crypto/bn/bn_recp.c

   1 /*
   2  * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include "internal/cryptlib.h"
  11 #include "bn_local.h"
  12
  13 void BN_RECP_CTX_init(BN_RECP_CTX *recp)
  14 {
  15     memset(recp, 0, sizeof(*recp));
  16     bn_init(&(recp->N));
  17     bn_init(&(recp->Nr));
  18 }
  19
  20 BN_RECP_CTX *BN_RECP_CTX_new(void)
  21 {
  22     BN_RECP_CTX *ret;
  23
  24     if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
  25         return NULL;
  26
  27     bn_init(&(ret->N));
  28     bn_init(&(ret->Nr));
  29     ret->flags = BN_FLG_MALLOCED;
  30     return ret;
  31 }
  32
  33 void BN_RECP_CTX_free(BN_RECP_CTX *recp)
  34 {
  35     if (recp == NULL)
  36         return;
  37     BN_free(&recp->N);
  38     BN_free(&recp->Nr);
  39     if (recp->flags & BN_FLG_MALLOCED)
  40         OPENSSL_free(recp);
  41 }
  42
  43 int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx)
  44 {
  45     if (!BN_copy(&(recp->N), d))
  46         return 0;
  47     BN_zero(&(recp->Nr));
  48     recp->num_bits = BN_num_bits(d);
  49     recp->shift = 0;
  50     return 1;
  51 }
  52
  53 int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
  54                           BN_RECP_CTX *recp, BN_CTX *ctx)
  55 {
  56     int ret = 0;
  57     BIGNUM *a;
  58     const BIGNUM *ca;
  59
  60     BN_CTX_start(ctx);
  61     if ((a = BN_CTX_get(ctx)) == NULL)
  62         goto err;
  63     if (y != NULL) {
  64         if (x == y) {
  65             if (!BN_sqr(a, x, ctx))
  66                 goto err;
  67         } else {
  68             if (!BN_mul(a, x, y, ctx))
  69                 goto err;
  70         }
  71         ca = a;
  72     } else
  73         ca = x;                 /* Just do the mod */
  74
  75     ret = BN_div_recp(NULL, r, ca, recp, ctx);
  76  err:
  77     BN_CTX_end(ctx);
  78     bn_check_top(r);
  79     return ret;
  80 }
  81
  82 int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
  83                 BN_RECP_CTX *recp, BN_CTX *ctx)
  84 {
  85     int i, j, ret = 0;
  86     BIGNUM *a, *b, *d, *r;
  87
  88     BN_CTX_start(ctx);
  89     d = (dv != NULL) ? dv : BN_CTX_get(ctx);
  90     r = (rem != NULL) ? rem : BN_CTX_get(ctx);
  91     a = BN_CTX_get(ctx);
  92     b = BN_CTX_get(ctx);
  93     if (b == NULL)
  94         goto err;
  95
  96     if (BN_ucmp(m, &(recp->N)) < 0) {
  97         BN_zero(d);
  98         if (!BN_copy(r, m)) {
  99             BN_CTX_end(ctx);
 100             return 0;
 101         }
 102         BN_CTX_end(ctx);
 103         return 1;
 104     }
 105
 106     /*
 107      * We want the remainder Given input of ABCDEF / ab we need multiply
 108      * ABCDEF by 3 digests of the reciprocal of ab
 109      */
 110
 111     /* i := max(BN_num_bits(m), 2*BN_num_bits(N)) */
 112     i = BN_num_bits(m);
 113     j = recp->num_bits << 1;
 114     if (j > i)
 115         i = j;
 116
 117     /* Nr := round(2^i / N) */
 118     if (i != recp->shift)
 119         recp->shift = BN_reciprocal(&(recp->Nr), &(recp->N), i, ctx);
 120     /* BN_reciprocal could have returned -1 for an error */
 121     if (recp->shift == -1)
 122         goto err;
 123
 124     /*-
 125      * d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i - BN_num_bits(N)))|
 126      *    = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i - BN_num_bits(N)))|
 127      *   <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|
 128      *    = |m/N|
 129      */
 130     if (!BN_rshift(a, m, recp->num_bits))
 131         goto err;
 132     if (!BN_mul(b, a, &(recp->Nr), ctx))
 133         goto err;
 134     if (!BN_rshift(d, b, i - recp->num_bits))
 135         goto err;
 136     d->neg = 0;
 137
 138     if (!BN_mul(b, &(recp->N), d, ctx))
 139         goto err;
 140     if (!BN_usub(r, m, b))
 141         goto err;
 142     r->neg = 0;
 143
 144     j = 0;
 145     while (BN_ucmp(r, &(recp->N)) >= 0) {
 146         if (j++ > 2) {
 147             ERR_raise(ERR_LIB_BN, BN_R_BAD_RECIPROCAL);
 148             goto err;
 149         }
 150         if (!BN_usub(r, r, &(recp->N)))
 151             goto err;
 152         if (!BN_add_word(d, 1))
 153             goto err;
 154     }
 155
 156     r->neg = BN_is_zero(r) ? 0 : m->neg;
 157     d->neg = m->neg ^ recp->N.neg;
 158     ret = 1;
 159  err:
 160     BN_CTX_end(ctx);
 161     bn_check_top(dv);
 162     bn_check_top(rem);
 163     return ret;
 164 }
 165
 166 /*
 167  * len is the expected size of the result We actually calculate with an extra
 168  * word of precision, so we can do faster division if the remainder is not
 169  * required.
 170  */
 171 /* r := 2^len / m */
 172 int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx)
 173 {
 174     int ret = -1;
 175     BIGNUM *t;
 176
 177     BN_CTX_start(ctx);
 178     if ((t = BN_CTX_get(ctx)) == NULL)
 179         goto err;
 180
 181     if (!BN_set_bit(t, len))
 182         goto err;
 183
 184     if (!BN_div(r, NULL, t, m, ctx))
 185         goto err;
 186
 187     ret = len;
 188  err:
 189     bn_check_top(r);
 190     BN_CTX_end(ctx);
 191     return ret;
 192 }