1 /* crypto/bn/bn_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
60 # undef NDEBUG /* avoid conflicting definitions */
70 const char BN_version[] = "Big Number" OPENSSL_VERSION_PTEXT;
72 /* This stuff appears to be completely unused, so is deprecated */
73 #ifndef OPENSSL_NO_DEPRECATED
75 * For a 32 bit machine
84 static int bn_limit_bits = 0;
85 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
86 static int bn_limit_bits_low = 0;
87 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
88 static int bn_limit_bits_high = 0;
89 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
90 static int bn_limit_bits_mont = 0;
91 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
93 void BN_set_params(int mult, int high, int low, int mont)
96 if (mult > (int)(sizeof(int) * 8) - 1)
97 mult = sizeof(int) * 8 - 1;
99 bn_limit_num = 1 << mult;
102 if (high > (int)(sizeof(int) * 8) - 1)
103 high = sizeof(int) * 8 - 1;
104 bn_limit_bits_high = high;
105 bn_limit_num_high = 1 << high;
108 if (low > (int)(sizeof(int) * 8) - 1)
109 low = sizeof(int) * 8 - 1;
110 bn_limit_bits_low = low;
111 bn_limit_num_low = 1 << low;
114 if (mont > (int)(sizeof(int) * 8) - 1)
115 mont = sizeof(int) * 8 - 1;
116 bn_limit_bits_mont = mont;
117 bn_limit_num_mont = 1 << mont;
121 int BN_get_params(int which)
124 return (bn_limit_bits);
126 return (bn_limit_bits_high);
128 return (bn_limit_bits_low);
130 return (bn_limit_bits_mont);
136 const BIGNUM *BN_value_one(void)
138 static const BN_ULONG data_one = 1L;
139 static const BIGNUM const_one =
140 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
145 int BN_num_bits_word(BN_ULONG l)
147 static const unsigned char bits[256] = {
148 0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4,
149 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
150 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
151 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
152 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
153 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
154 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
155 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
156 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
157 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
158 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
159 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
160 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
161 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
162 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
163 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
166 #if defined(SIXTY_FOUR_BIT_LONG)
167 if (l & 0xffffffff00000000L) {
168 if (l & 0xffff000000000000L) {
169 if (l & 0xff00000000000000L) {
170 return (bits[(int)(l >> 56)] + 56);
172 return (bits[(int)(l >> 48)] + 48);
174 if (l & 0x0000ff0000000000L) {
175 return (bits[(int)(l >> 40)] + 40);
177 return (bits[(int)(l >> 32)] + 32);
181 # ifdef SIXTY_FOUR_BIT
182 if (l & 0xffffffff00000000LL) {
183 if (l & 0xffff000000000000LL) {
184 if (l & 0xff00000000000000LL) {
185 return (bits[(int)(l >> 56)] + 56);
187 return (bits[(int)(l >> 48)] + 48);
189 if (l & 0x0000ff0000000000LL) {
190 return (bits[(int)(l >> 40)] + 40);
192 return (bits[(int)(l >> 32)] + 32);
198 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
199 if (l & 0xffff0000L) {
201 return (bits[(int)(l >> 24L)] + 24);
203 return (bits[(int)(l >> 16L)] + 16);
207 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
209 return (bits[(int)(l >> 8)] + 8);
212 return (bits[(int)(l)]);
217 int BN_num_bits(const BIGNUM *a)
224 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
227 void BN_clear_free(BIGNUM *a)
235 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
236 if (!(BN_get_flags(a, BN_FLG_STATIC_DATA)))
239 i = BN_get_flags(a, BN_FLG_MALLOCED);
240 OPENSSL_cleanse(a, sizeof(BIGNUM));
245 void BN_free(BIGNUM *a)
250 if ((a->d != NULL) && !(BN_get_flags(a, BN_FLG_STATIC_DATA)))
252 if (a->flags & BN_FLG_MALLOCED)
255 #ifndef OPENSSL_NO_DEPRECATED
256 a->flags |= BN_FLG_FREE;
262 void BN_init(BIGNUM *a)
264 memset(a, 0, sizeof(BIGNUM));
272 if ((ret = (BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL) {
273 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
276 ret->flags = BN_FLG_MALLOCED;
285 /* This is used both by bn_expand2() and bn_dup_expand() */
286 /* The caller MUST check that words > b->dmax before calling this */
287 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
289 BN_ULONG *A, *a = NULL;
295 if (words > (INT_MAX / (4 * BN_BITS2))) {
296 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
299 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
300 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
303 a = A = (BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG) * words);
305 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
310 * Valgrind complains in BN_consttime_swap because we process the whole
311 * array even if it's not initialised yet. This doesn't matter in that
312 * function - what's important is constant time operation (we're not
313 * actually going to use the data)
315 memset(a, 0, sizeof(BN_ULONG) * words);
320 /* Check if the previous number needs to be copied */
322 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
324 * The fact that the loop is unrolled
325 * 4-wise is a tribute to Intel. It's
326 * the one that doesn't have enough
327 * registers to accomodate more data.
