[thirdparty/openssl.git] / crypto / bn / bn_div.c

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <openssl/bn.h>
#include "internal/cryptlib.h"
#include "bn_lcl.h"

/* The old slow way */
#if 0
int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
           BN_CTX *ctx)
{
    int i, nm, nd;
    int ret = 0;
    BIGNUM *D;

    bn_check_top(m);
    bn_check_top(d);
    if (BN_is_zero(d)) {
        BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
        return (0);
    }

    if (BN_ucmp(m, d) < 0) {
        if (rem != NULL) {
            if (BN_copy(rem, m) == NULL)
                return (0);
        }
        if (dv != NULL)
            BN_zero(dv);
        return (1);
    }

    BN_CTX_start(ctx);
    D = BN_CTX_get(ctx);
    if (dv == NULL)
        dv = BN_CTX_get(ctx);
    if (rem == NULL)
        rem = BN_CTX_get(ctx);
    if (D == NULL || dv == NULL || rem == NULL)
        goto end;

    nd = BN_num_bits(d);
    nm = BN_num_bits(m);
    if (BN_copy(D, d) == NULL)
        goto end;
    if (BN_copy(rem, m) == NULL)
        goto end;

    /*
     * The next 2 are needed so we can do a dv->d[0]|=1 later since
     * BN_lshift1 will only work once there is a value :-)
     */
    BN_zero(dv);
    if (bn_wexpand(dv, 1) == NULL)
        goto end;
    dv->top = 1;

    if (!BN_lshift(D, D, nm - nd))
        goto end;
    for (i = nm - nd; i >= 0; i--) {
        if (!BN_lshift1(dv, dv))
            goto end;
        if (BN_ucmp(rem, D) >= 0) {
            dv->d[0] |= 1;
            if (!BN_usub(rem, rem, D))
                goto end;
        }
/* CAN IMPROVE (and have now :=) */
        if (!BN_rshift1(D, D))
            goto end;
    }
    rem->neg = BN_is_zero(rem) ? 0 : m->neg;
    dv->neg = m->neg ^ d->neg;
    ret = 1;
 end:
    BN_CTX_end(ctx);
    return (ret);
}

#else

# if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
    && !defined(PEDANTIC) && !defined(BN_DIV3W)
#  if defined(__GNUC__) && __GNUC__>=2
#   if defined(__i386) || defined (__i386__)
   /*-
    * There were two reasons for implementing this template:
    * - GNU C generates a call to a function (__udivdi3 to be exact)
    *   in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
    *   understand why...);
    * - divl doesn't only calculate quotient, but also leaves
    *   remainder in %edx which we can definitely use here:-)
    *
    *                                   <appro@fy.chalmers.se>
    */
#    undef bn_div_words
#    define bn_div_words(n0,n1,d0)                \
        ({  asm volatile (                      \
                "divl   %4"                     \
                : "=a"(q), "=d"(rem)            \
                : "a"(n1), "d"(n0), "g"(d0)     \
                : "cc");                        \
            q;                                  \
        })
#    define REMAINDER_IS_ALREADY_CALCULATED
#   elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
   /*
    * Same story here, but it's 128-bit by 64-bit division. Wow!
    *                                   <appro@fy.chalmers.se>
    */
#    undef bn_div_words
#    define bn_div_words(n0,n1,d0)                \
        ({  asm volatile (                      \
                "divq   %4"                     \
                : "=a"(q), "=d"(rem)            \
                : "a"(n1), "d"(n0), "g"(d0)     \
                : "cc");                        \
            q;                                  \
        })
#    define REMAINDER_IS_ALREADY_CALCULATED
#   endif                       /* __<cpu> */
#  endif                        /* __GNUC__ */
# endif                         /* OPENSSL_NO_ASM */

/*-
 * BN_div computes  dv := num / divisor,  rounding towards
 * zero, and sets up rm  such that  dv*divisor + rm = num  holds.
 * Thus:
 *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
 *     rm->neg == num->neg                 (unless the remainder is zero)
 * If 'dv' or 'rm' is NULL, the respective value is not returned.
 */
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
           BN_CTX *ctx)
{
    int norm_shift, i, loop;
    BIGNUM *tmp, wnum, *snum, *sdiv, *res;
    BN_ULONG *resp, *wnump;
    BN_ULONG d0, d1;
    int num_n, div_n;
    int no_branch = 0;

