bn_exp.c 26 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990
  1. /* crypto/bn/bn_exp.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include "cryptlib.h"
  112. #include "bn_lcl.h"
  113. /* maximum precomputation table size for *variable* sliding windows */
  114. #define TABLE_SIZE 32
  115. /* this one works - simple but works */
  116. int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
  117. {
  118. int i,bits,ret=0;
  119. BIGNUM *v,*rr;
  120. if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)
  121. {
  122. /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
  123. BNerr(BN_F_BN_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  124. return -1;
  125. }
  126. BN_CTX_start(ctx);
  127. if ((r == a) || (r == p))
  128. rr = BN_CTX_get(ctx);
  129. else
  130. rr = r;
  131. if ((v = BN_CTX_get(ctx)) == NULL) goto err;
  132. if (BN_copy(v,a) == NULL) goto err;
  133. bits=BN_num_bits(p);
  134. if (BN_is_odd(p))
  135. { if (BN_copy(rr,a) == NULL) goto err; }
  136. else { if (!BN_one(rr)) goto err; }
  137. for (i=1; i<bits; i++)
  138. {
  139. if (!BN_sqr(v,v,ctx)) goto err;
  140. if (BN_is_bit_set(p,i))
  141. {
  142. if (!BN_mul(rr,rr,v,ctx)) goto err;
  143. }
  144. }
  145. ret=1;
  146. err:
  147. if (r != rr) BN_copy(r,rr);
  148. BN_CTX_end(ctx);
  149. bn_check_top(r);
  150. return(ret);
  151. }
  152. int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
  153. BN_CTX *ctx)
  154. {
  155. int ret;
  156. bn_check_top(a);
  157. bn_check_top(p);
  158. bn_check_top(m);
  159. /* For even modulus m = 2^k*m_odd, it might make sense to compute
  160. * a^p mod m_odd and a^p mod 2^k separately (with Montgomery
  161. * exponentiation for the odd part), using appropriate exponent
  162. * reductions, and combine the results using the CRT.
  163. *
  164. * For now, we use Montgomery only if the modulus is odd; otherwise,
  165. * exponentiation using the reciprocal-based quick remaindering
  166. * algorithm is used.
  167. *
  168. * (Timing obtained with expspeed.c [computations a^p mod m
  169. * where a, p, m are of the same length: 256, 512, 1024, 2048,
  170. * 4096, 8192 bits], compared to the running time of the
  171. * standard algorithm:
  172. *
  173. * BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration]
  174. * 55 .. 77 % [UltraSparc processor, but
  175. * debug-solaris-sparcv8-gcc conf.]
  176. *
  177. * BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration]
  178. * 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]
  179. *
  180. * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont
  181. * at 2048 and more bits, but at 512 and 1024 bits, it was
  182. * slower even than the standard algorithm!
  183. *
  184. * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]
  185. * should be obtained when the new Montgomery reduction code
  186. * has been integrated into OpenSSL.)
