2
0

bn_gf2m.c 29 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091
  1. /* crypto/bn/bn_gf2m.c */
  2. /* ====================================================================
  3. * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  4. *
  5. * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
  6. * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
  7. * to the OpenSSL project.
  8. *
  9. * The ECC Code is licensed pursuant to the OpenSSL open source
  10. * license provided below.
  11. *
  12. * In addition, Sun covenants to all licensees who provide a reciprocal
  13. * covenant with respect to their own patents if any, not to sue under
  14. * current and future patent claims necessarily infringed by the making,
  15. * using, practicing, selling, offering for sale and/or otherwise
  16. * disposing of the ECC Code as delivered hereunder (or portions thereof),
  17. * provided that such covenant shall not apply:
  18. * 1) for code that a licensee deletes from the ECC Code;
  19. * 2) separates from the ECC Code; or
  20. * 3) for infringements caused by:
  21. * i) the modification of the ECC Code or
  22. * ii) the combination of the ECC Code with other software or
  23. * devices where such combination causes the infringement.
  24. *
  25. * The software is originally written by Sheueling Chang Shantz and
  26. * Douglas Stebila of Sun Microsystems Laboratories.
  27. *
  28. */
  29. /* NOTE: This file is licensed pursuant to the OpenSSL license below
  30. * and may be modified; but after modifications, the above covenant
  31. * may no longer apply! In such cases, the corresponding paragraph
  32. * ["In addition, Sun covenants ... causes the infringement."] and
  33. * this note can be edited out; but please keep the Sun copyright
  34. * notice and attribution. */
  35. /* ====================================================================
  36. * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
  37. *
  38. * Redistribution and use in source and binary forms, with or without
  39. * modification, are permitted provided that the following conditions
  40. * are met:
  41. *
  42. * 1. Redistributions of source code must retain the above copyright
  43. * notice, this list of conditions and the following disclaimer.
  44. *
  45. * 2. Redistributions in binary form must reproduce the above copyright
  46. * notice, this list of conditions and the following disclaimer in
  47. * the documentation and/or other materials provided with the
  48. * distribution.
  49. *
  50. * 3. All advertising materials mentioning features or use of this
  51. * software must display the following acknowledgment:
  52. * "This product includes software developed by the OpenSSL Project
  53. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  54. *
  55. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  56. * endorse or promote products derived from this software without
  57. * prior written permission. For written permission, please contact
  58. * openssl-core@openssl.org.
  59. *
  60. * 5. Products derived from this software may not be called "OpenSSL"
  61. * nor may "OpenSSL" appear in their names without prior written
  62. * permission of the OpenSSL Project.
  63. *
  64. * 6. Redistributions of any form whatsoever must retain the following
  65. * acknowledgment:
  66. * "This product includes software developed by the OpenSSL Project
  67. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  68. *
  69. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  70. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  71. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  72. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  73. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  74. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  75. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  76. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  77. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  78. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  79. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  80. * OF THE POSSIBILITY OF SUCH DAMAGE.
  81. * ====================================================================
  82. *
  83. * This product includes cryptographic software written by Eric Young
  84. * (eay@cryptsoft.com). This product includes software written by Tim
  85. * Hudson (tjh@cryptsoft.com).
  86. *
  87. */
  88. #include <assert.h>
  89. #include <limits.h>
  90. #include <stdio.h>
  91. #include "cryptlib.h"
  92. #include "bn_lcl.h"
  93. /* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should fail. */
  94. #define MAX_ITERATIONS 50
  95. static const BN_ULONG SQR_tb[16] =
  96. { 0, 1, 4, 5, 16, 17, 20, 21,
  97. 64, 65, 68, 69, 80, 81, 84, 85 };
  98. /* Platform-specific macros to accelerate squaring. */
  99. #if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
  100. #define SQR1(w) \
  101. SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
  102. SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
  103. SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
  104. SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF]
  105. #define SQR0(w) \
  106. SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
  107. SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
  108. SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
  109. SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
  110. #endif
  111. #ifdef THIRTY_TWO_BIT
  112. #define SQR1(w) \
  113. SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
  114. SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF]
  115. #define SQR0(w) \
  116. SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
  117. SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
  118. #endif
  119. #ifdef SIXTEEN_BIT
  120. #define SQR1(w) \
  121. SQR_tb[(w) >> 12 & 0xF] << 8 | SQR_tb[(w) >> 8 & 0xF]
  122. #define SQR0(w) \
  123. SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
  124. #endif
  125. #ifdef EIGHT_BIT
  126. #define SQR1(w) \
  127. SQR_tb[(w) >> 4 & 0xF]
  128. #define SQR0(w) \
  129. SQR_tb[(w) & 15]
  130. #endif
  131. /* Product of two polynomials a, b each with degree < BN_BITS2 - 1,
  132. * result is a polynomial r with degree < 2 * BN_BITS - 1
  133. * The caller MUST ensure that the variables have the right amount
  134. * of space allocated.