328 * I'd unroll it 8-wise otherwise:-)
330 * <appro@fy.chalmers.se>
332 BN_ULONG a0, a1, a2, a3;
343 * workaround for ultrix cc: without 'case 0', the optimizer does
344 * the switch table by doing a=top&3; a--; goto jump_table[a];
345 * which fails for top== 0
347 switch (b->top & 3) {
359 memset(A, 0, sizeof(BN_ULONG) * words);
360 memcpy(A, b->d, sizeof(b->d[0]) * b->top);
367 * This is an internal function that can be used instead of bn_expand2() when
368 * there is a need to copy BIGNUMs instead of only expanding the data part,
369 * while still expanding them. Especially useful when needing to expand
370 * BIGNUMs that are declared 'const' and should therefore not be changed. The
371 * reason to use this instead of a BN_dup() followed by a bn_expand2() is
372 * memory allocation overhead. A BN_dup() followed by a bn_expand2() will
373 * allocate new memory for the BIGNUM data twice, and free it once, while
374 * bn_dup_expand() makes sure allocation is made only once.
377 #ifndef OPENSSL_NO_DEPRECATED
378 BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
385 * This function does not work if words <= b->dmax && top < words because
386 * BN_dup() does not preserve 'dmax'! (But bn_dup_expand() is not used
390 if (words > b->dmax) {
391 BN_ULONG *a = bn_expand_internal(b, words);
401 /* r == NULL, BN_new failure */
406 * If a == NULL, there was an error in allocation in
407 * bn_expand_internal(), and NULL should be returned
419 * This is an internal function that should not be used in applications. It
420 * ensures that 'b' has enough room for a 'words' word number and initialises
421 * any unused part of b->d with leading zeros. It is mostly used by the
422 * various BIGNUM routines. If there is an error, NULL is returned. If not,
426 BIGNUM *bn_expand2(BIGNUM *b, int words)
430 if (words > b->dmax) {
431 BN_ULONG *a = bn_expand_internal(b, words);
440 /* None of this should be necessary because of what b->top means! */
443 * NB: bn_wexpand() calls this only if the BIGNUM really has to grow
445 if (b->top < b->dmax) {
447 BN_ULONG *A = &(b->d[b->top]);
448 for (i = (b->dmax - b->top) >> 3; i > 0; i--, A += 8) {
458 for (i = (b->dmax - b->top) & 7; i > 0; i--, A++)
460 assert(A == &(b->d[b->dmax]));
467 BIGNUM *BN_dup(const BIGNUM *a)
478 if (!BN_copy(t, a)) {
486 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
496 if (bn_wexpand(a, b->top) == NULL)
502 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
503 BN_ULONG a0, a1, a2, a3;
513 /* ultrix cc workaround, see comments in bn_expand_internal */
514 switch (b->top & 3) {
524 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
533 void BN_swap(BIGNUM *a, BIGNUM *b)
535 int flags_old_a, flags_old_b;
537 int tmp_top, tmp_dmax, tmp_neg;
542 flags_old_a = a->flags;
543 flags_old_b = b->flags;
561 (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
563 (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
568 void BN_clear(BIGNUM *a)
572 memset(a->d, 0, a->dmax * sizeof(a->d[0]));
577 BN_ULONG BN_get_word(const BIGNUM *a)
581 else if (a->top == 1)
587 int BN_set_word(BIGNUM *a, BN_ULONG w)
590 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
594 a->top = (w ? 1 : 0);
