]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/bn/bn_mont.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Changes needed for Tandem NSK, supplied by Scott Uroff (scott@xypro.com).
[thirdparty/openssl.git] / crypto / bn / bn_mont.c
1 /* crypto/bn/bn_mont.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 /*
60 * Details about Montgomery multiplication algorithms can be found at
61 * http://security.ece.orst.edu/publications.html, e.g.
62 * http://security.ece.orst.edu/koc/papers/j37acmon.pdf and
63 * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
64 */
65
66 #include <stdio.h>
67 #include "cryptlib.h"
68 #include "bn_lcl.h"
69
70 #define MONT_WORD /* use the faster word-based algorithm */
71
72 int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
73 BN_MONT_CTX *mont, BN_CTX *ctx)
74 {
75 BIGNUM *tmp,*tmp2;
76 int ret=0;
77
78 BN_CTX_start(ctx);
79 tmp = BN_CTX_get(ctx);
80 tmp2 = BN_CTX_get(ctx);
81 if (tmp == NULL || tmp2 == NULL) goto err;
82
83 bn_check_top(tmp);
84 bn_check_top(tmp2);
85
86 if (a == b)
87 {
88 #if 1
89 bn_wexpand(tmp,a->top*2);
90 bn_wexpand(tmp2,a->top*4);
91 bn_sqr_recursive(tmp->d,a->d,a->top,tmp2->d);
92 tmp->top=a->top*2;
93 if (tmp->top > 0 && tmp->d[tmp->top-1] == 0)
94 tmp->top--;
95 #else
96 if (!BN_sqr(tmp,a,ctx)) goto err;
97 #endif
98 }
99 else
100 {
101 if (!BN_mul(tmp,a,b,ctx)) goto err;
102 }
103 /* reduce from aRR to aR */
104 if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
105 ret=1;
106 err:
107 BN_CTX_end(ctx);
108 return(ret);
109 }
110
111 int BN_from_montgomery(BIGNUM *ret, BIGNUM *a, BN_MONT_CTX *mont,
112 BN_CTX *ctx)
113 {
114 int retn=0;
115
116 #ifdef MONT_WORD
117 BIGNUM *n,*r;
118 BN_ULONG *ap,*np,*rp,n0,v,*nrp;
119 int al,nl,max,i,x,ri;
120
121 BN_CTX_start(ctx);
122 if ((r = BN_CTX_get(ctx)) == NULL) goto err;
123
124 if (!BN_copy(r,a)) goto err;
125 n= &(mont->N);
126
127 ap=a->d;
128 /* mont->ri is the size of mont->N in bits (rounded up
129 to the word size) */
130 al=ri=mont->ri/BN_BITS2;
131
132 nl=n->top;
133 if ((al == 0) || (nl == 0)) { r->top=0; return(1); }
134
135 max=(nl+al+1); /* allow for overflow (no?) XXX */
136 if (bn_wexpand(r,max) == NULL) goto err;
137 if (bn_wexpand(ret,max) == NULL) goto err;
138
139 r->neg=a->neg^n->neg;
140 np=n->d;
141 rp=r->d;
142 nrp= &(r->d[nl]);
143
144 /* clear the top words of T */
145 #if 1
146 for (i=r->top; i<max; i++) /* memset? XXX */
147 r->d[i]=0;
148 #else
149 memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG));
150 #endif
151
152 r->top=max;
153 n0=mont->n0;
154
155 #ifdef BN_COUNT
156 printf("word BN_from_montgomery %d * %d\n",nl,nl);
157 #endif
158 for (i=0; i<nl; i++)
159 {
160 #ifdef __TANDEM
161 {
162 long long t1;
163 long long t2;
164 long long t3;
165 t1 = rp[0] * (n0 & 0177777);
166 t2 = 037777600000l;
167 t2 = n0 & t2;
168 t3 = rp[0] & 0177777;
169 t2 = (t3 * t2) & BN_MASK2;
170 t1 = t1 + t2;
171 v=bn_mul_add_words(rp,np,nl,(BN_ULONG) t1);
172 }
173 #else
174 v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
175 #endif
176 nrp++;
177 rp++;
178 if (((nrp[-1]+=v)&BN_MASK2) >= v)
179 continue;
180 else
181 {
182 if (((++nrp[0])&BN_MASK2) != 0) continue;
183 if (((++nrp[1])&BN_MASK2) != 0) continue;
184 for (x=2; (((++nrp[x])&BN_MASK2) == 0); x++) ;
185 }
186 }
187 bn_fix_top(r);
188
189 /* mont->ri will be a multiple of the word size */
190 #if 0
191 BN_rshift(ret,r,mont->ri);
192 #else
193 x=ri;
194 rp=ret->d;
195 ap= &(r->d[x]);
196 if (r->top < x)
197 al=0;
198 else
199 al=r->top-x;
