bn_lcl.h 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683
  1. /* crypto/bn/bn_lcl.h */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #ifndef HEADER_BN_LCL_H
  112. # define HEADER_BN_LCL_H
  113. # include "internal/bn_int.h"
  114. #ifdef __cplusplus
  115. extern "C" {
  116. #endif
  117. /*-
  118. * Bignum consistency macros
  119. * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
  120. * bignum data after direct manipulations on the data. There is also an
  121. * "internal" macro, bn_check_top(), for verifying that there are no leading
  122. * zeroes. Unfortunately, some auditing is required due to the fact that
  123. * bn_fix_top() has become an overabused duct-tape because bignum data is
  124. * occasionally passed around in an inconsistent state. So the following
  125. * changes have been made to sort this out;
  126. * - bn_fix_top()s implementation has been moved to bn_correct_top()
  127. * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
  128. * bn_check_top() is as before.
  129. * - if BN_DEBUG *is* defined;
  130. * - bn_check_top() tries to pollute unused words even if the bignum 'top' is
  131. * consistent. (ed: only if BN_DEBUG_RAND is defined)
  132. * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
  133. * The idea is to have debug builds flag up inconsistent bignums when they
  134. * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
  135. * the use of bn_fix_top() was appropriate (ie. it follows directly after code
  136. * that manipulates the bignum) it is converted to bn_correct_top(), and if it
  137. * was not appropriate, we convert it permanently to bn_check_top() and track
  138. * down the cause of the bug. Eventually, no internal code should be using the
  139. * bn_fix_top() macro. External applications and libraries should try this with
  140. * their own code too, both in terms of building against the openssl headers
  141. * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
  142. * defined. This not only improves external code, it provides more test
  143. * coverage for openssl's own code.
  144. */
  145. # ifdef BN_DEBUG
  146. /* We only need assert() when debugging */
  147. # include <assert.h>
  148. # ifdef BN_DEBUG_RAND
  149. /* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
  150. # ifndef RAND_pseudo_bytes
  151. int RAND_pseudo_bytes(unsigned char *buf, int num);
  152. # define BN_DEBUG_TRIX
  153. # endif
  154. # define bn_pollute(a) \
  155. do { \
  156. const BIGNUM *_bnum1 = (a); \
  157. if(_bnum1->top < _bnum1->dmax) { \
  158. unsigned char _tmp_char; \
  159. /* We cast away const without the compiler knowing, any \
  160. * *genuinely* constant variables that aren't mutable \
  161. * wouldn't be constructed with top!=dmax. */ \
  162. BN_ULONG *_not_const; \
  163. memcpy(&_not_const, &_bnum1->d, sizeof(_not_const)); \
  164. RAND_bytes(&_tmp_char, 1); /* Debug only - safe to ignore error return */\
  165. memset(_not_const + _bnum1->top, _tmp_char, \
  166. sizeof(*_not_const) * (_bnum1->dmax - _bnum1->top)); \
  167. } \
  168. } while(0)
  169. # ifdef BN_DEBUG_TRIX
  170. # undef RAND_pseudo_bytes
  171. # endif
  172. # else
  173. # define bn_pollute(a)
  174. # endif
  175. # define bn_check_top(a) \
  176. do { \
  177. const BIGNUM *_bnum2 = (a); \
  178. if (_bnum2 != NULL) { \
  179. assert((_bnum2->top == 0) || \
  180. (_bnum2->d[_bnum2->top - 1] != 0)); \
  181. bn_pollute(_bnum2); \
  182. } \
  183. } while(0)
  184. # define bn_fix_top(a) bn_check_top(a)
  185. # define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
  186. # define bn_wcheck_size(bn, words) \
  187. do { \
  188. const BIGNUM *_bnum2 = (bn); \
  189. assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \
  190. /* avoid unused variable warning with NDEBUG */ \
  191. (void)(_bnum2); \
  192. } while(0)
  193. # else /* !BN_DEBUG */
  194. # define bn_pollute(a)
  195. # define bn_check_top(a)
  196. # define bn_fix_top(a) bn_correct_top(a)
  197. # define bn_check_size(bn, bits)
  198. # define bn_wcheck_size(bn, words)
  199. # endif
  200. BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
  201. BN_ULONG w);
  202. BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
  203. void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
  204. BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
  205. BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
  206. int num);
  207. BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
  208. int num);
  209. struct bignum_st {
  210. BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit
  211. * chunks. */
  212. int top; /* Index of last used d +1. */