599 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
617 i = ((n - 1) / BN_BYTES) + 1;
618 m = ((n - 1) % (BN_BYTES));
619 if (bn_wexpand(ret, (int)i) == NULL) {
627 l = (l << 8L) | *(s++);
635 * need to call this due to clear byte at top if avoiding having the top
636 * bit set (-ve number)
642 /* ignore negative */
643 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
649 n = i = BN_num_bytes(a);
651 l = a->d[i / BN_BYTES];
652 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
657 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
660 BN_ULONG t1, t2, *ap, *bp;
670 for (i = a->top - 1; i >= 0; i--) {
674 return ((t1 > t2) ? 1 : -1);
679 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
685 if ((a == NULL) || (b == NULL)) {
697 if (a->neg != b->neg) {
715 for (i = a->top - 1; i >= 0; i--) {
726 int BN_set_bit(BIGNUM *a, int n)
736 if (bn_wexpand(a, i + 1) == NULL)
738 for (k = a->top; k < i + 1; k++)
743 a->d[i] |= (((BN_ULONG)1) << j);
748 int BN_clear_bit(BIGNUM *a, int n)
761 a->d[i] &= (~(((BN_ULONG)1) << j));
766 int BN_is_bit_set(const BIGNUM *a, int n)
777 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
780 int BN_mask_bits(BIGNUM *a, int n)
796 a->d[w] &= ~(BN_MASK2 << b);
802 void BN_set_negative(BIGNUM *a, int b)
804 if (b && !BN_is_zero(a))
810 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
818 return ((aa > bb) ? 1 : -1);
819 for (i = n - 2; i >= 0; i--) {
823 return ((aa > bb) ? 1 : -1);
829 * Here follows a specialised variants of bn_cmp_words(). It has the
830 * property of performing the operation on arrays of different sizes. The
831 * sizes of those arrays is expressed through cl, which is the common length
832 * ( basicall, min(len(a),len(b)) ), and dl, which is the delta between the
833 * two lengths, calculated as len(a)-len(b). All lengths are the number of
837 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
843 for (i = dl; i < 0; i++) {
845 return -1; /* a < b */
849 for (i = dl; i > 0; i--) {
851 return 1; /* a > b */
854 return bn_cmp_words(a, b, cl);
858 * Constant-time conditional swap of a and b.
859 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
860 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
861 * and that no more than nwords are used by either a or b.
862 * a and b cannot be the same number
864 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
869 bn_wcheck_size(a, nwords);
870 bn_wcheck_size(b, nwords);
873 assert((condition & (condition - 1)) == 0);
874 assert(sizeof(BN_ULONG) >= sizeof(int));
876 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
878 t = (a->top ^ b->top) & condition;
882 #define BN_CONSTTIME_SWAP(ind) \
884 t = (a->d[ind] ^ b->d[ind]) & condition; \
891 for (i = 10; i < nwords; i++)
892 BN_CONSTTIME_SWAP(i);
895 BN_CONSTTIME_SWAP(9); /* Fallthrough */
897 BN_CONSTTIME_SWAP(8); /* Fallthrough */
899 BN_CONSTTIME_SWAP(7); /* Fallthrough */
901 BN_CONSTTIME_SWAP(6); /* Fallthrough */
903 BN_CONSTTIME_SWAP(5); /* Fallthrough */
905 BN_CONSTTIME_SWAP(4); /* Fallthrough */
907 BN_CONSTTIME_SWAP(3); /* Fallthrough */
909 BN_CONSTTIME_SWAP(2); /* Fallthrough */
911 BN_CONSTTIME_SWAP(1); /* Fallthrough */
913 BN_CONSTTIME_SWAP(0);
915 #undef BN_CONSTTIME_SWAP