bn_mont.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536
  1. /* crypto/bn/bn_mont.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /*
  112. * Details about Montgomery multiplication algorithms can be found at
  113. * http://security.ece.orst.edu/publications.html, e.g.
  114. * http://security.ece.orst.edu/koc/papers/j37acmon.pdf and
  115. * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
  116. */
  117. #include "internal/cryptlib.h"
  118. #include "bn_lcl.h"
  119. #define MONT_WORD /* use the faster word-based algorithm */
  120. #ifdef MONT_WORD
  121. static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
  122. #endif
  123. int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
  124. BN_MONT_CTX *mont, BN_CTX *ctx)
  125. {
  126. BIGNUM *tmp;
  127. int ret = 0;
  128. #if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD)
  129. int num = mont->N.top;
  130. if (num > 1 && a->top == num && b->top == num) {
  131. if (bn_wexpand(r, num) == NULL)
  132. return (0);
  133. if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
  134. r->neg = a->neg ^ b->neg;
  135. r->top = num;
  136. bn_correct_top(r);
  137. return (1);
  138. }
  139. }
  140. #endif
  141. BN_CTX_start(ctx);
  142. tmp = BN_CTX_get(ctx);
  143. if (tmp == NULL)
  144. goto err;
  145. bn_check_top(tmp);
  146. if (a == b) {
  147. if (!BN_sqr(tmp, a, ctx))
  148. goto err;
  149. } else {
  150. if (!BN_mul(tmp, a, b, ctx))
  151. goto err;
  152. }
  153. /* reduce from aRR to aR */
  154. #ifdef MONT_WORD
  155. if (!BN_from_montgomery_word(r, tmp, mont))
  156. goto err;
  157. #else
  158. if (!BN_from_montgomery(r, tmp, mont, ctx))
  159. goto err;
  160. #endif
  161. bn_check_top(r);
  162. ret = 1;
  163. err:
  164. BN_CTX_end(ctx);
  165. return (ret);
  166. }
  167. #ifdef MONT_WORD
  168. static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
  169. {
  170. BIGNUM *n;
  171. BN_ULONG *ap, *np, *rp, n0, v, carry;
  172. int nl, max, i;
  173. n = &(mont->N);
  174. nl = n->top;
  175. if (nl == 0) {
  176. ret->top = 0;
  177. return (1);
  178. }
  179. max = (2 * nl); /* carry is stored separately */
  180. if (bn_wexpand(r, max) == NULL)
  181. return (0);
  182. r->neg ^= n->neg;
  183. np = n->d;
  184. rp = r->d;
  185. /* clear the top words of T */
  186. i = max - r->top;
  187. if (i)
  188. memset(&rp[r->top], 0, sizeof(*rp) * i);
  189. r->top = max;
  190. n0 = mont->n0[0];
  191. for (carry = 0, i = 0; i < nl; i++, rp++) {
  192. v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2);
  193. v = (v + carry + rp[nl]) & BN_MASK2;
  194. carry |= (v != rp[nl]);
  195. carry &= (v <= rp[nl]);
  196. rp[nl] = v;
  197. }
  198. if (bn_wexpand(ret, nl) == NULL)
  199. return (0);
  200. ret->top = nl;
  201. ret->neg = r->neg;
  202. rp = ret->d;
  203. ap = &(r->d[nl]);
  204. # define BRANCH_FREE 1
  205. # if BRANCH_FREE
  206. {
  207. BN_ULONG *nrp;
  208. size_t m;
  209. v = bn_sub_words(rp, ap, np, nl) - carry;
  210. /*
  211. * if subtraction result is real, then trick unconditional memcpy
  212. * below to perform in-place "refresh" instead of actual copy.
