1 /* crypto/bn/bn_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
60 # undef NDEBUG /* avoid conflicting definitions */
66 #include "internal/cryptlib.h"
68 #include <openssl/opensslconf.h>
70 /* This stuff appears to be completely unused, so is deprecated */
71 #if OPENSSL_API_COMPAT < 0x00908000L
73 * For a 32 bit machine
82 static int bn_limit_bits = 0;
83 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
84 static int bn_limit_bits_low = 0;
85 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
86 static int bn_limit_bits_high = 0;
87 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
88 static int bn_limit_bits_mont = 0;
89 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
91 void BN_set_params(int mult, int high, int low, int mont)
94 if (mult > (int)(sizeof(int) * 8) - 1)
95 mult = sizeof(int) * 8 - 1;
97 bn_limit_num = 1 << mult;
100 if (high > (int)(sizeof(int) * 8) - 1)
101 high = sizeof(int) * 8 - 1;
102 bn_limit_bits_high = high;
103 bn_limit_num_high = 1 << high;
106 if (low > (int)(sizeof(int) * 8) - 1)
107 low = sizeof(int) * 8 - 1;
108 bn_limit_bits_low = low;
109 bn_limit_num_low = 1 << low;
112 if (mont > (int)(sizeof(int) * 8) - 1)
113 mont = sizeof(int) * 8 - 1;
114 bn_limit_bits_mont = mont;
115 bn_limit_num_mont = 1 << mont;
119 int BN_get_params(int which)
122 return (bn_limit_bits);
124 return (bn_limit_bits_high);
126 return (bn_limit_bits_low);
128 return (bn_limit_bits_mont);
134 const BIGNUM *BN_value_one(void)
136 static const BN_ULONG data_one = 1L;
137 static const BIGNUM const_one =
138 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
143 int BN_num_bits_word(BN_ULONG l)
145 static const unsigned char bits[256] = {
146 0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4,
147 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
148 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
149 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
150 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
151 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
152 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
153 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
154 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
155 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
156 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
157 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
158 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
159 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
160 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
161 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
164 #if defined(SIXTY_FOUR_BIT_LONG)
165 if (l & 0xffffffff00000000L) {
166 if (l & 0xffff000000000000L) {
167 if (l & 0xff00000000000000L) {
168 return (bits[(int)(l >> 56)] + 56);
170 return (bits[(int)(l >> 48)] + 48);
172 if (l & 0x0000ff0000000000L) {
173 return (bits[(int)(l >> 40)] + 40);
175 return (bits[(int)(l >> 32)] + 32);
179 # ifdef SIXTY_FOUR_BIT
180 if (l & 0xffffffff00000000LL) {
181 if (l & 0xffff000000000000LL) {
182 if (l & 0xff00000000000000LL) {
183 return (bits[(int)(l >> 56)] + 56);
185 return (bits[(int)(l >> 48)] + 48);
187 if (l & 0x0000ff0000000000LL) {
188 return (bits[(int)(l >> 40)] + 40);
190 return (bits[(int)(l >> 32)] + 32);
196 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
197 if (l & 0xffff0000L) {
199 return (bits[(int)(l >> 24L)] + 24);
201 return (bits[(int)(l >> 16L)] + 16);
205 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
207 return (bits[(int)(l >> 8)] + 8);
210 return (bits[(int)(l)]);
215 int BN_num_bits(const BIGNUM *a)
222 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
225 static void bn_free_d(BIGNUM *a)
227 if (BN_get_flags(a,BN_FLG_SECURE))
228 OPENSSL_secure_free(a->d);
234 void BN_clear_free(BIGNUM *a)
242 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
243 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
246 i = BN_get_flags(a, BN_FLG_MALLOCED);
247 OPENSSL_cleanse(a, sizeof(*a));
252 void BN_free(BIGNUM *a)
257 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
259 if (a->flags & BN_FLG_MALLOCED)
262 #if OPENSSL_API_COMPAT < 0x00908000L
263 a->flags |= BN_FLG_FREE;
269 void bn_init(BIGNUM *a)
281 if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
282 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
285 ret->flags = BN_FLG_MALLOCED;
290 BIGNUM *BN_secure_new(void)
292 BIGNUM *ret = BN_new();
294 ret->flags |= BN_FLG_SECURE;
298 /* This is used both by bn_expand2() and bn_dup_expand() */
299 /* The caller MUST check that words > b->dmax before calling this */
300 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
302 BN_ULONG *A, *a = NULL;
308 if (words > (INT_MAX / (4 * BN_BITS2))) {
309 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
312 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
313 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
316 if (BN_get_flags(b,BN_FLG_SECURE))
317 a = A = OPENSSL_secure_malloc(words * sizeof(*a));
319 a = A = OPENSSL_malloc(words * sizeof(*a));
321 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
326 * Valgrind complains in BN_consttime_swap because we process the whole
327 * array even if it's not initialised yet. This doesn't matter in that
328 * function - what's important is constant time operation (we're not
329 * actually going to use the data)
331 memset(a, 0, sizeof(*a) * words);
336 /* Check if the previous number needs to be copied */
338 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
340 * The fact that the loop is unrolled
341 * 4-wise is a tribute to Intel. It's
342 * the one that doesn't have enough
343 * registers to accomodate more data.