  213. /* The next are internal book keeping for bn_expand. */
  214. int dmax; /* Size of the d array. */
  215. int neg; /* one if the number is negative */
  216. int flags;
  217. };
  218. /* Used for montgomery multiplication */
  219. struct bn_mont_ctx_st {
  220. int ri; /* number of bits in R */
  221. BIGNUM RR; /* used to convert to montgomery form */
  222. BIGNUM N; /* The modulus */
  223. BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 (Ni is only
  224. * stored for bignum algorithm) */
  225. BN_ULONG n0[2]; /* least significant word(s) of Ni; (type
  226. * changed with 0.9.9, was "BN_ULONG n0;"
  227. * before) */
  228. int flags;
  229. };
  230. /*
  231. * Used for reciprocal division/mod functions It cannot be shared between
  232. * threads
  233. */
  234. struct bn_recp_ctx_st {
  235. BIGNUM N; /* the divisor */
  236. BIGNUM Nr; /* the reciprocal */
  237. int num_bits;
  238. int shift;
  239. int flags;
  240. };
  241. /* Used for slow "generation" functions. */
  242. struct bn_gencb_st {
  243. unsigned int ver; /* To handle binary (in)compatibility */
  244. void *arg; /* callback-specific data */
  245. union {
  246. /* if(ver==1) - handles old style callbacks */
  247. void (*cb_1) (int, int, void *);
  248. /* if(ver==2) - new callback style */
  249. int (*cb_2) (int, int, BN_GENCB *);
  250. } cb;
  251. };
  252. /*-
  253. * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
  254. *
  255. *
  256. * For window size 'w' (w >= 2) and a random 'b' bits exponent,
  257. * the number of multiplications is a constant plus on average
  258. *
  259. * 2^(w-1) + (b-w)/(w+1);
  260. *
  261. * here 2^(w-1) is for precomputing the table (we actually need
  262. * entries only for windows that have the lowest bit set), and
  263. * (b-w)/(w+1) is an approximation for the expected number of
  264. * w-bit windows, not counting the first one.
  265. *
  266. * Thus we should use
  267. *
  268. * w >= 6 if b > 671
  269. * w = 5 if 671 > b > 239
  270. * w = 4 if 239 > b > 79
  271. * w = 3 if 79 > b > 23
  272. * w <= 2 if 23 > b
  273. *
  274. * (with draws in between). Very small exponents are often selected
  275. * with low Hamming weight, so we use w = 1 for b <= 23.
  276. */
  277. # define BN_window_bits_for_exponent_size(b) \
  278. ((b) > 671 ? 6 : \
  279. (b) > 239 ? 5 : \
  280. (b) > 79 ? 4 : \
  281. (b) > 23 ? 3 : 1)
  282. /*
  283. * BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
  284. * line width of the target processor is at least the following value.
  285. */
  286. # define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
  287. # define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
  288. /*
  289. * Window sizes optimized for fixed window size modular exponentiation
  290. * algorithm (BN_mod_exp_mont_consttime). To achieve the security goals of
  291. * BN_mode_exp_mont_consttime, the maximum size of the window must not exceed
  292. * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). Window size thresholds are
  293. * defined for cache line sizes of 32 and 64, cache line sizes where
  294. * log_2(32)=5 and log_2(64)=6 respectively. A window size of 7 should only be
  295. * used on processors that have a 128 byte or greater cache line size.
  296. */
  297. # if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
  298. # define BN_window_bits_for_ctime_exponent_size(b) \
  299. ((b) > 937 ? 6 : \
  300. (b) > 306 ? 5 : \
  301. (b) > 89 ? 4 : \
  302. (b) > 22 ? 3 : 1)
  303. # define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6)
  304. # elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
  305. # define BN_window_bits_for_ctime_exponent_size(b) \
  306. ((b) > 306 ? 5 : \
  307. (b) > 89 ? 4 : \
  308. (b) > 22 ? 3 : 1)
  309. # define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5)
  310. # endif
  311. /* Pentium pro 16,16,16,32,64 */
  312. /* Alpha 16,16,16,16.64 */
  313. # define BN_MULL_SIZE_NORMAL (16)/* 32 */
  314. # define BN_MUL_RECURSIVE_SIZE_NORMAL (16)/* 32 less than */
  315. # define BN_SQR_RECURSIVE_SIZE_NORMAL (16)/* 32 */
  316. # define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32)/* 32 */
  317. # define BN_MONT_CTX_SET_SIZE_WORD (64)/* 32 */
  318. /*
  319. * 2011-02-22 SMS. In various places, a size_t variable or a type cast to
  320. * size_t was used to perform integer-only operations on pointers. This
  321. * failed on VMS with 64-bit pointers (CC /POINTER_SIZE = 64) because size_t
  322. * is still only 32 bits. What's needed in these cases is an integer type
  323. * with the same size as a pointer, which size_t is not certain to be. The
  324. * only fix here is VMS-specific.
