2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/bn.h>
11 #include "internal/cryptlib.h"
14 /* The old slow way */
16 int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
26 BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
30 if (BN_ucmp(m, d) < 0) {
32 if (BN_copy(rem, m) == NULL)
45 rem = BN_CTX_get(ctx);
46 if (D == NULL || dv == NULL || rem == NULL)
51 if (BN_copy(D, d) == NULL)
53 if (BN_copy(rem, m) == NULL)
57 * The next 2 are needed so we can do a dv->d[0]|=1 later since
58 * BN_lshift1 will only work once there is a value :-)
61 if (bn_wexpand(dv, 1) == NULL)
65 if (!BN_lshift(D, D, nm - nd))
67 for (i = nm - nd; i >= 0; i--) {
68 if (!BN_lshift1(dv, dv))
70 if (BN_ucmp(rem, D) >= 0) {
72 if (!BN_usub(rem, rem, D))
75 /* CAN IMPROVE (and have now :=) */
76 if (!BN_rshift1(D, D))
79 rem->neg = BN_is_zero(rem) ? 0 : m->neg;
80 dv->neg = m->neg ^ d->neg;
89 # if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
90 && !defined(PEDANTIC) && !defined(BN_DIV3W)
91 # if defined(__GNUC__) && __GNUC__>=2
92 # if defined(__i386) || defined (__i386__)
94 * There were two reasons for implementing this template:
95 * - GNU C generates a call to a function (__udivdi3 to be exact)
96 * in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
98 * - divl doesn't only calculate quotient, but also leaves
99 * remainder in %edx which we can definitely use here:-)
101 * <appro@fy.chalmers.se>
104 # define bn_div_words(n0,n1,d0) \
107 : "=a"(q), "=d"(rem) \
108 : "a"(n1), "d"(n0), "r"(d0) \
112 # define REMAINDER_IS_ALREADY_CALCULATED
113 # elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
115 * Same story here, but it's 128-bit by 64-bit division. Wow!
116 * <appro@fy.chalmers.se>
119 # define bn_div_words(n0,n1,d0) \
122 : "=a"(q), "=d"(rem) \
123 : "a"(n1), "d"(n0), "r"(d0) \
127 # define REMAINDER_IS_ALREADY_CALCULATED
128 # endif /* __<cpu> */
129 # endif /* __GNUC__ */
130 # endif /* OPENSSL_NO_ASM */
133 * BN_div computes dv := num / divisor, rounding towards
134 * zero, and sets up rm such that dv*divisor + rm = num holds.
136 * dv->neg == num->neg ^ divisor->neg (unless the result is zero)
137 * rm->neg == num->neg (unless the remainder is zero)
138 * If 'dv' or 'rm' is NULL, the respective value is not returned.
140 int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
143 int norm_shift, i, loop;
144 BIGNUM *tmp, wnum, *snum, *sdiv, *res;
145 BN_ULONG *resp, *wnump;
151 * Invalid zero-padding would have particularly bad consequences so don't
152 * just rely on bn_check_top() here (bn_check_top() works only for
155 if ((num->top > 0 && num->d[num->top - 1] == 0) ||
156 (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
157 BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
162 bn_check_top(divisor);
164 if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
165 || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
171 /*- bn_check_top(num); *//*
172 * 'num' has been checked already
174 /*- bn_check_top(divisor); *//*
175 * 'divisor' has been checked already
178 if (BN_is_zero(divisor)) {
179 BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
183 if (!no_branch && BN_ucmp(num, divisor) < 0) {
185 if (BN_copy(rm, num) == NULL)
194 tmp = BN_CTX_get(ctx);
195 snum = BN_CTX_get(ctx);
196 sdiv = BN_CTX_get(ctx);
198 res = BN_CTX_get(ctx);
201 if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL)
204 /* First we normalise the numbers */
205 norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
206 if (!(BN_lshift(sdiv, divisor, norm_shift)))
209 norm_shift += BN_BITS2;
210 if (!(BN_lshift(snum, num, norm_shift)))
216 * Since we don't know whether snum is larger than sdiv, we pad snum
217 * with enough zeroes without changing its value.
219 if (snum->top <= sdiv->top + 1) {
220 if (bn_wexpand(snum, sdiv->top + 2) == NULL)
222 for (i = snum->top; i < sdiv->top + 2; i++)
224 snum->top = sdiv->top + 2;
226 if (bn_wexpand(snum, snum->top + 1) == NULL)
228 snum->d[snum->top] = 0;
235 loop = num_n - div_n;
237 * Lets setup a 'window' into snum This is the part that corresponds to
238 * the current 'area' being divided
241 wnum.d = &(snum->d[loop]);
244 * only needed when BN_ucmp messes up the values between top and max
246 wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
248 /* Get the top 2 words of sdiv */
249 /* div_n=sdiv->top; */
250 d0 = sdiv->d[div_n - 1];
251 d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
253 /* pointer to the 'top' of snum */
254 wnump = &(snum->d[num_n - 1]);
257 if (!bn_wexpand(res, (loop + 1)))
259 res->neg = (num->neg ^ divisor->neg);
260 res->top = loop - no_branch;
261 resp = &(res->d[loop - 1]);
264 if (!bn_wexpand(tmp, (div_n + 1)))
268 if (BN_ucmp(&wnum, sdiv) >= 0) {
270 * If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
271 * the const bignum arguments => clean the values between top and
274 bn_clear_top2max(&wnum);
275 bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
281 /* Increase the resp pointer so that we never create an invalid pointer. */
285 * if res->top == 0 then clear the neg value otherwise decrease the resp
293 for (i = 0; i < loop - 1; i++, wnump--) {
296 * the first part of the loop uses the top two words of snum and sdiv
297 * to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
299 # if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
300 BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
301 q = bn_div_3_words(wnump, d1, d0);
303 BN_ULONG n0, n1, rem = 0;
314 # if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
315 q = (BN_ULONG)(((((BN_ULLONG) n0) << BN_BITS2) | n1) / d0);
317 q = bn_div_words(n0, n1, d0);
320 # ifndef REMAINDER_IS_ALREADY_CALCULATED
322 * rem doesn't have to be BN_ULLONG. The least we
323 * know it's less that d0, isn't it?
325 rem = (n1 - q * d0) & BN_MASK2;
327 t2 = (BN_ULLONG) d1 *q;
330 if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
335 break; /* don't let rem overflow */
338 # else /* !BN_LLONG */
341 q = bn_div_words(n0, n1, d0);
342 # ifndef REMAINDER_IS_ALREADY_CALCULATED
343 rem = (n1 - q * d0) & BN_MASK2;
346 # if defined(BN_UMULT_LOHI)
347 BN_UMULT_LOHI(t2l, t2h, d1, q);
348 # elif defined(BN_UMULT_HIGH)
350 t2h = BN_UMULT_HIGH(d1, q);
358 mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
363 if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
368 break; /* don't let rem overflow */
373 # endif /* !BN_LLONG */
375 # endif /* !BN_DIV3W */
377 l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
381 * ingore top values of the bignums just sub the two BN_ULONG arrays
384 if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
386 * Note: As we have considered only the leading two BN_ULONGs in
387 * the calculation of q, sdiv * q might be greater than wnum (but
388 * then (q-1) * sdiv is less or equal than wnum)
391 if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
393 * we can't have an overflow here (assuming that q != 0, but
394 * if q == 0 then tmp is zero anyway)
398 /* store part of the result */
402 bn_correct_top(snum);
405 * Keep a copy of the neg flag in num because if rm==num BN_rshift()
409 BN_rshift(rm, snum, norm_shift);