1 /* crypto/bn/bn_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
60 # undef NDEBUG /* avoid conflicting definitions */
66 #include "internal/cryptlib.h"
69 /* This stuff appears to be completely unused, so is deprecated */
70 #ifndef OPENSSL_NO_DEPRECATED
72 * For a 32 bit machine
81 static int bn_limit_bits = 0;
82 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
83 static int bn_limit_bits_low = 0;
84 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
85 static int bn_limit_bits_high = 0;
86 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
87 static int bn_limit_bits_mont = 0;
88 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
90 void BN_set_params(int mult, int high, int low, int mont)
93 if (mult > (int)(sizeof(int) * 8) - 1)
94 mult = sizeof(int) * 8 - 1;
96 bn_limit_num = 1 << mult;
99 if (high > (int)(sizeof(int) * 8) - 1)
100 high = sizeof(int) * 8 - 1;
101 bn_limit_bits_high = high;
102 bn_limit_num_high = 1 << high;
105 if (low > (int)(sizeof(int) * 8) - 1)
106 low = sizeof(int) * 8 - 1;
107 bn_limit_bits_low = low;
108 bn_limit_num_low = 1 << low;
111 if (mont > (int)(sizeof(int) * 8) - 1)
112 mont = sizeof(int) * 8 - 1;
113 bn_limit_bits_mont = mont;
114 bn_limit_num_mont = 1 << mont;
118 int BN_get_params(int which)
121 return (bn_limit_bits);
123 return (bn_limit_bits_high);
125 return (bn_limit_bits_low);
127 return (bn_limit_bits_mont);
133 const BIGNUM *BN_value_one(void)
135 static const BN_ULONG data_one = 1L;
136 static const BIGNUM const_one =
137 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
142 int BN_num_bits_word(BN_ULONG l)
144 static const unsigned char bits[256] = {
145 0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4,
146 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
147 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
148 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
149 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
150 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
151 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
152 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
153 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
154 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
155 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
156 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
157 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
158 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
159 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
160 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
163 #if defined(SIXTY_FOUR_BIT_LONG)
164 if (l & 0xffffffff00000000L) {
165 if (l & 0xffff000000000000L) {
166 if (l & 0xff00000000000000L) {
167 return (bits[(int)(l >> 56)] + 56);
169 return (bits[(int)(l >> 48)] + 48);
171 if (l & 0x0000ff0000000000L) {
172 return (bits[(int)(l >> 40)] + 40);
174 return (bits[(int)(l >> 32)] + 32);
178 # ifdef SIXTY_FOUR_BIT
179 if (l & 0xffffffff00000000LL) {
180 if (l & 0xffff000000000000LL) {
181 if (l & 0xff00000000000000LL) {
182 return (bits[(int)(l >> 56)] + 56);
184 return (bits[(int)(l >> 48)] + 48);
186 if (l & 0x0000ff0000000000LL) {
187 return (bits[(int)(l >> 40)] + 40);
189 return (bits[(int)(l >> 32)] + 32);
195 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
196 if (l & 0xffff0000L) {
198 return (bits[(int)(l >> 24L)] + 24);
200 return (bits[(int)(l >> 16L)] + 16);
204 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
206 return (bits[(int)(l >> 8)] + 8);
209 return (bits[(int)(l)]);
214 int BN_num_bits(const BIGNUM *a)
221 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
224 static void bn_free_d(BIGNUM *a)
226 if (BN_get_flags(a,BN_FLG_SECURE))
227 OPENSSL_secure_free(a->d);
233 void BN_clear_free(BIGNUM *a)
241 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
242 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
245 i = BN_get_flags(a, BN_FLG_MALLOCED);
246 OPENSSL_cleanse(a, sizeof(*a));
251 void BN_free(BIGNUM *a)
256 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
258 if (a->flags & BN_FLG_MALLOCED)
261 #ifndef OPENSSL_NO_DEPRECATED
262 a->flags |= BN_FLG_FREE;
268 void BN_init(BIGNUM *a)
270 memset(a, 0, sizeof(*a));
278 if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
279 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
282 ret->flags = BN_FLG_MALLOCED;
287 BIGNUM *BN_secure_new(void)
289 BIGNUM *ret = BN_new();
291 ret->flags |= BN_FLG_SECURE;
295 /* This is used both by bn_expand2() and bn_dup_expand() */
296 /* The caller MUST check that words > b->dmax before calling this */
297 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
299 BN_ULONG *A, *a = NULL;
305 if (words > (INT_MAX / (4 * BN_BITS2))) {
306 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
309 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
310 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
313 if (BN_get_flags(b,BN_FLG_SECURE))
314 a = A = OPENSSL_secure_malloc(words * sizeof(*a));
316 a = A = OPENSSL_malloc(words * sizeof(*a));
318 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
323 * Valgrind complains in BN_consttime_swap because we process the whole
324 * array even if it's not initialised yet. This doesn't matter in that
325 * function - what's important is constant time operation (we're not
326 * actually going to use the data)
328 memset(a, 0, sizeof(*a) * words);
333 /* Check if the previous number needs to be copied */
335 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
337 * The fact that the loop is unrolled
338 * 4-wise is a tribute to Intel. It's
339 * the one that doesn't have enough
340 * registers to accomodate more data.