  135. */
  136. #ifdef EIGHT_BIT
  137. static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
  138. {
  139. register BN_ULONG h, l, s;
  140. BN_ULONG tab[4], top1b = a >> 7;
  141. register BN_ULONG a1, a2;
  142. a1 = a & (0x7F); a2 = a1 << 1;
  143. tab[0] = 0; tab[1] = a1; tab[2] = a2; tab[3] = a1^a2;
  144. s = tab[b & 0x3]; l = s;
  145. s = tab[b >> 2 & 0x3]; l ^= s << 2; h = s >> 6;
  146. s = tab[b >> 4 & 0x3]; l ^= s << 4; h ^= s >> 4;
  147. s = tab[b >> 6 ]; l ^= s << 6; h ^= s >> 2;
  148. /* compensate for the top bit of a */
  149. if (top1b & 01) { l ^= b << 7; h ^= b >> 1; }
  150. *r1 = h; *r0 = l;
  151. }
  152. #endif
  153. #ifdef SIXTEEN_BIT
  154. static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
  155. {
  156. register BN_ULONG h, l, s;
  157. BN_ULONG tab[4], top1b = a >> 15;
  158. register BN_ULONG a1, a2;
  159. a1 = a & (0x7FFF); a2 = a1 << 1;
  160. tab[0] = 0; tab[1] = a1; tab[2] = a2; tab[3] = a1^a2;
  161. s = tab[b & 0x3]; l = s;
  162. s = tab[b >> 2 & 0x3]; l ^= s << 2; h = s >> 14;
  163. s = tab[b >> 4 & 0x3]; l ^= s << 4; h ^= s >> 12;
  164. s = tab[b >> 6 & 0x3]; l ^= s << 6; h ^= s >> 10;
  165. s = tab[b >> 8 & 0x3]; l ^= s << 8; h ^= s >> 8;
  166. s = tab[b >>10 & 0x3]; l ^= s << 10; h ^= s >> 6;
  167. s = tab[b >>12 & 0x3]; l ^= s << 12; h ^= s >> 4;
  168. s = tab[b >>14 ]; l ^= s << 14; h ^= s >> 2;
  169. /* compensate for the top bit of a */
  170. if (top1b & 01) { l ^= b << 15; h ^= b >> 1; }
  171. *r1 = h; *r0 = l;
  172. }
  173. #endif
  174. #ifdef THIRTY_TWO_BIT
  175. static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
  176. {
  177. register BN_ULONG h, l, s;
  178. BN_ULONG tab[8], top2b = a >> 30;
  179. register BN_ULONG a1, a2, a4;
  180. a1 = a & (0x3FFFFFFF); a2 = a1 << 1; a4 = a2 << 1;
  181. tab[0] = 0; tab[1] = a1; tab[2] = a2; tab[3] = a1^a2;
  182. tab[4] = a4; tab[5] = a1^a4; tab[6] = a2^a4; tab[7] = a1^a2^a4;
  183. s = tab[b & 0x7]; l = s;
  184. s = tab[b >> 3 & 0x7]; l ^= s << 3; h = s >> 29;
  185. s = tab[b >> 6 & 0x7]; l ^= s << 6; h ^= s >> 26;
  186. s = tab[b >> 9 & 0x7]; l ^= s << 9; h ^= s >> 23;
  187. s = tab[b >> 12 & 0x7]; l ^= s << 12; h ^= s >> 20;
  188. s = tab[b >> 15 & 0x7]; l ^= s << 15; h ^= s >> 17;
  189. s = tab[b >> 18 & 0x7]; l ^= s << 18; h ^= s >> 14;
  190. s = tab[b >> 21 & 0x7]; l ^= s << 21; h ^= s >> 11;
  191. s = tab[b >> 24 & 0x7]; l ^= s << 24; h ^= s >> 8;
  192. s = tab[b >> 27 & 0x7]; l ^= s << 27; h ^= s >> 5;
  193. s = tab[b >> 30 ]; l ^= s << 30; h ^= s >> 2;
  194. /* compensate for the top two bits of a */
  195. if (top2b & 01) { l ^= b << 30; h ^= b >> 2; }
  196. if (top2b & 02) { l ^= b << 31; h ^= b >> 1; }
  197. *r1 = h; *r0 = l;
  198. }
  199. #endif
  200. #if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
  201. static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
  202. {
  203. register BN_ULONG h, l, s;
  204. BN_ULONG tab[16], top3b = a >> 61;
  205. register BN_ULONG a1, a2, a4, a8;
  206. a1 = a & (0x1FFFFFFFFFFFFFFFULL); a2 = a1 << 1; a4 = a2 << 1; a8 = a4 << 1;
  207. tab[ 0] = 0; tab[ 1] = a1; tab[ 2] = a2; tab[ 3] = a1^a2;
  208. tab[ 4] = a4; tab[ 5] = a1^a4; tab[ 6] = a2^a4; tab[ 7] = a1^a2^a4;
  209. tab[ 8] = a8; tab[ 9] = a1^a8; tab[10] = a2^a8; tab[11] = a1^a2^a8;
  210. tab[12] = a4^a8; tab[13] = a1^a4^a8; tab[14] = a2^a4^a8; tab[15] = a1^a2^a4^a8;
