1 /* crypto/bn/bn_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
60 # undef NDEBUG /* avoid conflicting definitions */
66 #include "internal/cryptlib.h"
69 const char BN_version[] = "Big Number" OPENSSL_VERSION_PTEXT;
71 /* This stuff appears to be completely unused, so is deprecated */
72 #ifndef OPENSSL_NO_DEPRECATED
74 * For a 32 bit machine
83 static int bn_limit_bits = 0;
84 static int bn_limit_num = 8; /* (1<<bn_limit_bits) */
85 static int bn_limit_bits_low = 0;
86 static int bn_limit_num_low = 8; /* (1<<bn_limit_bits_low) */
87 static int bn_limit_bits_high = 0;
88 static int bn_limit_num_high = 8; /* (1<<bn_limit_bits_high) */
89 static int bn_limit_bits_mont = 0;
90 static int bn_limit_num_mont = 8; /* (1<<bn_limit_bits_mont) */
92 void BN_set_params(int mult, int high, int low, int mont)
95 if (mult > (int)(sizeof(int) * 8) - 1)
96 mult = sizeof(int) * 8 - 1;
98 bn_limit_num = 1 << mult;
101 if (high > (int)(sizeof(int) * 8) - 1)
102 high = sizeof(int) * 8 - 1;
103 bn_limit_bits_high = high;
104 bn_limit_num_high = 1 << high;
107 if (low > (int)(sizeof(int) * 8) - 1)
108 low = sizeof(int) * 8 - 1;
109 bn_limit_bits_low = low;
110 bn_limit_num_low = 1 << low;
113 if (mont > (int)(sizeof(int) * 8) - 1)
114 mont = sizeof(int) * 8 - 1;
115 bn_limit_bits_mont = mont;
116 bn_limit_num_mont = 1 << mont;
120 int BN_get_params(int which)
123 return (bn_limit_bits);
125 return (bn_limit_bits_high);
127 return (bn_limit_bits_low);
129 return (bn_limit_bits_mont);
135 const BIGNUM *BN_value_one(void)
137 static const BN_ULONG data_one = 1L;
138 static const BIGNUM const_one =
139 { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA };
144 int BN_num_bits_word(BN_ULONG l)
146 static const unsigned char bits[256] = {
147 0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4,
148 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
149 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
150 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
151 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
152 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
153 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
154 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
155 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
156 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
157 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
158 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
159 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
160 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
161 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
162 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
165 #if defined(SIXTY_FOUR_BIT_LONG)
166 if (l & 0xffffffff00000000L) {
167 if (l & 0xffff000000000000L) {
168 if (l & 0xff00000000000000L) {
169 return (bits[(int)(l >> 56)] + 56);
171 return (bits[(int)(l >> 48)] + 48);
173 if (l & 0x0000ff0000000000L) {
174 return (bits[(int)(l >> 40)] + 40);
176 return (bits[(int)(l >> 32)] + 32);
180 # ifdef SIXTY_FOUR_BIT
181 if (l & 0xffffffff00000000LL) {
182 if (l & 0xffff000000000000LL) {
183 if (l & 0xff00000000000000LL) {
184 return (bits[(int)(l >> 56)] + 56);
186 return (bits[(int)(l >> 48)] + 48);
188 if (l & 0x0000ff0000000000LL) {
189 return (bits[(int)(l >> 40)] + 40);
191 return (bits[(int)(l >> 32)] + 32);
197 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
198 if (l & 0xffff0000L) {
200 return (bits[(int)(l >> 24L)] + 24);
202 return (bits[(int)(l >> 16L)] + 16);
206 #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
208 return (bits[(int)(l >> 8)] + 8);
211 return (bits[(int)(l)]);
216 int BN_num_bits(const BIGNUM *a)
223 return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
226 void BN_clear_free(BIGNUM *a)
234 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
235 if (!(BN_get_flags(a, BN_FLG_STATIC_DATA))) {
236 if (BN_get_flags(a,BN_FLG_SECURE))
237 OPENSSL_secure_free(a->d);
242 i = BN_get_flags(a, BN_FLG_MALLOCED);
243 OPENSSL_cleanse(a, sizeof(BIGNUM));
248 void BN_free(BIGNUM *a)
253 if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
254 if ((a->d != NULL) && !(BN_get_flags(a, BN_FLG_STATIC_DATA))) {
255 if (BN_get_flags(a, BN_FLG_SECURE))
256 OPENSSL_secure_free(a->d);
260 if (a->flags & BN_FLG_MALLOCED)
263 #ifndef OPENSSL_NO_DEPRECATED
264 a->flags |= BN_FLG_FREE;
270 void BN_init(BIGNUM *a)
272 memset(a, 0, sizeof(*a));
280 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
281 BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
284 ret->flags = BN_FLG_MALLOCED;
293 BIGNUM *BN_secure_new(void)
295 BIGNUM *ret = BN_new();
297 ret->flags |= BN_FLG_SECURE;
301 /* This is used both by bn_expand2() and bn_dup_expand() */
302 /* The caller MUST check that words > b->dmax before calling this */
303 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
305 BN_ULONG *A, *a = NULL;
311 if (words > (INT_MAX / (4 * BN_BITS2))) {
312 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
315 if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
316 BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
319 if (BN_get_flags(b,BN_FLG_SECURE))
320 a = A = OPENSSL_secure_malloc(words * sizeof(*a));
322 a = A = OPENSSL_malloc(words * sizeof(*a));
324 BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
329 * Valgrind complains in BN_consttime_swap because we process the whole
330 * array even if it's not initialised yet. This doesn't matter in that
331 * function - what's important is constant time operation (we're not
332 * actually going to use the data)
334 memset(a, 0, sizeof(*a) * words);
339 /* Check if the previous number needs to be copied */
341 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
343 * The fact that the loop is unrolled
344 * 4-wise is a tribute to Intel. It's
345 * the one that doesn't have enough
346 * registers to accomodate more data.