200 ret->top=al;
201 al-=4;
202 for (i=0; i<al; i+=4)
203 {
204 BN_ULONG t1,t2,t3,t4;
205
206 t1=ap[i+0];
207 t2=ap[i+1];
208 t3=ap[i+2];
209 t4=ap[i+3];
210 rp[i+0]=t1;
211 rp[i+1]=t2;
212 rp[i+2]=t3;
213 rp[i+3]=t4;
214 }
215 al+=4;
216 for (; i<al; i++)
217 rp[i]=ap[i];
218 #endif
219 #else /* !MONT_WORD */
220 BIGNUM *t1,*t2;
221
222 BN_CTX_start(ctx);
223 t1 = BN_CTX_get(ctx);
224 t2 = BN_CTX_get(ctx);
225 if (t1 == NULL || t2 == NULL) goto err;
226
227 if (!BN_copy(t1,a)) goto err;
228 BN_mask_bits(t1,mont->ri);
229
230 if (!BN_mul(t2,t1,&mont->Ni,ctx)) goto err;
231 BN_mask_bits(t2,mont->ri);
232
233 if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
234 if (!BN_add(t2,a,t1)) goto err;
235 BN_rshift(ret,t2,mont->ri);
236 #endif /* MONT_WORD */
237
238 if (BN_ucmp(ret, &(mont->N)) >= 0)
239 {
240 BN_usub(ret,ret,&(mont->N));
241 }
242 retn=1;
243 err:
244 BN_CTX_end(ctx);
245 return(retn);
246 }
247
248 BN_MONT_CTX *BN_MONT_CTX_new(void)
249 {
250 BN_MONT_CTX *ret;
251
252 if ((ret=(BN_MONT_CTX *)OPENSSL_malloc(sizeof(BN_MONT_CTX))) == NULL)
253 return(NULL);
254
255 BN_MONT_CTX_init(ret);
256 ret->flags=BN_FLG_MALLOCED;
257 return(ret);
258 }
259
260 void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
261 {
262 ctx->ri=0;
263 BN_init(&(ctx->RR));
264 BN_init(&(ctx->N));
265 BN_init(&(ctx->Ni));
266 ctx->flags=0;
267 }
268
269 void BN_MONT_CTX_free(BN_MONT_CTX *mont)
270 {
271 if(mont == NULL)
272 return;
273
274 BN_free(&(mont->RR));
275 BN_free(&(mont->N));
276 BN_free(&(mont->Ni));
277 if (mont->flags & BN_FLG_MALLOCED)
278 OPENSSL_free(mont);
279 }
280
281 int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
282 {
283 BIGNUM Ri,*R;
284
285 BN_init(&Ri);
286 R= &(mont->RR); /* grab RR as a temp */
287 BN_copy(&(mont->N),mod); /* Set N */
288
289 #ifdef MONT_WORD
290 {
291 BIGNUM tmod;
292 BN_ULONG buf[2];
293
294 mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
295 BN_zero(R);
296 BN_set_bit(R,BN_BITS2); /* R */
297
298 buf[0]=mod->d[0]; /* tmod = N mod word size */
299 buf[1]=0;
300 tmod.d=buf;
301 tmod.top=1;
302 tmod.dmax=2;
303 tmod.neg=mod->neg;
304 /* Ri = R^-1 mod N*/
305 if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL)
306 goto err;
307 BN_lshift(&Ri,&Ri,BN_BITS2); /* R*Ri */
308 if (!BN_is_zero(&Ri))
309 BN_sub_word(&Ri,1);
310 else /* if N mod word size == 1 */
311 BN_set_word(&Ri,BN_MASK2); /* Ri-- (mod word size) */
312 BN_div(&Ri,NULL,&Ri,&tmod,ctx); /* Ni = (R*Ri-1)/N,
313 * keep only least significant word: */
314 mont->n0=Ri.d[0];
315 BN_free(&Ri);
316 }
317 #else /* !MONT_WORD */
318 { /* bignum version */
319 mont->ri=BN_num_bits(mod);
320 BN_zero(R);
321 BN_set_bit(R,mont->ri); /* R = 2^ri */
322 /* Ri = R^-1 mod N*/
323 if ((BN_mod_inverse(&Ri,R,mod,ctx)) == NULL)
324 goto err;
325 BN_lshift(&Ri,&Ri,mont->ri); /* R*Ri */
326 BN_sub_word(&Ri,1);
327 /* Ni = (R*Ri-1) / N */
328 BN_div(&(mont->Ni),NULL,&Ri,mod,ctx);
329 BN_free(&Ri);
330 }
331 #endif
332
333 /* setup RR for conversions */
334 BN_zero(&(mont->RR));
335 BN_set_bit(&(mont->RR),mont->ri*2);
336 BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx);
337
338 return(1);
339 err:
340 return(0);
341 }
342
343 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
344 {
345 if (to == from) return(to);
346
347 BN_copy(&(to->RR),&(from->RR));
348 BN_copy(&(to->N),&(from->N));
349 BN_copy(&(to->Ni),&(from->Ni));
350 to->ri=from->ri;
351 to->n0=from->n0;
352 return(to);
353 }
354
A mirror of the official openssl repository