  211. s = tab[b & 0xF]; l = s;
  212. s = tab[b >> 4 & 0xF]; l ^= s << 4; h = s >> 60;
  213. s = tab[b >> 8 & 0xF]; l ^= s << 8; h ^= s >> 56;
  214. s = tab[b >> 12 & 0xF]; l ^= s << 12; h ^= s >> 52;
  215. s = tab[b >> 16 & 0xF]; l ^= s << 16; h ^= s >> 48;
  216. s = tab[b >> 20 & 0xF]; l ^= s << 20; h ^= s >> 44;
  217. s = tab[b >> 24 & 0xF]; l ^= s << 24; h ^= s >> 40;
  218. s = tab[b >> 28 & 0xF]; l ^= s << 28; h ^= s >> 36;
  219. s = tab[b >> 32 & 0xF]; l ^= s << 32; h ^= s >> 32;
  220. s = tab[b >> 36 & 0xF]; l ^= s << 36; h ^= s >> 28;
  221. s = tab[b >> 40 & 0xF]; l ^= s << 40; h ^= s >> 24;
  222. s = tab[b >> 44 & 0xF]; l ^= s << 44; h ^= s >> 20;
  223. s = tab[b >> 48 & 0xF]; l ^= s << 48; h ^= s >> 16;
  224. s = tab[b >> 52 & 0xF]; l ^= s << 52; h ^= s >> 12;
  225. s = tab[b >> 56 & 0xF]; l ^= s << 56; h ^= s >> 8;
  226. s = tab[b >> 60 ]; l ^= s << 60; h ^= s >> 4;
  227. /* compensate for the top three bits of a */
  228. if (top3b & 01) { l ^= b << 61; h ^= b >> 3; }
  229. if (top3b & 02) { l ^= b << 62; h ^= b >> 2; }
  230. if (top3b & 04) { l ^= b << 63; h ^= b >> 1; }
  231. *r1 = h; *r0 = l;
  232. }
  233. #endif
  234. /* Product of two polynomials a, b each with degree < 2 * BN_BITS2 - 1,
  235. * result is a polynomial r with degree < 4 * BN_BITS2 - 1
  236. * The caller MUST ensure that the variables have the right amount
  237. * of space allocated.
  238. */
  239. static void bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0, const BN_ULONG b1, const BN_ULONG b0)
  240. {
  241. BN_ULONG m1, m0;
  242. /* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */
  243. bn_GF2m_mul_1x1(r+3, r+2, a1, b1);
  244. bn_GF2m_mul_1x1(r+1, r, a0, b0);
  245. bn_GF2m_mul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1);
  246. /* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */
  247. r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */
  248. r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */
  249. }
  250. /* Add polynomials a and b and store result in r; r could be a or b, a and b
  251. * could be equal; r is the bitwise XOR of a and b.
  252. */
  253. int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
  254. {
  255. int i;
  256. const BIGNUM *at, *bt;
  257. bn_check_top(a);
  258. bn_check_top(b);
  259. if (a->top < b->top) { at = b; bt = a; }
  260. else { at = a; bt = b; }
  261. bn_wexpand(r, at->top);
  262. for (i = 0; i < bt->top; i++)
  263. {
  264. r->d[i] = at->d[i] ^ bt->d[i];
  265. }
  266. for (; i < at->top; i++)
  267. {
  268. r->d[i] = at->d[i];
  269. }
  270. r->top = at->top;
  271. bn_correct_top(r);
  272. return 1;
  273. }
  274. /* Some functions allow for representation of the irreducible polynomials
  275. * as an int[], say p. The irreducible f(t) is then of the form:
  276. * t^p[0] + t^p[1] + ... + t^p[k]
  277. * where m = p[0] > p[1] > ... > p[k] = 0.
  278. */
  279. /* Performs modular reduction of a and store result in r. r could be a. */
  280. int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
  281. {
  282. int j, k;
  283. int n, dN, d0, d1;
  284. BN_ULONG zz, *z;
  285. bn_check_top(a);
  286. if (!p[0])
  287. {
  288. /* reduction mod 1 => return 0 */
  289. BN_zero(r);
  290. return 1;
  291. }
  292. /* Since the algorithm does reduction in the r value, if a != r, copy
  293. * the contents of a into r so we can do reduction in r.