  187. */
  188. #define MONT_MUL_MOD
  189. #define MONT_EXP_WORD
  190. #define RECP_MUL_MOD
  191. #ifdef MONT_MUL_MOD
  192. /* I have finally been able to take out this pre-condition of
  193. * the top bit being set. It was caused by an error in BN_div
  194. * with negatives. There was also another problem when for a^b%m
  195. * a >= m. eay 07-May-97 */
  196. /* if ((m->d[m->top-1]&BN_TBIT) && BN_is_odd(m)) */
  197. if (BN_is_odd(m))
  198. {
  199. # ifdef MONT_EXP_WORD
  200. if (a->top == 1 && !a->neg && (BN_get_flags(p, BN_FLG_CONSTTIME) == 0))
  201. {
  202. BN_ULONG A = a->d[0];
  203. ret=BN_mod_exp_mont_word(r,A,p,m,ctx,NULL);
  204. }
  205. else
  206. # endif
  207. ret=BN_mod_exp_mont(r,a,p,m,ctx,NULL);
  208. }
  209. else
  210. #endif
  211. #ifdef RECP_MUL_MOD
  212. { ret=BN_mod_exp_recp(r,a,p,m,ctx); }
  213. #else
  214. { ret=BN_mod_exp_simple(r,a,p,m,ctx); }
  215. #endif
  216. bn_check_top(r);
  217. return(ret);
  218. }
  219. int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
  220. const BIGNUM *m, BN_CTX *ctx)
  221. {
  222. int i,j,bits,ret=0,wstart,wend,window,wvalue;
  223. int start=1;
  224. BIGNUM *aa;
  225. /* Table of variables obtained from 'ctx' */
  226. BIGNUM *val[TABLE_SIZE];
  227. BN_RECP_CTX recp;
  228. if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)
  229. {
  230. /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
  231. BNerr(BN_F_BN_MOD_EXP_RECP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  232. return -1;
  233. }
  234. bits=BN_num_bits(p);
  235. if (bits == 0)
  236. {
  237. ret = BN_one(r);
  238. return ret;
  239. }
  240. BN_CTX_start(ctx);
  241. aa = BN_CTX_get(ctx);
  242. val[0] = BN_CTX_get(ctx);
  243. if(!aa || !val[0]) goto err;
  244. BN_RECP_CTX_init(&recp);
  245. if (m->neg)
  246. {
  247. /* ignore sign of 'm' */
  248. if (!BN_copy(aa, m)) goto err;
  249. aa->neg = 0;
  250. if (BN_RECP_CTX_set(&recp,aa,ctx) <= 0) goto err;
  251. }
  252. else
  253. {
  254. if (BN_RECP_CTX_set(&recp,m,ctx) <= 0) goto err;
  255. }
  256. if (!BN_nnmod(val[0],a,m,ctx)) goto err; /* 1 */
  257. if (BN_is_zero(val[0]))
  258. {
  259. BN_zero(r);
  260. ret = 1;
  261. goto err;
  262. }
  263. window = BN_window_bits_for_exponent_size(bits);
  264. if (window > 1)
  265. {
  266. if (!BN_mod_mul_reciprocal(aa,val[0],val[0],&recp,ctx))
  267. goto err; /* 2 */
  268. j=1<<(window-1);
  269. for (i=1; i<j; i++)
  270. {
  271. if(((val[i] = BN_CTX_get(ctx)) == NULL) ||
  272. !BN_mod_mul_reciprocal(val[i],val[i-1],
  273. aa,&recp,ctx))
  274. goto err;
  275. }
  276. }
  277. start=1; /* This is used to avoid multiplication etc
  278. * when there is only the value '1' in the
  279. * buffer. */
  280. wvalue=0; /* The 'value' of the window */
  281. wstart=bits-1; /* The top bit of the window */
  282. wend=0; /* The bottom bit of the window */
  283. if (!BN_one(r)) goto err;
  284. for (;;)
  285. {
  286. if (BN_is_bit_set(p,wstart) == 0)
  287. {
  288. if (!start)
  289. if (!BN_mod_mul_reciprocal(r,r,r,&recp,ctx))
  290. goto err;
  291. if (wstart == 0) break;
  292. wstart--;
  293. continue;
  294. }
  295. /* We now have wstart on a 'set' bit, we now need to work out
  296. * how bit a window to do. To do this we need to scan
  297. * forward until the last set bit before the end of the
  298. * window */
  299. j=wstart;
  300. wvalue=1;
  301. wend=0;
  302. for (i=1; i<window; i++)
  303. {
  304. if (wstart-i < 0) break;
  305. if (BN_is_bit_set(p,wstart-i))
  306. {
  307. wvalue<<=(i-wend);
  308. wvalue|=1;
  309. wend=i;
  310. }
  311. }
  312. /* wend is the size of the current window */
  313. j=wend+1;
  314. /* add the 'bytes above' */