347 * I'd unroll it 8-wise otherwise:-)
349 * <appro@fy.chalmers.se>
351 BN_ULONG a0, a1, a2, a3;
362 * workaround for ultrix cc: without 'case 0', the optimizer does
363 * the switch table by doing a=top&3; a--; goto jump_table[a];
364 * which fails for top== 0
366 switch (b->top & 3) {
378 memset(A, 0, sizeof(*A) * words);
379 memcpy(A, b->d, sizeof(b->d[0]) * b->top);
386 * This is an internal function that should not be used in applications. It
387 * ensures that 'b' has enough room for a 'words' word number and initialises
388 * any unused part of b->d with leading zeros. It is mostly used by the
389 * various BIGNUM routines. If there is an error, NULL is returned. If not,
393 BIGNUM *bn_expand2(BIGNUM *b, int words)
397 if (words > b->dmax) {
398 BN_ULONG *a = bn_expand_internal(b, words);
402 if (BN_get_flags(b,BN_FLG_SECURE))
403 OPENSSL_secure_free(b->d);
415 BIGNUM *BN_dup(const BIGNUM *a)
423 t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
426 if (!BN_copy(t, a)) {
434 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
444 if (bn_wexpand(a, b->top) == NULL)
450 for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) {
451 BN_ULONG a0, a1, a2, a3;
461 /* ultrix cc workaround, see comments in bn_expand_internal */
462 switch (b->top & 3) {
472 memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
481 void BN_swap(BIGNUM *a, BIGNUM *b)
483 int flags_old_a, flags_old_b;
485 int tmp_top, tmp_dmax, tmp_neg;
490 flags_old_a = a->flags;
491 flags_old_b = b->flags;
509 (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
511 (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
516 void BN_clear(BIGNUM *a)
520 memset(a->d, 0, sizeof(*a->d) * a->dmax);
525 BN_ULONG BN_get_word(const BIGNUM *a)
529 else if (a->top == 1)
535 int BN_set_word(BIGNUM *a, BN_ULONG w)
538 if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL)
542 a->top = (w ? 1 : 0);
547 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
565 i = ((n - 1) / BN_BYTES) + 1;
566 m = ((n - 1) % (BN_BYTES));
567 if (bn_wexpand(ret, (int)i) == NULL) {
574 l = (l << 8L) | *(s++);
582 * need to call this due to clear byte at top if avoiding having the top
583 * bit set (-ve number)
589 /* ignore negative */
590 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
596 n = i = BN_num_bytes(a);
598 l = a->d[i / BN_BYTES];
599 *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
604 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
607 BN_ULONG t1, t2, *ap, *bp;
617 for (i = a->top - 1; i >= 0; i--) {
621 return ((t1 > t2) ? 1 : -1);
626 int BN_cmp(const BIGNUM *a, const BIGNUM *b)
632 if ((a == NULL) || (b == NULL)) {
644 if (a->neg != b->neg) {
662 for (i = a->top - 1; i >= 0; i--) {
673 int BN_set_bit(BIGNUM *a, int n)
683 if (bn_wexpand(a, i + 1) == NULL)
685 for (k = a->top; k < i + 1; k++)
690 a->d[i] |= (((BN_ULONG)1) << j);
695 int BN_clear_bit(BIGNUM *a, int n)
708 a->d[i] &= (~(((BN_ULONG)1) << j));
713 int BN_is_bit_set(const BIGNUM *a, int n)
724 return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
727 int BN_mask_bits(BIGNUM *a, int n)
743 a->d[w] &= ~(BN_MASK2 << b);
749 void BN_set_negative(BIGNUM *a, int b)
751 if (b && !BN_is_zero(a))
757 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
765 return ((aa > bb) ? 1 : -1);
766 for (i = n - 2; i >= 0; i--) {
770 return ((aa > bb) ? 1 : -1);
776 * Here follows a specialised variants of bn_cmp_words(). It has the
777 * property of performing the operation on arrays of different sizes. The
778 * sizes of those arrays is expressed through cl, which is the common length
779 * ( basicall, min(len(a),len(b)) ), and dl, which is the delta between the
780 * two lengths, calculated as len(a)-len(b). All lengths are the number of
784 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
790 for (i = dl; i < 0; i++) {
792 return -1; /* a < b */
796 for (i = dl; i > 0; i--) {
798 return 1; /* a > b */
801 return bn_cmp_words(a, b, cl);
805 * Constant-time conditional swap of a and b.
