bn_mont.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558
  1. /* crypto/bn/bn_mont.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /*
  112. * Details about Montgomery multiplication algorithms can be found at
  113. * http://security.ece.orst.edu/publications.html, e.g.
  114. * http://security.ece.orst.edu/koc/papers/j37acmon.pdf and
  115. * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
  116. */
  117. #include <stdio.h>
  118. #include "cryptlib.h"
  119. #include "bn_lcl.h"
  120. #define MONT_WORD /* use the faster word-based algorithm */
  121. #ifdef MONT_WORD
  122. static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
  123. #endif
  124. int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
  125. BN_MONT_CTX *mont, BN_CTX *ctx)
  126. {
  127. BIGNUM *tmp;
  128. int ret = 0;
  129. #if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD)
  130. int num = mont->N.top;
  131. if (num > 1 && a->top == num && b->top == num) {
  132. if (bn_wexpand(r, num) == NULL)
  133. return (0);
  134. if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
  135. r->neg = a->neg ^ b->neg;
  136. r->top = num;
  137. bn_correct_top(r);
  138. return (1);
  139. }
  140. }
  141. #endif
  142. BN_CTX_start(ctx);
  143. tmp = BN_CTX_get(ctx);
  144. if (tmp == NULL)
  145. goto err;
  146. bn_check_top(tmp);
  147. if (a == b) {
  148. if (!BN_sqr(tmp, a, ctx))
  149. goto err;
  150. } else {
  151. if (!BN_mul(tmp, a, b, ctx))
  152. goto err;
  153. }
  154. /* reduce from aRR to aR */
  155. #ifdef MONT_WORD
  156. if (!BN_from_montgomery_word(r, tmp, mont))
  157. goto err;
  158. #else
  159. if (!BN_from_montgomery(r, tmp, mont, ctx))
  160. goto err;
  161. #endif
  162. bn_check_top(r);
  163. ret = 1;
  164. err:
  165. BN_CTX_end(ctx);
  166. return (ret);
  167. }
  168. #ifdef MONT_WORD
  169. static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
  170. {
  171. BIGNUM *n;
  172. BN_ULONG *ap, *np, *rp, n0, v, carry;
  173. int nl, max, i;
  174. n = &(mont->N);
  175. nl = n->top;
  176. if (nl == 0) {
  177. ret->top = 0;
  178. return (1);
  179. }
  180. max = (2 * nl); /* carry is stored separately */
  181. if (bn_wexpand(r, max) == NULL)
  182. return (0);
  183. r->neg ^= n->neg;
  184. np = n->d;
  185. rp = r->d;
  186. /* clear the top words of T */
  187. # if 1
  188. for (i = r->top; i < max; i++) /* memset? XXX */
  189. rp[i] = 0;
  190. # else
  191. memset(&(rp[r->top]), 0, (max - r->top) * sizeof(BN_ULONG));
  192. # endif
  193. r->top = max;
  194. n0 = mont->n0[0];
  195. # ifdef BN_COUNT
  196. fprintf(stderr, "word BN_from_montgomery_word %d * %d\n", nl, nl);
  197. # endif
  198. for (carry = 0, i = 0; i < nl; i++, rp++) {
  199. # ifdef __TANDEM
  200. {
  201. long long t1;
  202. long long t2;
  203. long long t3;
  204. t1 = rp[0] * (n0 & 0177777);
  205. t2 = 037777600000l;
  206. t2 = n0 & t2;
  207. t3 = rp[0] & 0177777;
  208. t2 = (t3 * t2) & BN_MASK2;
  209. t1 = t1 + t2;
  210. v = bn_mul_add_words(rp, np, nl, (BN_ULONG)t1);
  211. }
  212. # else
  213. v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2);
  214. # endif
  215. v = (v + carry + rp[nl]) & BN_MASK2;
  216. carry |= (v != rp[nl]);
  217. carry &= (v <= rp[nl]);
  218. rp[nl] = v;
  219. }
  220. if (bn_wexpand(ret, nl) == NULL)
  221. return (0);
  222. ret->top = nl;
  223. ret->neg = r->neg;
  224. rp = ret->d;
  225. ap = &(r->d[nl]);
  226. # define BRANCH_FREE 1
  227. # if BRANCH_FREE
  228. {
  229. BN_ULONG *nrp;
  230. size_t m;
  231. v = bn_sub_words(rp, ap, np, nl) - carry;
  232. /*
  233. * if subtraction result is real, then trick unconditional memcpy
  234. * below to perform in-place "refresh" instead of actual copy.