  315. if (!start)
  316. for (i=0; i<j; i++)
  317. {
  318. if (!BN_mod_mul_reciprocal(r,r,r,&recp,ctx))
  319. goto err;
  320. }
  321. /* wvalue will be an odd number < 2^window */
  322. if (!BN_mod_mul_reciprocal(r,r,val[wvalue>>1],&recp,ctx))
  323. goto err;
  324. /* move the 'window' down further */
  325. wstart-=wend+1;
  326. wvalue=0;
  327. start=0;
  328. if (wstart < 0) break;
  329. }
  330. ret=1;
  331. err:
  332. BN_CTX_end(ctx);
  333. BN_RECP_CTX_free(&recp);
  334. bn_check_top(r);
  335. return(ret);
  336. }
  337. int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  338. const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
  339. {
  340. int i,j,bits,ret=0,wstart,wend,window,wvalue;
  341. int start=1;
  342. BIGNUM *d,*r;
  343. const BIGNUM *aa;
  344. /* Table of variables obtained from 'ctx' */
  345. BIGNUM *val[TABLE_SIZE];
  346. BN_MONT_CTX *mont=NULL;
  347. if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)
  348. {
  349. return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
  350. }
  351. bn_check_top(a);
  352. bn_check_top(p);
  353. bn_check_top(m);
  354. if (!BN_is_odd(m))
  355. {
  356. BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
  357. return(0);
  358. }
  359. bits=BN_num_bits(p);
  360. if (bits == 0)
  361. {
  362. ret = BN_one(rr);
  363. return ret;
  364. }
  365. BN_CTX_start(ctx);
  366. d = BN_CTX_get(ctx);
  367. r = BN_CTX_get(ctx);
  368. val[0] = BN_CTX_get(ctx);
  369. if (!d || !r || !val[0]) goto err;
  370. /* If this is not done, things will break in the montgomery
  371. * part */
  372. if (in_mont != NULL)
  373. mont=in_mont;
  374. else
  375. {
  376. if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
  377. if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
  378. }
  379. if (a->neg || BN_ucmp(a,m) >= 0)
  380. {
  381. if (!BN_nnmod(val[0],a,m,ctx))
  382. goto err;
  383. aa= val[0];
  384. }
  385. else
  386. aa=a;
  387. if (BN_is_zero(aa))
  388. {
  389. BN_zero(rr);
  390. ret = 1;
  391. goto err;
  392. }
  393. if (!BN_to_montgomery(val[0],aa,mont,ctx)) goto err; /* 1 */
  394. window = BN_window_bits_for_exponent_size(bits);
  395. if (window > 1)
  396. {
  397. if (!BN_mod_mul_montgomery(d,val[0],val[0],mont,ctx)) goto err; /* 2 */
  398. j=1<<(window-1);
  399. for (i=1; i<j; i++)
  400. {
  401. if(((val[i] = BN_CTX_get(ctx)) == NULL) ||
  402. !BN_mod_mul_montgomery(val[i],val[i-1],
  403. d,mont,ctx))
  404. goto err;
  405. }
  406. }
  407. start=1; /* This is used to avoid multiplication etc
  408. * when there is only the value '1' in the
  409. * buffer. */
  410. wvalue=0; /* The 'value' of the window */
  411. wstart=bits-1; /* The top bit of the window */
  412. wend=0; /* The bottom bit of the window */
  413. if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
  414. for (;;)
  415. {
  416. if (BN_is_bit_set(p,wstart) == 0)
  417. {
  418. if (!start)
  419. {
  420. if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
  421. goto err;
  422. }
  423. if (wstart == 0) break;
  424. wstart--;
  425. continue;
  426. }
  427. /* We now have wstart on a 'set' bit, we now need to work out
  428. * how bit a window to do. To do this we need to scan
  429. * forward until the last set bit before the end of the
  430. * window */
  431. j=wstart;
  432. wvalue=1;
  433. wend=0;
  434. for (i=1; i<window; i++)
  435. {
  436. if (wstart-i < 0) break;
  437. if (BN_is_bit_set(p,wstart-i))
  438. {
  439. wvalue<<=(i-wend);
  440. wvalue|=1;
  441. wend=i;
  442. }
  443. }
  444. /* wend is the size of the current window */
  445. j=wend+1;
  446. /* add the 'bytes above' */
  447. if (!start)
  448. for (i=0; i<j; i++)