    /*
     * Invalid zero-padding would have particularly bad consequences so don't
     * just rely on bn_check_top() here (bn_check_top() works only for
     * BN_DEBUG builds)
     */
    if ((num->top > 0 && num->d[num->top - 1] == 0) ||
        (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
        BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
        return 0;
    }

    bn_check_top(num);
    bn_check_top(divisor);

    if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
        || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
        no_branch = 1;
    }

    bn_check_top(dv);
    bn_check_top(rm);
    /*- bn_check_top(num); *//*
     * 'num' has been checked already
     */
    /*- bn_check_top(divisor); *//*
     * 'divisor' has been checked already
     */

    if (BN_is_zero(divisor)) {
        BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
        return (0);
    }

    if (!no_branch && BN_ucmp(num, divisor) < 0) {
        if (rm != NULL) {
            if (BN_copy(rm, num) == NULL)
                return (0);
        }
        if (dv != NULL)
            BN_zero(dv);
        return (1);
    }

    BN_CTX_start(ctx);
    tmp = BN_CTX_get(ctx);
    snum = BN_CTX_get(ctx);
    sdiv = BN_CTX_get(ctx);
    if (dv == NULL)
        res = BN_CTX_get(ctx);
    else
        res = dv;
    if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL)
        goto err;

    /* First we normalise the numbers */
    norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
    if (!(BN_lshift(sdiv, divisor, norm_shift)))
        goto err;
    sdiv->neg = 0;
    norm_shift += BN_BITS2;
    if (!(BN_lshift(snum, num, norm_shift)))
        goto err;
    snum->neg = 0;

    if (no_branch) {
        /*
         * Since we don't know whether snum is larger than sdiv, we pad snum
         * with enough zeroes without changing its value.
         */
        if (snum->top <= sdiv->top + 1) {
            if (bn_wexpand(snum, sdiv->top + 2) == NULL)
                goto err;
            for (i = snum->top; i < sdiv->top + 2; i++)
                snum->d[i] = 0;
            snum->top = sdiv->top + 2;
        } else {
            if (bn_wexpand(snum, snum->top + 1) == NULL)
                goto err;
            snum->d[snum->top] = 0;
            snum->top++;
        }
    }

    div_n = sdiv->top;
    num_n = snum->top;
    loop = num_n - div_n;
    /*
     * Lets setup a 'window' into snum This is the part that corresponds to
     * the current 'area' being divided
     */
    wnum.neg = 0;
    wnum.d = &(snum->d[loop]);
    wnum.top = div_n;
    /*
     * only needed when BN_ucmp messes up the values between top and max
     */
    wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */

    /* Get the top 2 words of sdiv */
    /* div_n=sdiv->top; */
    d0 = sdiv->d[div_n - 1];
    d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];

    /* pointer to the 'top' of snum */
    wnump = &(snum->d[num_n - 1]);

    /* Setup to 'res' */
    res->neg = (num->neg ^ divisor->neg);
    if (!bn_wexpand(res, (loop + 1)))
        goto err;
    res->top = loop - no_branch;
    resp = &(res->d[loop - 1]);

    /* space for temp */
    if (!bn_wexpand(tmp, (div_n + 1)))
        goto err;

    if (!no_branch) {
        if (BN_ucmp(&wnum, sdiv) >= 0) {
            /*
             * If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
             * the const bignum arguments => clean the values between top and
             * max again
             */
            bn_clear_top2max(&wnum);
            bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
            *resp = 1;
        } else
            res->top--;
    }

    /*
     * if res->top == 0 then clear the neg value otherwise decrease the resp
     * pointer
     */
    if (res->top == 0)
        res->neg = 0;
    else
        resp--;

    for (i = 0; i < loop - 1; i++, wnump--, resp--) {
        BN_ULONG q, l0;
        /*
         * the first part of the loop uses the top two words of snum and sdiv
         * to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
         */
# if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
        BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
        q = bn_div_3_words(wnump, d1, d0);
# else
        BN_ULONG n0, n1, rem = 0;

        n0 = wnump[0];
        n1 = wnump[-1];
        if (n0 == d0)
            q = BN_MASK2;
        else {                  /* n0 < d0 */