344 * I'd unroll it 8-wise otherwise:-)
346 * <appro@fy.chalmers.se>
348 BN_ULONG a0, a1, a2, a3;
359 * workaround for ultrix cc: without 'case 0', the optimizer does
360 * the switch table by doing a=top&3; a--; goto jump_table[a];
361 * which fails for top== 0
363 switch (b->top & 3) {
375 memset(A, 0, sizeof(*A) * words);
376 memcpy(A, b->d, sizeof(b->d[0]) * b->top);
383 * This is an internal function that should not be used in applications. It
384 * ensures that 'b' has enough room for a 'words' word number and initialises
385 * any unused part of b->d with leading zeros. It is mostly used by the
386 * various BIGNUM routines. If there is an error, NULL is returned. If not,
390 BIGNUM *bn_expand2(BIGNUM *b, int words)
394 if (words > b->dmax) {
395 BN_ULONG *a = bn_expand_internal(b, words);
399 OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
410 BIGNUM *BN_dup(const BIGNUM *a)
418 t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
421 if (!BN_copy(t, a)) {
429 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
439 if (bn_wexpand(a, b->top) == NULL)
445 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
446 BN_ULONG a0, a1, a2, a3;
456 /* ultrix cc workaround, see comments in bn_expand_internal */
457 switch (b->top & 3) {
467 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
476 void BN_swap(BIGNUM *a, BIGNUM *b)
478 int flags_old_a, flags_old_b;
480 int tmp_top, tmp_dmax, tmp_neg;
485 flags_old_a = a->flags;
486 flags_old_b = b->flags;
504 (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
506 (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
511 void BN_clear(BIGNUM *a)
515 memset(a->d, 0, sizeof(*a->d) * a->dmax);
520 BN_ULONG BN_get_word(const BIGNUM *a)
524 else if (a->top == 1)
530 int BN_set_word(BIGNUM *a, BN_ULONG w)
533 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
537 a->top = (w ? 1 : 0);
542 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
554 /* Skip leading zero's. */
555 for ( ; len > 0 && *s == 0; s++, len--)
562 i = ((n - 1) / BN_BYTES) + 1;
563 m = ((n - 1) % (BN_BYTES));
564 if (bn_wexpand(ret, (int)i) == NULL) {
572 l = (l << 8L) | *(s++);
580 * need to call this due to clear byte at top if avoiding having the top
581 * bit set (-ve number)
587 /* ignore negative */
588 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
594 n = i = BN_num_bytes(a);
596 l = a->d[i / BN_BYTES];
597 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
602 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
605 BN_ULONG t1, t2, *ap, *bp;
615 for (i = a->top - 1; i >= 0; i--) {
619 return ((t1 > t2) ? 1 : -1);
624 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
630 if ((a == NULL) || (b == NULL)) {
642 if (a->neg != b->neg) {
660 for (i = a->top - 1; i >= 0; i--) {
671 int BN_set_bit(BIGNUM *a, int n)
681 if (bn_wexpand(a, i + 1) == NULL)
683 for (k = a->top; k < i + 1; k++)
688 a->d[i] |= (((BN_ULONG)1) << j);
693 int BN_clear_bit(BIGNUM *a, int n)
706 a->d[i] &= (~(((BN_ULONG)1) << j));
711 int BN_is_bit_set(const BIGNUM *a, int n)
722 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
725 int BN_mask_bits(BIGNUM *a, int n)
741 a->d[w] &= ~(BN_MASK2 << b);
747 void BN_set_negative(BIGNUM *a, int b)
749 if (b && !BN_is_zero(a))
755 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
763 return ((aa > bb) ? 1 : -1);
764 for (i = n - 2; i >= 0; i--) {
768 return ((aa > bb) ? 1 : -1);
774 * Here follows a specialised variants of bn_cmp_words(). It has the
775 * property of performing the operation on arrays of different sizes. The
776 * sizes of those arrays is expressed through cl, which is the common length
777 * ( basicall, min(len(a),len(b)) ), and dl, which is the delta between the
778 * two lengths, calculated as len(a)-len(b). All lengths are the number of
782 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
788 for (i = dl; i < 0; i++) {
790 return -1; /* a < b */
794 for (i = dl; i > 0; i--) {
796 return 1; /* a > b */
799 return bn_cmp_words(a, b, cl);
803 * Constant-time conditional swap of a and b.