  325. */
  326. # if defined(OPENSSL_SYS_VMS)
  327. # if __INITIAL_POINTER_SIZE == 64
  328. # define PTR_SIZE_INT long long
  329. # else /* __INITIAL_POINTER_SIZE == 64 */
  330. # define PTR_SIZE_INT int
  331. # endif /* __INITIAL_POINTER_SIZE == 64 [else] */
  332. # elif !defined(PTR_SIZE_INT) /* defined(OPENSSL_SYS_VMS) */
  333. # define PTR_SIZE_INT size_t
  334. # endif /* defined(OPENSSL_SYS_VMS) [else] */
  335. # if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
  336. /*
  337. * BN_UMULT_HIGH section.
  338. *
  339. * No, I'm not trying to overwhelm you when stating that the
  340. * product of N-bit numbers is 2*N bits wide:-) No, I don't expect
  341. * you to be impressed when I say that if the compiler doesn't
  342. * support 2*N integer type, then you have to replace every N*N
  343. * multiplication with 4 (N/2)*(N/2) accompanied by some shifts
  344. * and additions which unavoidably results in severe performance
  345. * penalties. Of course provided that the hardware is capable of
  346. * producing 2*N result... That's when you normally start
  347. * considering assembler implementation. However! It should be
  348. * pointed out that some CPUs (most notably Alpha, PowerPC and
  349. * upcoming IA-64 family:-) provide *separate* instruction
  350. * calculating the upper half of the product placing the result
  351. * into a general purpose register. Now *if* the compiler supports
  352. * inline assembler, then it's not impossible to implement the
  353. * "bignum" routines (and have the compiler optimize 'em)
  354. * exhibiting "native" performance in C. That's what BN_UMULT_HIGH
  355. * macro is about:-)
  356. *
  357. * <appro@fy.chalmers.se>
  358. */
  359. # if defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
  360. # if defined(__DECC)
  361. # include <c_asm.h>
  362. # define BN_UMULT_HIGH(a,b) (BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b))
  363. # elif defined(__GNUC__) && __GNUC__>=2
  364. # define BN_UMULT_HIGH(a,b) ({ \
  365. register BN_ULONG ret; \
  366. asm ("umulh %1,%2,%0" \
  367. : "=r"(ret) \
  368. : "r"(a), "r"(b)); \
  369. ret; })
  370. # endif /* compiler */
  371. # elif defined(_ARCH_PPC) && defined(__64BIT__) && defined(SIXTY_FOUR_BIT_LONG)
  372. # if defined(__GNUC__) && __GNUC__>=2
  373. # define BN_UMULT_HIGH(a,b) ({ \
  374. register BN_ULONG ret; \
  375. asm ("mulhdu %0,%1,%2" \
  376. : "=r"(ret) \
  377. : "r"(a), "r"(b)); \
  378. ret; })
  379. # endif /* compiler */
  380. # elif (defined(__x86_64) || defined(__x86_64__)) && \
  381. (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
  382. # if defined(__GNUC__) && __GNUC__>=2
  383. # define BN_UMULT_HIGH(a,b) ({ \
  384. register BN_ULONG ret,discard; \
  385. asm ("mulq %3" \
  386. : "=a"(discard),"=d"(ret) \
  387. : "a"(a), "g"(b) \
  388. : "cc"); \
  389. ret; })
  390. # define BN_UMULT_LOHI(low,high,a,b) \
  391. asm ("mulq %3" \
  392. : "=a"(low),"=d"(high) \
  393. : "a"(a),"g"(b) \
  394. : "cc");
  395. # endif
  396. # elif (defined(_M_AMD64) || defined(_M_X64)) && defined(SIXTY_FOUR_BIT)
  397. # if defined(_MSC_VER) && _MSC_VER>=1400
  398. unsigned __int64 __umulh(unsigned __int64 a, unsigned __int64 b);
  399. unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
  400. unsigned __int64 *h);
  401. # pragma intrinsic(__umulh,_umul128)
  402. # define BN_UMULT_HIGH(a,b) __umulh((a),(b))
  403. # define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
  404. # endif
  405. # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
  406. # if defined(__GNUC__) && __GNUC__>=2