#  ifdef BN_LLONG
            BN_ULLONG t2;

#   if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
            q = (BN_ULONG)(((((BN_ULLONG) n0) << BN_BITS2) | n1) / d0);
#   else
            q = bn_div_words(n0, n1, d0);
#    ifdef BN_DEBUG_LEVITTE
            fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
X) -> 0x%08X\n", n0, n1, d0, q);
#    endif
#   endif

#   ifndef REMAINDER_IS_ALREADY_CALCULATED
            /*
             * rem doesn't have to be BN_ULLONG. The least we
             * know it's less that d0, isn't it?
             */
            rem = (n1 - q * d0) & BN_MASK2;
#   endif
            t2 = (BN_ULLONG) d1 *q;

            for (;;) {
                if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
                    break;
                q--;
                rem += d0;
                if (rem < d0)
                    break;      /* don't let rem overflow */
                t2 -= d1;
            }
#  else                         /* !BN_LLONG */
            BN_ULONG t2l, t2h;

            q = bn_div_words(n0, n1, d0);
#   ifdef BN_DEBUG_LEVITTE
            fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
X) -> 0x%08X\n", n0, n1, d0, q);
#   endif
#   ifndef REMAINDER_IS_ALREADY_CALCULATED
            rem = (n1 - q * d0) & BN_MASK2;
#   endif

#   if defined(BN_UMULT_LOHI)
            BN_UMULT_LOHI(t2l, t2h, d1, q);
#   elif defined(BN_UMULT_HIGH)
            t2l = d1 * q;
            t2h = BN_UMULT_HIGH(d1, q);
#   else
            {
                BN_ULONG ql, qh;
                t2l = LBITS(d1);
                t2h = HBITS(d1);
                ql = LBITS(q);
                qh = HBITS(q);
                mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
            }
#   endif

            for (;;) {
                if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
                    break;
                q--;
                rem += d0;
                if (rem < d0)
                    break;      /* don't let rem overflow */
                if (t2l < d1)
                    t2h--;
                t2l -= d1;
            }
#  endif                        /* !BN_LLONG */
        }
# endif                         /* !BN_DIV3W */