804 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
805 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
806 * and that no more than nwords are used by either a or b.
807 * a and b cannot be the same number
809 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
814 bn_wcheck_size(a, nwords);
815 bn_wcheck_size(b, nwords);
818 assert((condition & (condition - 1)) == 0);
819 assert(sizeof(BN_ULONG) >= sizeof(int));
821 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
823 t = (a->top ^ b->top) & condition;
827 #define BN_CONSTTIME_SWAP(ind) \
829 t = (a->d[ind] ^ b->d[ind]) & condition; \
836 for (i = 10; i < nwords; i++)
837 BN_CONSTTIME_SWAP(i);
840 BN_CONSTTIME_SWAP(9); /* Fallthrough */
842 BN_CONSTTIME_SWAP(8); /* Fallthrough */
844 BN_CONSTTIME_SWAP(7); /* Fallthrough */
846 BN_CONSTTIME_SWAP(6); /* Fallthrough */
848 BN_CONSTTIME_SWAP(5); /* Fallthrough */
850 BN_CONSTTIME_SWAP(4); /* Fallthrough */
852 BN_CONSTTIME_SWAP(3); /* Fallthrough */
854 BN_CONSTTIME_SWAP(2); /* Fallthrough */
856 BN_CONSTTIME_SWAP(1); /* Fallthrough */
858 BN_CONSTTIME_SWAP(0);
860 #undef BN_CONSTTIME_SWAP
863 /* Bits of security, see SP800-57 */
865 int BN_security_bits(int L, int N)
885 return bits >= secbits ? secbits : bits;
888 void BN_zero_ex(BIGNUM *a)
894 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
896 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
899 int BN_is_zero(const BIGNUM *a)
904 int BN_is_one(const BIGNUM *a)
906 return BN_abs_is_word(a, 1) && !a->neg;
909 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
911 return BN_abs_is_word(a, w) && (!w || !a->neg);
914 int BN_is_odd(const BIGNUM *a)
916 return (a->top > 0) && (a->d[0] & 1);
919 int BN_is_negative(const BIGNUM *a)
921 return (a->neg != 0);
924 int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
927 return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
930 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags)
934 dest->dmax = b->dmax;
936 dest->flags = ((dest->flags & BN_FLG_MALLOCED)
937 | (b->flags & ~BN_FLG_MALLOCED)
938 | BN_FLG_STATIC_DATA | flags);
941 BN_GENCB *BN_GENCB_new(void)
945 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
946 BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
953 void BN_GENCB_free(BN_GENCB *cb)
960 void BN_set_flags(BIGNUM *b, int n)
965 int BN_get_flags(const BIGNUM *b, int n)
970 /* Populate a BN_GENCB structure with an "old"-style callback */
971 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
974 BN_GENCB *tmp_gencb = gencb;
976 tmp_gencb->arg = cb_arg;
977 tmp_gencb->cb.cb_1 = callback;
980 /* Populate a BN_GENCB structure with a "new"-style callback */
981 void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
984 BN_GENCB *tmp_gencb = gencb;
986 tmp_gencb->arg = cb_arg;
987 tmp_gencb->cb.cb_2 = callback;
990 void *BN_GENCB_get_arg(BN_GENCB *cb)
995 BIGNUM *bn_wexpand(BIGNUM *a, int words)
997 return (words <= a->dmax) ? a : bn_expand2(a, words);
1000 void bn_correct_top(BIGNUM *a)
1003 int tmp_top = a->top;
1006 for (ftl = &(a->d[tmp_top - 1]); tmp_top > 0; tmp_top--)