  213. */
  214. m = (0 - (size_t)v);
  215. nrp =
  216. (BN_ULONG *)(((PTR_SIZE_INT) rp & ~m) | ((PTR_SIZE_INT) ap & m));
  217. for (i = 0, nl -= 4; i < nl; i += 4) {
  218. BN_ULONG t1, t2, t3, t4;
  219. t1 = nrp[i + 0];
  220. t2 = nrp[i + 1];
  221. t3 = nrp[i + 2];
  222. ap[i + 0] = 0;
  223. t4 = nrp[i + 3];
  224. ap[i + 1] = 0;
  225. rp[i + 0] = t1;
  226. ap[i + 2] = 0;
  227. rp[i + 1] = t2;
  228. ap[i + 3] = 0;
  229. rp[i + 2] = t3;
  230. rp[i + 3] = t4;
  231. }
  232. for (nl += 4; i < nl; i++)
  233. rp[i] = nrp[i], ap[i] = 0;
  234. }
  235. # else
  236. if (bn_sub_words(rp, ap, np, nl) - carry)
  237. memcpy(rp, ap, nl * sizeof(BN_ULONG));
  238. # endif
  239. bn_correct_top(r);
  240. bn_correct_top(ret);
  241. bn_check_top(ret);
  242. return (1);
  243. }
  244. #endif /* MONT_WORD */
  245. int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
  246. BN_CTX *ctx)
  247. {
  248. int retn = 0;
  249. #ifdef MONT_WORD
  250. BIGNUM *t;
  251. BN_CTX_start(ctx);
  252. if ((t = BN_CTX_get(ctx)) && BN_copy(t, a))
  253. retn = BN_from_montgomery_word(ret, t, mont);
  254. BN_CTX_end(ctx);
  255. #else /* !MONT_WORD */
  256. BIGNUM *t1, *t2;
  257. BN_CTX_start(ctx);
  258. t1 = BN_CTX_get(ctx);
  259. t2 = BN_CTX_get(ctx);
  260. if (t1 == NULL || t2 == NULL)
  261. goto err;
  262. if (!BN_copy(t1, a))
  263. goto err;
  264. BN_mask_bits(t1, mont->ri);
  265. if (!BN_mul(t2, t1, &mont->Ni, ctx))
  266. goto err;
  267. BN_mask_bits(t2, mont->ri);
  268. if (!BN_mul(t1, t2, &mont->N, ctx))
  269. goto err;
  270. if (!BN_add(t2, a, t1))
  271. goto err;
  272. if (!BN_rshift(ret, t2, mont->ri))
  273. goto err;
  274. if (BN_ucmp(ret, &(mont->N)) >= 0) {
  275. if (!BN_usub(ret, ret, &(mont->N)))
  276. goto err;
  277. }
  278. retn = 1;
  279. bn_check_top(ret);
  280. err:
  281. BN_CTX_end(ctx);
  282. #endif /* MONT_WORD */
  283. return (retn);
  284. }
  285. BN_MONT_CTX *BN_MONT_CTX_new(void)
  286. {
  287. BN_MONT_CTX *ret;
  288. if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL)
  289. return (NULL);
  290. BN_MONT_CTX_init(ret);
  291. ret->flags = BN_FLG_MALLOCED;
  292. return (ret);
  293. }
  294. void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
  295. {
  296. ctx->ri = 0;
  297. bn_init(&(ctx->RR));
  298. bn_init(&(ctx->N));
  299. bn_init(&(ctx->Ni));
  300. ctx->n0[0] = ctx->n0[1] = 0;
  301. ctx->flags = 0;
  302. }
  303. void BN_MONT_CTX_free(BN_MONT_CTX *mont)
  304. {
  305. if (mont == NULL)
  306. return;
  307. BN_clear_free(&(mont->RR));
  308. BN_clear_free(&(mont->N));
  309. BN_clear_free(&(mont->Ni));
  310. if (mont->flags & BN_FLG_MALLOCED)
  311. OPENSSL_free(mont);
  312. }
  313. int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
  314. {
  315. int ret = 0;
  316. BIGNUM *Ri, *R;
  317. if (BN_is_zero(mod))
  318. return 0;
  319. BN_CTX_start(ctx);
  320. if ((Ri = BN_CTX_get(ctx)) == NULL)
  321. goto err;
  322. R = &(mont->RR); /* grab RR as a temp */
  323. if (!BN_copy(&(mont->N), mod))
  324. goto err; /* Set N */
  325. mont->N.neg = 0;
  326. #ifdef MONT_WORD
  327. {
  328. BIGNUM tmod;
  329. BN_ULONG buf[2];
  330. bn_init(&tmod);
  331. tmod.d = buf;
  332. tmod.dmax = 2;
  333. tmod.neg = 0;
  334. mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
  335. # if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
  336. /*
  337. * Only certain BN_BITS2<=32 platforms actually make use of n0[1],
  338. * and we could use the #else case (with a shorter R value) for the
  339. * others. However, currently only the assembler files do know which
  340. * is which.
