bn_div.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477
  1. /* crypto/bn/bn_div.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. #include <stdio.h>
  59. #include <openssl/bn.h>
  60. #include "cryptlib.h"
  61. #include "bn_lcl.h"
  62. /* The old slow way */
  63. #if 0
  64. int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
  65. BN_CTX *ctx)
  66. {
  67. int i, nm, nd;
  68. int ret = 0;
  69. BIGNUM *D;
  70. bn_check_top(m);
  71. bn_check_top(d);
  72. if (BN_is_zero(d)) {
  73. BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
  74. return (0);
  75. }
  76. if (BN_ucmp(m, d) < 0) {
  77. if (rem != NULL) {
  78. if (BN_copy(rem, m) == NULL)
  79. return (0);
  80. }
  81. if (dv != NULL)
  82. BN_zero(dv);
  83. return (1);
  84. }
  85. BN_CTX_start(ctx);
  86. D = BN_CTX_get(ctx);
  87. if (dv == NULL)
  88. dv = BN_CTX_get(ctx);
  89. if (rem == NULL)
  90. rem = BN_CTX_get(ctx);
  91. if (D == NULL || dv == NULL || rem == NULL)
  92. goto end;
  93. nd = BN_num_bits(d);
  94. nm = BN_num_bits(m);
  95. if (BN_copy(D, d) == NULL)
  96. goto end;
  97. if (BN_copy(rem, m) == NULL)
  98. goto end;
  99. /*
  100. * The next 2 are needed so we can do a dv->d[0]|=1 later since
  101. * BN_lshift1 will only work once there is a value :-)
  102. */
  103. BN_zero(dv);
  104. if (bn_wexpand(dv, 1) == NULL)
  105. goto end;
  106. dv->top = 1;
  107. if (!BN_lshift(D, D, nm - nd))
  108. goto end;
  109. for (i = nm - nd; i >= 0; i--) {
  110. if (!BN_lshift1(dv, dv))
  111. goto end;
  112. if (BN_ucmp(rem, D) >= 0) {
  113. dv->d[0] |= 1;
  114. if (!BN_usub(rem, rem, D))
  115. goto end;
  116. }
  117. /* CAN IMPROVE (and have now :=) */
  118. if (!BN_rshift1(D, D))
  119. goto end;
  120. }
  121. rem->neg = BN_is_zero(rem) ? 0 : m->neg;
  122. dv->neg = m->neg ^ d->neg;
  123. ret = 1;
  124. end:
  125. BN_CTX_end(ctx);
  126. return (ret);
  127. }
  128. #else
  129. # if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
  130. && !defined(PEDANTIC) && !defined(BN_DIV3W)
  131. # if defined(__GNUC__) && __GNUC__>=2
  132. # if defined(__i386) || defined (__i386__)
  133. /*-
  134. * There were two reasons for implementing this template:
  135. * - GNU C generates a call to a function (__udivdi3 to be exact)
  136. * in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
  137. * understand why...);
  138. * - divl doesn't only calculate quotient, but also leaves
  139. * remainder in %edx which we can definitely use here:-)
  140. *
  141. * <appro@fy.chalmers.se>
  142. */
  143. # undef bn_div_words
  144. # define bn_div_words(n0,n1,d0) \
  145. ({ asm volatile ( \
  146. "divl %4" \
  147. : "=a"(q), "=d"(rem) \
  148. : "a"(n1), "d"(n0), "r"(d0) \
  149. : "cc"); \
  150. q; \
  151. })
  152. # define REMAINDER_IS_ALREADY_CALCULATED
  153. # elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
  154. /*
  155. * Same story here, but it's 128-bit by 64-bit division. Wow!
  156. * <appro@fy.chalmers.se>
  157. */
  158. # undef bn_div_words
  159. # define bn_div_words(n0,n1,d0) \
  160. ({ asm volatile ( \
  161. "divq %4" \
  162. : "=a"(q), "=d"(rem) \
  163. : "a"(n1), "d"(n0), "r"(d0) \
  164. : "cc"); \
  165. q; \
  166. })
  167. # define REMAINDER_IS_ALREADY_CALCULATED
  168. # endif /* __<cpu> */
  169. # endif /* __GNUC__ */
  170. # endif /* OPENSSL_NO_ASM */
  171. /*-
  172. * BN_div computes dv := num / divisor, rounding towards
  173. * zero, and sets up rm such that dv*divisor + rm = num holds.
  174. * Thus:
  175. * dv->neg == num->neg ^ divisor->neg (unless the result is zero)
  176. * rm->neg == num->neg (unless the remainder is zero)
  177. * If 'dv' or 'rm' is NULL, the respective value is not returned.
