bn_div.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476
  1. /* crypto/bn/bn_div.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. #include <openssl/bn.h>
  59. #include "internal/cryptlib.h"
  60. #include "bn_lcl.h"
  61. /* The old slow way */
  62. #if 0
  63. int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
  64. BN_CTX *ctx)
  65. {
  66. int i, nm, nd;
  67. int ret = 0;
  68. BIGNUM *D;
  69. bn_check_top(m);
  70. bn_check_top(d);
  71. if (BN_is_zero(d)) {
  72. BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
  73. return (0);
  74. }
  75. if (BN_ucmp(m, d) < 0) {
  76. if (rem != NULL) {
  77. if (BN_copy(rem, m) == NULL)
  78. return (0);
  79. }
  80. if (dv != NULL)
  81. BN_zero(dv);
  82. return (1);
  83. }
  84. BN_CTX_start(ctx);
  85. D = BN_CTX_get(ctx);
  86. if (dv == NULL)
  87. dv = BN_CTX_get(ctx);
  88. if (rem == NULL)
  89. rem = BN_CTX_get(ctx);
  90. if (D == NULL || dv == NULL || rem == NULL)
  91. goto end;
  92. nd = BN_num_bits(d);
  93. nm = BN_num_bits(m);
  94. if (BN_copy(D, d) == NULL)
  95. goto end;
  96. if (BN_copy(rem, m) == NULL)
  97. goto end;
  98. /*
  99. * The next 2 are needed so we can do a dv->d[0]|=1 later since
  100. * BN_lshift1 will only work once there is a value :-)
  101. */
  102. BN_zero(dv);
  103. if (bn_wexpand(dv, 1) == NULL)
  104. goto end;
  105. dv->top = 1;
  106. if (!BN_lshift(D, D, nm - nd))
  107. goto end;
  108. for (i = nm - nd; i >= 0; i--) {
  109. if (!BN_lshift1(dv, dv))
  110. goto end;
  111. if (BN_ucmp(rem, D) >= 0) {
  112. dv->d[0] |= 1;
  113. if (!BN_usub(rem, rem, D))
  114. goto end;
  115. }
  116. /* CAN IMPROVE (and have now :=) */
  117. if (!BN_rshift1(D, D))
  118. goto end;
  119. }
  120. rem->neg = BN_is_zero(rem) ? 0 : m->neg;
  121. dv->neg = m->neg ^ d->neg;
  122. ret = 1;
  123. end:
  124. BN_CTX_end(ctx);
  125. return (ret);
  126. }
  127. #else
  128. # if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
  129. && !defined(PEDANTIC) && !defined(BN_DIV3W)
  130. # if defined(__GNUC__) && __GNUC__>=2
  131. # if defined(__i386) || defined (__i386__)
  132. /*-
  133. * There were two reasons for implementing this template:
  134. * - GNU C generates a call to a function (__udivdi3 to be exact)
  135. * in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
  136. * understand why...);
  137. * - divl doesn't only calculate quotient, but also leaves
  138. * remainder in %edx which we can definitely use here:-)
  139. *
  140. * <appro@fy.chalmers.se>
  141. */
  142. # undef bn_div_words
  143. # define bn_div_words(n0,n1,d0) \
  144. ({ asm volatile ( \
  145. "divl %4" \
  146. : "=a"(q), "=d"(rem) \
  147. : "a"(n1), "d"(n0), "g"(d0) \
  148. : "cc"); \
  149. q; \
  150. })
  151. # define REMAINDER_IS_ALREADY_CALCULATED
  152. # elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
  153. /*
  154. * Same story here, but it's 128-bit by 64-bit division. Wow!
  155. * <appro@fy.chalmers.se>
  156. */
  157. # undef bn_div_words
  158. # define bn_div_words(n0,n1,d0) \
  159. ({ asm volatile ( \
  160. "divq %4" \
  161. : "=a"(q), "=d"(rem) \
  162. : "a"(n1), "d"(n0), "g"(d0) \
  163. : "cc"); \
  164. q; \
  165. })
  166. # define REMAINDER_IS_ALREADY_CALCULATED
  167. # endif /* __<cpu> */
  168. # endif /* __GNUC__ */
  169. # endif /* OPENSSL_NO_ASM */
  170. /*-
  171. * BN_div computes dv := num / divisor, rounding towards
  172. * zero, and sets up rm such that dv*divisor + rm = num holds.
  173. * Thus:
  174. * dv->neg == num->neg ^ divisor->neg (unless the result is zero)
  175. * rm->neg == num->neg (unless the remainder is zero)
  176. * If 'dv' or 'rm' is NULL, the respective value is not returned.