  294. */
  295. if (a != r)
  296. {
  297. if (!bn_wexpand(r, a->top)) return 0;
  298. for (j = 0; j < a->top; j++)
  299. {
  300. r->d[j] = a->d[j];
  301. }
  302. r->top = a->top;
  303. }
  304. z = r->d;
  305. /* start reduction */
  306. dN = p[0] / BN_BITS2;
  307. for (j = r->top - 1; j > dN;)
  308. {
  309. zz = z[j];
  310. if (z[j] == 0) { j--; continue; }
  311. z[j] = 0;
  312. for (k = 1; p[k] != 0; k++)
  313. {
  314. /* reducing component t^p[k] */
  315. n = p[0] - p[k];
  316. d0 = n % BN_BITS2; d1 = BN_BITS2 - d0;
  317. n /= BN_BITS2;
  318. z[j-n] ^= (zz>>d0);
  319. if (d0) z[j-n-1] ^= (zz<<d1);
  320. }
  321. /* reducing component t^0 */
  322. n = dN;
  323. d0 = p[0] % BN_BITS2;
  324. d1 = BN_BITS2 - d0;
  325. z[j-n] ^= (zz >> d0);
  326. if (d0) z[j-n-1] ^= (zz << d1);
  327. }
  328. /* final round of reduction */
  329. while (j == dN)
  330. {
  331. d0 = p[0] % BN_BITS2;
  332. zz = z[dN] >> d0;
  333. if (zz == 0) break;
  334. d1 = BN_BITS2 - d0;
  335. if (d0) z[dN] = (z[dN] << d1) >> d1; /* clear up the top d1 bits */
  336. z[0] ^= zz; /* reduction t^0 component */
  337. for (k = 1; p[k] != 0; k++)
  338. {
  339. BN_ULONG tmp_ulong;
  340. /* reducing component t^p[k]*/
  341. n = p[k] / BN_BITS2;
  342. d0 = p[k] % BN_BITS2;
  343. d1 = BN_BITS2 - d0;
  344. z[n] ^= (zz << d0);
  345. tmp_ulong = zz >> d1;
  346. if (d0 && tmp_ulong)
  347. z[n+1] ^= tmp_ulong;
  348. }
  349. }
  350. bn_correct_top(r);
  351. return 1;
  352. }
  353. /* Performs modular reduction of a by p and store result in r. r could be a.
  354. *
  355. * This function calls down to the BN_GF2m_mod_arr implementation; this wrapper
  356. * function is only provided for convenience; for best performance, use the
  357. * BN_GF2m_mod_arr function.
  358. */
  359. int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
  360. {
  361. int ret = 0;
  362. const int max = BN_num_bits(p);
  363. unsigned int *arr=NULL;
  364. bn_check_top(a);
  365. bn_check_top(p);
  366. if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
  367. ret = BN_GF2m_poly2arr(p, arr, max);
  368. if (!ret || ret > max)
  369. {
  370. BNerr(BN_F_BN_GF2M_MOD,BN_R_INVALID_LENGTH);
  371. goto err;
  372. }
  373. ret = BN_GF2m_mod_arr(r, a, arr);
  374. bn_check_top(r);
  375. err:
  376. if (arr) OPENSSL_free(arr);
  377. return ret;
  378. }
  379. /* Compute the product of two polynomials a and b, reduce modulo p, and store
  380. * the result in r. r could be a or b; a could be b.
  381. */
  382. int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx)
  383. {
  384. int zlen, i, j, k, ret = 0;
  385. BIGNUM *s;
  386. BN_ULONG x1, x0, y1, y0, zz[4];
  387. bn_check_top(a);
  388. bn_check_top(b);
  389. if (a == b)
  390. {
  391. return BN_GF2m_mod_sqr_arr(r, a, p, ctx);
  392. }
  393. BN_CTX_start(ctx);
  394. if ((s = BN_CTX_get(ctx)) == NULL) goto err;
  395. zlen = a->top + b->top + 4;
  396. if (!bn_wexpand(s, zlen)) goto err;
  397. s->top = zlen;
  398. for (i = 0; i < zlen; i++) s->d[i] = 0;
  399. for (j = 0; j < b->top; j += 2)
  400. {
  401. y0 = b->d[j];
  402. y1 = ((j+1) == b->top) ? 0 : b->d[j+1];
  403. for (i = 0; i < a->top; i += 2)
  404. {
  405. x0 = a->d[i];
  406. x1 = ((i+1) == a->top) ? 0 : a->d[i+1];
  407. bn_GF2m_mul_2x2(zz, x1, x0, y1, y0);
  408. for (k = 0; k < 4; k++) s->d[i+j+k] ^= zz[k];
  409. }
  410. }
  411. bn_correct_top(s);
  412. if (BN_GF2m_mod_arr(r, s, p))
  413. ret = 1;
  414. bn_check_top(r);
  415. err:
  416. BN_CTX_end(ctx);
  417. return ret;
  418. }
  419. /* Compute the product of two polynomials a and b, reduce modulo p, and store
  420. * the result in r. r could be a or b; a could equal b.
  421. *
  422. * This function calls down to the BN_GF2m_mod_mul_arr implementation; this wrapper
  423. * function is only provided for convenience; for best performance, use the
  424. * BN_GF2m_mod_mul_arr function.