341 * I'd unroll it 8-wise otherwise:-)
343 * <appro@fy.chalmers.se>
345 BN_ULONG a0, a1, a2, a3;
356 * workaround for ultrix cc: without 'case 0', the optimizer does
357 * the switch table by doing a=top&3; a--; goto jump_table[a];
358 * which fails for top== 0
360 switch (b->top & 3) {
372 memset(A, 0, sizeof(*A) * words);
373 memcpy(A, b->d, sizeof(b->d[0]) * b->top);
380 * This is an internal function that should not be used in applications. It
381 * ensures that 'b' has enough room for a 'words' word number and initialises
382 * any unused part of b->d with leading zeros. It is mostly used by the
383 * various BIGNUM routines. If there is an error, NULL is returned. If not,
387 BIGNUM *bn_expand2(BIGNUM *b, int words)
391 if (words > b->dmax) {
392 BN_ULONG *a = bn_expand_internal(b, words);
396 OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
407 BIGNUM *BN_dup(const BIGNUM *a)
415 t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
418 if (!BN_copy(t, a)) {
426 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
436 if (bn_wexpand(a, b->top) == NULL)
442 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
443 BN_ULONG a0, a1, a2, a3;
453 /* ultrix cc workaround, see comments in bn_expand_internal */
454 switch (b->top & 3) {
464 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
473 void BN_swap(BIGNUM *a, BIGNUM *b)
475 int flags_old_a, flags_old_b;
477 int tmp_top, tmp_dmax, tmp_neg;
482 flags_old_a = a->flags;
483 flags_old_b = b->flags;
501 (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
503 (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
508 void BN_clear(BIGNUM *a)
512 memset(a->d, 0, sizeof(*a->d) * a->dmax);
517 BN_ULONG BN_get_word(const BIGNUM *a)
521 else if (a->top == 1)
527 int BN_set_word(BIGNUM *a, BN_ULONG w)
530 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
534 a->top = (w ? 1 : 0);
539 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
551 /* Skip leading zero's. */
552 for ( ; len > 0 && *s == 0; s++, len--)
559 i = ((n - 1) / BN_BYTES) + 1;
560 m = ((n - 1) % (BN_BYTES));
561 if (bn_wexpand(ret, (int)i) == NULL) {
569 l = (l << 8L) | *(s++);
577 * need to call this due to clear byte at top if avoiding having the top
578 * bit set (-ve number)
584 /* ignore negative */
585 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
591 n = i = BN_num_bytes(a);
593 l = a->d[i / BN_BYTES];
594 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
599 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
602 BN_ULONG t1, t2, *ap, *bp;
612 for (i = a->top - 1; i >= 0; i--) {
616 return ((t1 > t2) ? 1 : -1);
621 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
627 if ((a == NULL) || (b == NULL)) {
639 if (a->neg != b->neg) {
657 for (i = a->top - 1; i >= 0; i--) {
668 int BN_set_bit(BIGNUM *a, int n)
678 if (bn_wexpand(a, i + 1) == NULL)
680 for (k = a->top; k < i + 1; k++)
685 a->d[i] |= (((BN_ULONG)1) << j);
690 int BN_clear_bit(BIGNUM *a, int n)
703 a->d[i] &= (~(((BN_ULONG)1) << j));
708 int BN_is_bit_set(const BIGNUM *a, int n)
719 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
722 int BN_mask_bits(BIGNUM *a, int n)
738 a->d[w] &= ~(BN_MASK2 << b);
744 void BN_set_negative(BIGNUM *a, int b)
746 if (b && !BN_is_zero(a))
752 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
760 return ((aa > bb) ? 1 : -1);
761 for (i = n - 2; i >= 0; i--) {
765 return ((aa > bb) ? 1 : -1);
771 * Here follows a specialised variants of bn_cmp_words(). It has the
772 * property of performing the operation on arrays of different sizes. The
773 * sizes of those arrays is expressed through cl, which is the common length
774 * ( basicall, min(len(a),len(b)) ), and dl, which is the delta between the
775 * two lengths, calculated as len(a)-len(b). All lengths are the number of
779 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
785 for (i = dl; i < 0; i++) {
787 return -1; /* a < b */
791 for (i = dl; i > 0; i--) {
793 return 1; /* a > b */
796 return bn_cmp_words(a, b, cl);
800 * Constant-time conditional swap of a and b.