  449. {
  450. if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
  451. goto err;
  452. }
  453. /* wvalue will be an odd number < 2^window */
  454. if (!BN_mod_mul_montgomery(r,r,val[wvalue>>1],mont,ctx))
  455. goto err;
  456. /* move the 'window' down further */
  457. wstart-=wend+1;
  458. wvalue=0;
  459. start=0;
  460. if (wstart < 0) break;
  461. }
  462. if (!BN_from_montgomery(rr,r,mont,ctx)) goto err;
  463. ret=1;
  464. err:
  465. if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
  466. BN_CTX_end(ctx);
  467. bn_check_top(rr);
  468. return(ret);
  469. }
  470. /* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
  471. * so that accessing any of these table values shows the same access pattern as far
  472. * as cache lines are concerned. The following functions are used to transfer a BIGNUM
  473. * from/to that table. */
  474. static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
  475. {
  476. size_t i, j;
  477. if (bn_wexpand(b, top) == NULL)
  478. return 0;
  479. while (b->top < top)
  480. {
  481. b->d[b->top++] = 0;
  482. }
  483. for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
  484. {
  485. buf[j] = ((unsigned char*)b->d)[i];
  486. }
  487. bn_correct_top(b);
  488. return 1;
  489. }
  490. static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
  491. {
  492. size_t i, j;
  493. if (bn_wexpand(b, top) == NULL)
  494. return 0;
  495. for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
  496. {
  497. ((unsigned char*)b->d)[i] = buf[j];
  498. }
  499. b->top = top;
  500. bn_correct_top(b);
  501. return 1;
  502. }
  503. /* Given a pointer value, compute the next address that is a cache line multiple. */
  504. #define MOD_EXP_CTIME_ALIGN(x_) \
  505. ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
  506. /* This variant of BN_mod_exp_mont() uses fixed windows and the special
  507. * precomputation memory layout to limit data-dependency to a minimum
  508. * to protect secret exponents (cf. the hyper-threading timing attacks
  509. * pointed out by Colin Percival,
  510. * http://www.daemonology.net/hyperthreading-considered-harmful/)
  511. */
  512. int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  513. const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
  514. {
  515. int i,bits,ret=0,idx,window,wvalue;
  516. int top;
  517. BIGNUM *r;
  518. const BIGNUM *aa;
  519. BN_MONT_CTX *mont=NULL;
  520. int numPowers;
  521. unsigned char *powerbufFree=NULL;
  522. int powerbufLen = 0;
  523. unsigned char *powerbuf=NULL;
  524. BIGNUM *computeTemp=NULL, *am=NULL;
  525. bn_check_top(a);
  526. bn_check_top(p);
  527. bn_check_top(m);
  528. top = m->top;
  529. if (!(m->d[0] & 1))
  530. {
  531. BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,BN_R_CALLED_WITH_EVEN_MODULUS);
  532. return(0);
  533. }
  534. bits=BN_num_bits(p);
  535. if (bits == 0)
  536. {
  537. ret = BN_one(rr);
  538. return ret;
  539. }
  540. /* Initialize BIGNUM context and allocate intermediate result */
  541. BN_CTX_start(ctx);
  542. r = BN_CTX_get(ctx);
  543. if (r == NULL) goto err;
  544. /* Allocate a montgomery context if it was not supplied by the caller.
  545. * If this is not done, things will break in the montgomery part.
  546. */
  547. if (in_mont != NULL)
  548. mont=in_mont;
  549. else
  550. {
  551. if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
  552. if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
  553. }
  554. /* Get the window size to use with size of p. */
  555. window = BN_window_bits_for_ctime_exponent_size(bits);
  556. /* Allocate a buffer large enough to hold all of the pre-computed
  557. * powers of a.