  177. */
  178. int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
  179. BN_CTX *ctx)
  180. {
  181. int norm_shift, i, loop;
  182. BIGNUM *tmp, wnum, *snum, *sdiv, *res;
  183. BN_ULONG *resp, *wnump;
  184. BN_ULONG d0, d1;
  185. int num_n, div_n;
  186. int no_branch = 0;
  187. /*
  188. * Invalid zero-padding would have particularly bad consequences so don't
  189. * just rely on bn_check_top() here (bn_check_top() works only for
  190. * BN_DEBUG builds)
  191. */
  192. if ((num->top > 0 && num->d[num->top - 1] == 0) ||
  193. (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
  194. BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
  195. return 0;
  196. }
  197. bn_check_top(num);
  198. bn_check_top(divisor);
  199. if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
  200. || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
  201. no_branch = 1;
  202. }
  203. bn_check_top(dv);
  204. bn_check_top(rm);
  205. /*- bn_check_top(num); *//*
  206. * 'num' has been checked already
  207. */
  208. /*- bn_check_top(divisor); *//*
  209. * 'divisor' has been checked already
  210. */
  211. if (BN_is_zero(divisor)) {
  212. BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
  213. return (0);
  214. }
  215. if (!no_branch && BN_ucmp(num, divisor) < 0) {
  216. if (rm != NULL) {
  217. if (BN_copy(rm, num) == NULL)
  218. return (0);
  219. }
  220. if (dv != NULL)
  221. BN_zero(dv);
  222. return (1);
  223. }
  224. BN_CTX_start(ctx);
  225. tmp = BN_CTX_get(ctx);
  226. snum = BN_CTX_get(ctx);
  227. sdiv = BN_CTX_get(ctx);
  228. if (dv == NULL)
  229. res = BN_CTX_get(ctx);
  230. else
  231. res = dv;
  232. if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL)
  233. goto err;
  234. /* First we normalise the numbers */
  235. norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
  236. if (!(BN_lshift(sdiv, divisor, norm_shift)))
  237. goto err;
  238. sdiv->neg = 0;
  239. norm_shift += BN_BITS2;
  240. if (!(BN_lshift(snum, num, norm_shift)))
  241. goto err;
  242. snum->neg = 0;
  243. if (no_branch) {
  244. /*
  245. * Since we don't know whether snum is larger than sdiv, we pad snum
  246. * with enough zeroes without changing its value.
  247. */
  248. if (snum->top <= sdiv->top + 1) {
  249. if (bn_wexpand(snum, sdiv->top + 2) == NULL)
  250. goto err;
  251. for (i = snum->top; i < sdiv->top + 2; i++)
  252. snum->d[i] = 0;
  253. snum->top = sdiv->top + 2;
  254. } else {
  255. if (bn_wexpand(snum, snum->top + 1) == NULL)
  256. goto err;
  257. snum->d[snum->top] = 0;
  258. snum->top++;
  259. }
  260. }
  261. div_n = sdiv->top;
  262. num_n = snum->top;
  263. loop = num_n - div_n;
  264. /*
  265. * Lets setup a 'window' into snum This is the part that corresponds to
  266. * the current 'area' being divided
  267. */
  268. wnum.neg = 0;
  269. wnum.d = &(snum->d[loop]);
  270. wnum.top = div_n;
  271. /*
  272. * only needed when BN_ucmp messes up the values between top and max
  273. */
  274. wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
  275. /* Get the top 2 words of sdiv */
  276. /* div_n=sdiv->top; */
  277. d0 = sdiv->d[div_n - 1];
  278. d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
  279. /* pointer to the 'top' of snum */
  280. wnump = &(snum->d[num_n - 1]);
  281. /* Setup to 'res' */
  282. res->neg = (num->neg ^ divisor->neg);
  283. if (!bn_wexpand(res, (loop + 1)))
  284. goto err;
  285. res->top = loop - no_branch;
  286. resp = &(res->d[loop - 1]);
  287. /* space for temp */
  288. if (!bn_wexpand(tmp, (div_n + 1)))
  289. goto err;
  290. if (!no_branch) {
  291. if (BN_ucmp(&wnum, sdiv) >= 0) {
  292. /*
  293. * If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
  294. * the const bignum arguments => clean the values between top and
  295. * max again
  296. */
  297. bn_clear_top2max(&wnum);
  298. bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
  299. *resp = 1;
  300. } else
  301. res->top--;
  302. }
  303. /*
  304. * if res->top == 0 then clear the neg value otherwise decrease the resp
  305. * pointer
  306. */
  307. if (res->top == 0)
  308. res->neg = 0;
  309. else
  310. resp--;
  311. for (i = 0; i < loop - 1; i++, wnump--, resp--) {
  312. BN_ULONG q, l0;
  313. /*
  314. * the first part of the loop uses the top two words of snum and sdiv
  315. * to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
  316. */
  317. # if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
  318. BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
  319. q = bn_div_3_words(wnump, d1, d0);
  320. # else
  321. BN_ULONG n0, n1, rem = 0;
  322. n0 = wnump[0];
  323. n1 = wnump[-1];
  324. if (n0 == d0)
  325. q = BN_MASK2;
  326. else { /* n0 < d0 */
  327. # ifdef BN_LLONG
  328. BN_ULLONG t2;
  329. # if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
  330. q = (BN_ULONG)(((((BN_ULLONG) n0) << BN_BITS2) | n1) / d0);
  331. # else
  332. q = bn_div_words(n0, n1, d0);
  333. # ifdef BN_DEBUG_LEVITTE
  334. fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
  335. X) -> 0x%08X\n", n0, n1, d0, q);
  336. # endif
  337. # endif
  338. # ifndef REMAINDER_IS_ALREADY_CALCULATED
  339. /*
  340. * rem doesn't have to be BN_ULLONG. The least we
  341. * know it's less that d0, isn't it?