801 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
802 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
803 * and that no more than nwords are used by either a or b.
804 * a and b cannot be the same number
806 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
811 bn_wcheck_size(a, nwords);
812 bn_wcheck_size(b, nwords);
815 assert((condition & (condition - 1)) == 0);
816 assert(sizeof(BN_ULONG) >= sizeof(int));
818 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
820 t = (a->top ^ b->top) & condition;
824 #define BN_CONSTTIME_SWAP(ind) \
826 t = (a->d[ind] ^ b->d[ind]) & condition; \
833 for (i = 10; i < nwords; i++)
834 BN_CONSTTIME_SWAP(i);
837 BN_CONSTTIME_SWAP(9); /* Fallthrough */
839 BN_CONSTTIME_SWAP(8); /* Fallthrough */
841 BN_CONSTTIME_SWAP(7); /* Fallthrough */
843 BN_CONSTTIME_SWAP(6); /* Fallthrough */
845 BN_CONSTTIME_SWAP(5); /* Fallthrough */
847 BN_CONSTTIME_SWAP(4); /* Fallthrough */
849 BN_CONSTTIME_SWAP(3); /* Fallthrough */
851 BN_CONSTTIME_SWAP(2); /* Fallthrough */
853 BN_CONSTTIME_SWAP(1); /* Fallthrough */
855 BN_CONSTTIME_SWAP(0);
857 #undef BN_CONSTTIME_SWAP
860 /* Bits of security, see SP800-57 */
862 int BN_security_bits(int L, int N)
882 return bits >= secbits ? secbits : bits;
885 void BN_zero_ex(BIGNUM *a)
891 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
893 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
896 int BN_is_zero(const BIGNUM *a)
901 int BN_is_one(const BIGNUM *a)
903 return BN_abs_is_word(a, 1) && !a->neg;
906 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
908 return BN_abs_is_word(a, w) && (!w || !a->neg);
911 int BN_is_odd(const BIGNUM *a)
913 return (a->top > 0) && (a->d[0] & 1);
916 int BN_is_negative(const BIGNUM *a)
918 return (a->neg != 0);
921 int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
924 return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
927 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int n)
931 dest->dmax = b->dmax;
933 dest->flags = ((dest->flags & BN_FLG_MALLOCED)
934 | (b->flags & ~BN_FLG_MALLOCED)
935 | BN_FLG_STATIC_DATA | n);
938 BN_GENCB *BN_GENCB_new(void)
942 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
943 BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
950 void BN_GENCB_free(BN_GENCB *cb)
957 void BN_set_flags(BIGNUM *b, int n)
962 int BN_get_flags(const BIGNUM *b, int n)
967 /* Populate a BN_GENCB structure with an "old"-style callback */
968 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
971 BN_GENCB *tmp_gencb = gencb;
973 tmp_gencb->arg = cb_arg;
974 tmp_gencb->cb.cb_1 = callback;
977 /* Populate a BN_GENCB structure with a "new"-style callback */
978 void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
981 BN_GENCB *tmp_gencb = gencb;
983 tmp_gencb->arg = cb_arg;
984 tmp_gencb->cb.cb_2 = callback;
987 void *BN_GENCB_get_arg(BN_GENCB *cb)
992 BIGNUM *bn_wexpand(BIGNUM *a, int words)
994 return (words <= a->dmax) ? a : bn_expand2(a, words);
997 void bn_correct_top(BIGNUM *a)
1000 int tmp_top = a->top;
1003 for (ftl = &(a->d[tmp_top - 1]); tmp_top > 0; tmp_top--)