        l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
        tmp->d[div_n] = l0;
        wnum.d--;
        /*
         * ingore top values of the bignums just sub the two BN_ULONG arrays
         * with bn_sub_words
         */
        if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
            /*
             * Note: As we have considered only the leading two BN_ULONGs in
             * the calculation of q, sdiv * q might be greater than wnum (but
             * then (q-1) * sdiv is less or equal than wnum)
             */
            q--;
            if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
                /*
                 * we can't have an overflow here (assuming that q != 0, but
                 * if q == 0 then tmp is zero anyway)
                 */
                (*wnump)++;
        }
        /* store part of the result */
        *resp = q;
    }
    bn_correct_top(snum);
    if (rm != NULL) {
        /*
         * Keep a copy of the neg flag in num because if rm==num BN_rshift()
         * will overwrite it.
         */
        int neg = num->neg;
        BN_rshift(rm, snum, norm_shift);
        if (!BN_is_zero(rm))
            rm->neg = neg;
        bn_check_top(rm);
    }
    if (no_branch)
        bn_correct_top(res);
    BN_CTX_end(ctx);
    return (1);
 err:
    bn_check_top(rm);
    BN_CTX_end(ctx);
    return (0);
}
#endif
Commit	Line	Data
58964a49	1	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6 RE	2	* All rights reserved.
	3	*
	4	* This package is an SSL implementation written
	5	* by Eric Young (eay@cryptsoft.com).
	6	* The implementation was written so as to conform with Netscapes SSL.
0f113f3e	7	*
d02b48c6 RE	8	* This library is free for commercial and non-commercial use as long as
	9	* the following conditions are aheared to. The following conditions
	10	* apply to all code found in this distribution, be it the RC4, RSA,
	11	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	12	* included with this distribution is covered by the same copyright terms
	13	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e	14	*
d02b48c6 RE	15	* Copyright remains Eric Young's, and as such any Copyright notices in
	16	* the code are not to be removed.
	17	* If this package is used in a product, Eric Young should be given attribution
	18	* as the author of the parts of the library used.
	19	* This can be in the form of a textual message at program startup or
	20	* in documentation (online or textual) provided with the package.
0f113f3e	21	*
d02b48c6 RE	22	* Redistribution and use in source and binary forms, with or without
	23	* modification, are permitted provided that the following conditions
	24	* are met:
	25	* 1. Redistributions of source code must retain the copyright
	26	* notice, this list of conditions and the following disclaimer.
	27	* 2. Redistributions in binary form must reproduce the above copyright
	28	* notice, this list of conditions and the following disclaimer in the
	29	* documentation and/or other materials provided with the distribution.
	30	* 3. All advertising materials mentioning features or use of this software
	31	* must display the following acknowledgement:
	32	* "This product includes cryptographic software written by
	33	* Eric Young (eay@cryptsoft.com)"
	34	* The word 'cryptographic' can be left out if the rouines from the library
	35	* being used are not cryptographic related :-).
0f113f3e	36	* 4. If you include any Windows specific code (or a derivative thereof) from
d02b48c6 RE	37	* the apps directory (application code) you must include an acknowledgement:
d02b48c6 RE	38	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e	39	*