  178. */
  179. int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
  180. BN_CTX *ctx)
  181. {
  182. int norm_shift, i, loop;
  183. BIGNUM *tmp, wnum, *snum, *sdiv, *res;
  184. BN_ULONG *resp, *wnump;
  185. BN_ULONG d0, d1;
  186. int num_n, div_n;
  187. int no_branch = 0;
  188. /*
  189. * Invalid zero-padding would have particularly bad consequences so don't
  190. * just rely on bn_check_top() here (bn_check_top() works only for
  191. * BN_DEBUG builds)
  192. */
  193. if ((num->top > 0 && num->d[num->top - 1] == 0) ||
  194. (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
  195. BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
  196. return 0;
  197. }
  198. bn_check_top(num);
  199. bn_check_top(divisor);
  200. if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
  201. || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
  202. no_branch = 1;
  203. }
  204. bn_check_top(dv);
  205. bn_check_top(rm);
  206. /*- bn_check_top(num); *//*
  207. * 'num' has been checked already
  208. */
  209. /*- bn_check_top(divisor); *//*
  210. * 'divisor' has been checked already
  211. */
  212. if (BN_is_zero(divisor)) {
  213. BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
  214. return (0);
  215. }
  216. if (!no_branch && BN_ucmp(num, divisor) < 0) {
  217. if (rm != NULL) {
  218. if (BN_copy(rm, num) == NULL)
  219. return (0);
  220. }
  221. if (dv != NULL)
  222. BN_zero(dv);
  223. return (1);
  224. }
  225. BN_CTX_start(ctx);
  226. tmp = BN_CTX_get(ctx);
  227. snum = BN_CTX_get(ctx);
  228. sdiv = BN_CTX_get(ctx);
  229. if (dv == NULL)
  230. res = BN_CTX_get(ctx);
  231. else
  232. res = dv;
  233. if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL)
  234. goto err;
  235. /* First we normalise the numbers */
  236. norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
  237. if (!(BN_lshift(sdiv, divisor, norm_shift)))
  238. goto err;
  239. sdiv->neg = 0;
  240. norm_shift += BN_BITS2;
  241. if (!(BN_lshift(snum, num, norm_shift)))
  242. goto err;
  243. snum->neg = 0;
  244. if (no_branch) {
  245. /*
  246. * Since we don't know whether snum is larger than sdiv, we pad snum
  247. * with enough zeroes without changing its value.
  248. */
  249. if (snum->top <= sdiv->top + 1) {
  250. if (bn_wexpand(snum, sdiv->top + 2) == NULL)
  251. goto err;
  252. for (i = snum->top; i < sdiv->top + 2; i++)
  253. snum->d[i] = 0;
  254. snum->top = sdiv->top + 2;
  255. } else {
  256. if (bn_wexpand(snum, snum->top + 1) == NULL)
  257. goto err;
  258. snum->d[snum->top] = 0;
  259. snum->top++;
  260. }
  261. }
  262. div_n = sdiv->top;
  263. num_n = snum->top;
  264. loop = num_n - div_n;
  265. /*
  266. * Lets setup a 'window' into snum This is the part that corresponds to
  267. * the current 'area' being divided
  268. */
  269. wnum.neg = 0;
  270. wnum.d = &(snum->d[loop]);
  271. wnum.top = div_n;
  272. /*
  273. * only needed when BN_ucmp messes up the values between top and max
  274. */
  275. wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
  276. /* Get the top 2 words of sdiv */
  277. /* div_n=sdiv->top; */
  278. d0 = sdiv->d[div_n - 1];
  279. d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
  280. /* pointer to the 'top' of snum */
  281. wnump = &(snum->d[num_n - 1]);
  282. /* Setup to 'res' */
  283. res->neg = (num->neg ^ divisor->neg);
  284. if (!bn_wexpand(res, (loop + 1)))
  285. goto err;
  286. res->top = loop - no_branch;
  287. resp = &(res->d[loop - 1]);
  288. /* space for temp */
  289. if (!bn_wexpand(tmp, (div_n + 1)))
  290. goto err;
  291. if (!no_branch) {
  292. if (BN_ucmp(&wnum, sdiv) >= 0) {
  293. /*
  294. * If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
  295. * the const bignum arguments => clean the values between top and
  296. * max again
  297. */
  298. bn_clear_top2max(&wnum);
  299. bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
  300. *resp = 1;
  301. } else
  302. res->top--;
  303. }
  304. /*
  305. * if res->top == 0 then clear the neg value otherwise decrease the resp
  306. * pointer
  307. */
  308. if (res->top == 0)
  309. res->neg = 0;
  310. else
  311. resp--;
  312. for (i = 0; i < loop - 1; i++, wnump--, resp--) {
  313. BN_ULONG q, l0;
  314. /*
  315. * the first part of the loop uses the top two words of snum and sdiv
  316. * to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
  317. */
  318. # if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
  319. BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
  320. q = bn_div_3_words(wnump, d1, d0);
  321. # else
  322. BN_ULONG n0, n1, rem = 0;
  323. n0 = wnump[0];
  324. n1 = wnump[-1];
  325. if (n0 == d0)
  326. q = BN_MASK2;
  327. else { /* n0 < d0 */
  328. # ifdef BN_LLONG
  329. BN_ULLONG t2;
  330. # if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
  331. q = (BN_ULONG)(((((BN_ULLONG) n0) << BN_BITS2) | n1) / d0);
  332. # else
  333. q = bn_div_words(n0, n1, d0);
  334. # ifdef BN_DEBUG_LEVITTE
  335. fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
  336. X) -> 0x%08X\n", n0, n1, d0, q);
  337. # endif
  338. # endif
  339. # ifndef REMAINDER_IS_ALREADY_CALCULATED
  340. /*
  341. * rem doesn't have to be BN_ULLONG. The least we
  342. * know it's less that d0, isn't it?