  425. */
  426. int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx)
  427. {
  428. int ret = 0;
  429. const int max = BN_num_bits(p);
  430. unsigned int *arr=NULL;
  431. bn_check_top(a);
  432. bn_check_top(b);
  433. bn_check_top(p);
  434. if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
  435. ret = BN_GF2m_poly2arr(p, arr, max);
  436. if (!ret || ret > max)
  437. {
  438. BNerr(BN_F_BN_GF2M_MOD_MUL,BN_R_INVALID_LENGTH);
  439. goto err;
  440. }
  441. ret = BN_GF2m_mod_mul_arr(r, a, b, arr, ctx);
  442. bn_check_top(r);
  443. err:
  444. if (arr) OPENSSL_free(arr);
  445. return ret;
  446. }
  447. /* Square a, reduce the result mod p, and store it in a. r could be a. */
  448. int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx)
  449. {
  450. int i, ret = 0;
  451. BIGNUM *s;
  452. bn_check_top(a);
  453. BN_CTX_start(ctx);
  454. if ((s = BN_CTX_get(ctx)) == NULL) return 0;
  455. if (!bn_wexpand(s, 2 * a->top)) goto err;
  456. for (i = a->top - 1; i >= 0; i--)
  457. {
  458. s->d[2*i+1] = SQR1(a->d[i]);
  459. s->d[2*i ] = SQR0(a->d[i]);
  460. }
  461. s->top = 2 * a->top;
  462. bn_correct_top(s);
  463. if (!BN_GF2m_mod_arr(r, s, p)) goto err;
  464. bn_check_top(r);
  465. ret = 1;
  466. err:
  467. BN_CTX_end(ctx);
  468. return ret;
  469. }
  470. /* Square a, reduce the result mod p, and store it in a. r could be a.
  471. *
  472. * This function calls down to the BN_GF2m_mod_sqr_arr implementation; this wrapper
  473. * function is only provided for convenience; for best performance, use the
  474. * BN_GF2m_mod_sqr_arr function.
  475. */
  476. int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
  477. {
  478. int ret = 0;
  479. const int max = BN_num_bits(p);
  480. unsigned int *arr=NULL;
  481. bn_check_top(a);
  482. bn_check_top(p);
  483. if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
  484. ret = BN_GF2m_poly2arr(p, arr, max);
  485. if (!ret || ret > max)
  486. {
  487. BNerr(BN_F_BN_GF2M_MOD_SQR,BN_R_INVALID_LENGTH);
  488. goto err;
  489. }
  490. ret = BN_GF2m_mod_sqr_arr(r, a, arr, ctx);
  491. bn_check_top(r);
  492. err:
  493. if (arr) OPENSSL_free(arr);
  494. return ret;
  495. }
  496. /* Invert a, reduce modulo p, and store the result in r. r could be a.
  497. * Uses Modified Almost Inverse Algorithm (Algorithm 10) from
  498. * Hankerson, D., Hernandez, J.L., and Menezes, A. "Software Implementation
  499. * of Elliptic Curve Cryptography Over Binary Fields".
  500. */
  501. int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
  502. {
  503. BIGNUM *b, *c, *u, *v, *tmp;
  504. int ret = 0;
  505. bn_check_top(a);
  506. bn_check_top(p);
  507. BN_CTX_start(ctx);
  508. b = BN_CTX_get(ctx);
  509. c = BN_CTX_get(ctx);
  510. u = BN_CTX_get(ctx);
  511. v = BN_CTX_get(ctx);
  512. if (v == NULL) goto err;
  513. if (!BN_one(b)) goto err;
  514. if (!BN_GF2m_mod(u, a, p)) goto err;
  515. if (!BN_copy(v, p)) goto err;
  516. if (BN_is_zero(u)) goto err;
  517. while (1)
  518. {
  519. while (!BN_is_odd(u))
  520. {
  521. if (!BN_rshift1(u, u)) goto err;
  522. if (BN_is_odd(b))
  523. {
  524. if (!BN_GF2m_add(b, b, p)) goto err;
  525. }
  526. if (!BN_rshift1(b, b)) goto err;
  527. }
  528. if (BN_abs_is_word(u, 1)) break;
  529. if (BN_num_bits(u) < BN_num_bits(v))
  530. {
  531. tmp = u; u = v; v = tmp;
  532. tmp = b; b = c; c = tmp;
  533. }
  534. if (!BN_GF2m_add(u, u, v)) goto err;
  535. if (!BN_GF2m_add(b, b, c)) goto err;
  536. }
  537. if (!BN_copy(r, b)) goto err;
  538. bn_check_top(r);
  539. ret = 1;
  540. err:
  541. BN_CTX_end(ctx);
  542. return ret;
  543. }
  544. /* Invert xx, reduce modulo p, and store the result in r. r could be xx.
  545. *
  546. * This function calls down to the BN_GF2m_mod_inv implementation; this wrapper
  547. * function is only provided for convenience; for best performance, use the
  548. * BN_GF2m_mod_inv function.
  549. */
  550. int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const unsigned int p[], BN_CTX *ctx)
  551. {
  552. BIGNUM *field;
  553. int ret = 0;
  554. bn_check_top(xx);
  555. BN_CTX_start(ctx);
  556. if ((field = BN_CTX_get(ctx)) == NULL) goto err;
  557. if (!BN_GF2m_arr2poly(p, field)) goto err;
  558. ret = BN_GF2m_mod_inv(r, xx, field, ctx);
  559. bn_check_top(r);
  560. err:
  561. BN_CTX_end(ctx);
  562. return ret;
  563. }
  564. #ifndef OPENSSL_SUN_GF2M_DIV
  565. /* Divide y by x, reduce modulo p, and store the result in r. r could be x
  566. * or y, x could equal y.