806 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
807 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
808 * and that no more than nwords are used by either a or b.
809 * a and b cannot be the same number
811 void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
816 bn_wcheck_size(a, nwords);
817 bn_wcheck_size(b, nwords);
820 assert((condition & (condition - 1)) == 0);
821 assert(sizeof(BN_ULONG) >= sizeof(int));
823 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
825 t = (a->top ^ b->top) & condition;
829 #define BN_CONSTTIME_SWAP(ind) \
831 t = (a->d[ind] ^ b->d[ind]) & condition; \
838 for (i = 10; i < nwords; i++)
839 BN_CONSTTIME_SWAP(i);
842 BN_CONSTTIME_SWAP(9); /* Fallthrough */
844 BN_CONSTTIME_SWAP(8); /* Fallthrough */
846 BN_CONSTTIME_SWAP(7); /* Fallthrough */
848 BN_CONSTTIME_SWAP(6); /* Fallthrough */
850 BN_CONSTTIME_SWAP(5); /* Fallthrough */
852 BN_CONSTTIME_SWAP(4); /* Fallthrough */
854 BN_CONSTTIME_SWAP(3); /* Fallthrough */
856 BN_CONSTTIME_SWAP(2); /* Fallthrough */
858 BN_CONSTTIME_SWAP(1); /* Fallthrough */
860 BN_CONSTTIME_SWAP(0);
862 #undef BN_CONSTTIME_SWAP
865 /* Bits of security, see SP800-57 */
867 int BN_security_bits(int L, int N)
887 return bits >= secbits ? secbits : bits;
890 void BN_zero_ex(BIGNUM *a)
896 int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
898 return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
901 int BN_is_zero(const BIGNUM *a)
906 int BN_is_one(const BIGNUM *a)
908 return BN_abs_is_word(a, 1) && !a->neg;
911 int BN_is_word(const BIGNUM *a, const BN_ULONG w)
913 return BN_abs_is_word(a, w) && (!w || !a->neg);
916 int BN_is_odd(const BIGNUM *a)
918 return (a->top > 0) && (a->d[0] & 1);
921 int BN_is_negative(const BIGNUM *a)
923 return (a->neg != 0);
926 int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
929 return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
932 void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int n)
936 dest->dmax = b->dmax;
938 dest->flags = ((dest->flags & BN_FLG_MALLOCED)
939 | (b->flags & ~BN_FLG_MALLOCED)
940 | BN_FLG_STATIC_DATA | n);
943 BN_GENCB *BN_GENCB_new(void)
947 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
948 BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
955 void BN_GENCB_free(BN_GENCB *cb)
962 void BN_set_flags(BIGNUM *b, int n)
967 int BN_get_flags(const BIGNUM *b, int n)
972 /* Populate a BN_GENCB structure with an "old"-style callback */
973 void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
976 BN_GENCB *tmp_gencb = gencb;
978 tmp_gencb->arg = cb_arg;
979 tmp_gencb->cb.cb_1 = callback;
982 /* Populate a BN_GENCB structure with a "new"-style callback */
983 void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
986 BN_GENCB *tmp_gencb = gencb;
988 tmp_gencb->arg = cb_arg;
989 tmp_gencb->cb.cb_2 = callback;
992 void *BN_GENCB_get_arg(BN_GENCB *cb)
997 BIGNUM *bn_wexpand(BIGNUM *a, int words)
999 return (words <= a->dmax) ? a : bn_expand2(a, words);
1002 void bn_correct_top(BIGNUM *a)
1005 int tmp_top = a->top;
1008 for (ftl = &(a->d[tmp_top - 1]); tmp_top > 0; tmp_top--)