d02b48c6 RE	40	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	41	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	43	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	44	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	45	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	46	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	48	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	49	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	50	* SUCH DAMAGE.
0f113f3e	51	*
d02b48c6 RE	52	* The licence and distribution terms for any publically available version or
	53	* derivative of this code cannot be changed. i.e. this code cannot simply be
	54	* copied and put under another distribution licence
	55	* [including the GNU Public Licence.]
	56	*/
	57
84c15db5	58	#include <openssl/bn.h>
b39fc560	59	#include "internal/cryptlib.h"
d02b48c6 RE	60	#include "bn_lcl.h"
	61
	62	/* The old slow way */
4a6222d7	63	#if 0
0bde1089	64	int BN_div(BIGNUM dv, BIGNUM rem, const BIGNUM m, const BIGNUM d,
0f113f3e MC	65	BN_CTX *ctx)
	66	{
	67	int i, nm, nd;
	68	int ret = 0;
	69	BIGNUM *D;
	70
	71	bn_check_top(m);
	72	bn_check_top(d);
	73	if (BN_is_zero(d)) {
	74	BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
	75	return (0);
	76	}
	77
	78	if (BN_ucmp(m, d) < 0) {
	79	if (rem != NULL) {
	80	if (BN_copy(rem, m) == NULL)
	81	return (0);
	82	}
	83	if (dv != NULL)
	84	BN_zero(dv);
	85	return (1);
	86	}
	87
	88	BN_CTX_start(ctx);
	89	D = BN_CTX_get(ctx);
	90	if (dv == NULL)
	91	dv = BN_CTX_get(ctx);
	92	if (rem == NULL)
	93	rem = BN_CTX_get(ctx);
	94	if (D == NULL \|\| dv == NULL \|\| rem == NULL)
	95	goto end;
	96
	97	nd = BN_num_bits(d);
	98	nm = BN_num_bits(m);
	99	if (BN_copy(D, d) == NULL)
	100	goto end;
	101	if (BN_copy(rem, m) == NULL)
	102	goto end;
	103
	104	/*
	105	* The next 2 are needed so we can do a dv->d[0]\|=1 later since
	106	* BN_lshift1 will only work once there is a value :-)
	107	*/
	108	BN_zero(dv);
	109	if (bn_wexpand(dv, 1) == NULL)
	110	goto end;
	111	dv->top = 1;
	112
	113	if (!BN_lshift(D, D, nm - nd))
	114	goto end;
	115	for (i = nm - nd; i >= 0; i--) {
	116	if (!BN_lshift1(dv, dv))
	117	goto end;
	118	if (BN_ucmp(rem, D) >= 0) {
	119	dv->d[0] \|= 1;
	120	if (!BN_usub(rem, rem, D))
	121	goto end;
	122	}
d02b48c6	123	/* CAN IMPROVE (and have now :=) */
0f113f3e MC	124	if (!BN_rshift1(D, D))
	125	goto end;
	126	}
	127	rem->neg = BN_is_zero(rem) ? 0 : m->neg;
	128	dv->neg = m->neg ^ d->neg;
	129	ret = 1;
9b141126	130	end:
0f113f3e MC	131	BN_CTX_end(ctx);
	132	return (ret);
	133	}
d02b48c6 RE	134
	135	#else
	136
0f113f3e	137	# if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
cf1b7d96	138	&& !defined(PEDANTIC) && !defined(BN_DIV3W)
0f113f3e MC	139	# if defined(__GNUC__) && __GNUC__>=2
0f113f3e MC	140	# if defined(__i386) \|\| defined (__i386__)
c80fd6b2	141	/*-
4a6222d7 UM	142	* There were two reasons for implementing this template:
	143	* - GNU C generates a call to a function (__udivdi3 to be exact)
	144	* in reply to ((((BN_ULLONG)n0)<<BN_BITS2)\|n1)/d0 (I fail to
	145	* understand why...);
	146	* - divl doesn't only calculate quotient, but also leaves
	147	* remainder in %edx which we can definitely use here:-)
	148	*
0f113f3e	149	* <appro@fy.chalmers.se>
4a6222d7	150	*/
0f113f3e MC	151	# undef bn_div_words
	152	# define bn_div_words(n0,n1,d0) \
	153	({ asm volatile ( \
	154	"divl %4" \
	155	: "=a"(q), "=d"(rem) \
	156	: "a"(n1), "d"(n0), "g"(d0) \
	157	: "cc"); \
	158	q; \
	159	})
	160	# define REMAINDER_IS_ALREADY_CALCULATED
	161	# elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
2f98abbc AP	162	/*
2f98abbc AP	163	* Same story here, but it's 128-bit by 64-bit division. Wow!
0f113f3e	164	* <appro@fy.chalmers.se>
2f98abbc	165	*/
0f113f3e MC	166	# undef bn_div_words
	167	# define bn_div_words(n0,n1,d0) \
	168	({ asm volatile ( \
	169	"divq %4" \
	170	: "=a"(q), "=d"(rem) \
	171	: "a"(n1), "d"(n0), "g"(d0) \
	172	: "cc"); \
	173	q; \
	174	})
	175	# define REMAINDER_IS_ALREADY_CALCULATED
	176	# endif /* __<cpu> */
	177	# endif /* __GNUC__ */
	178	# endif /* OPENSSL_NO_ASM */
78a0c1f1	179
1d97c843 TH	180	/*-