  343. */
  344. rem = (n1 - q * d0) & BN_MASK2;
  345. # endif
  346. t2 = (BN_ULLONG) d1 *q;
  347. for (;;) {
  348. if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
  349. break;
  350. q--;
  351. rem += d0;
  352. if (rem < d0)
  353. break; /* don't let rem overflow */
  354. t2 -= d1;
  355. }
  356. # else /* !BN_LLONG */
  357. BN_ULONG t2l, t2h;
  358. q = bn_div_words(n0, n1, d0);
  359. # ifdef BN_DEBUG_LEVITTE
  360. fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
  361. X) -> 0x%08X\n", n0, n1, d0, q);
  362. # endif
  363. # ifndef REMAINDER_IS_ALREADY_CALCULATED
  364. rem = (n1 - q * d0) & BN_MASK2;
  365. # endif
  366. # if defined(BN_UMULT_LOHI)
  367. BN_UMULT_LOHI(t2l, t2h, d1, q);
  368. # elif defined(BN_UMULT_HIGH)
  369. t2l = d1 * q;
  370. t2h = BN_UMULT_HIGH(d1, q);
  371. # else
  372. {
  373. BN_ULONG ql, qh;
  374. t2l = LBITS(d1);
  375. t2h = HBITS(d1);
  376. ql = LBITS(q);
  377. qh = HBITS(q);
  378. mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
  379. }
  380. # endif
  381. for (;;) {
  382. if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
  383. break;
  384. q--;
  385. rem += d0;
  386. if (rem < d0)
  387. break; /* don't let rem overflow */
  388. if (t2l < d1)
  389. t2h--;
  390. t2l -= d1;
  391. }
  392. # endif /* !BN_LLONG */
  393. }
  394. # endif /* !BN_DIV3W */
  395. l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
  396. tmp->d[div_n] = l0;
  397. wnum.d--;
  398. /*
  399. * ingore top values of the bignums just sub the two BN_ULONG arrays
  400. * with bn_sub_words
  401. */
  402. if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
  403. /*
  404. * Note: As we have considered only the leading two BN_ULONGs in
  405. * the calculation of q, sdiv * q might be greater than wnum (but
  406. * then (q-1) * sdiv is less or equal than wnum)
  407. */
  408. q--;
  409. if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
  410. /*
  411. * we can't have an overflow here (assuming that q != 0, but
  412. * if q == 0 then tmp is zero anyway)
  413. */
  414. (*wnump)++;
  415. }
  416. /* store part of the result */
  417. *resp = q;
  418. }
  419. bn_correct_top(snum);
  420. if (rm != NULL) {
  421. /*
  422. * Keep a copy of the neg flag in num because if rm==num BN_rshift()
  423. * will overwrite it.
  424. */
  425. int neg = num->neg;
  426. BN_rshift(rm, snum, norm_shift);
  427. if (!BN_is_zero(rm))
  428. rm->neg = neg;
  429. bn_check_top(rm);
  430. }
  431. if (no_branch)
  432. bn_correct_top(res);
  433. BN_CTX_end(ctx);
  434. return (1);
  435. err:
  436. bn_check_top(rm);
  437. BN_CTX_end(ctx);
  438. return (0);
  439. }
  440. #endif