  235. */
  236. m = (0 - (size_t)v);
  237. nrp =
  238. (BN_ULONG *)(((PTR_SIZE_INT) rp & ~m) | ((PTR_SIZE_INT) ap & m));
  239. for (i = 0, nl -= 4; i < nl; i += 4) {
  240. BN_ULONG t1, t2, t3, t4;
  241. t1 = nrp[i + 0];
  242. t2 = nrp[i + 1];
  243. t3 = nrp[i + 2];
  244. ap[i + 0] = 0;
  245. t4 = nrp[i + 3];
  246. ap[i + 1] = 0;
  247. rp[i + 0] = t1;
  248. ap[i + 2] = 0;
  249. rp[i + 1] = t2;
  250. ap[i + 3] = 0;
  251. rp[i + 2] = t3;
  252. rp[i + 3] = t4;
  253. }
  254. for (nl += 4; i < nl; i++)
  255. rp[i] = nrp[i], ap[i] = 0;
  256. }
  257. # else
  258. if (bn_sub_words(rp, ap, np, nl) - carry)
  259. memcpy(rp, ap, nl * sizeof(BN_ULONG));
  260. # endif
  261. bn_correct_top(r);
  262. bn_correct_top(ret);
  263. bn_check_top(ret);
  264. return (1);
  265. }
  266. #endif /* MONT_WORD */
  267. int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
  268. BN_CTX *ctx)
  269. {
  270. int retn = 0;
  271. #ifdef MONT_WORD
  272. BIGNUM *t;
  273. BN_CTX_start(ctx);
  274. if ((t = BN_CTX_get(ctx)) && BN_copy(t, a))
  275. retn = BN_from_montgomery_word(ret, t, mont);
  276. BN_CTX_end(ctx);
  277. #else /* !MONT_WORD */
  278. BIGNUM *t1, *t2;
  279. BN_CTX_start(ctx);
  280. t1 = BN_CTX_get(ctx);
  281. t2 = BN_CTX_get(ctx);
  282. if (t1 == NULL || t2 == NULL)
  283. goto err;
  284. if (!BN_copy(t1, a))
  285. goto err;
  286. BN_mask_bits(t1, mont->ri);
  287. if (!BN_mul(t2, t1, &mont->Ni, ctx))
  288. goto err;
  289. BN_mask_bits(t2, mont->ri);
  290. if (!BN_mul(t1, t2, &mont->N, ctx))
  291. goto err;
  292. if (!BN_add(t2, a, t1))
  293. goto err;
  294. if (!BN_rshift(ret, t2, mont->ri))
  295. goto err;
  296. if (BN_ucmp(ret, &(mont->N)) >= 0) {
  297. if (!BN_usub(ret, ret, &(mont->N)))
  298. goto err;
  299. }
  300. retn = 1;
  301. bn_check_top(ret);
  302. err:
  303. BN_CTX_end(ctx);
  304. #endif /* MONT_WORD */
  305. return (retn);
  306. }
  307. BN_MONT_CTX *BN_MONT_CTX_new(void)
  308. {
  309. BN_MONT_CTX *ret;
  310. if ((ret = (BN_MONT_CTX *)OPENSSL_malloc(sizeof(BN_MONT_CTX))) == NULL)
  311. return (NULL);
  312. BN_MONT_CTX_init(ret);
  313. ret->flags = BN_FLG_MALLOCED;
  314. return (ret);
  315. }
  316. void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
  317. {
  318. ctx->ri = 0;
  319. BN_init(&(ctx->RR));
  320. BN_init(&(ctx->N));
  321. BN_init(&(ctx->Ni));
  322. ctx->n0[0] = ctx->n0[1] = 0;
  323. ctx->flags = 0;
  324. }
  325. void BN_MONT_CTX_free(BN_MONT_CTX *mont)
  326. {
  327. if (mont == NULL)
  328. return;
  329. BN_clear_free(&(mont->RR));
  330. BN_clear_free(&(mont->N));
  331. BN_clear_free(&(mont->Ni));
  332. if (mont->flags & BN_FLG_MALLOCED)
  333. OPENSSL_free(mont);
  334. }
  335. int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
  336. {
  337. int ret = 0;
  338. BIGNUM *Ri, *R;
  339. if (BN_is_zero(mod))
  340. return 0;
  341. BN_CTX_start(ctx);
  342. if ((Ri = BN_CTX_get(ctx)) == NULL)
  343. goto err;
  344. R = &(mont->RR); /* grab RR as a temp */
  345. if (!BN_copy(&(mont->N), mod))
  346. goto err; /* Set N */
  347. mont->N.neg = 0;
  348. #ifdef MONT_WORD
  349. {
  350. BIGNUM tmod;
  351. BN_ULONG buf[2];
  352. BN_init(&tmod);
  353. tmod.d = buf;
  354. tmod.dmax = 2;
  355. tmod.neg = 0;
  356. mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
  357. # if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
  358. /*
  359. * Only certain BN_BITS2<=32 platforms actually make use of n0[1],
  360. * and we could use the #else case (with a shorter R value) for the
  361. * others. However, currently only the assembler files do know which
  362. * is which.
