j, j, t->d);
1017 #endif /* BN_RECURSION */
1018 if (bn_wexpand(rr, top) == NULL)
1021 bn_mul_normal(rr->d, a->d, al, b->d, bl);
1023 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
1036 void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
1054 (void)bn_mul_words(r, a, na, 0);
1057 rr[0] = bn_mul_words(r, a, na, b[0]);
1062 rr[1] = bn_mul_add_words(&(r[1]), a, na, b[1]);
1065 rr[2] = bn_mul_add_words(&(r[2]), a, na, b[2]);
1068 rr[3] = bn_mul_add_words(&(r[3]), a, na, b[3]);
1071 rr[4] = bn_mul_add_words(&(r[4]), a, na, b[4]);
1078 void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
1080 bn_mul_words(r, a, n, b[0]);
1085 bn_mul_add_words(&(r[1]), a, n, b[1]);
1088 bn_mul_add_words(&(r[2]), a, n, b[2]);
1091 bn_mul_add_words(&(r[3]), a, n, b[3]);
1094 bn_mul_add_words(&(r[4]), a, n, b[4]);
projects / openssl.git / blob