  407. # if __GNUC__>4 || (__GNUC__>=4 && __GNUC_MINOR__>=4)
  408. /* "h" constraint is no more since 4.4 */
  409. # define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
  410. # define BN_UMULT_LOHI(low,high,a,b) ({ \
  411. __uint128_t ret=(__uint128_t)(a)*(b); \
  412. (high)=ret>>64; (low)=ret; })
  413. # else
  414. # define BN_UMULT_HIGH(a,b) ({ \
  415. register BN_ULONG ret; \
  416. asm ("dmultu %1,%2" \
  417. : "=h"(ret) \
  418. : "r"(a), "r"(b) : "l"); \
  419. ret; })
  420. # define BN_UMULT_LOHI(low,high,a,b)\
  421. asm ("dmultu %2,%3" \
  422. : "=l"(low),"=h"(high) \
  423. : "r"(a), "r"(b));
  424. # endif
  425. # endif
  426. # elif defined(__aarch64__) && defined(SIXTY_FOUR_BIT_LONG)
  427. # if defined(__GNUC__) && __GNUC__>=2
  428. # define BN_UMULT_HIGH(a,b) ({ \
  429. register BN_ULONG ret; \
  430. asm ("umulh %0,%1,%2" \
  431. : "=r"(ret) \
  432. : "r"(a), "r"(b)); \
  433. ret; })
  434. # endif
  435. # endif /* cpu */
  436. # endif /* OPENSSL_NO_ASM */
  437. /*************************************************************
  438. * Using the long long type
  439. */
  440. # define Lw(t) (((BN_ULONG)(t))&BN_MASK2)
  441. # define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
  442. # ifdef BN_DEBUG_RAND
  443. # define bn_clear_top2max(a) \
  444. { \
  445. int ind = (a)->dmax - (a)->top; \
  446. BN_ULONG *ftl = &(a)->d[(a)->top-1]; \
  447. for (; ind != 0; ind--) \
  448. *(++ftl) = 0x0; \
  449. }
  450. # else
  451. # define bn_clear_top2max(a)
  452. # endif
  453. # ifdef BN_LLONG
  454. # define mul_add(r,a,w,c) { \
  455. BN_ULLONG t; \
  456. t=(BN_ULLONG)w * (a) + (r) + (c); \
  457. (r)= Lw(t); \
  458. (c)= Hw(t); \
  459. }
  460. # define mul(r,a,w,c) { \
  461. BN_ULLONG t; \
  462. t=(BN_ULLONG)w * (a) + (c); \
  463. (r)= Lw(t); \
  464. (c)= Hw(t); \
  465. }
  466. # define sqr(r0,r1,a) { \
  467. BN_ULLONG t; \
  468. t=(BN_ULLONG)(a)*(a); \
  469. (r0)=Lw(t); \
  470. (r1)=Hw(t); \
  471. }
  472. # elif defined(BN_UMULT_LOHI)
  473. # define mul_add(r,a,w,c) { \
  474. BN_ULONG high,low,ret,tmp=(a); \
  475. ret = (r); \
  476. BN_UMULT_LOHI(low,high,w,tmp); \
  477. ret += (c); \
  478. (c) = (ret<(c))?1:0; \
  479. (c) += high; \
  480. ret += low; \
  481. (c) += (ret<low)?1:0; \
  482. (r) = ret; \
  483. }
  484. # define mul(r,a,w,c) { \
  485. BN_ULONG high,low,ret,ta=(a); \
  486. BN_UMULT_LOHI(low,high,w,ta); \
  487. ret = low + (c); \
  488. (c) = high; \
  489. (c) += (ret<low)?1:0; \
  490. (r) = ret; \
  491. }
  492. # define sqr(r0,r1,a) { \
  493. BN_ULONG tmp=(a); \
  494. BN_UMULT_LOHI(r0,r1,tmp,tmp); \
  495. }
  496. # elif defined(BN_UMULT_HIGH)
  497. # define mul_add(r,a,w,c) { \
  498. BN_ULONG high,low,ret,tmp=(a); \
  499. ret = (r); \
  500. high= BN_UMULT_HIGH(w,tmp); \
  501. ret += (c); \
  502. low = (w) * tmp; \
  503. (c) = (ret<(c))?1:0; \
  504. (c) += high; \
  505. ret += low; \
  506. (c) += (ret<low)?1:0; \
  507. (r) = ret; \
  508. }
  509. # define mul(r,a,w,c) { \
  510. BN_ULONG high,low,ret,ta=(a); \
  511. low = (w) * ta; \
  512. high= BN_UMULT_HIGH(w,ta); \
  513. ret = low + (c); \
  514. (c) = high; \
  515. (c) += (ret<low)?1:0; \
  516. (r) = ret; \
  517. }
  518. # define sqr(r0,r1,a) { \
  519. BN_ULONG tmp=(a); \
  520. (r0) = tmp * tmp; \
  521. (r1) = BN_UMULT_HIGH(tmp,tmp); \
  522. }
  523. # else
  524. /*************************************************************
  525. * No long long type
  526. */
  527. # define LBITS(a) ((a)&BN_MASK2l)
  528. # define HBITS(a) (((a)>>BN_BITS4)&BN_MASK2l)
  529. # define L2HBITS(a) (((a)<<BN_BITS4)&BN_MASK2)