  342. */
  343. rem = (n1 - q * d0) & BN_MASK2;
  344. # endif
  345. t2 = (BN_ULLONG) d1 *q;
  346. for (;;) {
  347. if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
  348. break;
  349. q--;
  350. rem += d0;
  351. if (rem < d0)
  352. break; /* don't let rem overflow */
  353. t2 -= d1;
  354. }
  355. # else /* !BN_LLONG */
  356. BN_ULONG t2l, t2h;
  357. q = bn_div_words(n0, n1, d0);
  358. # ifdef BN_DEBUG_LEVITTE
  359. fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
  360. X) -> 0x%08X\n", n0, n1, d0, q);
  361. # endif
  362. # ifndef REMAINDER_IS_ALREADY_CALCULATED
  363. rem = (n1 - q * d0) & BN_MASK2;
  364. # endif
  365. # if defined(BN_UMULT_LOHI)
  366. BN_UMULT_LOHI(t2l, t2h, d1, q);
  367. # elif defined(BN_UMULT_HIGH)
  368. t2l = d1 * q;
  369. t2h = BN_UMULT_HIGH(d1, q);
  370. # else
  371. {
  372. BN_ULONG ql, qh;
  373. t2l = LBITS(d1);
  374. t2h = HBITS(d1);
  375. ql = LBITS(q);
  376. qh = HBITS(q);
  377. mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
  378. }
  379. # endif
  380. for (;;) {
  381. if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
  382. break;
  383. q--;
  384. rem += d0;
  385. if (rem < d0)
  386. break; /* don't let rem overflow */
  387. if (t2l < d1)
  388. t2h--;
  389. t2l -= d1;
  390. }
  391. # endif /* !BN_LLONG */
  392. }
  393. # endif /* !BN_DIV3W */
  394. l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
  395. tmp->d[div_n] = l0;
  396. wnum.d--;
  397. /*
  398. * ingore top values of the bignums just sub the two BN_ULONG arrays
  399. * with bn_sub_words
  400. */
  401. if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
  402. /*
  403. * Note: As we have considered only the leading two BN_ULONGs in
  404. * the calculation of q, sdiv * q might be greater than wnum (but
  405. * then (q-1) * sdiv is less or equal than wnum)
  406. */
  407. q--;
  408. if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
  409. /*
  410. * we can't have an overflow here (assuming that q != 0, but
  411. * if q == 0 then tmp is zero anyway)
  412. */
  413. (*wnump)++;
  414. }
  415. /* store part of the result */
  416. *resp = q;
  417. }
  418. bn_correct_top(snum);
  419. if (rm != NULL) {
  420. /*
  421. * Keep a copy of the neg flag in num because if rm==num BN_rshift()
  422. * will overwrite it.
  423. */
  424. int neg = num->neg;
  425. BN_rshift(rm, snum, norm_shift);
  426. if (!BN_is_zero(rm))
  427. rm->neg = neg;
  428. bn_check_top(rm);
  429. }
  430. if (no_branch)
  431. bn_correct_top(res);
  432. BN_CTX_end(ctx);
  433. return (1);
  434. err:
  435. bn_check_top(rm);
  436. BN_CTX_end(ctx);
  437. return (0);
  438. }
  439. #endif