  363. */
  364. BN_zero(R);
  365. if (!(BN_set_bit(R, 2 * BN_BITS2)))
  366. goto err;
  367. tmod.top = 0;
  368. if ((buf[0] = mod->d[0]))
  369. tmod.top = 1;
  370. if ((buf[1] = mod->top > 1 ? mod->d[1] : 0))
  371. tmod.top = 2;
  372. if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
  373. goto err;
  374. if (!BN_lshift(Ri, Ri, 2 * BN_BITS2))
  375. goto err; /* R*Ri */
  376. if (!BN_is_zero(Ri)) {
  377. if (!BN_sub_word(Ri, 1))
  378. goto err;
  379. } else { /* if N mod word size == 1 */
  380. if (bn_expand(Ri, (int)sizeof(BN_ULONG) * 2) == NULL)
  381. goto err;
  382. /* Ri-- (mod double word size) */
  383. Ri->neg = 0;
  384. Ri->d[0] = BN_MASK2;
  385. Ri->d[1] = BN_MASK2;
  386. Ri->top = 2;
  387. }
  388. if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
  389. goto err;
  390. /*
  391. * Ni = (R*Ri-1)/N, keep only couple of least significant words:
  392. */
  393. mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
  394. mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
  395. # else
  396. BN_zero(R);
  397. if (!(BN_set_bit(R, BN_BITS2)))
  398. goto err; /* R */
  399. buf[0] = mod->d[0]; /* tmod = N mod word size */
  400. buf[1] = 0;
  401. tmod.top = buf[0] != 0 ? 1 : 0;
  402. /* Ri = R^-1 mod N */
  403. if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
  404. goto err;
  405. if (!BN_lshift(Ri, Ri, BN_BITS2))
  406. goto err; /* R*Ri */
  407. if (!BN_is_zero(Ri)) {
  408. if (!BN_sub_word(Ri, 1))
  409. goto err;
  410. } else { /* if N mod word size == 1 */
  411. if (!BN_set_word(Ri, BN_MASK2))
  412. goto err; /* Ri-- (mod word size) */
  413. }
  414. if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
  415. goto err;
  416. /*
  417. * Ni = (R*Ri-1)/N, keep only least significant word:
  418. */
  419. mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
  420. mont->n0[1] = 0;
  421. # endif
  422. }
  423. #else /* !MONT_WORD */
  424. { /* bignum version */
  425. mont->ri = BN_num_bits(&mont->N);
  426. BN_zero(R);
  427. if (!BN_set_bit(R, mont->ri))
  428. goto err; /* R = 2^ri */
  429. /* Ri = R^-1 mod N */
  430. if ((BN_mod_inverse(Ri, R, &mont->N, ctx)) == NULL)
  431. goto err;
  432. if (!BN_lshift(Ri, Ri, mont->ri))
  433. goto err; /* R*Ri */
  434. if (!BN_sub_word(Ri, 1))
  435. goto err;
  436. /*
  437. * Ni = (R*Ri-1) / N
  438. */
  439. if (!BN_div(&(mont->Ni), NULL, Ri, &mont->N, ctx))
  440. goto err;
  441. }
  442. #endif
  443. /* setup RR for conversions */
  444. BN_zero(&(mont->RR));
  445. if (!BN_set_bit(&(mont->RR), mont->ri * 2))
  446. goto err;
  447. if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
  448. goto err;
  449. ret = 1;
  450. err:
  451. BN_CTX_end(ctx);
  452. return ret;
  453. }
  454. BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
  455. {
  456. if (to == from)
  457. return (to);
  458. if (!BN_copy(&(to->RR), &(from->RR)))
  459. return NULL;
  460. if (!BN_copy(&(to->N), &(from->N)))
  461. return NULL;
  462. if (!BN_copy(&(to->Ni), &(from->Ni)))
  463. return NULL;
  464. to->ri = from->ri;
  465. to->n0[0] = from->n0[0];
  466. to->n0[1] = from->n0[1];
  467. return (to);
  468. }
  469. BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
  470. const BIGNUM *mod, BN_CTX *ctx)
  471. {
  472. BN_MONT_CTX *ret;
  473. CRYPTO_r_lock(lock);
  474. ret = *pmont;
  475. CRYPTO_r_unlock(lock);
  476. if (ret)
  477. return ret;
  478. /*
  479. * We don't want to serialise globally while doing our lazy-init math in
  480. * BN_MONT_CTX_set. That punishes threads that are doing independent
  481. * things. Instead, punish the case where more than one thread tries to
  482. * lazy-init the same 'pmont', by having each do the lazy-init math work
  483. * independently and only use the one from the thread that wins the race
  484. * (the losers throw away the work they've done).
  485. */
  486. ret = BN_MONT_CTX_new();
  487. if (!ret)
  488. return NULL;
  489. if (!BN_MONT_CTX_set(ret, mod, ctx)) {
  490. BN_MONT_CTX_free(ret);
  491. return NULL;
  492. }
  493. /* The locked compare-and-set, after the local work is done. */
  494. CRYPTO_w_lock(lock);
  495. if (*pmont) {
  496. BN_MONT_CTX_free(ret);
  497. ret = *pmont;
  498. } else
  499. *pmont = ret;
  500. CRYPTO_w_unlock(lock);
  501. return ret;
  502. }