  558. */
  559. numPowers = 1 << window;
  560. powerbufLen = sizeof(m->d[0])*top*numPowers;
  561. if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
  562. goto err;
  563. powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
  564. memset(powerbuf, 0, powerbufLen);
  565. /* Initialize the intermediate result. Do this early to save double conversion,
  566. * once each for a^0 and intermediate result.
  567. */
  568. if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
  569. if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) goto err;
  570. /* Initialize computeTemp as a^1 with montgomery precalcs */
  571. computeTemp = BN_CTX_get(ctx);
  572. am = BN_CTX_get(ctx);
  573. if (computeTemp==NULL || am==NULL) goto err;
  574. if (a->neg || BN_ucmp(a,m) >= 0)
  575. {
  576. if (!BN_mod(am,a,m,ctx))
  577. goto err;
  578. aa= am;
  579. }
  580. else
  581. aa=a;
  582. if (!BN_to_montgomery(am,aa,mont,ctx)) goto err;
  583. if (!BN_copy(computeTemp, am)) goto err;
  584. if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) goto err;
  585. /* If the window size is greater than 1, then calculate
  586. * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
  587. * (even powers could instead be computed as (a^(i/2))^2
  588. * to use the slight performance advantage of sqr over mul).
  589. */
  590. if (window > 1)
  591. {
  592. for (i=2; i<numPowers; i++)
  593. {
  594. /* Calculate a^i = a^(i-1) * a */
  595. if (!BN_mod_mul_montgomery(computeTemp,am,computeTemp,mont,ctx))
  596. goto err;
  597. if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, numPowers)) goto err;
  598. }
  599. }
  600. /* Adjust the number of bits up to a multiple of the window size.
  601. * If the exponent length is not a multiple of the window size, then
  602. * this pads the most significant bits with zeros to normalize the
  603. * scanning loop to there's no special cases.
  604. *
  605. * * NOTE: Making the window size a power of two less than the native
  606. * * word size ensures that the padded bits won't go past the last
  607. * * word in the internal BIGNUM structure. Going past the end will
  608. * * still produce the correct result, but causes a different branch
  609. * * to be taken in the BN_is_bit_set function.
  610. */
  611. bits = ((bits+window-1)/window)*window;
  612. idx=bits-1; /* The top bit of the window */
  613. /* Scan the exponent one window at a time starting from the most
  614. * significant bits.
  615. */
  616. while (idx >= 0)
  617. {
  618. wvalue=0; /* The 'value' of the window */
  619. /* Scan the window, squaring the result as we go */
  620. for (i=0; i<window; i++,idx--)
  621. {
  622. if (!BN_mod_mul_montgomery(r,r,r,mont,ctx)) goto err;
  623. wvalue = (wvalue<<1)+BN_is_bit_set(p,idx);
  624. }
  625. /* Fetch the appropriate pre-computed value from the pre-buf */
  626. if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(computeTemp, top, powerbuf, wvalue, numPowers)) goto err;
  627. /* Multiply the result into the intermediate result */
  628. if (!BN_mod_mul_montgomery(r,r,computeTemp,mont,ctx)) goto err;
  629. }
  630. /* Convert the final result from montgomery to standard format */
  631. if (!BN_from_montgomery(rr,r,mont,ctx)) goto err;
  632. ret=1;
  633. err:
  634. if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
  635. if (powerbuf!=NULL)
  636. {
  637. OPENSSL_cleanse(powerbuf,powerbufLen);
  638. OPENSSL_free(powerbufFree);
  639. }
  640. if (am!=NULL) BN_clear(am);
  641. if (computeTemp!=NULL) BN_clear(computeTemp);
  642. BN_CTX_end(ctx);
  643. return(ret);
  644. }
  645. int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
  646. const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
  647. {
  648. BN_MONT_CTX *mont = NULL;
  649. int b, bits, ret=0;
  650. int r_is_one;
  651. BN_ULONG w, next_w;
  652. BIGNUM *d, *r, *t;
  653. BIGNUM *swap_tmp;
  654. #define BN_MOD_MUL_WORD(r, w, m) \
  655. (BN_mul_word(r, (w)) && \
  656. (/* BN_ucmp(r, (m)) < 0 ? 1 :*/ \
  657. (BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
  658. /* BN_MOD_MUL_WORD is only used with 'w' large,
  659. * so the BN_ucmp test is probably more overhead
  660. * than always using BN_mod (which uses BN_copy if
  661. * a similar test returns true). */
  662. /* We can use BN_mod and do not need BN_nnmod because our
  663. * accumulator is never negative (the result of BN_mod does
  664. * not depend on the sign of the modulus).