  530. # define LLBITS(a) ((a)&BN_MASKl)
  531. # define LHBITS(a) (((a)>>BN_BITS2)&BN_MASKl)
  532. # define LL2HBITS(a) ((BN_ULLONG)((a)&BN_MASKl)<<BN_BITS2)
  533. # define mul64(l,h,bl,bh) \
  534. { \
  535. BN_ULONG m,m1,lt,ht; \
  536. \
  537. lt=l; \
  538. ht=h; \
  539. m =(bh)*(lt); \
  540. lt=(bl)*(lt); \
  541. m1=(bl)*(ht); \
  542. ht =(bh)*(ht); \
  543. m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
  544. ht+=HBITS(m); \
  545. m1=L2HBITS(m); \
  546. lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
  547. (l)=lt; \
  548. (h)=ht; \
  549. }
  550. # define sqr64(lo,ho,in) \
  551. { \
  552. BN_ULONG l,h,m; \
  553. \
  554. h=(in); \
  555. l=LBITS(h); \
  556. h=HBITS(h); \
  557. m =(l)*(h); \
  558. l*=l; \
  559. h*=h; \
  560. h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \
  561. m =(m&BN_MASK2l)<<(BN_BITS4+1); \
  562. l=(l+m)&BN_MASK2; if (l < m) h++; \
  563. (lo)=l; \
  564. (ho)=h; \
  565. }
  566. # define mul_add(r,a,bl,bh,c) { \
  567. BN_ULONG l,h; \
  568. \
  569. h= (a); \
  570. l=LBITS(h); \
  571. h=HBITS(h); \
  572. mul64(l,h,(bl),(bh)); \
  573. \
  574. /* non-multiply part */ \
  575. l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
  576. (c)=(r); \
  577. l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
  578. (c)=h&BN_MASK2; \
  579. (r)=l; \
  580. }
  581. # define mul(r,a,bl,bh,c) { \
  582. BN_ULONG l,h; \
  583. \
  584. h= (a); \
  585. l=LBITS(h); \
  586. h=HBITS(h); \
  587. mul64(l,h,(bl),(bh)); \
  588. \
  589. /* non-multiply part */ \
  590. l+=(c); if ((l&BN_MASK2) < (c)) h++; \
  591. (c)=h&BN_MASK2; \
  592. (r)=l&BN_MASK2; \
  593. }
  594. # endif /* !BN_LLONG */
  595. void BN_RECP_CTX_init(BN_RECP_CTX *recp);
  596. void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
  597. void bn_init(BIGNUM *a);
  598. void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
  599. void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
  600. void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
  601. void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp);
  602. void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
  603. void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
  604. int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n);
  605. int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl);
  606. void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
  607. int dna, int dnb, BN_ULONG *t);
  608. void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
  609. int n, int tna, int tnb, BN_ULONG *t);
  610. void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t);
  611. void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n);
  612. void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
  613. BN_ULONG *t);
  614. void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
  615. BN_ULONG *t);
  616. BN_ULONG bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
  617. int cl, int dl);
  618. BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
  619. int cl, int dl);
  620. int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
  621. const BN_ULONG *np, const BN_ULONG *n0, int num);
  622. BIGNUM *int_bn_mod_inverse(BIGNUM *in,
  623. const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
  624. int *noinv);
  625. int bn_probable_prime_dh(BIGNUM *rnd, int bits,
  626. const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx);
  627. int bn_probable_prime_dh_retry(BIGNUM *rnd, int bits, BN_CTX *ctx);
  628. int bn_probable_prime_dh_coprime(BIGNUM *rnd, int bits, BN_CTX *ctx);
  629. #ifdef __cplusplus
  630. }
  631. #endif
  632. #endif