  567. */
  568. int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p, BN_CTX *ctx)
  569. {
  570. BIGNUM *xinv = NULL;
  571. int ret = 0;
  572. bn_check_top(y);
  573. bn_check_top(x);
  574. bn_check_top(p);
  575. BN_CTX_start(ctx);
  576. xinv = BN_CTX_get(ctx);
  577. if (xinv == NULL) goto err;
  578. if (!BN_GF2m_mod_inv(xinv, x, p, ctx)) goto err;
  579. if (!BN_GF2m_mod_mul(r, y, xinv, p, ctx)) goto err;
  580. bn_check_top(r);
  581. ret = 1;
  582. err:
  583. BN_CTX_end(ctx);
  584. return ret;
  585. }
  586. #else
  587. /* Divide y by x, reduce modulo p, and store the result in r. r could be x
  588. * or y, x could equal y.
  589. * Uses algorithm Modular_Division_GF(2^m) from
  590. * Chang-Shantz, S. "From Euclid's GCD to Montgomery Multiplication to
  591. * the Great Divide".
  592. */
  593. int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p, BN_CTX *ctx)
  594. {
  595. BIGNUM *a, *b, *u, *v;
  596. int ret = 0;
  597. bn_check_top(y);
  598. bn_check_top(x);
  599. bn_check_top(p);
  600. BN_CTX_start(ctx);
  601. a = BN_CTX_get(ctx);
  602. b = BN_CTX_get(ctx);
  603. u = BN_CTX_get(ctx);
  604. v = BN_CTX_get(ctx);
  605. if (v == NULL) goto err;
  606. /* reduce x and y mod p */
  607. if (!BN_GF2m_mod(u, y, p)) goto err;
  608. if (!BN_GF2m_mod(a, x, p)) goto err;
  609. if (!BN_copy(b, p)) goto err;
  610. while (!BN_is_odd(a))
  611. {
  612. if (!BN_rshift1(a, a)) goto err;
  613. if (BN_is_odd(u)) if (!BN_GF2m_add(u, u, p)) goto err;
  614. if (!BN_rshift1(u, u)) goto err;
  615. }
  616. do
  617. {
  618. if (BN_GF2m_cmp(b, a) > 0)
  619. {
  620. if (!BN_GF2m_add(b, b, a)) goto err;
  621. if (!BN_GF2m_add(v, v, u)) goto err;
  622. do
  623. {
  624. if (!BN_rshift1(b, b)) goto err;
  625. if (BN_is_odd(v)) if (!BN_GF2m_add(v, v, p)) goto err;
  626. if (!BN_rshift1(v, v)) goto err;
  627. } while (!BN_is_odd(b));
  628. }
  629. else if (BN_abs_is_word(a, 1))
  630. break;
  631. else
  632. {
  633. if (!BN_GF2m_add(a, a, b)) goto err;
  634. if (!BN_GF2m_add(u, u, v)) goto err;
  635. do
  636. {
  637. if (!BN_rshift1(a, a)) goto err;
  638. if (BN_is_odd(u)) if (!BN_GF2m_add(u, u, p)) goto err;
  639. if (!BN_rshift1(u, u)) goto err;
  640. } while (!BN_is_odd(a));
  641. }
  642. } while (1);
  643. if (!BN_copy(r, u)) goto err;
  644. bn_check_top(r);
  645. ret = 1;
  646. err:
  647. BN_CTX_end(ctx);
  648. return ret;
  649. }
  650. #endif
  651. /* Divide yy by xx, reduce modulo p, and store the result in r. r could be xx
  652. * or yy, xx could equal yy.
  653. *
  654. * This function calls down to the BN_GF2m_mod_div implementation; this wrapper
  655. * function is only provided for convenience; for best performance, use the
  656. * BN_GF2m_mod_div function.
  657. */
  658. int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx, const unsigned int p[], BN_CTX *ctx)
  659. {
  660. BIGNUM *field;
  661. int ret = 0;
  662. bn_check_top(yy);
  663. bn_check_top(xx);
  664. BN_CTX_start(ctx);
  665. if ((field = BN_CTX_get(ctx)) == NULL) goto err;
  666. if (!BN_GF2m_arr2poly(p, field)) goto err;
  667. ret = BN_GF2m_mod_div(r, yy, xx, field, ctx);
  668. bn_check_top(r);
  669. err:
  670. BN_CTX_end(ctx);
  671. return ret;
  672. }
  673. /* Compute the bth power of a, reduce modulo p, and store
  674. * the result in r. r could be a.
  675. * Uses simple square-and-multiply algorithm A.5.1 from IEEE P1363.