  341. */
  342. BN_zero(R);
  343. if (!(BN_set_bit(R, 2 * BN_BITS2)))
  344. goto err;
  345. tmod.top = 0;
  346. if ((buf[0] = mod->d[0]))
  347. tmod.top = 1;
  348. if ((buf[1] = mod->top > 1 ? mod->d[1] : 0))
  349. tmod.top = 2;
  350. if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
  351. goto err;
  352. if (!BN_lshift(Ri, Ri, 2 * BN_BITS2))
  353. goto err; /* R*Ri */
  354. if (!BN_is_zero(Ri)) {
  355. if (!BN_sub_word(Ri, 1))
  356. goto err;
  357. } else { /* if N mod word size == 1 */
  358. if (bn_expand(Ri, (int)sizeof(BN_ULONG) * 2) == NULL)
  359. goto err;
  360. /* Ri-- (mod double word size) */
  361. Ri->neg = 0;
  362. Ri->d[0] = BN_MASK2;
  363. Ri->d[1] = BN_MASK2;
  364. Ri->top = 2;
  365. }
  366. if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
  367. goto err;
  368. /*
  369. * Ni = (R*Ri-1)/N, keep only couple of least significant words:
  370. */
  371. mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
  372. mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
  373. # else
  374. BN_zero(R);
  375. if (!(BN_set_bit(R, BN_BITS2)))
  376. goto err; /* R */
  377. buf[0] = mod->d[0]; /* tmod = N mod word size */
  378. buf[1] = 0;
  379. tmod.top = buf[0] != 0 ? 1 : 0;
  380. /* Ri = R^-1 mod N */
  381. if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
  382. goto err;
  383. if (!BN_lshift(Ri, Ri, BN_BITS2))
  384. goto err; /* R*Ri */
  385. if (!BN_is_zero(Ri)) {
  386. if (!BN_sub_word(Ri, 1))
  387. goto err;
  388. } else { /* if N mod word size == 1 */
  389. if (!BN_set_word(Ri, BN_MASK2))
  390. goto err; /* Ri-- (mod word size) */
  391. }
  392. if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
  393. goto err;
  394. /*
  395. * Ni = (R*Ri-1)/N, keep only least significant word:
  396. */
  397. mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
  398. mont->n0[1] = 0;
  399. # endif
  400. }
  401. #else /* !MONT_WORD */
  402. { /* bignum version */
  403. mont->ri = BN_num_bits(&mont->N);
  404. BN_zero(R);
  405. if (!BN_set_bit(R, mont->ri))
  406. goto err; /* R = 2^ri */
  407. /* Ri = R^-1 mod N */
  408. if ((BN_mod_inverse(Ri, R, &mont->N, ctx)) == NULL)
  409. goto err;
  410. if (!BN_lshift(Ri, Ri, mont->ri))
  411. goto err; /* R*Ri */
  412. if (!BN_sub_word(Ri, 1))
  413. goto err;
  414. /*
  415. * Ni = (R*Ri-1) / N
  416. */
  417. if (!BN_div(&(mont->Ni), NULL, Ri, &mont->N, ctx))
  418. goto err;
  419. }
  420. #endif
  421. /* setup RR for conversions */
  422. BN_zero(&(mont->RR));
  423. if (!BN_set_bit(&(mont->RR), mont->ri * 2))
  424. goto err;
  425. if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
  426. goto err;
  427. ret = 1;
  428. err:
  429. BN_CTX_end(ctx);
  430. return ret;
  431. }
  432. BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
  433. {
  434. if (to == from)
  435. return (to);
  436. if (!BN_copy(&(to->RR), &(from->RR)))
  437. return NULL;
  438. if (!BN_copy(&(to->N), &(from->N)))
  439. return NULL;
  440. if (!BN_copy(&(to->Ni), &(from->Ni)))
  441. return NULL;
  442. to->ri = from->ri;
  443. to->n0[0] = from->n0[0];
  444. to->n0[1] = from->n0[1];
  445. return (to);
  446. }
  447. BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
  448. const BIGNUM *mod, BN_CTX *ctx)
  449. {
  450. BN_MONT_CTX *ret;
  451. CRYPTO_r_lock(lock);
  452. ret = *pmont;
  453. CRYPTO_r_unlock(lock);
  454. if (ret)
  455. return ret;
  456. /*
  457. * We don't want to serialise globally while doing our lazy-init math in
  458. * BN_MONT_CTX_set. That punishes threads that are doing independent
  459. * things. Instead, punish the case where more than one thread tries to
  460. * lazy-init the same 'pmont', by having each do the lazy-init math work
  461. * independently and only use the one from the thread that wins the race
  462. * (the losers throw away the work they've done).
  463. */
  464. ret = BN_MONT_CTX_new();
  465. if (ret == NULL)
  466. return NULL;
  467. if (!BN_MONT_CTX_set(ret, mod, ctx)) {
  468. BN_MONT_CTX_free(ret);
  469. return NULL;
  470. }
  471. /* The locked compare-and-set, after the local work is done. */
  472. CRYPTO_w_lock(lock);
  473. if (*pmont) {
  474. BN_MONT_CTX_free(ret);
  475. ret = *pmont;
  476. } else
  477. *pmont = ret;
  478. CRYPTO_w_unlock(lock);
  479. return ret;
  480. }