1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
58 #include <openssl/bn.h>
59 #include "internal/cryptlib.h"
62 /* The old slow way */
64 int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
74 BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
78 if (BN_ucmp(m, d) < 0) {
80 if (BN_copy(rem, m) == NULL)
93 rem = BN_CTX_get(ctx);
94 if (D == NULL || dv == NULL || rem == NULL)
99 if (BN_copy(D, d) == NULL)
101 if (BN_copy(rem, m) == NULL)
105 * The next 2 are needed so we can do a dv->d[0]|=1 later since
106 * BN_lshift1 will only work once there is a value :-)
109 if (bn_wexpand(dv, 1) == NULL)
113 if (!BN_lshift(D, D, nm - nd))
115 for (i = nm - nd; i >= 0; i--) {
116 if (!BN_lshift1(dv, dv))
118 if (BN_ucmp(rem, D) >= 0) {
120 if (!BN_usub(rem, rem, D))
123 /* CAN IMPROVE (and have now :=) */
124 if (!BN_rshift1(D, D))
127 rem->neg = BN_is_zero(rem) ? 0 : m->neg;
128 dv->neg = m->neg ^ d->neg;
137 # if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
138 && !defined(PEDANTIC) && !defined(BN_DIV3W)
139 # if defined(__GNUC__) && __GNUC__>=2
140 # if defined(__i386) || defined (__i386__)
142 * There were two reasons for implementing this template:
143 * - GNU C generates a call to a function (__udivdi3 to be exact)
144 * in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
145 * understand why...);
146 * - divl doesn't only calculate quotient, but also leaves
147 * remainder in %edx which we can definitely use here:-)
149 * <appro@fy.chalmers.se>
152 # define bn_div_words(n0,n1,d0) \
155 : "=a"(q), "=d"(rem) \
156 : "a"(n1), "d"(n0), "g"(d0) \
160 # define REMAINDER_IS_ALREADY_CALCULATED
161 # elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
163 * Same story here, but it's 128-bit by 64-bit division. Wow!
164 * <appro@fy.chalmers.se>
167 # define bn_div_words(n0,n1,d0) \
170 : "=a"(q), "=d"(rem) \
171 : "a"(n1), "d"(n0), "g"(d0) \
175 # define REMAINDER_IS_ALREADY_CALCULATED
176 # endif /* __<cpu> */
177 # endif /* __GNUC__ */
178 # endif /* OPENSSL_NO_ASM */
181 * BN_div computes dv := num / divisor, rounding towards
182 * zero, and sets up rm such that dv*divisor + rm = num holds.
184 * dv->neg == num->neg ^ divisor->neg (unless the result is zero)
185 * rm->neg == num->neg (unless the remainder is zero)
186 * If 'dv' or 'rm' is NULL, the respective value is not returned.
188 int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
191 int norm_shift, i, loop;
192 BIGNUM *tmp, wnum, *snum, *sdiv, *res;
193 BN_ULONG *resp, *wnump;
199 * Invalid zero-padding would have particularly bad consequences so don't
200 * just rely on bn_check_top() here (bn_check_top() works only for
203 if ((num->top > 0 && num->d[num->top - 1] == 0) ||
204 (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
205 BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
210 bn_check_top(divisor);
212 if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
213 || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
219 /*- bn_check_top(num); *//*
220 * 'num' has been checked already
222 /*- bn_check_top(divisor); *//*
223 * 'divisor' has been checked already
226 if (BN_is_zero(divisor)) {
227 BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
231 if (!no_branch && BN_ucmp(num, divisor) < 0) {
233 if (BN_copy(rm, num) == NULL)
242 tmp = BN_CTX_get(ctx);
243 snum = BN_CTX_get(ctx);
244 sdiv = BN_CTX_get(ctx);
246 res = BN_CTX_get(ctx);
249 if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL)
252 /* First we normalise the numbers */
253 norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
254 if (!(BN_lshift(sdiv, divisor, norm_shift)))
257 norm_shift += BN_BITS2;
258 if (!(BN_lshift(snum, num, norm_shift)))
264 * Since we don't know whether snum is larger than sdiv, we pad snum
265 * with enough zeroes without changing its value.
267 if (snum->top <= sdiv->top + 1) {
268 if (bn_wexpand(snum, sdiv->top + 2) == NULL)
270 for (i = snum->top; i < sdiv->top + 2; i++)
272 snum->top = sdiv->top + 2;
274 if (bn_wexpand(snum, snum->top + 1) == NULL)
276 snum->d[snum->top] = 0;
283 loop = num_n - div_n;
285 * Lets setup a 'window' into snum This is the part that corresponds to
286 * the current 'area' being divided
289 wnum.d = &(snum->d[loop]);
292 * only needed when BN_ucmp messes up the values between top and max
294 wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
296 /* Get the top 2 words of sdiv */
297 /* div_n=sdiv->top; */
298 d0 = sdiv->d[div_n - 1];
299 d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
301 /* pointer to the 'top' of snum */
302 wnump = &(snum->d[num_n - 1]);
305 res->neg = (num->neg ^ divisor->neg);
306 if (!bn_wexpand(res, (loop + 1)))
308 res->top = loop - no_branch;
309 resp = &(res->d[loop - 1]);
312 if (!bn_wexpand(tmp, (div_n + 1)))
316 if (BN_ucmp(&wnum, sdiv) >= 0) {
318 * If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
319 * the const bignum arguments => clean the values between top and
322 bn_clear_top2max(&wnum);
323 bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
330 * if res->top == 0 then clear the neg value otherwise decrease the resp
338 for (i = 0; i < loop - 1; i++, wnump--, resp--) {
341 * the first part of the loop uses the top two words of snum and sdiv
342 * to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
344 # if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
345 BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
346 q = bn_div_3_words(wnump, d1, d0);
348 BN_ULONG n0, n1, rem = 0;
359 # if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
360 q = (BN_ULONG)(((((BN_ULLONG) n0) << BN_BITS2) | n1) / d0);
362 q = bn_div_words(n0, n1, d0);
365 # ifndef REMAINDER_IS_ALREADY_CALCULATED
367 * rem doesn't have to be BN_ULLONG. The least we
368 * know it's less that d0, isn't it?
370 rem = (n1 - q * d0) & BN_MASK2;
372 t2 = (BN_ULLONG) d1 *q;
375 if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
380 break; /* don't let rem overflow */
383 # else /* !BN_LLONG */
386 q = bn_div_words(n0, n1, d0);
387 # ifndef REMAINDER_IS_ALREADY_CALCULATED
388 rem = (n1 - q * d0) & BN_MASK2;
391 # if defined(BN_UMULT_LOHI)
392 BN_UMULT_LOHI(t2l, t2h, d1, q);
393 # elif defined(BN_UMULT_HIGH)
395 t2h = BN_UMULT_HIGH(d1, q);
403 mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
408 if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
413 break; /* don't let rem overflow */
418 # endif /* !BN_LLONG */
420 # endif /* !BN_DIV3W */
422 l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
426 * ingore top values of the bignums just sub the two BN_ULONG arrays
429 if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
431 * Note: As we have considered only the leading two BN_ULONGs in
432 * the calculation of q, sdiv * q might be greater than wnum (but
433 * then (q-1) * sdiv is less or equal than wnum)
436 if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
438 * we can't have an overflow here (assuming that q != 0, but
439 * if q == 0 then tmp is zero anyway)
443 /* store part of the result */
446 bn_correct_top(snum);
449 * Keep a copy of the neg flag in num because if rm==num BN_rshift()
453 BN_rshift(rm, snum, norm_shift);