  676. */
  677. int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx)
  678. {
  679. int ret = 0, i, n;
  680. BIGNUM *u;
  681. bn_check_top(a);
  682. bn_check_top(b);
  683. if (BN_is_zero(b))
  684. return(BN_one(r));
  685. if (BN_abs_is_word(b, 1))
  686. return (BN_copy(r, a) != NULL);
  687. BN_CTX_start(ctx);
  688. if ((u = BN_CTX_get(ctx)) == NULL) goto err;
  689. if (!BN_GF2m_mod_arr(u, a, p)) goto err;
  690. n = BN_num_bits(b) - 1;
  691. for (i = n - 1; i >= 0; i--)
  692. {
  693. if (!BN_GF2m_mod_sqr_arr(u, u, p, ctx)) goto err;
  694. if (BN_is_bit_set(b, i))
  695. {
  696. if (!BN_GF2m_mod_mul_arr(u, u, a, p, ctx)) goto err;
  697. }
  698. }
  699. if (!BN_copy(r, u)) goto err;
  700. bn_check_top(r);
  701. ret = 1;
  702. err:
  703. BN_CTX_end(ctx);
  704. return ret;
  705. }
  706. /* Compute the bth power of a, reduce modulo p, and store
  707. * the result in r. r could be a.
  708. *
  709. * This function calls down to the BN_GF2m_mod_exp_arr implementation; this wrapper
  710. * function is only provided for convenience; for best performance, use the
  711. * BN_GF2m_mod_exp_arr function.
  712. */
  713. int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx)
  714. {
  715. int ret = 0;
  716. const int max = BN_num_bits(p);
  717. unsigned int *arr=NULL;
  718. bn_check_top(a);
  719. bn_check_top(b);
  720. bn_check_top(p);
  721. if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
  722. ret = BN_GF2m_poly2arr(p, arr, max);
  723. if (!ret || ret > max)
  724. {
  725. BNerr(BN_F_BN_GF2M_MOD_EXP,BN_R_INVALID_LENGTH);
  726. goto err;
  727. }
  728. ret = BN_GF2m_mod_exp_arr(r, a, b, arr, ctx);
  729. bn_check_top(r);
  730. err:
  731. if (arr) OPENSSL_free(arr);
  732. return ret;
  733. }
  734. /* Compute the square root of a, reduce modulo p, and store
  735. * the result in r. r could be a.
  736. * Uses exponentiation as in algorithm A.4.1 from IEEE P1363.
  737. */
  738. int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx)
  739. {
  740. int ret = 0;
  741. BIGNUM *u;
  742. bn_check_top(a);
  743. if (!p[0])
  744. {
  745. /* reduction mod 1 => return 0 */
  746. BN_zero(r);
  747. return 1;
  748. }
  749. BN_CTX_start(ctx);
  750. if ((u = BN_CTX_get(ctx)) == NULL) goto err;
  751. if (!BN_set_bit(u, p[0] - 1)) goto err;
  752. ret = BN_GF2m_mod_exp_arr(r, a, u, p, ctx);
  753. bn_check_top(r);
  754. err:
  755. BN_CTX_end(ctx);
  756. return ret;
  757. }
  758. /* Compute the square root of a, reduce modulo p, and store
  759. * the result in r. r could be a.
  760. *
  761. * This function calls down to the BN_GF2m_mod_sqrt_arr implementation; this wrapper
  762. * function is only provided for convenience; for best performance, use the
  763. * BN_GF2m_mod_sqrt_arr function.
  764. */
  765. int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
  766. {
  767. int ret = 0;
  768. const int max = BN_num_bits(p);
  769. unsigned int *arr=NULL;
  770. bn_check_top(a);
  771. bn_check_top(p);
  772. if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
  773. ret = BN_GF2m_poly2arr(p, arr, max);
  774. if (!ret || ret > max)
  775. {
  776. BNerr(BN_F_BN_GF2M_MOD_SQRT,BN_R_INVALID_LENGTH);
  777. goto err;
  778. }
  779. ret = BN_GF2m_mod_sqrt_arr(r, a, arr, ctx);
  780. bn_check_top(r);
  781. err:
  782. if (arr) OPENSSL_free(arr);
  783. return ret;
  784. }
  785. /* Find r such that r^2 + r = a mod p. r could be a. If no r exists returns 0.
  786. * Uses algorithms A.4.7 and A.4.6 from IEEE P1363.