  665. */
  666. #define BN_TO_MONTGOMERY_WORD(r, w, mont) \
  667. (BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
  668. if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)
  669. {
  670. /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
  671. BNerr(BN_F_BN_MOD_EXP_MONT_WORD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  672. return -1;
  673. }
  674. bn_check_top(p);
  675. bn_check_top(m);
  676. if (!BN_is_odd(m))
  677. {
  678. BNerr(BN_F_BN_MOD_EXP_MONT_WORD,BN_R_CALLED_WITH_EVEN_MODULUS);
  679. return(0);
  680. }
  681. if (m->top == 1)
  682. a %= m->d[0]; /* make sure that 'a' is reduced */
  683. bits = BN_num_bits(p);
  684. if (bits == 0)
  685. {
  686. ret = BN_one(rr);
  687. return ret;
  688. }
  689. if (a == 0)
  690. {
  691. BN_zero(rr);
  692. ret = 1;
  693. return ret;
  694. }
  695. BN_CTX_start(ctx);
  696. d = BN_CTX_get(ctx);
  697. r = BN_CTX_get(ctx);
  698. t = BN_CTX_get(ctx);
  699. if (d == NULL || r == NULL || t == NULL) goto err;
  700. if (in_mont != NULL)
  701. mont=in_mont;
  702. else
  703. {
  704. if ((mont = BN_MONT_CTX_new()) == NULL) goto err;
  705. if (!BN_MONT_CTX_set(mont, m, ctx)) goto err;
  706. }
  707. r_is_one = 1; /* except for Montgomery factor */
  708. /* bits-1 >= 0 */
  709. /* The result is accumulated in the product r*w. */
  710. w = a; /* bit 'bits-1' of 'p' is always set */
  711. for (b = bits-2; b >= 0; b--)
  712. {
  713. /* First, square r*w. */
  714. next_w = w*w;
  715. if ((next_w/w) != w) /* overflow */
  716. {
  717. if (r_is_one)
  718. {
  719. if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) goto err;
  720. r_is_one = 0;
  721. }
  722. else
  723. {
  724. if (!BN_MOD_MUL_WORD(r, w, m)) goto err;
  725. }
  726. next_w = 1;
  727. }
  728. w = next_w;
  729. if (!r_is_one)
  730. {
  731. if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) goto err;
  732. }
  733. /* Second, multiply r*w by 'a' if exponent bit is set. */
  734. if (BN_is_bit_set(p, b))
  735. {
  736. next_w = w*a;
  737. if ((next_w/a) != w) /* overflow */
  738. {
  739. if (r_is_one)
  740. {
  741. if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) goto err;
  742. r_is_one = 0;
  743. }
  744. else
  745. {
  746. if (!BN_MOD_MUL_WORD(r, w, m)) goto err;
  747. }
  748. next_w = a;
  749. }
  750. w = next_w;
  751. }
  752. }
  753. /* Finally, set r:=r*w. */
  754. if (w != 1)
  755. {
  756. if (r_is_one)
  757. {
  758. if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) goto err;
  759. r_is_one = 0;
  760. }
  761. else
  762. {
  763. if (!BN_MOD_MUL_WORD(r, w, m)) goto err;
  764. }
  765. }
  766. if (r_is_one) /* can happen only if a == 1*/
  767. {
  768. if (!BN_one(rr)) goto err;
  769. }
  770. else
  771. {
  772. if (!BN_from_montgomery(rr, r, mont, ctx)) goto err;
  773. }
  774. ret = 1;
  775. err:
  776. if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
  777. BN_CTX_end(ctx);