1d97c843 TH	181	* BN_div computes dv := num / divisor, rounding towards
55525742	182	* zero, and sets up rm such that dv*divisor + rm = num holds.
78a0c1f1 BM	183	* Thus:
	184	* dv->neg == num->neg ^ divisor->neg (unless the result is zero)
	185	* rm->neg == num->neg (unless the remainder is zero)
	186	* If 'dv' or 'rm' is NULL, the respective value is not returned.
	187	*/
84c15db5	188	int BN_div(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,
0f113f3e MC	189	BN_CTX *ctx)
	190	{
	191	int norm_shift, i, loop;
	192	BIGNUM tmp, wnum, snum, sdiv, res;
	193	BN_ULONG resp, wnump;
	194	BN_ULONG d0, d1;
	195	int num_n, div_n;
	196	int no_branch = 0;
	197
	198	/*
	199	* Invalid zero-padding would have particularly bad consequences so don't
	200	* just rely on bn_check_top() here (bn_check_top() works only for
	201	* BN_DEBUG builds)
	202	*/
	203	if ((num->top > 0 && num->d[num->top - 1] == 0) \|\|
	204	(divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
	205	BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
	206	return 0;
	207	}
	208
	209	bn_check_top(num);
	210	bn_check_top(divisor);
	211
	212	if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
	213	\|\| (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
	214	no_branch = 1;
	215	}
	216
	217	bn_check_top(dv);
	218	bn_check_top(rm);
	219	/- bn_check_top(num); //*
	220	* 'num' has been checked already
	221	*/
	222	/- bn_check_top(divisor); //*
	223	* 'divisor' has been checked already
	224	*/
	225
	226	if (BN_is_zero(divisor)) {
	227	BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
	228	return (0);
	229	}
	230
	231	if (!no_branch && BN_ucmp(num, divisor) < 0) {
	232	if (rm != NULL) {
	233	if (BN_copy(rm, num) == NULL)
	234	return (0);
	235	}
	236	if (dv != NULL)
	237	BN_zero(dv);
	238	return (1);
	239	}
	240
	241	BN_CTX_start(ctx);
	242	tmp = BN_CTX_get(ctx);
	243	snum = BN_CTX_get(ctx);
	244	sdiv = BN_CTX_get(ctx);
	245	if (dv == NULL)
	246	res = BN_CTX_get(ctx);
	247	else
	248	res = dv;
	249	if (sdiv == NULL \|\| res == NULL \|\| tmp == NULL \|\| snum == NULL)
	250	goto err;
	251
	252	/* First we normalise the numbers */
253	norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
254	if (!(BN_lshift(sdiv, divisor, norm_shift)))
255	goto err;
256	sdiv->neg = 0;
257	norm_shift += BN_BITS2;
258	if (!(BN_lshift(snum, num, norm_shift)))
259	goto err;
260	snum->neg = 0;
261
262	if (no_branch) {
263	/*
264	* Since we don't know whether snum is larger than sdiv, we pad snum
265	* with enough zeroes without changing its value.
266	*/
267	if (snum->top <= sdiv->top + 1) {
268	if (bn_wexpand(snum, sdiv->top + 2) == NULL)
269	goto err;
270	for (i = snum->top; i < sdiv->top + 2; i++)
271	snum->d[i] = 0;
272	snum->top = sdiv->top + 2;
273	} else {
274	if (bn_wexpand(snum, snum->top + 1) == NULL)
275	goto err;
276	snum->d[snum->top] = 0;
277	snum->top++;
278	}
279	}
280
281	div_n = sdiv->top;
282	num_n = snum->top;
283	loop = num_n - div_n;
284	/*
285	* Lets setup a 'window' into snum This is the part that corresponds to
286	* the current 'area' being divided
287	*/
288	wnum.neg = 0;
289	wnum.d = &(snum->d[loop]);
290	wnum.top = div_n;
291	/*
292	* only needed when BN_ucmp messes up the values between top and max
293	*/
294	wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
295
296	/* Get the top 2 words of sdiv */
297	/* div_n=sdiv->top; */
298	d0 = sdiv->d[div_n - 1];
299	d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
300
301	/* pointer to the 'top' of snum */
302	wnump = &(snum->d[num_n - 1]);
303
304	/* Setup to 'res' */
305	res->neg = (num->neg ^ divisor->neg);
306	if (!bn_wexpand(res, (loop + 1)))
307	goto err;
308	res->top = loop - no_branch;
309	resp = &(res->d[loop - 1]);
310
311	/* space for temp */
312	if (!bn_wexpand(tmp, (div_n + 1)))
313	goto err;
314
315	if (!no_branch) {
316	if (BN_ucmp(&wnum, sdiv) >= 0) {
317	/*
318	* If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