  787. */
  788. int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const unsigned int p[], BN_CTX *ctx)
  789. {
  790. int ret = 0, count = 0;
  791. unsigned int j;
  792. BIGNUM *a, *z, *rho, *w, *w2, *tmp;
  793. bn_check_top(a_);
  794. if (!p[0])
  795. {
  796. /* reduction mod 1 => return 0 */
  797. BN_zero(r);
  798. return 1;
  799. }
  800. BN_CTX_start(ctx);
  801. a = BN_CTX_get(ctx);
  802. z = BN_CTX_get(ctx);
  803. w = BN_CTX_get(ctx);
  804. if (w == NULL) goto err;
  805. if (!BN_GF2m_mod_arr(a, a_, p)) goto err;
  806. if (BN_is_zero(a))
  807. {
  808. BN_zero(r);
  809. ret = 1;
  810. goto err;
  811. }
  812. if (p[0] & 0x1) /* m is odd */
  813. {
  814. /* compute half-trace of a */
  815. if (!BN_copy(z, a)) goto err;
  816. for (j = 1; j <= (p[0] - 1) / 2; j++)
  817. {
  818. if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) goto err;
  819. if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) goto err;
  820. if (!BN_GF2m_add(z, z, a)) goto err;
  821. }
  822. }
  823. else /* m is even */
  824. {
  825. rho = BN_CTX_get(ctx);
  826. w2 = BN_CTX_get(ctx);
  827. tmp = BN_CTX_get(ctx);
  828. if (tmp == NULL) goto err;
  829. do
  830. {
  831. if (!BN_rand(rho, p[0], 0, 0)) goto err;
  832. if (!BN_GF2m_mod_arr(rho, rho, p)) goto err;
  833. BN_zero(z);
  834. if (!BN_copy(w, rho)) goto err;
  835. for (j = 1; j <= p[0] - 1; j++)
  836. {
  837. if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) goto err;
  838. if (!BN_GF2m_mod_sqr_arr(w2, w, p, ctx)) goto err;
  839. if (!BN_GF2m_mod_mul_arr(tmp, w2, a, p, ctx)) goto err;
  840. if (!BN_GF2m_add(z, z, tmp)) goto err;
  841. if (!BN_GF2m_add(w, w2, rho)) goto err;
  842. }
  843. count++;
  844. } while (BN_is_zero(w) && (count < MAX_ITERATIONS));
  845. if (BN_is_zero(w))
  846. {
  847. BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR,BN_R_TOO_MANY_ITERATIONS);
  848. goto err;
  849. }
  850. }
  851. if (!BN_GF2m_mod_sqr_arr(w, z, p, ctx)) goto err;
  852. if (!BN_GF2m_add(w, z, w)) goto err;
  853. if (BN_GF2m_cmp(w, a))
  854. {
  855. BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR, BN_R_NO_SOLUTION);
  856. goto err;
  857. }
  858. if (!BN_copy(r, z)) goto err;
  859. bn_check_top(r);
  860. ret = 1;
  861. err:
  862. BN_CTX_end(ctx);
  863. return ret;
  864. }
  865. /* Find r such that r^2 + r = a mod p. r could be a. If no r exists returns 0.
  866. *
  867. * This function calls down to the BN_GF2m_mod_solve_quad_arr implementation; this wrapper
  868. * function is only provided for convenience; for best performance, use the
  869. * BN_GF2m_mod_solve_quad_arr function.
  870. */
  871. int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
  872. {
  873. int ret = 0;
  874. const int max = BN_num_bits(p);
  875. unsigned int *arr=NULL;
  876. bn_check_top(a);
  877. bn_check_top(p);
  878. if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) *
  879. max)) == NULL) goto err;
  880. ret = BN_GF2m_poly2arr(p, arr, max);
  881. if (!ret || ret > max)
  882. {
  883. BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD,BN_R_INVALID_LENGTH);
  884. goto err;
  885. }
  886. ret = BN_GF2m_mod_solve_quad_arr(r, a, arr, ctx);
  887. bn_check_top(r);
  888. err:
  889. if (arr) OPENSSL_free(arr);
  890. return ret;
  891. }
  892. /* Convert the bit-string representation of a polynomial
  893. * ( \sum_{i=0}^n a_i * x^i , where a_0 is *not* zero) into an array
  894. * of integers corresponding to the bits with non-zero coefficient.
  895. * Up to max elements of the array will be filled. Return value is total
  896. * number of coefficients that would be extracted if array was large enough.
  897. */
  898. int BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max)
  899. {
  900. int i, j, k = 0;
  901. BN_ULONG mask;
  902. if (BN_is_zero(a) || !BN_is_bit_set(a, 0))
  903. /* a_0 == 0 => return error (the unsigned int array
  904. * must be terminated by 0)
  905. */
  906. return 0;
  907. for (i = a->top - 1; i >= 0; i--)
  908. {
  909. if (!a->d[i])
  910. /* skip word if a->d[i] == 0 */
  911. continue;
  912. mask = BN_TBIT;
  913. for (j = BN_BITS2 - 1; j >= 0; j--)
  914. {
  915. if (a->d[i] & mask)
  916. {
  917. if (k < max) p[k] = BN_BITS2 * i + j;
  918. k++;
  919. }
  920. mask >>= 1;
  921. }
  922. }
  923. return k;
  924. }
  925. /* Convert the coefficient array representation of a polynomial to a
  926. * bit-string. The array must be terminated by 0.
  927. */
  928. int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a)
  929. {
  930. int i;
  931. bn_check_top(a);
  932. BN_zero(a);
  933. for (i = 0; p[i] != 0; i++)
  934. {
  935. if (BN_set_bit(a, p[i]) == 0)
  936. return 0;
  937. }
  938. BN_set_bit(a, 0);
  939. bn_check_top(a);
  940. return 1;
  941. }