  778. bn_check_top(rr);
  779. return(ret);
  780. }
  781. /* The old fallback, simple version :-) */
  782. int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
  783. const BIGNUM *m, BN_CTX *ctx)
  784. {
  785. int i,j,bits,ret=0,wstart,wend,window,wvalue;
  786. int start=1;
  787. BIGNUM *d;
  788. /* Table of variables obtained from 'ctx' */
  789. BIGNUM *val[TABLE_SIZE];
  790. if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)
  791. {
  792. /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
  793. BNerr(BN_F_BN_MOD_EXP_SIMPLE,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  794. return -1;
  795. }
  796. bits=BN_num_bits(p);
  797. if (bits == 0)
  798. {
  799. ret = BN_one(r);
  800. return ret;
  801. }
  802. BN_CTX_start(ctx);
  803. d = BN_CTX_get(ctx);
  804. val[0] = BN_CTX_get(ctx);
  805. if(!d || !val[0]) goto err;
  806. if (!BN_nnmod(val[0],a,m,ctx)) goto err; /* 1 */
  807. if (BN_is_zero(val[0]))
  808. {
  809. BN_zero(r);
  810. ret = 1;
  811. goto err;
  812. }
  813. window = BN_window_bits_for_exponent_size(bits);
  814. if (window > 1)
  815. {
  816. if (!BN_mod_mul(d,val[0],val[0],m,ctx))
  817. goto err; /* 2 */
  818. j=1<<(window-1);
  819. for (i=1; i<j; i++)
  820. {
  821. if(((val[i] = BN_CTX_get(ctx)) == NULL) ||
  822. !BN_mod_mul(val[i],val[i-1],d,m,ctx))
  823. goto err;
  824. }
  825. }
  826. start=1; /* This is used to avoid multiplication etc
  827. * when there is only the value '1' in the
  828. * buffer. */
  829. wvalue=0; /* The 'value' of the window */
  830. wstart=bits-1; /* The top bit of the window */
  831. wend=0; /* The bottom bit of the window */
  832. if (!BN_one(r)) goto err;
  833. for (;;)
  834. {
  835. if (BN_is_bit_set(p,wstart) == 0)
  836. {
  837. if (!start)
  838. if (!BN_mod_mul(r,r,r,m,ctx))
  839. goto err;
  840. if (wstart == 0) break;
  841. wstart--;
  842. continue;
  843. }
  844. /* We now have wstart on a 'set' bit, we now need to work out
  845. * how bit a window to do. To do this we need to scan
  846. * forward until the last set bit before the end of the
  847. * window */
  848. j=wstart;
  849. wvalue=1;
  850. wend=0;
  851. for (i=1; i<window; i++)
  852. {
  853. if (wstart-i < 0) break;
  854. if (BN_is_bit_set(p,wstart-i))
  855. {
  856. wvalue<<=(i-wend);
  857. wvalue|=1;
  858. wend=i;
  859. }
  860. }
  861. /* wend is the size of the current window */
  862. j=wend+1;
  863. /* add the 'bytes above' */
  864. if (!start)
  865. for (i=0; i<j; i++)
  866. {
  867. if (!BN_mod_mul(r,r,r,m,ctx))
  868. goto err;
  869. }
  870. /* wvalue will be an odd number < 2^window */
  871. if (!BN_mod_mul(r,r,val[wvalue>>1],m,ctx))
  872. goto err;
  873. /* move the 'window' down further */
  874. wstart-=wend+1;
  875. wvalue=0;
  876. start=0;
  877. if (wstart < 0) break;
  878. }
  879. ret=1;
  880. err:
  881. BN_CTX_end(ctx);
  882. bn_check_top(r);
  883. return(ret);
  884. }