319	* the const bignum arguments => clean the values between top and
320	* max again
321	*/
322	bn_clear_top2max(&wnum);
323	bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
324	*resp = 1;
325	} else
326	res->top--;
327	}
328
329	/*
330	* if res->top == 0 then clear the neg value otherwise decrease the resp
331	* pointer
332	*/
333	if (res->top == 0)
334	res->neg = 0;
335	else
336	resp--;
337
338	for (i = 0; i < loop - 1; i++, wnump--, resp--) {
339	BN_ULONG q, l0;
340	/*
341	* the first part of the loop uses the top two words of snum and sdiv
342	* to calculate a BN_ULONG q such that \| wnum - sdiv * q \| < sdiv
343	*/
344	# if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
345	BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
346	q = bn_div_3_words(wnump, d1, d0);
347	# else
348	BN_ULONG n0, n1, rem = 0;
349
350	n0 = wnump[0];
351	n1 = wnump[-1];
352	if (n0 == d0)
353	q = BN_MASK2;
354	else { /* n0 < d0 */
355
356	# ifdef BN_LLONG
357	BN_ULLONG t2;
358
359	# if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
360	q = (BN_ULONG)(((((BN_ULLONG) n0) << BN_BITS2) \| n1) / d0);
361	# else
362	q = bn_div_words(n0, n1, d0);
363	# ifdef BN_DEBUG_LEVITTE
364	fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
365	X) -> 0x%08X\n", n0, n1, d0, q);
366	# endif
367	# endif
368
369	# ifndef REMAINDER_IS_ALREADY_CALCULATED
370	/*
371	* rem doesn't have to be BN_ULLONG. The least we
372	* know it's less that d0, isn't it?
373	*/
374	rem = (n1 - q * d0) & BN_MASK2;
375	# endif
376	t2 = (BN_ULLONG) d1 *q;
377
378	for (;;) {
379	if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) \| wnump[-2]))
380	break;
381	q--;
382	rem += d0;
383	if (rem < d0)
384	break; /* don't let rem overflow */
385	t2 -= d1;
386	}
387	# else /* !BN_LLONG */
388	BN_ULONG t2l, t2h;
389
390	q = bn_div_words(n0, n1, d0);
391	# ifdef BN_DEBUG_LEVITTE
392	fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
393	X) -> 0x%08X\n", n0, n1, d0, q);
394	# endif
395	# ifndef REMAINDER_IS_ALREADY_CALCULATED
396	rem = (n1 - q * d0) & BN_MASK2;
397	# endif
398
399	# if defined(BN_UMULT_LOHI)
400	BN_UMULT_LOHI(t2l, t2h, d1, q);
401	# elif defined(BN_UMULT_HIGH)
402	t2l = d1 * q;
403	t2h = BN_UMULT_HIGH(d1, q);
404	# else
405	{
406	BN_ULONG ql, qh;
407	t2l = LBITS(d1);
408	t2h = HBITS(d1);
409	ql = LBITS(q);
410	qh = HBITS(q);
411	mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1q; /
412	}
413	# endif
414
415	for (;;) {
416	if ((t2h < rem) \|\| ((t2h == rem) && (t2l <= wnump[-2])))
417	break;
418	q--;
419	rem += d0;
420	if (rem < d0)
421	break; /* don't let rem overflow */
422	if (t2l < d1)
423	t2h--;
424	t2l -= d1;
425	}
426	# endif /* !BN_LLONG */
427	}
428	# endif /* !BN_DIV3W */
429
430	l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
431	tmp->d[div_n] = l0;
432	wnum.d--;
433	/*
434	* ingore top values of the bignums just sub the two BN_ULONG arrays
435	* with bn_sub_words
436	*/
437	if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
438	/*
439	* Note: As we have considered only the leading two BN_ULONGs in
440	* the calculation of q, sdiv * q might be greater than wnum (but
441	* then (q-1) * sdiv is less or equal than wnum)
442	*/
443	q--;
444	if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
445	/*
446	* we can't have an overflow here (assuming that q != 0, but
447	* if q == 0 then tmp is zero anyway)
448	*/
449	(*wnump)++;
450	}
451	/* store part of the result */
452	*resp = q;
453	}
454	bn_correct_top(snum);
455	if (rm != NULL) {
456	/*
457	* Keep a copy of the neg flag in num because if rm==num BN_rshift()
458	* will overwrite it.
459	*/
460	int neg = num->neg;
461	BN_rshift(rm, snum, norm_shift);
462	if (!BN_is_zero(rm))
463	rm->neg = neg;
464	bn_check_top(rm);
465	}
466	if (no_branch)
467	bn_correct_top(res);
468	BN_CTX_end(ctx);
469	return (1);
470	err:
471	bn_check_top(rm);
472	BN_CTX_end(ctx);
473	return (0);
474	}
d02b48c6	475	#endif